tcpproxy
1.0.0
该工具打开一个侦听套接字,接收数据,然后通过代理模块链运行该数据。模块完成后,将结果数据发送到目标服务器。接收响应并再次运行一系列模块,然后将最终数据发送回客户端。要拦截数据,您必须成为网关或进行某种中间人攻击。设置 iptables,以便 PREROUTING 链将修改目的地并将其发送到代理进程。然后,代理会将数据发送到指定的任何目标。
该工具的灵感来自并部分基于 Justin Seitz 的书“Black Hat Python”中使用的 TCP 代理示例,作者为 no star press。
$ ./tcpproxy.py -h
usage: tcpproxy.py [-h] [-ti TARGET_IP] [-tp TARGET_PORT] [-li LISTEN_IP]
[-lp LISTEN_PORT] [-pi PROXY_IP] [-pp PROXY_PORT]
[-pt {SOCKS4,SOCKS5,HTTP}] [-om OUT_MODULES]
[-im IN_MODULES] [-v] [-n] [-l LOGFILE] [--list]
[-lo HELP_MODULES] [-s] [-sc SERVER_CERTIFICATE]
[-sk SERVER_KEY] [-cc CLIENT_CERTIFICATE] [-ck CLIENT_KEY]
Simple TCP proxy for data interception and modification. Select modules to
handle the intercepted traffic.
optional arguments:
-h, --help show this help message and exit
-ti TARGET_IP, --targetip TARGET_IP
remote target IP or host name
-tp TARGET_PORT, --targetport TARGET_PORT
remote target port
-li LISTEN_IP, --listenip LISTEN_IP
IP address/host name to listen for incoming data
-lp LISTEN_PORT, --listenport LISTEN_PORT
port to listen on
-pi PROXY_IP, --proxy-ip PROXY_IP
IP address/host name of proxy
-pp PROXY_PORT, --proxy-port PROXY_PORT
proxy port
-pt {SOCKS4,SOCKS5,HTTP}, --proxy-type {SOCKS4,SOCKS5,HTTP}
proxy type. Options are SOCKS5 (default), SOCKS4, HTTP
-om OUT_MODULES, --outmodules OUT_MODULES
comma-separated list of modules to modify data before
sending to remote target.
-im IN_MODULES, --inmodules IN_MODULES
comma-separated list of modules to modify data
received from the remote target.
-v, --verbose More verbose output of status information
-n, --no-chain Don't send output from one module to the next one
-l LOGFILE, --log LOGFILE
Log all data to a file before modules are run.
--list list available modules
-lo HELP_MODULES, --list-options HELP_MODULES
Print help of selected module
-s, --ssl detect SSL/TLS as well as STARTTLS
-sc SERVER_CERTIFICATE, --server-certificate SERVER_CERTIFICATE
server certificate in PEM format (default: mitm.pem)
-sk SERVER_KEY, --server-key SERVER_KEY
server key in PEM format (default: mitm.pem)
-cc CLIENT_CERTIFICATE, --client-certificate CLIENT_CERTIFICATE
client certificate in PEM format in case client
authentication is required by the target
-ck CLIENT_KEY, --client-key CLIENT_KEY
client key in PEM format in case client authentication
is required by the target
您必须提供 TARGET_IP 和 TARGET_PORT,默认监听设置为 0.0.0.0:8080。为了使该程序真正有用,您必须决定要在传出(客户端到服务器)和传入(服务器到客户端)流量上使用哪些模块。您可以为每个方向使用不同的模块。以逗号分隔的列表形式传递模块列表,例如 -im mod1,mod4,mod2。数据将传递到第一个模块,返回的数据将传递到第二个模块,依此类推,除非您使用 -n/--no/chain 开关。在这种情况下,每个模块都会收到原始数据。您还可以将选项传递给每个模块:-im mod1:key1=val1,mod4,mod2:key1=val1:key2=val2。要了解可以传递给模块的选项,请使用 -lo/--list-options,如下所示:-lo mod1,mod2,mod4
$ ./tcpproxy.py --list
digestdowngrade - Find HTTP Digest Authentication and replace it with a Basic Auth
hexdump - Print a hexdump of the received data
http_ok - Prepend HTTP response header
http_post - Prepend HTTP header
http_strip - Remove HTTP header from data
log - Log data in the module chain. Use in addition to general logging (-l/--log).
removegzip - Replace gzip in the list of accepted encodings in a HTTP request with booo.
replace - Replace text on the fly by using regular expressions in a file or as module parameters
hexreplace - Replace hex data in tcp packets
size - Print the size of the data passed to the module
size404 - Change HTTP responses of a certain size to 404.
textdump - Simply print the received data as text
tcpproxy.py 使用模块来查看或修改截获的数据。要查看模块的最简单实现,请查看 proxymodules 目录中的 textdump.py 模块:
#!/usr/bin/env python3
import os . path as path
class Module :
def __init__ ( self , incoming = False , verbose = False , options = None ):
# extract the file name from __file__. __file__ is proxymodules/name.py
self . name = path . splitext ( path . basename ( __file__ ))[ 0 ]
self . description = 'Simply print the received data as text'
self . incoming = incoming # incoming means module is on -im chain
self . find = None # if find is not None, this text will be highlighted
if options is not None :
if 'find' in options . keys ():
self . find = bytes ( options [ 'find' ], 'ascii' ) # text to highlight
if 'color' in options . keys ():
self . color = bytes ( ' �33 [' + options [ 'color' ] + 'm' , 'ascii' ) # highlight color
else :
self . color = b' �33 [31;1m'
def execute ( self , data ):
if self . find is None :
print ( data )
else :
pdata = data . replace ( self . find , self . color + self . find + b' �33 [0m' )
print ( pdata . decode ( 'ascii' ))
return data
def help ( self ):
h = ' t find: string that should be highlighted n '
h += ( ' t color: ANSI color code. Will be wrapped with \ 033[ and m, so'
' passing 32;1 will result in \ 033[32;1m (bright green)' )
return h
if __name__ == '__main__' :
print ( 'This module is not supposed to be executed alone!' )每个模块文件都包含一个名为 Module 的类。每个模块必须设置 self.description 并且必须实现一个接受一个参数(输入数据)的执行方法。执行方法必须返回一些东西,然后这个东西要么传递到下一个模块,要么继续发送。除此之外,您可以在模块内自由地做任何您想做的事情。当模块位于传入链(-im)中时,构造函数中的传入参数设置为 True,否则为 False。这样,模块就知道数据流向哪个方向(这个想法归功于 jbarg)。如果代理使用 -v/--verbose 启动,则 verbose 参数设置为 True。 options 参数是一个字典,其中包含在命令行上传递给模块的键和值。请注意,如果您在模块中使用选项字典,则还应该实现 help() 方法。该方法必须返回一个字符串。每个选项使用一行,确保每行以 t 字符开头,以便正确缩进。
有关附加选项示例,请参阅 hexdump 模块:
#!/usr/bin/env python3
import os . path as path
class Module :
def __init__ ( self , incoming = False , verbose = False , options = None ):
# extract the file name from __file__. __file__ is proxymodules/name.py
self . name = path . splitext ( path . basename ( __file__ ))[ 0 ]
self . description = 'Print a hexdump of the received data'
self . incoming = incoming # incoming means module is on -im chain
self . len = 16
if options is not None :
if 'length' in options . keys ():
self . len = int ( options [ 'length' ])
def help ( self ):
return ' t length: bytes per line (int)'
def execute ( self , data ):
# -- 8< --- snip
for i in range ( 0 , len ( data ), self . len ):
s = data [ i : i + self . len ]
# # -- 8< --- snip
if __name__ == '__main__' :
print 'This module is not supposed to be executed alone!'上面的示例应该让您了解如何使用模块参数。一个调用示例是:
./tcpproxy.py -om hexdump:length=8,http_post,hexdump:length=12 -ti 127.0.0.1 -tp 12345
< < < < out: hexdump
0000 77 6C 6B 66 6A 6C 77 71 wlkfjlwq
0008 6B 66 6A 68 6C 6B 77 71 kfjhlkwq
0010 6A 65 68 66 6C 6B 65 77 jehflkew
0018 71 6A 66 68 6C 6B 65 77 qjfhlkew
0020 71 6A 66 68 6C 6B 65 77 qjfhlkew
0028 71 6A 66 6C 68 77 71 6B qjflhwqk
0030 65 6A 66 68 77 71 6C 6B ejfhwqlk
0038 65 6A 66 68 0A ejfh.
< < < < out: http_post
< < < < out: hexdump
0000 50 4F 53 54 20 2F 20 48 54 54 50 2F POST / HTTP/
000C 31 2E 31 0A 48 6F 73 74 3A 20 74 63 1.1.Host: tc
0018 70 70 72 6F 78 79 0A 43 6F 6E 74 65 pproxy.Conte
0024 6E 74 2D 4C 65 6E 67 74 68 3A 20 36 nt-Length: 6
0030 31 0A 0A 77 6C 6B 66 6A 6C 77 71 6B 1..wlkfjlwqk
003C 66 6A 68 6C 6B 77 71 6A 65 68 66 6C fjhlkwqjehfl
0048 6B 65 77 71 6A 66 68 6C 6B 65 77 71 kewqjfhlkewq
0054 6A 66 68 6C 6B 65 77 71 6A 66 6C 68 jfhlkewqjflh
0060 77 71 6B 65 6A 66 68 77 71 6C 6B 65 wqkejfhwqlke
006C 6A 66 68 0A jfh.
您可以看到第一个 hexdump 实例如何获得每行 8 字节的长度,而第二个实例如何获得 12 字节的长度。要将多个选项传递给单个模块,请使用 : 字符分隔选项,modname:key1=val1:key2=val2...
您可以使用 -l/--log 参数将代理发送或接收的所有数据写入文件。数据(和一些内务信息)在传递到模块链之前先写入日志。如果您想在模块运行期间或之后记录数据的状态,可以使用日志代理模块。使用链 -im http_post,log:file=log.1,http_strip,log 会首先将 http_post 模块之后的数据记录到名为 log.1 的日志文件中。在链末尾第二次使用日志模块会将数据的最终状态写入具有默认名称的日志文件中,然后再将其传递。
我要感谢以下人员花费宝贵的时间和精力来改进这个小工具:
