tcpproxy
1.0.0
該工具開啟一個偵聽套接字,接收數據,然後透過代理模組鏈運行該數據。模組完成後,將結果資料傳送到目標伺服器。接收回應並再次執行一系列模組,然後將最終資料傳送回客戶端。要攔截數據,您必須成為網關或進行某種中間人攻擊。設定 iptables,以便 PREROUTING 鏈將修改目的地並將其傳送至代理程式。然後,代理會將資料傳送到指定的任何目標。
該工具的靈感來自並部分基於 Justin Seitz 的書“Black Hat Python”中使用的 TCP 代理示例,作者為 no star press。
$ ./tcpproxy.py -h
usage: tcpproxy.py [-h] [-ti TARGET_IP] [-tp TARGET_PORT] [-li LISTEN_IP]
[-lp LISTEN_PORT] [-pi PROXY_IP] [-pp PROXY_PORT]
[-pt {SOCKS4,SOCKS5,HTTP}] [-om OUT_MODULES]
[-im IN_MODULES] [-v] [-n] [-l LOGFILE] [--list]
[-lo HELP_MODULES] [-s] [-sc SERVER_CERTIFICATE]
[-sk SERVER_KEY] [-cc CLIENT_CERTIFICATE] [-ck CLIENT_KEY]
Simple TCP proxy for data interception and modification. Select modules to
handle the intercepted traffic.
optional arguments:
-h, --help show this help message and exit
-ti TARGET_IP, --targetip TARGET_IP
remote target IP or host name
-tp TARGET_PORT, --targetport TARGET_PORT
remote target port
-li LISTEN_IP, --listenip LISTEN_IP
IP address/host name to listen for incoming data
-lp LISTEN_PORT, --listenport LISTEN_PORT
port to listen on
-pi PROXY_IP, --proxy-ip PROXY_IP
IP address/host name of proxy
-pp PROXY_PORT, --proxy-port PROXY_PORT
proxy port
-pt {SOCKS4,SOCKS5,HTTP}, --proxy-type {SOCKS4,SOCKS5,HTTP}
proxy type. Options are SOCKS5 (default), SOCKS4, HTTP
-om OUT_MODULES, --outmodules OUT_MODULES
comma-separated list of modules to modify data before
sending to remote target.
-im IN_MODULES, --inmodules IN_MODULES
comma-separated list of modules to modify data
received from the remote target.
-v, --verbose More verbose output of status information
-n, --no-chain Don't send output from one module to the next one
-l LOGFILE, --log LOGFILE
Log all data to a file before modules are run.
--list list available modules
-lo HELP_MODULES, --list-options HELP_MODULES
Print help of selected module
-s, --ssl detect SSL/TLS as well as STARTTLS
-sc SERVER_CERTIFICATE, --server-certificate SERVER_CERTIFICATE
server certificate in PEM format (default: mitm.pem)
-sk SERVER_KEY, --server-key SERVER_KEY
server key in PEM format (default: mitm.pem)
-cc CLIENT_CERTIFICATE, --client-certificate CLIENT_CERTIFICATE
client certificate in PEM format in case client
authentication is required by the target
-ck CLIENT_KEY, --client-key CLIENT_KEY
client key in PEM format in case client authentication
is required by the target
您必須提供 TARGET_IP 和 TARGET_PORT,預設監聽設定為 0.0.0.0:8080。為了讓程式真正有用,您必須決定要在傳出(客戶端到伺服器)和傳入(伺服器到客戶端)流量上使用哪些模組。您可以為每個方向使用不同的模組。以逗號分隔的列表形式傳遞模組列表,例如 -im mod1,mod4,mod2。資料將傳遞到第一個模組,傳回的資料將傳遞到第二個模組,依此類推,除非您使用 -n/--no/chain 開關。在這種情況下,每個模組都會收到原始資料。您也可以將選項傳遞給每個模組:-im mod1:key1=val1,mod4,mod2:key1=val1:key2=val2。要了解可以傳遞給模組的選項,請使用 -lo/--list-options,如下所示:-lo mod1,mod2,mod4
$ ./tcpproxy.py --list
digestdowngrade - Find HTTP Digest Authentication and replace it with a Basic Auth
hexdump - Print a hexdump of the received data
http_ok - Prepend HTTP response header
http_post - Prepend HTTP header
http_strip - Remove HTTP header from data
log - Log data in the module chain. Use in addition to general logging (-l/--log).
removegzip - Replace gzip in the list of accepted encodings in a HTTP request with booo.
replace - Replace text on the fly by using regular expressions in a file or as module parameters
hexreplace - Replace hex data in tcp packets
size - Print the size of the data passed to the module
size404 - Change HTTP responses of a certain size to 404.
textdump - Simply print the received data as text
tcpproxy.py 使用模組來檢視或修改截獲的資料。要查看模組的最簡單實現,請查看 proxymodules 目錄中的 textdump.py 模組:
#!/usr/bin/env python3
import os . path as path
class Module :
def __init__ ( self , incoming = False , verbose = False , options = None ):
# extract the file name from __file__. __file__ is proxymodules/name.py
self . name = path . splitext ( path . basename ( __file__ ))[ 0 ]
self . description = 'Simply print the received data as text'
self . incoming = incoming # incoming means module is on -im chain
self . find = None # if find is not None, this text will be highlighted
if options is not None :
if 'find' in options . keys ():
self . find = bytes ( options [ 'find' ], 'ascii' ) # text to highlight
if 'color' in options . keys ():
self . color = bytes ( ' �33 [' + options [ 'color' ] + 'm' , 'ascii' ) # highlight color
else :
self . color = b' �33 [31;1m'
def execute ( self , data ):
if self . find is None :
print ( data )
else :
pdata = data . replace ( self . find , self . color + self . find + b' �33 [0m' )
print ( pdata . decode ( 'ascii' ))
return data
def help ( self ):
h = ' t find: string that should be highlighted n '
h += ( ' t color: ANSI color code. Will be wrapped with \ 033[ and m, so'
' passing 32;1 will result in \ 033[32;1m (bright green)' )
return h
if __name__ == '__main__' :
print ( 'This module is not supposed to be executed alone!' )每個模組檔案都包含一個名為 Module 的類別。每個模組必須設定 self.description 並且必須實作一個接受一個參數(輸入資料)的執行方法。執行方法必須返回一些東西,然後這個東西要么傳遞到下一個模組,要么繼續發送。除此之外,您可以在模組內自由地做任何您想做的事情。當模組位於傳入鏈(-im)時,建構函式中的傳入參數設為 True,否則為 False。這樣,模組就知道資料流向哪個方向(這個想法歸功於 jbarg)。如果代理程式使用 -v/--verbose 啟動,則 verbose 參數設為 True。 options 參數是一個字典,其中包含在命令列上傳遞給模組的鍵和值。請注意,如果您在模組中使用選項字典,您也應該實作 help() 方法。該方法必須傳回一個字串。每個選項使用一行,確保每行以 t 字元開頭,以便正確縮排。
有關其他選項範例,請參閱 hexdump 模組:
#!/usr/bin/env python3
import os . path as path
class Module :
def __init__ ( self , incoming = False , verbose = False , options = None ):
# extract the file name from __file__. __file__ is proxymodules/name.py
self . name = path . splitext ( path . basename ( __file__ ))[ 0 ]
self . description = 'Print a hexdump of the received data'
self . incoming = incoming # incoming means module is on -im chain
self . len = 16
if options is not None :
if 'length' in options . keys ():
self . len = int ( options [ 'length' ])
def help ( self ):
return ' t length: bytes per line (int)'
def execute ( self , data ):
# -- 8< --- snip
for i in range ( 0 , len ( data ), self . len ):
s = data [ i : i + self . len ]
# # -- 8< --- snip
if __name__ == '__main__' :
print 'This module is not supposed to be executed alone!'上面的範例應該讓您了解如何使用模組參數。一個呼叫範例是:
./tcpproxy.py -om hexdump:length=8,http_post,hexdump:length=12 -ti 127.0.0.1 -tp 12345
< < < < out: hexdump
0000 77 6C 6B 66 6A 6C 77 71 wlkfjlwq
0008 6B 66 6A 68 6C 6B 77 71 kfjhlkwq
0010 6A 65 68 66 6C 6B 65 77 jehflkew
0018 71 6A 66 68 6C 6B 65 77 qjfhlkew
0020 71 6A 66 68 6C 6B 65 77 qjfhlkew
0028 71 6A 66 6C 68 77 71 6B qjflhwqk
0030 65 6A 66 68 77 71 6C 6B ejfhwqlk
0038 65 6A 66 68 0A ejfh.
< < < < out: http_post
< < < < out: hexdump
0000 50 4F 53 54 20 2F 20 48 54 54 50 2F POST / HTTP/
000C 31 2E 31 0A 48 6F 73 74 3A 20 74 63 1.1.Host: tc
0018 70 70 72 6F 78 79 0A 43 6F 6E 74 65 pproxy.Conte
0024 6E 74 2D 4C 65 6E 67 74 68 3A 20 36 nt-Length: 6
0030 31 0A 0A 77 6C 6B 66 6A 6C 77 71 6B 1..wlkfjlwqk
003C 66 6A 68 6C 6B 77 71 6A 65 68 66 6C fjhlkwqjehfl
0048 6B 65 77 71 6A 66 68 6C 6B 65 77 71 kewqjfhlkewq
0054 6A 66 68 6C 6B 65 77 71 6A 66 6C 68 jfhlkewqjflh
0060 77 71 6B 65 6A 66 68 77 71 6C 6B 65 wqkejfhwqlke
006C 6A 66 68 0A jfh.
您可以看到第一個 hexdump 實例如何獲得每行 8 個位元組的長度,而第二個實例如何獲得 12 個位元組的長度。若要將多個選項傳遞給單一模組,請使用 : 字元分隔選項,modname:key1=val1:key2=val2...
您可以使用 -l/--log 參數將代理程式傳送或接收的所有資料寫入檔案。資料(和一些內務資訊)在傳遞到模組鏈之前先寫入日誌。如果您想在模組運行期間或之後記錄資料的狀態,可以使用日誌代理模組。使用鏈 -im http_post,log:file=log.1,http_strip,log 會先將 http_post 模組之後的資料記錄到名為 log.1 的日誌檔案中。在鏈末尾第二次使用日誌模組會將資料的最終狀態寫入具有預設名稱的日誌檔案中,然後再傳遞。
我要感謝以下人員花費寶貴的時間和精力來改進這個小工具:
