PhanTap (Phantom Tap)

PhanTap is an ‘invisible’ network tap aimed at red teams. With limited physical access to a target building, this tap can be installed inline between a network device and the corporate network. PhanTap is silent in the network and does not affect the victim’s traffic, even in networks having NAC (Network Access Control 802.1X – 2004). PhanTap will analyze traffic on the network and mask its traffic as the victim device. It can mount a tunnel back to a remote server, giving the user a foothold in the network for further analysis and pivoting. PhanTap is an OpenWrt package and should be compatible with any device. The physical device used for our testing is currently a small, inexpensive router, the GL.iNet GL-AR150.

Features:

• Transparent network bridge.
• Silent: no arp, multicast, broadcast.
• 802.1x passthrough.
• Automatic configuration:
  • capture traffic exiting the network (the destination is non RFC1918), source IP and MAC is our victim, destination MAC is our gateway,
  • SNAT bridge traffic to the victim MAC and IP address,
  • set the router default gateway to the MAC of the gateway detected just before.
• Introspects ARP, multicast and broadcast traffic and adds a route to the machine IP address and adds the machine MAC address to the neighbor list, hence giving the possibility of talking to all the machines in the local network.
• Learns the DNS server from traffic and modifies the one on the router so that it’s the same.
• Can run commands (ex: /etc/init.d/openvpn restart) when a new IP or DNS is configured.
• Lets you choose any VPN software, for example, OpenVPN tcp port 443 so it goes through most firewalls.

Install && Use

Copyright (C) 2019 nccgroup