phantap: an ‘invisible’ network tap aimed at red teams
PhanTap (Phantom Tap)
PhanTap is an ‘invisible’ network tap aimed at red teams. With limited physical access to a target building, this tap can be installed inline between a network device and the corporate network. PhanTap is silent in the network and does not affect the victim’s traffic, even in networks having NAC (Network Access Control 802.1X – 2004). PhanTap will analyze traffic on the network and mask its traffic as the victim device. It can mount a tunnel back to a remote server, giving the user a foothold in the network for further analysis and pivoting. PhanTap is an OpenWrt package and should be compatible with any device. The physical device used for our testing is currently a small, inexpensive router, the GL.iNet GL-AR150.
- Transparent network bridge.
- Silent: no ARP, multicast or broadcast traffic of its own.
- 802.1X passthrough.
- Automatic configuration:
  - captures traffic leaving the network (destination is a non-RFC1918 address): the source IP and MAC are taken as the victim, the destination MAC as the gateway,
  - SNATs bridge traffic to the victim's MAC and IP address,
  - sets the router's default gateway to the gateway MAC detected in the previous step.
- Inspects ARP, multicast and broadcast traffic, adds a route to each machine's IP address and adds its MAC address to the neighbor table, so that every machine in the local network can be reached.
- Learns the DNS server from traffic and sets the router's DNS server to the same one.
- Can run commands (e.g. /etc/init.d/openvpn restart) when a new IP or DNS server is configured.
- Lets you choose any VPN software, for example OpenVPN on TCP port 443 so that it passes through most firewalls.
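Because the tap SNATs its own traffic to the victim's MAC and IP address, the switch and NAC see one authenticated endpoint, but the upstream traffic now comes from two different IP stacks behind that single MAC/IP pair. One defender-side signal for this is a passive check for mixed IP/TCP fingerprints (initial TTL and TCP window size) on a single MAC/IP pair. The following is an added example, not code from the PhanTap project; the flow records are constructed, the field names (`src_mac`, `src_ip`, `ttl`, `window`) are assumptions about what a passive sensor would export, and the detection is a heuristic, not part of the tool described above.

```python
from collections import defaultdict

# Constructed sample flow records (not captured traffic): one record per outbound TCP SYN
# observed by a passive sensor upstream of the access switch. Field names are assumptions.
SAMPLE_FLOWS = [
    # workstation behind the port: TTL 128 style fingerprint, consistent
    {"src_mac": "aa:bb:cc:00:00:01", "src_ip": "10.0.0.5", "ttl": 127, "window": 64240},
    {"src_mac": "aa:bb:cc:00:00:01", "src_ip": "10.0.0.5", "ttl": 127, "window": 64240},
    # same MAC/IP pair, but a TTL 64 style fingerprint mixed in: a second stack
    # is sourcing traffic as this endpoint
    {"src_mac": "aa:bb:cc:00:00:01", "src_ip": "10.0.0.5", "ttl": 63, "window": 29200},
    # another endpoint, consistent fingerprint throughout
    {"src_mac": "aa:bb:cc:00:00:02", "src_ip": "10.0.0.6", "ttl": 63, "window": 29200},
    {"src_mac": "aa:bb:cc:00:00:02", "src_ip": "10.0.0.6", "ttl": 63, "window": 29200},
]


def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value (32, 64, 128, 255).

    Each router hop decrements the TTL by one, so the observed value is a little
    below the value the sending stack started with.
    """
    for base in (32, 64, 128, 255):
        if ttl <= base:
            return base
    return 255


def fingerprint(flow):
    """Coarse per-packet OS fingerprint: (estimated initial TTL, TCP window size)."""
    return (initial_ttl(flow["ttl"]), flow["window"])


def find_mixed_fingerprints(flows):
    """Return {(mac, ip): set_of_fingerprints} for endpoints that show more than one
    distinct fingerprint, i.e. where more than one IP stack appears to share one
    MAC/IP identity."""
    seen = defaultdict(set)
    for flow in flows:
        key = (flow["src_mac"], flow["src_ip"])
        seen[key].add(fingerprint(flow))
    return {key: fps for key, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    for (mac, ip), fps in find_mixed_fingerprints(SAMPLE_FLOWS).items():
        print(f"mixed fingerprints on {mac} / {ip}: {sorted(fps)}")
```

Treat a hit as a signal to investigate the access port, not as proof: hosts running virtual machines or a local NAT legitimately produce mixed fingerprints too, so the check is most useful on ports that are expected to carry a single managed workstation.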