Built on a Raspberry Pi, CIRCO takes advantage of "Sec/Net/Dev/Ops" enterprise tools to capture network credentials in stealth mode.
The low-profile hardware and electronics are camouflaged as a plain network outlet box or PSU injector that sits under or over a desk.
CIRCO includes different network data exfiltration techniques to avoid detection.
The tool gathers information and uses a combination of honeypots to trick automation systems into handing over their network credentials!
In bridge mode, you can also sniff (MiTM) credentials/hashes from an IP phone and from a PC cascaded behind the phone.
It is also the perfect and cheapest way to deploy a Cisco honeypot: run it on a Raspberry Pi or any other hardware on the network and integrate its logging/alarms with your SOC.
It can sit outside, inside, or in the DMZ of your network.
The specific hardware depends on the size and features you want. For example, CIRCO runs on a Raspberry Pi Zero without the wireless extraction feature, or on a Raspberry Pi 3B with a wireless dongle.
The main constraint is usually the physical space available to fit CIRCO.
You will also need some Cat 5 twisted-pair cable, pliers, RJ45 connectors, soldering/desoldering tools, wires, a glue gun, zip ties, etc.
There are 3 main elements that make up CIRCO:
- The implant main program, circo.py, deployed on the Raspberry Pi hardware. To emulate a Cisco switch SNMP agent it uses a forked version of snmposter.
- To receive the extracted credentials via the different techniques, carpa.py runs on an Internet server; it needs a public IP and no firewall in front of it blocking the incoming traffic. We also need a domain whose NS records point to that public IP.
- For wireless or SDR exfiltration there is jaula.py, which runs on a laptop with a wireless adaptor that supports monitor mode, or with an SDR receiver (RTL-SDR, HackRF, etc.).
All packet manipulation and crafting is done mainly with Scapy, which is flexible enough with some exceptions (did I say I hate the DHCP handshake?)
CIRCO v2 is written in Python 3.7
The Wiki has step-by-step installation instructions
Examples, screenshots and videos have been added to the Wiki
Credentials obtained via the honeypots carry the key s (ssh) or p (snmp) to identify the protocol they were captured with.
For enable passwords we add e as a 2nd key identifier.
The record also carries the IP address the honeypot credentials came from; to save bits, the dotted IP format is converted to hex.
The exfiltration receiver programs, such as jaula.py, convert it back to dotted IP format before displaying it or writing the output file.
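As an added example (not code from the CIRCO project), here is one way to implement the tagging and IP compaction described above on both ends. The '|' separator and the field order are assumptions made for the example, not CIRCO's actual record layout. The detail worth getting right is fixed-width hex: 10.0.0.1 must become 0a000001 and not a000001, or the receiver cannot tell where the address ends.

```python
"""Tag a captured credential with the protocol key (s/p, plus e for enable)
and pack the source IP as fixed-width hex, then decode it on the receiver.
Added example: the field order and the '|' separator are assumptions, not
CIRCO's actual record format."""
import ipaddress

PROTO_KEYS = {"ssh": "s", "snmp": "p"}
ENABLE_KEY = "e"
SEP = "|"  # assumed separator; must not appear in the username


def ip_to_hex(ip: str) -> str:
    """'10.0.0.1' -> '0a000001': always 8 hex digits, so leading zeros survive
    and the receiver can locate the field without a length prefix."""
    return f"{int(ipaddress.IPv4Address(ip)):08x}"


def hex_to_ip(h: str) -> str:
    """Inverse of ip_to_hex; rejects anything that is not exactly 8 hex digits."""
    if len(h) != 8:
        raise ValueError(f"expected 8 hex digits, got {h!r}")
    return str(ipaddress.IPv4Address(int(h, 16)))


def encode_record(proto: str, src_ip: str, username: str, password: str,
                  enable: bool = False) -> str:
    """Implant side: <key>|<hexip>|<username>|<password>."""
    key = PROTO_KEYS[proto] + (ENABLE_KEY if enable else "")
    if SEP in username:
        raise ValueError("separator not allowed in username")
    return SEP.join([key, ip_to_hex(src_ip), username, password])


def decode_record(record: str) -> dict:
    """Receiver side: split the record and restore the dotted IP."""
    # maxsplit=3 keeps any separator characters inside the password intact
    key, ip_hex, username, password = record.split(SEP, 3)
    proto = {v: k for k, v in PROTO_KEYS.items()}[key[0]]
    return {
        "proto": proto,
        "enable": key[1:] == ENABLE_KEY,
        "src_ip": hex_to_ip(ip_hex),
        "username": username,
        "password": password,
    }


if __name__ == "__main__":
    # constructed sample: an enable secret has no username, so that field is empty
    rec = encode_record("ssh", "192.168.1.254", "", "en4ble", enable=True)
    print(rec)
    print(decode_record(rec))
```

The password is the last field and the receiver splits with a fixed number of separators, so a password containing the separator still round-trips; only the username is restricted. An enable entry simply carries an empty username.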
From version 2, we also sniff credentials using Net-Creds and capture SIP hashes
- Automatic Installation script (circo/jaula/carpa)
- Include implant ID on exfiltration
- Work on No-DHCP module
- Migrate net-creds to python3
- Code new SNMP agent in python3
- Extra exfiltration methods
- Deploy Blue Team mode
- Make the code much nicer
The tool is provided for educational, research or testing purposes.
Using this tool against network/systems without prior permission is illegal.
Radio waves are regulated in each country; before any radio transmission, make sure you comply with your country's regulations (power, frequencies, bandwidth, etc.)
The author is not liable for any damages from misuse of this tool, techniques or code.
Emilio / @ekio_jp
Please see LICENSE.