Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



3 Commits

Repository files navigation

Black Hat Arsenal


Cisco Implant Raspberry Controlled Operations

Red Teams

Designed under Raspberry Pi, we take advantage of “Sec/Net/Dev/Ops” enterprise tools to capture network credentials in a stealth mode.
Using a low profile hardware & electronics camouflaged as simple network outlet box or PSU injector to be sitting under/over a desk.
CIRCO include different techniques for network data exfiltration to avoid detection.
This tool gather information and use a combination of honeypots to trick Automation Systems to give us their network credentials!
In bridge mode, you can also sniff (MiTM) credentials/hashes from an IP-Phone and PC cascade to the phone.

Blue Teams

The perfect and cheapeast way to deploy a Cisco honeypot, just deploy either using Raspberry or any other hardware on the network and integrate logging/alarms to your SOC.
Could be sitting outside, inside or DMZ of your network.


The specific hardware will depend on size and features you want, as an example, you can run CIRCO on a Raspberry Pi Zero without Wireless Extraction feature or you could be using a Raspberry Pi 3B with a wireless dongle.

The main constrain could be physical space to fit CIRCO.

You will also need some Cat 5 twisted cable, pliers, RJ45, soldering/desoldering tools, wires, glue-gun, zip-ties, etc

Be creative!


There are 3 main elements that make CIRCO:

  • The implant main program called to be deployed in the Raspberry Pi hardware
    To emulate a Cisco Switch SNMP Agent, we are using forked version of snmposter

  • To receive extracted credentials via different techniques, we use on an Internet Server, as long is has a public IP and no firewalls in front preventing traffic to reach it.
    We also need a domain pointing NS records to our public IP

  • Specific for wireless or SDR exfiltration we have, this can run on a laptop with a Wireless adaptor supporting monitor mode, also an SDR receiver (like RTL-SDR, HackRF, etc)

All packet manipulation and crafting is been done mainly with Scapy as it has enough flexibility with some exceptions (did I say I hate DHCP handshake?)

CIRCO v2 has been coded in Python 3.7


The Wiki has step-by-step instruction to install it


Examples/Screenshots/Videos added to Wiki

Credentials Exfiltration Format

We use t (telnet), s (ssh) and p (snmp) to identifiy the protocol used for the credentials obtained via honeypots.

For Telnet/SSH enable passwords we e as 2nd key identifier

honeypots came from, to save bits the Dotted IP format has been converted to Hex The exfiltration programs or will convert back to Dotted IP format before display/writing output file

From version 2, we sniff credentials using Net-Creds and also capture SIP hashes










DEF CON 28 Demo Labs (Aug-2020)

AV Tokyo HIVE (Nov-2019)

Code Blue Bluebox (Oct-2019)

HITB GSEC Armory (Aug-2019)

Def CON 27 Packet Hacking Village (Aug-2019)

Def CON 27 Demo Labs (Aug-2019)

Hackers Party Booth (Jul-2019)

BlackHat Asia Arsenal (Mar-2019)

濱せっく / HamaSec (Feb-2019)


HIVE AV Tokyo (Nov-2018)


  • Automatic Installation script (circo/jaula/carpa)
  • Include implant ID on exfiltration
  • Work on No-DHCP module
  • Migrate net-creds to python3
  • Code new SNMP agent in python3
  • Extra exfiltration methods
  • Deploy Blue Team mode
  • Make the code much more nicer


The tool is provided for educational, research or testing purposes.
Using this tool against network/systems without prior permission is illegal.
Radio waves are regulated per each country, before any radio wave transmission, make sure you complain within your country regulations (power, frequencies, bandwidth, etc.)
The author is not liable for any damages from misuse of this tool, techniques or code.


Emilio / @ekio_jp


Please see LICENSE.