You signed in with another tab or window.Reload to refresh your session.You signed out in another tab or window.Reload to refresh your session.You switched accounts on another tab or window.Reload to refresh your session.Dismiss alert
These scripts let you expose your real server functionality only after sending a magic "Wake Up" packet to an open port. You can use WayCup as anadditional layer of security against fingerprinting for your SSH/HTTP servers (and many more), or a minimal alternative to port knocking.
Run a local example: reverse shell with magic handshake
# apk add git# apt install -y git netcatgit clone https://github.com/avilum/waycup.git&&cd waycup/nohup ./server.sh&# Or in another terminal# To watch server logs:# tail -f nohup.out./client.sh# Starts a reverse shell on the server, or change server_main.sh to do anything you want.
Use Cases:
Hide services from security scanners (Shodan, Censys, nmap, zmap) and hackers (port scanning and fingerprint fails).
Keep your server a secret while it listens to www facing ports. It's like a black hole.
Expose a service's functionality on a port only to clients with a pre-shared secret, without modifying the application layer or managing users.
Copy/Paste where you don't want to configure a proxy like nginx. Also, it's easy to fingerprint nginx. This is a copy/paste solution with almost no dependencies.
Honeypots - Log all the transport to a file with tcpdump/alternative.
Less secure (but nice) use cases:
Use as an API for remote calls on a machine (run a generic script)
When SSH is not (or can't be) installed - pure reverse bash shell.
Pentesting and Red Teams.
How it works:
It wraps your appliction with a "black hole" that swallows automatic crawlers and bots, thus leaving your assets "anonymous" and making cyber attacks on your assets more complex.
The server(s) listen on any port for a magic packet via TCP/UDP.
A magic "Wake Up" packet is sent from a client.
The "Wake Up" packet is received by the server.
The server runs a generic script, that exposes the service (SSH, HTTP, Anything) to the client on the same (or on a new) port.
If the server supports routing tables manipulation, the iptables can be modified and the client can keep communicating over the same port. see ./server.sh for more information.
Examples
Running a server
$ ./server.shListeningfor magic packets on localhost:8080Connection from 127.0.0.1:60427Successful connectionRunning the main startup script: ./server_main.sh...
Connecting clients
nc/netcat/socat/ncat magic packets:
MAGIC_LISTENER_HOST="localhost"SERVER_MAGIC_PORT=8080# Fails, until we send a magic packet.ssh$MAGIC_LISTENER_HOST -p$SERVER_MAGIC_PORT connection refused.# Sending a magic packetMAGIC="secret"echo$MAGIC| nc -c -vvv$MAGIC_LISTENER_HOST$MAGIC_LISTENER_PORT&&echo"Success"# Works nowssh$MAGIC_LISTENER_HOST -p$SERVER_MAGIC_PORT# Do whatever you want here, based on the server implementation.# See server_main.sh and client.sh for more documentation.
Python: Send a magic packet that reveals an HTTP Server
In [1]: import requestsIn [2]: requests.get('http://localhost:80')ConnectionErrorIn [3]: import socket; ...: MAGIC="change this magic string" ...: SERVER_HOST="localhost" ...: SERVER_MAGIC_PORT=8080 ...: with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: ...: s.connect((SERVER_HOST, SERVER_MAGIC_PORT)) ...: s.sendall(MAGIC.encode())In [4]: requests.get('http://localhost:80')Out[4]: <Response [200]>
Copy and paste:
importsocketMAGIC="secret"SERVER_HOST="localhost"SERVER_MAGIC_PORT=8080withsocket.socket(socket.AF_INET,socket.SOCK_STREAM)ass:s.connect((SERVER_HOST,SERVER_MAGIC_PORT))s.sendall(MAGIC.encode())# Query the API / Connect to the service on the same or different that just opened for youimportrequests# Modify server_main.sh to run an http server (uncomment a line)requests.get('http://localhost:80')
Remote reverse-shell:
$ ./client.shSending magic packet to localhost:8080localhost [127.0.0.1] 8080 (http-alt) openTotal received bytes: 0Total sent bytes: 25SuccessStarting reverse shell...Connection from 127.0.0.1:60428whoami####sudo suwhoamiroot
Adding security
You should add an extra layer of security if you want to prevent reply attacks. That can be done by adding a TLS layer to your server with OpenSSL/Boring SSL
OpenSSL:
Not implimented yet - feel free to contribute!# Generate random secret:SECRET=$(openssl rand -base64 512)# Copy to server.sh and client.sh.# Generate a random MAC address for the server:sudo ifconfig [interface_name] ether$(openssl rand -hex 6| sed's%\(..\)%\1:%g; s%.$%%')
BoringSSL:
Not implimented yet - feel free to contribute!
HMAC Validation:
Not implimented yet - feel free to contribute!
Server Dependencies:
nc/netcat
Compitability:
Runs on any UNIX system that supports busybox syntax.
You can copy and paste it in your servers, as-is, if you havenc installed.
BSD netcat does not supports client IP extraction and iptables modification (yet), install GNU netcat for better compitability.
Mac users - Remove "-w" argument in server.sh and add "-c" argument to client.sh
Nc manual:
ncnc [OPTIONS] HOST PORT - connect nc [OPTIONS] -l -p PORT [HOST] [PORT] - listenOptions: -e PROG Run PROG after connect (must be last) -l Listen mode,for inbound connects -n Don't do DNS resolution -s ADDR Local address -p PORT Local port -u UDP mode -v Verbose -w SEC Timeout for connects and final net reads -i SEC Delay interval for lines sent -o FILE Hex dump traffic -z Zero-I/O mode (scanning)
About
A minimal tool that hides your online assets from online security scanners, researchers and hackers.