Syphoon - Weapons-grade MitM
Syphoon is a MitM (Man-in-the-Middle) tool - it abuses the ARP protocol to redirect network communications from other hosts through itself.
This allows sniffing as well as manipulation of communications between hosts on the network.
Syphoon will automatically collect most interesting assets such as usernames, passwords, access tokens, session cookies and more.
In addition, simple command-line arguments can be given to achieve much more complex manipulations: regex-based replacements / injections, network redirections and more.
Although these command-line arguments are made to be simple, they can quickly add up to large numbers when mounting elaborate attack scenarios. To facilitate this even further, a light scripting system allows packaging such behaviors into easy-to-use units.
Versatile network pwnage
Syphoon offers great flexibility when it comes to beating a network into submission.
The combination of network hooks, domain smashing, replacing and injection can be made to fit pretty much any attack scenario, whether the aim is to inject silly raccoon GIFs into all web pages for an entire population, or trigger an XSS on one specific domain for a subset of users.
Complex scenarios can easily be packaged into re-usable scripts. These can accept parameters and call upon other scripts for added flexibility. Example scripts are provided as part of the Syphoon distribution to cover basics and help anyone get started writing their own.
Syphoon is written exclusively in C and makes efficient use of parallel processing to fully leverage modern CPU architectures, allowing for almost transparent operation in most cases.
To achieve the highest possible efficiency, Syphoon integrates closely with the Linux Kernel's packet processing engine through the Netfilter Queue API.
Performance will vary depending on many factors such as processor speed, cache size, RAM and network interface used. However, Syphoon is routinely tested and known to run adequately on many consumer-grade systems, including desktops, laptops and even entry-level Windows tablets where Syphoon runs inside a Linux virtual machine with a USB WiFi dongle.
Syphoon runs exclusively on Linux. To achieve high performance it integrates tightly into the Linux network ecosystem and thus requires it to run.
The iptables firewall is used by Syphoon to redirect packets and should generally not be interfered with during operation. To avoid unexpected behavior, it is recommended that the Linux system be configured with only a single active network interface, the one used by Syphoon. Also, the network interface used by Syphoon should not be "shared" with another operating system running along on the same system (such as a virtual machine guest / host).
Considering these constraints, the best way to experience Syphoon is in fact to run it inside a dedicated Linux virtual machine (we use VirtualBox). The virtual machine can be given a dedicated USB network interface, such as a WiFi or Ethernet dongle.
The software itself is distributed as a semi-statically linked binary, meaning most of the libraries required by it are in fact directly built into the binary file. This allows it to run on most systems with minimal dependencies. However, because fully-static linking is not recommended / desired / possible, a few dynamic libraries are still required to run Syphoon. These are usually packaged by default with many distributions.
In most cases, the binary should simply run directly. If not, error messages should be pretty self-explanatory in terms of what needs to be installed. In case more help is needed, licensed users may contact us for support through our regular channels.
As with all other Ringtail Security products, this is intended for use exclusively by security professionals within a legitimate context. You are expected to know what you are purchasing. If we consider you fail to meet this criteria, we may deny your purchase.
IMPORTANT NOTE: THIS IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
IF YOU ARE PURCHASING THIS, IT IS ASSUMED YOU KNOW HOW TO USE IT AND WHAT YOU ARE DOING.
THAT BEING SAID, YOU ARE REQUIRED TO OBEY THE LAW AND ARE PROHIBITED FROM USING RINGTAIL PRODUCTS FOR ANYTHING OTHER THAN LEGITIMATE PURPOSES.
RINGTAIL WILL NOT BE HELD RESPONSIBLE FOR ANY DAMAGE CAUSED AS A RESULT OF USING OUR PRODUCTS.
Distribution & pricing
Using Syphoon requires purchasing a license to obtain a copy of the software. Multi-user licenses are available for large groups and offer a discounted per-unit price.
The full range of prices is presented in the table below:
|License type||User count||Price per unit (CHF)|
* Student licenses are available at a highly discounted price. However these are restricted to a research use only. The student license can not be used in a professional context.
The Syphoon license is valid for 3 years from the date of purchase and entitles one person to use it on as many systems as desired. Licenses are non-refundable & non-transferable.
Upon purchasing, a licensed copy of the software will be produced and packaged on a dedicated USB flash drive. Additionally, a copy will be sent digitally for immediate use.
Also included with the license is exclusive access to all future updates and extensions made to the Syphoon solution (during the validity of the license), as well as insider-exclusive tutorials / payloads / examples.
Please note that licenses can be revoked at any time in case of misconduct or abuse of any kind.
Only eligible customers may purchase a license. Purchase requests will be individually evaluated on a case-by-case basis and may be denied without further reason or explanation. Eligible entities include:
- Schools / universities
- Research groups
- Security companies
- Individual security researchers
Other populations may be admissible in special cases. We ultimately reserve the right to decide who is eligible for a license.
If you would like to purchase a license and obtain a copy of the software, please contact us directly through one of the channels listed on our contact page.
We will create an invoice for the desired number of licenses. Upon receiving payment, we will issue a licensed copy of the software and ship one USB flash drive per license to your desired location. Free worldwide shipping is included.
At a minimum, Syphoon needs to know what network interface to operate on.
This is actually the only required command-line argument.
# syphoon wlan0
Any asset captured (see "Asset collection" below) during the session will be stored in a file within the DATA_ROOT directory, with a name of "assets-XXX.db" (where XXX is a number which auto-increments to avoid overwriting previous assets).
A log file is automatically produced for the session. Also stored in the DATA_ROOT directory, with a name of "syphoon-YYY.log". Again, YYY is a number which auto-increments to avoid overwriting previous log files.
Now would be a good time to introduce the DATA_ROOT directory, as it will be mentioned a few more times through this guide.
Syphoon reads configuration and stores some files while running. All of these files are stored inside a directory generally referred to as "DATA_ROOT".
By default, this is simply a folder named "data" in the current directory. However, this can be overridden simply by adding the desired DATA_ROOT directory as the last positional argument to the command-line.
# syphoon wlan0 ./some/path/
This will instruct Syphoon to use files from the desired directory, both for configuration and assets / logging.
Running Syphoon just like this (with no command-line arguments other than the network interface) will start "auto-poison" mode (unless overridden by configuration files - see below).
In this mode, Syphoon will scan the network and automatically start poisoning every host into believing it (or the host it's running on) is the default gateway for the network.
This means all hosts on the network will start communicating with the internet through Syphoon, thus allowing it to capture sensitive information and manipulate what they see.
By default, Syphoon only poisons one way, from hosts to the default gateway. This usually fits most scenarios where authentication material needs to be captured. However when both directions are needed, Syphoon can be given the '-b' command-line argument to enable bi-directional poisoning.
This will allow Syphoon to also sniff and manipulate communications "back" from the gateway to the hosts.
# syphoon -b wlan0
This can become useful whenever Syphoon needs to modify things like HTTP responses.
Configuration files can be placed in the DATA_ROOT directory (specified as a positional command-line argument - see advanced help below) to modify Syphoon's behavior.
By default, the DATA_ROOT directory is "./data" (from the current directory).
|Configuration file||Description||Example contents|
|psn.txt||List of IP addresses to poison||
|imp.txt||List of IP addresses to impersonate||
|domignore.rex||List of domain regular expressions to ignore (don't log anything for these domains)||
List of DOMAIN:TARGET pairs for which to respond to DNS queries
When TARGET is a hostname, a 'CNAME' response will be sent
When TARGET is an IP address, an 'A' response will be sent
When TARGET is '0', an 'A' response for the local IP will be sent
List of regular expressions to capture assets from text-based communication
The full syntax for this file is documented within the example provided as part of the Syphoon distribution
|# HTTP Bearer Token (JWT-like)
^Authorization: bearer (?P<gentoken>[^\r\n]+)[\r\n]+
|mac-vendors.tdata||MAC vendor database - table data||-|
|mac-vendors.sdata||MAC vendor database - string data||-|
|ssh-dsa.key||SSH private key (DSA)||-|
|ssh-rsa.key||SSH private key (RSA)||-|
|ssh-dsa.key.pub||SSH public key (DSA)||-|
|ssh-rsa.key.pub||SSH public key (RSA)||-|
SSL certificate for secure socket smashing
SSL private key for secure socket smashing
Some of these files are provided as part of the Syphoon distribution. The gentxt-assets.rex file in particular should serve as a reference and example of what can be done with it.
Some of the files are not meant to be manipulated by hand, but instead are generated using tools provided in the "util" directory of the Syphoon distribution.
Sometimes auto-poison is not the way to go. When specific targeting is needed, the "psn.txt" and "imp.txt" files can be placed in DATA_ROOT (see "configuration files" above).
These disable auto-poison mode and allow for more precise targeting.
If only a few hosts are to be poisoned / impersonated, the '-P' and '-I' command-line arguments can also be used (even multiple times) to directly specify which host(s) to poison (-P) and which to impersonate (-I). These also disable auto-poison mode but take precedence over the configuration files "psn.txt" and "imp.txt".
# syphoon -I 10.0.0.99 -I 10.0.0.110 -P 10.0.0.12 wlan0
In the example above, only host 10.0.0.12 is poisoned into believing both 10.0.0.99 and 10.0.0.110 are in fact the host running Syphoon.
Syphoon is designed to look for patterns of text within any clear-text communication it has access to.
This includes clear-text packets, smashed sockets as well as streams proxied through HTRelay (see sections below).
The "gentext-assets.rex" contains a set of regular expressions to extract interesting assets from most common protocols.
Expected to be customized and / or extended to fit specific needs, its default contents should serve as a reference on how to use it as well as an example of what can be captured with it.
One of the key strengths of Syphoon is its ability to intercept TCP streams, referred to as "socket smashing". Basically, Syphoon is able to capture TCP connection requests for any destination and accept them, while simultaneously creating a client TCP stream to the real destination. This allows for transparent relaying of TCP streams, which is key to manipulating / injecting data into the stream without breaking it, maintaining stable and transparent communication.
This can be achieved both on "regular" TCP sockets (clear-text) as well as SSL sockets.
Just by itself, socket smashing is not very useful. However, this ability to relay streams (both cleartext and SSL) is the basis for using Syphoon's other mechanisms, in particular injection.
When smashing SSL sockets, a self-signed certificate will be presented to the client, which should usually display a warning / certificate alert to the user. In many cases such certificate warnings are simply ignored by most users.
An example certificate is provided with the Syphoon distribution (see "configuration files" above). A new one can be generated using the "update-ssl-material" script from the "util" directory.
-r PROTO:SPORT:DPORT REGEX CASE STR PAD
Syphoon's replace mechanism allows automatically replacing patterns of text within packets. This happens directly at a packet level (no concept of socket) ensuring highest performance, however this also implies that only clear-text communication can be affected (for SSL, see "Inject" below).
Defined through the '-r' command-line argument, replace will look for occurrences of the supplied REGEX (case-sensitive if CASE is non-zero) within packets matching the protocol specification (PROTO:SRC:DST).
Any time a match is found, the first capture group within REGEX will be replaced with STR.
Because modifying the length of packets would break TCP streams, STR will be padded with PAD or truncated if needed to match the available space.
Below is an example for replacing the "User-Agent" header's value within HTTP requests:
# syphoon -r tcp:0:80 '^User-Agent: (.*)\$' 0 'PWNED' '!' wlan0
In the example above, bi-directional poisoning is not necessary considering only requests are being modified. However when looking to modify responses, bi-directional poisoning will need to be enabled with the '-b' argument.
-i PORT MODE REGEX CASE STR
Inject allows more flexibility than the replace mechanism (described above). Instead of having to maintain packet size by truncating or padding, inject relies on socket smashing (see above) to allow size alterations. Injection operates on smashed sockets as well as any communication proxied through HTRelay (see "Integrated services" below).
Obviously, this will take up more processing and network resources than the replace mechanism, but allows for more complex injections.
The "mode" argument defines where the injection point will be placed (relative to the first capture group in REGEX). Its value can be one of "before", "after" or "inplace".
# syphoon -s 80 -i 80 after '(<body>)' 0 '<img src=x onerror=alert("XSS")>' wlan0
In this example, bi-directional poisoning is not required (even though HTTP responses are being modified) since HTTP sockets are being smashed anyways (implying all HTTP communication goes through Syphoon).
DNS is a core element of modern day networks. Careful manipulation of queries and responses can offer great tactical advantages in certain situations.
Syphoon has the ability to interact with DNS queries - either letting them through to their intended destination, or directly intercepting and responding to them.
The "domsmasher.txt" configuration file is used to define how to interact with specific domains. Each line in the file is a DOMAIN:TARGET pair, where DOMAIN can start with a wildcard (*), and TARGET can be a hostname, an IP address, or the special value 0.
When TARGET is an IP address, any DNS query matching DOMAIN will be intercepted by Syphoon and responded to with an "A" (HOST) record pointing to TARGET.
When TARGET is a hostname, a "CNAME" (ALIAS) record referencing TARGET will be served instead.
When TARGET is the special value "0", an "A" (HOST) record pointing to the host running Syphoon will be served.
Whenever a host initiates a TCP stream, Syphoon can transparently divert it from its intended destination to any desired endpoint.
The '-j' command-line argument is used to define a network hook to redirect streams intended for IP:PORT to TARGET:TARGET_PORT.
If IP is "0", TCP connections from all hosts made to PORT will be hooked.
TARGET can be set to "0" to hook connections back to the host running Syphoon (using a TARGET of "127.0.0.1" will not work since this address is on a different interface).
A common example is to redirect SSH streams to Syphoon's integrated SSH service (see "Integrated services" below) in order to capture credentials. To accomplish this, the SSH service must be enabled (-z) and a network hook must be created accordingly:
# syphoon -z -j 10.0.0.42:22:10.0.0.99:10022 wlan0
Syphoon includes some embedded services for common protocols in an attempt to further facilitate more elaborate scenarios.
Syphoon embeds a tiny SSH server which, when started with the '-z' command-line argument, listens for connections on TCP port 10022.
Upon connecting, clients will be prompted to authenticate with a username and password. Any credentials they provide will be captured and stored as assets, however the authentication will never actually complete.
HTRelay transparent HTTP proxy
The HTRelay proxy offers a simple solution to transparently relay HTTP(S) connections. When started with the '-h' command-line argument, the service listens for connections, accepting clear-text HTTP on TCP port 80 and HTTPS on port 443.
HTRelay uses the "Host" header to determine where to relay the connection, then transparently proxies the communication allowing for injection and sniffing.
As mentioned earlier (see "Inject" above), any communication proxied through HTRelay is also subjected to any injection pattern defined using the '-i' argument.
This is particularly useful when combined with domain smashing to focus on specific internet targets.
Although socket smashing enables Syphoon to strip SSL on secure communications, the actual clear-text exchanges are internal to Syphoon and not directly visible from a packet monitor (TCPdump / Wireshark / ...) running on the same system.
For this reason, the '-d' command-line argument is available to instruct Syphoon to dump all SSL-stripped exchanges to a file for later inspection and analysis.
# syphoon -S 995 -S 443 -d ssl-dump.pcap wlan0
The dump file is produced in libpcap format, allowing for easy loading into most common tools such as Wireshark. However, because the actual data represents exchange chunks within stripped SSL streams rather than actual packets, the chunks are represented as UDP packets with matching ports and IP addresses.
This can prove useful when looking to understand non-standard protocols protected by SSL.
Automatic setup scripts
The flexibility offered by the various replace / inject / smash features allows for some complex scenarios.
The number of command-line arguments can quickly grow to impractical levels when combining multiple patterns. In addition, many patterns are in fact quite common, generic and re-usable.
A typical example is the manipulation of HTTP responses, which usually also requires manipulation of some headers to disable caching and gzip compression.
To alleviate all of these issues, Syphoon includes a light scripting system which allows packaging what would normally be a collection of command-line arguments into simple parametric files (hence "scripts").
When placed in the "DATA_ROOT/scripts" directory, these "scripts" can be called upon easily from the command line using the '-a' argument. As mentioned, scripts can accept parameters to further improve their flexbility.
# syphoon -a 'http-easy-replace:80' wlan0
Some basic scripts are provided for common tasks such as:
- http-easy-replace - Enable bi-directional poisoning, disable compression and caching to facilitate HTTP payload manipulation with 'replace'
- http-easy-inject - Disable compression and caching to facilitate HTTP payload manipulation with 'inject'
Creating new scripts
To create a new script, a file must be created in "DATA_ROOT/scripts" with the desired name (the name of the file will be the name used to call the script).
The example below is the "http-strip-encoding-replace" script included with the Syphoon distribution:
# Disable HTTP encoding to allow text-based replacements
# *  TCP Port (usually 80)
replace tcp:0:$0$ '^(Accept-Encoding: [^\r\n]*)\$' 0 'X-A: 0' 0
Each line can be either a comment (starting with '#'), an empty line or a command from the table below followed by its matching arguments (if any).
||Configure a replacer (same as -r)|
||Configure an injector (same as -i)|
||Configure network hook (same as -j)|
||Configure clear-text socket smashing on PORT|
||Configure SSL socket smashing on PORT|
|htrelay||Enable HTRelay proxy|
|sshserv||Enable SSH service|
|bidir||Enable bi-directional poisoning|
||Call SCRIPT_NAME with SCRIPT_PARAMETERS|
As mentioned previously, scripts can accept parameters which extend their flexibility.
Parameters are referenced by their index number enclosed between two dollar signs ('$'); they can be placed anywhere within the arguments passed to commands or other scripts. Their usage is demonstrated in the example script above.
Below is the complete help, which can be obtained from the "syphoon --help" command.
## syphoon --help
Usage: syphoon [OPTION...] INTERFACE [DATA_ROOT]
Syphoon - MitM Tool
Syphoon uses ARP cache poisoning to redirect communications through itself,
allowing easy sniffing / manipulation of packets.
The 'data' directory (configurable through the DATA_ROOT command-line argument)
contains both session output (logs / assets) and configuration files.
The following configuration files can be placed in DATA_ROOT:
* psn.txt - List of IP addresses to be targeted (poisoned)
* imp.txt - List of IP addresses to be impersonated
* domignore.rex - List of regular expressions defining which domains
to ignore requests for (don't log these domains)
* domsmasher.txt - List of DOMAIN:TARGET pairs for which to respond to
DNS queries (DOMAIN can contain wildcards, TARGET can
be an IP address, a hostname, or the value '0' -
when TARGET is an IP, an 'A' response will be sent -
when TARGET is a hostname, a 'CNAME' will be sent -
when TARGET is '0', the local IP will be sent as 'A')
* gentxt-assets.rex - List of regular expressions to capture assets from
* mac-vendors.tdata - MAC vendor table data
* mac-vendors.sdata - MAC vendor string data
* ssh-dsa.key - SSH private key (DSA)
* ssh-rsa.key - SSH private key (RSA)
* ssh-dsa.key.pub - SSH public key (DSA)
* ssh-rsa.key.pub - SSH public key (RSA)
* ssl.crt - SSL certificate for secure socket smashing
* ssl.key - SSL private key for secure socket smashing
By default, Syphoon only sniffs traffic going from the poisoned hosts to the
impersonated hosts (only in this direction). If required, the '-b' option can
be used to force sniffing in both directions.
Clear-text communications are passed through the generic-text asset detector,
which uses the regular expressions defined in DATA_ROOT/gentxt-assets.rex to
identify and extract interesting data.
By default, Syphoon operates in 'auto-poison' mode: any host discovered is
poisoned into believing the host running Syphoon is the default gateway.
This default behavior can be overridden through configuration files 'psn.txt'
and 'imp.txt' in DATA_ROOT. If these are present, auto-poison mode is disabled
and only the hosts listed in 'psn.txt' will be poisoned into believing this
host impersonates every address listed in 'imp.txt'.
In addition, this can be further overridden using command-line arguments '-P'
and '-I'. When used, these arguments also disable auto-poison mode but take
precedence over the files in DATA_ROOT.
# DOMAIN SMASHING
Whenever a DNS query is detected, Syphoon will interrupt it if it matches a
pair in the DATA_ROOT/domsmasher.txt file, and directly respond to it. This
allows for some very specific attacks, especially when combined with HTRelay or
SSH services (see 'SERVICES' below).
# REPLACE / INJECT
The 'replace' option (-r) allows replacing occurrences of a regex with a
specific text within any packet matching the PROTO:SRC:DST parameters. To avoid
breaking TCP streams, replacers must always respect the packet size - when
replacing a string that is too short or too long, some padding or stripping may
Replacers only operate on general packets going through Syphoon (not socket
smashing / services).
The 'inject' option (-i) allows injecting text based on regex matches. Unlike
the replace option, inject operates on smashed sockets and streams proxied
through HTRelay to allow altering the size of messages. This requires either
socket smashing (-s / -S) to be configured on the desired port or an HTRelay
# SOCKET SMASHING
Socket Smashing (-s / -S) is the process of intercepting TCP streams and
relaying them to the real destination. Socket Smashing can be performed on
cleartext or SSL sockets. This allows SSL-stripping and flexible manipulation
of messages (see 'inject' above).
# SSL DUMP
Smashed SSL sockets and HTTPS communications proxied through HTRelay can be
dumped to a file using the '-d' argument for later inspection. SSL data chunks
are stored using the libpcap format, allowing the file to be read easily with
existing tools. However, the data chunks do not actually represent physical
packets. Therefore, they are represented as UDP packets with corresponding port
# NETWORK HOOKS
The 'hook' option (-j) creates a network hook to redirect any TCP connection
for IP:PORT to another endpoint (TARGET:TARGET_PORT). If IP is set to 0,
streams from all hosts will be hooked. For TARGET, the special value 0 will be
replaced with the IP address of the host running Syphoon (hook streams to local
host). Please note: using '127.0.0.1' as TARGET will not work as this address
is on a different interface.
The SSH service implements only a login prompt, which hangs after
authentication. It can be combined with network hooks or domain smashing to
collect SSH credentials.
The HTRelay service acts as a transparent HTTP proxy. It can be combined with
domain smashing or network hooks to facilitate replacing, injection and
sniffing on HTTP(S).
# AUTO-SETUP SCRIPTS
The collection of replace/inject/smash/hook/service arguments can quickly grow
to impractical levels when conducting complex attacks. To avoid having to write
ridiculously long command lines, commonly-used or generic arguments can be
packaged into automatic setup scripts, placed in DATA_ROOT/scripts. These can
be invoked using the '-a' argument to automatically setup various aspects. A
small collection of scripts is packaged along with the Syphoon distribution to
serve as examples and also cover some common basic needs.
-a, --auto=SCRIPT[:ARGS] Add automatic setup from SCRIPT (using ARGS)
-b, --bidir Enable bi-directional poisoning (for auto poison
-d, --ssldump=FILE Dump SSL communications from smashed sockets and
HTRelay to FILE (pcap-format)
-h, --htrelay Enable HTRelay service
-i, --inject=PORT MODE REGEX CASE STR
Inject STR according to MODE (either 'before',
'after', or 'inplace' of the first capture group)
in REGEX (case-sensitive if CASE is not 0), for
I/O relayed traffic on PORT (requires socket
smashing or htrelaying)
-I, --imp=IP Specifically impersonate IP (disables auto mode)
Hook network traffic (redirect IP:PORT to
TARGET:TARGET_PORT, IP can be set to 0 to hook all
hosts, TARGET can be set to 0 to hook to local
-P, --psn=IP Specifically poison IP (disables auto mode)
-r, --replace=PROTO:SPORT:DPORT REGEX CASE STR PAD
Passively replace occurrences of the first capture
group in REGEX (case-sensitive if CASE is not 0)
with STR in packets matching PROTO:SPORT:DPORT
(where PROTO can be 'tcp' or 'udp', and PORTs can
be 0 to match anything) - STR will be truncated
when longer than the matched expression - when
shorter, remaining bytes will be filled with PAD
-s, --ssc=PORT Enable clear-text socket smasher on PORT
-S, --sss=PORT Enable SSL socket smasher on PORT
-v, --verbose Produce verbose output
-z, --ssh Enable SSH service
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.
Report bugs to <firstname.lastname@example.org>.