Mística

Mística Logo by JoelGMSec

Mística is a tool that embeds data into application-layer protocol fields in order to establish a bi-directional channel for arbitrary communications. Encapsulation into the HTTP, HTTPS, DNS and ICMP protocols is currently implemented, and more protocols are expected to be introduced in the near future.

Mística has a modular design, built around a custom transport protocol called SOTP (Simple Overlay Transport Protocol). Data is encrypted, chunked and placed into SOTP packets. The SOTP packets are then encoded, embedded into the desired field of the application protocol, and sent to the other end.

The goal of the SOTP layer is to offer a generic binary transport protocol with minimal overhead, so that SOTP packets can be easily hidden or embedded in legitimate application protocols. SOTP also makes sure that packets are received by the other end, encrypts the data using RC4 (this may change in the future), and lets information flow transparently in both directions by using a polling mechanism.

Modules interact with the SOTP layer for different purposes:

Wrapper and overlay modules work together to build custom applications, e.g. input redirection over DNS or remote port forwarding over HTTP.

Mística’s modular design allows easy development of new modules. A user can also fork an existing module to use a custom field or encoding, or to modify the behavior of an overlay module.

There are two main pieces of software:

Demos

You can see some Mística demos in the following playlist

Dependencies

The project has very few dependencies. Currently:

python3.7 -m pip install pip --user
pip3.7 install dnslib --user

If you don't want to install Python on your system, you can use one of the following portable versions:

Current modules

Overlay modules:

Wrap modules:

Usage

ms.py: Mística Server

Here's what the help message looks like:

usage: ms.py [-h] [-k KEY] [-l LIST] [-m MODULES] [-w WRAPPER_ARGS]
             [-o OVERLAY_ARGS] [-s WRAP_SERVER_ARGS]

Mistica server. Anything is a tunnel if you're brave enough. Run without
parameters to launch multi-handler mode.

optional arguments:
  -h, --help            show this help message and exit
  -k KEY, --key KEY     RC4 key used to encrypt the comunications
  -l LIST, --list LIST  Lists modules or parameters. Options are: all,
                        overlays, wrappers, <overlay name>, <wrapper name>
  -m MODULES, --modules MODULES
                        Module pair in single-handler mode. format:
                        'overlay:wrapper'
  -w WRAPPER_ARGS, --wrapper-args WRAPPER_ARGS
                        args for the selected overlay module (Single-handler
                        mode)
  -o OVERLAY_ARGS, --overlay-args OVERLAY_ARGS
                        args for the selected wrapper module (Single-handler
                        mode)
  -s WRAP_SERVER_ARGS, --wrap-server-args WRAP_SERVER_ARGS
                        args for the selected wrap server (Single-handler
                        mode)
  -v, --verbose         Level of verbosity in logger (no -v None, -v Low, -vv
                        Medium, -vvv High)

There are two main modes in Mística Server:

mc.py: Mística Client

Here's what the help message looks like:

usage: mc.py [-h] [-k KEY] [-l LIST] [-m MODULES] [-w WRAPPER_ARGS]
             [-o OVERLAY_ARGS]

Mistica client.

optional arguments:
  -h, --help            show this help message and exit
  -k KEY, --key KEY     RC4 key used to encrypt the comunications
  -l LIST, --list LIST  Lists modules or parameters. Options are: all,
                        overlays, wrappers, <overlay name>, <wrapper name>
  -m MODULES, --modules MODULES
                        Module pair. Format: 'overlay:wrapper'
  -w WRAPPER_ARGS, --wrapper-args WRAPPER_ARGS
                        args for the selected overlay module
  -o OVERLAY_ARGS, --overlay-args OVERLAY_ARGS
                        args for the selected wrapper module
  -v, --verbose         Level of verbosity in logger (no -v None, -v Low, -vv
                        Medium, -vvv High)

Parameters

Examples and Advanced use

Remember that you can list all of the accepted parameters of a module with -l <module_name> (e.g. ./ms.py -l dns). Also remember to use a long and complex key to protect your communications!

HTTP

In order to illustrate the different methods of HTTP encapsulation, the IO redirection overlay module (io) will be used for every example.

DNS

In order to illustrate the different methods of DNS encapsulation, the IO redirection overlay module (io) will be used for every example.
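Since every DNS wrapper has to carry its SOTP chunks inside query names, the resolver log is where a defender would look for this channel. The following script is an added example written for this page; it is not part of Mística and the log lines, field layout (timestamp, client, query name, query type), thresholds and the two-label registered-domain assumption are all constructed for illustration. It scores each query on label length and subdomain entropy, then groups queries by (client, registered domain) and flags pairs that also generate an unusually large number of distinct subdomains, which any cache-avoiding tunnel must do.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query log lines (not real traffic):
# "<unix-timestamp> <client-ip> <query-name> <query-type>"
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com MX
1700000003 10.0.0.7 a3f9k2m8q1z7x4c6v0b5n2l8p3r6t9w1.t1.example.net TXT
1700000004 10.0.0.7 b7h2j5d8s1f4g6k9l3q0w2e5r8t1y4u7.t1.example.net TXT
1700000005 10.0.0.7 c1v4b7n0m3x6z9a2s5d8f1g4h7j0k3l6.t1.example.net TXT
1700000006 10.0.0.5 cdn.example.com A
1700000007 10.0.0.7 d9q2w5e8r1t4y7u0i3o6p9a2s5d8f1g4.t1.example.net TXT
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded data scores high, dictionary words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, suffix_labels: int = 2):
    """Split a query name into (subdomain part, registered domain).

    Assumes a two-label registered domain such as example.com (an assumption made
    for this example); a real deployment would consult the public suffix list.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) <= suffix_labels:
        return "", qname
    return ".".join(labels[:-suffix_labels]), ".".join(labels[-suffix_labels:])


def parse_line(line: str) -> dict:
    """Parse one line of the constructed log format above."""
    ts, client, qname, qtype = line.split()
    return {"ts": int(ts), "client": client, "qname": qname.lower(), "qtype": qtype}


def score_query(query: dict, max_label: int = 30, min_entropy: float = 3.5) -> dict:
    """Per-query indicators: an unusually long label or a high-entropy subdomain string."""
    sub, domain = split_qname(query["qname"])
    longest = max(len(label) for label in sub.split("."))
    entropy = shannon_entropy(sub.replace(".", ""))
    reasons = []
    if longest > max_label:
        reasons.append("long-label")
    if entropy >= min_entropy:
        reasons.append("high-entropy")
    return {"qname": query["qname"], "domain": domain, "longest_label": longest,
            "entropy": round(entropy, 2), "reasons": reasons}


def analyze(log_text: str, min_unique: int = 4) -> list:
    """Group queries by (client, registered domain) and flag pairs that show per-query
    indicators or an unusual number of distinct subdomains.

    Thresholds are illustrative; tune them against a baseline of your own resolver logs.
    Returns (client, domain, sorted reasons) tuples.
    """
    unique_subs = defaultdict(set)
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        query = parse_line(line)
        scored = score_query(query)
        sub, domain = split_qname(query["qname"])
        key = (query["client"], domain)
        unique_subs[key].add(sub)
        reasons[key].update(scored["reasons"])
    flagged = []
    for key in sorted(unique_subs):
        why = set(reasons[key])
        if len(unique_subs[key]) >= min_unique:
            why.add("many-unique-subdomains")
        if why:
            flagged.append((key[0], key[1], sorted(why)))
    return flagged


if __name__ == "__main__":
    for client, domain, why in analyze(SAMPLE_LOG):
        print("%s -> %s: %s" % (client, domain, ", ".join(why)))
```

On the constructed sample only the 10.0.0.7 / example.net pair is reported: its labels exceed 30 characters, the subdomain strings score well above 3.5 bits per character, and four distinct subdomains appear in a handful of queries, while the three ordinary example.com lookups trip none of the checks. In practice the entropy and length thresholds catch unencoded-looking tunnels poorly and the unique-subdomain count is the more robust signal, so both are combined here.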

ICMP

When the Linux kernel receives an ICMP echo request packet, by default it automatically responds with an ICMP echo reply packet, without giving us any way to craft the reply ourselves. That's why we have to disable the kernel's ICMP responses in order to send our own replies carrying data that differs from what the client sent. To do this, we do the following:

Disable automatic ICMP responses by the kernel (root required) by editing the /etc/sysctl.conf file:

net.ipv4.icmp_echo_ignore_all=1

Now, in order to illustrate the different methods of ICMP encapsulation, the IO redirection overlay module (io) will be used for every example.
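The paragraph above also describes the property a defender can check for: a kernel-generated echo reply copies the request payload byte for byte, so a reply whose payload differs from its request was produced by something other than the kernel's ping handler. The script below is an added example for this page, not code from the Mística project; it parses ICMP echo messages from raw bytes, verifies the RFC 1071 checksum, pairs replies with requests by (identifier, sequence) and reports mismatched or unsolicited replies. The sample messages are constructed inline, and build_echo exists only to produce that test input.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message whose checksum field is zero."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply with a valid checksum; used here only for sample input."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(msg: bytes) -> dict:
    """Parse an ICMP echo message; raise ValueError if truncated, not an echo, or bad checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an echo message (type %d)" % icmp_type)
    # Recompute over the message with the checksum field zeroed and compare.
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": msg[8:]}


def is_valid_echo(msg: bytes) -> bool:
    """True if msg is a well-formed echo request/reply with a correct checksum."""
    try:
        parse_echo(msg)
        return True
    except ValueError:
        return False


def match_replies(messages) -> list:
    """Pair echo replies with the request carrying the same (id, seq).

    A kernel-generated reply echoes the request payload unchanged, so a reply whose
    payload differs was not produced by the normal ping handler; a reply with no
    matching request is unsolicited. Returns (id, seq, verdict) tuples in arrival order.
    """
    pending = {}
    verdicts = []
    for msg in messages:
        p = parse_echo(msg)
        key = (p["id"], p["seq"])
        if p["type"] == ICMP_ECHO_REQUEST:
            pending[key] = p["payload"]
            continue
        if key not in pending:
            verdicts.append((p["id"], p["seq"], "unsolicited"))
        elif pending.pop(key) != p["payload"]:
            verdicts.append((p["id"], p["seq"], "payload-mismatch"))
        else:
            verdicts.append((p["id"], p["seq"], "ok"))
    return verdicts


# Constructed sample exchange (not captured traffic): one normal echo pair, one pair whose
# reply carries different data, and one reply that no request asked for.
SAMPLE_MESSAGES = [
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh"),
    build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh"),
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, b"abcdefgh"),
    build_echo(ICMP_ECHO_REPLY, 0x1234, 2, b"\x02\x41\x00\x10hidden!!"),
    build_echo(ICMP_ECHO_REPLY, 0x1234, 9, b"x"),
]

if __name__ == "__main__":
    for ident, seq, verdict in match_replies(SAMPLE_MESSAGES):
        print("id=0x%04x seq=%d %s" % (ident, seq, verdict))
```

The parser works on the ICMP message alone, so to run it over real traffic you would strip the IP header from each captured datagram first. A host whose replies are flagged as payload-mismatch is worth a look at its net.ipv4.icmp_echo_ignore_all setting, since that is exactly what this section asks the operator to change.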

Shell and IO

You can get remote command execution over a custom Mística channel by combining the io and shell modules. Examples:

Port forwarding with tcpconnect and tcplisten

Docker

A Docker image has been created for local use. It avoids having to install Python or dnslib when you only want to test the tool, and it is also very useful for debugging and similar tasks because it avoids the noise generated by other local applications. To build and run it, follow these steps:

sudo docker build --tag mistica:latest .
sudo docker network create misticanw
sudo docker run --network misticanw --sysctl net.ipv4.icmp_echo_ignore_all=1 -v $(pwd):/opt/Mistica -it mistica /bin/bash
sudo docker run --network misticanw -v $(pwd):/opt/Mistica -it mistica /bin/bash

How to compile

Mística is developed in Python, which means that, in theory, it can be compiled.

To compile the tool we use PyInstaller, which generates a binary for the operating system it runs on. This means we can NOT cross-compile as in other languages such as C, C++, Go or Rust. We are working on a way to make this possible; in the meantime, here is the PyInstaller command that compiles Mística on any operating system:

Compile Mistica Client

As the Mística client has no dependencies, it can be compiled directly with PyInstaller. To compile it, follow these steps:

python3.7 -m pip install pyinstaller --user
pyinstaller --onefile \
  --hiddenimport overlay.client.io \
  --hiddenimport overlay.client.shell \
  --hiddenimport overlay.client.tcpconnect \
  --hiddenimport overlay.client.tcplisten \
  --hiddenimport wrapper.client.http \
  --hiddenimport wrapper.client.dns \
  --hiddenimport wrapper.client.icmp \
  --hiddenimport overlay.server.io \
  --hiddenimport overlay.server.shell \
  --hiddenimport overlay.server.tcpconnect \
  --hiddenimport overlay.server.tcplisten \
  --hiddenimport wrapper.server.wrap_module.http \
  --hiddenimport wrapper.server.wrap_module.dns \
  --hiddenimport wrapper.server.wrap_module.icmp \
  --hiddenimport wrapper.server.wrap_server.httpserver \
  --hiddenimport wrapper.server.wrap_server.dnsserver \
  --hiddenimport wrapper.server.wrap_server.icmpserver \
  mc.py

Compile Mistica Server

If you want to compile the Mística server, you need to install the dnslib library globally with pip (remember that it is the only dependency of Mística, and only for the server). To do this, follow these steps:

pyinstaller --onefile \
  --hiddenimport overlay.client.io \
  --hiddenimport overlay.client.shell \
  --hiddenimport overlay.client.tcpconnect \
  --hiddenimport overlay.client.tcplisten \
  --hiddenimport wrapper.client.http \
  --hiddenimport wrapper.client.dns \
  --hiddenimport wrapper.client.icmp \
  --hiddenimport overlay.server.io \
  --hiddenimport overlay.server.shell \
  --hiddenimport overlay.server.tcpconnect \
  --hiddenimport overlay.server.tcplisten \
  --hiddenimport wrapper.server.wrap_module.http \
  --hiddenimport wrapper.server.wrap_module.dns \
  --hiddenimport wrapper.server.wrap_module.icmp \
  --hiddenimport wrapper.server.wrap_server.httpserver \
  --hiddenimport wrapper.server.wrap_server.dnsserver \
  --hiddenimport wrapper.server.wrap_server.icmpserver \
  --hiddenimport dnslib \
  ms.py

Future work

Authors and license

This project has been developed by Carlos Fernández Sánchez and Raúl Caro Teixidó. The code is released under the GNU General Public License v3.

This project uses third-party open-source code, particularly: