PhanTap (Phantom Tap)

PhanTap is an ‘invisible’ network tap aimed at red teams. With limited physical access to a target building, this tap can be installed inline between a network device and the corporate network. PhanTap is silent on the network and does not affect the victim’s traffic, even in networks using NAC (Network Access Control, 802.1X-2004). PhanTap analyzes traffic on the network and masks its own traffic as that of the victim device. It can mount a tunnel back to a remote server, giving the user a foothold in the network for further analysis and pivoting. PhanTap is an OpenWrt package and should be compatible with any device. The physical device currently used for our testing is a small, inexpensive router, the GL.iNet GL-AR150. You can find a detailed blogpost describing PhanTap here.

Features:

Setup

PhanTap has been tested with the GL.iNet GL-AR150. This device has two separate network interfaces in OpenWrt (eth0, eth1). If your device uses an internal switch (swconfig based) with interfaces like eth0.1 and eth0.2, some special traffic might be blocked, e.g. 802.1Q (tagged VLAN), but PhanTap should still work.

opkg update
opkg install phantap
# uci show network | grep -E 'device=|ports='
network.loopback.device='lo'
network.@device[0].ports='eth0'
network.lan.device='br-lan'
network.wan.device='eth1'
network.wan6.device='eth1'
network.phantap.device='br-phantap'

In this example we are using a GL-AR150, which only has 2 interfaces.

uci delete network.@device[0].ports
uci delete network.wan.device
uci delete network.wan6.device
uci add_list network.br_phantap.ports='eth0'
uci add_list network.br_phantap.ports='eth1'
uci commit network
/etc/init.d/network reload

Limitations, or how it can be detected:

Roadmap: