Introducing
Sock Puppet
- Agent
- Agent Impersonator
- Broker
- Client
Agent
The agent is a small daemon that forks one or more plugins and establishes a secure connection to the broker. Plugins can be written in any language; they communicate with the agent over a domain socket.
The plugins write data to the domain socket, and the agent in turn forwards that data to the broker.
- Outbound: TCP/443 to the broker
- Inbound: Can block all or allow as other use cases require
- ESTABLISHED/RELATED required
Broker Connection Security:
- Google Service Account to fetch JWT from storage bucket
- JWT sent to broker during connection
Broker
The broker negotiates data exchange between the agents and the client. Every client that connects, whether an agent, an agent impersonator, or a web client, has a connection type.
When a non-agent connects (i.e. a web client or other user interface), it can subscribe to an agent's stream. As agents send data to the broker, the broker forwards the data to all clients subscribed to that agent's stream.
The broker also has a private certificate that is used to generate a JWT for agent connections. The JWT is rotated on a very short interval and pushed to a private Google storage bucket.
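A sketch of how a broker could mint and check such a short-lived token, added here as an example; it is not Sock Puppet's code. The RS256 algorithm, the claim names, the 60-second lifetime and the inline-generated key pair are assumptions, since the page does not specify them.

```javascript
// Added example: constructed keys, claims and lifetimes; not Sock Puppet's code.
const crypto = require("node:crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");

// Broker side: mint a short-lived RS256 token for agents to present.
function mintToken(privateKey, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const header = b64u(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = b64u(JSON.stringify({ sub: "agent", iat: now, exp: now + ttlSeconds }));
  const signingInput = `${header}.${payload}`;
  const sig = crypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64u(sig)}`;
}

// Broker side: check a token presented during connection.
function verifyToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [header, payload, sig] = parts;
  let h, p;
  try {
    h = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    p = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm: never let the token choose how it is verified.
  if (!h || h.alg !== "RS256") return { ok: false, reason: "bad-alg" };
  const valid = crypto.verify("sha256", Buffer.from(`${header}.${payload}`), publicKey,
    Buffer.from(sig, "base64url"));
  if (!valid) return { ok: false, reason: "bad-signature" };
  if (!p || typeof p.exp !== "number" || now >= p.exp) return { ok: false, reason: "expired" };
  return { ok: true, claims: p };
}

// Constructed demo: 60 s lifetime; token checked while fresh, once stale, and after tampering.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const t0 = 1700000000;
  const token = mintToken(privateKey, 60, t0);
  const [h, , s] = token.split(".");
  const forged = `${h}.${b64u(JSON.stringify({ sub: "agent", iat: t0, exp: t0 + 86400 }))}.${s}`;
  return {
    fresh: verifyToken(token, publicKey, t0 + 30),
    stale: verifyToken(token, publicKey, t0 + 61),
    forged: verifyToken(forged, publicKey, t0 + 30),
  };
}
```

With a short lifetime, a token copied out of the bucket stops working as soon as the next rotation window passes, which is what the `stale` case shows.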
PCAP Filtering Demo
To see meaningful data quickly, it helps to filter out traffic that has no associated log file data, bots, and general noisy garbage data. Classifications might be described at a later time.
Test Case Streaming Demo
Utilizes the agent impersonator feature. The client connects directly to the broker and impersonates an agent. This provides the ability to have short-lived processes, not part of any given agent, executed in a CI/CD pipeline or local development environment to stream data to the broker.
Using the impersonator functionality is as simple as:
import SockAgentImpersonator from "@ccyphers/sock_agent_impersonator"

// top-level await: run this as an ES module
const streamImpersonator = await SockAgentImpersonator(
  "casper",
  "tc_results",
  "Test Case Results",
  "tc_results",
  "https://puppet.casperconnection.com/sock",
  "/google_auth.json"
)

// sending image data (screenshot is assumed to be a Buffer holding a PNG):
await streamImpersonator.stream({
  type: 'image',
  imageType: 'png',
  data: screenshot.toString('base64')
})

// sending text data:
await streamImpersonator.stream({
  type: 'text',
  data: "something"
})