Initial commit — SetecMITM generic IoT MITM framework

Templated from cam-mitm. The camera-specific code (UBox cloud client, CVE verifiers, OAM HMAC signing, fuzzer wordlists) is removed; what's left is the generic core: ARP spoof, DNS spoof, HTTP/HTTPS interception with peek-before-wrap, raw sniffer with conntrack-based original-dst lookup, protocol fingerprinting, intruder detection, packet injection, log rotation, PyQt6 GUI on top of a service Controller. All 'camera' references renamed to 'target' throughout. Configuration moved into ~/.config/setec-mitm/config.json with the Settings tab as the primary editor. Plugin system at targets/<name>/plugin.py for vendor-specific code. See README.md for full setup, plugin authoring, and troubleshooting. Co-authored by Setec Labs.
2026-04-09 08:38:59 -07:00
commit 20e7eb343d
22 changed files with 2377 additions and 0 deletions
--- a/targets/example/plugin.py
+++ b/targets/example/plugin.py
@@ -0,0 +1,75 @@
+"""
+Example target plugin for SetecMITM.
+
+A plugin is just a Python module under `targets/<name>/plugin.py` that
+exposes a `Plugin` class. The Controller imports it on startup if
+`target_plugin = "<name>"` is set in the config.
+
+A plugin can do anything: register custom DNS spoof rules, install extra
+HTTP request handlers, add a known-endpoint list to the fuzzer, register
+its own CVE verifiers, or extend the protocol fingerprinter. The simplest
+useful plugin is the one that knows the device's expected cloud
+hostnames + the device's UDP P2P port — that's enough to bootstrap
+intruder detection and traffic decoding.
+
+Copy this directory to `targets/<your_brand>/` and edit.
+"""
+
+from utils.log import log, C_INFO
+
+
+class Plugin:
+    NAME = "example"
+    DESCRIPTION = "Skeleton plugin showing the expected interface."
+
+    # Expected outbound destinations the target talks to. Anything
+    # outside this list gets flagged in the Intruders tab.
+    KNOWN_CLOUD_NETS = [
+        # ("8.8.8.0", 24),    # example: Google DNS
+    ]
+
+    # Hostnames to spoof in DNS interception. Empty = spoof all.
+    DNS_SPOOF_HOSTS = [
+        # "api.example.com",
+    ]
+
+    # UDP ports the target uses for P2P / push notifications.
+    UDP_PORTS = [
+        # 10240,
+    ]
+
+    # Known API endpoints (for the future fuzzer module).
+    KNOWN_API_ENDPOINTS = [
+        # "/api/v1/login",
+        # "/api/v1/devices",
+    ]
+
+    def __init__(self, cfg):
+        self.cfg = cfg
+        log(f"plugin '{self.NAME}': initialized", C_INFO)
+
+    # ── Optional hooks (Controller calls these if defined) ──
+
+    def on_start(self):
+        """Called once when MITM services are about to start."""
+        pass
+
+    def on_stop(self):
+        """Called once when MITM services have stopped."""
+        pass
+
+    def custom_http_handler(self, request):
+        """
+        Optional: handle an intercepted HTTP request that the framework
+        otherwise wouldn't know what to do with. Return a (status, body)
+        tuple, or None to fall through.
+        """
+        return None
+
+    def detect_protocol(self, payload_first_bytes):
+        """
+        Optional: extend the built-in protocol fingerprinter. Return a
+        short label (e.g. "MyVendor-P2P") or None to fall through to
+        the framework's default detection.
+        """
+        return None