Home page logo

metasploit logo Metasploit mailing list archives

SniffJoke integration in metasploit
From: vecna <vecna () s0ftpj org>
Date: Tue, 03 May 2011 02:02:57 +0200

Hash: SHA1

Hi metasploit team,

I would like to introduce you to a project: SniffJoke. Sj is a flexible
framework for anti-sniffing and anti-IDS, it runs only under linux, at
the moment, since it is a userspace software able to stop, delay and
mangle the outgoing packets after the kernel. This ability is required
in order to modify the TCP session patterns, and cause IDSs and sniffers
to malfunctions. The first, oldest and anyway useful reference is [1],
and the recent techmarketing-idea from StoneSoft "anti evasion
techniques" [3] has reproposed this topic to the security industries.

anyway, I presume there features would be of great use to the metasploit
project, I'm looking for someone inside your organisation that can:

1) test the beta6 of sniffjoke [2]
2) develop a ruby binding
3) study a specific interface to create a framework similar to
metasploit. I would develop the C++ section of code.

some plausible effects I hope to reach are:

1) make it possible, using the metasploit package, to select a specific
evasion technique
2) plan a packet splitting, reordering, delay, fragmentation, fragment
overlapping, premature expiration of a packet, as a configurable
advanced option when running an exploit inside metasploit

Note: the main difference between the first paper and the recent AET
presentations ([1] and  [4] respectively) is: SecNet studies work in the
IP and TCP layer, AET works by doing a mixed from TCP and application
layer injections.

Note 2:sniffers and IDSs work in different ways, sniffjoke is mainly
though as a tool to protect from massive sniffing: not from an active
mechanism like transparent proxies nor from inline filtering.

The main goal for sniffjoke is to also implement application layer
protocol evasion, in two ways:

1) inject instead of a random payload, some data coherent to the
application protocol
2) some dissectors are not based on the RFC but on the reversing of the
protocols common usage, it is possible to stretch the applicative
implementation using to the best what is supported by the remote service.

LIMITS: at the moment only the Linux version is coded. I'm working on
the BSD/MacOSX porting (the system dependent elements are: iptables,
route command, TUN device usage with ioctl).

[1] http://insecure.org/stf/secnet_ids/secnet_ids.pdf Insertion,
Evasion, and Denial of Service: Eluding Network Intrusion Detection
[2] http://www.delirandom.net/20110317/sniffjoke-04-betatesting-invite/
[3] http://www.antievasion.com/faq
[4] http://www.antievasion.com/principles/principles/part-3
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]