Metasploit mailing list archives
SniffJoke integration in metasploit
From: vecna <vecna () s0ftpj org>
Date: Tue, 03 May 2011 02:02:57 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi metasploit team,

I would like to introduce you to a project: SniffJoke. Sj is a flexible framework for anti-sniffing and anti-IDS. It runs only under Linux at the moment, since it is a userspace software able to stop, delay and mangle the outgoing packets after the kernel. This ability is required in order to modify the TCP session patterns and cause IDSs and sniffers to malfunction.

The first, oldest and anyway useful reference is [1], and the recent techmarketing idea from StoneSoft, "anti evasion techniques" [3], has reproposed this topic to the security industry.

Anyway, I presume these features would be of great use to the metasploit project. I'm looking for someone inside your organisation that can:

1) test the beta6 of sniffjoke [2]
2) develop a ruby binding
3) study a specific interface to create a framework similar to metasploit.

I would develop the C++ section of code. Some plausible effects I hope to reach are:

1) make it possible, using the metasploit package, to select a specific evasion technique
2) plan a packet splitting, reordering, delay, fragmentation, fragment overlapping, premature expiration of a packet, as a configurable advanced option when running an exploit inside metasploit

Note: the main difference between the first paper and the recent AET presentations ([1] and [4] respectively) is: the SecNet studies work in the IP and TCP layer, AET works by doing a mix of TCP and application layer injections.

Note 2: sniffers and IDSs work in different ways; sniffjoke is mainly thought of as a tool to protect from massive sniffing, not from an active mechanism like transparent proxies nor from inline filtering.

The main goal for sniffjoke is to also implement application layer protocol evasion, in two ways:

1) inject, instead of a random payload, some data coherent with the application protocol
2) some dissectors are not based on the RFC but on the reversing of the protocols' common usage; it is possible to stretch the applicative implementation using to the best what is supported by the remote service.

LIMITS: at the moment only the Linux version is coded. I'm working on the BSD/MacOSX porting (the system dependent elements are: iptables, route command, TUN device usage with ioctl).

[1] http://insecure.org/stf/secnet_ids/secnet_ids.pdf Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
[2] http://www.delirandom.net/20110317/sniffjoke-04-betatesting-invite/
[3] http://www.antievasion.com/faq
[4] http://www.antievasion.com/principles/principles/part-3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFNv0YwuEIJPcZ2VDARAsx0AKDtNuI5hBeE6mJ7fDUYIauN2qrZOACfQBqN
VyWfB5u0s/+LaRW1Qf4KwBk=
=cV5Q
-----END PGP SIGNATURE-----

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
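The mail lists fragment overlapping and premature expiration of a packet as two of the effects it wants to reach. Seen from the sensor side, both are the insertion attacks of reference [1]: a sniffer that reassembles naively keeps the first bytes it sees, while the end host keeps whatever its own stack prefers, so the two disagree. The following is an added example, not SniffJoke's code and not part of the original mail, showing what a receiving sensor can check to notice this: overlapping TCP segments whose shared bytes differ, and a segment whose TTL is well below the TTL the stream started with. The `Segment`, `StreamChecker` and `check_stream` names, the TTL slack value and all sample segments are constructed for the example.

```python
"""Added example (not SniffJoke code): sensor-side checks for two insertion
tricks, conflicting TCP segment overlaps and low-TTL segments.
All segments below are constructed test data."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    ttl: int        # IP TTL as seen on the wire at the sensor
    data: bytes


@dataclass
class StreamChecker:
    """Tracks one direction of a TCP stream and records evasion indicators."""
    ttl_slack: int = 5                                 # tolerated TTL variation (assumed value)
    bytes_seen: Dict[int, int] = field(default_factory=dict)   # stream offset -> byte value
    baseline_ttl: Optional[int] = None
    alerts: List[str] = field(default_factory=list)

    def feed(self, seg: Segment) -> None:
        # 1. TTL check: the first segment sets the baseline; a later segment
        #    far below it may expire between the sensor and the host, so the
        #    sensor would see bytes the host never receives.
        if self.baseline_ttl is None:
            self.baseline_ttl = seg.ttl
        elif seg.ttl < self.baseline_ttl - self.ttl_slack:
            self.alerts.append(
                f"low TTL {seg.ttl} vs baseline {self.baseline_ttl} at seq {seg.seq}")

        # 2. Overlap check: a byte offset delivered twice with different values
        #    cannot be what the host reads both times, so one copy is a decoy.
        conflicts = []
        for off, b in enumerate(seg.data):
            pos = seg.seq + off
            if pos not in self.bytes_seen:
                self.bytes_seen[pos] = b          # first-seen wins, as a naive sensor does
            elif self.bytes_seen[pos] != b:
                conflicts.append(pos)
        if conflicts:
            self.alerts.append(
                f"conflicting overlap at offsets {conflicts[0]}..{conflicts[-1]} (seq {seg.seq})")

    def reassemble(self) -> bytes:
        """First-seen reassembly: the view a naive sensor hands to its detector."""
        if not self.bytes_seen:
            return b""
        end = max(self.bytes_seen) + 1
        return bytes(self.bytes_seen.get(i, 0) for i in range(end))


def check_stream(segments: List[Segment]) -> Tuple[bytes, List[str]]:
    """Feed segments in arrival order; return (reassembled bytes, alerts)."""
    checker = StreamChecker()
    for seg in segments:
        checker.feed(seg)
    return checker.reassemble(), checker.alerts


# Constructed sample: a plain request split in two, then a decoy segment that
# overlaps offsets 4..9 with different bytes, then a low-TTL trailing segment.
SAMPLE_SEGMENTS = [
    Segment(0, 64, b"GET /index"),
    Segment(10, 64, b".html HTTP/1.0\r\n"),
    Segment(4, 64, b"/XXXXX"),
    Segment(26, 40, b"Host: x\r\n"),
]

if __name__ == "__main__":
    data, alerts = check_stream(SAMPLE_SEGMENTS)
    print(data)
    for a in alerts:
        print("ALERT:", a)
```

Both checks are deliberately cheap: the TTL baseline is per stream and the overlap map is per byte, which is enough to turn the "first-seen versus host-seen" ambiguity into an alert instead of a silent miss. A production sensor would additionally normalize overlaps according to the known policy of the destination host's stack, which is the fix reference [1] argues for.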
Current thread:
- SniffJoke integration in metasploit vecna (May 02)
- Re: SniffJoke integration in metasploit vecna (May 02)