[Full-disclosure] sniffjoke 0.4 release - anti sniffer testing SDK
- From: vecna <vecna@xxxxxxxxxx>
- Date: Tue, 17 May 2011 01:38:46 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Sniffjoke 0.4 release candidate is ready to be spammed around
SniffJoke (Sj) implements a set of anti-sniffing technologies itself, but it
was developed from the beginning as a modular framework, so it can easily be
extended by a security community that wants to exploit and explore sniffing
faults.
In recent years a security company has publicized some "anti-evasion
techniques", mostly working at the application level and by scrambling
session data. Sj, in the 0.4 release, hacks and mangles your network traffic
at layers 3 and 4, but further plugin development will make every application
protocol at every layer so scrambled as to be undetectable by network
sniffers.
This is free software, because of its social and security goals.
Sj needs just a client side software, server side components are not
In the years since the first documentation of these techniques
(http://preview.tinyurl.com/68kcm7r, "Insertion, Evasion and denial of
service on IDS.pdf", the Ptacek and Newsham paper) a lot of software trying
to do transparent injection into traffic has been deployed, but we believe
that sniffjoke is the only one to reach a compromise between usability,
flexibility and stability.
This release has been developed with the support of Giovanni Pellerano
(evilaliv3 from the ush.it project); without his collaboration I could have
let Sj die alone. Thanks Giovanni!
A short explanation of how Sj works:
it works only under Linux (at the moment). It creates a fake default gateway
in your OS (on the client or on a default gateway) using a TUN interface,
checks every packet passing through it, tracks every session and applies two
concepts: the scramble and the hack.
The scramble is the technology that brings:
1) a sniffer to accept as true a packet that will be discarded by the
2) a sniffer to drop a packet that will be accepted by the server.
The scramble technology brings desynchronisation between the flow as seen by
the sniffer and the real flow.
The bogus packet accepted by the sniffer is generated by the "plugin". A
plugin is a simple C++ class which, with pseudo-stateful tracking, forges the
packet to be injected into the flow. It is pretty easy to develop a new one,
and anyone who wants to do research on sniffer attacks (or fuzz the flow
searching for bugs) needs to get their hands inside it.
The configuration permits defining blacklists/whitelists of IP addresses to
scramble, a degree of aggressiveness for each port, which plugin will be
The "location" concept: the important one.
Sj transparently makes a traceroute-like analysis for every IP address you
contact; it uses an internal cache (the ttlfocus.bin file) and keeps track of
which IP/TCP options will work in your network. The combination of usable IP
options is really unstable: bad use of an option will cause your session to
be entirely broken. For this reason the "sniffjoke-autotest" script has been
developed. It makes a lot of automatic probes and generates the configuration
file suitable for your network+ISP.
So you need to run an autotest in every location where you want to use
sniffjoke (e.g. your home, office, Starbucks, etc.), because the 'generic'
location provided is useful only as a configuration example.
Sj doesn't make your traffic *invisible*; it makes it opaque. A skilled
analyst could hypothetically, by hand, select the packets and choose what to
read: your traffic is not encrypted, and thus is NOT protected. But in the
cost/benefit evaluation that every sniffer will make, you have indeed raised
the costs :)
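The two scramble cases above, and the "opaque, not invisible" caveat, modelled as an added example (this is illustration code, not sniffjoke's own): a client ten hops from the server, tapped at hop three, sends bogus data ahead of every real segment, once with a TTL that survives to the tap but expires before the server and once with a bad TCP checksum. The packet model, the hop arithmetic, the first-arrival-wins reassembly and the naive sniffer's policy are assumptions; the HTTP segments are constructed sample input.

```python
"""Toy model of sniffer/server desynchronisation through packet insertion.

Added illustration, not sniffjoke code. Assumptions: a node that is `hops`
routers away from the client receives a packet only if ttl > hops; the
server verifies TCP checksums; the modelled naive sniffer does not, and it
does not know how far away the server is.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass
class Packet:
    seq: int                 # TCP sequence number of the first payload byte
    payload: bytes
    ttl: int = 64            # IP TTL as emitted by the client
    bad_csum: bool = False   # TCP checksum deliberately wrong


def reaches(p: Packet, hops: int) -> bool:
    """Each router decrements TTL and drops at zero, so a node `hops` routers
    away sees the packet only if ttl > hops (assumed path model)."""
    return p.ttl > hops


def server_accepts(p: Packet, server_hops: int) -> bool:
    """A real TCP/IP stack: the packet must arrive and its checksum must verify."""
    return reaches(p, server_hops) and not p.bad_csum


def naive_sniffer_accepts(p: Packet, sniffer_hops: int) -> bool:
    """Assumed weak sniffer: trusts everything that passes its tap, with no
    checksum verification and no knowledge of the server's distance."""
    return reaches(p, sniffer_hops)


def careful_sniffer_accepts(p: Packet, sniffer_hops: int, server_hops: int) -> bool:
    """The 'skilled analyst' case: a sniffer that verifies checksums and has
    measured the server's hop count rejects exactly what the server rejects."""
    return reaches(p, sniffer_hops) and server_accepts(p, server_hops)


def reassemble(packets: Iterable[Packet], accept: Callable[[Packet], bool]) -> bytes:
    """First-arrival-wins reassembly: once a byte offset is filled, later data
    for the same offset is ignored (a simple policy common in passive tools)."""
    stream = {}
    for p in packets:
        if not accept(p):
            continue
        for i, b in enumerate(p.payload):
            stream.setdefault(p.seq + i, b)
    return bytes(stream[k] for k in sorted(stream))


def scramble(segments: List[Tuple[int, bytes]], sniffer_hops: int,
             server_hops: int, noise: bytes = b"X") -> List[Packet]:
    """Insertion scramble: before every real segment, send bogus data at the
    same sequence number in two forms the server will never accept:
      1. a TTL that survives to the tap but expires before the server;
      2. a normal TTL but a bad TCP checksum.
    A first-arrival-wins sniffer fills those offsets with the bogus bytes."""
    if sniffer_hops >= server_hops:
        raise ValueError("TTL trick needs the tap to be closer than the server")
    out: List[Packet] = []
    for seq, data in segments:
        bogus = (noise * len(data))[:len(data)]
        out.append(Packet(seq, bogus, ttl=sniffer_hops + 1))
        out.append(Packet(seq, bogus, bad_csum=True))
        out.append(Packet(seq, data))
    return out


def views(segments, sniffer_hops: int, server_hops: int):
    """Return (server view, naive sniffer view, careful sniffer view)."""
    pkts = scramble(segments, sniffer_hops, server_hops)
    server = reassemble(pkts, lambda p: server_accepts(p, server_hops))
    naive = reassemble(pkts, lambda p: naive_sniffer_accepts(p, sniffer_hops))
    careful = reassemble(
        pkts, lambda p: careful_sniffer_accepts(p, sniffer_hops, server_hops))
    return server, naive, careful


# Constructed sample stream (two TCP segments of one HTTP request).
SEGMENTS = [(1000, b"GET /secret"), (1011, b" HTTP/1.0\r\n")]

if __name__ == "__main__":
    names = ("server", "naive sniffer", "careful sniffer")
    for name, v in zip(names, views(SEGMENTS, sniffer_hops=3, server_hops=10)):
        print(f"{name:16}: {v!r}")
```

The naive tap ends up with a stream of filler bytes while the server receives the real request; the careful sniffer, which has done the same hop measurement the client did and checks checksums, recovers the real stream, which is the cost-benefit point made above rather than true invisibility.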
project motto: "transform multi gigabit sniffer into a multi kilobits one"
The social/security goal is to demotivate data retention, bring crisis to
massive traffic analysis, and protect sessions in nations where pervasive
control cuts out freedom of thought and
A pseudo site used to explain the same things as here is
comments ? bug ? contribs ?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/