sniffjoke 0.4 released

ALIVE! After more or less one year, in which every line of the 0.3 code has been modified, tonight has been released:

http://github.com/vecna/sniffjoke; the new site, http://www.delirandom.net/sniffjoke, is where you can get the latest stable version (as of 22/05/2011: 0.4.1).

SniffJoke (Sj) implements a set of anti-sniffing techniques itself, but it was developed from the start as a modular framework, so that it can easily be extended by a security community that wants to explore and exploit sniffer weaknesses.

In recent years a security company has publicized some “anti evasion techniques”, mostly working at the application level and by scrambling session data. In the 0.4 release Sj hacks and mangles your traffic at layers 3 and 4, but further plugin development will make application protocols at every layer so scrambled that network sniffers cannot reconstruct them. This is free software, because of the social and security goals described below.

Sj needs only client-side software; no server-side component is required.

In the years since these techniques were first documented (the paper “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, Ptacek and Newsham, 1998), a lot of software that tries to inject packets transparently into the traffic has been deployed, but we believe that only sniffjoke reaches a compromise between usability, flexibility and stability.

This release has been developed with the support of Giovanni Pellerano (evilaliv3 from the ush.it project); without his collaboration I could have let Sj die alone. Thanks Giovanni!

A short explanation of how Sj works:

It works only under Linux (at the moment). It creates a fake default gateway in your OS (on the client itself or on a real gateway) using a TUN interface, inspects all traffic passing through it, tracks every session and applies two concepts: the scramble and the hack.

The scramble is the technique that brings:
1) a sniffer to accept as genuine a packet that will be discarded by the server;
2) a sniffer to drop a packet that will be accepted by the server.

Either way, the scramble desynchronises the flow the sniffer reconstructs from the real flow.

The bogus packet accepted by the sniffer is generated by a “plugin”: a simple C++ class which, with pseudo-stateful tracking of the session, forges the packet to be injected into the flow. It is pretty easy to develop a new one, and anyone who wants to research attacks on sniffers (or to fuzz the flow looking for bugs) needs to get their hands into it.
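To make case 1 concrete, here is an added example (written for this page, not sniffjoke's own code and not its plugin API). It models two receivers that disagree about what a valid TCP segment is: a naive sniffer that only checks the header is well formed, and a server stack that verifies the TCP checksum. A decoy segment is forged with a deliberately wrong checksum, so the sniffer accepts it and the server drops it; the byte stream each side reconstructs then diverges, which is the desynchronisation described above. The addresses, ports, payloads and the "keep the first copy of an overlapping byte" reassembly policy are all constructed assumptions for the model; real sniffers and stacks vary.

```python
"""
Added example (not sniffjoke code): one TCP segment, two verdicts.

A naive sniffer accepts any well-formed segment; a server stack requires the
checksum over pseudo-header + segment to verify.  A decoy with a bad checksum
is therefore inserted into the sniffer's view only.
"""
import struct

# Constructed endpoints for the model (203.0.113.0/24 is TEST-NET-3).
CLIENT, SERVER, SPORT, DPORT = "10.0.0.2", "203.0.113.10", 40000, 80


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_ip, dst_ip, sport, dport, seq, payload, corrupt=False):
    """Build a 20-byte TCP header (PSH|ACK, no options) plus payload.
    With corrupt=True the checksum is forced wrong (adding 1 mod 2^16 never
    yields a verifying value).  Returns (src, dst, segment) as bytes."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = ipv4_checksum(pseudo + hdr + payload)
    if corrupt:
        csum = (csum + 1) & 0xFFFF
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]
    return src, dst, hdr + payload


def naive_sniffer_accepts(src, dst, segment) -> bool:
    """Model of a sniffer that never validates checksums: header length sane is enough."""
    return len(segment) >= 20 and (segment[12] >> 4) * 4 <= len(segment)


def server_accepts(src, dst, segment) -> bool:
    """Model of a real stack: checksum over pseudo-header + segment must verify to 0."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ipv4_checksum(pseudo + segment) == 0


def reconstruct(packets, accepts, policy="first"):
    """Rebuild the byte stream a receiver sees: drop what it rejects, place each
    accepted payload at its sequence offset.  'first' keeps the earliest copy of
    an overlapping byte, 'last' the latest (both policies are model assumptions).
    Payload is assumed to start at offset 20 (no TCP options)."""
    buf = {}
    for src, dst, seg in packets:
        if not accepts(src, dst, seg):
            continue
        seq = struct.unpack("!I", seg[4:8])[0]
        for i, b in enumerate(seg[20:]):
            if policy == "last" or seq + i not in buf:
                buf[seq + i] = b
    return bytes(buf[k] for k in sorted(buf))


def demo():
    """Real request split in three segments, with a bad-checksum decoy overlapping
    the second one.  Returns (sniffer_view, server_view)."""
    base = (CLIENT, SERVER, SPORT, DPORT)
    packets = [
        tcp_segment(*base, 1000, b"GET /"),                 # real
        tcp_segment(*base, 1005, b"decoy", corrupt=True),   # inserted: server drops it
        tcp_segment(*base, 1005, b"index"),                 # real
        tcp_segment(*base, 1010, b" HTTP/1.0\r\n"),         # real
    ]
    return (reconstruct(packets, naive_sniffer_accepts, "first"),
            reconstruct(packets, server_accepts, "first"))


if __name__ == "__main__":
    sniffer_view, server_view = demo()
    print("sniffer:", sniffer_view)   # GET /decoy HTTP/1.0
    print("server: ", server_view)    # GET /index HTTP/1.0
```

Note that the decoy only sticks against a sniffer that keeps the first copy of overlapping data; pass `"last"` to `reconstruct` for the sniffer and it sees the real request. That is exactly why a plugin has to be written against a specific sniffer behaviour, and why testing against the sniffers you care about is part of developing one.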

The configuration lets you define a blacklist/whitelist of IP addresses to scramble, a degree of aggressiveness for each port, and which plugins will be used.

The “location” concept: the important one.

Sj transparently performs a traceroute-like analysis for every IP address you contact; it uses an internal cache (the ttlfocus.bin file) and keeps track of which IP/TCP options work in your network. The set of usable IP options is really unstable: misusing an option will break your session entirely. For this reason the “sniffjoke-autotest” script has been developed: it runs a lot of automatic probes and generates the configuration file suitable for your network and ISP.

So you need to run an autotest in every location where you want to use sniffjoke (e.g. your home, office, Starbucks, etc.), because the ‘generic’ location provided is useful only as a configuration example.
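An added example (again not sniffjoke's code) of why the measurement is location-bound, using the TTL alone: a decoy sent with a TTL that expires after the sniffer's tap point but before the server is accepted by the sniffer and never reaches the server; the same TTL reused from a place with a shorter path reaches the server and corrupts the real session. The path lengths, the target address, the cache layout and the sniffer positions are constructed for the model; sniffjoke's actual probes, the ttlfocus.bin format and its IP-option handling are not reproduced.

```python
"""
Added example (not sniffjoke code): TTL calibration per location.

The path is modelled as N routers between client and target; each router
decrements TTL once and drops the packet when it hits 0.  A traceroute-like
probe learns N per location; reusing that number elsewhere is the failure mode.
"""

TARGET = "203.0.113.10"  # TEST-NET-3 address, placeholder target

# Constructed path model: routers between the client and TARGET per location.
# This is what the traceroute-like probing would measure in reality.
PATHS = {
    "home": {TARGET: 12},
    "office": {TARGET: 7},
}


def survives_to_hop(ttl, hop):
    """True if a packet sent with `ttl` still has TTL >= 1 on arrival at 1-based
    `hop`: the hop - 1 routers before it each decrement once."""
    return ttl >= hop


def probe_hops(path_len, max_ttl=64):
    """Traceroute-like probe against the model: raise the TTL until the packet
    gets past all `path_len` routers (target sits at hop path_len + 1).
    Returns the smallest TTL that reaches the target."""
    for ttl in range(1, max_ttl + 1):
        if survives_to_hop(ttl, path_len + 1):
            return ttl
    raise RuntimeError("target not reached within max_ttl")


def build_cache():
    """What an autotest-style pass records per location: the TTL that reaches
    each target.  The (location, dst) key layout is an assumption of this model."""
    return {(loc, dst): probe_hops(n)
            for loc, targets in PATHS.items()
            for dst, n in targets.items()}


def choose_bogus_ttl(cache, location, dst):
    """TTL for an injected packet: one less than what reaches the server, so it
    dies on the last router (ICMP time exceeded) after passing any tap before it."""
    return cache[(location, dst)] - 1


def deliver(ttl, path_len, sniffer_hop):
    """(seen_by_sniffer, reached_server) for a packet with `ttl` on a path of
    `path_len` routers, with the sniffer tapping the link at 1-based `sniffer_hop`."""
    return survives_to_hop(ttl, sniffer_hop), survives_to_hop(ttl, path_len + 1)


def inject(cache, calibrated_at, now_at, sniffer_hop, dst=TARGET):
    """Send one decoy using the TTL calibrated at `calibrated_at` while the
    client is physically at `now_at`."""
    ttl = choose_bogus_ttl(cache, calibrated_at, dst)
    return deliver(ttl, PATHS[now_at][dst], sniffer_hop)


if __name__ == "__main__":
    cache = build_cache()
    # Calibrated and used at home: sniffer sees the decoy, server never does.
    print("home/home  ", inject(cache, "home", "home", sniffer_hop=3))
    # Stale home calibration used from the office (shorter path): the decoy
    # reaches the server and breaks the real session.
    print("home/office", inject(cache, "home", "office", sniffer_hop=3))
    # Office calibration used from home: harmless to the server, but a sniffer
    # deeper in the path than the TTL allows never sees the decoy at all.
    print("office/home", inject(cache, "office", "home", sniffer_hop=9))
```

The second case is the one that autotest exists to prevent: a TTL that was one hop short at home is five hops too long from the office, so the "bogus" packet is delivered, is accepted by the server, and collides with the real data. The third case shows the other side of the trade-off: a TTL chosen too low is safe but useless against a sniffer near the server.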

Sj doesn’t make your traffic *invisible*; it makes it opaque. A skilled analyst could hypothetically select the packets by hand and choose what to read: your traffic is not encrypted, and thus is NOT protected. But in the cost-benefit evaluation that every sniffer operator makes, you do raise the costs :)

project motto: “transform a multi-gigabit sniffer into a multi-kilobit one”

The social/security goal is to discourage data retention, to throw mass traffic analysis into crisis, and to protect sessions in nations where pervasive control cuts off freedom of thought and expression.

A (pseudo) site explaining the same things is http://www.delirandom.net/sniffjoke

About vecna

Claudio Agosti (I, in this section) is currently working on some projects involving: steganography, anonymity, deep-level networking, VoIP and mobile network security, and online human rights protection. Mix well, add a sprinkle of anti-forensics, serve cold. The worst issue with those really cool projects is that no one is financing me, so sometimes I need to work. Jobs currently include development and a few security issues to manage. Dreams? A world where everyone has N pseudonyms, certified by a web-of-trust security model. I'm not "security certified" except as a lifeguard, I'm bored by penetration testing, and my future is painted with JavaScript. keywords: vecna, s0ftpj, sniffjoke, globaleaks, winston smith project, elettra.
This entry was posted in english, hacking.
