a client-only layer of protection from the wiretap/sniff/IDS analysis.
SniffJoke: transparent TCP connection scrambler 0.4.1
SniffJoke is an application for Linux that transparently handles your TCP connections, delaying and modifying packets and injecting fake ones into your transmission, making it almost impossible for a passive wiretapping technology (IDS or sniffer) to read them correctly.
Requirements
cmake, gcc, iptables, tcpdump
Suggested
gnupg
How to compile/install
mkdir build
cd build
cmake ..
make
sudo -s
make install
and you can check exactly which files were installed with
cat install_manifest.txt
Suggested setup, to configure SniffJoke for the capabilities of your network:
sniffjoke-autotest -l name_of_your_location
Once you have run the "autotest" in this network location (office, home, lab, etc.), invoke sniffjoke with:
sniffjoke --location name_of_your_location
sniffjokectl --stat
sniffjokectl --start
sniffjokectl --help
[...]
Link and info
**The domain name delirandom.org has expired; use the same links on archive.org**
SniffJoke man page: http://www.delirandom.net/sniffjoke/
SniffJoke location requirement: http://www.delirandom.net/sniffjoke/sniffjoke-locations
SniffJoke concepts, goals: http://www.delirandom.net/sniffjoke/sniffjoke-how-does-work
CONFIG FILES installed in the 'generic' location
ipblacklist.conf
iptcp-options.conf
ipwhitelist.conf
plugins-enabled.conf
port-aggressivity.conf
sniffjoke-service.conf
CACHE and LOG files that are generated in a location
plugin.fake_close_fin.log
plugin.fragmentation.log
plugin.segmentation.log
ttlfocusmap.bin
CONFIG FILES generated as location specific by sniffjoke-autotest
iptcp-options.conf
plugins-enabled.conf
Requirements
Linux OS (>=2.6.19) with tun support;
wifi/eth as default gateway (no other interface supported).
Installed files
The service binary
/usr/local/bin/sniffjoke
The client, required to manage the configuration of Sj remotely
/usr/local/bin/sniffjokectl
The "generic location" configuration, containing all the default configuration files
/usr/local/var/sniffjoke/generic/
SniffJoke plugins:
/usr/local/lib/sniffjoke/*.so
Scripts:
/usr/local/bin/sniffjoke-autotest
/usr/local/bin/sj-iptcpopt-probe
/usr/local/bin/sj-commit-results
Sniffjoke Man pages
/usr/local/man/man1/sniffjoke.1
/usr/local/man/man1/sniffjokectl.1
/usr/local/man/man1/sniffjoke-autotest.1
External service
In autotesting, Sniffjoke needs to contact http://www.delirandom.net/sjA. This is not strictly required: a user who wants to perform the test himself can install the "pe.php" script, present in this package at
conf/sjA/pe.php
and use the semi-secret options -s and -a of sniffjoke-autotest (this avoids every contact with delirandom).
Official sniffjoke page (expired domain, use archive.org)
(old) academic research:
http://www.delirandom.net/sniffjoke/Insertion%20Evasion%20and%20denial%20of%20service%20on%20IDS.pdf
Hacker's old bread:
MacOSx 0.3 ports as kernel module:
Wireshark thread about Sj 0.3:
-------------------------------------------
SniffJoke—a client-only layer of protection from the wiretap/sniff/IDS analysis,
transparent TCP connection scrambler.
What's SniffJoke?
An internet client running SniffJoke injects into the transmission flow packets that seriously disturb passive analysis such as sniffing, interception and low-level information theft. No server support needed!
Why is this possible?
The internet protocols were developed to let two elements communicate, not to let a third party intercept their communication. Interception does happen, but the communication system was not developed with that objective.
SniffJoke uses the network protocols in a permitted way, exploiting the implicit differences between the network stack of an operating system and the dissector of a sniffer.
Main concept of SniffJoke
This project aims to exploit the unreliability of passive protocol reassembly: because the data on the wire is not enough to guarantee a correct reassembly, a legitimate use of the network protocol will strongly disrupt the existing software.
A third party reading packets passively falls into an "ambiguity": it can never be 100% sure whether a packet will be accepted or rejected by the peers under monitoring. Using and abusing this unreliability leads it to rebuild the transmission wrongly.
Goal of SniffJoke
To be a modular framework for the easy development and use of techniques able to disrupt passive protocol reassembly at every layer. Release 0.4 only brings attacks at the IP and TCP/UDP layers; an escalation is planned for the next release.
Exploiting the speed of the network links, the differences between every ISP's configuration and (not yet implemented) the differences between operating systems' TCP/IP stacks, sniffjoke puts sniffers in front of a difficult choice: drop every packet that has something weird about it, in order to keep up with the growing bandwidth and hardware demands, or improve the analysis by spending CPU and time, implicitly increasing the cost per megabit. This will demotivate massive sniffing by evil entities.
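The ambiguity described in the "Main concept" and "Goal" sections above, as an added illustration that is not SniffJoke's own code: a toy passive reassembler that rebuilds a TCP byte stream from the vantage point of a sniffer and from that of the real peer. The two classic sources of ambiguity it models are overlapping segments carrying different bytes (which copy does the receiving stack keep?) and hop-limited segments that a sniffer sees but that expire before reaching the peer, the kind of trick the segmentation plugin and the TTL focus map on this page are built around. The sample segments, TTLs and hop counts are constructed; the `anomalies` list is what a defender's reassembler should surface (overlaps with differing bytes, packets that cannot reach the peer) instead of silently guessing a policy.

```python
# Added example, not SniffJoke code: a toy model of the ambiguity a passive
# reassembler faces.  All segments, TTLs and hop counts below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # offset of the first payload byte within the stream
    data: bytes
    ttl: int     # IP TTL as seen at the observation point


def reassemble(segments, policy, hops_to_receiver):
    """Rebuild the byte stream as one vantage point would see it.

    policy: "first" keeps the earliest copy of an overlapping byte,
            "last" lets a later segment overwrite it; real stacks pick
            one of these (or finer rules) and a sniffer must guess.
    hops_to_receiver: routers between this vantage point and the peer;
            a segment whose TTL is not larger than that dies on the way.
    Returns (stream, anomalies); anomalies is what a defender's
    reassembler should report rather than silently picking a policy.
    """
    stream = {}
    anomalies = []
    for seg in segments:
        if seg.ttl <= hops_to_receiver:
            anomalies.append(f"seq {seg.seq}: TTL {seg.ttl} expires before the peer")
            continue
        conflict = False
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if pos in stream:
                if stream[pos] != byte:
                    conflict = True
                if policy == "first":
                    continue
            stream[pos] = byte
        if conflict:
            anomalies.append(f"seq {seg.seq}: overlap with different bytes")
    out = bytearray()
    pos = 0
    while pos in stream:  # stop at the first gap in the stream
        out.append(stream[pos])
        pos += 1
    return bytes(out), anomalies


# Constructed capture: one real request plus two scrambler-style decoys.
SAMPLE = [
    Segment(0, b"GET /", ttl=64),
    Segment(5, b"XXXXX", ttl=2),    # decoy that dies two hops downstream
    Segment(5, b"index", ttl=64),   # the real bytes, sent afterwards
    Segment(10, b".html", ttl=64),
    Segment(10, b"ZZZZZ", ttl=64),  # decoy that does arrive; which copy wins?
]


def views():
    """Compare a naive sniffer (sees every packet, keeps the first copy)
    with the peer three hops away under both reassembly policies."""
    return {
        "sniffer_first": reassemble(SAMPLE, "first", 0)[0],
        "peer_first": reassemble(SAMPLE, "first", 3)[0],
        "peer_last": reassemble(SAMPLE, "last", 3)[0],
    }


if __name__ == "__main__":
    for name, stream in views().items():
        print(f"{name:14s} {stream!r}")
    print("anomalies:", reassemble(SAMPLE, "first", 3)[1])
```

The naive sniffer rebuilds `GET /XXXXX.html` while the peer, depending on its overlap policy, actually receives `GET /index.html` or `GET /indexZZZZZ`; the only robust answer for a monitoring point is target-based reassembly (knowing the peer's stack policy and its distance) together with alerting on every segment that the `anomalies` list flags.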