findject.py
Findject is a simple python script that can find injected TCP packets in HTTP sessions, such as the QUANTUMINSERT Man-on-the-Side (MOTS) attacks. Packet injections can be detected with some IDS solutions, such as Bro and Suricata. However, we noticed that these solutions didn't properly detect all MOTS attacks - which is why findject.py was created. Other noteworthy tools for detecting packet injection attacks are HoneyBadger and qisniff.
Findject is open source software and is released under the GNU General Public License version 2 (GPLv2).
Download findject
Usage
Execute findject like this:
Example execution with no injections found:
/nsm/pcap/000.pcap - no injections
/nsm/pcap/001.pcap - no injections
/nsm/pcap/002.pcap - no injections
/nsm/pcap/003.pcap - no injections
/nsm/pcap/004.pcap - no injections
/nsm/pcap/005.pcap - no injections
/nsm/pcap/006.pcap - no injections
/nsm/pcap/007.pcap - no injections
/nsm/pcap/008.pcap - no injections
/nsm/pcap/009.pcap - no injections
/nsm/pcap/010.pcap - no injections
/nsm/pcap/011.pcap - no injections
Example execution with packet injection detected:
/opt/samples/mots/id1-cn_packet-injection.pcap - INJECTION FOUND!
5-tuple: 42.96.141.35:80-192.168.1.254:1337
Sequence numer: 133704711
First: 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 200\r\nConnectio[...]
Last: 'HTTP/1.1 403 Forbidden\r\nServer: Beaver\r\nCache-Control: no-cache\r\nContent[...]
Dependencies
Findject runs on any OS that supports Python, i.e. Windows, Linux and Mac OS X.
You need the following software installed to run findject.py:
- Python 2.6 or 2.7
- dpkt
- repoze.lru
pip install repoze.lru
Download
Findject can be downloaded from the following URL: https://www.netresec.com/?download=findject
PCAP files
We have linked several publicly available PCAP files containing TCP packet injection attacks on our PCAP repository page. Scroll down to the "Packet Injection Attacks / Man-on-the-Side Attacks" segment to find the example packet captures.