Trafscrambler

- is an anti-sniffer/IDS LKM (Network Kernel Extension) for OSX


This project was spawned because of my laziness to port sniffjoke to OSX and my interest in writing LKMs for OSX.


Theoretical material was taken from Phrack #54.


License - BSD


Version 0.3 is a bug-fixing release:

  1. plugged an mbuf leak

  2. corrected data injection


Version 0.2 implements the following:

  1. everything from version 0.1

  2. injection of packets with bogus data and with a randomly selected bad TCP checksum or bad TCP sequence number

  3. a userland binary (tsctrl) for controlling the trafscrambler NKE


Version 0.1 implements the following:

  1. SYN decoy - sends out a number of SYN pkts before the original SYN pkt

  2. TCP reset attack - sends out an RST/FIN pkt with a bad sequence number

  3. Pre-connection SYN - sends out a SYN with a wrong TCP checksum

  4. Post-connection SYN - sends out a fake SYN after connection establishment

  5. Zero Window - sends out a pkt with a "0" window set
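The techniques above only mislead a sniffer or IDS that processes segments the real endpoint would discard. As an added example (not part of trafscrambler, which is a kernel NKE written in C, and not derived from its source), the Python below shows the checks a passive inspector can apply to stay in step with the endpoint: verify the TCP checksum over the IPv4 pseudo-header, ignore RST/FIN segments whose sequence number falls outside the receive window, and refuse to treat a SYN on an already established flow as a new connection. All addresses, ports, sequence numbers and packet bytes are constructed for the demonstration; the receive-window state is seeded directly rather than tracked from a handshake.

```python
"""Checks a passive TCP inspector can apply so that segments the endpoint
would discard (bad checksum, out-of-window RST/FIN, SYN on an established
flow) do not pollute its view of the stream. Added example; every address,
port, sequence number and packet below is constructed for the demo."""
import socket
import struct

TCP_PROTO = 6
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus TCP header and payload.
    Run over a segment whose checksum field is already filled in, a correct
    segment yields 0; anything else means the receiver will drop it."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(sport, dport, seq, ack, flags, window, payload=b"",
                  src_ip="10.0.0.2", dst_ip="10.0.0.1", bad_checksum=False):
    """Construct a TCP segment (20-byte header) as constructed test input.
    bad_checksum=True corrupts the checksum field to mimic a decoy segment."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    if bad_checksum:
        csum ^= 0x5555
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


class FlowGuard:
    """One direction of one flow: what the receiver of these segments would
    currently accept (rcv_nxt / rcv_wnd, the RFC 793 acceptability test)."""

    def __init__(self, src_ip, dst_ip, rcv_nxt, rcv_wnd, established=False):
        self.src_ip, self.dst_ip = src_ip, dst_ip
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd
        self.established = established

    def in_window(self, seq: int) -> bool:
        # Modular difference so the test survives sequence-number wraparound.
        return ((seq - self.rcv_nxt) & 0xFFFFFFFF) < self.rcv_wnd

    def inspect(self, segment: bytes) -> str:
        """Return 'accept' or a 'drop:<reason>' verdict for one segment."""
        if len(segment) < 20:
            return "drop:truncated"
        # 1. Every endpoint discards a bad checksum, so the inspector must
        #    discard it too rather than feed it into stream reassembly.
        if tcp_checksum(self.src_ip, self.dst_ip, segment) != 0:
            return "drop:bad-checksum"
        _, _, seq, _, _, flags, _ = struct.unpack("!HHIIBBH", segment[:16])
        # 2. RST/FIN only take effect inside the receive window; an
        #    out-of-window one must not tear down the tracked flow.
        if flags & (RST | FIN) and not self.in_window(seq):
            return "drop:rst-fin-out-of-window"
        # 3. A SYN on an already established flow is noise, not a new
        #    connection; do not reset tracking state because of it.
        if flags & SYN and self.established:
            return "drop:syn-on-established"
        return "accept"


def demo():
    """Run constructed segments through a guard seeded with an established flow."""
    guard = FlowGuard("10.0.0.2", "10.0.0.1", rcv_nxt=1000, rcv_wnd=65535,
                      established=True)
    cases = {
        "data": build_segment(40000, 80, 1000, 500, ACK, 65535, b"GET / HTTP/1.0\r\n"),
        "bad_cksum_syn": build_segment(40000, 80, 1000, 0, SYN, 65535, bad_checksum=True),
        "rst_bad_seq": build_segment(40000, 80, 0xDEADBEEF, 500, RST, 0),
        "post_conn_syn": build_segment(40000, 80, 1000, 0, SYN, 65535),
        "zero_window": build_segment(40000, 80, 1000, 500, ACK, 0),
    }
    return {name: guard.inspect(seg) for name, seg in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

Note that the zero-window segment is accepted: a zero window is legitimate flow control, so an inspector cannot drop it on that basis alone and instead has to tolerate it the way the endpoint does. A real inspector would also need to learn rcv_nxt and rcv_wnd from the observed handshake and keep them updated per direction; the example seeds them directly to keep the checks themselves visible.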


NOTE:

Operating from a NAT:ed network, trafscrambler may not achieve its designed effect.

Packets sent to the Internet might be normalized or dropped by a firewall/gateway in the middle.


Trafscrambler was tested on OSX 10.5.x (x86 and ppc) and on OSX 10.6.x (x86_64).


Testers are more than welcome.


Download:

trafscrambler 0.3

Source (SHA256: 63f1a54386d4a4b92cc91435a781879d181cdc1b453243be6c98c029cb8cdb2e)

Pkg (SHA256: 323c51905fe90deb7dafe7500a82eaa95415abdc36499eb65228636cc650dfa3)


trafscrambler 0.2

Source (SHA256: fa6467defc5898d3d8beae8d23338a8978e1e90bd33e00f07621ebd82993a881)

Pkg (SHA256: 93adb194cb9989a68701711b338253acfc29eaa82f0f1547957e37d89a2ac961)


trafscrambler 0.1

Source (SHA256: aab723f080dfb7656d1c9a5a1e0be87e610747f7fbbad4ff67a4c809ec5c6cf2)

Pkg (SHA256: 5e0d6b1576ecaf3b9b55ff84dc947e64b7f681635b428341606caddbd8e819c0)



Here are some screenshots of its operation (images not reproduced here; captions only):

[Screenshot] Packets injected by trafscrambler, as seen in Wireshark.

[Screenshot] Trafscrambler, compiled with the INFO flag, logs its actions to the kernel message buffer (dmesg).

[Screenshot] Injected and original packets, as seen past the firewall (OpenBSD).

[Screenshot] Original packet and one with fake data. The random bogus data was replaced with A's for demonstration.