flightsim traffic simulator

Flightsim is a lightweight utility that generates malicious network traffic to help security teams evaluate security controls and network visibility. The tool runs tests that simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns. It can also be described as a malicious network traffic simulator.

Installing flightsim

Download the latest flightsim binary from the Releases page. The tool can also be built with Go on any platform (e.g. Linux, macOS, Windows) as follows:

go get -u github.com/alphasoc/flightsim/...

Running the flightsim traffic simulator

$ flightsim --help
AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
flightsim is an application which generates malicious network traffic for security
teams to evaluate security controls (e.g. firewalls) and ensure that monitoring tools
are able to detect malicious traffic.
Usage:
  flightsim [command]
Available Commands:
  help        Help about any command
  run         Run all simulators (default) or a particular test
  version     Print version and exit
Flags:
  -h, --help   help for flightsim
Use "flightsim [command] --help" for more information about a command

Malicious traffic is generated by running individual modules. To run every available test, use flightsim run. Note: when the C2 modules run, flightsim gathers the current C2 addresses from Cybercrime Tracker and the AlphaSOC API, so external Internet access is required.

Use flightsim run --help to list the available modules. To run a specific test, pass the module name to flightsim run, as shown below:

$ flightsim run --help
Run all simulators (default) or a particular test
Usage:
  flightsim run [c2-dns|c2-ip|dga|hijack|scan|sink|spambot|tunnel] [flags]
Flags:
  -n,                      number of hosts generated for each simulator (default 10)
      --fast               run simulator fast without sleep intervals
  -h, --help               help for run
  -i, --interface string   network interface to use
$ flightsim run dga
AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 172.31.84.103
The current time is 10-Jan-18 09:30:28
Time      Module   Description
--------------------------------------------------------------------------------
09:30:28  dga      Starting
09:30:28  dga      Generating list of DGA domains
09:30:30  dga      Resolving rdumomx.xyz
09:30:31  dga      Resolving rdumomx.biz
09:30:31  dga      Resolving rdumomx.top
09:30:32  dga      Resolving qtovmrn.xyz
09:30:32  dga      Resolving qtovmrn.biz
09:30:33  dga      Resolving qtovmrn.top
09:30:33  dga      Resolving pbuzkkk.xyz
09:30:34  dga      Resolving pbuzkkk.biz
09:30:34  dga      Resolving pbuzkkk.top
09:30:35  dga      Resolving wfoheoz.xyz
09:30:35  dga      Resolving wfoheoz.biz
09:30:36  dga      Resolving wfoheoz.top
09:30:36  dga      Resolving lhecftf.xyz
09:30:37  dga      Resolving lhecftf.biz
09:30:37  dga      Resolving lhecftf.top
09:30:38  dga      Finished
All done! Check your SIEM for alerts using the timestamps and details above.

flightsim modules

The modules bundled with the tool are listed below:

Module    Description
--------------------------------------------------------------------------------
c2-dns    Generates a list of current C2 destinations and issues a DNS query for each
c2-ip     Connects to 10 random C2 IP:port pairs from the current list, simulating attacker sessions
dga       Simulates DGA traffic using random labels and top-level domains
hijack    Tests DNS hijacking via ns1.sandbox.alphasoc.xyz
scan      Port-scans 10 random RFC 1918 addresses using common ports
sink      Runs a security test against 10 random addresses belonging to security providers
spambot   Resolves and connects to random Internet SMTP servers to test spam-related ports
tunnel    Generates DNS tunneling requests and sends them to *.sandbox.alphasoc.xyz
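The dga run above ends with "Check your SIEM for alerts using the timestamps and details above", and the module table tells you what each module leaves behind on the wire. The Python script below is an added example, not part of flightsim or of this page, that automates that check for the dga module: it parses flightsim's console rows into expected DNS queries and matches them against resolver log lines, counting a query as confirmed only when the same name was logged from the simulator host within a few seconds of the printed time. The flightsim rows are copied from the run above; the resolver log format, the 5-second window, the SIMULATOR_HOST name and the sample log lines are constructed assumptions for this example.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# flightsim prints one row per action: "HH:MM:SS  module   Description".
# Only "Resolving <name>" rows name an artifact that a DNS log can confirm.
FLIGHTSIM_ROW = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")
RESOLVING = re.compile(r"^Resolving\s+(\S+)$")
# Hypothetical resolver log format, constructed for this example:
# "<ISO-8601 UTC time> client=<ip> query=<qname> type=<rrtype>"
DNS_LOG_ROW = re.compile(r"^(\S+)\s+client=(\S+)\s+query=(\S+)")

Expected = namedtuple("Expected", "module when qname")


def parse_flightsim(output, run_date):
    """Turn flightsim's console rows into expected DNS queries with absolute times.
    run_date is the date from the "The current time is" line (10-Jan-18 on the page)."""
    day = datetime.strptime(run_date, "%d-%b-%y")
    expected = []
    for line in output.splitlines():
        row = FLIGHTSIM_ROW.match(line.strip())
        if not row:
            continue  # banner, column header, separator, "All done!" ...
        hms, module, description = row.groups()
        hit = RESOLVING.match(description)
        if not hit:
            continue  # Starting / Finished rows carry no query name
        t = datetime.strptime(hms, "%H:%M:%S")
        when = day.replace(hour=t.hour, minute=t.minute, second=t.second)
        expected.append(Expected(module, when, hit.group(1).lower().rstrip(".")))
    return expected


def parse_dns_log(log):
    """Resolver log rows -> list of (timestamp, client, qname)."""
    rows = []
    for line in log.splitlines():
        m = DNS_LOG_ROW.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            rows.append((ts, m.group(2), m.group(3).lower().rstrip(".")))
    return rows


def coverage(expected, observed, client, window=timedelta(seconds=5)):
    """A simulated query counts as seen only if the log has the same qname from the
    simulator host within +/- window of the time flightsim printed (assumes both
    clocks use the same timezone). Returns (seen, missed)."""
    seen, missed = [], []
    for e in expected:
        matched = any(
            q == e.qname and c == client and abs(ts - e.when) <= window
            for ts, c, q in observed
        )
        (seen if matched else missed).append(e)
    return seen, missed


# The first nine "Resolving" rows of the dga run shown on the page.
FLIGHTSIM_OUTPUT = """\
09:30:28  dga      Starting
09:30:30  dga      Resolving rdumomx.xyz
09:30:31  dga      Resolving rdumomx.biz
09:30:31  dga      Resolving rdumomx.top
09:30:32  dga      Resolving qtovmrn.xyz
09:30:32  dga      Resolving qtovmrn.biz
09:30:33  dga      Resolving qtovmrn.top
09:30:33  dga      Resolving pbuzkkk.xyz
09:30:34  dga      Resolving pbuzkkk.biz
09:30:34  dga      Resolving pbuzkkk.top
09:30:38  dga      Finished
"""

# Constructed resolver log: qtovmrn.top never arrived, pbuzkkk.biz was logged
# 16 s late, pbuzkkk.top came from another host, and one lookup is unrelated.
DNS_LOG = """\
2018-01-10T09:30:30Z client=172.31.84.103 query=rdumomx.xyz type=A
2018-01-10T09:30:31Z client=172.31.84.103 query=rdumomx.biz type=A
2018-01-10T09:30:31Z client=172.31.84.103 query=rdumomx.top type=A
2018-01-10T09:30:32Z client=172.31.84.103 query=qtovmrn.xyz type=A
2018-01-10T09:30:33Z client=172.31.84.103 query=qtovmrn.biz type=A
2018-01-10T09:30:33Z client=172.31.84.103 query=pbuzkkk.xyz type=A
2018-01-10T09:30:50Z client=172.31.84.103 query=pbuzkkk.biz type=A
2018-01-10T09:30:34Z client=10.0.0.7 query=pbuzkkk.top type=A
2018-01-10T09:30:40Z client=172.31.84.103 query=www.example.com type=A
"""

SIMULATOR_HOST = "172.31.84.103"  # interface address printed by flightsim


def run_check():
    """Compare the sample run with the sample log.
    Returns ({module: (confirmed, total)}, [missed qnames])."""
    expected = parse_flightsim(FLIGHTSIM_OUTPUT, "10-Jan-18")
    seen, missed = coverage(expected, parse_dns_log(DNS_LOG), SIMULATOR_HOST)
    per_module = {}
    for e in expected:
        ok, total = per_module.get(e.module, (0, 0))
        per_module[e.module] = (ok + (e in seen), total + 1)
    return per_module, [e.qname for e in missed]
```

On the embedded sample, run_check() reports 6 of 9 dga queries confirmed and names the three that were not, which is the list to take to the SIEM team: a query that never reached the resolver log, one logged far outside the expected window, and one attributed to the wrong host each point at a different visibility gap. Feeding it a real run means pasting the full flightsim output and exporting the resolver or DNS-firewall log for the same minute; the other modules need their own parsers, since their rows describe connections rather than lookups.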

How to evaluate network traffic and flag anomalies?

The same team, AlphaSOC, has also open-sourced another security tool for evaluating network traffic and flagging anomalies, named nfr (short for Network Flight Recorder).

nfr runs on Windows and Linux. By default nfr processes network traffic with the AlphaSOC analytics engine, so you need to register an account to obtain an API key. Usage details can be found here:

https://github.com/alphasoc/nfr