This repository contains tools that can be used to actively hunt for the SYNful Knock Cisco implant in your environment. Please use the tools responsibly.
For more information on SYNful Knock, please see our whitepaper here:
https://www2.fireeye.com/rs/848-DID-242/images/rpt-synful-knock.pdf
These tools will hopefully help you get a head start towards discovering and eradicating the Cisco implant from your environment. We publish these with no warranty or guarantee.
There are a few possibilities here, but the most popular are:
- Download the zip file
- Use git: git clone https://github.com/fireeye/synfulknock.git
Please see readme files in each directory.
Note:
- The NSE script was tested on a Kali 1.1.0 & Ubuntu 15.04 VM--other distros may have strange dependency issues
- Be careful of script name case sensitvity. In the articles, they were all changed to mixed-case. The copy command below should account for that.
- If you have issues with one script, try the other
- If you confirm an infection with one script, validate using the other
- The scripts require root or sudo privileges
- Try Kali 1.1.0 first, it seems to work the best
Nothing special required
cp synfulknock.nse /usr/share/nmap/scripts/
cp synfulknock.nse /usr/share/nmap/scripts/SYNfulKnock.nse
cp packet2.lua /usr/share/nmap/nselib/
Nothing special required
cp synfulknock.nse /usr/share/nmap/scripts/
cp synfulknock.nse /usr/share/nmap/scripts/SYNfulKnock.nse
cp packet2.lua /usr/share/nmap/nselib/
wget https://nmap.org/dist/nmap-6.49BETA4-1.x86_64.rpm
apt-get install alien
alien nmap-6.49BETA4-1.x86_64.rpm
dpkg --install nmap_6.49BETA4-2_amd64.deb
apt-get install subversion
ln -s /usr/lib/x86_64-linux-gnu/libsvn_client-1.so.1 /usr/lib/libsvn_client-1.so.0
cp synfulknock.nse /usr/share/nmap/scripts/
cp synfulknock.nse /usr/share/nmap/scripts/SYNfulKnock.nse
cp packet2.lua /usr/share/nmap/nselib/
This research is ongoing, but if you would like to contribute please email us at: synfulknock [at] fireeye.com
The nmap NSE script is faster than the python script, but requires an additional NSE library (included)
The size of the network will determine which tool is most appropriate, however both can be used for sanity checks.
ESTIMATED WORST-CASE SPEED (THIS FACTORS IN HIGH UNUSED IP SPACE)
Class C - 256 IP addresses - Estimated scan time = 2.28 seconds
nmap -sS -PN -n -T4 -p 80 --script="SYNfulKnock" 10.1.1.1/24
Class B - 65536 IP addresses - Estimated scan time = 2557.50 seconds (42 min)
nmap -sS -PN -n -T4 -p 80 --script="SYNfulKnock" 10.1.1.1/16
Class A - 16,777,216 IP addresses - Estimated scan time = 10,752 minutes (179 hours) = 7 days
nmap -sS -PN -n -T4 -p 80 --script="SYNfulKnock" 10.1.1.1/8
Class C - 256 IP addresses (4 hosts up) - 59.26 seconds
nmap -sS -PN -n -T4 -p 80 --script="SYNfulKnock" 10.1.1.1/24
-- | SYNfulKnock:
-- | seq = 0x7528092b
-- | ack = 0x75341b69
-- | diff = 0xc123e
-- | Result: Handshake confirmed. Checking flags.
-- | TCP flags: 2 04 05 b4 1 01 04 02 1 03 03 05
-- |_Result: Flags match. Confirmed infected!
python ./trigger_scanner_sniff.py -d 10.1.1.1/10.1.1.2
2015-07-14 12:59:02,760 190 INFO Sniffer daemon started
2015-07-14 12:59:02,761 218 INFO Sending 2 syn packets with 10 threads
2015-07-14 12:59:03,188 110 INFO 10.1.1.1:80 - Found implant seq: 667f6e09 ack: 66735bcd
2015-07-14 12:59:03,190 225 INFO Waiting to complete send
2015-07-14 12:59:03,190 227 INFO All packets sent
NSE script - Tony Lee
Python script - Josh Homan
For any issues, please email: synfulknock [at] fireeye.com
See license file within repository