SYNful knock Cisco implant scanning tools

There are two main tools included in the repository. One is an nmap NSE script and the other is a python script. Feel free to email us at synfulknock [at] fireeye.com if you run into issues or want to contribute to the tool development.
mandiant · Sep 16, 2015 · 0bc9bef · 0bc9bef
commit 0bc9bef
Show file tree

Hide file tree

Showing 5 changed files with 1,708 additions and 0 deletions.
diff --git a/NSE/NSE-README.txt b/NSE/NSE-README.txt
@@ -0,0 +1,27 @@
+# REQUIREMENTS #
+� Nmap v6.47 or higher (also tested with v6.49)
+� Modified nselib (included)
+
+
+
+# Setup #
+Place the .nse file here:
+/usr/share/nmap/scripts/
+
+Place the packet2.lua file here:
+/usr/share/nmap/nselib/
+
+
+
+# Example usage #
+nmap -sS -PN -n -T4 -p 80 --script=�SYNfulKnock� 10.1.1.1/24
+
+FLAG EXPLANATION:
+-sS = SYN scan
+-PN = Don�t perform host discovery
+-n = Don�t perform name resolution
+-T4 = Throttle to speed 4
+-p = port number
+--script = script to execute
+optional: --scriptargs=�reportclean=1� Shows the seq and ack for clean
+devices too