Flightsim - A Utility To Generate Malicious Network Traffic And Evaluate Controls
flightsim is a lightweight utility used to generate malicious network traffic and help security teams evaluate security controls and network visibility. The tool performs tests that simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.
Installation
Download the latest flightsim binary for your OS from the GitHub Releases page. Alternatively, the utility can be built with Go in any environment (e.g. Linux, MacOS, Windows), as follows:

```
go get -u github.com/alphasoc/flightsim/...
```
Running Network Flight Simulator
Upon installation, test flightsim as follows:

```
$ flightsim --help
AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)

flightsim is an application which generates malicious network traffic for security
teams to evaluate security controls (e.g. firewalls) and ensure that monitoring
tools are able to detect malicious traffic.

Usage:
  flightsim [command]

Available Commands:
  help        Help about any command
  run         Run all simulators (default) or a particular test
  version     Print version and exit

Flags:
  -h, --help   help for flightsim

Use "flightsim [command] --help" for more information about a command.
```
The utility runs individual modules to generate malicious traffic. To perform all available tests, simply run `flightsim run`, which will generate traffic using the first available non-loopback network interface. NB: when running the C2 modules, flightsim will gather current C2 addresses from the Cybercrime Tracker and the AlphaSOC API, and so requires egress Internet access. To list the available modules, use `flightsim run --help`. To execute a particular test, use `flightsim run` followed by the module name, as below.

```
$ flightsim run --help
Run all simulators (default) or a particular test

Usage:
  flightsim run [c2-dns|c2-ip|dga|hijack|scan|sink|spambot|tunnel] [flags]

Flags:
  -n                        number of hosts generated for each simulator (default 10)
      --fast                run simulator fast without sleep intervals
  -h, --help                help for run
  -i, --interface string    network interface to use

$ flightsim run dga

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 172.31.84.103
The current time is 10-Jan-18 09:30:28

Time      Module   Description
--------------------------------------------------------------------------------
09:30:28  dga      Starting
09:30:28  dga      Generating list of DGA domains
09:30:30  dga      Resolving rdumomx.xyz
09:30:31  dga      Resolving rdumomx.biz
09:30:31  dga      Resolving rdumomx.top
09:30:32  dga      Resolving qtovmrn.xyz
09:30:32  dga      Resolving qtovmrn.biz
09:30:33  dga      Resolving qtovmrn.top
09:30:33  dga      Resolving pbuzkkk.xyz
09:30:34  dga      Resolving pbuzkkk.biz
09:30:34  dga      Resolving pbuzkkk.top
09:30:35  dga      Resolving wfoheoz.xyz
09:30:35  dga      Resolving wfoheoz.biz
09:30:36  dga      Resolving wfoheoz.top
09:30:36  dga      Resolving lhecftf.xyz
09:30:37  dga      Resolving lhecftf.biz
09:30:37  dga      Resolving lhecftf.top
09:30:38  dga      Finished

All done! Check your SIEM for alerts using the timestamps and details above.
```
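The last line of the run output asks you to check your SIEM for alerts using the timestamps and details printed. The following script is an added example, not part of flightsim or the AlphaSOC project: it parses the "Resolving" lines from a saved copy of the flightsim output, parses a resolver query log (the log format here is a constructed, hypothetical one: date, time, client IP, query name, response code), and reports which simulated domains the resolver actually logged within a time window. A domain that flightsim resolved but the log never recorded is a visibility gap, independent of whether any alert fired.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a trimmed copy of the kind of output flightsim prints.
FLIGHTSIM_OUTPUT = """\
09:30:28  dga      Starting
09:30:28  dga      Generating list of DGA domains
09:30:30  dga      Resolving rdumomx.xyz
09:30:31  dga      Resolving rdumomx.biz
09:30:31  dga      Resolving rdumomx.top
09:30:32  dga      Resolving qtovmrn.xyz
09:30:38  dga      Finished
"""

# Constructed sample resolver log in a hypothetical format:
# <date> <time> <client> <qname> <rcode>. Note rdumomx.top is missing.
DNS_LOG = """\
2018-01-10 09:30:30 172.31.84.103 rdumomx.xyz NXDOMAIN
2018-01-10 09:30:31 172.31.84.103 rdumomx.biz NXDOMAIN
2018-01-10 09:30:32 172.31.84.103 qtovmrn.xyz NXDOMAIN
2018-01-10 09:30:40 172.31.84.50 www.example.com NOERROR
"""

# Matches the "<HH:MM:SS>  <module>  Resolving <domain>" rows of the run table.
EVENT_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+Resolving\s+(\S+)\s*$")


def parse_flightsim_events(text, run_date):
    """Return [(datetime, module, domain)] for each 'Resolving' line.

    flightsim prints only the time of day, so the caller supplies the run date.
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{run_date} {m.group(1)}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3).lower()))
    return events


def parse_dns_log(text):
    """Return {qname: [datetime, ...]} from the constructed resolver log format."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        seen[parts[3].lower()].append(ts)
    return seen


def coverage(events, dns_seen, window=timedelta(seconds=60)):
    """Map each simulated domain to True if the resolver logged it within the window."""
    result = {}
    for ts, _module, domain in events:
        hits = dns_seen.get(domain, [])
        result[domain] = any(abs(h - ts) <= window for h in hits)
    return result


def summarize(result):
    """Count domains seen vs. missed so the gap list can go straight into a report."""
    missed = sorted(d for d, ok in result.items() if not ok)
    return {"total": len(result), "seen": len(result) - len(missed), "missed": missed}


if __name__ == "__main__":
    events = parse_flightsim_events(FLIGHTSIM_OUTPUT, "2018-01-10")
    print(summarize(coverage(events, parse_dns_log(DNS_LOG))))
```

Adapt `parse_dns_log` to your resolver's real export format; the rest of the check is the same for the c2-dns, dga, hijack and tunnel modules, since each prints the name it resolves. The time window absorbs clock skew between the test host and the resolver.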
Description of Modules
The modules packaged with the utility are listed in the table below.
Module | Description |
---|---|
c2-dns | Generates a list of current C2 destinations and performs DNS requests to each |
c2-ip | Connects to 10 random current C2 IP:port pairs to simulate egress sessions |
dga | Simulates DGA traffic using random labels and top-level domains |
hijack | Tests for DNS hijacking support via ns1.sandbox.alphasoc.xyz |
scan | Performs a port scan of 10 random RFC 1918 addresses using common ports |
sink | Connects to 10 random sinkholed destinations run by security providers |
spambot | Resolves and connects to random Internet SMTP servers to simulate a spam bot |
tunnel | Generates DNS tunneling requests to *.sandbox.alphasoc.xyz |
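The dga and tunnel rows describe two traffic shapes a DNS monitoring rule should catch: the same random label queried under several TLDs that all fail to resolve, and a stream of unique, long leftmost labels under one parent domain. The detector below is an added example written for this page, not code from flightsim or AlphaSOC, and it runs over constructed resolver log lines (client, query name, response code). Its parent-domain split simply drops the leftmost label, which is a simplification: a production rule would use the public suffix list so that names under multi-label suffixes such as co.uk group correctly.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample log: "<client> <qname> <rcode>" per line. The first two
# groups mimic the dga and tunnel modules; the example.com lines are benign noise.
SAMPLE_LOG = """\
172.31.84.103 rdumomx.xyz NXDOMAIN
172.31.84.103 rdumomx.biz NXDOMAIN
172.31.84.103 rdumomx.top NXDOMAIN
172.31.84.103 qtovmrn.xyz NXDOMAIN
172.31.84.103 qtovmrn.biz NXDOMAIN
172.31.84.103 qtovmrn.top NXDOMAIN
172.31.84.103 a3f9c2e1b7d4a3f9c2e1b7d4a3f9c2e1.sandbox.alphasoc.xyz NOERROR
172.31.84.103 5b0d8e7f61c25b0d8e7f61c25b0d8e7f.sandbox.alphasoc.xyz NOERROR
172.31.84.103 9c4a1f0e3d789c4a1f0e3d789c4a1f0e.sandbox.alphasoc.xyz NOERROR
172.31.84.103 e1d2c3b4a5f6e1d2c3b4a5f6e1d2c3b4.sandbox.alphasoc.xyz NOERROR
172.31.84.103 07f8e9d0c1b207f8e9d0c1b207f8e9d0.sandbox.alphasoc.xyz NOERROR
172.31.84.50 www.example.com NOERROR
172.31.84.50 mail.example.com NOERROR
172.31.84.50 example.com NOERROR
"""


def parse_records(text):
    """Return [(client, qname, rcode)] from the constructed log format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1], parts[2].upper()))
    return records


def split_qname(qname):
    """Lower-case, strip a trailing dot, and split into labels."""
    return qname.lower().rstrip(".").split(".")


def dga_candidates(records, min_tlds=3):
    """Flag (client, label) pairs where one second-level label was queried under
    min_tlds or more TLDs and none of them resolved.

    Only two-label names are considered: the dga module's pattern is
    <random-label>.<tld>, and requiring NXDOMAIN keeps legitimate brand
    registrations (same name under .com/.net/.org) from matching.
    """
    tlds = defaultdict(set)
    for client, qname, rcode in records:
        labels = split_qname(qname)
        if len(labels) != 2 or rcode != "NXDOMAIN":
            continue
        tlds[(client, labels[0])].add(labels[1])
    return {key for key, seen in tlds.items() if len(seen) >= min_tlds}


def tunnel_candidates(records, min_unique=5, min_avg_len=20):
    """Flag (client, parent) pairs with many unique, long leftmost labels.

    Tunnels encode data in the leftmost label, so a single parent domain
    accumulates many never-repeated, unusually long labels. The parent is
    everything after the first label (simplified; see the lead-in).
    """
    subs = defaultdict(set)
    for client, qname, _rcode in records:
        labels = split_qname(qname)
        if len(labels) < 3:
            continue  # need at least <label>.<parent>.<tld>
        subs[(client, ".".join(labels[1:]))].add(labels[0])
    return {
        key for key, seen in subs.items()
        if len(seen) >= min_unique and mean(len(s) for s in seen) >= min_avg_len
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("dga:", sorted(dga_candidates(recs)))
    print("tunnel:", sorted(tunnel_candidates(recs)))
```

Run it against an export from your own resolver after `flightsim run dga` and `flightsim run tunnel`; if the run's client IP is absent from both result sets, the gap is in logging or parsing rather than in the detection thresholds, which is exactly what the tool is meant to surface.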