Flightsim - A Utility To Generate Malicious Network Traffic And Evaluate Controls


flightsim is a lightweight utility used to generate malicious network traffic and help security teams evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.

Installation
Download the latest flightsim binary for your OS from the GitHub Releases page. Alternatively, the utility can be built using Golang in any environment (e.g. Linux, MacOS, Windows), as follows:

go get -u github.com/alphasoc/flightsim/...

Running Network Flight Simulator
Upon installation, test flightsim as follows:

$ flightsim --help

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)

flightsim is an application which generates malicious network traffic for security
teams to evaluate security controls (e.g. firewalls) and ensure that monitoring tools
are able to detect malicious traffic.

Usage:
  flightsim [command]

Available Commands:
  help        Help about any command
  run         Run all simulators (default) or a particular test
  version     Print version and exit

Flags:
  -h, --help   help for flightsim

Use "flightsim [command] --help" for more information about a command
The utility runs individual modules to generate malicious traffic. To perform all available tests, simply use flightsim run, which will generate traffic using the first available non-loopback network interface. NB: when running the C2 modules, flightsim will gather current C2 addresses from the Cybercrime Tracker and the AlphaSOC API, and so requires egress Internet access.

To list the available modules, use flightsim run --help. To execute a particular test, use flightsim run followed by the module name, as below.
$ flightsim run --help

Run all simulators (default) or a particular test

Usage:
  flightsim run [c2-dns|c2-ip|dga|hijack|scan|sink|spambot|tunnel] [flags]

Flags:
  -n,                      number of hosts generated for each simulator (default 10)
      --fast               run simulator fast without sleep intervals
  -h, --help               help for run
  -i, --interface string   network interface to use

$ flightsim run dga

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 172.31.84.103
The current time is 10-Jan-18 09:30:28

Time      Module   Description
--------------------------------------------------------------------------------
09:30:28  dga      Starting
09:30:28  dga      Generating list of DGA domains
09:30:30  dga      Resolving rdumomx.xyz
09:30:31  dga      Resolving rdumomx.biz
09:30:31  dga      Resolving rdumomx.top
09:30:32  dga      Resolving qtovmrn.xyz
09:30:32  dga      Resolving qtovmrn.biz
09:30:33  dga      Resolving qtovmrn.top
09:30:33  dga      Resolving pbuzkkk.xyz
09:30:34  dga      Resolving pbuzkkk.biz
09:30:34  dga      Resolving pbuzkkk.top
09:30:35  dga      Resolving wfoheoz.xyz
09:30:35  dga      Resolving wfoheoz.biz
09:30:36  dga      Resolving wfoheoz.top
09:30:36  dga      Resolving lhecftf.xyz
09:30:37  dga      Resolving lhecftf.biz
09:30:37  dga      Resolving lhecftf.top
09:30:38  dga      Finished

All done! Check your SIEM for alerts using the timestamps and details above.
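As an added example (not part of flightsim or the original post), the following Python detector is the kind of check a blue team could run over resolver query logs to confirm that the dga module's activity is actually caught: it flags second-level labels that look randomly generated, or that were queried under several TLDs in quick succession, which is the exact shape of the run shown above. The log lines are constructed, and the label-length, vowel-ratio, entropy and TLD-count thresholds are assumptions to be tuned per environment.

```python
import math
from collections import defaultdict

# Constructed resolver log lines in "HH:MM:SS client qname" form (not flightsim
# output); they mimic what a DNS log records while `flightsim run dga` executes.
SAMPLE_LOG = """\
09:30:30 172.31.84.103 rdumomx.xyz
09:30:31 172.31.84.103 rdumomx.biz
09:30:31 172.31.84.103 rdumomx.top
09:30:32 172.31.84.103 qtovmrn.xyz
09:30:32 172.31.84.103 qtovmrn.biz
09:30:33 172.31.84.103 qtovmrn.top
09:30:40 172.31.84.103 www.example.com
09:30:41 172.31.84.103 mail.example.org
09:30:42 172.31.84.103 github.com
"""


def shannon_entropy(s):
    """Character entropy in bits; generated labels tend to score higher than words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def vowel_ratio(s):
    return sum(c in "aeiou" for c in s) / len(s)


def looks_random(label):
    # Assumed thresholds: few vowels plus high entropy resembles a generated label.
    return len(label) >= 6 and vowel_ratio(label) < 0.25 and shannon_entropy(label) > 2.5


def flag_dga_candidates(log_text, min_tlds=3):
    """Return {label: sorted TLDs} for second-level labels that look random or were
    queried under at least min_tlds TLDs (the per-label .xyz/.biz/.top spread above)."""
    tlds_by_label = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole scan
        labels = parts[2].lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        tlds_by_label[labels[-2]].add(labels[-1])
    return {lab: sorted(tlds) for lab, tlds in tlds_by_label.items()
            if looks_random(lab) or len(tlds) >= min_tlds}


if __name__ == "__main__":
    for label, tlds in flag_dga_candidates(SAMPLE_LOG).items():
        print(f"DGA candidate: {label} under {', '.join(tlds)}")
```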

Description of Modules
The modules packaged with the utility are listed in the table below.

Module    Description
c2-dns    Generates a list of current C2 destinations and performs DNS requests to each
c2-ip     Connects to 10 random current C2 IP:port pairs to simulate egress sessions
dga       Simulates DGA traffic using random labels and top-level domains
hijack    Tests for DNS hijacking support via ns1.sandbox.alphasoc.xyz
scan      Performs a port scan of 10 random RFC 1918 addresses using common ports
sink      Connects to 10 random sinkholed destinations run by security providers
spambot   Resolves and connects to random Internet SMTP servers to simulate a spam bot
tunnel    Generates DNS tunneling requests to *.sandbox.alphasoc.xyz