flightsim: generate malicious network traffic and evaluate controls
Network Flight Simulator
flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunnelling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.
The utility can be built using Golang in any environment (e.g. Linux, MacOS, Windows), as follows:
go get -u github.com/alphasoc/flightsim/…
Running Network Flight Simulator
The utility runs individual modules to generate malicious traffic. To perform all available tests, simply use flightsim run which will generate traffic using the first available non-loopback network interface. NB: when running the C2 modules, flightsim will gather current C2 addresses from the Cybercrime Tracker and AlphaSOC API, so requires egress Internet access.
To list the available modules, use flightsim run –help. To execute a particular test, use flightsim run <module>, as below.
The modules packaged with the utility are listed in the table below.
|Generates a list of current C2 destinations and performs DNS requests to each|
|Connects to 10 random current C2 IP:port pairs to simulate egress sessions|
|Simulates DGA traffic using random labels and top-level domains|
|Tests for DNS hijacking support via ns1.sandbox.alphasoc.xyz|
|Performs a port scan of 10 random RFC 1918 addresses using common ports|
|Connects to 10 random sinkhole destinations run by security providers|
|Resolves and connects to random Internet SMTP servers to simulate a spam bot|
|Generates DNS tunneling requests to *.sandbox.alphasoc.xyz|