{"id":13826586,"url":"https://github.com/zond/qisniff","last_synced_at":"2025-04-29T03:30:53.529Z","repository":{"id":62361386,"uuid":"42527710","full_name":"zond/qisniff","owner":"zond","description":null,"archived":false,"fork":false,"pushed_at":"2015-09-17T07:43:27.000Z","size":1505,"stargazers_count":66,"open_issues_count":0,"forks_count":14,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-05T12:51:09.491Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zond.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-09-15T15:17:46.000Z","updated_at":"2024-04-25T12:50:24.000Z","dependencies_parsed_at":"2022-10-31T13:45:34.814Z","dependency_job_id":null,"html_url":"https://github.com/zond/qisniff","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zond%2Fqisniff","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zond%2Fqisniff/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zond%2Fqisniff/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zond%2Fqisniff/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zond","download_url":"https://codeload.github.com/zond/qisniff/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251426759,"owners_count":21587642,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T09:01:40.729Z","updated_at":"2025-04-29T03:30:50.285Z","avatar_url":"https://github.com/zond.png","language":"Go","funding_links":[],"categories":["\u003ca id=\"7bf0f5839fb2827fdc1b93ae6ac7f53d\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"32739127f0c38d61b14448c66a797098\"\u003e\u003c/a\u003e嗅探\u0026\u0026Sniff"],"readme":"# qisniff\n\nqisniff sniffs for quantum injection (http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/).\n\nIt does this by assembling the streams in temporary files, and comparing incoming packets covering already received\nsegments of the stream with the already received data.\n\nDifferences in this data is indicative of trickery.\n\nTools that can detect this are relatively rare.\n\nFox IT (see link above) devised a potential detection method, but state\n\n----\n###Evasion\n\nNote that these detection methods are possibly not evasion proof, one could also easily spoof a FIN packet after the QI packet to close the session. This would stop tracking the TCP segments in most IDS systems. Later packets in this stream will not be matched with previous packets.\n\nOther possibilities is to try to create a partial overlap of data, thus avoiding detection of duplicate sequence numbers.\n\n----\n\nqisniff doesn't close sessions at FIN packets, and it doesn't use sequence numbers directly to detect overlaps, so qisniff will detect *all* incoming QI packet insertions.\n\n## Docs\n\nhttp://godoc.org/github.com/zond/qisniff\n\n## Example run\n\nSniffing a pcap file from a suspected injection by the great firewall of china:\n\n```\n$go run qisniff.go -file eureka.tcpdump \n\\ \n123.125.115.164:80(http)-\u003e192.150.187.17:31161 1487292510\n\u003cA\u003e\nHTTP/1.1 200 OK\nServer: Apache\nConnection: close\nContent-Type: text/javascript\nContent-Length: 1130\n\n\neval(function(p,a,c,k,e,r){e=function(c){return(c\u003ca?'':e(parseInt(c/a)))+((c=c%a)\u003e35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){re\n\u003c/A\u003e\n\u003cB\u003e\nHTTP/1.1 200 OK\nServer: nginx\nDate: Fri, 03 Apr 2015 15:41:17 GMT\nContent-Type: application/x-javascript\nContent-Length: 0\nLast-Modified: Fri, 03 Apr 2015 08:55:28 GMT\nConnection: keep-alive\nETag: \"551e5580-0\"\nExpires: Fri, 03 Apr 2015 16:41:17 GMT\nCache-Control: max-age=3600\nAccept-Ranges: bytes\n\n\n\u003c/B\u003e\n```\n\nSniffing a pcap file from a FIN flagged injection packet (which will make most analysis tools drop the later duplicate packet):\n\n```\n$go run qisniff.go -file linkedin_FIN.pcap \n/ \n91.225.248.129:80(http)-\u003e10.0.1.4:54015 4114717474\n\u003cA\u003e\nHTTP/1.1 302 Found\nLocation: http://fox-it.com/\nContent-Length: 0\n\n\n\u003c/A\u003e\n\u003cB\u003e\nHTTP/1.1 301 Moved Permanently\nDate: Tue, 21 Apr 2015 00:40:01 GMT\nX-\n\u003c/B\u003e\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzond%2Fqisniff","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzond%2Fqisniff","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzond%2Fqisniff/lists"}