Findject is a simple pyhton script that can find injected TCP packets in HTTP sessions, such as the QUANTUMINSERT Man-on-the-Side (MOTS) attacks. Packet injections can be detected with some IDS solutions, such as Bro and Suricata. However, we noticed that these solutions didn't properly detect all MOTS attacks - which is why findject.py was created. Other noteworthy tools for detecting packet injection attacks are HoneyBadger and qisniff.
Findject is open source software and is released under the GNU General Public License version 2 (GPLv2).
Execute findject like this:
Example execution with no injections found:
Example execution with packet injection detected:
Findject runs on any OS that supports Python, i.e. Windows, Linux and Mac OS X.
You need the following software installed to run findject.py:
Findject can be downloaded from the following URL: https://www.netresec.com/?download=findject
We have linked several publicly available PCAP files containing TCP packet injection attacks on our PCAP repository page. Scroll down to the "Packet Injection Attacks / Man-on-the-Side Attacks" segment to find the example packet captures.