GoldenEye 2.1 released with even more randomness

Recently I’ve discovered that GoldenEye got his first signature from a big vendor.

That’s funny since the main GoldenEye objective is to be signature-proof due its randomness. I’ve done a quick search on the internet and found the signature update link for their products, downloaded, located that one mentioned above.

It was a very crude signature, as expected:

Mostly are the only static texts GoldenEye had (since this update ;)). These are mostly leftovers from Barry’s HULK, which GoldenEye was spawned from.

Changelog

No worries, this new patch include the following changes:

  • Referer strings from search engines now only domain part hardcoded (rest is generated)
  • Referer generation function now generates even more random referers.
  • NO MORE HARDCODED USER AGENTS. I admit, hardcoded user agents were lame. There’s now a User-Agent Generator function that will generate RFC-2616 compliant user-agent strings.
  • External User-Agent List Support: As the generator function may generate UAs for inexistent browser version + plugin version combinations, you can now supply your own list of User-Agents (one per line – text file) via the -u flag.
  • Besides no-cache I’ve added the directive max-age=0 that does basically the same thing. GoldenEye will chose one of them during the strike request.
  • More random keepalive values: They’re 110-120 (legacy), now they’re random 1-1000
  • User-Agent lists: I’ve added a res directory for external resources. Multiple text files were placed there with user agents from different platforms.
  • Utilities! Now the getuas.py scrapes (requires BeautifulSoup) http://www.useragentstring.com/ URLs.

About the User-Agent generation algorithm

The user-agent string follows the following format: Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions]

I have a python dictionary with OS-specific values and Platform-specific (Webkit, Gecko, Internet Explorer) values. There are many options for each one. Mostly generated on the fly thanks to python’s dynamic lists generation.

Here’s an example of the property generation

Upon program start, it will generate N random values and populate the python list. As lists can be easily joined with the + operator, this makes dynamic list generation a charm. The same goes to OS-specific values

Any effort now to block our user-agents will block legitimate traffic also :)

About referer generation

In the previous GoldenEye versions, referers were crude and simple, like search engine search urls with some random parameter. Now referers are generated like request urls:

  • Random PATH (/Hiad727ja)
  • Random QueryString key and value names
  • Random QueryString key and value quantity
  • Random QueryString presence

As it was before, referer presence is also random.

I think that covers all the changes for this version.

Download, test (please, not on other people’s servers) and report!

Talking about D/DoS (again) at XVII Semana de Informática (Computer Science Week)

I’m speaking at the 17th Computer Science Week at Minas Gerais, Brazil November 24th. I’ll be giving an extended version of my H2HC Talk for Computer Science students at UFV (Universidade Federal de Viçosa / Viçosa Federal University) at Minas Gerais, Brazil.

More at my talk’s summary page on the event website

@UPDATE
It was a great talk! Thanks for everyone that attended! Slides are on my slideshare!

I’m speaking at Hackers 2 Hackers Conference 9th edition – 2012 @ São Paulo, Brazil!

Hi folks! I’m glad to inform that my paper “Advanced DDoS techniques: Layer 7, load-balancing and mobile tools” was accepted by the 9th Hackers 2 Hackers Conference (H2HC).

The event will take place on October 20-21 and it seems to be another success just like previous editions.

Don’t forget to check the event’s website for full line-up. If you can, enroll and enjoy!