We spend most of our time chasing endpoint infections and identity abuse. That’s where the alerts are. That’s where the tooling is. Meanwhile, the device that routes every login, session cookie, software update, and SaaS request can sit untouched for years.

Recent reporting on DKnife changes how that feels. It describes a Linux toolkit built to hijack router traffic, intercept credentials, and quietly deliver malware downstream. Not by attacking the endpoint directly, but by manipulating the path the traffic takes before it ever reaches it.


How 3TS Real Time Scanner protects against edge-level threats like DKnife

Our scanner does more than port scanning (what nmap does) and vulnerability detection (what Nessus does). Because DKnife works by manipulating the traffic path (adversary-in-the-middle, AitM), the scanner also verifies the integrity of the routing logic itself, not just whether the router answers on its management ports.

Below are the five capabilities we added to the scanner to defend against DKnife-style compromise of the edge:

1. “Golden Image” Configuration Auditing

Instead of just checking whether a router is "up," the scanner performs authenticated checks against the device itself to detect configuration drift from the image it was provisioned with.

  • iptables/nftables Snapshotting: Regularly pull the current firewall and NAT rules (the output of iptables-save or nft list ruleset) and flag any DNAT or REDIRECT rule that was not in the baseline. DKnife uses rules like these to transparently proxy traffic.

  • Persistence Hunter: Scan for new or modified files (compare hash and modification time against the baseline) in high-risk Linux directories such as /etc/init.d/, /etc/systemd/system/, and /var/spool/cron/.

  • Binary Integrity: Compare the hashes of core networking binaries (ip, route, iptables, dnsmasq) against known-good vendor hashes. Take the reference hashes from the vendor firmware image, never from the device under test, since a compromised device would simply baseline its own replacements.
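The three checks above fit in one drift routine. The following is an added example, not 3TS code: it diffs a constructed iptables-save dump against a constructed baseline, singles out the new rules whose target rewrites the traffic path, and compares binary hashes against a known-good table. The rule text, binary contents and paths are all constructed stand-ins.

```python
"""Configuration-drift checks for a Linux router (added example, not
3TS code): diff a live iptables-save dump against the provisioning
baseline, single out new DNAT/REDIRECT rules, and compare binary
hashes against known-good values."""
import hashlib
import re

# Constructed baseline: the iptables-save output captured when the
# router was provisioned. Illustrative only.
BASELINE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i br-lan -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed current snapshot: two PREROUTING rules appeared that send
# LAN HTTP through a local proxy port and LAN DNS to a host on the LAN.
CURRENT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 10.3.3.3:53
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i br-lan -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Targets that change where a packet goes rather than whether it passes.
REWRITE_TARGETS = re.compile(r"-j (DNAT|REDIRECT|TPROXY)\b")


def parse_rules(dump):
    """Set of (table, rule) pairs from an iptables-save dump. Chain
    policy lines (':INPUT DROP ...') and COMMIT markers are not rules."""
    rules, table = set(), None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.add((table, line))
    return rules


def rule_drift(baseline, current):
    """Rules added or removed since the baseline, plus the subset of
    added rules whose target rewrites the traffic path."""
    base, now = parse_rules(baseline), parse_rules(current)
    added = now - base
    return {
        "added": sorted(added),
        "removed": sorted(base - now),
        "redirecting": sorted(r for r in added if REWRITE_TARGETS.search(r[1])),
    }


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the vendor binaries. In production the
# known-good table comes from the firmware image or the vendor's
# published hashes, and `current` is read from the router's filesystem.
VENDOR_BINARIES = {
    "/sbin/iptables": b"\x7fELF stand-in for iptables 1.8",
    "/usr/sbin/dnsmasq": b"\x7fELF stand-in for dnsmasq 2.89",
    "/sbin/ip": b"\x7fELF stand-in for iproute2 ip",
}
KNOWN_GOOD = {path: sha256_hex(data) for path, data in VENDOR_BINARIES.items()}


def binary_drift(known_good, current):
    """Paths whose content hash no longer matches the known-good table,
    including binaries that are missing entirely."""
    bad = [p for p, h in known_good.items()
           if p not in current or sha256_hex(current[p]) != h]
    return sorted(bad)


if __name__ == "__main__":
    drift = rule_drift(BASELINE_RULES, CURRENT_RULES)
    for table, rule in drift["redirecting"]:
        print(f"ALERT new traffic-rewriting rule in {table}: {rule}")
    tampered = {**VENDOR_BINARIES, "/usr/sbin/dnsmasq": b"\x7fELF replaced"}
    for path in binary_drift(KNOWN_GOOD, tampered):
        print(f"ALERT hash mismatch: {path}")
```

The diff is done on whole rule lines on purpose: a rule that differs only in its --to-destination is still a changed rule, and the set difference catches it without a rule grammar. Removed rules are reported too, because dropping an INPUT DROP is as interesting as adding a DNAT.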

2. DNS Integrity & Path Validation

DKnife relies heavily on DNS hijacking to redirect users before TLS is established.

  • Resolver Monitoring: Alert if the router's DNS resolver settings (/etc/resolv.conf, or the upstream servers configured for its DNS forwarder) change to an external or unknown IP.

  • Synthetic DNS Canary: Have the scanner periodically perform DNS lookups for sensitive internal and external domains (e.g., portal.office.com) through the router. If the answer set shares no address with what a trusted "clean" resolver (such as 1.1.1.1) returns, flag a hijacking attempt. Compare for overlap rather than exact equality: names served from a CDN legitimately return different addresses to different resolvers.

  • TTL Tracking: Monitor for unusually low TTL (Time to Live) values in DNS responses, which attackers use to ensure their malicious redirects are not cached for long. Low TTLs are also normal for CDN-hosted names, so compare the router's TTL with the trusted resolver's TTL for the same name before alerting.
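The canary and TTL checks together, as an added example that is not 3TS code: the block builds a real wire-format A query, parses the response including name compression, and compares the router's answer set and TTL with the trusted resolver's. The responses in the demo are constructed in memory so it runs offline; the addresses, domain and TTLs are sample values, and query() is the function you would point at the router and at the trusted resolver in production.

```python
"""Synthetic DNS canary (added example, not 3TS code): build a query,
parse the wire-format response, and compare what the router's resolver
returns against a trusted resolver. The sample responses are constructed
in memory so the check runs offline; query() does a real lookup."""
import socket
import struct

TYPE_A, CLASS_IN = 1, 1


def build_query(txid, domain):
    """Standard recursion-desired A query for `domain`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in domain.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid, domain, ips, ttl):
    """Constructed A-record response using a compression pointer (0xC00C)
    back to the question name, as real resolvers do."""
    query = build_query(txid, domain)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        answers += socket.inet_aton(ip)
    return header + query[12:] + answers


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg):
    """Return [(name, ttl, ip)] for the A records in a response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                      # non-zero RCODE: no usable answer
        return []
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                            # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN:
            out.append((name, ttl, socket.inet_ntoa(rdata)))
    return out


def query(domain, server, txid=0x1234, timeout=2.0):
    """Send the query over UDP to `server` (the router's LAN address, or
    1.1.1.1) and return the raw response. Not used by the offline demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid, domain), (server, 53))
        return s.recv(4096)


def check_canary(router_msg, trusted_msg, min_ttl=60):
    """Compare the router's answer set with the trusted one. A disjoint
    answer set is the hijack signal; a TTL below `min_ttl` is reported
    only when the trusted resolver does not also return a short TTL,
    since CDN-hosted names legitimately use short TTLs."""
    router, trusted = parse_answers(router_msg), parse_answers(trusted_msg)
    router_ips = {ip for _, _, ip in router}
    trusted_ips = {ip for _, _, ip in trusted}
    findings = []
    if router_ips and trusted_ips and not (router_ips & trusted_ips):
        findings.append(f"answer mismatch: router={sorted(router_ips)} trusted={sorted(trusted_ips)}")
    router_ttl = min((ttl for _, ttl, _ in router), default=None)
    trusted_ttl = min((ttl for _, ttl, _ in trusted), default=None)
    if router_ttl is not None and router_ttl < min_ttl and (trusted_ttl or 0) >= min_ttl:
        findings.append(f"suspiciously low TTL {router_ttl}s (trusted resolver says {trusted_ttl}s)")
    return findings


if __name__ == "__main__":
    domain = "portal.office.com"
    trusted = build_response(0x1234, domain, ["52.96.0.1", "52.96.0.2"], 300)  # constructed
    hijacked = build_response(0x1234, domain, ["10.3.3.3"], 5)                 # constructed
    for f in check_canary(hijacked, trusted):
        print("ALERT", f)
```

Send the canary to the router's LAN address, not to the upstream resolver the router is configured with: the point is to exercise the path clients actually use, including any PREROUTING DNAT on port 53.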

3. Traffic Shadow Detection

DKnife uses components like yitiji.bin to create virtual TAP interfaces and bridge them into the LAN.

  • Promiscuous Mode Detection: Scan the router interfaces to see if any are running in "promiscuous mode" (used for sniffing). Note that bridge member ports are normally promiscuous, so compare against a baseline rather than alerting on every PROMISC flag.

  • Virtual Interface Inventory: Alert on the creation of unexpected virtual interfaces (e.g., tap0, tun1, or bridges) that do not match the network's architectural design.

  • Shadow IP Discovery: DKnife is known to use specific internal IPs (such as 10.3.3.3) for its bridged interfaces. Scan for "phantom" IPs that appear in the ARP/neighbor table or respond to pings but do not belong to a registered asset.
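The three checks above, as an added example that is not 3TS code. Interface type and flags are read from sysfs (/sys/class/net/<if>/flags holds the IFF_* bits in hex; tun_flags exists only for TUN/TAP devices, a bridge/ directory only for bridges), so the functions take the sysfs root as a parameter and the demo builds a constructed fake tree under a temp directory. The neighbor-table text and asset list are constructed as well.

```python
"""Interface inventory and phantom-IP checks for a Linux router (added
example, not 3TS code). Interface flags and types come from sysfs, so
the functions take the sysfs root as a parameter and the demo builds a
constructed fake tree under a temp directory."""
import os
import tempfile

IFF_PROMISC = 0x100   # linux/if.h


def interface_inventory(sysfs="/sys/class/net"):
    """Map interface name -> {"kind", "promisc"} from sysfs. Kind is
    derived from marker files: tun_flags exists only for TUN/TAP devices,
    a bridge/ directory only for bridges."""
    inv = {}
    for name in sorted(os.listdir(sysfs)):
        path = os.path.join(sysfs, name)
        try:
            with open(os.path.join(path, "flags")) as fh:
                flags = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue
        if os.path.exists(os.path.join(path, "tun_flags")):
            kind = "tun/tap"
        elif os.path.isdir(os.path.join(path, "bridge")):
            kind = "bridge"
        elif name == "lo":
            kind = "loopback"
        else:
            kind = "other"
        inv[name] = {"kind": kind, "promisc": bool(flags & IFF_PROMISC)}
    return inv


def inventory_drift(baseline, current):
    """New interfaces, and interfaces that became promiscuous since the
    baseline. Bridge member ports are normally promiscuous, which is why
    this diffs against a baseline instead of alerting on any PROMISC."""
    new = sorted(n for n in current if n not in baseline)
    newly_promisc = sorted(n for n, i in current.items()
                           if i["promisc"] and not baseline.get(n, {}).get("promisc"))
    return {"new": new, "newly_promisc": newly_promisc}


def phantom_ips(neigh_output, asset_ips):
    """IPs in `ip -4 neigh show` output that have a resolved MAC but are
    not in the asset inventory. Entries without lladdr (FAILED/INCOMPLETE)
    never answered ARP and are skipped."""
    found = []
    for line in neigh_output.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        ip, mac = fields[0], fields[fields.index("lladdr") + 1]
        if ip not in asset_ips:
            found.append((ip, mac, fields[fields.index("dev") + 1]))
    return found


def fake_sysfs(spec):
    """Build a constructed /sys/class/net lookalike: spec maps interface
    name -> (flags, kind). Returns the directory path."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    for name, (flags, kind) in spec.items():
        d = os.path.join(root, name)
        os.makedirs(d)
        with open(os.path.join(d, "flags"), "w") as fh:
            fh.write(f"0x{flags:x}\n")
        if kind == "tun/tap":
            open(os.path.join(d, "tun_flags"), "w").close()
        elif kind == "bridge":
            os.makedirs(os.path.join(d, "bridge"))
    return root


# Constructed baseline and "now" states. 0x1003 = UP|BROADCAST|MULTICAST,
# 0x1103 adds IFF_PROMISC (eth1 is a bridge port and was already promisc).
BASELINE_SPEC = {"lo": (0x9, "loopback"), "eth0": (0x1003, "other"),
                 "br-lan": (0x1003, "bridge"), "eth1": (0x1103, "other")}
CURRENT_SPEC = dict(BASELINE_SPEC, tap0=(0x1103, "tun/tap"))

# Constructed `ip -4 neigh show` output and the registered asset list.
NEIGH_OUTPUT = """\
10.0.10.20 dev br-lan lladdr 00:11:22:33:44:55 REACHABLE
10.0.10.21 dev br-lan  FAILED
10.3.3.3 dev br-lan lladdr 02:de:ad:be:ef:01 STALE
"""
ASSET_IPS = {"10.0.10.20", "10.0.10.21"}

if __name__ == "__main__":
    base = interface_inventory(fake_sysfs(BASELINE_SPEC))
    now = interface_inventory(fake_sysfs(CURRENT_SPEC))
    print(inventory_drift(base, now))
    print(phantom_ips(NEIGH_OUTPUT, ASSET_IPS))
```

On the real device, call interface_inventory() with its default argument and feed phantom_ips() the output of `ip -4 neigh show`; the neighbor table is preferable to a ping sweep because a bridged TAP host that ignores ICMP still has to answer ARP to receive traffic.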

4. Binary Download & Update Analysis

Since DKnife intercepts software updates (Android APKs, Windows binaries) to inject malware:

  • Cleartext Update Detection: Identify any device on the network that downloads .exe, .msi, or .apk files over unencrypted HTTP. Match on the response content type as well as the file extension, since an update URL often has no extension at all.

  • Certificate Mismatch Alerts: If your scanner can perform deep packet inspection (DPI), look for self-signed certificates or unexpected issuers in POP3/IMAP or HTTPS sessions; either indicates the router is terminating TLS (AitM). Note that TLS 1.3 encrypts the server certificate in the handshake, so passive inspection only sees it in TLS 1.2 sessions; for TLS 1.3 the reliable check is on the client side (certificate pinning, or auditing the client trust store for an added root).
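The cleartext-download check, as an added example that is not 3TS code. The log format is a constructed tab-separated one (timestamp, client, method, host, URI, status, response MIME type) standing in for whatever your proxy or sensor emits; every record in it is plain HTTP by definition of the source, since an HTTPS transaction would not expose URI or content type. The magic-byte classifier covers the case where a response body is available from a capture and the URL itself gives nothing away.

```python
"""Cleartext-update detection (added example, not 3TS code): scan HTTP
transaction records for executable downloads by extension and by MIME
type, and classify captured response bodies by magic bytes."""
from urllib.parse import urlsplit

RISKY_EXTENSIONS = {".exe", ".msi", ".apk"}
EXECUTABLE_MIME = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
    "application/x-msi", "application/vnd.android.package-archive",
}
# MZ = PE executable, D0CF11E0 = OLE compound document (MSI),
# PK\x03\x04 = zip, which is what an APK is, so that case is ambiguous.
MAGIC = {b"MZ": "pe", b"\xd0\xcf\x11\xe0": "msi", b"PK\x03\x04": "zip-or-apk"}

# Constructed sample log: ts, client, method, host, uri, status, resp_mime.
SAMPLE_LOG = """\
1700000000.1\t10.0.10.20\tGET\tdownloads.example\t/setup.exe?ver=3\t200\tapplication/x-msdownload
1700000001.2\t10.0.10.21\tGET\tcdn.example\t/assets/logo.png\t200\timage/png
1700000002.3\t10.0.10.22\tGET\tapp.example\t/update?id=77\t200\tapplication/vnd.android.package-archive
1700000003.4\t10.0.10.23\tGET\tsite.example\t/help.html\t200\ttext/html
1700000004.5\t10.0.10.24\tGET\tmirror.example\t/Installer.MSI\t200\tapplication/octet-stream
"""


def classify(line):
    """Return a finding dict for a cleartext executable download, or None."""
    ts, client, method, host, uri, status, mime = line.rstrip("\n").split("\t")
    path = urlsplit(uri).path.lower()          # query string dropped
    segment = path.rsplit("/", 1)[-1]
    ext = segment[segment.rfind("."):] if "." in segment else ""
    reasons = []
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"extension {ext}")
    if mime.lower() in EXECUTABLE_MIME:
        reasons.append(f"mime {mime}")
    if not reasons:
        return None
    return {"ts": ts, "client": client, "url": f"http://{host}{uri}", "reasons": reasons}


def scan_log(text):
    """All findings in a multi-line log, in log order."""
    return [f for f in (classify(l) for l in text.splitlines() if l.strip()) if f]


def body_type(body):
    """Classify a response body by magic bytes; None if not executable-like."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("ALERT cleartext executable download", f["client"], f["url"], f["reasons"])
    print(body_type(b"MZ\x90\x00\x03"))  # constructed first bytes of a PE file
```

The MIME match catches the /update?id=77 style of URL that an extension check misses, and the extension match catches a mirror that serves installers as application/octet-stream; both are needed.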

5. Administrative Plane Hygiene

  • Credential Strength Testing: Automatically check for default or weak credentials on router management ports (SSH, Web UI).

  • Access Control Mapping: Map which internal subnets can reach the router's management interface. If the "whole office" can reach the router's admin page, that is a high-risk configuration: every phished workstation becomes a path to the edge.
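The access-control map can be computed from the router's own INPUT rules instead of probing from every subnet. The following is an added example, not 3TS code: it takes a constructed, simplified form of the INPUT chain (source, destination port, target, in chain order) plus the chain policy, applies iptables first-match semantics, and reports for each office subnet which addresses can reach a management port and whether the whole subnet is open. Subnets, ports and rules are sample values.

```python
"""Admin-plane reachability map (added example, not 3TS code): given the
router's INPUT rules for a management port, compute which addresses of
each office subnet can reach it, using iptables first-match semantics."""
import ipaddress

# Constructed rules in chain order; src None means any source, dport None
# means any port. Each mirrors a line such as
#   -A INPUT -s 10.0.99.0/24 -p tcp --dport 22 -j ACCEPT
RULES = [
    {"src": "10.0.99.0/24", "dport": 22, "target": "ACCEPT"},
    {"src": "10.0.10.5/32", "dport": 443, "target": "DROP"},
    {"src": "10.0.10.0/24", "dport": 443, "target": "ACCEPT"},
    {"src": None, "dport": 443, "target": "ACCEPT"},   # the "whole office" mistake
]
POLICY = "DROP"
OFFICE_SUBNETS = ["10.0.10.0/24", "10.0.20.0/24", "10.0.99.0/24"]


def reachable(rules, policy, port, subnet):
    """Address ranges inside `subnet` whose packets to `port` hit an
    ACCEPT before any DROP/REJECT (or fall through to an ACCEPT policy).
    Two CIDR blocks are either nested or disjoint, so three cases suffice."""
    undecided = [ipaddress.ip_network(subnet)]
    allowed = []
    for rule in rules:
        if rule["dport"] not in (port, None):
            continue
        src = ipaddress.ip_network(rule["src"] or "0.0.0.0/0")
        remaining = []
        for net in undecided:
            if net.subnet_of(src):            # whole block decided by this rule
                hit, rest = [net], []
            elif src.subnet_of(net):          # rule carves a piece out of it
                hit, rest = [src], list(net.address_exclude(src))
            else:                             # disjoint: rule does not apply
                hit, rest = [], [net]
            if rule["target"] == "ACCEPT":
                allowed.extend(hit)
            remaining.extend(rest)
        undecided = remaining
        if not undecided:
            break
    if policy == "ACCEPT":
        allowed.extend(undecided)
    return sorted(allowed)


def exposure_report(rules, policy, port, subnets):
    """Per subnet: reachable ranges and whether the entire subnet is open."""
    report = {}
    for s in subnets:
        nets = reachable(rules, policy, port, s)
        total = sum(n.num_addresses for n in nets)
        report[s] = {"reachable": [str(n) for n in nets],
                     "fully_open": total == ipaddress.ip_network(s).num_addresses}
    return report


if __name__ == "__main__":
    for port in (22, 443):
        for subnet, info in exposure_report(RULES, POLICY, port, OFFICE_SUBNETS).items():
            tag = "HIGH RISK" if info["fully_open"] else "ok"
            print(port, subnet, tag, info["reachable"])
```

With the constructed rules, SSH is reachable only from the management subnet, but the catch-all ACCEPT on 443 opens the Web UI to every office subnet except the single host dropped earlier in the chain, which is exactly the configuration the check is meant to surface.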