FRYXAR Home Page



mirror.c:

This simple tool mirrors, on a Unix box, the traffic received on one network interface onto another network interface.

Download: mirror.c

SNORT Covered channels detector patch:

Usually, in every medium/large company network, there is a firewall connecting the corporate LAN/WAN to the Internet with a set of rules that only allows specific traffic, such as HTTP, HTTPS, FTP or POP3 / SMTP. A malicious internal user could take advantage of these open ports and use them to access other services (sending other protocols through them).

For example, he could set up an ssh server on the Internet listening on port 443, and configure the internal ssh client to access that port. Such an arrangement makes it virtually impossible for any administrator to detect the real nature of the traffic. The same applies if there is a proxy providing Internet access to the LAN: by using tools like proxytunnel, it is possible to establish a connection to a server on the Internet without being detected.

This snort patch, based on the "tcpstatflow" tool and written to be compiled with snort-2.6.1.1 using the stream4 preprocessor, is designed to fight these techniques by detecting traffic that is not HTTP / HTTPS / FTP / SMTP, with a reasonable margin of error. It is based on the fact that these protocols present a huge asymmetry between the amount of data transmitted in one direction and in the opposite one (within a single TCP connection).

As an example, consider HTTP requests: the browser sends a small packet with a GET command (and some extra overhead) and, as a response, receives a web page, an image, or a download. The same asymmetry takes place in reverse with SMTP: your mail client sends your composition, and a small ACK is sent back from the server. Asymmetry. Keep that in mind.

To apply this patch, you must:

- Download snort source (snort-2.6.1.1.tar.gz)

- Download snort patch (snort_covered_channels_detection.txt)

- Apply the patch: patch -p0

- Compile snort & Install

- To configure, you must set the following two values in the config file:

# detect_covered_channels [number] - Number of bytes to use as threshold to detect covered channels, 0 to disable this check

# covered_channels_ports [list] - use the space separated list of ports in [list], "all" will turn on detection for all ports, "default" will turn on reassembly for ports 21, 25, 80 and 443

So, if the number of bytes on an ESTABLISHED TCP connection is greater than the "detect_covered_channels" threshold for both flows (from client to server, and from server to client), and the connection has a destination port in the "covered_channels_ports" list, a standard snort alert is generated with GID 111 and SID 26.
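The detection rule just described, reduced to its essentials as an added example (this is not the patch's code, and it works on per-connection byte counters that the stream4 preprocessor would supply in the real patch; the flow records below are constructed for illustration):

```python
"""Flow-asymmetry check in the spirit of the covered-channels snort patch.

Added example, not the patch itself. A flow is flagged when BOTH directions of
an established TCP connection carry more than `threshold` bytes and the
destination port is in the configured port list.
"""
from dataclasses import dataclass

# The page states that "default" enables ports 21, 25, 80 and 443.
DEFAULT_PORTS = {21, 25, 80, 443}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_bytes: int   # payload bytes client -> server
    server_bytes: int   # payload bytes server -> client
    established: bool = True


def parse_ports(spec: str):
    """Mimic covered_channels_ports: "all", "default" or a space separated list.

    Returns None for "all" (no port restriction), otherwise a set of ints.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return None
    if spec == "default":
        return set(DEFAULT_PORTS)
    return {int(p) for p in spec.split()}


def is_covered_channel(flow: Flow, threshold: int, ports) -> bool:
    """True when the connection is symmetric above the threshold on a watched port."""
    if threshold == 0 or not flow.established:   # 0 disables the check, as in the patch
        return False
    if ports is not None and flow.dport not in ports:
        return False
    return flow.client_bytes > threshold and flow.server_bytes > threshold


def check_flows(flows, threshold: int, port_spec: str):
    """Return one alert string per flagged flow, labelled with the patch's GID/SID."""
    ports = parse_ports(port_spec)
    alerts = []
    for f in flows:
        if is_covered_channel(f, threshold, ports):
            alerts.append(f"[111:26] covered channel {f.src} -> {f.dst}:{f.dport} "
                          f"c2s={f.client_bytes} s2c={f.server_bytes}")
    return alerts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 420, 180_000),       # HTTPS download: asymmetric
    Flow("10.0.0.7", "203.0.113.20", 25, 95_000, 300),         # mail submission: asymmetric
    Flow("10.0.0.9", "203.0.113.30", 443, 140_000, 160_000),   # symmetric on 443: suspicious
    Flow("10.0.0.9", "203.0.113.40", 8443, 140_000, 160_000),  # symmetric, but port not watched
]

if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS, 65536, "default"):
        print(alert)
```

With the "default" port list only the third flow is reported; switching the list to "all" also catches the fourth, which is the trade-off the port list exists for: wider coverage at the cost of more false positives on ports where symmetric traffic is normal.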

Download from: http://oocities.com/fryxar/snort_covered_channels_detection.txt

AIDE problem handling symlinks:

AIDE (Advanced Intrusion Detection Environment) is a tool that creates a Database that can be used to verify the integrity of files.

As modern filesystems (ext2, ufs, etc.) implement fast symlinks, storing the target pathname inside the inode, if only checksum options (sha1, md5, tiger, etc.) are used to check the integrity of a symbolic link, AIDE will not be able to detect changes made to it.

If you use an mtime/ctime option and somebody changes the target pathname, AIDE will show it, but these options are easy to trick with a standard Unix "touch" command (and root privilege, of course).

So, I added the new option "l" to AIDE, to compare the target pathname of symbolic links against the database. If the target pathname of a symlink is changed, the difference will be shown.

Please upgrade your AIDE tool to the latest version available (>= 0.13-r1).
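To see why a checksum alone misses a retargeted symlink, here is an added example (not AIDE's code) that records AIDE-style attributes for a path and compares two snapshots. The `snapshot` and `compare` helpers and the attribute names are this example's own; "l" stands in for the link-target option described above. The demo builds two target files with identical content in a temporary directory, points a symlink at the first, then re-points it at the second:

```python
"""Why checksum-only checks miss symlink retargeting. Added example, not AIDE code."""
import hashlib
import os
import tempfile


def snapshot(path: str) -> dict:
    """Record attributes for one path, without following the link for stat data."""
    st = os.lstat(path)
    rec = {"m": int(st.st_mtime), "c": int(st.st_ctime)}
    if os.path.islink(path):
        rec["l"] = os.readlink(path)          # the target pathname: what option "l" compares
    # A content checksum reads THROUGH the link, so it hashes the target's bytes.
    with open(path, "rb") as f:
        rec["sha1"] = hashlib.sha1(f.read()).hexdigest()
    return rec


def compare(old: dict, new: dict, attrs) -> list:
    """Return the names of the requested attributes whose values differ."""
    return [a for a in attrs if old.get(a) != new.get(a)]


def demo():
    """Retarget a symlink between two identical files and compare with/without 'l'."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "a")
        b = os.path.join(d, "b")
        link = os.path.join(d, "link")
        for p in (a, b):
            with open(p, "wb") as f:
                f.write(b"same content\n")    # constructed: identical bytes in both targets
        os.symlink(a, link)
        before = snapshot(link)
        os.unlink(link)
        os.symlink(b, link)                   # the change an attacker would make
        after = snapshot(link)
        checksum_only = compare(before, after, ["sha1"])
        with_link_target = compare(before, after, ["sha1", "l"])
        return checksum_only, with_link_target


if __name__ == "__main__":
    print(demo())   # checksum-only finds nothing; adding "l" reports the retarget
```

The checksum is identical before and after because it hashes the content of whichever file the link currently resolves to, so an attacker can swap in a same-content (or same-hash) decoy and hide the redirection; comparing the stored target pathname catches it regardless of the content. The timestamps are deliberately left out of the comparison, since the text notes they can be reset with "touch".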

snortcheck:

This simple program is useful to check whether snort (working as a NIDS) is running correctly on a Linux box. It works by sending an ICMP echo-request packet (even if the sniffing interface is in stealth mode) specially crafted to trigger a token alert, using a rule that identifies the combination of source IP / destination IP / ICMP echo-reply message.

Running it periodically (for example once a week from the crontab), it is possible to check that the following items are working correctly:

- The snort process

- The snort output plugin (for example, the delivery of automatic alert mails)

- The SPAN (or mirroring) switch port. Usually, you configure the switch port where snort is connected so that it listens to the traffic of the other ports where the servers you are protecting are connected. But if anybody changes the configuration of the switch, or changes the ports the servers are connected to, you will no longer see all the traffic. Therefore, to check that the SPAN port is working correctly, with snortcheck you can send an ICMP echo-request packet with the IP and MAC addresses of the server whose port you want to monitor as destination addresses, and the IP address of the default gateway of the protected network plus a random MAC address as source addresses. Then you write a snort rule that generates an alert based on source IP / destination IP / ICMP echo-reply type. Since the destination MAC address of the packet is the same as the gateway's MAC address, the sensor will only see it if the source port (or destination port) is mirrored to the sensor's port. Knowing all the servers' MAC addresses, you can repeat this process if necessary to check every port that should be sniffed. NOTE: the switch port where snort is running needs to be enabled to send/receive packets.

Download: snortcheck.c

fsyslogd:

A high-performance remote syslog server for Unix.

Download: fsyslogd 0.4

tcpstatflow:

Usually, in every medium-size company network, there is a firewall connecting the corporate LAN/WAN to the Internet with a set of rules that only allows specific traffic, such as HTTP, HTTPS, FTP or POP3 / SMTP. A malicious internal user could take advantage of these open ports and use them to access other services (sending other protocols through them).

For example, he could set up an ssh server on the Internet listening on port 443, and configure the intranet ssh client to access that port. Such an arrangement makes it virtually impossible for any administrator to detect the real nature of the traffic. The same applies if there is a proxy providing Internet access to the LAN: by using tools like proxytunnel, it is possible to establish a connection to a server on the Internet without being detected.

tcpstatflow is a tool designed to fight these techniques by detecting traffic that is not HTTP / HTTPS / FTP / SMTP / POP3, with a reasonable margin of error. It is based on the fact that these protocols present a huge asymmetry between the amount of data transmitted in one direction and in the opposite one (within a single TCP connection).

As an example, consider HTTP requests: the browser sends a small packet with a GET command (and some extra overhead) and, as a response, receives a web page, an image, or a download. The same asymmetry takes place in reverse with SMTP: your mail client sends your composition, and a small ACK is sent back from the server. Asymmetry. Keep that in mind.

tcpstatflow listens to network traffic in promiscuous mode and analyzes the incoming and outgoing packets of each TCP connection, generating alarms when certain (configurable) thresholds are exceeded. These thresholds refer to parameters such as: number of incoming and outgoing packets per connection, number of incoming and outgoing bytes per connection, and connection elapsed time.

Download: tcpstatflow_v1.0.tgz

Download: tcpstatflow_v1.1.tgz

tac_plus_patched:

Patched free TACACS server, with support for Novell authentication (through LDAP), multiple LDAP servers, and NAS restriction per user.

Download: tac_plus_novell_acl_patched.tgz

crack_cisco.pl:

Telnet brute force script to crack cisco routers.

Download: crack_cisco.pl

Genpasswd.pl:

The genpasswd.pl password generator allows you to create random passwords that are highly secure and extremely difficult to crack or guess, thanks to an optional combination of lower-case and upper-case letters and numbers. It is also easy to change the number of characters of each type.

Download: genpasswd.pl

Scanudp:

This simple program, written in C for Linux, scans UDP ports on remote hosts, determining which UDP services they are offering. All the UDP scanners I tried work on the following principle:

UDP datagram -> Closed Port -> ICMP Port Unreachable

UDP datagram -> Open Port -> No Reply (or application dependent)

But if the scanned devices are behind a firewall, all the ports will seem open. So what scanudp does is send "protocol-dependent packets" and wait for the application's response. To add new protocol-dependent packets, simply modify the port variable array.

Download: scanudp.c

Download: scanudp_v2.tgz

Tunnelshell:

It's a program written in C for Linux users that works with a client-server paradigm. The server opens a /bin/sh that clients can access through a virtual tunnel. The following tunnels are supported:

frag: It uses IPv4 fragmented packets to encapsulate data. When some routers and firewalls (like Cisco routers and a default Linux installation) receive fragmented packets without a layer-four header, they let them pass even if they have a rule that denies them. You can select the layer-four protocol with the -o flag.

tcp: It establishes a virtual TCP connection without using the three-way handshake (useful when you have a router with ACLs or a Linux server with ipchains). Go to http://www.securiteam.com/securityreviews/5OP0P156AE.html for more info. It doesn't bind any port, so you can use a port already used by another process.

udp: Standard UDP packets. It doesn't bind any port either, so you can use a port already used by another process (for example DNS).

icmp: Standard ICMP tunnel (echo-request/echo-reply).

ip: Raw IPv4 packets; you can specify the layer-four protocol with the -o flag. Useful if IPsec is enabled between servers.

Because packets are not sequenced, you can use the -d flag to make sure they are received in order. Lost packets are not handled (for now...).

Download: tunnelshell_2.3.tgz



Mod_tunnel:

This module acts as an ICMP proxy for echo/echo-reply packets at kernel level, preventing ICMP tunnels through firewalls or direct connections to a server.

Download: mod_icmp.c


Frag:

Fragmented ICMP packet generator.

Download: frag.c


Tcpflood:

TCP flood generator (SYN flood/ESTABLISHED flood/HTTP flood).

Download: tcpflood.c


e-mail: fryxar@yahoo.com.ar