
Thread: jaqadss (just another quick and dirty shared script): intruders

  1. #1 roybatty (Junior Member; joined Jan 2010; Location: Tannhauser Gate; 55 posts)

    jaqadss (just another quick and dirty shared script): intruders

    I'm a bit paranoid, especially while running bt as root as my main OS. So I coded a horrid and dirty script in order to take care of unwanted visitors. Tested with bt4f English. Try ./aikido -h

    Code:
    #!/bin/bash
    #based on a script by I.Verges
    #made by prowl3r
    
    #declare arrays
    declare -a WHITE_IPS
    declare -a WHITE_MACS
    
    #set here (known) white ips (include the router one). No need to include local IP.
    WHITE_IPS=( "192.168.1.1" "192.168.1.2" "192.168.1.3" )
    
    #set here (known) white macs: six octets, lower case, as arp prints them.
    WHITE_MACS=( "00:11:22:33:44:55" "00:22:33:44:55:66" )
    
    #Network interface (eth0, wlan0, ra0)
    DEVICE="eth0"
    
    #network mask (24=255.255.255.0, 16=255.255.0.0)
    MASK=24
    
    #where findings get logged
    LOG="/root/aikido.log"
    
    #help
    for opt in "$@"; do
        if [ "$opt" = "-h" ]; then
            echo ""
            echo "aikido dirty script by prowl3r for those bt4f paranoids"
            echo ""
            echo "Create the daemon: 'crontab -e' and then add the following line:"
            echo "*/5 * * * * /path-to-aikido/aikido"
            echo "(execute every 5 minutes)"
            echo ""
            echo "Start cron just for this session: /etc/init.d/cron start"
            echo "update-rc.d cron defaults (to start cron at boot time)"
            echo ""
            echo "Don't forget to set execution rights and run as root. English lang required"
            echo ""
            echo "To remove, edit crontab and delete the aikido line"
            echo ""
            echo "It looks for connected hosts and records IP (and MAC if available)."
            echo "Then it confirms it's a known IP, otherwise it nmaps it and prompts for further actions."
            echo "Please, add your interface as well as known IPs and MACs by editing the script."
            echo ""
            echo "Use: ./aikido"
            echo "Options:"
            echo "    -h Show this help stuff"
            exit 0
        fi
    done
    
    #obtain local ip (English ifconfig prints "inet addr:192.168.1.5  Bcast:...")
    ip=$(/sbin/ifconfig "$DEVICE" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
    if [ -z "$ip" ]; then
        echo "aikido: no IPv4 address found on $DEVICE" >&2
        exit 1
    fi
    #add local ip to array
    WHITE_IPS+=( "$ip" )
    
    #ping sweep the local network; grepable output goes to "-" (standard output)
    #and is kept in HOST_IPS, one "Host: <ip> (<name>)  Status: Up" line per live host
    HOST_IPS=$(/usr/bin/nmap -sP "$ip/$MASK" -oG -)
    
    #keep only the ip of every live host, one per line
    IPS=$(echo "$HOST_IPS" | awk '$1 == "Host:" && /Status: Up/ {print $2}')
    
    #allow access to X from crontab
    export DISPLAY=:0
    export XAUTHORITY="$HOME/.Xauthority"
    
    #search loop, one live host per iteration
    for adds in $IPS; do
        SKIP_LOOP=0
        for i in "${WHITE_IPS[@]}"; do
            if [ "$i" = "$adds" ]; then
                SKIP_LOOP=1
                break
            fi
        done
        if [ "$SKIP_LOOP" = "1" ]; then
            continue
        fi
        #obtain mac from the arp cache (-n: no reverse dns). A cached entry looks like
        #"? (192.168.1.7) at 00:11:22:33:44:55 [ether] on eth0"; a missing one prints
        #"no match found" or "<incomplete>", which leaves MAC empty
        MAC=$(/usr/sbin/arp -an "$adds" | awk '$3 == "at" && $4 ~ /^[0-9a-fA-F:]+$/ {print tolower($4)}')
        if [ -z "$MAC" ]; then
            MAC="Not cached yet"
        fi
        
        for i in "${WHITE_MACS[@]}"; do
            if [ "$i" = "$MAC" ]; then
                SKIP_LOOP=1
                break
            fi
        done
        if [ "$SKIP_LOOP" = "1" ]; then
            continue
        fi
        
        #warn about intruder (real newlines, so the log stays readable too)
        WARNING=$(printf '%s\nHOST: %s\nARP: %s' "$(/bin/date --rfc-3339=seconds)" "$adds" "$MAC")
        QUESTION=$(printf '%s\n\n*** Is this a known host? ***\n\n .- OK: No action will be taken\n .- Cancel: Full scan and log details' "$WARNING")
        zenity --timeout 20 --title "aikido: Intruder detected" --question --text "$QUESTION"
    
        #zenity exit codes: 0 = OK, 1 = Cancel, 5 = timeout
        case $? in
            5)
                echo "$WARNING" >> "$LOG"
                echo "*** Logged due to dialog timeout / unattended computer ***" >> "$LOG"
                echo "--------------------------- x ---------------------------" >> "$LOG";;
            0)
                zenity --title "aikido: Known/safe IP notification" --info --text "Please add $adds to the whitelist by manually editing the aikido script, otherwise alerts will keep popping up at crontab execution.";;
            1)
                SCAN=$(/usr/bin/nmap -A -T5 "$adds")
                
                echo "$WARNING" >> "$LOG"
                echo "$SCAN" >> "$LOG"
                echo "--------------------------- x ---------------------------" >> "$LOG"
    
                zenity --width 400 --title "aikido: Preliminary actions taken" --info --text "$(printf 'Host and port/services scan details logged at %s\n\n%s\n\n%s' "$LOG" "$WARNING" "$SCAN")"
    
                a="Nah, I'll take care myself (keep alert showing)"
                b="Try to autopwn using fast-track"
                c="Block this host with iptables"
                d="Capture tcpdump session for this host"
    
                OPTION=$(zenity --width 380 --height 230 --title "aikido: Countermeasures" --list --text "Now for the fun part. What do you want to do?" --radiolist --column "Pick" --column "Action" TRUE "$a" FALSE "$b" FALSE "$c" FALSE "$d")
    
                case "$OPTION" in
                
                "$a") continue;;
                "$b") /opt/kde3/bin/konsole --vt_sz 80x40 -noclose --workdir /pentest/exploits/fasttrack/ -e sh -c "python fast-track.py -c 2 $adds -r";;
                "$c") /sbin/iptables -A INPUT -s "$adds" -j DROP
                    blocked=$(/sbin/iptables -L INPUT -n)
                    zenity --title "aikido: Blocked host notification" --info --text "$blocked";;
                "$d") #options before the filter expression; keep the pid so only this capture gets stopped
                    /usr/sbin/tcpdump -i "$DEVICE" -s 1500 -w "/root/$adds.pcap" host "$adds" &
                    TCPDUMP_PID=$!
                    zenity --title "aikido: Recording activity for host $adds" --info --text "$(printf '*** To stop tcpdump recording, just press OK ***\n\n(Use the following command to replay:\n\ntcpdump -r /root/%s.pcap)' "$adds")"
                    #SIGTERM, not -9, so tcpdump flushes its buffer and closes the pcap cleanly
                    kill "$TCPDUMP_PID";;
                    
                esac;;
        esac
    done
    I've seen things you people wouldn't believe.
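The discovery and whitelist logic of the script above, as an added example that is not part of the original post: the same three steps (parse the nmap -oG sweep, look the MAC up in the arp -an output, compare both against the whitelists) as functions that read the tool output as text, so the logic can be checked offline without root, nmap or a live network. Every address, hostname and MAC in the block is a constructed sample, and the interface name is an assumption.

```shell
#!/bin/sh
# Added example, not from roybatty's post: the host-discovery and whitelist
# checks of aikido as functions that read the tool output as text, so they
# can be exercised offline.  Every address, name and MAC below is a
# constructed sample, not a capture from a real network.

# IPs of hosts that answered the ping sweep, from `nmap -sP <net> -oG -`
# output on stdin: one "Host: <ip> (<name>)  Status: Up" line per live host.
up_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# Lower-cased MAC for $1 from `arp -an` output on stdin.  Prints nothing for
# a missing or "<incomplete>" entry, so an unknown MAC can never equal a
# whitelist entry by accident.
mac_for() {
    awk -v ip="($1)" '$2 == ip && $3 == "at" && $4 ~ /^[0-9a-fA-F:]+$/ { print tolower($4) }'
}

# Succeeds if $1 appears in the space-separated list $2.
in_list() {
    needle=$1
    for item in $2; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# Prints "<ip> <mac>" for every live host matching neither whitelist.
# $1 = nmap -oG text, $2 = arp -an text, $3 = white IPs, $4 = white MACs.
unknown_hosts() {
    printf '%s\n' "$1" | up_hosts | while read -r ip; do
        in_list "$ip" "$3" && continue
        mac=$(printf '%s\n' "$2" | mac_for "$ip")
        [ -n "$mac" ] && in_list "$mac" "$4" && continue
        printf '%s %s\n' "$ip" "${mac:-Not-cached-yet}"
    done
}

# --- constructed sample input (not real scan output) ----------------------
SWEEP='# Nmap ping sweep (constructed sample)
Host: 192.168.1.1 (router)  Status: Up
Host: 192.168.1.7 ()  Status: Up
Host: 192.168.1.9 ()  Status: Up
Host: 192.168.1.23 ()  Status: Up
# Nmap done: 256 IP addresses (4 hosts up) scanned'

ARP='? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.7) at AA:BB:CC:DD:EE:FF [ether] on eth0
? (192.168.1.9) at <incomplete> on eth0'

WHITE_IPS="192.168.1.1 192.168.1.2"
WHITE_MACS="aa:bb:cc:dd:ee:ff"

# 192.168.1.1 passes on IP, .7 passes on MAC (case-folded), .9 has an
# incomplete ARP entry and .23 none at all, so those two are reported.
unknown_hosts "$SWEEP" "$ARP" "$WHITE_IPS" "$WHITE_MACS"
```

The MAC whitelist is only as good as the ARP cache: a host that has not yet exchanged frames with you has no entry, and a host that wants to look like the router can simply claim the router's MAC, so a MAC match should lower the alarm, not switch it off.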

  2. #2 trellis (Guest)

    Re: jaqadss (just another quick and dirty shared script): intruders

    iptables -P INPUT DROP + selective allow anyone?

  3. #3 Gitsnik (Very good friend of the forum; joined Jan 2010; Location: The Crystal Wind; 851 posts)

    Re: jaqadss (just another quick and dirty shared script): intruders

    Quote Originally Posted by trellis:
    iptables -P INPUT DROP + selective allow anyone?
    That doesn't auto-audit them back.

    Any paranoid should be able to point out that there is a bit of an issue with counter-scanning someone who shows up on the network, so you have to be careful, but other than that I only have one inquiry:
    Code:
    echo "aikido dirty script by prowl3r for those bt4f paranoids"
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
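The default-deny approach trellis suggests in #2, as an added example that is not code from the thread: an iptables-restore ruleset built from a whitelist, with a rate-limited LOG rule in front of the final DROP so the hosts that get refused still leave a trail in the kernel log (the "audit them back" part Gitsnik asks about; the second function pulls those source addresses out of the log so they can be handed to a scan like the script's). Interface name, addresses and the log lines are assumptions and constructed samples; nothing is loaded into the kernel by the block itself.

```shell
#!/bin/sh
# Added example, not code from the thread: "iptables -P INPUT DROP plus
# selective allow" as an iptables-restore ruleset built from a whitelist,
# with a rate-limited LOG rule ahead of the final DROP so refused hosts show
# up in the kernel log.  Interface, addresses and the KLOG lines below are
# assumptions / constructed samples; nothing here touches the kernel.

# $1 = space-separated trusted IPs, $2 = interface.  Emits iptables-restore text.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # default deny inbound
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections we opened ourselves (the nmap sweep, updates, ...)
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for ip in $1; do
        printf '%s\n' "-A INPUT -i $2 -s $ip -j ACCEPT"
    done
    # log what gets refused, rate-limited so a scanner cannot flood the log
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "aikido-drop: "'
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Distinct source addresses from kernel log lines tagged by that LOG rule
# (read from stdin): the hosts that knocked and were refused.
dropped_sources() {
    grep 'aikido-drop:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# Constructed sample of what `dmesg` would show after the rules are loaded;
# not real log output.
KLOG='[ 1234.5] aikido-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.23 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
[ 1234.6] aikido-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.23 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=51235 DPT=80 SYN
[ 1240.1] aikido-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.9 DST=192.168.1.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0'

build_ruleset "192.168.1.1 192.168.1.2" eth0   # pipe into iptables-restore to apply
printf '%s\n' "$KLOG" | dropped_sources        # 192.168.1.23 and 192.168.1.9
```

Apply with `build_ruleset "<ips>" eth0 | iptables-restore` and check with `iptables -L INPUT -vn`; the ESTABLISHED,RELATED rule is what keeps your own sessions (and the script's nmap sweep) working once the policy is DROP. Like the script's whitelist, a source-IP allow rule is only a speed bump on a LAN where anyone can pick their own address.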

  4. #4 roybatty (Junior Member; joined Jan 2010; Location: Tannhauser Gate; 55 posts)

    Re: jaqadss (just another quick and dirty shared script): intruders

    Quote Originally Posted by Gitsnik:
    but other than that I only have one inquiry:
    Code:
    echo "aikido dirty script by prowl3r for those bt4f paranoids"
    Bah, try to ignore us punk kids; we're all trying to sound cool and make a name for ourselves.
    C'mon Gitsnik, that's an easy one. Nice to see ya here.

    (BTW, I do know your eyes hurt after reading the script)
    I've seen things you people wouldn't believe.

  5. #5 Gitsnik (Very good friend of the forum; joined Jan 2010; Location: The Crystal Wind; 851 posts)

    Re: jaqadss (just another quick and dirty shared script): intruders

    Quote Originally Posted by roybatty:
    C'mon Gitsnik, that's an easy one. Nice to see ya here.
    Some things need to be looked into just to be certain.

    (BTW, I do know your eyes hurt after reading the script)
    It's actually not that bad (well, I didn't gag :P). I might have gone a different way with some structure and flow ideas, and I'm more of a non-interactive kind of analyst (I would have forked the 4 counter-measure options and done them all at once, tcpdump first in case one wants to analyse the packets later on). But other than that, it looks great and I look forward to actually trying it out rather than pulling it apart and checking the man pages on commands I don't know.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
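The unattended variant Gitsnik describes, as an added example that is neither his code nor the script's: the capture starts first so the block and the scan are both on record, the block goes in before the scan so the host is already cut off while nmap pokes at it, and the capture is stopped last with SIGTERM rather than kill -9 so tcpdump flushes and closes the pcap cleanly. The autopwn option is deliberately left out (see the counter-scanning caveat in #3). The log layout, the directory and the nmap timing are assumptions; tcpdump, iptables and nmap are whatever is on PATH when it runs.

```shell
#!/bin/sh
# Added example, not Gitsnik's or the script's code: an unattended response
# in the order he suggests.  Capture first, block second, scan third, and
# the capture is stopped last with SIGTERM (not kill -9) so tcpdump flushes
# and closes the pcap.  Autopwn is left out on purpose.  Log layout and
# paths are assumptions; tcpdump, iptables and nmap are resolved on PATH.

# Append a timestamped line to the log file $1; the rest is the message.
note() {
    f=$1; shift
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$f"
}

# $1 = intruder IP, $2 = interface, $3 = directory for aikido.log and the pcap.
# Prints the path of the log when done.
respond() {
    host=$1; dev=$2; dir=$3
    log="$dir/aikido.log"
    pcap="$dir/$host.pcap"

    # 1. capture first; keep the pid so only this capture is stopped later
    tcpdump -i "$dev" -s 1500 -w "$pcap" host "$host" &
    cap=$!
    note "$log" "CAPTURE started for $host -> $pcap (pid $cap)"

    # 2. cut the host off before poking at it
    if iptables -A INPUT -s "$host" -j DROP; then
        note "$log" "BLOCK $host dropped on INPUT"
    else
        note "$log" "BLOCK $host failed (not root?)"
    fi

    # 3. fingerprint it; nmap output lands in the same log
    note "$log" "SCAN $host begins"
    nmap -A -T4 "$host" >> "$log" 2>&1 || note "$log" "SCAN $host failed"
    note "$log" "SCAN $host ends"

    # 4. stop the capture gracefully and wait for it to close the file
    kill "$cap" 2>/dev/null || true
    wait "$cap" 2>/dev/null || true
    note "$log" "CAPTURE stopped for $host -> $pcap"
    printf '%s\n' "$log"
}

# usage (needs root and the real tools): respond 192.168.1.23 eth0 /root
```

Dropped from the script's interactive flow is the 20-second zenity timeout: on an unattended box nothing waits for a click, and everything the script would have shown in a dialog is in the log and the pcap instead.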

  6. #6

    Re: jaqadss (just another quick and dirty shared script): intruders

    You are the pentester; you shouldn't worry about being pentested!

    but who knows

    good script

  7. #7 Junior Member (joined Jan 2010; 36 posts)

    Re: jaqadss (just another quick and dirty shared script): intruders

    You are the pentester; you shouldn't worry about being pentested!
    And if you're a good pentester, you should always be worried about that.
