I'm a bit paranoid, especially while running bt as root as my main OS. So I coded a horrid and dirty script in order to take care of unwanted visitors. Tested with bt4f English. Try ./aikido -h
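#!/bin/bash
# aikido - cron-driven LAN watcher.
# Sweeps the local network with nmap, compares every host that is up with a
# whitelist of IPs/MACs and raises a zenity dialog for anything unknown.
# Meant to be run as root from crontab (see -h). Logs go to $LOG_FILE.
#based on a script by I.Verges
#made by prowl3r

# -e is deliberately left off: zenity exit codes are inspected explicitly below.
set -uo pipefail

#set here (known) white ips (include the router one). No need to include local IP.
# The first entry is also the address the nmap sweep is anchored on (${WHITE_IPS[0]}/$MASK).
WHITE_IPS=( "192.168.1.1" "192.168.1.2" "192.168.1.3" )
#set here (known) white macs (upper or lower case both match).
# NOTE: the second sample entry has only five octets and can never match; replace the samples with real MACs.
WHITE_MACS=( "00:11:22:33:44:55" "22:33:44:55:66" )
#Network interface (eth0, wlan0, ra0)
readonly DEVICE="eth0"
#network mask (24=255.255.255.0, 16=255.255.0.0)
readonly MASK=24
readonly LOG_FILE="/root/aikido.log"
readonly SEPARATOR="--------------------------- x ---------------------------"

#######################################
# Print the help text (shown for -h) and exit 0.
#######################################
usage() {
  cat <<'EOF'

aikido dirty script by prowl3r for those bt4f paranoids

Create the daemon: 'crontab -e' and then add the following line:
*/5 * * * * /path-to-aikido/aikido
(execute every 5 minutes)

Start cron just for this session: /etc/init.d/cron start
update-rc.d cron defaults (to start cron at boot time)

Dont forget to set execution rights and run as root. English lang required

To remove, edit crontab and delete aikido line

It looks for connected hosts and records IP (and MAC if available).
Then confirms it's a known IP, otherwise it nmap it and prompts for further actions.
Please, add your interface as well as known IPs and MACs by editing the script.

Use: ./aikido
Options:
 -h Show this help stuff
EOF
  exit 0
}

#######################################
# Local IPv4 address of $DEVICE, or nothing if ifconfig shows none.
# Only the "inet" line is used (the old 'grep inet' also matched "inet6",
# which put two addresses in the variable). Handles both the old
# "inet addr:1.2.3.4" and the new "inet 1.2.3.4" ifconfig formats.
# Outputs: the address on stdout
#######################################
local_ip() {
  LC_ALL=C /sbin/ifconfig "$DEVICE" \
    | awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

#######################################
# Hosts that are up in the sweep range, one IPv4 per line.
# Uses nmap greppable output ("Host: 1.2.3.4 (name) Status: Up"); taking
# field 2 replaces the old fixed 'cut -c 7-20', which truncated 15-char
# addresses such as 192.168.100.200.
# Globals:   WHITE_IPS (read), MASK (read)
# Outputs:   addresses on stdout
#######################################
live_hosts() {
  /usr/bin/nmap -sP "${WHITE_IPS[0]}/$MASK" -oG - | awk '/^Host:/ { print $2 }'
}

#######################################
# Case-insensitive membership test (whitelist MACs may be typed in either case).
# Arguments: $1 - value to look for; $2.. - list entries
# Returns:   0 when found, 1 otherwise
#######################################
in_list() {
  local needle entry
  needle=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  shift
  for entry in "$@"; do
    [ "$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')" = "$needle" ] && return 0
  done
  return 1
}

#######################################
# MAC address cached in the ARP table for $1, or "Not cached yet".
# Only a line of the form "... (ip) at MAC [ether] on dev" carries a MAC;
# both the old "arp: in N entries no match found." and the newer
# "ip (ip) -- no entry" messages lack the " at " marker.
# Arguments: $1 - IPv4 address
# Outputs:   the MAC (or the placeholder) on stdout, no trailing newline
#######################################
host_mac() {
  local arp_out
  arp_out=$(LC_ALL=C /usr/sbin/arp -a "$1" 2>&1)
  if [[ "$arp_out" == *" at "* ]]; then
    printf '%s' "$arp_out" | awk '{ print $4; exit }'
  else
    printf '%s' "Not cached yet"
  fi
}

#######################################
# Append an entry to the log: the warning (its literal "\n" separators are
# expanded here, so the log no longer contains backslash-n), any extra lines
# given verbatim, then the separator.
# Globals:   LOG_FILE, SEPARATOR (read)
# Arguments: $1 - warning text; $2.. - extra lines (e.g. a scan report)
#######################################
log_entry() {
  local warning=$1
  shift
  {
    printf '%b\n' "$warning"
    # %s (not %b): scan output may contain backslashes of its own
    [ $# -gt 0 ] && printf '%s\n' "$@"
    printf '%s\n' "$SEPARATOR"
  } >> "$LOG_FILE"
}

#######################################
# Warn about an unknown host and, depending on the answer, log it, scan it
# and offer the countermeasures menu.
# Globals:   DEVICE, LOG_FILE (read)
# Arguments: $1 - IPv4 address; $2 - MAC or "Not cached yet"
#######################################
handle_intruder() {
  local adds=$1 mac=$2
  local warning rc scan option pcap dump_pid
  local keep="Nah, I'll take care myself (keep alert showing)"
  local pwn="Try to autopwn using fast-track"
  local block="Block this host with iptables"
  local capture="Capture tcpdump session for this host"

  # the "\n" sequences are kept literal on purpose: zenity expands them in --text
  warning="$(/bin/date --rfc-3339=seconds) \n HOST: $adds \n ARP: $mac"
  rc=0
  zenity --timeout 20 --title "aikido: Intruder detected" --question \
    --text "$warning \n\n*** Is this a known host? *** \n\n .- OK: No action will be taken \n .- Cancel: Full scan and log details" \
    || rc=$?
  case "$rc" in
    5)
      # dialog timed out: nobody at the console, so only record it
      log_entry "$warning" "*** Logged due to dialog timeout / unattended computer ***"
      ;;
    0)
      zenity --title "aikido: Known/safe IP notification" --info \
        --text "\n\nPlease add $adds to the whitelist by manually editing the aikido script, otherwise alerts will keep popping up at crontab execution."
      ;;
    1)
      scan=$(/usr/bin/nmap -A -T5 "$adds")
      log_entry "$warning" "$scan"
      zenity --width 400 --title "aikido: Preliminary actions taken" --info \
        --text "Host and port/services scan details logged at $LOG_FILE \n\n$warning \n\n$scan"
      option=$(zenity --width 380 --height 230 --title "aikido: Countermeasures" --list \
        --text "Now for the fun part. What you wanna do?" --radiolist \
        --column "Pick" --column "Action" \
        TRUE "$keep" FALSE "$pwn" FALSE "$block" FALSE "$capture")
      case "$option" in
        "$keep")
          # nothing to do: the alert is raised again on the next cron run
          ;;
        "$pwn")
          # unchanged from the original script; $adds is a validated dotted-quad
          /opt/kde3/bin/konsole --vt_sz 80x40 -noclose --workdir /pentest/exploits/fasttrack/ \
            -e sh -c " python fast-track.py -c 2 $adds -r "
          ;;
        "$block")
          # -A appends unconditionally: picking this twice adds a duplicate rule,
          # and the rule does not survive a reboot
          /sbin/iptables -A INPUT -s "$adds" -j DROP
          zenity --title "aikido: Blocked host notification" --info --text "$(/sbin/iptables -L)"
          ;;
        "$capture")
          pcap="/root/$adds.pcap"
          /usr/sbin/tcpdump -i "$DEVICE" host "$adds" -s 1500 -w "$pcap" &
          dump_pid=$!
          zenity --title "aikido: Recording activity for host $adds" --info \
            --text "\n\n *** To stop tcpdump recording, just press OK *** \n\n(Use the following command to replay: \n\ntcpdump -r $pcap)"
          # TERM our own capture by PID so it flushes and closes the pcap;
          # 'killall -9 tcpdump' killed every tcpdump on the box and could
          # leave the file truncated
          kill "$dump_pid" 2>/dev/null
          wait "$dump_pid" 2>/dev/null
          ;;
      esac
      ;;
  esac
}

#######################################
# Entry point: handle -h, build the whitelist, sweep and check each host.
# Globals:   WHITE_IPS (written: local IP appended), WHITE_MACS (read),
#            DISPLAY, XAUTHORITY (exported for zenity under cron)
# Arguments: the command line
#######################################
main() {
  local opt local_addr adds mac
  local ipv4_re='^[0-9]+(\.[0-9]+){3}$'

  #help
  for opt in "$@"; do
    [ "$opt" = "-h" ] && usage
  done

  #add local ip to array so the machine itself never triggers an alert
  local_addr=$(local_ip)
  [ -n "$local_addr" ] && WHITE_IPS+=("$local_addr")

  #allow access to X from crontab
  export DISPLAY=:0
  export XAUTHORITY="${HOME:-/root}/.Xauthority"

  #search loop: one address per line from nmap; nothing found means no iterations
  while IFS= read -r adds; do
    # only dotted-quads pass: the address is later used in file names and
    # command lines, so anything else from the scanner output is dropped
    [[ "$adds" =~ $ipv4_re ]] || continue
    in_list "$adds" "${WHITE_IPS[@]}" && continue
    #obtain mac (may be the "Not cached yet" placeholder)
    mac=$(host_mac "$adds")
    in_list "$mac" "${WHITE_MACS[@]}" && continue
    #warn about intruder; stdin detached so the dialogs/tools don't inherit the nmap pipe
    handle_intruder "$adds" "$mac" </dev/null
  done < <(live_hosts)
}

main "$@"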


