# -*- coding: utf-8 -*-
import logging,os,ctypes,sys,argparse,time,re
from subprocess import *
from datetime import datetime
from pkgutil import iter_modules
import pkg_resources
#ReconInformer v1.3 Copyright (c) MIT License
#By John Page (aka hyp3rlinx)
#ApparitionSec
#hyp3rlinx.altervista.org
#twitter.com/hyp3rlinx
#PoC Video URL: https://www.youtube.com/watch?v=XM-G9Udbphc
#==========================================================
#Feb 15, 2021
#v1.3 added: using -t flag we can process packets from a specific inbound IP address of interest.
#v1.3 added timestamp for the detection results in console output window.
#v1.3 fix: utf-8 directive, for encoding error encountered in some older versions of Python.
#v1.3 fix: check for where window size is not relevant for UDP packets to prevent errors.
#v1.3 removed: script name in console window title to view CL arguments.
#v1.3 suppressed: output for fragmented packets that don't show any useful info.
#For best realtime console output call ReconInformer using python -u ReconInformer.py <args>...
#
#Recon Informer is a basic real-time anti-reconnaissance (nmap) detection tool for offensive
#security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.
#
#Purpose:
#Recon-Informer is NOT meant for protecting public facing or lan critical enterprise systems whatsoever.
#Its purpose is to detect possible recon against our attacker system on a LAN, to provide us with defensive intel.
#Therefore, this script is most useful for basic short-term defensive visibility.
#
#Features:
#Attempt to detect and identify typical port scans generated using Nmap including scan type.
#-sS, -sC, -F, -sR, -sT, -sA, -sW, -sN, -sF, -sX, -sM, -sZ, -sY, -sO, -sV, -sP, -sn, -f (fragment scan), -D (Decoy).
#
#FYI, scans such as FIN don't work well against Windows, and firewalls can make scans return incorrect results.
#XMAS scans work against systems following RFC 793 for TCP/IP and don't work against any Windows versions;
#NULL is another type that doesn't work well on Windows.
#
#However, Fin, Null and Xmas scans can work on Linux machines. Therefore, Recon-Informer checks the OS
#its run on and reports on scans that affect that OS, unless the -s "scan_type" flag is supplied.
#With -s flag you can add extra scan types to detect that otherwise would be ignored.
#
#PING SWEEP (-sP, -sn, -sn -PY, -sY -PY) disabled by default.
#Not enabled by default, as most Nmap scans begin with an ARP who-has request; when using the -p flag you
#will see this detection preceding most scans. Also, you may see (noise) non-reconnaissance related ARP
#requests or even ones resulting from your own ICMP pings. This exclusive detection may fail if a scan uses the -Pn flag.
#
#ICMP
#Note: If nmap --disable-arp-ping flag is supplied for the scan it will be detected as ICMP ping.
#
#BLOCK -b blocks offending IP(s). The default is no blocking, because packets can be spoofed and a forged
#source address would then get a legitimate host blocked (DoS).
#Firewall rules for blocks are in-bound "ANY" but still allow out-bound traffic.
#FW rules are named like ReconInformer_<HOST-IP>.
#
#DELETE FW RULE -d <IP-ADDR> to remove FW rules for blocked hosts.
#
#WHITELIST -w HOST-IP(s) you never want to block on.
#
#FILTER DEST PORTS -f (filter_dst_port) cut down noisy ports like TCP 2869, NetBIOs 137 etc.
#ignore packets destined for specific ports to try reduce false positive probe alerts.
#
#IGNORE HOST -n don't process packets from specific hosts, e.g. intranet-apps, printers and ACKS
#from SMB connected shares to try reduce false positives.
#
#LOG -l flag, default size limit for writing to disk is 1MB.
#
#UDP protocol is ignored by default to try reduce false positives from sources like NetBIOS, SNMP etc.
#To detect UDP scans use the -u flag, then can also combine with -f port filter
#(reduce noise) on specific dest ports like 137,161,1900,2869,7680.
#
#PCAP saving -s flag, default size limit is also 1MB.
#
#RESTORE CONSOLE -r focus the console window (Win OS) if console is minimized on port scan detect.
#
#Private Network range:
#Wrote this for basic LAN visibility for my attacker machine, packets from public IP ranges are ignored.
#
#BYPASS examples --scanflags and custom packet window sizes:
#Recon-Informer does not try to detect every case of --scanflags or specially crafted packets.
#
#These scans can bypass Recon-Informer and correctly report open ports found.
#nmap -n -Pn -sS --scanflags PSHSYN x.x.x.x -p139
#nmap -P0 -T4 -sS --scanflags=SYNPSH x.x.x.x
#
#Therefore, I accounted for some of these in Recon-Informer to report these detections.
#
#SCANFLAGS
#nmap -P0 -T4 -sS --scanflags=SYNURG x.x.x.x -p139 (returns correct)
#nmap -P0 -T4 -sS --scanflags=PSHSYNURG x.x.x.x -p21-445 (returns correct)
#nmap -P0 -T4 -sS --scanflags=ECE x.x.x.x shows up as NULL scan (nothing useful returned)
#nmap -n -Pn -sS --scanflags 0x42 x.x.x.x -p139 (useful)
#nmap -n -Pn -sS --scanflags=SYNPSH x.x.x.x -p135 (useful)
#
#The above scanflag examples, would have bypassed detection if we didn't check packets for them.
#Useful scanflags that return open ports and bypassed Recon-Informer prior to scanflag checks:
#
#10=(0x00a) SYNPSH
#34= (0x22) SYNURG
#42=(0x02a) SYNPSHURG
#66 (0x42) SYNECN
#74 (0x04a) SYNPSHECN
#98 (0x062) SYNURGECN
#106 (0x06a) SYNPSHURGECN
#130 (0x082) SYNCWR
#138 (0x08a) SYNPSHCWR
#162 (0x0a2) SYNURGCWR
#170 (0x0aa) SYNPSHURGCWR
#194 (0x0c2) SYNECNCWR
#202 (0x0ca) SYNPSHECNCWR
#226 (0x0e2) SYNURGECNCWR
#234 (0x0ea) SYNPSHURGECNCWR
#
#Custom packet window size from 1024 typical of Nmap SYN scans to a size of 666 for the bypass!.
#ip=IP(dst="192.168.1.104")
#syn=TCP(sport=54030,dport=139,window=666,flags="S")
#send(ip/syn)
#
#Custom packet tests were tested on Kali to Win7/10 machines.
#Recon-Informer tries to inform about the most typical out-of-the-box types of scans.
#
#Service scans -A detection:
#nmap -n -Pn -T4 -A x.x.x.x -p22
#If we scan from Kali Linux to Windows machine port 23 using -A we see SYN followed by XMAS
#also we see an immediate high port of like 30000 or more.
#
#But scanning Windows ports 135 - 139 we see FSPU flags set so we can be fairly confident
#it is a Service scan -A also it usually is followed by scanning high ports of 30000 or greater.
#
#However, I found that an easier way to pick up service -A scans is checking the window size.
#If the window size is 65535 we can be fairly certain its a service -A scan.
#Sometimes -A scan seems only to be detected when certain ports are hit.
#
#Example, Windows ports 135,139 or Kali Linux ports 1, 22 etc...
#If not targeting port 135/139 (windows) -A detect may get missed.
#Testing on newest nmap on Kali seemed to be easier to detect -A scan on ports other than 135/139.
#Anyway, added this to try get more intel about possible incoming probes.
#
#DECOY SCAN -D detection set to a threshold of two or more ip-addresses.
#
#Examples:
#capture TCP packets only, restores console on detection, detect ping sweep and ICMP
#Recon-Informer.py -i <ATTACKER-BOX> -r -p
#
#capture UDP, whitelist ips, block, log, restore console, save pcap, detect XMAS,NULL on Win OS box.
#Recon-Informer.py -i <ATTACKER-BOX> -u -w -b -l -r -a -s X,N
#
#capture UDP, filter ports, whitelist ips, block and deletes a previous FW rule
#Recon-Informer.py -i <ATTACKER-BOX> -u -f 137,161 -w -b -d <HOST-IP>
#
#ignore specific hosts for whatever reason you may have
#Recon-Informer.py -i <ATTACKER-BOX> -n host1, host2
#
#capture TCP packets block all offending hosts (in-bound only) on detection, filter port 7680 MS WUDO
#Recon-Informer.py -i <ATTACKER-BOX> -b -f 7680
#
#Dependencies:
#npcap or winpcap, scapy, clint.
#
#Tested Win7/10/Linux/Kali - Wired Ethernet LAN and Wifi networks.
#
#Scapy Errors:
#If you get the scapy runtime error "NameError: global name 'log_runtime' is not defined on scapy"
#OR you get "ImportError: cannot import name NPCAP_PATH"
#Download the latest https://github.com/secdev/scapy
#These were bugs in scapy that have been fixed in 2.4.3.
#
#========================================================================================
#Packet window size tests:
#
#CONNECT -sT scan window size anomalies and example of port detection bypass.
#Whats nice about detecting CONNECT scans is if someone does a telnet x.x.x.x <port> it
#should also get flagged by Recon-Informer. FYI, if SYN scan is run as non-root user
#it becomes CONNECT scan.
#
#1) Custom scapy CONNECT scan from Kali to Win7/Win10 box with SYN flag set window size is 8192
#2) Nmap -sT CONNECT Win10 to Win7 used window size of 64240
#3) Nmap -sT CONNECT i686 i386 GNU/Linux box with Nmap v4.11 to Win7/Win10 had window size 5840
#4) Nmap -sT CONNECT Kali to Win7/Win10 used window size of 29200
#5) Nmap -sT CONNECT Win7 to Win10 also window size was 8192 as in case 1)
#
#Nmap versions 4.11, 7.70 and 7.80 were used for port scan testing:
#However, we may not be able to catch them all, like when custom window size is used.
#
#False positives:
#Some ports (MS UPNP Host port 2869) as they show up as CONNECT or MAIMON
#scans on some noisy networks. HTTP GET requests can also be flagged as CONNECT scans.
#TCP source port 443 can also get picked up from web browsers or webapps.
#=======================================================================================
#
#VM and NAT setups:
#
#TEST -sZ COOKIE_ECHO:
#1) Kali to Win (NAT) we see 3-way handshake and no SCTP packets
#2) Win to Win 10. range we see the SCTP packets
#
#TEST -sT CONNECT
#1) Win to Win 10.x.x.x range we see correct packets in wireshark
#SYN packet with a large amount of TCP options
#
#If NAT mode is used on the VM, the machine may perform the 3-way handshake.
#Recon-Informer may then report SYN scans as CONNECT scans, as they become ambiguous.
#
#
#DISCLAIMER:
#Author is NOT responsible for any damages whatsoever by using this software,
#by using Recon Informer you assume and accept all risk implied or otherwise.
#=======================================================================================
# ASCII-art start-up banner; the __main__ block prints it once via colored.red(BANNER).
# NOTE(review): this is a normal (non-raw) string containing backslashes such as "\_";
# Python keeps them literally but newer interpreters warn about invalid escape sequences.
BANNER="""
____ ____ ____
/ __ \___ _________ ____ / _/___ / __/___ _________ ___ ___ _____
/ /_/ / _ \/ ___/ __ \/ __ \ / // __ \/ /_/ __ \/ ___/ __ `__ \/ _ \/ ___/
/ _, _/ __/ /__/ /_/ / / / / _/ // / / / __/ /_/ / / / / / / / / __/ /
/_/ |_|\___/\___/\____/_/ /_/ /___/_/ /_/_/ \____/_/ /_/ /_/ /_/\___/_/
v1.3
Intel for offensive systems
---------------------------
By Hyp3rlinx
ApparitionSec
"""
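# Module-level state shared by the functions below (most of them rebind it via `global`).
local_ip_address=""                 # address given with -i; packets to other hosts are ignored
only_this_ip=""                     # optional single source of interest (-t)
OS="win32"                          # main() switches this to "Linux" on non-Windows platforms
whitelist_conf="Recon-Whitelist.txt"
ip_whitelist=set()                  # hosts that must never be blocked (-w)
attacker_ip_set=set()               # distinct sources seen, used for the -D decoy heuristic

# Private (RFC 1918) address patterns. These gate which addresses may reach the firewall
# commands, so they are strict: raw strings, every dot escaped, each octet limited to
# 0-255 without leading zeros, and \Z instead of $ so a trailing newline is not accepted.
# The names are historical: priv24 covers 10.0.0.0/8, priv20 covers 192.168.0.0/16 and
# priv16 covers 172.16.0.0/12.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
priv24 = re.compile(r"^10\." + _OCTET + r"\." + _OCTET + r"\." + _OCTET + r"\Z")
priv20 = re.compile(r"^192\.168\." + _OCTET + r"\." + _OCTET + r"\Z")
priv16 = re.compile(r"^172\.(1[6-9]|2[0-9]|3[0-1])\." + _OCTET + r"\." + _OCTET + r"\Z")

recon_log="ReconLog.txt"
pcap_file="ReconPcap.pcap"
max_log_sz=1024.0 #Log and pcap size limit in KiB (1MB), compared against getsize()
service_scan_win_sz=65535 #Detect -A scan
ip_proto_scan_lst=[] #Detect -sO scan
scan_detect_lst=[] #Deal with OS and scans like FIN,NUL,XMAS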
#Enforce run as admin.
def isAdmin():
    """Stop the program unless it is running with root/administrator rights.

    The POSIX check (effective uid 0) is tried first; where os.getuid does not
    exist the Windows shell API is asked instead.
    """
    try:
        elevated = os.getuid() == 0
    except AttributeError:
        # No os.getuid on this platform: fall back to the Windows check.
        elevated = ctypes.windll.shell32.IsUserAnAdmin() != 0
    if elevated:
        return
    print("[!] Run me from an elevated command line.")
    exit()
#Check FW rules exist.
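def getFirewall_rules(IP):
    """Report whether a firewall rule that mentions address *IP* already exists.

    On Windows (OS == "win32") the ReconInformer_<IP> rule is queried with netsh;
    on other systems the iptables INPUT chain is listed. The captured output is
    then searched for the address.

    Args:
        IP: dotted IPv4 address as text. Inside this function the name hides
            scapy's IP layer class.

    Returns:
        True when the address appears in the command output, otherwise False
        (also when the command could not be run).
    """
    global OS
    try:
        # Argument vectors instead of one shell string: the address can originate
        # from captured traffic or from the command line, and must never be
        # interpreted by a shell.
        if OS == "win32":
            cmd = ["netsh", "advfirewall", "firewall", "show", "rule",
                   "name=ReconInformer_" + IP, "verbose"]
        else:
            cmd = ["iptables", "-L", "INPUT", "-v", "-n"]
        proc = Popen(cmd, stderr=PIPE, stdout=PIPE)
        output, _errors = proc.communicate()
        # communicate() yields bytes on Python 3; a str-in-bytes test raises
        # TypeError, which the old blanket except turned into a constant False.
        if isinstance(output, bytes):
            output = output.decode("utf-8", "replace")
        # Match the whole address so 10.0.0.1 is not "found" inside 10.0.0.11.
        pattern = r"(?<![0-9.])" + re.escape(IP) + r"(?![0-9.])"
        return re.search(pattern, output) is not None
    except Exception:
        # Best effort, as before: an unreadable rule set is reported as "no rule".
        return False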
#Block IP in-bound, allow out.
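def firewall_ip(ip):
    """Add an in-bound block rule for *ip* unless one already exists.

    Windows gets a netsh rule named ReconInformer_<ip>; other systems get an
    iptables rule that drops NEW in-bound connections from *ip*. Out-bound
    traffic stays allowed in both cases.

    Args:
        ip: dotted IPv4 address of the host to block. Callers are expected to
            have checked it with is_ip_private() first.
    """
    global OS
    try:
        # The existence check previously received the name IP (scapy's layer
        # class) instead of this function's argument, so it could never match.
        if getFirewall_rules(ip):
            return
        # Argument vectors keep the address away from a shell.
        if OS == "win32":
            cmd = ["netsh", "advfirewall", "firewall", "add", "rule",
                   "name=ReconInformer_" + ip, "dir=in", "interface=any",
                   "action=block", "remoteip=" + ip]
            # Same effect as the former ">nul 2>&1" redirection.
            with open(os.devnull, "w") as sink:
                call(cmd, stdout=sink, stderr=sink)
        else:
            #Block ANY new in-bound connection but allow outbound.
            call(["iptables", "-A", "INPUT", "-s", ip,
                  "-m", "state", "--state", "NEW", "-j", "DROP"])
    except Exception as e:
        print(str(e))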
#Delete FW rules.
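def rem_firewall_rule(ip_lst):
    """Delete the ReconInformer block rule of every address in *ip_lst*.

    Args:
        ip_lst: iterable of address strings, as produced by splitting the -d
            argument on commas. Surrounding whitespace is ignored, so
            "-d host1, host2" works as the help text suggests.
    """
    global OS
    try:
        for entry in ip_lst:
            addr = entry.strip()
            time.sleep(0.3)
            if is_ip_private(addr):
                # Argument vectors: the address comes from the command line and
                # must not be interpreted by a shell.
                if OS == "win32":
                    cmd = ["netsh", "advfirewall", "firewall", "delete", "rule",
                           "name=ReconInformer_" + addr]
                else:
                    cmd = ["iptables", "-D", "INPUT", "-s", addr,
                           "-m", "state", "--state", "NEW", "-j", "DROP"]
                if getFirewall_rules(addr):
                    call(cmd)
                    print(colored.cyan("[!] deleted fw rule: ReconInformer_"+addr))
                    time.sleep(2)
                else:
                    print(colored.cyan("[!] Firewall rule: ReconInformer_"+addr+" does not exist."))
            else:
                print(colored.cyan("[!] Invalid or non private ip-address."))
            sys.stdout.flush()
    except Exception as e:
        print(str(e))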
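def valid_ip(addr):
    """Return True only for a strict dotted-quad IPv4 address.

    The previous check used socket.inet_aton, which also accepts short forms
    such as "127.1" and, on some platforms, trailing text after the address;
    it also relied on the socket module, which this file does not import
    itself. The address is validated here directly instead.

    Args:
        addr: candidate address text.

    Returns:
        True when *addr* is exactly four decimal octets in 0-255 without
        leading zeros, separated by dots; False for anything else.
    """
    if not isinstance(addr, str):
        return False
    octets = addr.split(".")
    if len(octets) != 4:
        return False
    for octet in octets:
        if not octet or len(octet) > 3:
            return False
        if any(ch not in "0123456789" for ch in octet):
            return False
        # A leading zero is ambiguous (some parsers read it as octal).
        if len(octet) > 1 and octet[0] == "0":
            return False
        if int(octet) > 255:
            return False
    return True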
#Never block on specified hosts
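def whitelist():
    """Load the never-block list from whitelist_conf into ip_whitelist.

    Each non-blank line must hold one valid, private IPv4 address; other lines
    are reported and skipped. The program exits when the file is missing or
    empty.
    """
    global whitelist_conf, ip_whitelist
    if not os.path.exists(whitelist_conf):
        print(colored.cyan(whitelist_conf+" does not exist."))
        exit()
    if os.stat(whitelist_conf).st_size == 0:
        # Report the configured file name (the old text named a different file).
        print(colored.cyan("[!] "+whitelist_conf+" is empty."))
        exit()
    # The context manager closes the file even if a line fails to process.
    with open(whitelist_conf, "r") as wl:
        for line in wl:
            ip = line.strip()
            if not ip:
                continue
            if not valid_ip(ip):
                print(colored.cyan("[!] Invalid IP: "+ip))
            elif not is_ip_private(ip): #Check IP is in LAN range.
                print(colored.cyan("[!] Non private IP(s) will not be added: "+ip))
            else:
                ip_whitelist.add(ip)
                # Only announce addresses that were really added.
                print(colored.cyan("[-] Whitelisting: ")+colored.green(ip))
            time.sleep(0.1)
    print("\n")
    sys.stdout.flush()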
#Disk write chk.
def getsize(log_file):
    """Return the size of *log_file* in KiB, rounded, or 0 when it cannot be read.

    A missing file and any error while querying the size both yield 0.
    """
    try:
        if not os.path.exists(log_file):
            return 0
        return round(os.path.getsize(log_file) / float(1 << 10))
    except Exception:
        return 0
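def log(data):
    """Append *data* as one line to recon_log while the file is below max_log_sz.

    Once the size limit (in KiB, see getsize) is reached, nothing is written and
    a notice is printed instead. Write errors are ignored so that logging can
    never interrupt packet processing.

    Args:
        data: text of the log entry, without line terminator.
    """
    global recon_log, max_log_sz
    try:
        if getsize(recon_log) < max_log_sz:
            # The context manager closes the handle even when write() fails.
            with open(recon_log, "a") as f:
                f.write(data+"\r\n")
        else:
            print(colored.cyan("[!] Log size of "+str(max_log_sz)+" limit reached, logging stopped."))
            sys.stdout.flush()
    except Exception:
        pass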
def detection_time():
    """Return the current local time as text, with ':' turned into '-' and ' ' into '_'."""
    stamp = str(datetime.now())
    for old, new in ((":", "-"), (" ", "_")):
        stamp = stamp.replace(old, new)
    return stamp
#Filter.
def capture_filter(udp_capture, ping_sweep):
    """Build the capture filter expression handed to sniff().

    Args:
        udp_capture: truthy to include UDP packets (-u).
        ping_sweep: truthy to include ARP requests (-p).

    Returns:
        The filter text. It always starts with the destination test for
        local_ip_address and the TCP/SCTP scan signatures; ICMP and fragment
        terms are added only when UDP capture is off.
    """
    global local_ip_address
    to_me = "dst net " + local_ip_address
    # TCP window sizes seen in the scans described in the file header.
    window_sz = "||".join(
        "tcp[14:2]==" + size
        for size in ("1024", "2048", "3072", "4096", "29200", "5840", "8192", "64240")
    )
    syn_scan = "tcp[13]==2 && tcp[13]!=16"
    null_scan = "tcp[13]==0"
    xmas = "tcp[13] & 1!=0 && tcp[13] & 32!=0 && tcp[13] & 8!=0"
    sctp = "sctp"
    frag = "ip[6] = 32 or icmp[1]==4"
    icmp = "icmp"
    arp = "arp[6:2]==1"  # matches ARP opcode 1 only
    base = "(" + to_me + ")" + "&&" + "||".join([syn_scan, xmas, null_scan, window_sz, sctp])
    if udp_capture:
        extras = [arp, "udp"] if ping_sweep else ["udp"]
    else:
        extras = [icmp, frag, arp] if ping_sweep else [icmp, frag]
    return "||".join([base] + extras) + "&&" + to_me
#Private ip range.
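def is_ip_private(ip):
    """Return True when *ip* is a well-formed IPv4 address in a private LAN range.

    This is the gate in front of the firewall commands, so the shape of the
    address is checked here as well and not left to the patterns alone: exactly
    four decimal octets, each 0-255, nothing before or after.

    Args:
        ip: candidate address text.

    Returns:
        True when the address is well-formed and one of priv24, priv20 or
        priv16 matches it; False otherwise.
    """
    global priv24,priv20,priv16
    if not isinstance(ip, str):
        return False
    octets = ip.split(".")
    if len(octets) != 4:
        return False
    for octet in octets:
        if not octet or len(octet) > 3:
            return False
        if any(ch not in "0123456789" for ch in octet):
            return False
        if int(octet) > 255:
            return False
    return any(pattern.match(ip) is not None for pattern in (priv24, priv20, priv16))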
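def fw_block_inbound(addr):
    """Block *addr* at the firewall if allowed and return a status line to print.

    Args:
        addr: source address of the detected probe. It comes from captured
            traffic and can be forged, so it is blocked only when it is not
            whitelisted and lies in a private range.

    Returns:
        A coloured message: already blocked, whitelisted, newly blocked, or not
        blocked because the address is not private. (The last case used to
        return None, which the caller printed as "None".)
    """
    if getFirewall_rules(addr):
        return colored.cyan("[!] "+addr+" is blocked at the Firewall.")
    if addr in ip_whitelist:
        return colored.cyan("[!] Machine whitelisted.")
    #Extra network range check
    if is_ip_private(addr):
        firewall_ip(addr)
        return colored.cyan(colored.magenta("[+] Blocking IP: "+addr))
    sys.stdout.flush()
    return colored.cyan("[!] "+addr+" is not a private address, not blocked.")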
def save_pcap(pkt):
    """Append *pkt* to pcap_file unless the file has reached max_log_sz.

    Write errors are ignored; when the size limit is hit a notice is printed
    and the packet is dropped.
    """
    global pcap_file, max_log_sz
    if not getsize(pcap_file) < max_log_sz:
        print(colored.cyan("[!] Pcap size of "+str(max_log_sz)+" limit reached, pcap not saved."))
        sys.stdout.flush()
        return
    try:
        wrpcap(pcap_file, pkt, append=True)
    except Exception:
        pass
def restore_console():
    """Bring the console window back if it is minimised (Windows with -r only)."""
    global recon_win, OS
    if not (recon_win and OS == "win32"):
        return
    show_command = 9  # value passed to ShowWindow to restore the window
    try:
        console = ctypes.windll.kernel32.GetConsoleWindow()
        ctypes.windll.user32.ShowWindow(console, show_command)
    except Exception as err:
        print(str(err))
def doit(pkt):
# sniff() callback (recon_init passes prn=doit): classifies one captured packet, prints
# the detection and, depending on the parsed options in _args, blocks the source,
# appends a log line, saves the packet to the pcap file and restores the console.
# NOTE(review): addr, mac and pnum are read from the packet, i.e. chosen by the sender,
# and a source address can be forged. With -b one matching packet is enough to reach
# fw_block_inbound(addr), so hosts that must stay reachable belong on the whitelist.
global local_ip_address, _args, attacker_ip_set, ip_proto_scan_lst, OS, recon_win
global gw, no_report_scan_list, dst_port_whitelist, scan_detect_lst, only_this_ip
SCAN_TYPE=""
scan_flags=""
service_scan=""
fragmented=False
addr=""
dest=""
mac=""
pnum=""
# Width of the dashed separator line printed after each detection.
lines=86
#Deal with ping sweep -sn -sP (if attacker uses -Pn it may fail)
try:
if pkt.haslayer(ARP):
addr = str(pkt[ARP].psrc)
mac = str(pkt[Ether].src)
print(colored.red("[+] Recon:"+" "*(len("ARP Ping sweep")-1)+"IP:"+" "*(len(addr)+2)+"MAC:"+" "*(len(mac)+1)+"Time:"))
print(colored.cyan("[*] ARP Ping sweep" +" | " + addr + " | " + str(mac) + " "*1 + "| " + detection_time()))
print(colored.red("-"*lines))
sys.stdout.flush()
#IP layer, LAN and Check Target
# Ignore packets without an IP layer, from a non-private source, or not addressed to local_ip_address.
if IP not in pkt or not is_ip_private(pkt[0][IP].src) or pkt[0][IP].dst != local_ip_address:
sys.stdout.flush()
return
#Ping
# NOTE(review): str() of a non-empty value is always truthy, so this condition presumably
# never filters anything; a packet without an ICMP layer would then fail on the next
# line and end up in the except below - confirm.
if str(pkt.haslayer(ICMP)):
if str(pkt.getlayer(ICMP).type) == "8":
print(colored.cyan("[*] Ping from: "+pkt[0][IP].src + " | "+"Time: " + detection_time()))
print(colored.red("-"*lines))
sys.stdout.flush()
except Exception as e:
sys.stdout.flush()
pass
try:
#Handle fragmented packets -f
if str(pkt[0][IP].flags)=="MF":
fragmented=True
dest=str(pkt[0][IP].dst)
addr=str(pkt[0][IP].src)
mac=str(pkt[Ether].src)
# NOTE(review): dport (and window below) are read through the IP layer; presumably scapy
# resolves them in the transport layer - confirm. If any lookup in this try raises, the
# -t and ignore-list checks that follow are skipped, because the except swallows the error.
pnum=str(pkt[IP].dport)
#Check if use -t flag.
if only_this_ip != "" and addr != only_this_ip:
return
#Skip ignored hosts or filtered dest ports.
if addr in no_report_scan_list or pnum in dst_port_whitelist:
return
if UDP not in pkt[0]:
win_sz = pkt[0][IP].window
except Exception as e:
#print(str(e))
sys.stdout.flush()
pass
#Report fragmented packets -f.
if fragmented==True:
SCAN_TYPE="Fragmented"
try:
if pnum != "":
print(colored.red("[+] Recon:"+" "*(len("Frag")-1)+"IP:"+" "*(len(addr)+2)+"MAC:"+" "*(len(mac)+1)+"Port:"+" "*(len(pnum)+2)+"Time:"))
print(colored.cyan("[+] Frag" + " | " + addr + " | " + str(mac) + " | " + pnum + " "*2 + "| " + detection_time()))
sys.stdout.flush()
#Suppress output fragmented packets without meaningful info, as it just clutters the console anyways.
else:
print(colored.red("*"))
##print(colored.red("[+] Recon:"+" "*(len("Frag")-1)+"IP:"+" "*(len(addr)+2)+"MAC:"+" "*(len(mac)+1)+"Time:"))
##print(colored.cyan("[*] Frag" +" | " + addr + " | " + str(mac)+ " "*2 + "| " + detection_time()))
lines = lines + len(pnum) + 2
print(colored.red("-"*lines))
sys.stdout.flush()
except Exception as e:
sys.stdout.flush()
pass
# The same optional actions as at the end of the function, applied to the fragment.
if _args.block_mode:
print(fw_block_inbound(addr))
sys.stdout.flush()
if _args.log_probe:
info = "Source: " +addr + " | " + "Dest: "+dest + " | " + mac + " | " + "Fragmented packet | " + detection_time()
log(info)
if _args.archive:
save_pcap(pkt)
if recon_win and OS=="win32":
restore_console()
sys.stdout.flush()
return
#Noisy port
if OS == "win32" and pnum == "2869":
print(colored.cyan("[!] Port 2869 MS UPNP noise?, see -f flag"))
sys.stdout.flush()
#Noisy port
if pnum == "7680":
print(colored.cyan("[!] Port 7680 MS WUDO noise?, see -f flag"))
sys.stdout.flush()
if UDP in pkt[0]:
SCAN_TYPE = "UDP"
if TCP in pkt:
try:
flags = str(pkt[0][TCP].flags)
options = str(pkt[0][TCP].options)
if (flags=="S" or pkt[0][TCP].flags==0x002) and len(flags)==1:
SCAN_TYPE = "SYN"
#Handle useful --scanflags 0 - 255
# NOTE(review): in the tests below "A or B and C" groups as "A or (B and C)", unlike the
# fully parenthesised SYN test above; the length check only guards the numeric comparison.
if (flags=="SP") or (pkt[0][TCP].flags==0x00a) and len(flags)==2:
SCAN_TYPE = "SYN"
scan_flags="SYN, PSH"
if (flags=="SU") or (pkt[0][TCP].flags==0x022) and len(flags)==2:
SCAN_TYPE = "SYN"
scan_flags = "SYN, URG"
if (flags=="SPU") or (pkt[0][TCP].flags==0x02a) and len(flags)==3:
SCAN_TYPE = "SYN"
scan_flags = "SYN, PSH, URG"
if (flags=="SE") or (pkt[0][TCP].flags==0x42) and len(flags)==2:
SCAN_TYPE = "SYN"
scan_flags = "SYN, ECN"
if (flags=="SPE") or (pkt[0][TCP].flags==0x04a) and len(flags)==3:
SCAN_TYPE = "SYN"
scan_flags = "SYN, PSH, ECN"
if (flags=="SUE") or (pkt[0][TCP].flags==0x062) and len(flags)==3:
SCAN_TYPE = "SYN"
scan_flags = "SYN, URG, ECN"
if (flags=="SPUE") or (pkt[0][TCP].flags==0x06a) and len(flags)==4:
SCAN_TYPE = "SYN"
scan_flags = "SYN, PSH, URG, ECN"
if (flags=="SC") or (pkt[0][TCP].flags==0x082) and len(flags)==2:
SCAN_TYPE = "SYN"
scan_flags = "SYN, CWR"
if (flags=="SPC") or (pkt[0][TCP].flags==0x08a) and len(flags)==3:
SCAN_TYPE = "SYN"
scan_flags = "SYN, PSH, CWR"
if (flags=="SUC") or (pkt[0][TCP].flags==0x0a2) and len(flags)==3:
SCAN_TYPE = "SYN"
scan_flags = "SYN, URG, CWR"
# NOTE(review): 0x0a2 is the SYN,URG,CWR value already tested just above; the next test
# uses 0x0aa for SYN,PSH,URG,CWR, so this one looks like a redundant duplicate.
if (flags=="SPUC") or (pkt[0][TCP].flags==0x0a2) and len(flags)==4:
SCAN_TYPE = "SYN"
scan_flags = "SYN, PSH, URG, CWR"
if (flags=="SPUC") or (pkt[0][TCP].flags==0x0aa) and len(flags)==4:
SCAN_TYPE = "SYN"
scan_flags = "SYN, PSH, URG, CWR"
if (flags=="SEC") or (pkt[0][TCP].flags==0x0c2) and len(flags)==3:
SCAN_TYPE = "SYN"
scan_flags = "SYN, ECN, CWR"
if (flags=="SPEC") or (pkt[0][TCP].flags==0x0ca) and len(flags)==4:
SCAN_TYPE = "SYN"
scan_flags = "SYN, PSH, ECN, CWR"
if (flags=="SUEC") or (pkt[0][TCP].flags==0x0e2) and len(flags)==4:
SCAN_TYPE = "SYN"
scan_flags = "SYN, URG, ECN, CWR"
if (flags=="SPUEC") or (pkt[0][TCP].flags==0x0ea) and len(flags)==5:
SCAN_TYPE = "SYN"
scan_flags = "SYN, PSH, URG, ECN, CWR"
#Handle -A Service scans.
if (flags=="SE" or pkt[0][TCP].flags==0x042) and len(flags)==2:
#We can miss detects from old systems unless hits port 135/139 (Win OS).
service_scan="Service Scan -A"
# NOTE(review): the file header lists SYNECNCWR as 0x0c2; 0x8c2 here is possibly a typo.
if (flags=="SEC" or pkt[0][TCP].flags==0x8c2) and len(flags)==3:
service_scan="Service Scan -A"
if (flags=="FSPU" or pkt[0][TCP].flags==0x02b) and len(flags)==4:
service_scan="Service Scan -A"
# NOTE(review): win_sz is only assigned in the earlier try block; if that assignment was
# skipped, this comparison raises and the except below skips every check after it.
if win_sz == service_scan_win_sz:
service_scan="Service Scan -A"
# A lone SYN whose options text is longer than 15 characters is reported as CONNECT.
if (flags=="S" or pkt[0][TCP].flags==0x002) and len(flags)==1 and len(options)>15:
SCAN_TYPE = "CONNECT"
lines=93
#FW scan -sA
if (flags=="A" or pkt[0][TCP].flags==0x010) and len(flags)==1:
SCAN_TYPE = "ACK"
# FIN/NULL/XMAS/MAIMON are reported on non-Windows hosts, or when requested via -s.
if "F" in scan_detect_lst or OS != "win32":
if (flags=="F" or pkt[0][TCP].flags==0x001) and len(flags)==1:
SCAN_TYPE = "FIN"
if "N" in scan_detect_lst or OS != "win32":
if (flags=="" or pkt[0][TCP].flags==0x000) and len(flags)==0:
SCAN_TYPE = "NULL"
if "X" in scan_detect_lst or OS != "win32":
if (flags=="FPU" or pkt[0][TCP].flags==0x029) and len(flags)==3:
SCAN_TYPE = "XMAS"
if "M" in scan_detect_lst or OS != "win32":
if (flags=="FA" or pkt[0][TCP].flags==0x011) and len(flags)==2:
SCAN_TYPE = "MAIMON"
lines=93
except Exception as e:
sys.stdout.flush()
pass
else:
try:
if IP in pkt:
# NOTE(review): a non-empty string literal is always true, so the two string tests below
# act as labels only.
if "SCTP":
if (str(pkt[0][IP].flags)=="" or pkt[0][IP].flags == 0) and pkt[0][IP].len==52 and pkt[0][IP].type==1:
SCAN_TYPE = "SCTP"
if "SCTP_COOKIE_ECHO":
if (str(pkt[0][IP].flags)=="" or pkt[0][IP].flags==0) and pkt[0][IP].type==10:
SCAN_TYPE = "SCTP_COOKIE_ECHO"
lines=103
except Exception as e:
sys.stdout.flush()
pass
#Bail if no scan type.
if SCAN_TYPE=="":
return
#Try detect IP Protocol scan, not full proof as consecutive ACK, SCTP packets will be flagged.
# NOTE(review): "and" binds tighter than "or", so the length limit applies to SCTP only.
if SCAN_TYPE=="ACK" or SCAN_TYPE=="SCTP" and len(ip_proto_scan_lst) < 2:
#Don't add same scan type twice.
if SCAN_TYPE not in ip_proto_scan_lst:
ip_proto_scan_lst.append(SCAN_TYPE)
if len(ip_proto_scan_lst)==2:
print(colored.cyan("[*] Possible IP Protocol Scan -sO"))
sys.stdout.flush()
#Reset the list.
ip_proto_scan_lst=[]
#Clear any old one off ACK or SCTP scan flags hanging around.
# NOTE(review): a value cannot equal both names, so this condition is always true.
elif SCAN_TYPE != "ACK" or SCAN_TYPE != "SCTP":
ip_proto_scan_lst=[]
print(colored.red("[+] Recon:"+" "*(len(SCAN_TYPE)-1)+"IP:"+" "*(len(addr)+2)+"MAC:"+" "*(len(mac)+1)+"Port:"+" "*(len(pnum)+2)+"Time:"))
print(colored.green("[+] "+SCAN_TYPE + " | " + addr + " | " + str(mac) + " | " + pnum + " "*2 + "| " + detection_time()))
sys.stdout.flush()
if scan_flags != "":
print(colored.cyan("[*] --scanflags "+scan_flags))
if service_scan != "":
print(colored.cyan("[*] "+service_scan))
if _args.block_mode:
print(fw_block_inbound(addr))
# Decoy heuristic: two distinct source addresses trigger the notice, then the set is reset.
if addr not in attacker_ip_set:
attacker_ip_set.add(addr)
if len(attacker_ip_set) >= 2:
print(colored.cyan("[!] Multiple hosts detected, possible -D decoy scan."))
attacker_ip_set=set()
print(colored.red("-"*lines))
sys.stdout.flush()
#Log
if _args.log_probe:
try:
info = ("Source: "+ addr + " | " + "Dest: "+local_ip_address+" | "+SCAN_TYPE+" | "+
"MAC: "+str(pkt[0][Ether].src)+" | "+ "Port: " + str(pkt[0][IP].dport)+" | "+detection_time())
# NOTE(review): the third branch is unreachable - when both values are set the first
# branch already matched, so the service-scan text is never logged alongside --scanflags.
if scan_flags != "":
info = info + " | " + "--scanflags: " + scan_flags
elif service_scan != "":
info = info + " | " + service_scan
elif scan_flags != "" and service_scan != "":
info = info + " | " + "--scanflags: " + scan_flags + " | " + service_scan
except Exception as e:
sys.stdout.flush()
pass
# NOTE(review): if building info raised before it was assigned, info is unbound here and
# log(info) raises in turn.
finally:
log(info)
#Save PCAP
if _args.archive:
save_pcap(pkt)
#Restore console
if recon_win and OS=="win32":
restore_console()
def parse_args():
    """Parse the command line and return the argparse namespace.

    Only -i/--ip_addr is mandatory. Switch-style options take no value and are
    stored as "1" when present, None otherwise.
    """
    switch = {"nargs": "?", "const": "1"}
    options = (
        ("-i", "--ip_addr", {"required": True, "help": "<ATTACKER-IP-ADDR>."}),
        ("-b", "--block_mode", dict(switch, help="Block IP at Firewall, default block any in-bound, allow out.")),
        ("-d", "--delete_fw", {"help": "Unblock firewalled IP(s) <-d host1, host2>."}),
        ("-u", "--udp", dict(switch, help="UDP capture.")),
        ("-s", "--scan_type", {"help": "Report non-workable anomalous (on Windows OS) scan types XMAS,FIN,NULL,MAIMON <-s X, F, N, M>."}),
        ("-p", "--ping_sweep", dict(switch, help="Detect ping sweeps -sP, -sn, may fail if -Pn is used in the scan.")),
        ("-f", "--filter_dst_port", {"help": "Filter dest ports <-f 53,137,161,2869,..> reduce noise NBNS, DNS etc."}),
        ("-w", "--whitelist", dict(switch, help="Whitelist IP from FW block.")),
        ("-n", "--no_report", {"help": "Ignore packets from server <-n host1, host2>."}),
        ("-r", "--restore_console", dict(switch, help="Restores console window if minimized (Window only).")),
        ("-a", "--archive", dict(switch, help="Save PCAP (appends to pcap) size limit 1MB.")),
        ("-l", "--log_probe", dict(switch, help="Log detected probes (appends log) size limit set at 1MB.")),
        ("-t", "--process_specific_ip", {"help": "Process packets only from a IP of interest and nothing else. <-t x.x.x.x>"}),
    )
    cli = argparse.ArgumentParser()
    for short_flag, long_flag, settings in options:
        cli.add_argument(short_flag, long_flag, **settings)
    return cli.parse_args()
#Ensure module exists
def haslib(lib):
    """Return True if module *lib* is importable; otherwise print a hint and exit."""
    found = any(name == lib for _loader, name, _ispkg in iter_modules())
    if not found:
        print("[!] "+lib+ " does not exist, pip install "+lib)
        exit()
    return True
#Try deal with known bugs in some scapy versions so people don't lose their minds.
def scapy_ver():
    """Warn about scapy releases with known bugs.

    Returns:
        False when the installed scapy is 2.4.1 or 2.4.2 (after printing a
        warning), True for any other version.
    """
    installed = pkg_resources.get_distribution("scapy").version
    if installed not in ("2.4.1", "2.4.2"):
        return True
    print("[!] Known bugs in scapy versions 2.4.1 and 2.4.2")
    print("[!] Scapy version detected is " +installed+" update to 2.4.3 or latest.")
    return False
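def recon_init(udp, ping_sweep):
    """Capture packets forever, ten at a time, handing each one to doit().

    Args:
        udp: truthy to include UDP in the capture filter (-u).
        ping_sweep: truthy to include ARP in the capture filter (-p).

    The loop only ends when the process is interrupted. Capture errors are
    reported instead of being discarded, and the loop pauses before retrying:
    previously a failing sniff() (bad filter, missing capture driver) spun in
    a tight loop without any output, which looks like "listening" while
    nothing is being monitored.
    """
    while True:
        try:
            sniff(filter = capture_filter(udp, ping_sweep), prn=doit, count=10, store=0)
            sys.stdout.flush()
            time.sleep(1)
        except Exception as e:
            print("[!] Capture error: "+str(e))
            sys.stdout.flush()
            time.sleep(1)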
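def main(args):
    """Apply the parsed options to the module state and start listening.

    Args:
        args: namespace returned by parse_args().

    The function validates the addresses it is given, prints the relevant
    warnings, loads the whitelist when blocking is on, checks the log and pcap
    size limits, removes firewall rules requested with -d, and finally enters
    recon_init(), which does not return.
    """
    global _args, local_ip_address, OS, block_ip, recon_log, dst_port_whitelist
    global pcap_file, recon_win, gw, no_report_scan_list, scan_detect_lst, only_this_ip
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    #Assign args to global var to ref in other functions.
    _args = args
    print(colored.red("[*] Packets can be forged."))
    print(colored.red("[*] False positives may occur."))
    print(colored.red("[*] Attackers need protection too."))
    print(colored.red("[*] Anything can be bypass, use at own risk."))
    print(colored.red("[*] Best realtime output use: python -u"))
    print(colored.red("[/] Listening...\n"))
    sys.stdout.flush()
    if sys.platform!="win32":
        OS="Linux"
    recon_win=False
    dst_port_whitelist=""
    no_report_scan_list=""
    if args.restore_console and OS=="win32":
        recon_win = True
    elif args.restore_console and OS!="win32":
        print(colored.cyan("[!] Skipped -r Windows only."))
    if args.ip_addr:
        if not valid_ip(args.ip_addr):
            print(colored.cyan("[!] Invalid IP."))
            exit()
        local_ip_address=args.ip_addr
    if args.block_mode:
        print(colored.cyan("[!] Warning -b, spoofing can DoS in-bound."))
        if not args.whitelist:
            print(colored.cyan("[!] No whitelist, all IPs blocked."))
    if args.udp:
        print(colored.cyan("[!] udp equals more noise, see -f or -n flags."))
    if args.ping_sweep:
        print(colored.cyan("[!] See your using -p, most Nmap scans start with ARP, if the attacker uses -Pn detection may fail."))
    # List options are split on commas; whitespace around items is dropped so that
    # "-n host1, host2" (the form shown in the help text) matches as intended.
    if args.filter_dst_port:
        dst_port_whitelist=[port.strip() for port in args.filter_dst_port.split(",") if port.strip()]
    if OS=="win32" and args.scan_type:
        scan_detect_lst=[kind.strip() for kind in args.scan_type.upper().split(",") if kind.strip()]
    elif OS != "win32" and args.scan_type:
        print(colored.cyan("[!] Ignoring -s flag, Non Windows OS."))
    if OS=="win32" and len(scan_detect_lst)==0:
        print(colored.cyan("[!] FIN,NULL,XMAS,MAIMON scans are ignored on Windows, still wish to detect them? use -s flag, see -h."))
    if args.whitelist and not args.block_mode:
        # This message was built but never printed, so the program exited silently.
        print(colored.cyan("[!] -w has no block mode (-b)."))
        exit()
    if args.block_mode and args.whitelist:
        whitelist()
    if args.no_report:
        no_report_scan_list=[host.strip() for host in args.no_report.split(",") if host.strip()]
    if args.log_probe:
        if getsize(recon_log) >= max_log_sz:
            print(colored.cyan("[!] Log file size of "+str(max_log_sz)+" limit reached, delete log file to continue logging."))
            exit()
    if args.archive:
        if getsize(pcap_file) >= max_log_sz:
            print(colored.cyan("[!] PCAP file size of "+str(max_log_sz)+" limit reached, delete pcap to continue saving."))
            exit()
    if args.delete_fw:
        rem_firewall_rule(args.delete_fw.split(","))
    #Process only packets from a certain host.
    if args.process_specific_ip:
        # A mistyped -t address would otherwise silently suppress every detection.
        if not valid_ip(args.process_specific_ip.strip()):
            print(colored.cyan("[!] Invalid IP."))
            exit()
        only_this_ip = args.process_specific_ip.strip()
    #Listen for recon attempts.
    recon_init(args.udp, args.ping_sweep)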
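if __name__=="__main__":
    # Script entry point: require elevation, load the third-party modules, show the
    # banner, then hand the parsed command line to main().
    isAdmin()
    try:
        if haslib("scapy"):
            from scapy.all import *
    except Exception as e:
        if str(e) == "cannot import name NPCAP_PATH":
            scapy_ver()
        # Without scapy there is no sniff() and no layer classes. Continuing would
        # leave the capture loop failing silently while appearing to listen.
        print("[!] Could not import scapy: "+str(e))
        sys.exit(1)
    try:
        # Only warns about known-buggy releases; the return value is not acted on.
        scapy_ver()
    except Exception as e:
        print(str(e))
    try:
        if haslib("clint"):
            from clint.textui import colored
    except Exception as e:
        # Every status message goes through colored, so stop here as well.
        print(str(e))
        sys.exit(1)
    try:
        print(colored.red(BANNER))
        time.sleep(0.2)
        sys.stdout.flush()
    except Exception as e:
        print(str(e))
    # main() refers to this module-level parser for its own no-argument check.
    # NOTE(review): it has no options registered, so the help it prints is bare;
    # the full option list lives in parse_args().
    parser = argparse.ArgumentParser()
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        exit()
    main(parse_args())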