18 Apr 2020

Python : SSL Version Scanner



Python package to find the SSL/TLS version offered by a host. You can modify the script for your host and get the SSL/TLS version number in order to find its vulnerabilities.

Follow the link below to get your package ready:

https://khirawadhi.blogspot.com/2018/04/how-to-build-python-package-and-keep.html 

After setting up, use this in your script to get the SSL/TLS version number.

1) This is your __init__.py script

#!/usr/bin/python

import socket
import nmap   # python-nmap: a wrapper that drives the nmap binary

def printSSL(h):
    host = h
    addrs = socket.gethostbyname(host)

    # Run nmap's ssl-enum-ciphers NSE script against port 443 only
    nm = nmap.PortScanner()
    nm.scan(hosts=addrs, arguments='-n -sV --script ssl-enum-ciphers -Pn -p 443')
    ssl = nm[addrs]['tcp'][443]['script']['ssl-enum-ciphers']

    # Each protocol version is printed on its own line, e.g. "TLSv1.2:" or "SSLv3:"
    for item in ssl.split("\n"):
        if "TLSv" in item or "SSLv" in item:
            version = item.strip()
            print("SSL/TLS Version of " + str(host) + " is %s" % version)
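The scanner above only prints the version lines it finds. The following added example (not part of the original post) parses the same ssl-enum-ciphers text into a version-to-ciphers map and flags deprecated protocol versions, using a constructed sample in nmap's output layout so it runs offline:

```python
import re

# Added example, not the original post's code: parse the text nmap's
# ssl-enum-ciphers script returns (what the scanner reads from
# nm[addrs]['tcp'][443]['script']['ssl-enum-ciphers']) into a
# version -> ciphers map and flag deprecated protocol versions.
VERSION_RE = re.compile(r'^\s*(SSLv[23]|TLSv1\.[0-3]):\s*$')
CIPHER_RE = re.compile(r'^\s*(TLS_[A-Z0-9_]+)')
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

def parse_enum_ciphers(text):
    """Return {version: [cipher, ...]} from ssl-enum-ciphers output."""
    result, current = {}, None
    for line in text.splitlines():
        v = VERSION_RE.match(line)
        if v:  # a protocol header such as "  TLSv1.2:"
            current = v.group(1)
            result.setdefault(current, [])
            continue
        c = CIPHER_RE.match(line)
        if c and current:  # a cipher suite listed under that version
            result[current].append(c.group(1))
    return result

def deprecated_versions(parsed):
    """Versions the host still offers that should be disabled."""
    return sorted(v for v in parsed if v in DEPRECATED)

# Constructed sample in nmap's output layout; not a real scan result.
SAMPLE = """\
  TLSv1.0:
    ciphers:
      TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    cipher preference: server
  TLSv1.2:
    ciphers:
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
      TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    cipher preference: server
  least strength: A
"""

if __name__ == "__main__":
    parsed = parse_enum_ciphers(SAMPLE)
    for version, ciphers in parsed.items():
        print(version, "offers", len(ciphers), "cipher(s)")
    print("deprecated:", deprecated_versions(parsed))
```

To use it with the scanner, pass the string read from nm[addrs]['tcp'][443]['script']['ssl-enum-ciphers'] to parse_enum_ciphers instead of SAMPLE.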


2) This is your setup.py script

from setuptools import setup

setup(name='SSL_Scanner',
      version='0.1',
      description='Version Scanner',
      url='http://maddog.com',
      author='Hooman',
      author_email='hooman@example.com',
      license='CAT',
      packages=['SSL_Scanner'],
      zip_safe=False)

3) Install twine to upload the package

# pip install twine

4) Build a source distribution of your package

# python setup.py sdist

5) Upload your package to PyPI

# twine upload dist/*

6) pip install this package

# pip install SSL_Scanner

7) Use the package in your script

>>> import SSL_Scanner
>>> SSL_Scanner.printSSL("yahoo.com")
or
>>> SSL_Scanner.printSSL("bingo.com")

There you have it: the script(s) above give us the SSL/TLS version numbers offered by a host, which can then be used to look up the vulnerabilities of that host.

How to build python package and keep your sanity



Python is a cool language; we can do nearly everything with it, from running a Hello World to developing a tool. Here we'll see how to create your own sample Python package in easy steps.

1) Package Structure (Very Important)

    your_directory/
        sub_directory/
            __init__.py
        setup.py

e.g.,

    sample/
        sample/
            __init__.py
        setup.py


2) Create __init__.py file

We need an __init__.py file to initialize the Python package and to mark the directory as a package rather than a plain folder of files.
This file contains only the function to be executed, e.g.:

def hello():
    # The function exported by the package
    return u'Hello Evil World'

3) Create setup.py file

This is a very important file; it contains a global setup() call that gives the specific details of your package.
Create the setup.py file in the main directory, outside the sub-directory, and write the following:

from setuptools import setup

setup(name='Sample',
      version='0.1',
      description='Sample Demo',
      url='http://maddog.com',
      author='HocusPocus',
      author_email='Hocus@example.com',
      license='DEMO',
      packages=['Sample'],
      zip_safe=False)


4) pip install .

This will install your package on your local system. (This only makes it available locally.)

# pip install .

Remember that there is a dot ( . ) at the end of the command.

5) Install twine to upload your package.

# pip install twine

6) Register your package in PYPI

Now, to make your package available globally, publish it to PyPI. Go to the directory containing the setup.py file and the sub-directory and run the following:

# python setup.py sdist

This will generate a compressed source distribution of your package under dist/.

# twine upload dist/*

This will upload your package to PyPI.
The command will ask for a username and password. Give your PyPI username and password, and it will upload your package.

Check https://pypi.org/project/<your_package_name> to see whether your package exists or not.

7) pip install <your_package_name> 

This will install your package on any machine, as long as it has Python installed.

# pip install <your_package_name>


There you have it: your Python package.

17 Apr 2020

What is Snort Rule and How to write one ?



What is a Snort Rule?
Snort is a Network Intrusion Detection and Prevention System that works from rules.

These rules combine signatures, protocols and inspection methods to describe expected malicious behaviour on the network, such as DDoS, buffer overflows, OS fingerprinting and stealth scans.

Snort also does real-time analysis of network traffic. It uses libpcap on Linux/Unix and WinPcap on Windows.


How to write a Snort Rule?
A rule consists of a Rule Header and Rule Options.

Rule Header:
It identifies the action to take, such as alert, log or pass.

Rule Action: It tells Snort what action to take when certain conditions are met.
Pass: It tells Snort to ignore the packet.
Log: It is used to log the packet.
Alert: It is used to generate an alert message when the conditions are true for some traffic.
Activate: It is used to create an alert and also activate another rule to check for more conditions.
Dynamic: These rules are triggered by a different rule using the activate rule action.
User Defined Action: It is used to create our own rule action(s).

Rule Options:
They identify the rule's alert message and related details.

Message: It is the text logged and alerted when a rule fires.
Reference: It includes a reference to an external attack identification system.
Generator ID: It identifies which part of Snort fired when a certain event occurred.
Snort Rule ID: It uniquely identifies the Snort rule.
Revision: It uniquely identifies the revision of the Snort rule.
ClassType: It is used to categorize a rule by the class of attack it detects.
Priority: It is used to assign a severity level to the rule.
Metadata: It is used to give more information about the rule.

Examples :

alert tcp any any -> any 80 ( msg: "TCP Traffic alert"; content: "login"; flags:s; sid:100;)

alert udp any any -> any any ( msg: "UDP Traffic alert"; content: "login"; sid:101;)

alert : It is the Rule Action. Snort will generate an alert when the conditions are satisfied.
any  : It's the Source IP address. By setting it to "any", Snort will match all source IPs.
any  : It's the Source Port number. With "any", Snort will match all ports.
->    : It's the direction of the flow, from Source to Destination.
any  : It's the Destination IP address. By setting it to "any", Snort will match all destination IPs.
80 / any : It's the Destination Port number. With "any", Snort will match all ports.
msg : It contains the message included with the alert.
content : It tells the rule which payload content must be present for the rule to fire.
flags : It's used to define which TCP flags to match on.
sid   : It is the Snort unique ID for that rule.
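To see the header and option pieces described above in one place, here is an added example (not from the original post) that splits a Snort rule into its header fields and its option keywords and checks that the msg and sid options are present; it is run over the two example rules above:

```python
import re

# Added example, not from the original post: split a Snort rule into its
# header fields and its option keywords so each piece described above
# can be inspected and sanity-checked.
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

def parse_rule(rule):
    """Return {'header': {...}, 'options': [(keyword, value), ...]}."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    header = {k: m.group(k)
              for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    if header["action"] not in ACTIONS:
        raise ValueError("unknown rule action: " + header["action"])
    options = []
    # Options are 'keyword:value;' pairs; a quoted value may itself contain
    # ';', so only split on semicolons that are outside double quotes.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', m.group("opts")):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        options.append((key.strip(), val.strip().strip('"')))
    return {"header": header, "options": options}

def missing_required(parsed):
    """Keywords every alert rule should carry: msg to explain it, sid to identify it."""
    present = {k for k, _ in parsed["options"]}
    return sorted({"msg", "sid"} - present)

if __name__ == "__main__":
    # The two example rules from the post.
    for rule in [
        'alert tcp any any -> any 80 ( msg: "TCP Traffic alert"; content: "login"; flags:s; sid:100;)',
        'alert udp any any -> any any ( msg: "UDP Traffic alert"; content: "login"; sid:101;)',
    ]:
        parsed = parse_rule(rule)
        print(parsed["header"]["proto"], parsed["header"]["dport"], parsed["options"],
              "missing:", missing_required(parsed))
```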


Let's see our Rules in Action:

Example 1)

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1001; rev:1; classtype:icmp-event;)

This is a simple example of a Snort rule, which generates an alert when we send an ICMP request and get an ICMP response back to the home network, aka ping.



We ping Google's DNS (8.8.8.8) from the terminal:



Check Squert in Security Onion for the Snort alert.


Let's see some more Examples:


Example 2)

Snort Rule For EternalBlue Vulnerability:

Refer to the previous blog post, "Eternalblue vulnerability", to perform the exploit against SMB.


There we captured the pcap, and we can see that there are lots of 'A' characters in the pcap.


We will use the hex value of this 'A' character, which is '41', in our Snort rule, as it is more efficient than the ASCII form. We have 1449 'A' characters, so we will put 1449 '41' bytes inside our rule.

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Possible buffer overflow attempt over port 445."; content:"|4141...14141|";sid:10000006; rev:1;)

As you can see in our Security Onion, Squert shows that our rule fired:



Example 3)

Snort Rule For Heartbleed Vulnerability:

Follow the link below to perform the exploit for the Heartbleed vulnerability.

Here in the pcap, we can see the leaked data in plain text. We will use that information in our rule.



alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"Plaintext HTTP headers User-Agent and Host detected over port 443 (response from server)."; flow:from_server,established; content:"User|2d|Agent"; content:"Host|3a|"; sid:10000008; rev:1;)

Here you can see our Snort rule for the Heartbleed vulnerability firing in Squert, Security Onion:
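Examples 2 and 3 both rely on the |..| hex notation inside content:. The following added example (not from the original post) decodes such content strings into the exact bytes Snort searches for and tests a rule's content patterns against constructed payloads standing in for the two captures:

```python
import re

# Added example, not from the original post: turn a Snort content: string,
# in which |..| brackets hold hex bytes, into the exact bytes Snort searches
# for, and test a rule's content patterns against a packet payload.
def content_to_bytes(content):
    if content.count("|") % 2:
        raise ValueError("unbalanced | in content: " + content)
    out = bytearray()
    # Alternate between literal text and |hex| groups, e.g. User|2d|Agent.
    for literal, hexgroup in re.findall(r'([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?', content):
        out += literal.encode("latin-1")
        if hexgroup:
            out += bytes.fromhex(hexgroup)
    return bytes(out)

def rule_content_matches(contents, payload):
    """True when every content: pattern occurs somewhere in the payload
    (plain substring search; offset/depth/distance modifiers are not modelled)."""
    return all(content_to_bytes(c) in payload for c in contents)

# Constructed payloads standing in for the captures discussed above.
OVERFLOW_PAYLOAD = b"\x00\x00\x10\x00" + b"A" * 1449 + b"\x00"
LEAKED_RESPONSE = (b"\x18\x03\x02\x00\x40"
                   b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl\r\n")

if __name__ == "__main__":
    # Example 2: 1449 'A' bytes written as |41| groups
    print(rule_content_matches(["|41|" * 1449], OVERFLOW_PAYLOAD))                # True
    # Example 3: the two header patterns from the Heartbleed rule
    print(rule_content_matches(["User|2d|Agent", "Host|3a|"], LEAKED_RESPONSE))  # True
```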