Hii again...
Hope you liked my previous post "Post XSS At : research.microsoft.com".
Finally it's 8th semester; the 4 years of fun were going to end in the next 5 months, and the gang decided to attend the first-day class on time, as a ritual. Professors were well aware that there will be full strength on the first day, the last day & the day before exams, so they were ready with their A-Bomb for students.
This time the A-Bomb was the "Capstone Project": the 10-credit, game-changing, 5-month task that either puts your grades inside a tombstone or raises them above the stars. So we heard about the task, and within a week we had to make a 4-5 person group and choose a project & mentors.
The group was made in less than a minute, but choosing a project was a tough call, so we decided to come up with as many ideas as possible in the next 3 days. On the 3rd day the team members gathered in class and contributed our ideas, e.g. shopping website, social networking website, Skype-like software, Google Drive-like systems etc...
NOTE : Personal advice to students out there looking for projects :
1. Always choose a project that no one else is making. [ Different Project ]
2. The project should sound complex and tough to understand but be the easiest to program.
So, we followed the above guidelines and dropped the idea of making websites or software, because they were so common and similar among other students, and came to the conclusion that we were going to make a project related to cyber security, since security would be the least considered area among other students and professors.
But in cyber security we came across many projects like RAT, Anti-Virus, DMZ etc...
The projects were awesome, but the problem was practical implementation. E.g. if we made a RAT (Remote Administration Tool), the main task was to get a remote connection to our victim PC. That was easy if the victim's firewall & anti-virus were disabled, but while giving the viva to professors there is no point saying "we have to disable the firewall of the victim." It would be a huge fail for the team. So we went with the easiest one in the book, called "IDS" (Intrusion Detection System). It was a perfect project: it sounds difficult, but once you understand the concept it is easy to code.
As developers, the biggest question after choosing the project was 3W1H....?????
How to start?
When to start?
Where should we start from?
Who will start?
The solution in the books was the simple SDLC (Systems Development Life Cycle), but it only works when you know what you are going to start with. We only had the idea that IDS means "Intrusion Detection System" & its work is to detect intruders, e.g. if an attacker is trying to get access to our system we should get an alert of his presence.
So, ignoring the SDLC concept, we started working blind, on a problem-followed-by-solution basis. Now the ultimate problem was how to code: which programming language should we choose?
The answer was to make it as simple as you can for users & other programmers to understand, so we chose Perl & Linux bash scripting.
The week passed, we registered our project & chose our mentor. The deadline for our first-month report was near and we hadn't started our project. We had to show the interface and the features of our project. By then we knew what we had to do; we categorized our system into four parts:
1. Firewall
2. Honeypot
3. DOS Detection
4. Logs Management
& came up with the interface. Our main objective was to create simple scripts for each category.
E.g. for the firewall: IP, port blocking etc...
Month 1: we wrote simple scripts for the Firewall like :
1. Blacklisting IP Address
2. Blacklisting MAC Address
3. Blacklisting Ports
4. Block Website
5. Block Ads
6. Backdoor scanner
7. Trojans scanner
We used simple tricks for building these scripts, like...
for blacklisting IPs, MACs and ports we used iptables commands :
1. IP Blocking :
iptables -A INPUT -s $ip -j DROP
2. MAC Blocking :
iptables -A INPUT -m mac --mac-source $mac -j DROP
iptables -A FORWARD -m mac --mac-source $mac -j DROP
3. Ports Blocking :
iptables -A INPUT -p tcp --destination-port $Po -j DROP
4. Ads Block :
Parsing the IPs from http://www.spamhaus.org/drop/drop.lasso & blocking them with iptables.
5. Backdoor Scanner
Comparing known backdoor signatures with the source of the file we want to scan.
6. Blocking Website
using the simple hosts-file IP blocking concept
Month 2: Creating the Honeypot.
The simplest way to understand a honeypot is: pretend to be vulnerable to the attacker's attacks & trap the attacker at the time of attack.
How to build a trap?
Think like an attacker. An attacker always does footprinting and scanning before launching his attack; it's simple: if you do not know about the target you can't move further.
So, we built a simple trap called PSAD (Port Scan Attack Detection).
In this, if an attacker tries different types of Nmap scan on our system, we will get an alert with the IP address doing that scan.
The trick was to use a network sniffer, e.g. Wireshark or Tshark, and create a rule to look for specific TCP flags in the packets coming from the attacker's side.
tshark -i $fa -f "ip proto 6 or ip proto 17 or ip proto 1" -R "tcp.flags == 16 or tcp.flags == 1 or tcp.flags == 2 or tcp.flags == 18 or tcp.flags == 41 or tcp.flags == 0 or ip.len == 28 or icmp.type == 8"
You must be wondering what the above tshark command is for. OK, the trick was to view all Nmap scans in detail and check which TCP flags each one uses for scanning. Note that the capture filter (-f) must also admit ICMP (ip proto 1), otherwise the icmp.type term can never match, and that on current tshark releases the -R read filter needs -2 (two-pass), while -Y applies the same filter in a single pass.
E.g. TCP flags with their decimal values:
FIN = 1
SYN = 2
RST = 4
PSH = 8
ACK = 16
URG = 32
ECE = 64
CWR = 128
Different types of scan, by TCP flags, that you can filter out using tshark:
TCP Connect Scan
Filter : ip.proto == 6 and tcp.flags == 18
TCP SYN Scan
Filter : ip.proto == 6 and tcp.flags == 2
TCP FIN Scan
Filter : ip.proto == 6 and tcp.flags == 1
TCP XMAS Scan
Filter : ip.proto == 6 and tcp.flags == 41
TCP NULL Scan
Filter : ip.proto == 6 and tcp.flags == 0
TCP ACK Scan
Filter : ip.proto == 6 and tcp.flags == 16
UDP Scan
Filter : ip.proto == 17 and ip.len == 28
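As an added example (not the original project's code), here is a bash version of the PSAD idea: the table above as a classifier, plus a per-source count, so that a single SYN or ACK, which every normal connection also carries, does not raise an alert on its own. It assumes one line per packet of "src proto flags len", as a constructed export of tshark -T fields -e ip.src -e ip.proto -e tcp.flags -e ip.len would give; the sample packets and addresses are constructed.

```shell
# Classify one probe from (protocol, TCP flags, IP length) using the table above.
# tcp.flags may be decimal (as in the table) or hex (as tshark prints it);
# $(( )) normalises both. Prints "-" for anything that is not a scan signature.
classify_scan() {
  proto=$1; flags=$(( ${2:-0} )); len=$3
  if [ "$proto" -eq 17 ]; then
    [ "$len" -eq 28 ] && echo "UDP Scan" || echo "-"   # empty UDP datagram
    return 0
  fi
  [ "$proto" -eq 6 ] || { echo "-"; return 0; }
  case $flags in
    18) echo "TCP Connect Scan" ;;
    2)  echo "TCP SYN Scan" ;;
    1)  echo "TCP FIN Scan" ;;
    41) echo "TCP XMAS Scan" ;;
    0)  echo "TCP NULL Scan" ;;
    16) echo "TCP ACK Scan" ;;
    *)  echo "-" ;;
  esac
}

# Print "src count" for every source whose number of scan-looking packets
# exceeds the threshold in $2. Volume per source, not a single packet, is the signal.
scan_alerts() {
  threshold=$2
  printf '%s\n' "$1" | while read -r src proto flags len; do
    [ -n "$src" ] || continue
    kind=$(classify_scan "$proto" "$flags" "$len")
    [ "$kind" != "-" ] && echo "$src"
  done | sort | uniq -c | awk -v t="$threshold" '$1 > t { print $2, $1 }'
}

# Constructed sample: 192.0.2.10 sends NULL, FIN, XMAS and SYN probes;
# 192.0.2.20 is an ordinary client (SYN, then ACK); 192.0.2.30 sends one empty UDP datagram.
SAMPLE_PACKETS='192.0.2.10 6 0x000 40
192.0.2.10 6 0x001 40
192.0.2.10 6 0x029 40
192.0.2.10 6 0x002 44
192.0.2.20 6 0x002 60
192.0.2.20 6 0x010 52
192.0.2.30 17 0 28'

scan_alerts "$SAMPLE_PACKETS" 2
```

Feed real tshark field output into scan_alerts over a short time window; the threshold is what separates a scanner from the SYN/ACK pairs of normal sessions.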
Month 3: Writing scripts for DOS / DDoS detection & log management.
1. ARP Poisoning Check
The trick was to compare the original gateway MAC with the MAC seen after an attack starts.
Command used : arp -a $ip
Create a program that first stores the original gateway MAC as MAC1, then periodically reads the current MAC2 and compares them :
if MAC1 == MAC2 then no poisoning
else
poisoning is in process
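An added example (not the project's code) of the MAC1/MAC2 comparison as bash functions that parse arp -a style output; the gateway address, MACs and both ARP snapshots below are constructed.

```shell
# Extract the hardware address for one IP from `arp -a` output lines such as
#   ? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
# $1 = gateway IP, $2 = text of `arp -a` output.
gateway_mac() {
  printf '%s\n' "$2" | awk -v ip="($1)" '$2 == ip { print tolower($4); exit }'
}

# Compare the stored baseline (MAC1) with the current reading (MAC2).
# Returns 0 when unchanged, 1 when it differs (poisoning in process),
# 2 when the gateway has no ARP entry at all (cache flushed or host unreachable).
# $1 = gateway IP, $2 = baseline MAC, $3 = current `arp -a` text.
check_arp_poison() {
  current=$(gateway_mac "$1" "$3")
  [ -n "$current" ] || return 2
  [ "$current" = "$2" ] && return 0
  echo "ALERT: gateway $1 MAC changed from $2 to $current"
  return 1
}

# Constructed snapshots: in the second one the gateway answers from the
# same hardware address as another host on the segment.
ARP_BEFORE='? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.7) at aa:bb:cc:dd:ee:01 [ether] on wlan0'
ARP_AFTER='? (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on wlan0
? (192.168.1.7) at aa:bb:cc:dd:ee:01 [ether] on wlan0'

MAC1=$(gateway_mac 192.168.1.1 "$ARP_BEFORE")      # stored once at start-up
check_arp_poison 192.168.1.1 "$MAC1" "$ARP_AFTER" || echo "status $?"
```

In a real deployment, take the baseline from a trusted moment (or a static ARP entry) and run the check in a loop with `arp -a` output substituted for the constructed text.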
2. HTTP DDos Check
while true; do
  check=$(netstat -nap | grep ':80 ' | wc -l)   # -n prints numeric ports, so match :80 rather than the word HTTP
  if [ "$check" -gt 20 ]; then echo "HTTP DDoS suspected: $check connections"; fi
  sleep 5
done
If netstat is showing connections from many different IP addresses requesting the server at the same time, a DDoS is in process.
3. UDP Dos Check
while true; do
  check=$(netstat -anp | grep 'udp' | wc -l)
  if [ "$check" -gt 20 ]; then echo "UDP DoS suspected: $check sockets"; fi
  sleep 5
done
If netstat is showing connections from many different IP addresses requesting the server at the same time, a DDoS is in process.
4. TCP / IP DoS
To see both TCP & UDP, count the distinct remote IP addresses:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | wc -l
5. SYN Dos Check
while true; do
  check=$(netstat -nap | grep SYN | wc -l)   # SYN_RECV entries are half-open connections
  if [ "$check" -gt 20 ]; then echo "SYN DoS suspected: $check half-open connections"; fi
  sleep 5
done
If netstat is showing connections from many different IP addresses requesting the server at the same time, a DDoS is in process.
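An added example (not the project's code) that extends the netstat counters above: rather than one global count, it counts connections in a given state per remote address and flags any address over a threshold, which separates one flooding source from many legitimate clients. It assumes netstat -ant style output; the sample lines and addresses are constructed.

```shell
# Count connections in state $2 (e.g. SYN_RECV, ESTABLISHED) per remote IP.
# $1 = text of `netstat -ant` output. Prints "count ip", highest first.
connections_per_source() {
  printf '%s\n' "$1" | awk -v st="$2" '
    $1 ~ /^(tcp|tcp6)$/ && $6 == st {
      ip = $5; sub(/:[0-9]+$/, "", ip)   # strip the remote port
      n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print every remote IP with more than $3 connections in state $2.
dos_suspects() {
  connections_per_source "$1" "$2" | awk -v t="$3" '$1 > t { print $2 }'
}

# Constructed sample: 203.0.113.9 holds four half-open connections,
# 198.51.100.4 is a normal client with one established and one pending.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40004       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.4:52110      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.4:52111      SYN_RECV'

dos_suspects "$NETSTAT_SAMPLE" SYN_RECV 3
```

Replace the constructed text with "$(netstat -ant)" inside the page's polling loop; the per-source view is what lets you feed a single offender into the iptables blacklist rule from month 1.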
6. Ping of Death Check
Sniff the network & check the size of the ICMP echo-request packets :
tshark -i wlan0 -R "icmp.type == 8" -c 200
Log Management :
In log management, syslog and commands like stat, faillog, last etc. were used.
These Linux log files were monitored and checked for updates & modification :
"/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp",
"/var/log/secure","/root/.ksh_history", "/root/.bash_history",
"/root/.bash_logout", "/var/log/wtmp", "/etc/wtmp",
"/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",
"/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs",
"/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",
"/var/log/messages/", "/var/log/proftpd/xferlog.legacy",
"/var/log/proftpd.xferlog", "/var/log/proftpd.access_log",
"/var/log/httpd/error_log", "/var/log/httpsd/ssl_log",
"/var/log/httpsd/ssl.access_log", "/etc/mail/access",
"/var/log/qmail", "/var/log/smtpd", "/var/log/samba", "/var/lock/samba", "/root/.Xauthority",
"/var/log/poplog", "/var/log/news.all", "/var/log/spooler",
"/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
"/var/log/news/news.crit", "/var/log/news/news.err", "/var/log/news/news.notice", "/var/log/news/suck.err", "/var/log/news/suck.notice",
"/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks",
"/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log",
"/var/log/ncftpd/misclog.txt", "/var/log/ncftpd.errs", "/var/log/auth"
So finally, after 3 months, we had completed our project & started making the report.
Link For Report : http://www.slideshare.net/raghavbisht9/personal-final-report
Download Project : https://github.com/raghav007bisht/Intrusion-Detection-System-IDS-v5.0