Tuesday, May 25, 2010

piping tcpdump output to lsof

This simple Bash script will output the lsof end of any foreign network connection:
#!/usr/bin/env bash
# Set rl0 to the interface of your choice.
# tcpdump's second field is the source endpoint as a.b.c.d.port, so the second
# awk drops the port and keeps the address. (Newer tcpdump prints an "IP" token
# in that position, so use $3 instead of $2 there; adding -n keeps the source
# numeric instead of a resolved hostname.)
while [ 1 ]
        do
                for i in `tcpdump -i rl0 -c 1 -l dst $(hostname) | awk '{print $2}' | awk -F"." '{print $1"."$2"."$3"."$4}'`
                         do lsof -i@$i
                done
done
with time/date stamp added and headers removed:
while [ 1 ]
        do
                # grep -v PID drops the lsof header line; the unquoted backticks
                # collapse each lsof row onto one line after the UTC date
                for i in `tcpdump -i rl0 -c 1 -l dst $(hostname) | awk '{print $2}' | awk -F"." '{print $1"."$2"."$3"."$4}'`
                         do echo `date -u` `lsof -i@$i | grep -v PID`
                done
done

Run like this:
./tcp_lsof.sh >> tcp.lsof.log &

the script produces output like this:

COMMAND   PID     USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
sshd    18392 rferrisx    5u  IPv4 0xd699ac80      0t0  TCP rmflaptop.rmfdevelopment.com:ssh->192.168.0.3:13974 (ESTABLISHED)
sshd    29850     root    5u  IPv4 0xd699ac80      0t0  TCP rmflaptop.rmfdevelopment.com:ssh->192.168.0.3:13974 (ESTABLISHED)
or
Wed May 26 15:22:06 UTC 2010 sshd 9448 root 5u IPv4 0xd699ac80 0t0 TCP rmflaptop.rmfdevelopment.com:ssh->192.168.0.3:15729 (ESTABLISHED) 
sshd 29734 rferrisx 5u IPv4 0xd699ac80 0t0 TCP rmflaptop.rmfdevelopment.com:ssh->192.168.0.3:15729 (ESTABLISHED)
Wed May 26 15:22:07 UTC 2010 sshd 9448 root 5u IPv4 0xd699ac80 0t0 TCP rmflaptop.rmfdevelopment.com:ssh->192.168.0.3:15729 (ESTABLISHED) 
sshd 29734 rferrisx 5u IPv4 0xd699ac80
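As an added example (not the post's script), the same loop in Python: it accepts both tcpdump output styles, hands lsof only a numeric address, and stops instead of spinning when tcpdump fails. Interface rl0, the dst host filter and the header stripping follow the post; the sample lsof rows are constructed and the function names are mine.

```python
import re
import socket
import subprocess
from datetime import datetime, timezone

# tcpdump prints the source as a.b.c.d.port, either as the 2nd field (older/OpenBSD
# output) or after an "IP" token (newer tcpdump); only a numeric IPv4 source is accepted.
_SRC_RE = re.compile(r'^\S+\s+(?:IP\s+)?(\d{1,3}(?:\.\d{1,3}){3})\.\S+\s+>')

# Constructed lsof output, modelled on the post's, for the self-test below.
SAMPLE_LSOF = """\
COMMAND   PID     USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
sshd    18392 rferrisx    5u  IPv4 0xd699ac80      0t0  TCP rmflaptop:ssh->192.168.0.3:13974 (ESTABLISHED)
sshd    29850     root    5u  IPv4 0xd699ac80      0t0  TCP rmflaptop:ssh->192.168.0.3:13974 (ESTABLISHED)
"""

def foreign_ip(tcpdump_line):
    """Source IPv4 of one tcpdump line; None for IPv6 or a hostname-resolved source."""
    m = _SRC_RE.match(tcpdump_line)
    return m.group(1) if m else None

def utc_stamp(when=None):
    """Same text as `date -u`, e.g. 'Wed May 26 15:22:06 UTC 2010'."""
    when = when or datetime.now(timezone.utc)
    return when.strftime('%a %b %d %H:%M:%S UTC %Y')

def stamp_lsof_rows(lsof_output, stamp):
    """Drop lsof's header (the row holding PID), squeeze whitespace the way the
    post's unquoted echo does, and prefix each remaining row with the stamp."""
    return [f"{stamp} {' '.join(line.split())}"
            for line in lsof_output.splitlines()
            if line.strip() and 'PID' not in line]

def watch(iface='rl0', host=None):
    """Capture one inbound packet (-n keeps it numeric), then list lsof's sockets to its source."""
    host = host or socket.gethostname()
    while True:
        cap = subprocess.run(['tcpdump', '-i', iface, '-c', '1', '-l', '-n',
                              'dst', 'host', host], capture_output=True, text=True)
        if cap.returncode:
            raise SystemExit(cap.stderr.strip())   # e.g. not root, or a bad interface
        ip = foreign_ip(cap.stdout)
        if ip is None:
            continue
        lsof = subprocess.run(['lsof', '-n', '-P', f'-i@{ip}'],
                              capture_output=True, text=True)
        for row in stamp_lsof_rows(lsof.stdout, utc_stamp()):
            print(row, flush=True)
```

Run it as root by calling watch(); interface and host default to rl0 and the local hostname, and its output has the same shape as the stamped log above.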

Wednesday, May 19, 2010

A prototype test harness...but needs lots of work

I have spent too much time here in the last few days working on a test harness for live network files in Vista. As a prototype, what I have written may be useful. However, numerous problems were uncovered. The idea was this: at any moment there is a discoverable set of files that are being accessed by the network. In theory, you should be able to list those files and then query them for their integrity. The heart of this is something like:

:: %dir_file% and %filetype% are set by the enclosing loop; sfc, accesschk and sigcheck run only for regular files
icacls %dir_file% &(
if /I [%filetype% EQU [regular sfc /verifyfile=%dir_file% ) &(
if /I [%filetype% EQU [regular accesschk -qv %dir_file% ) &(
if /I [%filetype% EQU [regular sigcheck -q %dir_file% )


Definitely some useful information is returned, but the project will have to be rewritten in a faster language with better string support. It is interesting to see what information it did return, for example for the file C:\Windows\System32\nsi.dll below.

Running icacls, sfc, accesschk, sigcheck for FileType,FileID,Path: regular 1220: "C:\Windows\System32\nsi.dll "
filetype=regular
C:\Windows\System32\nsi.dll NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files

Windows Resource Protection could not perform the requested operation.
C:\Windows\System32\nsi.dll
Medium Mandatory Level (Default) [No-Write-Up]
RW NT SERVICE\TrustedInstaller
FILE_ALL_ACCESS
R BUILTIN\Administrators
FILE_EXECUTE
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL
R NT AUTHORITY\SYSTEM
FILE_EXECUTE
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL
R BUILTIN\Users
FILE_EXECUTE
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_DATA
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL
c:\windows\system32\nsi.dll:
Verified: Signed
Signing date: 8:08 AM 1/19/2008
Strong Name: Unsigned
Publisher: Microsoft Corporation
Description: NSI User-mode interface DLL
Product: Microsoft® Windows® Operating System
Version: 6.0.6001.18000
File version: 6.0.6001.18000 (longhorn_rtm.080118-1840)

Monday, May 17, 2010

Car hacking....

"Indeed, we have demonstrated the ability to systematically control a wide array of components including engine, brakes, heating and cooling, lights, instrument panel, radio, locks, and so on. Combining these we have been able to mount attacks that represent potentially significant threats to personal safety. For example, we are able to forcibly and completely disengage the brakes while driving, making it difficult for the driver to stop. Conversely, we are able to forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly."

Great Reading! Great Research!

How would you like to pwn your first car?

Friday, May 7, 2010

lsof for Windows substitute

5/10/2010 update to this post (see below)
I've created a couple of Vista cmd files that pump netstat output to tasklist to help substitute for the missing `lsof -Ts` in Linux (see below). The TCP/TCPv6 output logs the time, IP address (foreign endpoint) and application information. The (stateless) UDP/UDPv6 output just logs time and application information (see output below). The value of logging network endpoints and their process information is incalculable in security. Mark Russinovich's procmon (when run with the network filter) does this quite thoroughly. Microsoft's Netmon 3.3 correlates endpoint data packets to most applications. However, I was interested in developing something command line, perhaps not so heavy, using all native Vista commands. The crux of the scripts is:

:: pipe appropriate netstat output to tasklist
for /f "tokens=1-5" %%a in ('@netstat -%netstat_option% -p %connection_type% ^| findstr /V Active ^| findstr /V Proto') do set EP=%%c& set PID=%%e& call :loop
..
::log Endpoint and network process PID
@echo "%timestamp%","%EP%", | findstr /V "ECHO"
@tasklist /FO CSV /V /FI "PID eq %PID%" /NH


With an automated check of network %PID% in place, you can add options to check/log the open files of each network application with the (very slow) 'openfiles' command:
[The 'openfiles' cmd works once global flags are enabled.]

for /f "tokens=1-5" %a in ('openfiles /query /FO TABLE /NH /V') do @if %c==%PID% echo %e >> temp
...
C:\Users\Admin\AppData\Local\Google\Chrome\Application\4.1.249.1064
...
Adding Mark Russinovich's accesschk will show the security permissions on those files:

for /f %i in ('more temp') do @accesschk -qv %i | more
....
C:\Users\Admin\AppData\Local\Google\Chrome\Application\4.1.249.1064\avcodec-52.dll
Medium Mandatory Level (Default) [No-Write-Up]
RW RMFVista\Admin
FILE_ALL_ACCESS
RW NT AUTHORITY\SYSTEM
FILE_ALL_ACCESS
RW BUILTIN\Administrators
FILE_ALL_ACCESS

....
The cmd files can be found here: 

http://www.rmfdevelopment.com/PowerShell_Scripts/ano_TCP.cmd
http://www.rmfdevelopment.com/PowerShell_Scripts/ano_UDP.cmd


5/10/2010 update:
An update which takes any of four arguments (TCP,TCPv6,UDP, UDPv6) and logs to a CSV file output as below can be found at http://www.rmfdevelopment.com/PowerShell_Scripts/ano_all.cmd
ano_all.cmd output for TCP
"05.10.2010_11.35.21.34","LISTENING","0.0.0.0:1029","0.0.0.0:0","services.exe","740","Services","0","9,532"
"05.10.2010_11.35.21.82","LISTENING","0.0.0.0:9000","0.0.0.0:0","System","4","Services","0","21,204"
"05.10.2010_11.35.22.34","LISTENING","192.168.0.3:139","0.0.0.0:0","System","4","Services","0","21,204"
"05.10.2010_11.35.22.84","CLOSE_WAIT","192.168.0.3:1059","174.133.89.198:80","pctsSvc.exe","856","Services","0","195,660"
"05.10.2010_11.35.23.33","ESTABLISHED","192.168.0.3:1072","85.13.200.108:21","ftp.exe","2568","Console","1","6,388"
"05.10.2010_11.35.23.82","ESTABLISHED","192.168.0.3:1080","74.125.155.139:80","chrome.exe","4404","Console","1","62,576"
"05.10.2010_11.35.24.31","ESTABLISHED","192.168.0.3:1082","72.14.213.191:80","chrome.exe","4404","Console","1","62,576"
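The netstat-to-tasklist join as an added Python example (not one of the ano_*.cmd files): it snapshots both outputs once instead of calling tasklist per PID, handles the missing State column of UDP rows, and emits ano_all.cmd-style records. The netstat and tasklist text below is constructed from the layouts shown in this post.

```python
import csv
import io

# Constructed `netstat -ano` sample (Vista layout); the UDP row has no State column.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       740
  TCP    192.168.0.3:1072       85.13.200.108:21       ESTABLISHED     2568
  UDP    0.0.0.0:123            *:*                                    1196
"""

# Constructed sample of `tasklist /FO CSV /V` output, header row included.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"services.exe","740","Services","0","9,532 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:05","N/A"
"ftp.exe","2568","Console","1","6,388 K","Running","RMFVista\\Admin","0:00:01","ftp"
"svchost.exe","1196","Services","0","3,400 K","Unknown","NT AUTHORITY\\LOCAL SERVICE","0:00:01","N/A"
"""

def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) for every connection row."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ('TCP', 'TCPv6', 'UDP', 'UDPv6'):
            continue                      # banner and header lines
        if f[0].startswith('TCP') and len(f) == 5:
            yield f[0], f[1], f[2], f[3], f[4]
        elif f[0].startswith('UDP') and len(f) == 4:
            yield f[0], f[1], f[2], '', f[3]   # stateless: PID is token 4, not 5

def parse_tasklist(text):
    """Map PID -> (image, session name, session#, mem usage without the K)."""
    return {r['PID']: (r['Image Name'], r['Session Name'], r['Session#'],
                       r['Mem Usage'].replace(' K', ''))
            for r in csv.DictReader(io.StringIO(text))}

def endpoint_records(netstat_text, tasklist_text, stamp, proto='TCP'):
    """Join one netstat snapshot to one tasklist snapshot on PID and return
    ano_all.cmd-style records; a PID gone between snapshots is marked <gone>."""
    procs = parse_tasklist(tasklist_text)
    records = []
    for p, local, foreign, state, pid in parse_netstat(netstat_text):
        if p != proto:
            continue
        image, sess, sessno, mem = procs.get(pid, ('<gone>', '', '', ''))
        fields = [stamp, state, local, foreign, image, pid, sess, sessno, mem]
        records.append(','.join(f'"{x}"' for x in fields))
    return records
```

For live use, pass the stdout of `netstat -ano` and `tasklist /FO CSV /V` in place of the samples; the <gone> marker shows up whenever a process exits between the two snapshots, which the per-PID tasklist filter in the cmd file would drop silently.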


ano_TCP.cmd output for TCP
(note: It would be trivial to add the connection state as well. I did in ano_all.cmd as remarked above -RMF)

"05.06.2010_21.30.31.74","174.133.89.198:80",
"pctsSvc.exe","3368","Services","0","24,588 K","Unknown","NT AUTHORITY\SYSTEM","0:15:51","N/A"
"05.06.2010_21.30.32.20","72.14.213.99:80",
"Picasa3.exe","4248","Console","1","128,588 K","Running","RMFVista\Admin","0:02:16","Picasa 3"
"05.06.2010_21.30.32.69","72.14.213.101:80",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"
"05.06.2010_21.30.33.15","74.125.127.191:80",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"
"05.06.2010_21.30.33.60","74.125.127.105:443",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"
"05.06.2010_21.30.34.12","74.125.127.139:80",
"chrome.exe","4232","Console","1","79,432 K","Running","RMFVista\Admin","0:01:49","Network Security - Google Chrome"


ano_UDP.cmd output for UDP

(note: No foreign IP addresses ever show up in Microsoft's netstat for protocol UDP...as far as I can tell.)

"05.06.2010_21.29.42.51","*:*",
"nc.exe","4120","Console","1","572 K","Unknown","RMFVista\Admin","0:00:00","N/A"
"05.06.2010_21.29.44.07","*:*",
"svchost.exe","1196","Services","0","3,400 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:01","N/A"
"05.06.2010_21.29.44.50","*:*",
"svchost.exe","636","Services","0","52,188 K","Unknown","NT AUTHORITY\SYSTEM","0:07:36","N/A"
"05.06.2010_21.29.44.99","*:*",
"svchost.exe","636","Services","0","52,188 K","Unknown","NT AUTHORITY\SYSTEM","0:07:36","N/A"
"05.06.2010_21.29.45.42","*:*",
"svchost.exe","1288","Services","0","17,136 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:03","N/A"
"05.06.2010_21.29.45.87","*:*",
"VCSW.exe","5644","Services","0","3,540 K","Unknown","NT AUTHORITY\SYSTEM","0:00:04","N/A"


lsof (Linux 4.78) sample output
lsof -Ts | grep -i Firefox | grep IPv4
firefox 5756 root 5lu IPv4 22403 TCP 192.168.0.5:40814->nuq04s01-in-f113.le100.net:www (ESTABLISHED)