Developing A Security Suite

Hello readers,

Recently I’ve been working alongside the folks at Cyber Rehab developing new software and new methodologies to combat some of the emerging threats in the Norwegian, European, and U.S. markets. Our work has focused at least in part on creating intelligent botnet prevention techniques that can be implemented at a variety of scales.

Some of the techniques include:

  • Adaptive scripting for port monitoring software
  • Honeypots, and automated calls to action for negligent ISPs
  • Rehabilitation strategies
  • Cloud-based applications for port mirroring
  • Packet recursion for analysis purposes
  • Server software and hardware improvements

Putting together ideas and crafting prototypes is fun and challenging, but testing them will be a lengthy process that requires plenty of time and patience, so in the meanwhile we’ll be doing some related security work.

Scripting your own security suite consists mostly of knowing which tools you need and implementing them case by case. This can be done in Python, C++ or even SQL, and it isn’t as hard as it sounds: if you write bash scripts you can probably figure it out, and if you have scripted your own firewall rules you certainly can.

In bash, a script that just installs the tools can be a simple install list, and scripting a specific function such as port scanning is not much harder. You mostly need the right library plus some if/else (or, in this case, try/except) statements for error handling. Here is a beginner-level example in Python, a TCP connect scan of ports 1 to 1024:

#!/usr/bin/env python3
import socket
import subprocess
import sys
from datetime import datetime

# Clear the screen
subprocess.call('clear', shell=True)

# Ask for input and resolve it; an unresolvable name raises socket.gaierror,
# so the lookup has to sit inside its own try/except to be caught at all
remoteServer = input("Enter a remote host to scan: ")
try:
    remoteServerIP = socket.gethostbyname(remoteServer)
except socket.gaierror:
    print('Hostname could not be resolved. Exiting')
    sys.exit(1)

# Print a nice banner with information on which host we are about to scan
print("-" * 60)
print("Please wait, scanning remote host", remoteServerIP)
print("-" * 60)

# Check what time the scan started
t1 = datetime.now()

# Using the range function to specify ports (here it scans all ports between 1 and 1024).
# connect_ex() returns 0 when the TCP handshake completes and an errno otherwise, so a
# closed port does not raise. The short timeout keeps filtered ports (packets silently
# dropped) from stalling each probe for the kernel's default connect timeout.

# We also put in some error handling for catching errors

try:
    for port in range(1, 1025):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(0.5)
        result = sock.connect_ex((remoteServerIP, port))
        if result == 0:
            print("Port {}:\t Open".format(port))
        sock.close()

except KeyboardInterrupt:
    print("You pressed Ctrl+C")
    sys.exit()

except socket.error:
    print("Couldn't connect to server")
    sys.exit()

# Checking the time again
t2 = datetime.now()

# Calculates the difference of time, to see how long it took to run the script
total = t2 - t1

# Printing the information to screen
print('Scanning Completed in: ', total)
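The scanner above probes one port at a time, so a host that silently drops packets makes every probe wait out its full timeout in sequence. As an added example (not code from the original post or from Cyber Rehab), here is the same connect-scan idea with a per-probe deadline and a thread pool. Nothing is typed in interactively; the `demo()` function stands up a listener on a loopback port it controls (a constructed target, so the example runs offline) and checks that the scanner finds it.

```python
#!/usr/bin/env python3
"""Concurrent TCP connect scanner with per-connection timeouts.

Added example, not code from the original post. Each probe has a short
deadline and the probes run in a thread pool, so filtered ports cost at most
`timeout` seconds each instead of the kernel's default connect timeout.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Return True if a TCP connect to host:port completes within `timeout` seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            # connect_ex() returns 0 on success and an errno otherwise: ECONNREFUSED
            # for a closed port, EWOULDBLOCK when the deadline passes on a filtered one.
            return sock.connect_ex((host, port)) == 0
        except OSError:
            # e.g. the address is unreachable; treat it as not open
            return False


def scan(host, ports, timeout=0.5, workers=64):
    """Scan `ports` on `host` concurrently and return the sorted list of open ports."""
    ip = socket.gethostbyname(host)  # raises socket.gaierror if the name does not resolve
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(ip, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def demo():
    """Scan a small port range around a listener we control on loopback.

    The listener is a constructed target so the example works offline.
    Returns (listener_port, open_ports_found).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free ephemeral port
    srv.listen(5)
    try:
        port = srv.getsockname()[1]
        found = scan("127.0.0.1", range(port - 5, port + 6))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on {port}, open ports found: {found}")
```

A connect scan completes the full TCP handshake, so it shows up in the target's logs; that is fine for auditing your own hosts, which is the use case here, but it is the noisiest way to scan.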

Naturally you’ll all be invited to bring your thoughts and strategies to the table – that is part of the fun.

Running in VirtualBox

One of our tools is this OS developed on SUSE Studio. It serves as a base upon which to build several of these strategies and works as a nice server distro even in VirtualBox with 1 GB of RAM. It has a KDE desktop and many tools built in, but it is far from a completed project, so bear that in mind while testing.

To get more involved with CyberRehab click here. In the subject line mention you heard about it from Brian. If you are doing any kind of scripting or coding you might very well find yourself contributing code sooner rather than later.

One of the Python scripts we might adapt, if we all agree it will benefit the project, is this one taken from BinaryTides. It opens a raw socket, so on Linux it has to run as root (or with CAP_NET_RAW):

#Packet sniffer in python for Linux
#Sniffs only incoming TCP packets
#Opens a raw socket, so it must run as root (or with CAP_NET_RAW)
import socket, sys
from struct import *
#create a raw IPv4 socket; with IPPROTO_TCP the kernel hands us each incoming
#TCP segment with its IP header still attached
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
except OSError as msg:
    print('Socket could not be created. Error Code : ' + str(msg.errno) + ' Message ' + str(msg.strerror))
    sys.exit()
# receive a packet
while True:
    packet = s.recvfrom(65535)
    
    #packet bytes from tuple (the second element is the sender address)
    packet = packet[0]
    
    #take the first 20 bytes for the fixed part of the IP header
    ip_header = packet[0:20]
    
    #now unpack them :)
    iph = unpack('!BBHHHBBH4s4s' , ip_header)
    
    version_ihl = iph[0]
    version = version_ihl >> 4
    ihl = version_ihl & 0xF
    
    #IHL is in 32-bit words; 5 means a 20-byte header with no IP options
    iph_length = ihl * 4
    
    ttl = iph[5]
    protocol = iph[6]
    s_addr = socket.inet_ntoa(iph[8])
    d_addr = socket.inet_ntoa(iph[9])
    
    print('Version : ' + str(version) + ' IP Header Length : ' + str(ihl) + ' TTL : ' + str(ttl) + ' Protocol : ' + str(protocol) + ' Source Address : ' + str(s_addr) + ' Destination Address : ' + str(d_addr))
    
    #the TCP header starts right after the IP header (IP options included)
    tcp_header = packet[iph_length:iph_length+20]
    
    #now unpack them :)
    tcph = unpack('!HHLLBBHHH' , tcp_header)
    
    source_port = tcph[0]
    dest_port = tcph[1]
    sequence = tcph[2]
    acknowledgement = tcph[3]
    doff_reserved = tcph[4]
    #data offset is the upper nibble, again in 32-bit words
    tcph_length = doff_reserved >> 4
    
    print('Source Port : ' + str(source_port) + ' Dest Port : ' + str(dest_port) + ' Sequence Number : ' + str(sequence) + ' Acknowledgement : ' + str(acknowledgement) + ' TCP header length : ' + str(tcph_length))
    
    h_size = iph_length + tcph_length * 4
    data_size = len(packet) - h_size
    
    #get data from the packet (bytes, so print repr() to show binary payloads safely)
    data = packet[h_size:]
    
    print('Data : ' + repr(data))
    print()

While we won’t use this one itself, something quite similar will probably be implemented soon. If getting involved excites you but you don’t know how to code, perhaps visit SoloLearn.com; if you complete a few courses there we can certainly get you involved.
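The sniffer above unpacks the headers in a loop that trusts the length fields and has no testable pieces, since everything happens on a raw socket. As an added example (not from BinaryTides or the original post), here is the same IPv4/TCP header parsing written as a function over bytes: it validates IHL and the TCP data offset, skips IP and TCP options instead of misreading them as payload, decodes the flag bits, and uses the IP total length to trim trailing bytes. The sample packet is constructed inline (checksums left at zero, addresses from the documentation range), so it runs without root; feeding it `packet[0]` from `s.recvfrom()` makes it live.

```python
#!/usr/bin/env python3
"""Defensive IPv4/TCP header parser.

Added example, not code from BinaryTides or the original post. Works on raw
bytes so it can be fed from a raw socket, a pcap, or the constructed sample.
"""
import socket
import struct

IPV4_FIXED = 20          # bytes in an IPv4 header without options
TCP_FIXED = 20           # bytes in a TCP header without options
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")  # bit 0 .. bit 7


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return header fields and payload, or raise ValueError on a malformed packet."""
    if len(packet) < IPV4_FIXED:
        raise ValueError("truncated: shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:IPV4_FIXED])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    ip_hlen = ihl * 4
    # IHL counts 32-bit words and must cover the fixed 20 bytes; anything
    # larger is IP options, which must be skipped before reading TCP.
    if ip_hlen < IPV4_FIXED or len(packet) < ip_hlen:
        raise ValueError(f"bad IHL {ihl}")
    if proto != socket.IPPROTO_TCP:
        raise ValueError(f"not TCP (protocol={proto})")
    if len(packet) < ip_hlen + TCP_FIXED:
        raise ValueError("truncated: shorter than IP header + minimal TCP header")
    (sport, dport, seq, ack, doff_res, flags, window, _tcsum,
     _urg) = struct.unpack("!HHLLBBHHH", packet[ip_hlen:ip_hlen + TCP_FIXED])
    tcp_hlen = (doff_res >> 4) * 4
    if tcp_hlen < TCP_FIXED or len(packet) < ip_hlen + tcp_hlen:
        raise ValueError(f"bad TCP data offset {doff_res >> 4}")
    # A raw socket may hand back bytes past the datagram; trim to total_len
    # when it is consistent, otherwise ignore it as bogus.
    end = min(len(packet), total_len) if total_len >= ip_hlen + tcp_hlen else len(packet)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "ip_header_len": ip_hlen, "ip_options": packet[IPV4_FIXED:ip_hlen],
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "tcp_header_len": tcp_hlen,
        "tcp_options": packet[ip_hlen + TCP_FIXED:ip_hlen + tcp_hlen],
        "payload": packet[ip_hlen + tcp_hlen:end],
    }


def build_sample(payload=b"GET / HTTP/1.0\r\n\r\n", ip_options=b"", tcp_options=b""):
    """Constructed IPv4/TCP packet for the demo (checksums zero; not for sending).

    Options must be padded to a multiple of 4 bytes, as on the wire.
    """
    ip_hlen = IPV4_FIXED + len(ip_options)
    tcp_hlen = TCP_FIXED + len(tcp_options)
    tcp = struct.pack("!HHLLBBHHH", 40123, 80, 0x1000, 0x2000,
                      (tcp_hlen // 4) << 4, 0x18, 65535, 0, 0)      # 0x18 = PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (ip_hlen // 4), 0,
                     ip_hlen + tcp_hlen + len(payload), 0xBEEF, 0x4000, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.80"))
    return ip + ip_options + tcp + tcp_options + payload


if __name__ == "__main__":
    info = parse_ipv4_tcp(build_sample(ip_options=b"\x01" * 4, tcp_options=b"\x02\x04\x05\xb4"))
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} "
          f"{'|'.join(info['flags'])} payload={info['payload']!r}")
```

The length checks matter on a raw socket: a crafted IHL of 0 or a data offset smaller than 5 would make the page's slicing arithmetic read the wrong bytes, and a short capture would raise a `struct.error` mid-loop instead of a clear message.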

Let us know in the comments what you think!
