I'm thinking about writing an anti-keylogger/anti RAT application. Basically, what I want it to do is this:
Monitor outgoing ftp traffic (maybe monitor all outgoing traffic and have an option to filter by ftp)
Analyze headers to find potential keyloggers/RATs
Sniff out the FTP address for any such connections
Block (or give user the option to block) connections to these addresses
I think I can handle steps 1-3, and I know I could block all FTP traffic, but how could I go about blocking specific addresses?
On a side note, can anyone suggest some libraries that might make steps 1-3 easier? Or libaries that'll do step 4, if they exist. I don't mind writing code to target multiple OS.
Snort allows you to monitor incoming/outgoing traffic and works based on a set of rules specified in a file. Once you've detected traffic going out that has a certain IP/port/body using snort, use SnortSAM in conjunction with a firewall to block traffic to that IP/port.
Related
I've literally searched the internet for the last 5 hours and I have tried every suggestion out there and I'm starting to wonder if what I want to do is simply not possible....
Most webservers only allow X simultaneous connections for uploading/downloading. I simply want to upload my many files faster, by connecting/uploading through various proxies. However, no program I can find has anything for automatic proxy configuration, and only for a specific proxy IP. I have an account with a proxy service that gives you a different IP address for every request/connection made through it. I can connect to this fine from any FTP program but it appears that the servers are confused when they see different IP's connecting, and there's no way to manually whitelist/authenticate them on the server side, so it simply closes all connections. I even have a list of IP addresses with port/user/pass that I am willing to use, but I can't figure out how to do anything other than use a specific proxy to upload/download from servers.... Is this even possible????
ANY HELP/INPUT IS GREATLY APPRECIATED!!
I discovered almost accidentally that my machine was sending and receiving UDP packets to a machine in Poland. Not that I have any problem with Poland, I just don't know why my laptop has the need to communicate with a server there. Reverse DNS shows just the ISP providing the address to some end user. Using Wireshark, I can monitor the messages, which were indecipherable as they were probably encrypted. All packets sent from my machine had the same source port, so clearly the application that sent them opened this UDP socket to use it. I am searching for ways to:
1) enumerate all current sockets open in the system, including the process that created it and, for both TCP and UDP, what ports and addresses they are current bound to.
2) because applications can open these sockets, use them, and close them right away, I would love to find (or perhaps even write) a program that once started would somehow get notification each time a socket gets created, or really more importantly when bound to a source and/or destination address and port. For UDP, I would love to also be able to monitor/keep track of the destination IP addresses and ports that socket has sent messages to.
I don't want to monitor the traffic itself, I have Wireshark if I want to view the traffic. I want to be able to then cross reference to discover what application is generating the packets. I want to know if it is from a process I trust, or if it is something I need to investigate further.
Does anybody know of any applications (for the Windows platform) that can do this? If not, any ideas about a .NET or Windows API that provides this capability, should I want to write it myself?
Edit:
After further research - looks like the APIs to use are GetExtendedUdpTable and GetExtendedTcpTable, CodeProject.com has some samples wrapping these in .NET (see http://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G). So a combination of this API and some sniffer code would be needed to monitor and keep track of what hosts at what ports using what protocol any particular application on your machine is talking to. If I ever get some free time, I'll consider creating this, if you know of an app that does all this, please let me know.
Try SysInternals TCPView. Despite its name, it handles UDP as well.
netstat -b to enumerate all ports along with the process names.
You can try using SysInternals' Process MOnitor (ProcMon.exe or ProcMon64.exe).
It allows for filtering of Processes by "UDP Send" Operation - and provides detailed UDP Connection data, including source and destination addresses(IP) and ports etc.
I have a router running Linux that acts as the central gateway to the Internet for a network of embedded devices that use IPv6 to communicate. I would like to intercept, inspect, and rewrite every packet that goes in and out from the Internet to this subnetwork. The reason I need to do this is that I want to create a transparent (to both ends) proxy service that will redirect packets, ingoing and outgoing, to a cache that lives elsewhere depending on the packet content.
These devices communicate using their own application protocol that runs over UDP so I can't re-use something like Squid straight out of the box. Is the best place to start somewhere like libpcap? Or should I start from the top and rewrite Squid? This is the first time I've had to really dive deep into networking, and I'm unsure where to begin.
You are probably better off rewriting the DNS responses to point to your Linux gateway instead. Something similar to this has been done to allow IPv6 only nodes to talk to the IPv4 internet. You can inspire yourself from that.
See for ideas for your Linux gateway box
http://www.ietf.org/id/draft-ietf-behave-v6v4-xlate-stateful-08.txt
and ideas for your DNS box
http://www.ietf.org/id/draft-ietf-behave-dns64-06.txt
I am trying to simulate a scenario where connection to the server of one process is down while the connection to another server is up. Just pulling the network cable won't work in my case since I need another process connection to stay up.
Is there any tool for this kind of job? I am on Windows. Thanks!
There's a few layers which you can simulate this at. The easiest would be if your two servers listen on two distinct TCP ports. In that case, you could run two tcp proxies, and stop/pause one when you want to simulate a failure. For Windows I would suggest using tcpTrace to do this.
Another option would be to have the two servers bound to two virtual NICs, which are bridged to the physical NIC. Of course if you have two physical NICs, you could bind each server process to a different physical NIC.
At a lower level, you can ran a WAN simulator. Most simulators allow you to impair specific types of traffic or specific ports. One such simulator is Packetstorm.
One other method which I would suggest is attaching a debugger to one process, and halting all threads on the process with the debugger. Often, a process doesn't die, but gets stuck in garbage collection, or in a loop. As the sockets don't close, many 'high availability' solutions won't automatically failover.
One approach would be to mock the relevant network connection code for the purposes of testing. In this case you would probably want to mock it returning whatever it usually would if the connection was down.
A poor man's approach if you can use sleep/hibernate mode on your machine :
Set an Outbound rule in the Windows Firewall to disallow connection for a particular Program.
Already connected sockets stay connected: put the machine in sleep/hibernate mode for a brief moment to force those sockets to disconnect.
When the system is restored, the program cannot establish new connections.
New connections are made possible as soon as you disable the firewall rule.
Note that it does not simulate network outage because each connection fails immediately with an permission error. But it prevents a process to establish connections.
alt text http://img440.imageshack.us/img440/6950/problemyd1.png
(The curly lines with dots represent a network route.)
Having a process called "foo.exe", is there a way to forward everything it communicates over TCP/IP to a forwarding proxy located elsewhere? This forwarding should not reflect to other processes.
Another question: if there are multiple network adapters, is it possible to force a process to use one specific adapter.
Since in this example the targethost.com is known, I could just edit "system32\drivers\etc\hosts" to map targethost.com's IP to localhost, where on port 8765 would be the first forwarder waiting for an incoming connection and pass everything forward to proxy.foo.com. I was wondering if there's a more elegant way of doing this.
This is not for malware, I'm doing some network testing with my complex home network. Thank you for warning us.
Some free software for this would be perfect, alternatively a code idea (native or .net). Thank you very much.
It's not too hard if you make your own computer a firewall, then your app connects to a port on your own computer, and that port is forwarded to both the original destination and logged or forwarded on to your spying computer.
Alternatively you can make your other computer the firwall and have it log/forward the info.
Finally you could use a sniffer.
SocksCap will probably do the job (if you're OK with establishing a SOCKS proxy at proxy.foo.com).
You could hook into the TCP stack, for example, by using the Windows Filtering Platform or its predecessors, or you could substitute the network libraries/calls of that particular process.