ACTIVE DEFENSE
Active Defense is a topic that has captured lots
of attention in the info security industry lots has been said about it being
the offensive way of hacking, Hacking Back and counter attack measure oh is
legal anyway?
Active defense being legal or legal i have no
lots to say but active defense has no gotten any resistance from governments
and low enforcement officers reason being that laws are too slow to catch up
with the speed of technology.
Active defense first of all is a way of monitoring
networks by putting together systems to act as honey pots and capture
information about the the enemy trying to put you down. Many tools have emerged
to be used in active defense from mere applications to dependent virtual
machines to help you monitor the attacker and his deeds.
Some of the tools that have emerged are
NOVA
Nova which can be downloaded from https://github.com/DataSoft/Nova Nova is an easy to
use honeypot configuration, deployment, and monitoring
network security tool for preventing and
detecting potentially hostile network
reconnaissance (including port scanning, machine fingerprinting, and service
probing). As this is often the first things hackers will do once they've
gained a foothold into a network, Nova can act as an Intrusion Detection
System (IDS) by alerting when a machine has been compromised and is attempting
to scan the network. Even if a machine hasn't been compromised, Nova can help
protect against Inside Threats from unauthorized employees attempting to probe
the network infrastructure.
reconnaissance (including port scanning, machine fingerprinting, and service
probing). As this is often the first things hackers will do once they've
gained a foothold into a network, Nova can act as an Intrusion Detection
System (IDS) by alerting when a machine has been compromised and is attempting
to scan the network. Even if a machine hasn't been compromised, Nova can help
protect against Inside Threats from unauthorized employees attempting to probe
the network infrastructure.
HOW NOVA WORKS
- The Quasar web interface of Nova provides easy
access to configuration and
monitoring of the system from your standard web browser. From there, you can
configure the Haystack: a large set of lightweight honeypots (powered by
Honeyd). These honeypots can be configured to match the operating systems and
services that are already on your network, making it difficult for attackers
to distinguish them from real machines; these honeypots will appear just like
real machines when scanned with standard network reconnaissance tools such as
Nmap or Nessus. Nova also includes the ability to create a haystack
configuration automatically by scanning your network and configuring the
honeypot operating systems and services to match as close as possible.
- Once the honeypots are running, Nova alerts the users about potentially
hostile activity by email, rsyslog, or the web interface. The detection of
this activity is accomplished via one of several methods.
- First, Nova uses machine learning algorithms to attempt to match patterns of
hostile network traffic based on statistics gathered about packet sizes,
distributions, and TCP flag ratios.
- Second, Nova will trigger an alert if one of the statistical features
gathered surpasses a certain threshold. The most common setting for this is
to trigger and alert if an IP address contacts more than a certain number of
honeypots or ports on a single honeypot.
- Thirdly, the services running on the honeypots have the ability to monitor
for login attempts and trigger alerts. For instance, if someone attempts to
log into a honeypot's telnet or FTP service, this can be assumed to be
hostile, because the honeypot serves no actual users and any attempts to
utilize or probe its services are likely for the sake of reconnaissance or
attack.
- Nova provides information gathered on the honeypots in a number of charts,
graphs, and tables, which give security analysts and systems administrators
the needed data to dive into alerts and determine if there is a threat on the
network.
A security ninja & penetration tester develop Another amazing tool for Linux Protection, Named "Artillery". This Article is written by Dave for our January Issue of The Hacker News Magazine, We like to share with our website Readers also:
I’ve traditionally been on the offensive side of security through my career. With tools that I’ve developed like Fast-Track and The Social-Engineer Toolkit (SET), it’s primarily focused on the attack front. Awhile back I had an idea of creating a more defensive tool around both Windows and *nix systems and keep things open-source as usual. I started Artillery about three months ago with the intent of developing an open-source project that does a bit of everything.
monitoring of the system from your standard web browser. From there, you can
configure the Haystack: a large set of lightweight honeypots (powered by
Honeyd). These honeypots can be configured to match the operating systems and
services that are already on your network, making it difficult for attackers
to distinguish them from real machines; these honeypots will appear just like
real machines when scanned with standard network reconnaissance tools such as
Nmap or Nessus. Nova also includes the ability to create a haystack
configuration automatically by scanning your network and configuring the
honeypot operating systems and services to match as close as possible.
- Once the honeypots are running, Nova alerts the users about potentially
hostile activity by email, rsyslog, or the web interface. The detection of
this activity is accomplished via one of several methods.
- First, Nova uses machine learning algorithms to attempt to match patterns of
hostile network traffic based on statistics gathered about packet sizes,
distributions, and TCP flag ratios.
- Second, Nova will trigger an alert if one of the statistical features
gathered surpasses a certain threshold. The most common setting for this is
to trigger and alert if an IP address contacts more than a certain number of
honeypots or ports on a single honeypot.
- Thirdly, the services running on the honeypots have the ability to monitor
for login attempts and trigger alerts. For instance, if someone attempts to
log into a honeypot's telnet or FTP service, this can be assumed to be
hostile, because the honeypot serves no actual users and any attempts to
utilize or probe its services are likely for the sake of reconnaissance or
attack.
- Nova provides information gathered on the honeypots in a number of charts,
graphs, and tables, which give security analysts and systems administrators
the needed data to dive into alerts and determine if there is a threat on the
network.
A security ninja & penetration tester develop Another amazing tool for Linux Protection, Named "Artillery". This Article is written by Dave for our January Issue of The Hacker News Magazine, We like to share with our website Readers also:
I’ve traditionally been on the offensive side of security through my career. With tools that I’ve developed like Fast-Track and The Social-Engineer Toolkit (SET), it’s primarily focused on the attack front. Awhile back I had an idea of creating a more defensive tool around both Windows and *nix systems and keep things open-source as usual. I started Artillery about three months ago with the intent of developing an open-source project that does a bit of everything.
ARTILLERYhe name “Artillery” spawns from one of my favorite techno
bands Infected Mushroom and enhances the overall security of whatever touches
it. Artillery supports both Linux and Windows and is a purely open-source/free
toolset. The concept is relatively simple; combine multiple avenues to harden
an overall platform. Artillery has multiple modules, the first is the active
honeypot technique which sets up a number of ports (configurable) on the given
server. If a stable TCP connection is established with the remote port, the
opposing IP address is blocked. The second portion is the file-integrity
monitoring which monitors configured directories to see if changes occurred
(similar to OSSEC HIDS). The last portion monitors certain files for
configuration flaws, for example default SSH ports, insecure PHP configurations
and other aspects.
Installing Artillery
Artillery is programmed purely in python and has native support for Linux and Windows. Thus far, there are no external dependencies required. Some features are not fully functional within the Windows platform however Artillery is still in alpha mode. In order to install Artillery, simply run python install.py install. This will install a service within /etc/init.d/. On Windows, it’s the same install however need to manually start Artillery. A service that runs each time is in development and should be finished shortly.
Active Honeypot
Once Artillery is launched, you can configure the ports in the Artillery config file. You can add as many ports as you want. Artillery comes with a select set of default (and commonly attacked) ports on which it listens on. Doing a simple netstat –antp | grep LISTEN shows the ports actively running:
root@bt:~/Desktop/artillery# netstat -antp | grep LISTEN
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:5800 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 20319/python
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN 916/sendmail: MTA:
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 20319/python
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1225/cupsd
tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:1433 0.0.0.0:* LISTEN 20319/python
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 916/sendmail: MTA:
tcp 0 0 0.0.0.0:44443 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 20319/python
tcp6 0 0 ::1:631 :::* LISTEN 1225/cupsd
root@bt:~/Desktop/artillery#
Anything labeled with python would be Artillery running. When an attacker attempts to connect to the port, a random set of data is sent back to the attacker (to make it look like a funky protocol) and then the connection is terminated and the attacker banned.
attacker-macine:~ relik$ nc 192.168.235.129 135
s??m|??Йӕ??5????????VK@)?+?7?[V
s*?D???6????>,??b&?.?x??Ջ?0㶖?w???Bo??]+?7p?qxZ???G?k?>?#?Sv???Y??b???S?IU5?
Looking back at the Artillery machine, you can now see the system is blocked and can no longer connect with the machine:
root@bt:~/Desktop/artillery# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ARTILLERY all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ARTILLERY (1 references)
target prot opt source destination
DROP all -- 192.168.235.1 anywhere
Configuration Changes
Artillery can detect changes in files on the operating system and specific directories that are defined in the config. In order to edit the config, head over to the default install path over at /var/artillery. Edit the config, and there are options you can configure for monitoring:
# DETERMINE IF YOU WANT TO MONITOR OR NOT
MONITOR=NO
#
# THESE ARE THE FOLDERS TO MONITOR, TO ADD MORE, JUST DO "/root","/var/", etc.
MONITOR_FOLDERS="/var/www","/etc/"
#
# BASED ON SECONDS, 2 = 2 seconds.
MONITOR_FREQUENCY=60
#
# EXCLUSE CERTAIN DIRECTORIES OR FILES. USE FOR EXAMPLE: /etc/passwd,/etc/hosts.allow
EXCLUDE=
You can exclude directories or files that often change and don’t want to monitor. You can also include different directories. By default, Artillery will monitor /var/www and /etc/ for major configuration changes. The monitor_frequency is also set to a default every 60 minutes. The way SET performs the configuration changes is it generates hash values using SHA-512 and stores them in a local database. If changes occur to the filesystem, the signatures mismatch and trigger an alert. If active notifications are sent, an email will be delivered to the individual, otherwise it will store it locally on a local log.
Features
Artillery is still heavily under development. Currently, it supports being able to send GMAIL alerts to whomever when an IP address is blocked, configurations have changed, SSH brute force attacks, or insecure configurations have been detected. There is also anti-dos protection built into Artillery by limited the amount of active connections per IP as well as alert on specific DOS attacks. Artillery is still a work in progress and still in an early alpha release. The overall goal with Artillery was to develop an open-source platform that combined active responses, lead in attackers with false data, and ultimately monitor the overall health of the system.
Things to come
Artillery is a side project I started along with the Social-Engineer Toolkit. It’s a work in progress and a number of features are already in development. A few of these are a full-fledged windows service for monitoring/starting Artillery for Windows based systems. The ability to use other email providers or your own email server versus only being able to use GMAIL. Move off diff and use the native python difflib libraries for doing the file comparisons. Add more integrity checks into Linux and Windows based systems looking for insecure configurations.
Download Artillery 0.3 Alpha
Artillery is programmed purely in python and has native support for Linux and Windows. Thus far, there are no external dependencies required. Some features are not fully functional within the Windows platform however Artillery is still in alpha mode. In order to install Artillery, simply run python install.py install. This will install a service within /etc/init.d/. On Windows, it’s the same install however need to manually start Artillery. A service that runs each time is in development and should be finished shortly.
Active Honeypot
Once Artillery is launched, you can configure the ports in the Artillery config file. You can add as many ports as you want. Artillery comes with a select set of default (and commonly attacked) ports on which it listens on. Doing a simple netstat –antp | grep LISTEN shows the ports actively running:
root@bt:~/Desktop/artillery# netstat -antp | grep LISTEN
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:5800 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 20319/python
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN 916/sendmail: MTA:
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 20319/python
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1225/cupsd
tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:1433 0.0.0.0:* LISTEN 20319/python
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 916/sendmail: MTA:
tcp 0 0 0.0.0.0:44443 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 20319/python
tcp6 0 0 ::1:631 :::* LISTEN 1225/cupsd
root@bt:~/Desktop/artillery#
Anything labeled with python would be Artillery running. When an attacker attempts to connect to the port, a random set of data is sent back to the attacker (to make it look like a funky protocol) and then the connection is terminated and the attacker banned.
attacker-macine:~ relik$ nc 192.168.235.129 135
s??m|??Йӕ??5????????VK@)?+?7?[V
s*?D???6????>,??b&?.?x??Ջ?0㶖?w???Bo??]+?7p?qxZ???G?k?>?#?Sv???Y??b???S?IU5?
Looking back at the Artillery machine, you can now see the system is blocked and can no longer connect with the machine:
root@bt:~/Desktop/artillery# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ARTILLERY all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ARTILLERY (1 references)
target prot opt source destination
DROP all -- 192.168.235.1 anywhere
Configuration Changes
Artillery can detect changes in files on the operating system and specific directories that are defined in the config. In order to edit the config, head over to the default install path over at /var/artillery. Edit the config, and there are options you can configure for monitoring:
# DETERMINE IF YOU WANT TO MONITOR OR NOT
MONITOR=NO
#
# THESE ARE THE FOLDERS TO MONITOR, TO ADD MORE, JUST DO "/root","/var/", etc.
MONITOR_FOLDERS="/var/www","/etc/"
#
# BASED ON SECONDS, 2 = 2 seconds.
MONITOR_FREQUENCY=60
#
# EXCLUSE CERTAIN DIRECTORIES OR FILES. USE FOR EXAMPLE: /etc/passwd,/etc/hosts.allow
EXCLUDE=
You can exclude directories or files that often change and don’t want to monitor. You can also include different directories. By default, Artillery will monitor /var/www and /etc/ for major configuration changes. The monitor_frequency is also set to a default every 60 minutes. The way SET performs the configuration changes is it generates hash values using SHA-512 and stores them in a local database. If changes occur to the filesystem, the signatures mismatch and trigger an alert. If active notifications are sent, an email will be delivered to the individual, otherwise it will store it locally on a local log.
Features
Artillery is still heavily under development. Currently, it supports being able to send GMAIL alerts to whomever when an IP address is blocked, configurations have changed, SSH brute force attacks, or insecure configurations have been detected. There is also anti-dos protection built into Artillery by limited the amount of active connections per IP as well as alert on specific DOS attacks. Artillery is still a work in progress and still in an early alpha release. The overall goal with Artillery was to develop an open-source platform that combined active responses, lead in attackers with false data, and ultimately monitor the overall health of the system.
Things to come
Artillery is a side project I started along with the Social-Engineer Toolkit. It’s a work in progress and a number of features are already in development. A few of these are a full-fledged windows service for monitoring/starting Artillery for Windows based systems. The ability to use other email providers or your own email server versus only being able to use GMAIL. Move off diff and use the native python difflib libraries for doing the file comparisons. Add more integrity checks into Linux and Windows based systems looking for insecure configurations.
Download Artillery 0.3 Alpha
You can get more tools by clicking just on the link below the
tools are too many making your active deffense more interesting.thank you.
by benjamin Ngobi email:
shamirtho@gmail.comhttp://sourceforge.net/p/adhd/wiki/browse_pages/