Tuesday, April 19, 2011

IDSwakeup - attack and false-positive simulator for testing an IDS

Author: Mauro Risonho de Paula Assumpção a.k.a. firebits
Date: 06/08/2008


Fine, you have already configured your favourite IDS, but how do you know it is actually working? For that we will use IDSWAKEUP, a generator of attacks and false positives.

Step 1:

# apt-get install idswakeup

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- IDSwakeup : false positive generator -
- Stephane Aubert -
- Hervé Schauer Consultants (c) 2000 -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Usage:
/usr/sbin/idswakeup [nb] [ttl]

To use it, run the command:

Step 2:

# idswakeup

Step 3:

The process starts and prints information like this:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- IDSwakeup : false positive generator -
- Stephane Aubert -
- Hervé Schauer Consultants (c) 2000 -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

src_addr:10.68.40.92 dst_addr:10.68.40.77 nb:1 ttl:1

sending : teardrop ...
sending : land ...
sending : get_phf ...
sending : bind_version ...
sending : get_phf_syn_ack_get ...
sending : ping_of_death ...
sending : syndrop ...
sending : newtear ...
sending : X11 ...
sending : SMBnegprot ...
sending : smtp_expn_root ...
sending : finger_redirect ...
sending : ftp_cwd_root ...
sending : ftp_port ...
sending : trin00_pong ...
sending : back_orifice ...
sending : msadcs ...
10.68.40.92 -> 10.68.40.77 80/tcp GET /msadc/msadcs.dll HTTP/1.0
sending : www_frag ...
10.68.40.92 -> 10.68.40.77 80/fragmented-tcp GET /................. .................. HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/fragmented-tcp GET /AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/../cgi- bin/phf HTTP/1.0
sending : www_bestof ...
10.68.40.92 -> 10.68.40.77 80/tcp GET / HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET //////// HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp HEAD / HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp HEAD/./
10.68.40.92 -> 10.68.40.77 80/tcp /cgi-bin\\handler
10.68.40.92 -> 10.68.40.77 80/tcp /cgi-bin\\webdist.cgi
10.68.40.92 -> 10.68.40.77 80/tcp /mlog.phtml
10.68.40.92 -> 10.68.40.77 80/tcp /mylog.phtml
10.68.40.92 -> 10.68.40.77 80/tcp /cfide\\administrator\\startstop.html
10.68.40.92 -> 10.68.40.77 80/tcp /cfappman\\index.cfm
10.68.40.92 -> 10.68.40.77 80/tcp /mall_log_files\\order.log
10.68.40.92 -> 10.68.40.77 80/tcp /admin_files\\order.log
10.68.40.92 -> 10.68.40.77 80/tcp /cgi-bin\\wrap
10.68.40.92 -> 10.68.40.77 80/tcp GET /cgi-bin/ph%66 HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET /sahsc.lnk HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET /sahsc.bat HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET /sahsc.url HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET /sahsc.ida HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET /default.asp::$DATA HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET / HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp PUT /scripts/cmd.exe HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET /scripts/cmd.exe HTTP/1.0
^A 10.68.40.92 -> 10.68.40.77 80/tcp BAD /scripts/cmd.exe HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET /_vti_pvt/administrators.pwd HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET /cgi-bin/handler HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET /../../../../../../etc/passwd HTTP/1.0

-=- Bye ! - sa/hsc -=-

Check your IDS log and look at the attacks.
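Checking the IDS log by eye is error-prone with this many probes. The script below is an added example, not code from this post or from the IDSwakeup project: it parses the kind of output shown above into a checklist of probe names and request payloads, then compares that checklist with one-line IDS alerts for the same source/destination pair and reports which probes produced no alert. The alert-line format, the `PROBE_KEYWORDS` table and the sample alert lines are assumptions constructed for this example; the sample idswakeup output is a subset of the lines shown above.

```python
"""Coverage check for an IDSwakeup run (added example, not part of the post).

Turns the text idswakeup prints into a checklist of probes and the request
payloads it sent, then compares that checklist with IDS alert lines for the
same source/destination pair. A probe without an alert is a detection gap
(or a probe the IDS deliberately ignores). The alert-line format and the
probe-to-keyword table are assumptions; adapt them to the IDS under test.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ADDR_RE = re.compile(r"src_addr:(\S+) dst_addr:(\S+)")
SENDING_RE = re.compile(r"^sending\s*:\s*(\S+)\s*\.\.\.")
# Request lines: "<src> -> <dst> <port>/<proto> <payload>"; a stray "^A"
# (a control character echoed by the terminal) may precede the address.
REQUEST_RE = re.compile(
    r"^(?:\^A\s*)?(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}) "
    r"(?P<port>\d+)/(?P<proto>[\w-]+)\s*(?P<payload>.*)$"
)
# Assumed one-line alert format: "<timestamp> <src> -> <dst> <message>".
ALERT_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<msg>.+)$")

# Assumed mapping from idswakeup probe name to substrings expected in the
# alert message. Tune it to the signature names of the IDS you are testing.
PROBE_KEYWORDS = {
    "teardrop": ["teardrop"],
    "land": ["land attack"],
    "ping_of_death": ["ping of death"],
    "back_orifice": ["back orifice"],
    "msadcs": ["msadcs"],
    "www_frag": ["phf"],
    "www_bestof": ["cmd.exe", "etc/passwd", "administrators.pwd"],
}


@dataclass
class WakeupRun:
    src: str = ""
    dst: str = ""
    probes: list[str] = field(default_factory=list)               # send order
    requests: dict[str, list[str]] = field(default_factory=dict)  # probe -> payloads


def _logical_lines(text: str):
    """Re-join request lines that idswakeup wrapped with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def parse_idswakeup_output(text: str) -> WakeupRun:
    """Build the checklist: tested address pair, probe order, payloads per probe."""
    run = WakeupRun()
    current = None
    for line in _logical_lines(text):
        if m := ADDR_RE.search(line):
            run.src, run.dst = m.group(1), m.group(2)
        elif m := SENDING_RE.match(line):
            current = m.group(1)
            run.probes.append(current)
            run.requests.setdefault(current, [])
        elif (m := REQUEST_RE.match(line)) and current is not None:
            run.requests[current].append(f"{m['port']}/{m['proto']} {m['payload']}")
    return run


def coverage(run: WakeupRun, alert_lines, keywords=PROBE_KEYWORDS) -> dict[str, list[str]]:
    """Classify each probe as detected, missed, or lacking a keyword rule."""
    msgs = []
    for line in alert_lines:
        m = ALERT_RE.match(line.strip())
        # Only alerts for the tested pair count; noise from other hosts must not hide gaps.
        if m and m["src"] == run.src and m["dst"] == run.dst:
            msgs.append(m["msg"].lower())
    report: dict[str, list[str]] = {"detected": [], "missed": [], "no_keyword_rule": []}
    for probe in run.probes:
        kws = keywords.get(probe)
        if kws is None:
            report["no_keyword_rule"].append(probe)
        elif any(k in msg for msg in msgs for k in kws):
            report["detected"].append(probe)
        else:
            report["missed"].append(probe)
    return report


# Constructed sample: a subset of the lines idswakeup printed in the post above.
SAMPLE_OUTPUT = """\
src_addr:10.68.40.92 dst_addr:10.68.40.77 nb:1 ttl:1

sending : teardrop ...
sending : land ...
sending : ping_of_death ...
sending : syndrop ...
sending : back_orifice ...
sending : msadcs ...
10.68.40.92 -> 10.68.40.77 80/tcp GET /msadc/msadcs.dll HTTP/1.0
sending : www_frag ...
10.68.40.92 -> 10.68.40.77 80/fragmented-tcp GET /AAAA\\
AAAA/../cgi-bin/phf HTTP/1.0
sending : www_bestof ...
10.68.40.92 -> 10.68.40.77 80/tcp GET / HTTP/1.0
10.68.40.92 -> 10.68.40.77 80/tcp GET /../../../../../../etc/passwd HTTP/1.0
"""

# Constructed sample alerts in the assumed format. The Ping of Death alert
# comes from a different source host, so it must not count as coverage.
SAMPLE_ALERTS = """\
2011-04-19T10:00:01 10.68.40.92 -> 10.68.40.77 DOS Teardrop attack
2011-04-19T10:00:01 10.68.40.92 -> 10.68.40.77 DOS Land attack
2011-04-19T10:00:02 10.68.40.92 -> 10.68.40.77 WEB msadcs.dll access
2011-04-19T10:00:03 10.68.40.92 -> 10.68.40.77 WEB /etc/passwd traversal
2011-04-19T10:00:03 10.10.10.5 -> 10.68.40.77 ICMP Ping of Death
""".splitlines()

if __name__ == "__main__":
    run = parse_idswakeup_output(SAMPLE_OUTPUT)
    print(f"run {run.src} -> {run.dst}: {len(run.probes)} probes")
    for key, probes in coverage(run, SAMPLE_ALERTS).items():
        print(f"{key:16}: {', '.join(probes) or '-'}")
```

Feed it the real output by redirecting `idswakeup` to a file and reading that file into `parse_idswakeup_output`, then pass your IDS alerts (converted to the one-line format, or with `ALERT_RE` adjusted to your log) to `coverage`. Probes listed under `missed` are the ones to investigate first; `no_keyword_rule` means the table does not yet know what alert to expect for that probe.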

See you next time, folks!


http://www.vivaolinux.com.br/dica/IDSwakeup-Simulador-de-ataques-e-falso-positivos-para-testar-IDS
