IDSwakeup

	See also...  Babelweb  BlueBerry  Delphes  Dislocker  Dns2tcp    filterrules  IDSwakeup  nstreams  passe-partout  Patator    PktFilter  Net::RawSock  rkscan  skyrack  smbsniff    SSLTunnel  SSToPer  Subweb  Webef  WifiScanner    WSPP  xml-logs

IDSwakeup is a collection of tools that allows to test network intrusion detection systems.

The main goal of IDSwakeup is to generate false attack that mimic well known ones, in order to see if NIDS detects them and generates false positives.

Like nidsbench, IDSwakeup is being published in the hopes that a more precise testing methodology might be applied to network intrusion detection, which is *still* a black art at best.

Download

This release of IDSwakeup includes:

• IDSwakeup

  The main shell script that permits to launch hping2 or iwu. The user just has to choose which attack or set of attacks he or she want to mimic. The user can also fix the TTL to produce short TTL and impact only NIDS and not the servers.

  Usage: ./IDSwakeup <src addr> <dst addr> [nb] [ttl]

  Example: see screenshot.

  IDSwakeup requires hping2.

• iwu

  Sends a buffer as a datagram. It allows to change the source address, the destination address, the TTL (in order to produce short TTL). It also takes as parameter the number of times the user wants to send the same datagram.

  Usage: ./iwu <srcIP> <dstIP> <nb> <ttl> <ip-datagram>

  Example: ./iwu 10.0.0.1 20.0.0.2 200 4 \
          "4500 0018 00f2 0003 4011 73db 0101 0101 0202 0202 e63e 4494"

  iwu requires libnet 1.x.

IDSwakeup suite is written by Stéphane Aubert, it is available in a beta version and published under a BSD-style license.

Screenshot ;-) :

# ./IDSwakeup 0 127.0.0.1 1 1 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - IDSwakeup : false positive generator - Stephane Aubert - Hervé Schauer Consultants (c) 2000 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- src_addr:0 dst_addr:127.0.0.1 nb:1 ttl:1 sending : teardrop ... sending : land ... sending : get_phf ... sending : bind_version ... sending : get_phf_syn_ack_get ... sending : ping_of_death ... sending : syndrop ... sending : newtear ... sending : X11 ... sending : SMBnegprot ... sending : smtp_expn_root ... sending : finger_redirect ... sending : ftp_cwd_root ... sending : ftp_port ... sending : trin00_pong ... sending : back_orifice ... sending : msadcs ... 245.146.219.144 -> 127.0.0.1 80/tcp GET /msadc/msadcs.dll HTTP/1.0 sending : www_frag ... 225.158.207.188 -> 127.0.0.1 80/fragmented-tcp GET /................................... HTTP/1.0 181.114.219.120 -> 127.0.0.1 80/fragmented-tcp GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/../cgi-bin/phf HTTP/1.0 sending : www_bestof ... 137.78.167.188 -> 127.0.0.1 80/tcp GET / HTTP/1.0 165.90.83.96 -> 127.0.0.1 80/tcp GET //////// HTTP/1.0 249.174.111.124 -> 127.0.0.1 80/tcp HEAD / HTTP/1.0 101.146.51.80 -> 127.0.0.1 80/tcpHEAD/./ 137.126.215.76 -> 127.0.0.1 80/tcp /cgi-bin\\handler 101.226.235.216 -> 127.0.0.1 80/tcp /cgi-bin\\webdist.cgi 241.70.55.180 -> 127.0.0.1 80/tcp /mlog.phtml 69.138.75.176 -> 127.0.0.1 80/tcp /mylog.phtml 137.86.207.116 -> 127.0.0.1 80/tcp /cfide\\administrator\\startstop.html 53.90.147.104 -> 127.0.0.1 80/tcp /cfappman\\index.cfm 201.110.175.156 -> 127.0.0.1 80/tcp /mall_log_files\\order.log 221.226.155.208 -> 127.0.0.1 80/tcp /admin_files\\order.log 137.222.71.244 -> 127.0.0.1 80/tcp /cgi-bin\\wrap 85.82.147.96 -> 127.0.0.1 80/tcp GET /cgi-bin/ph%66 HTTP/1.0 57.230.199.52 -> 127.0.0.1 80/tcp GET /sahsc.lnk HTTP/1.0 221.74.227.112 -> 127.0.0.1 80/tcp GET /sahsc.bat HTTP/1.0 201.206.207.124 -> 127.0.0.1 80/tcp GET /sahsc.url HTTP/1.0 69.138.171.192 -> 127.0.0.1 80/tcp GET /sahsc.ida HTTP/1.0 145.94.199.68 -> 127.0.0.1 80/tcp GET /default.asp::$DATA HTTP/1.0 69.218.155.216 -> 127.0.0.1 80/tcp GET / HTTP/1.0 65.166.87.92 -> 127.0.0.1 80/tcp PUT /scripts/cmd.exe HTTP/1.0 133.186.155.192 -> 127.0.0.1 80/tcp GET /scripts/cmd.exe HTTP/1.0 201.102.239.204 -> 127.0.0.1 80/tcp BAD /scripts/cmd.exe HTTP/1.0 101.122.75.192 -> 127.0.0.1 80/tcp GET /_vti_pvt/administrators.pwd HTTP/1.0 193.238.239.212 -> 127.0.0.1 80/tcp GET /cgi-bin/handler HTTP/1.0 149.98.227.160 -> 127.0.0.1 80/tcp GET /../../../../../../etc/passwd HTTP/1.0 153.54.55.124 -> 127.0.0.1 80/tcp GET /cgi-bin/perl.exe HTTP/1.0 181.122.51.104 -> 127.0.0.1 80/tcp GET /scripts/tools/newdsn.exe HTTP/1.0 121.222.199.84 -> 127.0.0.1 80/tcp GET /search97.vts HTTP/1.0 245.202.123.232 -> 127.0.0.1 80/tcp GET /IISADMIN HTTP/1.0 sending : ddos_bestof ... 86.175.100.245 -> 127.0.0.1 15104/tcp -S 219.152.249.118 -> 127.0.0.1 1613/tcp -PA > 244.157.170.179 -> 127.0.0.1 12754/tcp -PA > 225.62.71.60 -> 127.0.0.1 10498/udp pong 138.243.72.241 -> 127.0.0.1 10498/udp ping 71.156.85.130 -> 127.0.0.1 10498/udp stream/ 152.73.182.207 -> 127.0.0.1 6838/udp newserver 76.117.90.59 -> 127.0.0.1 27665/tcp killme 233.110.119.156 -> 127.0.0.1 31335/udp PONG 154.91.200.89 -> 127.0.0.1 1624/udp l44 119.76.125.202 -> 127.0.0.1 1713/udp *HELLO* 131.184.89.206 -> 127.0.0.1 27665/tcp gOrave 175.108.53.106 -> 127.0.0.1 20432/tcp 152.73.126.135 -> 127.0.0.1 18753/udp alive tijgu 117.74.59.112 -> 127.0.0.1 20433/udp alive 214.239.148.93 -> 127.0.0.1 1676/tcp -S --setseq 674711609 sending : ftp_bestof ... 50.235.72.153 -> 127.0.0.1 21/tcp PORT 127,0,0,1,0,23 214.127.236.157 -> 127.0.0.1 21/tcp PORT 10,6,6,6,0,23 242.115.176.201 -> 127.0.0.1 21/tcp PORT 127,0,0,1,255,510 198.175.140.85 -> 127.0.0.1 21/tcp passwd 58.75.96.65 -> 127.0.0.1 21/tcp site exec %p%p%p%p%p%p 246.159.196.181 -> 127.0.0.1 21/tcp SITE exec cat /etc/passwd ;-) 106.91.176.121 -> 127.0.0.1 21/tcp SYST /etc/passwd ;-) 230.119.84.157 -> 127.0.0.1 21/tcp SYST 194.139.224.209 -> 127.0.0.1 21/tcp CWD ~root 158.231.76.53 -> 127.0.0.1 21/tcp STOR | 130.59.112.241 -> 127.0.0.1 21/tcp RETR | sending : telnet_bestof ... 238.71.116.245 -> 127.0.0.1 23/tcp ciscociscociscociscociscociscociscociscociscociscocisco 58.227.120.121 -> 127.0.0.1 23/tcp bof 214.79.76.173 -> 127.0.0.1 23/tcp IFS=/ 50.219.120.225 -> 127.0.0.1 23/tcp su - root 158.95.100.149 -> 127.0.0.1 23/tcp su root 50.139.120.65 -> 127.0.0.1 23/tcp id; cat /etc/shadow 214.231.196.77 -> 127.0.0.1 23/tcp echo "+ +">.rhosts 130.235.64.209 -> 127.0.0.1 23/tcp resolv_host_conf 190.127.172.69 -> 127.0.0.1 23/tcp ld_preload 170.211.224.105 -> 127.0.0.1 23/tcp ld_library_pat sending : rlogin_bestof ... 94.159.236.229 -> 127.0.0.1 513/tcp IFS=/ 106.107.144.193 -> 127.0.0.1 513/tcp su - root 134.167.196.69 -> 127.0.0.1 513/tcp su root 218.171.96.113 -> 127.0.0.1 513/tcp id; cat /etc/shadow 118.127.196.165 -> 127.0.0.1 513/tcp echo "+ +">.rhosts sending : tcpflag_bestof ... 171.160.241.54 -> 127.0.0.1 80/tcp -SF 108.221.194.155 -> 127.0.0.1 80/tcp -SR 153.86.71.140 -> 127.0.0.1 80/tcp 210.227.112.89 -> 127.0.0.1 80/tcp -A 135.236.53.98 -> 127.0.0.1 80/tcp -SFR 152.225.134.119 -> 127.0.0.1 80/tcp -SFARPXY 181.202.139.200 -> 127.0.0.1 80/tcp -SA 166.63.188.101 -> 127.0.0.1 80/tcp -SAFR 195.200.65.126 -> 127.0.0.1 80/tcp -XY 124.61.90.107 -> 127.0.0.1 1999/tcp -S sending : icmp_bestof ... 160.249.86.199 -> 127.0.0.1 icmp type:0 code:0 92.165.90.51 -> 127.0.0.1 icmp type:0 code:0 Hi B0B !... 152.201.62.207 -> 127.0.0.1 icmp type:3 code:0 228.125.74.67 -> 127.0.0.1 icmp type:3 code:1 56.161.54.143 -> 127.0.0.1 icmp type:3 code:2 148.245.114.131 -> 127.0.0.1 icmp type:3 code:3 208.169.142.247 -> 127.0.0.1 icmp type:3 code:4 188.237.218.219 -> 127.0.0.1 icmp type:3 code:5 88.137.134.159 -> 127.0.0.1 icmp type:3 code:13 156.141.130.235 -> 127.0.0.1 icmp type:3 code:14 232.105.102.191 -> 127.0.0.1 icmp type:3 code:15 132.133.58.91 -> 127.0.0.1 icmp type:4 code:0 56.113.190.183 -> 127.0.0.1 icmp type:5 code:0 52.53.74.163 -> 127.0.0.1 icmp type:5 code:1 160.137.206.111 -> 127.0.0.1 icmp type:5 code:2 196.77.58.91 -> 127.0.0.1 icmp type:5 code:3 160.89.158.215 -> 127.0.0.1 icmp type:8 code:0 236.245.82.115 -> 127.0.0.1 icmp type:11 code:0 192.137.54.71 -> 127.0.0.1 icmp type:11 code:1 180.69.154.147 -> 127.0.0.1 icmp type:12 code:0 200.129.238.55 -> 127.0.0.1 icmp type:13 code:0 172.53.82.91 -> 127.0.0.1 icmp type:14 code:0 128.169.182.71 -> 127.0.0.1 icmp type:15 code:0 84.245.210.59 -> 127.0.0.1 icmp type:16 code:0 112.233.94.167 -> 127.0.0.1 icmp type:17 code:0 60.213.146.91 -> 127.0.0.1 icmp type:18 code:0 sending : smtp_bestof ... 232.233.54.247 -> 127.0.0.1 25/tcp rcpt to: bouncebounce 108.69.162.163 -> 127.0.0.1 25/tcp expn root 160.73.198.87 -> 127.0.0.1 25/tcp expn decode 236.53.202.115 -> 127.0.0.1 25/tcp debug 104.129.70.63 -> 127.0.0.1 25/tcp vrfy smtp 52.141.74.123 -> 127.0.0.1 25/tcp mail from: | 144.177.78.215 -> 127.0.0.1 25/tcp rcpt to: | sending : misc_bestof ... 109.122.163.216 -> 127.0.0.1 161/udp public 230.119.116.197 -> 127.0.0.1 161/udp private 75.64.145.70 -> 127.0.0.1 161/udp all private 180.245.234.235 -> 127.0.0.1 162/udp trap trap trap ... 96.217.70.215 -> 127.0.0.1 5631/tcp ADMINISTRATOR 101.186.83.120 -> 127.0.0.1 32771/tcp -S 249.174.223.148 -> 127.0.0.1 6699/tcp .mp3 133.210.131.80 -> 127.0.0.1 8888/tcp .mp3 145.54.151.68 -> 127.0.0.1 7777/tcp .mp3 53.50.83.248 -> 127.0.0.1 6666/tcp .mp3 217.54.239.68 -> 127.0.0.1 5555/tcp .mp3 237.114.51.232 -> 127.0.0.1 4444/tcp .mp3 169.118.63.156 -> 127.0.0.1 8875/tcp anon@napster.com sending : dos_chargen ... 189.210.139.176 -> 127.0.0.1 19/udp hello sending : dos_snork ... 249.182.63.76 -> 127.0.0.1 135/udp hi !... sending : dos_syslog ... 146.195.88.161 -> 127.0.0.1 514/udp B0MB