1. Introduction: basic description and purpose of Impost
2. Building Instructions: compiling instructions for Impost
3. Installing: installing Impost properly
4. Invoking Impost: command-line options
5. Usage: usage examples
6. Scripting: developing Perl scripts for Impost
7. Reporting bugs
Description
Impost is a network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons. Impost has two operating modes: it can act as a honey pot and take orders from a Perl script that controls how it responds to and communicates with connecting clients, or it can operate as a packet sniffer and monitor incoming data to a destination port specified on the command line.
While running, Impost keeps a history of incoming buffers for every connection it handles. These histories are normally dropped when a socket is closed or a TH_FIN|TH_ACK flagged packet is received. However, if at any time during a live connection a 'suspicious' buffer is detected, Impost uses the history belonging to that connection to create a log file containing all of the received data, including the suspicious buffer.
Aside from creating a log file, Impost will also try to analyze the buffer that was judged suspicious. Among the things Impost looks for are machine code, NOP sleds, shellcode signatures and a lot of other junk.
Impost is still in early stages of development so there is a lot of work that needs to be done. Even in these early stages, Impost proves to be an extremely powerful multi-purpose network debugging tool. Whether you're a software developer, a security consultant, systems administrator or hacker - you'll find Impost very useful if applied properly to whatever it is you do.
Mail suggestions to sickbeatz@hotmail.com
The simplest way to compile this package is:
`cd' to the directory containing the package's source code and type `./configure' to configure the package for your system. If you're using csh on an old version of System V, you might need to type `sh ./configure' instead to prevent csh from trying to execute configure itself.
Running configure takes a while. While running, it prints some messages telling which features it is checking for.
Some systems require unusual options for compilation or linking that the configure script does not know about. Run `./configure --help' for details on some of the pertinent environment variables.
You can give configure initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example:
./configure CC=c89 CFLAGS=-O2 LIBS=-lposix
The first thing you need to do is install the programs and documentation:
configure created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution.
The next step is to copy the file `impost.conf', located in the source directory, to `.impostrc' in the home directory of the user who will be running Impost.
You will also need to copy the file `impost.shellcodes' to a safe location. After doing so, edit the `.impostrc' file and make sure it contains the correct pathname for `impost.shellcodes'.
If you don't have the privileges to install Impost, that's okay. Just copy the binary file `src/impost' to your home directory and follow the steps in the two paragraphs above.
Main options:
Packet sniffing:
Additional options:
Other options:
impost -p 500 -s /path/to/scripts/identd.pl
This will load the Perl script `/path/to/scripts/identd.pl', which is supplied as a sample script in Impost's source directory. After loading the script, Impost binds a socket to port 500 and acts like a honey pot: every time a buffer is received or a connection is made, a subroutine in the Perl script is called, which can be used to control how Impost responds to and communicates with clients.
If a script is not supplied in the command-line, Impost will not be able to respond or communicate with clients; however it will still be able to detect and analyze suspicious buffers.
impost -p 100 -u 500
Options `-u' and `--unusual' set the size at which a received buffer is considered "suspect". The default value is `256', as configured in the generic configuration script supplied with Impost. The above example sets the "suspect" buffer size to `500' -- no detections will be triggered by buffers under `500' bytes unless they contain valid operation codes.
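To make the size rule above concrete, together with the per-connection history and the buffer analysis described in the Introduction, here is an added stand-alone Perl example. It is not Impost's code: the 256-byte threshold mirrors the `-u' default, but the NOP-sled rule, the signature list and the log layout are this example's own assumptions, and the session it processes is constructed.

```perl
#!/usr/bin/perl
# Added example (not Impost's own code): keep a history of buffers per
# connection, flag a buffer as suspicious, and when that happens render the
# whole history as a log. The threshold plays the role of `impost -u <bytes>';
# the NOP-sled length and the signature list are assumptions for this example.
use strict;
use warnings;

my $UNUSUAL = 256;   # buffers larger than this are suspect (the -u default)
my $NOP_RUN = 32;    # a run of this many 0x90 bytes is treated as a NOP sled (assumed)

# Constructed signature list; the real impost.shellcodes format is not
# documented in this manual.
my @signatures = ("/bin/sh", "\xcd\x80");

my %history;         # socket fd => [ buffers received so far on that connection ]

# Returns a short reason when the buffer looks suspicious, otherwise undef.
# Small buffers are still flagged if they carry a known signature, matching
# the manual's "unless they contain valid operation codes" rule.
sub suspicious {
    my ($buf) = @_;
    return "size " . length($buf) . " > $UNUSUAL" if length($buf) > $UNUSUAL;
    return "nop sled" if $buf =~ /\x90{$NOP_RUN,}/;
    for my $sig (@signatures) {
        return "signature " . unpack("H*", $sig) if index($buf, $sig) >= 0;
    }
    return undef;
}

# Called for every buffer received on a connection. Returns the log text
# when the buffer is suspicious (history plus the offending buffer), else undef.
sub on_buffer {
    my ($fd, $ip, $buf) = @_;
    push @{ $history{$fd} }, $buf;
    my $why = suspicious($buf) or return undef;
    my $log = "connection from $ip (fd $fd): $why\n";
    my $n = 0;
    for my $b (@{ $history{$fd} }) {
        $log .= sprintf("--- buffer %d (%d bytes) ---\n%s", ++$n, length($b), hexdump($b));
    }
    return $log;
}

# Drop the history when the connection ends (socket closed or FIN|ACK seen).
sub on_close { delete $history{ $_[0] } }

# Classic 16-bytes-per-line hex dump with a printable-ASCII column.
sub hexdump {
    my ($s) = @_;
    my $out = '';
    for (my $i = 0; $i < length $s; $i += 16) {
        my $chunk = substr($s, $i, 16);
        (my $ascii = $chunk) =~ s/[^\x20-\x7e]/./g;
        my $hex = join(' ', map { sprintf('%02x', $_) } unpack('C*', $chunk));
        $out .= sprintf("%04x  %-48s %s\n", $i, $hex, $ascii);
    }
    return $out;
}

# Constructed sample session: two benign FTP-style lines, then a NOP sled.
my $fd = 7;
for my $buf ("USER anonymous\r\n", "PASS guest\r\n", ("\x90" x 64) . "AAAA") {
    my $log = on_buffer($fd, '192.0.2.10', $buf);
    print $log if defined $log;
}
on_close($fd);
```

Running it prints nothing for the first two buffers and a log containing all three (the benign history first, then the flagged buffer) once the NOP sled arrives, which is the behaviour the Introduction describes for a live connection.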
impost --sniff -p 21
This enables Impost's packet sniffer and watches incoming packets destined for port `21'. Impost will use the first default device found by libpcap.
You need to set Impost's device setting to your system's local loopback device (for instance, Linux's local loopback device is `lo' and the local loopback device on OpenBSD is `lo0'). You can do this by specifying the `--device' option:
impost --sniff -p 21 --device=lo0
For more info about command-line options, see section 4. Invoking Impost.
Developing Perl scripts for Impost
Impost uses Perl as a scripting engine. Perl is available on most systems and is very easy to learn. When writing a script to control Impost's behaviour for client/server communication, every script is required to have these two subroutines:
on_server_accept
on_server_read
Without these subroutines, Impost will not function properly!
The 'on_server_accept' subroutine is called every time a new connection is established. It receives two arguments: $_[0] is the IP address of the connecting client, and $_[1] is the file descriptor of the socket the connection is on.
This subroutine is mainly for telling Impost what to say to the client when it first connects. After the subroutine has been evaluated by Perl, Impost reads the array @welcome_message and sends each item in it, if any, to the newly connected client.
The 'on_server_read' subroutine is called every time Impost receives data from the client. It also receives exactly two arguments: $_[0] is the data that has been received, and $_[1] is the file descriptor of the socket on which Impost received it. After this routine has been evaluated, Impost reads the array @reply_data and sends its items to the socket the data was received on, just as it does with @welcome_message in the on_server_accept routine.
After the @reply_data array has been read and all of its data sent to the client, Impost checks whether the variable $close_connection exists. If it exists and its value is "1", Impost closes the socket, disconnecting the client from the Impost server.
Any code outside these two subroutines is evaluated when the Perl script is loaded, which is when Impost starts.
You can include as many other subroutines as you please, but Impost will never call them directly. You can only call them from 'on_server_accept' or 'on_server_read', or from the code that is evaluated when the script is loaded.
I have included a well-documented example script, example1.pl, located in the scripts/ directory. Several other scripts that mimic popular daemons are also included; these could be useful as sitting ducks or could give you ideas for your own scripts.
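The following is an added example of a control script written against the interface described above; it is not example1.pl or any other script shipped in Impost's scripts/ directory. It uses only on_server_accept, on_server_read, @welcome_message, @reply_data and $close_connection as documented; the %state hash, the banner text, the three-attempt limit and the log file location are this example's own choices.

```perl
#!/usr/bin/perl
# Added example of an Impost control script (not one of the bundled scripts).
# It imitates a line-oriented login prompt: greet the client, ask for a
# username and a password, refuse every attempt, and hang up after three
# failures, recording each attempt to a log file.
use strict;
use warnings;

# Package variables that Impost reads after each callback has been evaluated.
our (@welcome_message, @reply_data, $close_connection);

# Per-connection state keyed by the socket file descriptor Impost passes in.
# This hash is an assumed helper for the example, not part of Impost.
my %state;

# Assumed log location for this example.
my $logfile = "$ENV{HOME}/impost-logins.log";

# Code outside the two required callbacks runs once, when Impost loads the script.
sub log_line {
    my ($msg) = @_;
    if (open my $fh, '>>', $logfile) {
        print $fh scalar(localtime), " $msg\n";
        close $fh;
    }
}

# Called for every new connection: $_[0] is the client IP address,
# $_[1] is the socket file descriptor.
sub on_server_accept {
    my ($ip, $fd) = @_;
    $state{$fd} = { ip => $ip, stage => 'user', attempts => 0, user => '' };
    log_line("connect from $ip (fd $fd)");
    # Impost sends each element of @welcome_message to the client in order.
    @welcome_message = ("Welcome to fakeserv 1.0\r\n", "login: ");
}

# Called every time data arrives: $_[0] is the received data,
# $_[1] is the socket file descriptor it arrived on.
sub on_server_read {
    my ($data, $fd) = @_;
    my $conn = $state{$fd} ||= { ip => '?', stage => 'user', attempts => 0, user => '' };
    (my $line = $data) =~ s/\r?\n\z//;   # drop the line terminator

    @reply_data       = ();              # start every reply empty
    $close_connection = 0;

    if ($conn->{stage} eq 'user') {
        $conn->{user}  = $line;
        $conn->{stage} = 'pass';
        @reply_data = ("Password: ");
        return;
    }

    # Password stage: never accept, record the attempt, decide whether to hang up.
    $conn->{attempts}++;
    $conn->{stage} = 'user';
    log_line(sprintf("fd %d %s attempt %d user=%s pass=%s",
                     $fd, $conn->{ip}, $conn->{attempts}, $conn->{user}, $line));

    if ($conn->{attempts} >= 3) {
        @reply_data = ("Login incorrect\r\n", "Too many failures, goodbye.\r\n");
        $close_connection = 1;           # Impost closes the socket after sending
        delete $state{$fd};
    } else {
        @reply_data = ("Login incorrect\r\n", "login: ");
    }
}

1;
```

Save it as, say, fakelogin.pl and load it with `impost -p 23 -s /path/to/fakelogin.pl'. Because Impost reads @welcome_message and @reply_data after each callback returns, the script resets @reply_data at the top of on_server_read so that a reply from one buffer is never repeated for the next; the same care applies to $close_connection, which is cleared on every read and only set to 1 on the final refusal.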
Please submit bug reports here:
Bugs -- http://sourceforge.net/tracker/?group_id=115549&atid=672265
Patches -- http://sourceforge.net/tracker/?group_id=115549&atid=672263