RubyGems - dvash - Versions diffs - 0.0.8 → 0.0.9 - Mend

dvash 0.0.8 → 0.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

data/README.md ADDED

@@ -0,0 +1,38 @@
+Dvash Defense
+=============
+Part modular honeypot, part defense system, multithreaded and ready for IPv6.  Opens up ports and simulates services in order to look like an attractive target.  Hosts that try to connect to the fake services are considered attackers and blocked from all access.  Heavily inspired by <a href="https://github.com/trustedsec/artillery/">The Artillery Project</a> by Dave Kennedy (ReL1K) with a passion for ruby and a thirst for knowledge.
+How Does Dvash Work?
+--------------------
+It's very alpha right now but here's where we are:
+>1. Dvash is ready for Linux, Mac OS X and Windows 7 (or higher). It must be run with elevated privileges.
+>2. Set parameters in the default configuration file according to your system and honeyports you want to use.
+>3. Run dvash and watch it block hosts that attempt to connect to honeyports.
+What are Honeyports?
+--------------------
+Dvash is a defensive honeypot, each service that is emulated is called a honeyport as each can be designed to have it's own behaviors.  Dvash is designed to be modular so adding a new honeyport service to emulate is a templated code base.  Each built-in honeyport follows a few steps:
+>1. When a honeyport thread starts it sits and listens for a connection.
+>2. The thread forks the process when a client connects and accepts the connection.
+>3. The forked process then sends the client connection junk data.
+>4. The peer address is validated since anything in a packet can be manipulated.
+>5. A valid IPv4 or IPv6 address is then blocked.
+ * Linux - blocked using IPTables/IP6Tables.
+ * Mac OS X - blocked using ipfw.
+ * Windows - blocked by blackhole routing.
+>6. Finally, the connection is closed and the forked process killed.
+How to configure Dvash
+----------------------
+The default Dvash configuration file can be found <a href="https://github.com/codemunchies/dvash/blob/master/etc/dvash-baseline.conf">here</a>.  Copy this file to your system and set the parameters within it.  Dvash will look for /etc/dvash.conf by default for the configuration file or you can manually point to any copy using the `--config-file` option in a terminal.
+How to get Dvash
+----------------
+To install: `gem install dvash`
+To run: `sudo dvash --help`

data/dvash.gemspec CHANGED

@@ -2,7 +2,7 @@
 Gem::Specification.new do |s|
   s.name = "dvash"
-  s.version = "0.0.8"
+  s.version = "0.0.9"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Ari Mizrahi"]
@@ -10,11 +10,12 @@ Gem::Specification.new do |s|
   s.description = "Part honeypot, part defense system.  Opens up ports and simulates services in order to look like an attractive target.  Hosts that try to connect to the fake services are considered attackers and blocked from all access."
   s.email = "codemunchies@gmail.com"
   s.executables = ["dvash"]
-  s.files = ["etc/dvash-baseline.conf", "lib/dvash/honeyports/ipv4/http.rb", "lib/dvash/honeyports/ipv4/rdp.rb", "lib/dvash/honeyports/ipv4/ssh.rb", "lib/dvash/honeyports/ipv4/telnet.rb", "lib/dvash/honeyports/ipv6/http.rb", "lib/dvash/honeyports/ipv6/rdp.rb", "lib/dvash/honeyports/ipv6/ssh.rb", "lib/dvash/os/linux.rb", "lib/dvash/os/mac.rb", "lib/dvash/os/windows.rb", "lib/dvash/application.rb", "lib/dvash/core.rb", "lib/dvash.rb", "dvash.gemspec", "Gemfile"]
+  s.files = ["etc/dvash-baseline.conf", "lib/dvash/honeyports/ipv4/http.rb", "lib/dvash/honeyports/ipv4/rdp.rb", "lib/dvash/honeyports/ipv4/ssh.rb", "lib/dvash/honeyports/ipv4/telnet.rb", "lib/dvash/honeyports/ipv6/http.rb", "lib/dvash/honeyports/ipv6/rdp.rb", "lib/dvash/honeyports/ipv6/ssh.rb", "lib/dvash/os/linux.rb", "lib/dvash/os/mac.rb", "lib/dvash/os/windows.rb", "lib/dvash/application.rb", "lib/dvash/core.rb", "lib/dvash.rb", "dvash.gemspec", "Gemfile", "README.md"]
   s.homepage = "http://github.com/codemunchies/dvash"
   s.require_paths = ["lib"]
   s.rubygems_version = "1.8.25"
   s.summary = "Honeypot defense system"
+  s.license = "GPL-3"
   if s.respond_to? :specification_version then
     s.specification_version = 3

data/etc/dvash-baseline.conf CHANGED

@@ -44,4 +44,5 @@ ipv6 = /usr/sbin/ip6tables
 ###############################################################################
 [ipfw]
 ipfw = /sbin/ipfw
+ip6fw = /sbin/ip6fw

data/lib/dvash.rb CHANGED

@@ -14,6 +14,10 @@ require 'optparse'
 # Heavily inspired by The Artillery Project by Dave Kennedy (ReL1K) with a
 # passion for ruby and a thirst for knowledge.
 #
+# Many thanks to Ryan Scott Lewis (https://github.com/RyanScottLewis) for
+# his contribution to this project and showing me the true Ruby way.  I still
+# have ways to go.
+#
 module Dvash
@@ -30,7 +34,7 @@ module Dvash
     # A command-line interface using OptionParser
     #
     OptionParser.new do |opts|
-      opts.banner = "Dvash 0.0.8 ( http://www.github.com/codemunchies/dvash )\n"
+      opts.banner = "Dvash 0.0.9 ( http://www.github.com/codemunchies/dvash )\n"
       opts.banner += "Usage: dvash [options]"
       #
       # Option to set an alternate configuration file

data/lib/dvash/os/mac.rb CHANGED

@@ -18,7 +18,16 @@ module Dvash
 			#
 			# Block the client IP address using ipfw binaries set in the configuration file
 			#
-			system("#{@@cfgfile['ipfw']['ipfw']} -q add deny src-ip #{address}")
+			if IPAddr.new("#{address}").ipv4? then
+				system("#{@@cfgfile['ipfw']['ipfw']} -q add deny all from #{address} to any")
+			end
+			#
+			# Block the client IP address using ip6fw binaries set in the configuration file
+			#
+			if IPAddr.new("#{address}").ipv6? then
+				system("#{@@cfgfile['ipfw']['ip6fw']} -q add deny all from #{address} to any")
+			end
 		end
 	end

data/lib/dvash/os/windows.rb CHANGED

@@ -4,10 +4,25 @@ module Dvash
 		def block_ip(address)
 			#
-			# Windows 7 and newer compatible
-			# Blackholes the client IP address by sending traffic to a non-existing gateway
+			# Windows XP/Server 2003 compatible but we don't have a way to determine
+			# what version of Windows is running, so we assume the newer versions
 			#
-			system("route add #{address} mask 255.255.255.255 10.255.255.255 if 1 -p")
+			# system("route add #{address} mask 255.255.255.255 10.255.255.255 metric 1 -p")
+			#
+			# Windows 7/Server 2008 and newer compatible (IPv4)
+			# Blackholes the client IP address by routing traffic to a null route
+			#
+			if IPAddr.new("#{address}").ipv4? then
+				system("route add #{address} mask 255.255.255.255 10.255.255.255 if 1 -p")
+			end
+			#
+			# Windows 7/Server 2008 and newer compatible (IPv6)
+			# Blackholes the client IP address by routing traffic to localhost
+			#
+			if IPAddr.new("#{address}").ipv6? then
+				system("netsh interface ipv6 add route #{address} \"Local Area Connection\" ::1")
 		end
 	end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dvash
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.0.9
   prerelease:
 platform: ruby
 authors:
@@ -68,9 +68,11 @@ files:
 - lib/dvash.rb
 - dvash.gemspec
 - Gemfile
+- README.md
 - bin/dvash
 homepage: http://github.com/codemunchies/dvash
-licenses: []
+licenses:
+- GPL-3
 post_install_message:
 rdoc_options: []
 require_paths: