dvash 0.0.8 → 0.0.9

@@ -0,0 +1,38 @@
1
+ Dvash Defense
2
+ =============
3
+
4
+ Part modular honeypot, part defense system, multithreaded and ready for IPv6. Opens up ports and simulates services in order to look like an attractive target. Hosts that try to connect to the fake services are considered attackers and blocked from all access. Heavily inspired by <a href="https://github.com/trustedsec/artillery/">The Artillery Project</a> by Dave Kennedy (ReL1K) with a passion for ruby and a thirst for knowledge.
5
+
6
+ How Does Dvash Work?
7
+ --------------------
8
+
9
+ It's very alpha right now but here's where we are:
10
+ >1. Dvash is ready for Linux, Mac OS X and Windows 7 (or higher). It must be run with elevated privileges.
11
+ >2. Set parameters in the default configuration file according to your system and honeyports you want to use.
12
+ >3. Run dvash and watch it block hosts that attempt to connect to honeyports.
13
+
14
+ What are Honeyports?
15
+ --------------------
16
+
17
+ Dvash is a defensive honeypot, each service that is emulated is called a honeyport as each can be designed to have it's own behaviors. Dvash is designed to be modular so adding a new honeyport service to emulate is a templated code base. Each built-in honeyport follows a few steps:
18
+ >1. When a honeyport thread starts it sits and listens for a connection.
19
+ >2. The thread forks the process when a client connects and accepts the connection.
20
+ >3. The forked process then sends the client connection junk data.
21
+ >4. The peer address is validated since anything in a packet can be manipulated.
22
+ >5. A valid IPv4 or IPv6 address is then blocked.
23
+ * Linux - blocked using IPTables/IP6Tables.
24
+ * Mac OS X - blocked using ipfw.
25
+ * Windows - blocked by blackhole routing.
26
+ >6. Finally, the connection is closed and the forked process killed.
27
+
28
+ How to configure Dvash
29
+ ----------------------
30
+
31
+ The default Dvash configuration file can be found <a href="https://github.com/codemunchies/dvash/blob/master/etc/dvash-baseline.conf">here</a>. Copy this file to your system and set the parameters within it. Dvash will look for /etc/dvash.conf by default for the configuration file or you can manually point to any copy using the `--config-file` option in a terminal.
32
+
33
+ How to get Dvash
34
+ ----------------
35
+
36
+ To install: `gem install dvash`
37
+
38
+ To run: `sudo dvash --help`
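Review bot: "it's own behaviors" in the "What are Honeyports?" paragraph should read "its own behaviors", and the README never says how a blocked host is released or how management hosts are exempted. Since any host that connects to a honeyport is blocked from all access (step 5), document an allow-list or an unblock procedure so an administrator who port-scans their own server does not lock themselves out, and note which firewall tool to use to remove the rule on each platform.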
@@ -2,7 +2,7 @@
2
2
 
3
3
  Gem::Specification.new do |s|
4
4
  s.name = "dvash"
5
- s.version = "0.0.8"
5
+ s.version = "0.0.9"
6
6
 
7
7
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
8
8
  s.authors = ["Ari Mizrahi"]
@@ -10,11 +10,12 @@ Gem::Specification.new do |s|
10
10
  s.description = "Part honeypot, part defense system. Opens up ports and simulates services in order to look like an attractive target. Hosts that try to connect to the fake services are considered attackers and blocked from all access."
11
11
  s.email = "codemunchies@gmail.com"
12
12
  s.executables = ["dvash"]
13
- s.files = ["etc/dvash-baseline.conf", "lib/dvash/honeyports/ipv4/http.rb", "lib/dvash/honeyports/ipv4/rdp.rb", "lib/dvash/honeyports/ipv4/ssh.rb", "lib/dvash/honeyports/ipv4/telnet.rb", "lib/dvash/honeyports/ipv6/http.rb", "lib/dvash/honeyports/ipv6/rdp.rb", "lib/dvash/honeyports/ipv6/ssh.rb", "lib/dvash/os/linux.rb", "lib/dvash/os/mac.rb", "lib/dvash/os/windows.rb", "lib/dvash/application.rb", "lib/dvash/core.rb", "lib/dvash.rb", "dvash.gemspec", "Gemfile"]
13
+ s.files = ["etc/dvash-baseline.conf", "lib/dvash/honeyports/ipv4/http.rb", "lib/dvash/honeyports/ipv4/rdp.rb", "lib/dvash/honeyports/ipv4/ssh.rb", "lib/dvash/honeyports/ipv4/telnet.rb", "lib/dvash/honeyports/ipv6/http.rb", "lib/dvash/honeyports/ipv6/rdp.rb", "lib/dvash/honeyports/ipv6/ssh.rb", "lib/dvash/os/linux.rb", "lib/dvash/os/mac.rb", "lib/dvash/os/windows.rb", "lib/dvash/application.rb", "lib/dvash/core.rb", "lib/dvash.rb", "dvash.gemspec", "Gemfile", "README.md"]
14
14
  s.homepage = "http://github.com/codemunchies/dvash"
15
15
  s.require_paths = ["lib"]
16
16
  s.rubygems_version = "1.8.25"
17
17
  s.summary = "Honeypot defense system"
18
+ s.license = "GPL-3"
18
19
 
19
20
  if s.respond_to? :specification_version then
20
21
  s.specification_version = 3
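Review bot: `s.license = "GPL-3"` is not the SPDX identifier that RubyGems tooling recognises; use `"GPL-3.0"` instead. The file list now carries "README.md" but no license text, so add a LICENSE file to `s.files` alongside it so the gem actually ships the terms it declares.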
@@ -44,4 +44,5 @@ ipv6 = /usr/sbin/ip6tables
44
44
  ###############################################################################
45
45
  [ipfw]
46
46
  ipfw = /sbin/ipfw
47
+ ip6fw = /sbin/ip6fw
47
48
 
@@ -14,6 +14,10 @@ require 'optparse'
14
14
  # Heavily inspired by The Artillery Project by Dave Kennedy (ReL1K) with a
15
15
  # passion for ruby and a thirst for knowledge.
16
16
  #
17
+ # Many thanks to Ryan Scott Lewis (https://github.com/RyanScottLewis) for
18
+ # his contribution to this project and showing me the true Ruby way. I still
19
+ # have ways to go.
20
+ #
17
21
 
18
22
  module Dvash
19
23
 
@@ -30,7 +34,7 @@ module Dvash
30
34
  # A command-line interface using OptionParser
31
35
  #
32
36
  OptionParser.new do |opts|
33
- opts.banner = "Dvash 0.0.8 ( http://www.github.com/codemunchies/dvash )\n"
37
+ opts.banner = "Dvash 0.0.9 ( http://www.github.com/codemunchies/dvash )\n"
34
38
  opts.banner += "Usage: dvash [options]"
35
39
  #
36
40
  # Option to set an alternate configuration file
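Review bot: the version string "0.0.9" is hand-edited here and again in dvash.gemspec and the gem metadata. Define it once, for example as `Dvash::VERSION` in lib/dvash.rb (already in the file list), and interpolate it into `opts.banner` and the gemspec so the three copies cannot drift apart on the next release.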
@@ -18,7 +18,16 @@ module Dvash
18
18
  #
19
19
  # Block the client IP address using ipfw binaries set in the configuration file
20
20
  #
21
- system("#{@@cfgfile['ipfw']['ipfw']} -q add deny src-ip #{address}")
21
+ if IPAddr.new("#{address}").ipv4? then
22
+ system("#{@@cfgfile['ipfw']['ipfw']} -q add deny all from #{address} to any")
23
+ end
24
+
25
+ #
26
+ # Block the client IP address using ip6fw binaries set in the configuration file
27
+ #
28
+ if IPAddr.new("#{address}").ipv6? then
29
+ system("#{@@cfgfile['ipfw']['ip6fw']} -q add deny all from #{address} to any")
30
+ end
22
31
  end
23
32
 
24
33
  end
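Review bot: `address` is still interpolated into a single shell string passed to `system`, so the block depends entirely on the caller having validated it; prefer the argument-list form `system(@@cfgfile['ipfw']['ipfw'], '-q', 'add', 'deny', 'all', 'from', address, 'to', 'any')` so no shell ever parses the value. Parse the address once (`ip = IPAddr.new(address)`; the `"#{address}"` interpolation is redundant) and rescue the error `IPAddr.new` raises on a malformed string (`ArgumentError`, or `IPAddr::InvalidAddressError` on newer Rubies), otherwise an unparseable peer address crashes the forked handler instead of being logged. Also confirm that `require 'ipaddr'` is present in this file or in one loaded before it.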
@@ -4,10 +4,25 @@ module Dvash
4
4
 
5
5
  def block_ip(address)
6
6
  #
7
- # Windows 7 and newer compatible
8
- # Blackholes the client IP address by sending traffic to a non-existing gateway
7
+ # Windows XP/Server 2003 compatible but we don't have a way to determine
8
+ # what version of Windows is running, so we assume the newer versions
9
9
  #
10
- system("route add #{address} mask 255.255.255.255 10.255.255.255 if 1 -p")
10
+ # system("route add #{address} mask 255.255.255.255 10.255.255.255 metric 1 -p")
11
+
12
+ #
13
+ # Windows 7/Server 2008 and newer compatible (IPv4)
14
+ # Blackholes the client IP address by routing traffic to a null route
15
+ #
16
+ if IPAddr.new("#{address}").ipv4? then
17
+ system("route add #{address} mask 255.255.255.255 10.255.255.255 if 1 -p")
18
+ end
19
+
20
+ #
21
+ # Windows 7/Server 2008 and newer compatible (IPv6)
22
+ # Blackholes the client IP address by routing traffic to localhost
23
+ #
24
+ if IPAddr.new("#{address}").ipv6? then
25
+ system("netsh interface ipv6 add route #{address} \"Local Area Connection\" ::1")
11
26
  end
12
27
 
13
28
  end
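Review bot: the interface is hard-coded twice, as `if 1` for the IPv4 route and as the adapter name "Local Area Connection" for the IPv6 route; interface index 1 is not guaranteed to be the same adapter on every host and the English adapter name varies by machine and locale, so read the interface from the configuration file the way the ipfw binaries are, and check the return value of `system` so a failed `route`/`netsh` call is logged instead of silently leaving the host unblocked. The XP/Server 2003 command now survives only as a commented-out line; either keep it behind an OS-version check or remove it rather than leaving dead code in the method.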
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dvash
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.8
4
+ version: 0.0.9
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -68,9 +68,11 @@ files:
68
68
  - lib/dvash.rb
69
69
  - dvash.gemspec
70
70
  - Gemfile
71
+ - README.md
71
72
  - bin/dvash
72
73
  homepage: http://github.com/codemunchies/dvash
73
- licenses: []
74
+ licenses:
75
+ - GPL-3
74
76
  post_install_message:
75
77
  rdoc_options: []
76
78
  require_paths: