This project will assume that you have already completed the preceding project (Transcoder), as details regarding environment set-up, documentation and testing are not included in this project page. You will be expected to write tests and documentation whilst working on this project.
Port scanning is common in security audits and penetration tests. It involves checking which ports are open or closed on a given target (or a list/range of targets).
You are required to modify the port scanner project, so it is able to scan for a new piece of malware, known as Wyhdah. This is a previously unseen piece of malware that has been found on the target machine. The malware works by opening a port on the infected machine that can be used for command control - i.e. it gets messages from the creator and then acts upon these messages.
When connected to one of these infected ports, the client will receive a special message of:
57 65 6c 63 6f 6d 65 20 74 6f 20 57 79 64 61 68
This message is used to identify it. The malware has only opened up one of the following port numbers: \(37000, 37102, 37204, 37306, 37408, 37510, 37612, 37714\) or \(37816\) which are also useful for scanning.
Using the Linux terminal in the left-hand pane, you can use the nmap command to scan the open and closed ports of a target. For example, a port scan can be executed on www.coventry.ac.uk using the following terminal command:
$ nmap www.coventry.ac.uk -Pn -sT -F
You may be required to install this tool in the virtual machine or your local machine (running Linux), to do this use the command:
$ sudo apt install nmap
Upon executing the command an output similar to below will be displayed:
$ nmap www.coventry.ac.uk -Pn -sT -F
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-24 10:08 BST
Nmap scan report for www.coventry.ac.uk (104.18.28.61)
Host is up (0.045s latency).
Other addresses for www.coventry.ac.uk (not scanned): 104.18.29.61 2606:4700::6812:1d3d 2606:4700::6812:1c3d
Not shown: 96 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
8443/tcp open https-alt
Nmap done: 1 IP address (1 host up) scanned in 3.34 seconds
From the excerpt above, you can see that it reports four ports are open: \(80, 443, 8080, 8443\) what it suspects they are for: http, https, http-proxy and https-alt, respectively. Using the nmap tool is something you will become familiar with when working within the cybersecurity domain. The tool consists of many options, and it would be wise to check the manual (man nmap).
There may be instances where nmap may not be useful and you require something more customised. For example, scanning for a zero-day attack, which nmap (as of writing) is unable to perform. In this instance, there may be a service that is running on one (or a range) of port(s) that can be compromised. For this, you will need to write your own scanning tool to find it and then exploit it.
To begin this project, you will need to clone the Port Scanner repository, which is available at the following URL:
https://github.coventry.ac.uk/CUEH/4061CEM_PortScanner/
You should create a fork of the repository first, and then clone it. This will create a local copy which enables you to make edits.
As Python is a popular programming language, there are a lot of libraries/modules available to help you achieve certain functionality with minimal effort. However, when you write code that rely upon these libraries/modules there may be instances where they do not exist on the target platform, or they are incompatible with other libraries/modules on the target system.
In this instance, a virtual environment is used. It is not like a virtual machine, a virtual environment is a directory that consists of a copy of the Python interpreter and libraries; and they are localised for that project only.
For this project, you will use a virtual environment. In order to enable this, you will need to create the new environment using the following command in the root directory of the repository 4061CEM_PortScanner:
$ python3 -m venv portscanner_venv
This action is only performed once, so there is no need to recall this action each time the project is worked upon. The only instance in which you would repeat this process is when the development machine has been changed.
To use the virtual environment, you need to activate it from within the root directory of the project using the following command:
$ . ./portscanner_venv/bin/activate
There is an extra period (.) at the start, this tells the shell to import the environment variables from within the file portscanner_venv/bin/activate/ into the current environment. This action may need to be repeated each time you begin working on the project.
When it comes to using the particular libraries/modules required for this project, you can install them using the following command:
(portscanner_venv) $ pip install -r requirements.txt
or
(portscanner_venv) $ python3 -m pip install -r requirements.txt
Before the dollar symbol ($) is (portscanner_venv); this denotes that you are working inside the virtual environment.
pip is the Python package installer, and it will read the contents of requirements.txt and download/install the libraries/modules that are listed within it. This action is only performed once, so there is no need to recall this action each time the project is worked upon. The only instance in which you would repeat this process is when the development machine has been changed, or if you have added libraries/modules to the file.
Included as part of the project is a Makefile. This file consists of functions that the make command can read and execute in the terminal. This file will not be discussed in-depth, but it enables you to set up the virtual environment and install requirements with ease by using two commands:
$ make venv
This will create the virtual environment, and once activated you can install the pre-requisite libraries and modules by using:
$ make prereqs
The project utilises a Docker container, called harbourmaster_target. The container has been uploaded to 'dockerhub', therefore you only require to use the following command to run it:
$ docker run -t --name target csx239/harbourmaster_target:latest
The provided Makefile also has a command to clean up any existing versions and start a new one of the docker image:
$ make start_target
When running the image, the target machine will show its IP address and run some services, this machine will be useful for checking that the port scanner works correctly.
When the repository has been cloned to your machine, it will be in a working state; but with similar functionality to the nmap tool. The source code of src/harbourmaster.py imports some functionality from src/h_sockets.py. You can manually view the source of sockets.py to understand its functionality, or view the documentation using the make docs command.
The source code of harbourmaster.py consists of a fixed target $172.17.0.24. If you want it to try it on something other than the target machine in the docker (or the target machine is running a different IP address) you will need to change the target variable. The code also consists of a fixed range of ports (range('1, 100')). Executing the harbourmaster.py file will get an output similar to:
$ python3 src/harbourmaster.py
1: Closed
2: Closed
3: Closed
4: Closed
5: Closed
... (more closed ports, removed to shorten the page)
20: Closed
21: Closed
22: Open - Data Received
SSH-2.0-OpenSSH_7.6pl Ubuntu-4ubuntu0.3
23: Closed
24: Closed
25: Closed
26: Closed
27: Closed
... (more closed ports, removed to shorten the page)
76: Closed
77: Closed
78: Closed
79: Closed
80: Open
81: Closed
... (more closed ports, removed to shorten the page)
99: Closed
From the excerpt above, you can see that two ports were open in the range of \(1\) to \(99\): \(22\) and \(80\). You can look these up on the internet to see what these ports might be used for.
For this task, you will need to modify the current port scanner. Currently, a scan is performed between the range of 1 and 99. Instead, the scanner needs to scan the range of ports that the Wydah malware uses and for each one display either: "Closed", "Open: Non-Wydah" or "Wydah Malware Detected". Here is an example of the intended output:
22: Open: Non-Wydah (SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3)
80: Open: Non-Wydah
37816: Wydah Malware Detected (57 65 6c 63 6f 6d 65 20 74 6f 20 57 79 64 61 68)
You will need to check the data that is sent back and compare that with what you know the Wydah server will send on connection, showing an appropriate message for the user.
The ability to scan a single host is useful, but if we have to maintain a set of machines it can be time-consuming. For this task, you need to modify the code so it accepts a series of addresses from the command line:
$ ./harbourmaster.py 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4
Any number of the hosts could be included in this command, and the bash ability can be used to expand the sequences. A numeric range on the command line can be given as \({1..10}\) and this becomes \(1 2 3 4 5 6 7 8 9 10\). This can be used for IP address ranges, i.e. \(192.168.{0..255}.{0.255}\).
The function test_port() takes a parameter called poke. This parameter is used to tell the function to send something to the port upon a successful connection. This can be used to trigger a response from some services.
In the project repository is another implementation: src/web_scan.py. Try running this, ensuring that you set the target variable to point towards the IP address of the docker container. Notice that this implementation can interact with the web server sockets as it can send a request and capture the output:
$ python3 src/webscan.py
80: Open: (response follows)
HTTP/1.1 200 OK
Date: Sat, 08 Aug 2020 18:07:27 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Thu, 30 Jul 2020 13:07:29 GMT
ETag: "19b-5aba85ac0e640"
Accept-Ranges: bytes
Content-Length: 411
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
<html>
<head><title>Wydah</title></head>
<body>
<iframe width="560" height="315"
src="https://www.youtube.com/embed/TZw4M1yHta8"
frameborder="0" allow="accelerometer; autoplay; encrypted-media;
gyroscope; picture
Using the extra parameter it is possible to interact with the Wydah malware. For example, if you send it the command SHADOW it will try and send back the /etc/shadow file from the host it is on. This file contains the hashes of the user account passwords.
Your tasked with trying to make the scanner send this command to any open port. It would be useful to store the information to a log file. So implement a method to open a file and write the result of any successful interactions with a Wydah-infected host.
TCP/IP Ports and Sockets Explained. (2021, April 14). Steve’s Internet Guide. http://www.steves-internet-guide.com/tcpip-ports-sockets/
House, N. (2020, August 17). Nmap Cheat Sheet. Station X. https://www.stationx.net/nmap-cheat-sheet/
Service Name and Transport Protocol Port Number Registry. (2021, August 18). Iana. https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml