

IDS/IPS Testing with EICAR

The following script attempts to submit the common malware test string EICAR on multiple ports so that an IDS/IPS system can alert on it. It can be used to test how well an IDS picks up malware signatures that are visible on the wire.

# IMPORTS
import socket
import httplib,urllib
import ftplib
import telnetlib

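# The EICAR test string (68 bytes): a harmless, industry-standard signature
# that AV/IDS engines are expected to detect. It is written as a raw string
# because the payload contains a backslash ("\P"), which is not a valid Python
# escape sequence and only survived by accident in a normal string literal.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
############# CONFIGURATION #############
# Host that receives every probe. Loopback by default, so the script only
# generates traffic towards a listener you control.
IP = "127.0.0.1"
############# END OF CONF #############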


def info():
    """Print the banner: tool name, supported protocols and the ports probed."""
    banner = [
        "[+] Multi-Protocol EICAR tester by Y",
        "[+] contact : If you know me then give me a shout",
        "[+] Supports - HTTP, FTP, TELNET, SSL , TCP , UDP , DNS",
        "[+] NOTE: Set NC listener on specific ports between the hosts and DIS and watch IDS alerting on protocols",
        "[+] Following ports are used: 21(TCP),23(TCP),25(TCP),100(UDP),80(TCP),22(TCP),443(TCP),53(UDP)",
    ]
    # Single-argument print() behaves the same under Python 2 and 3.
    for line in banner:
        print(line)

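def sendHTTP(data,target,port):
    """Send the test payload over plain HTTP using several request methods.

    One request is issued per method: HEAD, GET, PUT and DELETE carry the
    payload in the request line, POST carries it form-encoded in the body.
    The response of each request is consumed before the next one is sent;
    httplib refuses a second request on a connection whose response is still
    pending, so without that read only the first method ever reaches the wire.

    Args:
        data: payload to put on the wire (callers pass the EICAR string).
        target: hostname or IP of the HTTP listener.
        port: TCP port of the listener.

    Failures are printed, never raised: a listener that refuses or drops the
    connection must not abort the remaining probes of the run.
    """
    try:
        print "[+] Sending HTTP request"
        conn = httplib.HTTPConnection(target, port)
        try:
            for method in ("HEAD", "GET", "POST", "PUT", "DELETE"):
                print "\t " + method
                try:
                    if method == "POST":
                        params = urllib.urlencode({'eicar': data})
                        headers = {"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}
                        conn.request("POST", "", params, headers)
                    else:
                        conn.request(method, data)
                    # Drain the response so the connection is reusable for
                    # the next method (see docstring).
                    conn.getresponse().read()
                except Exception as err:
                    # Report instead of silently swallowing, and drop the
                    # socket so the next request opens a fresh connection
                    # (HTTPConnection reconnects automatically).
                    print "\t   %s not sent: %s" % (method, err)
                    conn.close()
        finally:
            conn.close()
    except Exception as e:
        print "[-] Unable to send HTTP data due to : ",e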
    
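def sendFTP(data,target,port):
    """Send the payload as one raw line on the FTP control channel.

    ftplib's connect() reads the server greeting first; putline() then writes
    `data` followed by CRLF. The connection is closed on every path, including
    when the server rejects or drops it.

    Args:
        data: payload to send as a single control-channel line.
        target: hostname or IP of the FTP listener.
        port: TCP port of the listener.
    """
    try:
        print "[+] Sending FTP request"
        ftp = ftplib.FTP()
        try:
            ftp.connect(target, port)
            ftp.putline(data)  # single EICAR request: "<data>\r\n"
        finally:
            # Safe even when connect() failed: sock/file are still None.
            ftp.close()
    except Exception as e:
        print "[-] Unable to send FTP data due to : ",e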
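def sendTelnet(data,target,port):
    """Write the payload to a listener through telnetlib.

    Uses the `data` argument rather than the module-level EICAR constant so
    any payload can be tested. The Telnet object connects in its constructor;
    the connection is closed even if the write fails.

    Args:
        data: payload to write.
        target: hostname or IP of the listener.
        port: TCP port of the listener.
    """
    try:
        print "[+] Sending TELNET request"
        tn = telnetlib.Telnet(target, port)
        try:
            tn.write(data)
        finally:
            tn.close()
    except Exception as e:
        print "[-] Unable to send TELNET data due to : ",e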

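def sendSMTP(data,target,port):
    """Replay a minimal SMTP transaction carrying the payload in the DATA body.

    Every command is CRLF-terminated as SMTP requires, and the message body is
    closed with the "<CRLF>.<CRLF>" terminator, so a real MTA (or an IDS that
    decodes SMTP) sees a well-formed session instead of one concatenated blob.
    Server replies are not read: this is a one-way wire test. The payload is
    taken from `data`, not from the module-level EICAR constant.

    Args:
        data: message body; must not itself contain a line that is a lone "."
            (no dot-stuffing is performed).
        target: hostname or IP of the SMTP listener.
        port: TCP port of the listener.
    """
    try:
        print "[+] Sending SMTP request"
        tn = telnetlib.Telnet(target, port)
        try:
            session = (
                "HELO localhost",
                "MAIL FROM: root@localhost",
                "RCPT TO: root@localhost",
                "DATA",
                data,
                ".",      # end-of-data marker
                "QUIT",
            )
            for line in session:
                tn.write(line + "\r\n")
        finally:
            tn.close()
    except Exception as e:
        print "[-] Unable to send SMTP data due to : ",e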
    
def sendSSH(data,targer,port):
    """Not implemented: placeholder for an SSH probe, currently a no-op.

    The second parameter is spelled `targer` in the original signature; it is
    kept as-is so existing callers are unaffected.
    """

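def sendSSL(data,target,port):
    """Send the test payload over HTTPS using several request methods.

    Same request sequence as sendHTTP (HEAD, GET, POST, PUT, DELETE) but the
    connection is wrapped in TLS, so the payload is encrypted on the wire and
    only an IDS that can decrypt the session (or an endpoint agent) will see
    it; a non-intercepting IDS staying quiet here is the expected result.
    Each response is consumed before the next request, because httplib will
    not send a second request while a response is pending.

    Args:
        data: payload to put on the wire (callers pass the EICAR string).
        target: hostname or IP of the HTTPS listener.
        port: TCP port of the listener.
    """
    try:
        print "[+] Sending HTTPS request"
        # NOTE(review): whether httplib verifies the server certificate depends
        # on the interpreter version; a self-signed test listener may therefore
        # be rejected and reported below. Verification is not disabled here.
        conn = httplib.HTTPSConnection(target, port)
        try:
            for method in ("HEAD", "GET", "POST", "PUT", "DELETE"):
                print "\t " + method
                try:
                    if method == "POST":
                        params = urllib.urlencode({'eicar': data})
                        headers = {"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}
                        conn.request("POST", "", params, headers)
                    else:
                        conn.request(method, data)
                    # Drain the response so the next request can be issued.
                    conn.getresponse().read()
                except Exception as err:
                    # Report and reset the connection; HTTPSConnection will
                    # reconnect on the next request.
                    print "\t   %s not sent: %s" % (method, err)
                    conn.close()
        finally:
            conn.close()
    except Exception as e:
        print "[-] Unable to send HTTPS data due to : ",e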
    
def sendICMP(data,target):
    """Not implemented: placeholder for an ICMP-payload probe, currently a no-op."""

def sendRCP(data,target,port):
    """Not implemented: placeholder for an RPC/SMB-style probe, currently a no-op."""

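def sendTCP(data,target,port):
    """Open a TCP connection to target:port and push the raw payload.

    Args:
        data: payload to send; sendall() is used so a short write cannot
            silently truncate it (send() may write only part of the buffer).
        target: hostname or IP to connect to.
        port: port number, anything int() accepts.

    The socket is closed on every path; errors are printed, not raised.
    """
    try:
        print "[+] Sending TCP data "
        # NOTE: this is process-wide, not per-socket. It is kept on purpose:
        # sockets created later in the same run inherit the 4 s timeout
        # instead of blocking indefinitely on an unresponsive listener.
        socket.setdefaulttimeout(4)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect((target, int(port)))
            s.sendall(data)
        finally:
            s.close()
    except Exception as e:
        print "[-] Unable to send TCP data due to : ",e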

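def sendUDP(data,target,port):
    """Send one UDP datagram carrying the payload to target:port.

    UDP is connectionless, so a missing listener is not detected here (at most
    an ICMP unreachable arrives afterwards). The socket is always closed.

    Args:
        data: payload for the datagram.
        target: hostname or IP of the listener.
        port: UDP port number.
    """
    try:
        print "[+] Sending UDP data "
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.sendto(data, (target, port))
        finally:
            sock.close()
    except Exception as e:
        print "[-] Unable to send UDP data due to : ",e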

def sendNETBIOS(data,target,port):
    """Not implemented: placeholder for a NetBIOS probe, currently a no-op."""

def sendDNS(data,target,port):
    """Send the payload to the DNS port as a plain UDP datagram.

    No DNS message is built: the payload is handed to sendUDP unchanged (the
    author's "dirty trick"), which already reports its own failures. The
    outer handler only guards against an unexpected error in the call itself.
    """
    try:
        print "[+] Sending DNS request "
        sendUDP(data, target, port)
    except Exception as e:
        print "[-] Unable to send DNS data due to : ",e


def end():
    """Print the closing hint that the IDS logs should now be reviewed."""
    message = "Done, now review IDS logs for each protocol"
    print(message)

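def start_test():
    """Run every implemented probe against IP, one protocol per well-known port.

    The order follows the banner printed by info(). sendTCP sets the
    process-wide socket timeout, so the probes after it inherit a 4 s limit.
    sendICMP, sendRCP, sendNETBIOS and sendSSH are still stubs and stay
    commented out until they are implemented. The DNS probe is sent once;
    the former second call after the TODO block was a duplicate.
    """
    info()

    sendFTP(EICAR, IP, 21)
    sendTelnet(EICAR, IP, 23)
    sendSMTP(EICAR, IP, 25)
    sendUDP(EICAR, IP, 100)
    sendHTTP(EICAR, IP, 80)
    sendTCP(EICAR, IP, 22)
    sendSSL(EICAR, IP, 443)
    sendDNS(EICAR, IP, 53)

    #TODO:
    #Protocol play ( these are HPING2 wrappers )
    #sendICMP(EICAR,'192.168.2.79')
    #sendRCP(EICAR, '192.168.2.79', 445)
    #sendNETBIOS(EICAR, '192.168.2.79', 139)
    #sendSSH(EICAR, '192.168.2.79', 22)

    end()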
    
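# Run the test only when executed as a script, so the probe functions can be
# imported elsewhere without immediately generating traffic.
if __name__ == "__main__":
    start_test()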
