IDS/IPS Testing with EICAR
January 26, 2012
The following script submits the EICAR anti-virus test string over several protocols and ports so that an IDS/IPS sitting on the path between this host and the target can be checked for alerts. It can be used to test how well an IDS picks up malware-like content seen on the wire. Note that EICAR is a benign, standardised test signature rather than real malware, that encrypted traffic (HTTPS) is invisible to an IDS unless it terminates or decrypts TLS, and that the script should only be pointed at hosts you are authorised to test.
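#!/usr/bin/env python3
"""Multi-protocol EICAR sender for exercising IDS/IPS signatures.

Pushes the EICAR anti-virus test string over several protocols and ports so
that an IDS/IPS sitting between this host and the target can be checked for
alerts.  The target is meant to be a lab box running ``nc`` listeners (or real
services) on the ports listed by ``info()``.  EICAR is harmless by design, but
only point this at hosts you are authorised to test.

Things a tester should know before trusting the results:

* HTTPS is encrypted end to end.  An IDS without TLS termination/decryption
  sees only ciphertext, so ``sendSSL`` exercises inspecting proxies only.
  Certificate verification is disabled there on purpose because the target is
  a throw-away listener -- do not copy that context into anything real.
* ``sendFTP`` first tries an anonymous ``STOR`` so the string crosses the data
  channel as file content, then falls back to the control channel, and finally
  to a bare TCP write when nothing speaks FTP on the port.
* ``sendDNS`` sends the bare string over UDP/53 (not a DNS message) *and* a
  well-formed query whose QNAME carries the string in <=63-byte labels.
* Every socket carries ``TIMEOUT`` so a filtered port cannot hang the run.

Ported to Python 3: the original used ``httplib``/``telnetlib``/``print``
statements and no longer runs on a maintained interpreter.  The public
function names, their positional parameters and the ``IP``/``EICAR``
constants are unchanged; senders now return a truthy result on success.
"""
import ftplib
import http.client
import io
import socket
import ssl
import struct
import sys
import urllib.parse

# The EICAR test string.  Raw literal: the original "\P" was an (accidental)
# invalid escape that Python kept as a backslash; r"..." makes that explicit.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_BYTES = EICAR.encode("ascii")

############# CONFIGURATION #############
IP = "127.0.0.1"
TIMEOUT = 4  # seconds, applied per socket (the original set a global default)
############# END OF CONF #############


def to_bytes(data):
    """Return *data* as bytes; str payloads are encoded 1:1 with latin-1."""
    if isinstance(data, bytes):
        return data
    return str(data).encode("latin-1")


def info():
    """Print the banner and the port map the senders use."""
    print("[+] Multi-Protocol EICAR tester by Y")
    print("[+] contact : If you know me then give me a shout")
    print("[+] Supports - HTTP, FTP, TELNET, SMTP, SSL , TCP , UDP , DNS")
    print("[+] NOTE: Set NC listener on specific ports between the hosts and IDS and watch IDS alerting on protocols")
    print("[+] Following ports are used: 21(TCP),23(TCP),25(TCP),100(UDP),80(TCP),22(TCP),443(TCP),53(UDP)")


def tcp_send(payload, target, port, label):
    """Open a TCP connection, write *payload*, close.

    Returns True when the bytes were written, False (after printing the
    error) otherwise.  The socket is always closed, including on error --
    the original ``sendTCP`` leaked it when ``connect`` raised.
    """
    try:
        with socket.create_connection((target, int(port)), timeout=TIMEOUT) as sock:
            sock.sendall(payload)
        return True
    except OSError as exc:
        print("[-] Unable to send %s data due to : %s" % (label, exc))
        return False


def build_http_requests(payload):
    """Return the (method, path, body, headers) tuples used to carry *payload*.

    HEAD/GET/DELETE put the string in the request target, prefixed with "/"
    so the request line is well formed (the original sent the bare string as
    the target).  POST is sent twice: url-encoded, as before, and as a raw
    text/plain body, because url-encoding rewrites "%", "!", "$" and friends
    and a signature for the literal string cannot match the encoded form.
    """
    text = payload.decode("latin-1")
    target = "/" + text
    form_body = urllib.parse.urlencode({"eicar": text})
    form_headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    raw_headers = {"Content-type": "text/plain"}
    return [
        ("HEAD", target, None, {}),
        ("GET", target, None, {}),
        ("POST", "/", form_body, form_headers),
        ("POST", "/", payload, raw_headers),
        ("PUT", target, payload, raw_headers),
        ("DELETE", target, None, {}),
    ]


def send_http_plan(make_conn, payload, label):
    """Issue every request from build_http_requests() on its own connection.

    http.client refuses a second request() until the previous response has
    been read; the original reused one connection and swallowed that error
    with a bare ``except: pass``, so only HEAD ever reached the wire.  A
    fresh connection per method sidesteps that state machine.  The response
    is deliberately not read: a bare nc listener never answers and the
    request bytes are already sent.  A transport-level error (refused,
    timeout, TLS failure) will repeat for every method, so the loop stops
    on the first one.  Returns the number of requests written.
    """
    sent = 0
    for method, path, body, headers in build_http_requests(payload):
        print("\t %s" % method)
        conn = make_conn()
        try:
            conn.request(method, path, body, headers)
            sent += 1
        except http.client.HTTPException as exc:
            print("[-] %s %s failed: %s" % (label, method, exc))
        except OSError as exc:
            print("[-] Unable to send %s data due to : %s" % (label, exc))
            break
        finally:
            conn.close()
    return sent


def sendHTTP(data, target, port):
    """Send *data* over plain HTTP using every verb in build_http_requests()."""
    print("[+] Sending HTTP request")

    def make_conn():
        return http.client.HTTPConnection(target, int(port), timeout=TIMEOUT)

    return send_http_plan(make_conn, to_bytes(data), "HTTP")


def sendSSL(data, target, port):
    """Same as sendHTTP but over TLS.

    Only an IDS that terminates or decrypts TLS can match anything here.
    Verification is switched off because the lab target is self-signed or a
    bare listener; never reuse this context for real traffic.
    """
    print("[+] Sending HTTPS request")
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE

    def make_conn():
        return http.client.HTTPSConnection(target, int(port), timeout=TIMEOUT, context=context)

    return send_http_plan(make_conn, to_bytes(data), "HTTPS")


def sendFTP(data, target, port):
    """Send *data* over FTP, preferring the data channel.

    Order of attempts:
    1. anonymous login + ``STOR eicar.com`` (string travels as file content);
    2. the string as one line on the control channel (what the original did);
    3. a bare TCP write, for listeners that never send an FTP banner (the
       original blocked forever here because ``FTP()`` had no timeout).
    Returns True if any attempt wrote the bytes.
    """
    print("[+] Sending FTP request")
    payload = to_bytes(data)
    ftp = ftplib.FTP(timeout=TIMEOUT)
    try:
        ftp.connect(target, int(port))
    except (OSError, EOFError, ftplib.Error) as exc:
        print("[-] No FTP banner (%s); falling back to a raw TCP write" % exc)
        return tcp_send(payload, target, port, "FTP")
    try:
        try:
            ftp.login()  # anonymous
            ftp.storbinary("STOR eicar.com", io.BytesIO(payload))
            print("\t stored eicar.com via the data channel")
        except (OSError, EOFError, ftplib.Error):
            # No anonymous upload: push the line down the control channel
            # without waiting for a reply (putline appends CRLF).
            ftp.putline(payload.decode("latin-1"))
            print("\t sent on the control channel only")
        return True
    except (OSError, EOFError, ftplib.Error) as exc:
        print("[-] Unable to send FTP data due to : ", exc)
        return False
    finally:
        ftp.close()


def sendTelnet(data, target, port):
    """Write *data* to the telnet port.

    telnetlib is deprecated (removed in 3.13); the original negotiated nothing
    before writing, so a plain TCP write puts the same bytes on the wire.
    """
    print("[+] Sending TELNET request")
    return tcp_send(to_bytes(data), target, port, "TELNET")


def build_smtp_session(payload):
    """Return the byte stream of a minimal SMTP session carrying *payload*.

    Every command is CRLF-terminated and the DATA section ends with the
    ``<CRLF>.<CRLF>`` terminator.  The original wrote the commands with no
    line endings at all, so an MTA never saw them as separate commands and
    the string never sat inside a message body.  The whole session is sent
    without waiting for replies (keeps an nc listener from stalling the run;
    a strict MTA may drop such an "early talker", but the bytes are on the
    wire either way).  The payload is assumed not to start with "." and not
    to contain line breaks, which holds for EICAR.
    """
    lines = [
        b"HELO localhost",
        b"MAIL FROM:<root@localhost>",
        b"RCPT TO:<root@localhost>",
        b"DATA",
        b"",
        payload,
        b".",
        b"QUIT",
    ]
    return b"\r\n".join(lines) + b"\r\n"


def sendSMTP(data, target, port):
    """Send *data* as the body of a minimal SMTP message."""
    print("[+] Sending SMTP request")
    return tcp_send(build_smtp_session(to_bytes(data)), target, port, "SMTP")


def sendSSH(data, target, port):
    """Placeholder: no SSH sender is implemented (start_test uses sendTCP on 22)."""
    return False


def sendICMP(data, target):
    """Placeholder: ICMP needs raw sockets / hping2; not implemented."""
    return False


def sendRCP(data, target, port):
    """Placeholder: not implemented."""
    return False


def sendNETBIOS(data, target, port):
    """Placeholder: not implemented."""
    return False


def sendTCP(data, target, port):
    """Write *data* to a raw TCP port (no protocol framing)."""
    print("[+] Sending TCP data ")
    return tcp_send(to_bytes(data), target, port, "TCP")


def sendUDP(data, target, port):
    """Send *data* as a single UDP datagram; the socket is closed afterwards."""
    print("[+] Sending UDP data ")
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(to_bytes(data), (target, int(port)))
        return True
    except OSError as exc:
        print("[-] Unable to send UDP data due to : ", exc)
        return False


def dns_labels(payload):
    """Split *payload* into DNS labels of at most 63 bytes (RFC 1035 limit)."""
    return [payload[i:i + 63] for i in range(0, len(payload), 63)]


def build_dns_query(payload, txid=0x1337):
    """Return a well-formed DNS "A" query whose QNAME carries *payload*.

    Header: id, flags 0x0100 (recursion desired), QDCOUNT 1.  The name is the
    payload split into <=63-byte labels followed by the root label, then
    QTYPE=A (1), QCLASS=IN (1).  A protocol-aware IDS therefore parses a real
    query rather than an unframed blob.  Because a length byte separates the
    labels, a signature for the *contiguous* string only matches the raw send
    that sendDNS also performs.  Total name length is not checked against the
    255-byte limit; EICAR (68 bytes) is well inside it.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in dns_labels(payload)) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def sendDNS(data, target, port):
    """Send *data* to the DNS port twice: raw (as the original did) and framed.

    Returns True only if both datagrams were written.
    """
    print("[+] Sending DNS request ")
    payload = to_bytes(data)
    raw_ok = sendUDP(payload, target, port)  # the original "dirty trick"
    framed_ok = sendUDP(build_dns_query(payload), target, port)
    return raw_ok and framed_ok


def end():
    """Print the closing hint."""
    print("Done, now review IDS logs for each protocol")


def start_test(target=IP):
    """Run every implemented sender against *target*, in the original order.

    Returns a dict of "PROTO/port" -> result so a caller can see which sends
    actually went out.  The duplicated sendDNS call in the original run list
    has been dropped.
    """
    info()
    results = {
        "FTP/21": sendFTP(EICAR, target, 21),
        "TELNET/23": sendTelnet(EICAR, target, 23),
        "SMTP/25": sendSMTP(EICAR, target, 25),
        "UDP/100": sendUDP(EICAR, target, 100),
        "HTTP/80": sendHTTP(EICAR, target, 80),
        "TCP/22": sendTCP(EICAR, target, 22),
        "HTTPS/443": sendSSL(EICAR, target, 443),
        "DNS/53": sendDNS(EICAR, target, 53),
    }
    # TODO: protocol play (hping2 wrappers) -- not implemented:
    #   sendICMP(EICAR, target)
    #   sendRCP(EICAR, target, 445)
    #   sendNETBIOS(EICAR, target, 139)
    #   sendSSH(EICAR, target, 22)
    end()
    return results


if __name__ == "__main__":
    # The original ran at import time; guard it so the module can be imported.
    # Optional override: python eicar_test.py 192.0.2.10   (defaults to IP)
    start_test(sys.argv[1] if len(sys.argv) > 1 else IP)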