Asmodeus Security Scanner - Current Release Notes

Asmodeus Beta Release 1.04

PC Magazine uses Asmodeus, along with many other freeware and commercial tools, to test the integrity of firewalls and other products. Look for Asmodeus in the "Best Products of 1997" issue and the upcoming firewall review.

Also, I would like to thank everyone who has been helping me test the software. To date, Asmodeus has been downloaded OVER 20,000 times!

The following was added in release 1.04:

* IfSrcPort/IfDestPort no longer substring match. It's an exact match or nothing at all. Port "23" is port "23", NOT port "4230", etc.
* LogAppSegment() with the $SESSION_ID identifier NOW correctly names all the capture files, AND only logs IP frames, so you WON'T get weird files with convoluted names...
* Counters are added so you know how well your scan is doing (yeah! about time...).
* You can start/stop both the sniffer and the parsing/script engine at any time. This is handy when you are on a busy network and you're logging tons of data. (Wow, that's a novel good idea, isn't it...) (Phat!)
* Significant amounts of changes to the framework (mainly, using Windows messaging between threads and new buffer chaining in the sniffer). This is internal and you won't notice it on the outside, except that sniffing performance and reliability have increased a great deal. Because of all the framework changes, there may be some new evil bugs waiting (especially centered around the MFC MessageMap crap). IF you get any access violations, be sure to write down the address for me... I can cross-reference it in my debugger.
If you really care, shoot me over the core file if you have it.
* The ping sweep mechanism has been changed a bit. If you're scanning over a PPP modem link, you should find this new version to be TONS better at detecting hosts. If you're scanning on a local LAN, the ping sweep may appear to be slower (taking up to 30-60 seconds to complete, rather than only 10-20). Take note that it IS more reliable, and has been catered somewhat to PPP dialup performance.
* The asmodeus.ini file is not used in this release. You cannot put your own script files in the drag and drop window. The reason is that the scripting language itself is going through a major overhaul right now. If you need to have this functionality, use release 1.031 instead.

Previously added in release 1.031:

* Added system() command to pass commands to the shell.
* Added IfSrcPort() and IfDestPort() to test the TCP port of a sniffed packet.
* Added LogAppSegment(), which sniffs a unique session. Useful for telnet session snooping. (Works with all protocols, but port numbers are not valid for non-TCP-based traffic.)
* Also! I increased the size of the packet buffer (yay), so you should be able to capture entire packets on most ethernet segments.

Download Now

---==*> Asmodeus Release 1.04 beta <*==---

[Greg Hoglund]

The following issues are still on the burner:

You can't print more than the first page... that's because I used MFC for the printing portion and I didn't implement it right. I'll get to it.

If a script file goes haywire, or the paths aren't decompressed properly, you WILL get insane numbers of modal dialog boxes in your face... hey, it's a debug version. I throw chow at the slightest sign of trouble, but don't fret. I'll probably have a little more time than usual to work on it soon.

Oh, I discovered something interesting about Lophtcrack 2.0. If you install the packet driver that comes with it, it will replace the one I wrote for Asmodeus. Imagine that. AND, Asmodeus still works with the new one!
(It doesn't go the other way, however.) I guess we both used the same sources. Can you say DDK? Good to know the two apps co-exist pleasantly... it's a good pair.

Why:

How come, when I turn the sniffer off, packets keep coming in for a few seconds? Isn't the sniffer shut down immediately?

If you turn the sniffer off, it DOES shut down immediately. The reason you may continue to get packets on the monitor is that the sniffer and the LED monitor run in different threads. The sniffer thread's ONLY purpose in life is to service the interrupt on the ethernet card, grab packets as fast as it can, and drop them into a buffer chain. A dispatcher thread then grabs each packet and processes it, passing the data off to the scripting engine and the LED panel and updating various counters. The sniffer thread can capture many, many packets in the time it takes the dispatcher or the scripting engine to process just one packet. SO, the buffer chain can fill up "ahead" of the rest of the engine; when the sniffer is shut down, the rest of the engine continues to process what's left in the buffer chain, hence the remaining few seconds of activity.

Using this App

There are a million ways you can configure this program, but let me suggest a few:

* Page your alphanumeric pager if that hacker tries to telnet to your new Alpha server
* Drop a log of every NetBIOS name broadcast on your network
* Scan your class C network, and if a host has port 139 open, send a BSOD just to see if it works
* Scan a small country overnight, and spawn perl scripts against certain host:port pairs
* See every HTTP request on your network (whoopee)
* See every HTTP request from the guy in the next cubicle (maybe a little more interesting)
* Log the entire telnet session for anyone coming from that ISP downtown
* If you see a hostile packet, log it and send a synflood back to the originating source IP
* Do all of this while sleeping, or out on the town, or having a real life..
because this is all automated and runs in the dark.

Download History

Asmodeus has gone through several revisions within the last 2 months. You can download any of the following versions for testing:

* Asmodeus Release 1.0 beta
* Asmodeus Release 1.02 beta
* Asmodeus Release 1.03 beta
* Asmodeus Release 1.031 beta
* Asmodeus Release 1.04 beta

[Greg Hoglund]

Tuning

Windows NT 4.0 with Service Pack 3 can be choked if ping sweeps are issued too fast. Starting with version 1.04, Asmodeus has the ability to meter the speed at which a ping sweep loads the stack. This greatly increases both reliability and speed. Massive loading on the stack gives local LAN scans the "blazing speed" but basically prevents any type of PPP dialup scan from performing at all. Metering is better.

Speeding things up

Go ahead and press the Tune button. This allows you to change settings. If you are scanning your local IP domain, then select the local defaults. These are very fast, and you need to make sure you have a Pentium with 64 megs of RAM, otherwise you will peg your meter. If you are on a T-1 and you want to scan remote domains, you can get away with setting your timeout value to 10000-15000 ms. The timeout value greatly impacts the speed of your scan. If you trim the timeout value down very small, you will still detect ports on remote machines, but you will fail to grab the banners (returned data) from those ports. Sometimes this is OK if you're just browsing through. A setting of 5000 ms summons a very fast scan, with little banner data actually captured. The exception is your local domain: 5000 ms is a good timeout for very close networks, or networks that are connected via high speed links.

Max Sockets: This is the other setting that will really reflect upon your speed. You can keep pushing the max sockets until you start getting 10055 errors (Out of Buffer Space; Winsock's WSAENOBUFS). These will pop up in your scan results. On my system with 64 megs, I can run 2500 max sockets.
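The timeout-versus-banner trade-off and the Max Sockets cap described above, as an added example that is not Asmodeus code: a Python probe run against a constructed local listener that only writes its banner after a short delay, the way a daemon on a slow link does. The banner text, the delay, the port numbers and the demo's results are all constructed for this example; the 10055 code is Winsock's WSAENOBUFS, which is what the scanner reports as "Out of Buffer Space".

```python
"""Added example (not Asmodeus code): the two Tune knobs from the text,
recv timeout and a cap on simultaneous sockets, exercised against a
constructed local listener that sends its banner only after a delay."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

BANNER = b"220 mail.example.test ESMTP ready\r\n"  # constructed sample banner
BANNER_DELAY = 0.3  # seconds the fake daemon waits before writing it


def start_slow_banner_server():
    """Listen on an ephemeral 127.0.0.1 port; each client gets BANNER after BANNER_DELAY."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)

    def handle(conn):
        time.sleep(BANNER_DELAY)
        try:
            conn.sendall(BANNER)
        except OSError:
            pass  # the scanner already gave up and closed its side
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host, port, timeout_s):
    """One Asmodeus-style probe: connect, then wait up to timeout_s for a banner.

    Returns ("open", banner_bytes); ("open", b"") when the port answered but the
    banner did not arrive in time; ("closed", None); ("filtered", None) on a
    connect timeout; or ("error", errno) for stack errors such as Winsock 10055
    (WSAENOBUFS) when Max Sockets has been pushed too high."""
    s = socket.socket()
    s.settimeout(timeout_s)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return ("filtered", None)
    except ConnectionRefusedError:
        s.close()
        return ("closed", None)
    except OSError as exc:
        s.close()
        return ("error", exc.errno)
    try:
        data = s.recv(1024)
    except socket.timeout:
        data = b""  # port detected, banner lost: the "trimmed timeout" case
    except OSError:
        data = b""
    finally:
        s.close()
    return ("open", data)


def sweep(host, ports, timeout_s, max_sockets):
    """Probe many ports with at most max_sockets connections outstanding at once."""
    with ThreadPoolExecutor(max_workers=max_sockets) as pool:
        results = pool.map(lambda p: probe(host, p, timeout_s), ports)
        return dict(zip(ports, results))


def demo():
    """Same open port probed with a short and a long timeout, plus a closed port."""
    srv, open_port = start_slow_banner_server()
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more, so connects are refused
    try:
        return {
            "short": probe("127.0.0.1", open_port, 0.05),  # shorter than BANNER_DELAY
            "long": probe("127.0.0.1", open_port, 2.0),    # longer than BANNER_DELAY
            "sweep": sweep("127.0.0.1", [open_port, closed_port], 2.0, 2),
            "open_port": open_port,
            "closed_port": closed_port,
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the 0.05 s timeout the port is reported open but the banner comes back empty, which is exactly the "trimmed timeout" result the text warns about; with 2 s the banner is captured. Raising max_sockets lets more probes run at once until the stack refuses new sockets, and probe() surfaces that as ("error", errno) in the results rather than aborting the sweep.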
On the Pro System at work, with 128 megs, 5000 sockets are easy. It REALLY HAULS with 5000 sockets and a 5000 ms timeout!!!

Scripting

As of version 0.22 alpha, there is now the ability to create your own scripts. This will allow you to run your own custom checks against target hosts. This first version of the language is very simple and only supports a few commands. Included in the Asmodeus download is a sample script file. It is called "default.spn". This is the default script file that is called every single time Asmodeus captures a banner from a target host. You can use this script file to post data to each database node.

Just for your drool factor, however, know that I have the skeleton code in place for an actual abstract stack machine, a real compiler, with support for conditional looping, variables, the whole works... The Asmodeus program is going to start getting command-line friendly, nice for those admins out there who want to use this with perl and the like.

For example, if I telnet to port 23 on a Linux box, and it reports "Linux version 1.6", I can write a function that checks for the substrings "Linux" and "1.6" and posts data back saying something like "Possible LD_ environment exploit - telnetd - remote root". The default.spn script has examples and should be fairly self explanatory.

The default.spn script is used to check against the data retrieved at the current node. Keep in mind that Asmodeus will be handling hundreds of these nodes at any one time, so this script file shouldn't really be playing .wav files or doing other time-intensive things.

Here is a rundown of the commands:

# a hash mark indicates a comment. Anything after the hash is ignored until we encounter a newline.

IfCompare(substring){function block};

    IfCompare("ZPOP") {
        PostChild("Post Office software.com Zmail", 4);
        ExpandThis();
    }

This command will compare the substring against the banner retrieved at the current node. If the substring is located, then the block is executed.
Else, it is skipped. As always, function blocks can be nested within one another.

PostChild(string to be posted, icon number);

    PostChild("Post Office software.com Zmail", 4);

PostChild is fairly simple. It posts information to the database tree. It does not use a function block. You can change the icon used to represent this data; try values between 1 and 7. Another version of this command is PostParent. PostParent is exactly the same, except that it posts the data to the parent node.

ExpandThis();

    ExpandThis();

Expands the current node so all children are visible. This is very handy. It operates only in the context of the current node.

PrintLED(string);

    PrintLED("-------------=Microsoft ==Windows ==System == == =------------");

This is a cool little function. It prints whatever data you want to the LED sign. Keep in mind the number of characters you are passing; alignment is crucial here. If you play with the command you will get the idea. See the examples in the default.spn file. Also, note that if you pass more characters than will fit on the sign at once, the sign will actually cycle through the entire string, giving you a sort of rudimentary ASCII animation.

PlaySnd(filename.wav);

    PlaySnd("mushroom.wav");

This is something you would want to use sparingly. Make sure your .wav file is in the same directory as Asmodeus. The thread is blocked until the .wav file has completed, so this would slow you down A LOT if you had sound everywhere. However, it is very handy when you are running huge scans and you need to be alerted to a particular detail of some kind.

The last thing to note: the scripting is very sensitive to mistakes. I have tried to do my best to catch typos and mis-aligned function blocks, but if you type a bunch of garbage into a script file, Asmodeus isn't going to like it. So watch your coding very carefully. If Asmodeus does find weird stuff, it tries to report it to you, and it also will make a backup of your database in case something goes haywire.
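The command rundown above, together with the release 1.04 exact-match rule for IfSrcPort/IfDestPort from the release notes, as an added example that is not Asmodeus code: a small Python interpreter for scripts written in the documented .spn forms. The grammar is assumed from the examples on this page (the scanner's own parser is not published), SAMPLE_SCRIPT is constructed in the style of default.spn rather than being the shipped file, and side-effecting commands such as PlaySnd() and system() are recorded instead of executed.

```python
"""Added example, not Asmodeus code: an interpreter for the .spn script language as this
page documents it.  The real grammar is unpublished; this one assumes '#' comments,
Name(args); statements and Name(args){ ... } blocks, with the 1.04 exact-port rule."""
import re

_TOKEN = re.compile(r'\s+|#[^\n]*|(?P<str>"(?:[^"\\]|\\.)*")|(?P<num>\d+)'
                    r'|(?P<id>[A-Za-z_]\w*)|(?P<punct>[(){};,])|(?P<bad>.)')


def tokenize(src):
    """Split script text into (kind, value) tokens; comments and whitespace are dropped."""
    tokens = []
    for m in _TOKEN.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind == "bad":
            raise SyntaxError("unexpected character %r at offset %d" % (text, m.start()))
        if kind == "str":
            tokens.append(("str", text[1:-1].replace('\\"', '"')))
        elif kind == "num":
            tokens.append(("num", int(text)))
        elif kind in ("id", "punct"):
            tokens.append((kind, text))
    return tokens


def parse(tokens):
    """Recursive descent: returns a list of (name, args, block_or_None) statements."""
    pos = 0

    def peek(punct):
        return pos < len(tokens) and tokens[pos] == ("punct", punct)

    def expect(kind, value=None):
        nonlocal pos
        if pos >= len(tokens) or tokens[pos][0] != kind or value not in (None, tokens[pos][1]):
            raise SyntaxError("expected %s at token %d" % (value or kind, pos))
        pos += 1
        return tokens[pos - 1][1]

    def statement():
        nonlocal pos
        name, args = expect("id"), []
        expect("punct", "(")
        while not peek(")"):  # arguments are quoted strings or integers
            args.append(expect("num" if pos < len(tokens) and tokens[pos][0] == "num" else "str"))
            if peek(","):
                pos += 1
        expect("punct", ")")
        if not peek("{"):
            expect("punct", ";")
            return (name, args, None)
        pos += 1
        body = block()
        expect("punct", "}")
        if peek(";"):  # both '}' and '};' are accepted after a block
            pos += 1
        return (name, args, body)

    def block():
        stmts = []
        while pos < len(tokens) and not peek("}"):
            stmts.append(statement())
        return stmts

    stmts = block()
    if pos != len(tokens):
        raise SyntaxError("unmatched '}' at token %d" % pos)
    return stmts


def run(script, banner, src_port=None, dest_port=None):
    """Evaluate a script against one node and return the actions it requested, in order,
    e.g. ("PostChild", text, icon).  Actions are recorded, never performed, so
    PlaySnd/system/LogAppSegment do not execute here."""
    actions = []

    def exec_block(stmts):
        for name, args, body in stmts:
            if name in ("IfCompare", "IfSrcPort", "IfDestPort"):
                if body is None or len(args) != 1:
                    raise SyntaxError("%s takes one argument and a {block}" % name)
                if name == "IfCompare":
                    hit = str(args[0]) in banner  # substring match against the banner
                else:
                    port = src_port if name == "IfSrcPort" else dest_port
                    hit = port is not None and str(port) == str(args[0])  # exact: 23 is not 4230
                if hit:
                    exec_block(body)
            elif name in ("PostChild", "PostParent"):
                if len(args) != 2 or args[1] not in range(1, 8):
                    raise ValueError("%s needs (text, icon number 1..7)" % name)
                actions.append((name, str(args[0]), args[1]))
            elif name in ("ExpandThis", "PrintLED", "PlaySnd", "system", "LogAppSegment"):
                actions.append((name,) + tuple(args))
            else:
                raise NameError("unknown command %s" % name)

    exec_block(parse(tokenize(script)))
    return actions


SAMPLE_SCRIPT = r'''# constructed sample in the style of default.spn, not the shipped file
IfCompare("Linux") {
    IfCompare("1.6") {
        PostChild("Possible LD_ environment exploit - telnetd - remote root", 3);
        PrintLED("-----= Linux 1.6 telnetd =-----");
    }
    PostParent("Linux host", 2);
}
IfCompare("ZPOP") { PostChild("Post Office software.com Zmail", 4); ExpandThis(); }
IfSrcPort(23) { PostChild("telnet banner", 1); }   # port 23 only, never 4230
'''
```

run() returns what the script asked to post instead of writing to a tree, so the same function can be exercised against a banner, a sniffed source port, or a deliberately broken script: a missing closing brace raises SyntaxError before anything executes, which is the behaviour the "very sensitive to mistakes" paragraph describes. Because a banner is data chosen by the remote host, anything a script does with it, system() above all, is operating on untrusted input and deserves the same care as any other shell command built from network data.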
Documentation List

There is no documentation other than what comes with the compressed package, and what is located on this web site.

Known Problems

Insane numbers of dialog boxes in my face: Make sure you have packets.spn, default.spn, and asmodeus.ini in the same directory as the asmodeus binary, AND make sure you have a Captures subdirectory. That said, everything should be OK. It SHOULD decompress this way by default, but some people don't have PKUnzip set up to do that (the archive's directory entries have to be restored when it is unzipped, which is PKUNZIP's -d switch).

Only prints one page: Yep yep yep... it's on the list...

Video Mode: Asmodeus doesn't like 640x480 mode. If you use this mode, it's just not going to work out for you. You need 800x600. I will try to install scrollbars in a future version.

Network Load: Please be advised that Asmodeus can generate extreme network load for a short period of time. I have tested the program extensively upon my own networks with no apparent service loss. However, I have received at least one report where the administrator appeared to DoS his own network with Asmodeus. The TCP scan will generate logs, and it is quite obvious that you have been scanned. If the network you are scanning is sensitive, you may want to exercise caution and use moderate performance settings.

Response to Asmodeus

It seems that the general response to this program has been very positive. Significant interest in a fully working version is being demonstrated by university and military sites, who would like to scan their networks for vulnerabilities. A new version that supports a more robust database and scanning system will be out soon.
I believe all of the criticism has been constructive, except maybe once or twice ;)

Exploit Archive by OS

------------------------------------------------------------------------
6/30/97  4:42 PM          Aix
6/30/97  4:42 PM          Bios
6/30/97  4:42 PM          BSD
6/30/97  4:43 PM          crack-scan
6/30/97  4:43 PM          Crypt
6/30/97  4:43 PM          DEC
6/30/97  4:43 PM          Dictionaries
6/30/97  4:43 PM          dont_know
6/30/97  4:43 PM          HP
6/30/97  4:43 PM          IP_toolz
6/30/97  4:43 PM          Irix
6/30/97  4:45 PM          linux
6/30/97  4:45 PM          NeXT
6/30/97  4:45 PM          NT
6/30/97  4:45 PM          Routers
6/18/97  3:19 AM  23139   security_holes_by_os_1994,txt
6/30/97  4:46 PM          shell_toolz
6/30/97  4:46 PM          slowaris
6/30/97  4:46 PM          SunOS
6/30/97  4:46 PM          ultrix
6/30/97  4:46 PM          web_java
6/30/97  4:46 PM          Win95
6/30/97  4:46 PM          Xnix
------------------------------------------------------------------------

History

The following are journal entries, and are in the context of the date they were written.

Aug 2, 1997

Version 0.22 alpha. The next big step was creating a scripting language so users could configure their own scans, etc. As of this release, the scripting language is very simple. It supports about 5 commands, nested function blocks, and function parameters. Using this release, a user can post data to any node in the database, run substring comparisons on any data (banners) retrieved from the target hosts, and print data to the LED sign. There is also a command to play a .wav file. This is only the beginning. Further releases will give hooks into the socket engine to allow actual exploits to be written. Also, an attempt was made to repair the "could not set recv timeout" error that some users were reporting.

-------------

- Some Personal Notes -

Well, I just got back from DefCon 5. I finally got to see DT again after 6 years. I met Veggie and The Hobbit and some other faces. It was fun, and I got some good exposure for Asmodeus. So far I have had good feedback. Check this... my friends and I flipped our Dodge Intrepid on the way down.
We were going over 100 miles an hour, in Nevada, right outside Area 51 (Nellis), and we flipped it on the freeway at 1:30 AM. It was totalled, and one of our 4 gig drives went sailing. One of our party (the driver) has a new handle... RabbitSlayer. Figure that one out. The people at the Con got a laugh out of it... we were only an hour outside of Vegas when we wrecked. Believe it or not, nobody was hurt, not even a bruise. The car was upside down over a 15 foot embankment. A few hours later the ambulances came and we threw all of our computer equipment into the back of the ambulance. We then rode the rest of the way to DefCon. I think we had the most unique method to get to the Con... it was quite a story.

July 4, 1997

As stated above, I rewrote the socket functions. This really sped the system up. The GUI is a bit different now. Lastly, Asmodeus is a bit more user friendly.

I spent a few days working on the code. I changed the entire structure of the scanning engine. Namely, I converted the system over to Winsock 2. Also, I changed the way jobs are handled. Now Asmodeus runs with fewer threads, but more work is done per thread. With the most aggressive settings, Asmodeus can complete a class C scan in about 15-30 seconds (an obvious improvement from the last version).

The GUI is written using MFC. The rest is all Win32 with calls to the Winsock 2 library. Data is stored in a couple of hash tables. Stacks are used when serializing data for loading or saving from disk. Threads are synchronized using critical sections. Event objects are used with the sockets to increase speed. The scanning engine relies heavily on multithreading and overlapped I/O. Lastly, I have put crucial sections within try/except blocks, so if something goes awry, you can save your data and exit gracefully.

-------------

June 1997

For those of you that know me... well, you know I've been screwin' around with this for a while.
Well, I seem to be emerging from the drunken haze of the last few months, as characterized by a single night spent at coffee. I wrote the meanest scanning engine I've ever seen. Soon to be implemented, I might add. This should bring the speed of our fiend, Asmodeus, to about 30 seconds to scan a class C. I am porting all of my Tiamat code over also, which will allow Asmodeus to perform all manner of clever Denial of Service attacks... now, I know you'll be responsible, right? To top it off, I have a few fresh remote root exploits for you too.

-------------

January 27, 1997

Version 0.7 old

I did significant amounts of work on the core threading code. This baby rocks. Now you can specify to Asmodeus which IP address you would like to TCP port scan. The scan is SHIT FAST. The tree-list database is completely functional, serializes to disk, and reloads when you start/restart the program. Make sure to click on SAVE before exiting. I fixed yet another memory leak, so the little cool graphic panel doesn't update right now. It's not really used yet, so I'm not worried about it.

What's important is that, on my NT Server machine, using a 28.8 modem, I am able to scan an ENTIRE class C address space in about 10-15 minutes or less. The code is designed for my machine right now, so my O/S runs at a solid 47-48 MB of consumed RAM during the entire scan. With Asmodeus shut down, it runs about 20+ megs, so Asmodeus eats a good chunk. I have a hard coded limit of 200 simultaneous threads, which is a lot. If your machine doesn't have at least 32 megs of RAM you might crash trying to run this baby. A future version will have user configurable performance options.

Also, my screen is 1280x1024, so I might not have the splitter windows arranged correctly for your display. You can drag them to fit for now. If the little sound effects bug you, you can delete the .wav files. A future version will have all this configurable.

That REAL NEATO TOY is the TCP BURST SCAN.
This will initiate a scan on an entire class C address range. Try it out; like I said, I can complete one in about 10-15 minutes. Let me know how it runs on your machine configuration. hoglund@ieway.com. Happy Hunting!

-Greg Hoglund

All material copyright © 1997 Greg Hoglund - all rights reserved [hoglund@ieway.com]
------------------------------------------------------------------------