[Asmodeus Security Scanner]

Topics
   * Using the program
   * Old Downloads
   * Scripting
   * Documentation
   * Bugs
   * Response
   * Exploit Archive
   * History
   Cool Stuph
   * Rootshell
   * Attack XRef
   * Geek-Girl
   * Fyodor's 'sploits
   * Hrvoje Crvelin's 'sploit archive (Phat!)

Current Release Notes
Asmodeus Beta Release 1.04
  ------------------------------------------------------------------------
NEWS

PC Magazine uses Asmodeus, along with many other freeware and commercial tools, to test the
integrity of firewalls and other products. Look for Asmodeus in the "Best products of 1997"
issue, and the upcoming Firewall review.

Also, I would like to thank everyone who has been helping me test the software. To date, Asmodeus has
been downloaded OVER 20,000 times!

The following was added in release 1.04:

   * IfSrcPort/IfDestPort no longer substring match. It's an exact match or nothing at all. Port
     "23" is port "23", NOT port "4230".
   * LogAppSegment() with the $SESSION_ID identifier NOW correctly names all the capture files, AND
     only logs IP frames, so you WON'T get weird files with convoluted names.
   * Counters are added so you know how well your scan is doing (yeah! about time...).
   * You can start/stop both the sniffer and the parsing/script engine at any time. This is handy when
     you are on a busy network and you're logging tons of data. (Wow, that's a novel good idea, isn't
     it...)
   * Significant changes to the framework (mainly, using Windows messaging between threads
     and new buffer chaining in the sniffer). This is internal and you won't notice it on the outside,
     except that sniffing performance and reliability have increased a great deal. Because of all the
     framework changes, there may be some new evil bugs waiting (especially centered around the MFC
     MessageMap crap). IF you get any access violations, be sure to write down the address for me; I
     can cross reference it in my debugger. If you really care, shoot me over the core file if you have
     it.
   * The ping sweep mechanism has been changed a bit. If you're scanning over a PPP modem link, you
     should find this new version to be TONS better at detecting hosts. If you're scanning on a local
     LAN, the ping sweep may appear to be slower (taking up to 30-60 seconds to complete, rather than
     only 10-20). Take note that it IS more reliable, and has been catered somewhat to PPP dialup
     performance.
   * The asmodeus.ini file is not used in this release. You cannot put your own script files in the
     drag and drop window. The reason is that the scripting language itself is going through a major
     overhaul right now. If you need this functionality, use release 1.031 instead.

Previously added in release 1.031:

   * Added system() command to pass commands to the shell
   * Added IfSrcPort() and IfDestPort() to test the TCP port of a sniffed packet
   * Added LogAppSegment(), which sniffs a unique session. Useful for telnet session snooping. (Works
     with all protocols, but port numbers are not valid for non-TCP traffic.)
   * Also! I increased the size of the packet buffer (yay), so you should be able to capture entire
     packets on most ethernet segments.

Download Now

---==*> Asmodeus Release 1.04 beta <*==---
[Greg Hoglund]

The following issues are still on the burner: You can't print more than the first page... that's
because I used MFC for the printing portion and I didn't implement it right... I'll get to it. If a
script file goes haywire, or the paths aren't decompressed properly, you WILL get insane numbers of
modal dialog boxes in your face... hey, it's a debug version. I throw chow at the slightest sign of
trouble, but don't fret; I'll probably have a little more time than usual to work on it soon. Oh, I
discovered something interesting about Lophtcrack 2.0: if you install the packet driver that comes
with it, it will replace the one I wrote for Asmodeus... imagine that. AND, Asmodeus still works with
the new one! (doesn't go the other way, however). I guess we both used the same sources. Can you say
DDK? Good to know the two apps co-exist pleasantly... it's a good pair.

Why: How come, when I turn the sniffer off, do packets keep coming in for a few seconds? Isn't the
sniffer shut down immediately? If you turn the sniffer off, it DOES shut down immediately. The reason
you may continue to get packets on the monitor is that the sniffer and the LED monitor run in different
threads. The sniffer thread's ONLY purpose in life is to service the interrupt on the ethernet card,
grab the packets as fast as it can, and drop them into a buffer chain. A dispatcher thread then grabs
each packet and processes it, passing the data off to the scripting engine and the LED panel, and updating
various counters. The sniffer thread can capture many, many packets in the time it takes the dispatcher
or the scripting engine to process just one packet, SO the buffer chain can fill up "ahead" of the
rest of the engine. When the sniffer is shut down, the rest of the engine continues to process
what's left in the buffer chain, hence the remaining few seconds of activity.
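The effect just described, reproduced as an added example in Python (this is not the scanner's code; Asmodeus is a Win32/MFC program and its buffer chain is not published on this page). A sniffer thread that does nothing but enqueue feeds a dispatcher thread that pays a per-frame cost, a queue stands in for the buffer chain, and the frame contents and the 0.5 ms cost are constructed for the demonstration. Turning the sniffer off stops new frames at once; the dispatcher still works through whatever was already chained.

```python
import queue
import threading
import time

# Added example, not Asmodeus code: the two-thread layout described above, with a queue
# standing in for the buffer chain. Frame contents and per-frame costs are constructed.
STOP = object()                           # sentinel: nothing more will arrive on the chain

class CaptureEngine:
    def __init__(self, per_frame_cost=0.0005):
        self.chain = queue.Queue()
        self.processed = []
        self.backlog_at_stop = None       # frames still on the chain when capture stopped
        self.processed_after_stop = 0     # frames the dispatcher handled after that moment
        self.burst_done = threading.Event()
        self._sniffer_off = threading.Event()
        self._stopped = threading.Event()
        self._lock = threading.Lock()
        self._cost = per_frame_cost
        self._threads = []

    def _sniffer(self, frames):
        """Cheap per frame: grab it and drop it on the chain, nothing else."""
        try:
            for frame in frames:
                if self._sniffer_off.is_set():
                    break
                self.chain.put(frame)
        finally:
            self.burst_done.set()

    def _dispatcher(self):
        """Expensive per frame: parse, run the script engine, update the LED and counters."""
        while True:
            with self._lock:              # dequeue and read the stop flag atomically
                try:
                    frame = self.chain.get_nowait()
                except queue.Empty:
                    frame = None
                after_stop = self._stopped.is_set()
            if frame is None:
                time.sleep(self._cost)
                continue
            if frame is STOP:
                return
            time.sleep(self._cost)        # stands in for the real per-frame work
            self.processed.append(frame)
            if after_stop:
                self.processed_after_stop += 1

    def start(self, frames):
        self._threads = [threading.Thread(target=self._sniffer, args=(frames,)),
                         threading.Thread(target=self._dispatcher)]
        for t in self._threads:
            t.start()

    def stop_sniffer(self):
        """Turn capture off now; whatever is already on the chain still gets processed."""
        self._sniffer_off.set()
        self._threads[0].join()           # no more puts after this point
        with self._lock:
            self.backlog_at_stop = self.chain.qsize()
            self._stopped.set()
            self.chain.put(STOP)

    def wait(self):
        self._threads[1].join()
        return len(self.processed)

def demo(n=200):
    """Capture a burst of n constructed frames, turn the sniffer off, let the chain drain."""
    frames = [(1024 + i, 23, b"frame %d" % i) for i in range(n)]   # (src, dst, payload)
    eng = CaptureEngine()
    eng.start(frames)
    eng.burst_done.wait()                 # the burst is on the chain long before the dispatcher
    eng.stop_sniffer()                    # gets through it; now "turn the sniffer off"
    return eng.wait(), eng.backlog_at_stop, eng.processed_after_stop

if __name__ == "__main__":
    total, backlog, after = demo()
    print("processed %d frames; %d were still chained at stop, %d handled after it"
          % (total, backlog, after))
```

The number of frames handled after the stop equals the backlog measured at the stop, never more: nothing new is captured once the sniffer is off, and the "extra" activity is only the dispatcher draining the chain. Taking the dequeue and the stop-flag read under one lock is what makes that count exact; without it a frame pulled off the chain just before the snapshot could be mis-attributed to the post-stop period.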

Using this App
There are a million ways you can configure this program, but let me suggest a few:

   * Page your alphanumeric pager if that hacker tries to telnet to your new alpha server
   * Drop a log of every netbios name-broadcast on your network
   * Scan your class C network, and if a host has port 139 open, send a BSOD just to see if it works
   * Scan a small country overnight, and spawn perl scripts against certain host:port pairs
   * See every http request on your network (woopee)
   * See every http request from the guy in the next cubicle (maybe a little more interesting)
   * Log the entire telnet session for anyone coming from that ISP downtown
   * If you see a hostile packet, log it and send a synflood back to the originating source IP
   * do all of this while sleeping, or out on the town, or having a real life.. because this is all
     automated and runs in the dark.

Download History
Asmodeus has gone through several revisions within the last 2 months. You can download any of the
following versions for testing:

Asmodeus Release 1.0 beta
Asmodeus Release 1.02 beta
Asmodeus Release 1.03 beta
Asmodeus Release 1.031 beta
Asmodeus Release 1.04 beta
[Greg Hoglund]

Tuning
Windows NT 4.0 with service pack 3 can be choked if ping sweeps are issued too fast. Starting with
version 1.04, Asmodeus has the ability to meter the speed at which a ping sweep loads the stack. This
greatly increases both reliability and speed. Massive Loading on the stack gives local LAN scans the
"blazing speed" but basically prevents any type of PPP dialup scan from performing at all. Metering is
better.

Speeding things up: Go ahead and press the Tune button. This allows you to change settings. If you are
scanning your local IP domain, then select the local defaults. These are very fast and you need to make
sure you have a Pentium with 64 megs of RAM, otherwise you will peg your meter.

If you are on a T-1 and you want to scan remote domains, you can get away with setting your timeout value
to 10000-15000 ms. The timeout value greatly impacts the speed of your scan. If you trim the timeout
value down very small, you will still detect ports on remote machines, but you will fail to grab the
banners (returned data) from those ports. Sometimes this is OK if you're just browsing through. A setting of
5000 ms summons a very fast scan, with little banner data actually captured. The exception is your
local domain. 5000 ms is a good timeout for very close networks, or networks that are connected via high
speed links.

Max Sockets: This is the other setting that will really affect your speed. You can keep pushing
the max sockets up until you start getting 10055 errors (WSAENOBUFS, out of buffer space). These will show
up in your scan results. On my system with 64 megs, I can run 2500 max sockets. On the Pro system at work,
with 128 megs, 5000 sockets are easy. It REALLY HAULS with 5000 sockets and a 5000 ms timeout!!!
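What the timeout and Max Sockets knobs trade off, as an added example in Python (not the scanner's own engine, which is Win32/Winsock 2 code not shown on this page). A connect scan with a semaphore as the socket cap, a per-attempt pacing interval standing in for the metered sweep, and a constructed local target that accepts the connection at once but sends its banner only after a delay, the way a service on the far end of a slow link does. The short timeout still reports the port open but comes back without the banner; the long one gets it. The 10.0.0.x-style banner text, the port states and the local server are all constructed here.

```python
import asyncio
import socket

# Added example, not Asmodeus code: a connect scan with the two Tune knobs discussed above
# (timeout, Max Sockets) and a pacing interval standing in for the metered sweep. The port
# states, the local slow-banner target and the banner text are constructed here.
async def grab(host, port, timeout, sem):
    """Connect, then wait up to `timeout` s for a banner -> (port, state, banner)."""
    async with sem:                               # Max Sockets: cap on concurrent connects
        try:
            reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
        except ConnectionRefusedError:
            return port, "closed", b""
        except (asyncio.TimeoutError, OSError):
            return port, "filtered", b""          # no answer inside the timeout
        try:
            banner = await asyncio.wait_for(reader.read(256), timeout)
        except asyncio.TimeoutError:
            banner = b""                          # port IS open; the banner just took too long
        finally:
            writer.close()
        return port, "open", banner

async def scan(host, ports, timeout, max_sockets, interval=0.0):
    """Scan `ports`; `interval` s between connection attempts meters the load on the stack."""
    sem, tasks = asyncio.Semaphore(max_sockets), []
    for port in ports:
        tasks.append(asyncio.create_task(grab(host, port, timeout, sem)))
        if interval:
            await asyncio.sleep(interval)
    return {port: (state, banner) for port, state, banner in await asyncio.gather(*tasks)}

async def slow_banner_server(banner, delay):
    """Constructed target: accepts the connect at once but sends its banner `delay` s later."""
    async def handle(reader, writer):
        try:
            await asyncio.sleep(delay)
            writer.write(banner)
            await writer.drain()
        except OSError:
            pass                                  # the impatient client already hung up
        finally:
            writer.close()
    return await asyncio.start_server(handle, "127.0.0.1", 0)

async def demo():
    """One open port scanned twice: the short timeout reports it open but loses the banner."""
    server = await slow_banner_server(b"Linux version 1.6 (constructed banner)\r\nlogin: ", 0.3)
    port = server.sockets[0].getsockname()[1]
    with socket.socket() as s:                    # a port nobody listens on: refused
        s.bind(("127.0.0.1", 0))
        closed_port = s.getsockname()[1]
    try:
        fast = await scan("127.0.0.1", [port, closed_port], timeout=0.05, max_sockets=64)
        patient = await scan("127.0.0.1", [port, closed_port], timeout=2.0, max_sockets=64,
                             interval=0.01)
    finally:
        server.close()
    return {"fast": fast[port], "patient": patient[port], "closed": patient[closed_port]}

def run_demo():
    return asyncio.run(demo())

if __name__ == "__main__":
    print(run_demo())
```

Two details matter in practice: the connect timeout and the banner-read timeout are separate decisions, and a port that connects but yields no banner should be recorded as open rather than dropped, which is exactly the "ports detected, banners missed" outcome the text describes for small timeouts. Raising max_sockets past what the stack can back with buffers is where the 10055 errors come from; the semaphore is the cap.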

Scripting
As of version 0.22 alpha, you can create your own scripts. This allows you to
run your own custom checks against target hosts. This first version of the language is very simple and
only supports a few commands. Included in the Asmodeus download is a sample script file called
"default.spn". This is the default script file that is called every single time Asmodeus captures a
banner from a target host. You can use this script file to post data to each database node. Just for
your drool factor, however, know that I have the skeleton code in place for an actual abstract stack
machine, a real compiler, with support for conditional looping, variables, the whole works. The
asmodeus program is going to start getting command-line friendly, nice for those admins out there who
want to use this with perl and the like.

     For example, if I telnet to port 23 on a linux box, and it reports "Linux version 1.6", I can
     write a function that checks for the substrings "Linux" and "1.6" and posts data back saying
     something like "Possible LD_ environment exploit - telnetd -remote root". The default.spn
     script has examples and should be fairly self explanatory.

The default.spn script is used to check against the data retrieved at the current node. Keep in mind
that Asmodeus will be handling hundreds of these nodes at any one time, so this script file shouldn't
really be playing .wav files or doing other time-intensive things. Here is a rundown of the commands:

# a hash mark indicates a comment. Anything after the hash is ignored until we encounter a newline

IfCompare(substring){function block};

IfCompare("ZPOP")
        {
          PostChild("Post Office software.com Zmail", 4);
          ExpandThis();
        }

This command compares the substring against the banner retrieved at the current node. If the
substring is found, the block is executed; otherwise it is skipped. As always, function blocks can
be nested within one another.

PostChild(string to be posted, icon number);

PostChild("Post Office software.com Zmail", 4);

PostChild is fairly simple. It posts information to the database tree. It does not use a function
block. You can change the icon used to represent this data; try values between 1 and 7. Another version
of this command is PostParent. PostParent is exactly the same except that it posts the data to the
parent node.

ExpandThis();

ExpandThis();

Expands the current node so all children are visible. This is very handy. It operates only in context
of the current node.

PrintLED(string);

PrintLED("-------------=Microsoft  ==Windows    ==System     ==           ==           =------------");

This is a cool little function. It prints whatever data you want to the LED sign. Keep in mind the
number of characters you are passing; alignment is crucial here. If you play with the command you will
get the idea. See the examples in the default.spn file. Also, note that if you pass more characters
than will fit on the sign at once, the sign will actually cycle through the entire string, giving you
a sort of rudimentary ASCII animation.

PlaySnd(filename.wav);

PlaySnd("mushroom.wav");

This is something you would want to use sparingly. Make sure your .wav file is in the same directory as
Asmodeus. The thread is blocked until the wav file has completed, so this would slow you down A LOT if
you had sound everywhere. However, it is very handy when you are running huge scans and you need to be
alerted to a particular detail of some kind.

The last thing to note: the scripting is very sensitive to mistakes. I have tried to do my best to
catch typos and mis-aligned function blocks, but if you type a bunch of garbage into a script file,
Asmodeus isn't going to like it. So watch your coding very carefully. If Asmodeus does find weird
stuff, it tries to report it to you, and it also makes a backup of your database in case something
goes haywire.
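The command set above, run end to end, as an added example: a small Python interpreter for the default.spn language (this is not the scanner's parser, which is not published on this page). It handles # comments, nested function blocks, IfCompare substring matching against the banner, PostChild and PostParent, ExpandThis, PrintLED and PlaySnd, plus IfSrcPort with the exact-match semantics of release 1.04 (IfDestPort would be the same test against the destination port). The tokenizer, the node tree, the recording of LED and sound calls instead of performing them, the src_port context, the constructed sample script and the 10.0.0.5:23 node are all this example's assumptions.

```python
import re

# Added example, not Asmodeus code: a tiny interpreter for the default.spn command set.
TOKEN_RE = re.compile(r'\s+|(?P<comment>#[^\n]*)|(?P<string>"[^"\n]*")|(?P<int>\d+)'
                      r'|(?P<name>[A-Za-z_]\w*)|(?P<punct>[(){};,])')

def tokenize(src):
    toks, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:                                   # "a bunch of garbage" -> refuse the script
            raise SyntaxError("garbage at offset %d: %r" % (pos, src[pos:pos + 10]))
        kind, text = m.lastgroup, m.group()         # kind is None for whitespace
        if kind == "string": toks.append(("string", text[1:-1]))
        elif kind == "int": toks.append(("int", int(text)))
        elif kind in ("name", "punct"): toks.append((kind, text))
        pos = m.end()
    return toks

class Parser:
    """Recursive descent over:   Name(args);   or   Name(args) { block } [;]"""
    def __init__(self, src): self.toks, self.i = tokenize(src), 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)
    def take(self, kind, value=None):
        tok = self.peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise SyntaxError("expected %s %r, got %r" % (kind, value, tok))
        self.i += 1
        return tok[1]
    def block(self, top=False):
        stmts = []
        while self.peek() not in (("eof", None), ("punct", "}")):
            stmts.append(self.statement())
        if top != (self.peek() == ("eof", None)):   # mis-aligned function blocks
            raise SyntaxError("unclosed '{' or stray '}'")
        return stmts
    def statement(self):
        name, args, body = self.take("name"), [], None
        self.take("punct", "(")
        while self.peek() != ("punct", ")"):
            kind = self.peek()[0]
            if kind not in ("string", "int"): raise SyntaxError("bad argument in %s()" % name)
            args.append(self.take(kind))
            if self.peek() == ("punct", ","): self.i += 1
        self.take("punct", ")")
        if self.peek() == ("punct", "{"):
            self.i += 1
            body = self.block()
            self.take("punct", "}")
        if self.peek() == ("punct", ";"): self.i += 1
        elif body is None: raise SyntaxError("missing ';' after %s()" % name)
        return name, args, body

class Node:                                         # one entry in the database tree
    def __init__(self, text, icon=1, parent=None):
        self.text, self.icon, self.parent = text, icon, parent
        self.children, self.expanded = [], False

class Engine:
    """Runs parsed statements against the current node and the data captured there.
    The node tree, the recording of LED/sound calls and the src_port context are assumptions."""
    def __init__(self, node, banner=b"", src_port=None):
        self.node, self.banner, self.src_port = node, banner, src_port
        self.led, self.sounds = [], []              # what PrintLED / PlaySnd would have done
    def run(self, stmts):
        for name, args, body in stmts or []:
            handler = getattr(self, "op_" + name, None)
            if handler is None: raise SyntaxError("unknown command %s()" % name)
            handler(args, body)
    def _post(self, target, args):
        text, icon = args
        if not 1 <= icon <= 7: raise ValueError("icon number must be 1..7")   # documented range
        target.children.append(Node(text, icon, target))
    def op_IfCompare(self, args, body):             # substring match on the banner
        if args[0].encode() in self.banner: self.run(body)
    def op_IfSrcPort(self, args, body):             # 1.04 semantics: exact match, 23 is not 4230
        if self.src_port == int(args[0]): self.run(body)
    def op_PostChild(self, args, body): self._post(self.node, args)
    def op_PostParent(self, args, body): self._post(self.node.parent or self.node, args)
    def op_ExpandThis(self, args, body): self.node.expanded = True
    def op_PrintLED(self, args, body): self.led.append(args[0])
    def op_PlaySnd(self, args, body): self.sounds.append(args[0])   # the real one blocks here

SAMPLE_SPN = '''# constructed script in the default.spn style
IfCompare("Linux") {
  IfCompare("1.6") {
    PostChild("Possible LD_ environment exploit - telnetd - remote root", 5);
    ExpandThis(); PrintLED("Linux 1.6 telnetd");
  }
  PostParent("Linux host", 2);
}
IfCompare("ZPOP") { PostChild("Post Office software.com Zmail", 4); }
IfSrcPort("23") { PlaySnd("mushroom.wav"); }
'''

def run_script(src, banner, src_port=None):
    root = Node("root")
    host = Node("10.0.0.5:23", parent=root)         # constructed node for the scanned host:port
    root.children.append(host)
    eng = Engine(host, banner, src_port)
    eng.run(Parser(src).block(top=True))
    return eng
```

Running run_script(SAMPLE_SPN, b"Linux version 1.6\r\nlogin: ", src_port=4230) posts the telnetd child under the host node, expands it, posts "Linux host" to the parent and writes one LED line, while the IfSrcPort("23") block stays quiet because 4230 is not 23. A script with an unclosed block, or with any character outside the grammar, is rejected with a SyntaxError before anything is posted, which is the safe way to handle the "watch your coding" failure mode rather than running half of it.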

Documentation List
There is no documentation other than what comes with the compressed package, and what is located on
this web site.

Known Problems

     Insane numbers of dialog boxes in my face: Make sure you have packets.spn, default.spn, and
     asmodeus.ini in the same directory as the asmodeus binary, AND, make sure you have a Captures
     subdirectory.. that said, everything should be OK... It SHOULD decompress this way by
     default, but some people don't have PKUnzip setup to do that...

     Only Prints one Page: Yep yep yep.. It's on the list...

     Video Mode: Asmodeus doesn't like 640x480 mode. If you use this mode, it's just not going to
     work out for you. You need 800x600. I will try to install scrollbars in a future version.

     Network Load: Please be advised that Asmodeus can generate extreme network load for a short
     period of time. I have tested the program extensively on my own networks with no apparent
     service loss. However, I have received at least one report where the administrator appeared
     to DoS his own network with Asmodeus. The TCP scan will generate logs, and it is quite obvious
     that you have been scanned. If the network you are scanning is sensitive, you may want to
     exercise caution and use moderate performance settings.

Response to Asmodeus

It seems that the general response to this program has been very positive. Significant interest in a
fully working version is being demonstrated by university and military sites, who would like to scan
their networks for vulnerabilities. A new version that supports a more robust database and scanning
system will be out soon. I believe all of the criticism has been constructive, except maybe once or
twice ;)

Exploit Archive by OS

  ------------------------------------------------------------------------

   6/30/97  4:42 PM        <dir> Aix
   6/30/97  4:42 PM        <dir> Bios
   6/30/97  4:42 PM        <dir> BSD
   6/30/97  4:43 PM        <dir> crack-scan
   6/30/97  4:43 PM        <dir> Crypt
   6/30/97  4:43 PM        <dir> DEC
   6/30/97  4:43 PM        <dir> Dictionaries
   6/30/97  4:43 PM        <dir> dont_know
   6/30/97  4:43 PM        <dir> HP
   6/30/97  4:43 PM        <dir> IP_toolz
   6/30/97  4:43 PM        <dir> Irix
   6/30/97  4:45 PM        <dir> linux
   6/30/97  4:45 PM        <dir> NeXT
   6/30/97  4:45 PM        <dir> NT
   6/30/97  4:45 PM        <dir> Routers
   6/18/97  3:19 AM        23139 security_holes_by_os_1994,txt
   6/30/97  4:46 PM        <dir> shell_toolz
   6/30/97  4:46 PM        <dir> slowaris
   6/30/97  4:46 PM        <dir> SunOS
   6/30/97  4:46 PM        <dir> ultrix
   6/30/97  4:46 PM        <dir> web_java
   6/30/97  4:46 PM        <dir> Win95
   6/30/97  4:46 PM        <dir> Xnix

  ------------------------------------------------------------------------

History
The following are journal entries, and are in context of the date they were written.

     Aug 2, 1997

     Version 0.22 alpha. The next big step was creating a scripting language so users could
     configure their own scans, etc. As of this release, the scripting language is very simple. It
     supports about 5 commands, nested function blocks, and function parameters. Using this
     release, a user can post data to any node in the database, run substring comparisons on any
     data (banners) retreived from the target hosts, and print data to the LED sign. There is also
     a command to play a .wav file. This is only the beginning. Further releases will give hooks
     into the socket engine to allow actual exploits to be written.

     Also, an attempt was made to repair the "could not set recv timeout" error that some users
     were reporting.

                                              -------------

     - Some Personal Notes -

          Well, I just got back from DefCon 5.. I finally got to see DT again after 6 years.
          I met Veggie and The Hobbit and some other faces. It was fun, and I got some good
          exposure for Asmodeus. So far I have had good feedback. Check this... my friends
          and I flipped our Dodge Intrepid on the way down. We were going over 100 miles an
          hour, Nevada, right outside Area 51 (Nellis) and we flipped it on the freeway, 1:30
          AM in the morning. It was totalled, and one of our 4 gig drives went sailing. One
          of our party (the driver) has a new handle... RabbitSlayer.. figure that one out.
          The people at the Con got a laugh out of it... we were only an hour outside of
           Vegas when we wrecked. Believe it or not, nobody was hurt, not even a bruise. The car
          was upside down over a 15 foot embankment. A few hours later the ambulances came
          and we threw all of our computer equipment into the back of the ambulance. We then
          rode the rest of the way to DefCon.. I think we had the most unique method to get
          to the Con.. it was quite a story.

     July 4, 1997

     As stated above, I rewrote the socket functions. This really sped the system up. The GUI is a
     bit different now. Lastly, Asmodeus is a bit more user friendly.

     I spent a few days working on the code. I changed the entire structure of the scanning
     engine. Namely, I converted the system over to Winsock 2. Also, I changed the way jobs are
     handled. Now Asmodeus runs with less threads, but more work is done per thread. With the most
     aggressive settings, Asmodeus can complete a Class C Scan in about 15-30 seconds (an obvious
     improvement from the last version). The GUI is written using MFC. The rest is all Win32 with
     calls to the Winsock 2 library. Data is stored in a couple of Hash Tables. Stacks are used
     when serializing data for loading or saving from disk. Threads are syncronized using critical
     sections. Event Objects are used with the sockets to increase speed. The scanning engine
     relies heavily on multithreading and Overlapped I/O. Lastly, I have put crucial sections
     within Try/Except blocks, so if something goes awry, you can save your data and exit
     gracefully.

                                              -------------

     June 1997

     For those of you that know me.. well, you know I've been screwin' around with this for a
     while.. Well, I seem to be emerging from the drunken haze of the last few months.. As
     characterized by a single night spent at coffee. I wrote the meanest scanning engine I've
     ever seen. Soon to be implemented I might add. This should bring the speed of our fiend,
     Asmodeus, to about 30 seconds to scan a Class C. I am porting all of my Tiamat code over
     also, which will allow Asmodeus to perform all manner of clever Denial of Service attacks..
     now, I know you'll be responsible, right? To top it off, I have a few fresh remote root
     exploits for you too.

                                              -------------

     January 27, 1997

     Version 0.7 old
     I did significant amounts of work on the core threading code. This baby rocks. Now you can
     specify to Asmodeus which IP Address you would like to TCP Port scan. The scan is SHIT FAST.
     The Tree-List Database is completely functional, serializes to disk, and reloads when you
     start/re-start the program. Make sure to click on SAVE before exiting. I fixed yet another
     memory leak, so the little-cool graphic panel doesn't update right now. It's not really used
     yet, so I'm not worried about it. What's important is that, on my NT Server machine, using a
     28.8 modem, I am able to scan an ENTIRE class C address space in about 10-15 minutes or less.

     The code is designed for my machine right now, so my O/S runs at a solid 47-48 Mb's of
     consumed RAM during the entire scan. With Asmodeus shut down, it runs about 20+ Megs, so
     Asmodeus eats a good chunk. I have a hard coded limit of 200 simultaneous threads, which is
     a lot. If your machine doesn't have at least 32 megs of RAM you might crash trying to run this
     baby. A future version will have user configurable performance options. Also, my screen is
     1280x1024, so I might not have the splitter windows arranged correctly for your display. You
     can drag them to fit for now....

     If the little sound effects bug you, you can delete the .wav files. A future version will
     have all this configurable. That REAL NEATO TOY is the TCP BURST SCAN. This will initiate a
     scan on an entire class C address range. Try it out, like I said, I can complete one in about
     10-15 minutes. Let me know how it runs on your machine configuration. hoglund@ieway.com.

Happy Hunting!
-Greg Hoglund


all material copyright©1997 Greg Hoglund - all rights reserved [hoglund@ieway.com]
  ------------------------------------------------------------------------