Asmodeus Security Scanner

Current Release Notes

Asmodeus Beta Release 1.04

PC Magazine uses Asmodeus, along with many other freeware and commercial tools, to test the integrity of firewalls and other products. Look for Asmodeus in the "Best Products of 1997" issue and the upcoming firewall review.

Also, I would like to thank everyone who has been helping me test the software. To date, Asmodeus has been downloaded OVER 20,000 times!

The following was added in release 1.04:

* IfSrcPort/IfDestPort no longer substring-match. It is an exact match or nothing at all: port "23" is port "23", NOT port "4230", etc.
* LogAppSegment() with the $SESSION_ID identifier NOW correctly names all the capture files, AND only logs IP frames, so you WON'T get weird files with convoluted names.
* Counters are added so you know how well your scan is doing (yeah! about time...).
* You can start/stop both the sniffer and the parsing/script engine at any time. This is handy when you are on a busy network and you are logging tons of data. (Wow, that's a novel good idea, isn't it...) (Phat!)
* Significant changes to the framework (mainly, using Windows messaging between threads and new buffer chaining in the sniffer). This is internal and you won't notice it on the outside, except that sniffing performance and reliability have increased a great deal. Because of all the framework changes, there may be some new evil bugs waiting (especially centered around the MFC MessageMap crap). IF you get any access violations, be sure to write down the address for me; I can cross-reference it in my debugger.
If you really care, shoot me over the core file if you have it.
* The ping sweep mechanism has been changed a bit. If you're scanning over a PPP modem link, you should find this new version to be TONS better at detecting hosts. If you're scanning on a local LAN, the ping sweep may appear to be slower (taking up to 30-60 seconds to complete, rather than only 10-20). Take note that it IS more reliable, and has been catered somewhat to PPP dialup performance.
* The asmodeus.ini file is not used in this release. You cannot put your own script files in the drag-and-drop window. The reason is that the scripting language itself is going through a major overhaul right now. If you need this functionality, use release 1.031 instead.

Previously added in release 1.031:

* Added system() command to pass commands to the shell.
* Added IfSrcPort() and IfDestPort() to test the TCP port of a sniffed packet.
* Added LogAppSegment(), which sniffs a unique session. Useful for telnet session snooping. (Works with all protocols, but port numbers are not valid for non-TCP-based traffic.)
* Also! I increased the size of the packet buffer (yay), so you should be able to capture entire packets on most Ethernet segments.

Download Now: Asmodeus Release 1.04 beta

Greg Hoglund

The following issues are still on the burner:

You can't print more than the first page. That's because I used MFC for the printing portion and I didn't implement it right. I'll get to it.

If a script file goes haywire, or the paths aren't decompressed properly, you WILL get insane numbers of modal dialog boxes in your face. Hey, it's a debug version; I throw chow at the slightest sign of trouble, but don't fret, I'll probably have a little more time than usual to work on it soon.

Oh, I discovered something interesting about L0phtCrack 2.0: if you install the packet driver that comes with it, it will replace the one I wrote for Asmodeus. Imagine that. AND Asmodeus still works with the new one!
(It doesn't go the other way, however.) I guess we both used the same sources. Can you say DDK? Good to know the two apps co-exist pleasantly; it's a good pair.

Why:

How come, when I turn the sniffer off, packets keep coming in for a few seconds? Isn't the sniffer shut down immediately?

If you turn the sniffer off, it DOES shut down immediately. The reason you may continue to get packets on the monitor is that the sniffer and the LED monitor run in different threads. The sniffer thread's ONLY purpose in life is to service the interrupt on the Ethernet card, grab packets as fast as it can, and drop them into a buffer chain. A dispatcher thread then grabs each packet and processes it, passing the data off to the scripting engine and the LED panel, and updating various counters. The sniffer thread can capture many, many packets in the time it takes the dispatcher or the scripting engine to process just one packet. SO, the buffer chain can fill up "ahead" of the rest of the engine, and when the sniffer is shut down, the rest of the engine continues to process what's left in the buffer chain; hence the remaining few seconds of activity.

Using this App

There are a million ways you can configure this program, but let me suggest a few.

* Page your alphanumeric pager if that hacker tries to telnet to your new Alpha server
* Drop a log of every NetBIOS name broadcast on your network
* Scan your class C network, and if a host has port 139 open, send a BSOD just to see if it works
* Scan a small country overnight, and spawn Perl scripts against certain host:port pairs
* See every HTTP request on your network (whoopee)
* See every HTTP request from the guy in the next cubicle (maybe a little more interesting)
* Log the entire telnet session for anyone coming from that ISP downtown
* If you see a hostile packet, log it and send a SYN flood back to the originating source IP
* Do all of this while sleeping, or out on the town, or having a real life..
because this is all automated and runs in the dark.

Download History

Asmodeus has gone through several revisions within the last 2 months. You can download any of the following versions for testing:

* Asmodeus Release 1.0 beta
* Asmodeus Release 1.02 beta
* Asmodeus Release 1.03 beta
* Asmodeus Release 1.031 beta
* Asmodeus Release 1.04 beta

Tuning

Windows NT 4.0 with Service Pack 3 can be choked if ping sweeps are issued too fast. Starting with version 1.04, Asmodeus has the ability to meter the speed at which a ping sweep loads the stack. This greatly increases both reliability and speed. Massive loading on the stack gives local LAN scans their "blazing speed" but basically prevents any type of PPP dialup scan from performing at all. Metering is better.

Speeding things up

Go ahead and press the Tune button. This allows you to change settings. If you are scanning your local IP domain, then select the local defaults. These are very fast, and you need to make sure you have a Pentium with 64 megs of RAM, otherwise you will peg your meter. If you are on a T-1 and you want to scan remote domains, you can get away with setting your timeout value to 10000-15000 ms.

The timeout value greatly impacts the speed of your scan. If you trim the timeout value down very small, you will still detect ports on remote machines, but you will fail to grab the banners (returned data) from those ports. Sometimes this is OK if you're just browsing through. A setting of 5000 ms produces a very fast scan, with little banner data actually captured. The exception is your local domain: 5000 ms is a good timeout for very close networks, or networks that are connected via high-speed links.

Max Sockets. This is the other setting that will really reflect upon your speed. You can keep pushing the max sockets until you start getting 10055 errors (Winsock WSAENOBUFS, "No buffer space available"). These will pop up in your scan results. On my system with 64 megs, I can run 2500 max sockets..
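The timeout/banner trade-off and the Max Sockets cap described under Tuning, as an added example in Python; it is not part of the original page and not Asmodeus code. A constructed local listener hands out its banner only after a delay, the way a slow or distant daemon would: scanned with a short timeout the port is still reported open but no banner comes back, while a longer timeout captures it. A bounded semaphore plays the role of the Max Sockets setting. The listener, its delay, the banner text, and every address and port are assumptions made up for the demo.

```python
# Added example (not Asmodeus code): why the timeout setting decides whether a banner
# is captured, and a semaphore standing in for the Max Sockets setting.  The listener,
# its delay, the banner text and all addresses are constructed for this demo.
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

BANNER = b"220 mail.example.test ESMTP ready\r\n"      # constructed banner


def start_slow_listener(delay):
    """Listen on 127.0.0.1:<ephemeral>; each client gets BANNER after `delay` seconds,
    the way a slow or distant daemon would.  Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)
    srv.settimeout(0.2)                     # periodic wake-up so serve() notices close()

    def handle(conn):
        with conn:
            time.sleep(delay)
            try:
                conn.sendall(BANNER)
            except OSError:                 # client gave up before the banner
                pass

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:                 # listener closed: done
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def grab(host, port, timeout, sem):
    """One probe -> (port, state, banner); state is 'open', 'closed' or 'timeout'."""
    with sem:                               # Max Sockets: bound the sockets in flight
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            s.close()
            return port, "timeout", b""
        except OSError:                     # e.g. connection refused
            s.close()
            return port, "closed", b""
        try:
            data = s.recv(1024)             # the banner, if it arrives inside the timeout
        except socket.timeout:
            data = b""                      # port is open, but the banner was missed
        finally:
            s.close()
        return port, "open", data


def scan(host, ports, timeout, max_sockets):
    """Probe `ports` concurrently with at most `max_sockets` sockets open at once."""
    sem = threading.BoundedSemaphore(max_sockets)
    with ThreadPoolExecutor(max_workers=max_sockets) as pool:
        results = pool.map(lambda p: grab(host, p, timeout, sem), ports)
        return {port: (state, banner) for port, state, banner in results}


def demo():
    """Scan one slow listener and one closed port with a short and a long timeout.
    Returns {(label, timeout): (state, banner)}."""
    srv, open_port = start_slow_listener(delay=0.5)
    probe = socket.socket()                 # take a free port number, then release it
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    out = {}
    try:
        for timeout in (0.1, 2.0):
            res = scan("127.0.0.1", [open_port, closed_port], timeout, max_sockets=8)
            out[("slow daemon", timeout)] = res[open_port]
            out[("closed port", timeout)] = res[closed_port]
    finally:
        srv.close()
    return out


if __name__ == "__main__":
    for (label, timeout), (state, banner) in demo().items():
        print(f"{label:12s} timeout {timeout:3.1f}s -> {state:7s} {banner!r}")
```

With the 0.1 s timeout the slow daemon shows up as open with an empty banner; with 2.0 s the same port returns the banner. That is the effect the Tuning text describes: a small timeout finds open ports quickly but throws away the banner data the scripts match on, so the timeout should be set for the slowest link you expect, not the fastest.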
On the Pro system at work, with 128 megs, 5000 sockets are easy. It REALLY HAULS with 5000 sockets and a 5000 ms timeout!!!

Scripting

As of version 0.22 alpha, there is now the ability to create your own scripts. This will allow you to run your own custom checks against target hosts. This first version of the language is very simple and only supports a few commands. Included in the Asmodeus download is a sample script file. It is called "default.spn". This is the default script file that is called every single time Asmodeus captures a banner from a target host. You can use this script file to post data to each database node.

Just for your drool factor, however, know that I have the skeleton code in place for an actual abstract stack machine, a real compiler, with support for conditional looping, variables, the whole works. The Asmodeus program is going to start getting command-line friendly, nice for those admins out there who want to use this with Perl and the like.

For example, if I telnet to port 23 on a Linux box, and it reports "Linux version 1.6", I can write a function that checks for the substrings "Linux" and "1.6" and posts data back saying something like "Possible LD_ environment exploit - telnetd - remote root". The default.spn script has examples and should be fairly self-explanatory.

The default.spn script is used to check against the data retrieved at the current node. Keep in mind that Asmodeus will be handling hundreds of these nodes at any one time, so this script file shouldn't really be playing .wav files or doing other time-intensive things.

Here is a rundown of the commands:

# A hash mark indicates a comment. Anything after the hash is ignored until we encounter a newline.

IfCompare(substring) { function block };

    IfCompare("ZPOP") {
        PostChild("Post Office software.com Zmail", 4);
        ExpandThis();
    }

This command will compare the substring against the banner retrieved at the current node. If the substring is located, then the block is executed.
Else, it is skipped. As always, function blocks can be nested within one another.

PostChild(string to be posted, icon number);

    PostChild("Post Office software.com Zmail", 4);

PostChild is fairly simple. It posts information to the database tree. It does not use a function block. You can change the icon used to represent this data; try values between 1 and 7. Another version of this command is PostParent. PostParent is exactly the same except that it posts the data to the parent node.

ExpandThis();

    ExpandThis();

Expands the current node so all children are visible. This is very handy. It operates only in the context of the current node.

PrintLED(string);

    PrintLED("-------------=Microsoft ==Windows ==System == == =------------");

This is a cool little function. It prints whatever data you want to the LED sign. Keep in mind the number of characters you are passing; alignment is crucial here. If you play with the command you will get the idea. See the examples in the default.spn file. Also, note that if you pass more characters than will fit on the sign at once, the sign will actually cycle through the entire string, giving you a sort of rudimentary ASCII animation.

PlaySnd(filename.wav);

    PlaySnd("mushroom.wav");

This is something you would want to use sparingly. Make sure your .wav file is in the same directory as Asmodeus. The thread is blocked until the .wav file has completed, so this would slow you down A LOT if you had sound everywhere. However, it is very handy when you are running huge scans and you need to be alerted to a particular detail of some kind.

The last thing to note: the scripting is very sensitive to mistakes. I have tried to do my best to catch typos and misaligned function blocks, but if you type a bunch of garbage into a script file, Asmodeus isn't going to like it. So watch your coding very carefully. If Asmodeus does find weird stuff, it tries to report it to you, and it also will make a backup of your database in case something goes haywire.
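The script language described in this Scripting section, and the exact-match rule for IfSrcPort/IfDestPort from the 1.04 release notes, as one added example in Python. It is not part of the original page and not Asmodeus code: a small interpreter for the documented command subset (IfCompare, PostChild, PostParent, ExpandThis, PrintLED, PlaySnd, IfSrcPort, IfDestPort, '#' comments, nested function blocks) that runs a script against one captured banner the way default.spn is run against each node. The grammar details (optional ';' after a block, quoted-string and integer arguments), the node layout, and the sample script are assumptions drawn from the page's prose, not the real engine's internals; system() and LogAppSegment() are left out because the page does not show their arguments.

```python
# Added example (not Asmodeus code): an interpreter for the .spn command subset this
# page documents.  Grammar details and the tree layout are assumptions drawn from the
# page's prose; system() and LogAppSegment() are left out (arguments not shown).
import re

ARITY = {"IfCompare": 1, "IfSrcPort": 1, "IfDestPort": 1, "PostChild": 2,
         "PostParent": 2, "ExpandThis": 0, "PrintLED": 1, "PlaySnd": 1}
_TOKEN = re.compile(r'\s+|#[^\n]*|"(?P<str>[^"]*)"|(?P<int>\d+)|(?P<name>[A-Za-z_]\w*)'
                    r'|(?P<punct>[(){},;])|(?P<bad>.)', re.S)   # space/comment: no group

class ScriptError(Exception):
    """Reported instead of running a script the engine 'isn't going to like'."""

def tokenize(src):
    toks = []
    for m in _TOKEN.finditer(src):
        kind = m.lastgroup                      # None for whitespace and comments
        if kind == "bad":
            raise ScriptError(f"bad character {m.group()!r} at offset {m.start()}")
        if kind:
            toks.append((kind, int(m.group(kind)) if kind == "int" else m.group(kind)))
    return toks

def parse(src):
    """Return [(command, args, block)]; block is None or a nested statement list."""
    toks = tokenize(src)
    def peek(i):
        return toks[i] if i < len(toks) else ("eof", None)
    def take(i, kind, val=None):
        k, v = peek(i)
        if k != kind or (val is not None and v != val):
            raise ScriptError(f"expected {val or kind}, got {v!r} at token {i}")
        return v, i + 1
    def block(i):                               # statements up to '}' or end of file
        stmts = []
        while peek(i) not in (("punct", "}"), ("eof", None)):
            name, i = take(i, "name")
            _, i = take(i, "punct", "(")
            args = []
            while peek(i) != ("punct", ")"):
                kind, val = peek(i)
                if kind not in ("str", "int"):
                    raise ScriptError(f"bad argument {val!r} to {name}")
                args.append(val)
                i += 1 + (peek(i + 1) == ("punct", ","))   # skip a separating comma
            _, i = take(i, "punct", ")")
            body = None
            if peek(i) == ("punct", "{"):
                body, i = block(i + 1)
                _, i = take(i, "punct", "}")
            i += peek(i) == ("punct", ";")                  # ';' after ')' or '}' is optional
            stmts.append((name, args, body))
        return stmts, i
    stmts, end = block(0)
    if end != len(toks):
        raise ScriptError("unmatched '}'")
    return stmts

def node(text, icon=1):
    return {"text": text, "icon": icon, "kids": [], "open": False}

def port_matches(arg, port, exact=True):
    """exact=True is the 1.04 rule ("23" is 23, not 4230); exact=False is the old substring bug."""
    return int(arg) == port if exact else str(arg) in str(port)

def run(stmts, ctx, cur, parent, events):
    """Execute against ctx = {'banner', 'src_port', 'dst_port'}; posts go to cur or parent."""
    for name, args, body in stmts:
        if name not in ARITY or len(args) != ARITY[name]:
            raise ScriptError(f"unknown command or wrong argument count: {name}")
        if name.startswith("If"):
            if body is None:
                raise ScriptError(f"{name} needs a function block")
            key = "src_port" if name == "IfSrcPort" else "dst_port"
            hit = str(args[0]) in ctx["banner"] if name == "IfCompare" else port_matches(args[0], ctx[key])
            if hit:
                run(body, ctx, cur, parent, events)
        elif name in ("PostChild", "PostParent"):
            text, icon = args
            if icon not in range(1, 8):
                raise ScriptError("icon number must be 1..7")
            (cur if name == "PostChild" else parent)["kids"].append(node(str(text), icon))
        elif name == "ExpandThis":
            cur["open"] = True
        else:                                   # PrintLED / PlaySnd
            events.append(("led" if name == "PrintLED" else "snd", str(args[0])))
    return events

def evaluate(script, banner, src_port=0, dst_port=0):
    """Run script for one captured banner; returns (host node, banner node, events)."""
    host, cur = node("host"), node(banner)      # the host node holds the banner node
    host["kids"].append(cur)
    ctx = {"banner": banner, "src_port": src_port, "dst_port": dst_port}
    return host, cur, run(parse(script), ctx, cur, host, [])

SAMPLE = '''# Constructed sample in the style of default.spn (not the shipped file).
IfCompare("Linux") {
    IfCompare("1.6") { PostChild("Possible LD_ environment exploit - telnetd - remote root", 3); ExpandThis(); }
}
IfCompare("ZPOP") { PostChild("Post Office software.com Zmail", 4); ExpandThis(); };
IfSrcPort("23") { PrintLED("telnet traffic"); }   # exact match: port 4230 does not fire
'''
```

Running evaluate(SAMPLE, "Linux version 1.6", src_port=23) posts the LD_ child under the banner node, expands it, and queues one LED message; the same call with src_port=4230 queues nothing, which is the 1.04 fix (port_matches with exact=False reproduces the older substring behaviour for comparison). A malformed script (a missing brace, an unknown command, an icon outside 1..7) raises ScriptError before or during the run instead of half-executing, which is the "report it to you" behaviour the text describes.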
Documentation

There is no documentation other than what comes with the compressed package and what is located on this web site.

Known Problems

Insane numbers of dialog boxes in my face: Make sure you have packets.spn, default.spn, and asmodeus.ini in the same directory as the Asmodeus binary, AND make sure you have a Captures subdirectory. That said, everything should be OK. It SHOULD decompress this way by default, but some people don't have PKUnzip set up to do that (PKUNZIP needs the -d switch to recreate the directory paths stored in the archive).

Only prints one page: Yep yep yep. It's on the list.

Video mode: Asmodeus doesn't like 640x480 mode. If you use this mode, it's just not going to work out for you. You need 800x600. I will try to install scrollbars in a future version.

Network load: Please be advised that Asmodeus can generate extreme network load for a short period of time. I have tested the program extensively upon my own networks with no apparent service loss. However, I have received at least one report where the administrator appeared to DoS his own network with Asmodeus. The TCP scan will generate logs, and it is quite obvious that you have been scanned. If the network you are scanning is sensitive, you may want to exercise caution and use moderate performance settings.

Response to Asmodeus

It seems that the general response to this program has been very positive. Significant interest in a fully working version is being demonstrated by university and military sites, who would like to scan their networks for vulnerabilities. A new version that supports a more robust database and scanning system will be out soon. I believe all of the criticism has been constructive, except maybe once or twice ;)

Exploit Archive by OS

6/30/97 4:42 PM