Category Archives: Dev

Soktspy

Soktspy is a small script that may be helpful for some investigation.

Sometimes, you may detect that some suspicious network traffic coming out from a machine. In general, it is easy to spot the process from which the packets originate. You somehow connect to the PC and look for open sockets.

But sometimes, the behavior may be very sneaky, consisting of one or two packets, at rare and random intervals. Unless you spend all the day before the screen, it may be very difficult to trace.

Especially with stock tools or without installing any intrusive hardware, which is also the reason why I did this tool. On a production server, you want to install as little dependencies as possible, right?

So here is the Soktspy, a python script that easily build into a portable and standalone executable to deploy on the target machine.

Once launched, it just loops in the background and log sockets that are created for some given peers (the IP addresses you found involved in the suspicious network activity).

Maybe, some other tool exist, but I could not find anything similar. Let me know if you have any suggestion. Anyway, it was a nice exercise to do :)

Download

soktSpy v1.2

Pre-requisites

  • Install Visual C++ Runtime libraries with vcredist_x86.exe (not necessary if the target machine happens to have Python already installed)
So far, I tested it successfully on Windows XP, Windows 2003, Ubuntu 11.10 and Mac OS Lion. But as it is a simple Python script, it is supposed to work on all platform.

Compiling

You may recompile the program as a Windows binary executable by issuing this command:

> setup.py py2exe

How to use

  • Copy soktSpy.exe and its configuration file config.cfg.
  • Edit config.cfg with the IP you want to monitor
  • Start soktSpy.exe.

Then, as soon as the sneaky process will send out a packet toward the monitored IP, a log record will be triggered:

The log file contains the following info, in that order:

  • Detection time (based on the system local time)
  • Process creation time
  • PID
  • Process Name
  • Protocol Family (2 = IPv4, 23 = IPv6)
  • Process Owner
  • Source socket (IP, port)
  • Destination socket (IP, port)
  • Socket Status

Future Plans

Please tell me if you have any idea on how to improve it.

For now, I plan to add a feature that will dump the memory of the suspicious processes when it is executing.

Netios 0.76

Netios 0.76 is out!

Complete changelog :

* fix prompt for enable issue
* fix issue with log directory
* add timeout option
* remove fail check for password mode (source of confusion and not so useful on second thought)

Check there for more details and a download link.

Netios 0.75

Netios 0.75 is out.

Complete changelog :

2010-04-24  (0.75) Phocean <jc@phocean.net>

* always force to specify the user to update and remove useless options concerning tacacs and newuser mode

Check there for more details and a download link.

Netios 0.74

Netios 0.74 is out.

Complete changelog :

2010-04-08  (0.74) phocean <jc@phocean.net>

* improve logging and  error handling
* clean up some crapy code

Check there for more details and a download link.

Hostcheck

I continue to publish some my coding.

Hostcheck is a simple Perl script that can be useful to quickly check if a list of host is up.
It just read a host file and check if the host are available doing a ping test or trying to open a socket.

Nothing great, but it may help to quickly check that most of things are right after a network change, for instance.
Because we want to test many hosts, and not to scan, the pace is fast so it may not be 100% reliable. The idea is to see roughly is the connectivity is correct or if your whole LAN is down.
It uses colors and is easy to read, so it might be good to show to your manager ! :)

I hope it will be useful. More info and download link are there.