Confusing Attackers with Artillery By Dave Kennedy (ReL1K)
The Hacker News

Dave Kennedy (ReL1K), a security ninja and penetration tester, has developed another amazing tool for Linux protection, named "Artillery". This article was written by Dave for the January issue of The Hacker News Magazine, and we are sharing it with our website readers as well:

I've traditionally been on the offensive side of security throughout my career. The tools I've developed, such as Fast-Track and The Social-Engineer Toolkit (SET), are primarily focused on the attack front. A while back I had the idea of creating a more defensive tool for both Windows and *nix systems and keeping it open-source as usual. I started Artillery about three months ago with the intent of developing an open-source project that does a bit of everything.

The name "Artillery" comes from one of my favorite techno bands, Infected Mushroom, and the tool enhances the overall security of whatever it touches. Artillery supports both Linux and Windows and is a purely open-source/free toolset. The concept is relatively simple: combine multiple avenues to harden an overall platform. Artillery has multiple modules. The first is the active honeypot technique, which sets up a number of (configurable) ports on the given server; if a stable TCP connection is established with a remote peer on one of those ports, the peer's IP address is blocked. The second is file-integrity monitoring, which watches configured directories to see if changes occurred (similar to OSSEC HIDS). The last monitors certain files for configuration flaws, for example default SSH ports, insecure PHP configurations and other aspects.

Installing Artillery
Artillery is programmed purely in Python and has native support for Linux and Windows. Thus far, there are no external dependencies required. Some features are not fully functional on the Windows platform; however, Artillery is still in alpha. In order to install Artillery, simply run python install.py install. This will install a service within /etc/init.d/. On Windows the install is the same, but you need to start Artillery manually. A service that starts it automatically each time is in development and should be finished shortly.

Active Honeypot
Once Artillery is launched, you can configure the ports in the Artillery config file; you can add as many ports as you want. Artillery comes with a select set of default (and commonly attacked) ports on which it listens. A simple netstat -antp | grep LISTEN shows the ports actively running:

root@bt:~/Desktop/artillery# netstat -antp | grep LISTEN
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:5800 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 20319/python
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN 916/sendmail: MTA:
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 20319/python
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1225/cupsd
tcp 0 0 0.0.0.0:1337 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:1433 0.0.0.0:* LISTEN 20319/python
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 916/sendmail: MTA:
tcp 0 0 0.0.0.0:44443 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 20319/python
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 20319/python
tcp6 0 0 ::1:631 :::* LISTEN 1225/cupsd
root@bt:~/Desktop/artillery#

Anything labeled python is Artillery running. When an attacker attempts to connect to one of these ports, a random set of data is sent back (to make it look like a funky protocol), the connection is terminated, and the attacker is banned.

attacker-macine:~ relik$ nc 192.168.235.129 135
s??m|??Йӕ??5????????VK@)?+?7?[V
s*?D???6????>,??b&?.?x??Ջ?0㶖?w???Bo??]+?7p?qxZ???G?k?>?#?Sv???Y??b???S?IU5?

Looking back at the Artillery machine, you can see the attacking system is now blocked and can no longer connect to the machine:
root@bt:~/Desktop/artillery# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ARTILLERY all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ARTILLERY (1 references)
target prot opt source destination
DROP all -- 192.168.235.1 anywhere
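The active honeypot behaviour described above (listen, hand the peer random junk, drop the connection, ban the source) distilled into a small Python module. This is an added example written for this page, not Artillery's own code: the port list is the one from the netstat listing, the ARTILLERY chain name is the one in the iptables output, and the whitelist of never-banned addresses and the simulate_probe helper (which connects to a loopback port the way the nc session did and collects the would-be iptables rule instead of running it) are assumptions of the example.

```python
import os
import socket
import threading

# Default listening ports, taken from the netstat listing above.
HONEYPOT_PORTS = [135, 5800, 3306, 5900, 110, 10000, 8080, 53, 21, 22,
                  1337, 1433, 44443, 1723, 3389, 445]


def junk_banner(length=64):
    """Random bytes sent to whoever connects, so the port looks like an odd binary protocol."""
    return os.urandom(length)


class BanList:
    """Tracks banned sources and builds the iptables rule for each new ban.

    The ARTILLERY chain name comes from the iptables output on the page; the
    whitelist (addresses that must never be blocked) is an assumption of this example.
    """

    def __init__(self, whitelist=("127.0.0.1",)):
        self.whitelist = set(whitelist)
        self.banned = set()

    def ban(self, ip):
        """Return the iptables command for a new ban, or None if nothing should happen."""
        if ip in self.whitelist or ip in self.banned:
            return None
        self.banned.add(ip)
        return ["iptables", "-A", "ARTILLERY", "-s", ip, "-j", "DROP"]


class HoneypotPort:
    """One listening port: accept, send junk, close, then ban the peer."""

    def __init__(self, banlist, host="0.0.0.0", port=0, apply_rule=None):
        self.banlist = banlist
        self.apply_rule = apply_rule  # in production e.g. lambda rule: subprocess.run(rule, check=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]  # actual port (port=0 picks a free one)

    def handle_one(self):
        """Serve a single connection and return (peer_ip, rule_or_None)."""
        conn, (peer_ip, _) = self.sock.accept()
        try:
            conn.sendall(junk_banner())
        except OSError:
            pass  # peer already gone; it is still banned below
        finally:
            conn.close()
        rule = self.banlist.ban(peer_ip)
        if rule is not None and self.apply_rule is not None:
            self.apply_rule(rule)
        return peer_ip, rule

    def close(self):
        self.sock.close()


def simulate_probe(banlist):
    """Run one port on loopback, connect to it the way nc did above, and report
    what the client received and what the honeypot decided. Nothing touches the
    real firewall: the generated rule is only appended to a list."""
    applied = []
    hp = HoneypotPort(banlist, host="127.0.0.1", port=0, apply_rule=applied.append)
    received = bytearray()

    def client():
        with socket.create_connection(("127.0.0.1", hp.port), timeout=5) as c:
            while True:
                data = c.recv(4096)
                if not data:
                    break
                received.extend(data)

    t = threading.Thread(target=client)
    t.start()
    peer_ip, rule = hp.handle_one()
    t.join()
    hp.close()
    return bytes(received), peer_ip, rule, applied


if __name__ == "__main__":
    data, ip, rule, applied = simulate_probe(BanList(whitelist=()))
    print(len(data), "junk bytes sent to", ip, "->", " ".join(rule))
```

Note the two checks a real deployment needs before applying the rule: a whitelist so an administrator probing the host from a known address (or a scanner you run yourself) is never locked out, and a "already banned" check so repeated probes do not append duplicate DROP rules to the chain.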

Configuration Changes
Artillery can detect changes to files in the operating system and in specific directories defined in the config. To edit the config, go to the default install path, /var/artillery. In the config there are options you can set for monitoring:

# DETERMINE IF YOU WANT TO MONITOR OR NOT
MONITOR=NO
#
# THESE ARE THE FOLDERS TO MONITOR, TO ADD MORE, JUST DO "/root","/var/", etc.
MONITOR_FOLDERS="/var/www","/etc/"
#
# BASED ON SECONDS, 2 = 2 seconds.
MONITOR_FREQUENCY=60
#
# EXCLUDE CERTAIN DIRECTORIES OR FILES. USE FOR EXAMPLE: /etc/passwd,/etc/hosts.allow
EXCLUDE=

You can exclude directories or files that change often and that you don't want to monitor, and you can include additional directories. By default, Artillery monitors /var/www and /etc/ for major configuration changes, and the monitor frequency defaults to every 60 minutes. The configuration-change detection works by generating SHA-512 hash values of the monitored files and storing them in a local database. If changes occur on the filesystem, the signatures mismatch and trigger an alert. If active notifications are enabled, an email is delivered to the configured individual; otherwise the alert is stored in a local log.
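The file-integrity check described above, as an added example written for this page rather than Artillery's own implementation: it parses the config fragment shown earlier (MONITOR_FOLDERS and EXCLUDE become path lists), builds a baseline of SHA-512 digests over the monitored folders while honouring the exclusions, and diffs a later pass against the baseline into modified/added/removed alerts. Persisting the baseline to a database, the email delivery and the scheduling loop are left out; the demo() function runs the whole cycle over a constructed temporary tree.

```python
import hashlib
import os
import tempfile

# The config fragment from the page, embedded as sample input.
SAMPLE_CONFIG = '''
# DETERMINE IF YOU WANT TO MONITOR OR NOT
MONITOR=NO
MONITOR_FOLDERS="/var/www","/etc/"
MONITOR_FREQUENCY=60
EXCLUDE=
'''

LIST_KEYS = {"MONITOR_FOLDERS", "EXCLUDE"}  # keys whose values are comma-separated paths


def parse_config(text):
    """Parse KEY=VALUE lines; MONITOR_FOLDERS and EXCLUDE become lists of paths."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            cfg[key] = [v.strip().strip('"') for v in value.split(",") if v.strip()]
        else:
            cfg[key] = value
    return cfg


def sha512_file(path):
    """Stream the file through SHA-512 so large files need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_excluded(path, excludes):
    """True if path is an excluded file or lies under an excluded directory."""
    return any(path == e or path.startswith(e.rstrip("/") + "/") for e in excludes)


def build_baseline(folders, excludes=()):
    """Walk the monitored folders and return {absolute path: sha512 hex digest}."""
    baseline = {}
    for folder in folders:
        for root, _dirs, files in os.walk(folder):
            for name in files:
                path = os.path.join(root, name)
                if is_excluded(path, excludes):
                    continue
                try:
                    baseline[path] = sha512_file(path)
                except OSError:
                    continue  # vanished or unreadable between walk and hash; skip it
    return baseline


def compare(old, new):
    """Alerts raised when the stored signatures no longer match the filesystem."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Baseline a constructed tree, change it, and return alerts relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        etc, www = os.path.join(tmp, "etc"), os.path.join(tmp, "www")
        os.makedirs(etc)
        os.makedirs(www)
        _write(os.path.join(etc, "ssh_config"), "Port 22\n")
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
        _write(os.path.join(www, "index.php"), "<?php echo 'hello'; ?>\n")
        excludes = [os.path.join(etc, "passwd")]  # changes here must not alert
        baseline = build_baseline([etc, www], excludes)

        # Changes made after the baseline was taken (constructed, not a real incident).
        _write(os.path.join(etc, "ssh_config"), "Port 2222\n")        # modified
        _write(os.path.join(www, "new.php"), "<?php echo 'new'; ?>\n")  # added
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")  # excluded
        os.remove(os.path.join(www, "index.php"))                     # removed

        alerts = compare(baseline, build_baseline([etc, www], excludes))
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in alerts.items()}


if __name__ == "__main__":
    print(parse_config(SAMPLE_CONFIG))
    print(demo())
```

Two details matter in practice: the baseline must be taken on a known-good system (a baseline recorded after a compromise just certifies the attacker's files), and it should be stored where the monitored host cannot silently rewrite it, otherwise a change to the signature store looks identical to a legitimate re-baseline.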

Features
Artillery is still heavily under development. Currently, it supports sending Gmail alerts to whomever you choose when an IP address is blocked, configurations have changed, SSH brute force attacks have been seen, or insecure configurations have been detected. There is also anti-DoS protection built into Artillery, which limits the number of active connections per IP and alerts on specific DoS attacks. Artillery is still a work in progress and in an early alpha release. The overall goal with Artillery was to develop an open-source platform that combines active responses, lures attackers with false data, and ultimately monitors the overall health of the system.
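Two of the features listed above, SSH brute force alerting and a per-IP active connection cap, as an added example written for this page and not Artillery's code. The auth.log lines are constructed (documentation-range addresses), the failure threshold of 5 and the connection cap are assumed values, and the regex matches the standard OpenSSH "Failed password for [invalid user] USER from IP port N" message.

```python
import re
from collections import Counter

# Constructed auth.log excerpt, not a real capture.
SAMPLE_AUTH_LOG = """\
Jan  9 02:14:01 bt sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan  9 02:14:03 bt sshd[4021]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan  9 02:14:05 bt sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan  9 02:14:07 bt sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Jan  9 02:14:09 bt sshd[4027]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan  9 02:14:11 bt sshd[4029]: Failed password for root from 203.0.113.7 port 51027 ssh2
Jan  9 02:20:44 bt sshd[4101]: Failed password for dave from 198.51.100.4 port 40010 ssh2
Jan  9 02:20:52 bt sshd[4101]: Accepted password for dave from 198.51.100.4 port 40010 ssh2
Jan  9 02:31:00 bt sshd[4150]: Accepted publickey for dave from 192.0.2.10 port 33000 ssh2
"""

# Standard OpenSSH failure line; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(lines):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def brute_force_sources(lines, threshold=5):
    """Sources at or above the failure threshold: what the alert (or ban) would name."""
    return sorted(ip for ip, n in failed_logins_by_ip(lines).items() if n >= threshold)


class ConnectionLimiter:
    """Per-IP cap on simultaneous connections (the anti-DoS idea from the Features section)."""

    def __init__(self, max_per_ip=20):
        self.max_per_ip = max_per_ip  # assumed default
        self.active = Counter()

    def connect(self, ip):
        """Return True if the connection may proceed, False if the IP is at its cap."""
        if self.active[ip] >= self.max_per_ip:
            return False
        self.active[ip] += 1
        return True

    def disconnect(self, ip):
        if self.active[ip] > 0:
            self.active[ip] -= 1


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print(failed_logins_by_ip(lines))
    print("brute force sources:", brute_force_sources(lines))
```

The single failure from 198.51.100.4 followed by a success is the typical mistyped password and stays below the threshold; a counter with no time window, as here, will eventually flag a slow but persistent source too, which is usually what you want for a host-based alert.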

Things to come
Artillery is a side project I started alongside the Social-Engineer Toolkit. It's a work in progress and a number of features are already in development. A few of these are: a full-fledged Windows service for monitoring/starting Artillery on Windows-based systems; the ability to use other email providers or your own email server rather than only Gmail; moving off diff to the native Python difflib library for the file comparisons; and more integrity checks for Linux and Windows systems looking for insecure configurations.

