author | euer <root@euer.krebsco.de> | 2012-12-20 03:26:08 +0100 |
---|---|---|
committer | euer <root@euer.krebsco.de> | 2012-12-20 03:26:21 +0100 |
commit | 325ab16e706b21abd172d3006729b51d323c93b9 (patch) | |
tree | 12777bdad6a0ee4d9b1447baf96a349e0f086280 /god | |
parent | 38dbb8ee3867060fddd427d1bb4e57ee0300c8bb (diff) |
//{filebitch,census} -> //god
Diffstat (limited to 'god')
-rw-r--r-- | god/census/Makefile | 5 | ||||
-rw-r--r-- | god/census/README.md | 23 | ||||
-rw-r--r-- | god/census/TODO.md | 3 | ||||
-rw-r--r-- | god/census/VERSION | 1 | ||||
-rwxr-xr-x | god/census/arping.py | 34 | ||||
-rwxr-xr-x | god/census/arping_users.py | 92 | ||||
-rw-r--r-- | god/census/mac_names.lst | 14 | ||||
-rwxr-xr-x | god/census/sched-arping | 8 | ||||
-rw-r--r-- | god/census/title.lst | 11 | ||||
-rw-r--r-- | god/filebitch/COPYING | 14 | ||||
-rw-r--r-- | god/filebitch/README | 14 | ||||
-rw-r--r-- | god/filebitch/TODO | 2 | ||||
-rwxr-xr-x | god/filebitch/connect_narf.pl | 19 | ||||
-rwxr-xr-x | god/filebitch/disconnect_narf.pl | 16 |
14 files changed, 256 insertions, 0 deletions
diff --git a/god/census/Makefile b/god/census/Makefile
new file mode 100644
index 00000000..9993bf2a
--- /dev/null
+++ b/god/census/Makefile
@@ -0,0 +1,5 @@
+.phony: all
+
+all: arping.py arping_users.py
+install:
+ ./sched-arping
diff --git a/god/census/README.md b/god/census/README.md
new file mode 100644
index 00000000..2842368d
--- /dev/null
+++ b/god/census/README.md
@@ -0,0 +1,23 @@
+Census (formerly known as ARPING Users)
+==========
+
+This is a simplified python script which checks the available subnet for computers online and returns a list of users which are online based on their mac-address
+
+The initial idea was to find known users in the given network, now it finds and stores everyone in the given network and might try to resolve these addresses into names. This is why the name `census` is coined for the project.
+
+Return Data
+----------
+after trying to reach all hosts in the selected subnets the script spits out th e following data:
+<pre>
+ { "timestamp" : 12345678, "data" : { "ip1" : ["mac1","mac2","macn"] }
+</pre>
+
+Census is meant to be put into a cronjob or some kind of wrapper scripts as it is currently really really (2-3 minutes) slow.
+
+SNMPWALK Command
+===============
+
+For historic reasons, this is the snmpwalk command to pull the currently registered mac-addresses on the firewall:
+<pre>
+snmpwalk -c shammunity 10.42.0.1 1.3.6.1.2.1.3.1.1.2
+</pre>
diff --git a/god/census/TODO.md b/god/census/TODO.md
new file mode 100644
index 00000000..daacfd58
--- /dev/null
+++ b/god/census/TODO.md
@@ -0,0 +1,3 @@
+BUGS
+=====
+
diff --git a/god/census/VERSION b/god/census/VERSION
new file mode 100644
index 00000000..6c50e659
--- /dev/null
+++ b/god/census/VERSION
@@ -0,0 +1 @@
++++++++[>+++++++>+++++++<<-]>.>---.<-.
diff --git a/god/census/arping.py b/god/census/arping.py
new file mode 100755
index 00000000..ed257441
--- /dev/null
+++ b/god/census/arping.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python
+
+import logging
+log = logging.getLogger('arpingy')
+logging.disable(logging.WARNING)
+
+import os,sys
+try:
+ if (os.geteuid() != 0):
+ raise Exception('no root permissions')
+ from scapy.all import * #might throws "no such module"
+
+ def arpingy(iprange="10.42.1.0/24",iface='eth0'):
+ """Arping function takes IP Address or Network, returns nested mac/ip list"""
+ try:
+ conf.verb=0
+ ans,unans=arping(iprange,iface=iface,timeout=3,retry=1)
+
+ collection = []
+ for snd, rcv in ans:
+ result = rcv.sprintf(r"%ARP.psrc% %Ether.src%").split()
+ log.debug(result)
+ return result # take just the first arp reply
+ except Exception as e:
+ print ("something went wrong while arpinging " + str(e))
+ return []
+
+except Exception as e:
+ raise Exception("Cannot load arping functions!" + str(e))
+
+
+if __name__ =='__main__':
+ logging.basicConfig(level=logging.DEBUG)
+ arpingy(sys.argv[1],sys.argv[2])
diff --git a/god/census/arping_users.py b/god/census/arping_users.py
new file mode 100755
index 00000000..eb47f308
--- /dev/null
+++ b/god/census/arping_users.py
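Review bot: `arpingy` returns `None` when `ans` is empty, because the only `return result` sits inside the `for snd, rcv in ans` loop and nothing follows it, while the docstring promises a list and the error path returns `[]`; `collection` is created and never used. Either `return collection` after the loop or drop the unused list and end with `return []`. The broad `except Exception` prints and swallows every scapy failure (missing interface, permission error), so the caller only sees "no hosts" — `log.exception("arping %s failed", iprange)` before the `return []` would keep the cause visible. `from scapy.all import *` also hides which names the module actually needs; `from scapy.all import arping, conf` states the dependency explicitly.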
@@ -0,0 +1,92 @@
+#!/usr/bin/python
+import subprocess,re,logging,sys
+import json
+from arping import arpingy
+from multiprocessing import Pool
+logging.basicConfig(level=logging.WARNING)
+log = logging.getLogger("main")
+DEV='eth1'
+MAC_NAMES='mac_names.lst'
+data = []
+my_addr = False
+my_names = {}
+ret = {}
+quiet=False
+
+names = {}
+if len(sys.argv) > 1 and sys.argv[1] == 'q':
+ quiet=True
+def get_own_addr():
+ data = subprocess.Popen(['/sbin/ifconfig',DEV],
+ stdout=subprocess.PIPE).communicate()[0].replace('\n','')
+ return re.sub(r'.*HWaddr ([0-9A-Fa-f:]*).*inet addr:([0-9.]*).*' ,
+ r'\1 \2',data).split()
+
+def load_names(mac_file):
+ f = open(mac_file)
+ for l in f:
+ mac,name = l.split(' ',1)
+ names[mac] = name.replace('\n','')
+ f.close()
+ return names
+
+def print_config():
+ log.info("My Addr : %s" %str(my_addr))
+ log.info("MAC Names file: %s " %MAC_NAMES)
+ log.debug("Loaded names : ")
+ for mac,name in my_names.iteritems():
+ log.debug("%s => %s" %(mac,name))
+
+def init():
+ my_addr = get_own_addr()
+ my_names = load_names(MAC_NAMES)
+
+def arping_helper(dic):
+ log.debug("trying arpingy(%s)" %dic)
+ return arpingy(**dic)
+
+def main():
+ init()
+ print_config()
+
+ for first in range(1,4):
+ for second in range(256):
+ data.append({'iprange':'10.42.'+str(first)+'.'+str(second),'iface':DEV})
+ try:
+ log.info("creating new Pool")
+ p = Pool(35)
+ ret = filter(lambda x:x , p.map(arping_helper, data))
+ log.info("killing it")
+ p.terminate()
+
+ except Exception as e:
+ print 'you fail '+str(e)
+ sys.exit(1)
+ myip,mymac = get_own_addr()
+ ret.append([mymac,myip])
+
+ print_json(ret)
+ #print_names(ret)
+
+def print_names(ret):
+ for p in ret:
+ if not quiet:
+ print p[0] + " => " + p[1]
+ if p[1] in names:
+ print names[p[1]]+ " is online"
+
+def print_json(ret):
+ from time import time
+ output = {}
+ output["timestamp"] = time()
+ for i in ret:
+ mac = i[0]
+ ip = i[1]
+ if i[0] not in output:
+ output[mac] = []
+ output[mac].append(ip)
+ print json.dumps(output)
+
+if __name__ == "__main__":
+ log.debug("starting arping_users")
+ main()
diff --git a/god/census/mac_names.lst b/god/census/mac_names.lst
new file mode 100644
index 00000000..5f123dbe
--- /dev/null
+++ b/god/census/mac_names.lst
@@ -0,0 +1,14 @@
+00:40:63:c8:b5:a0 urkrebs
+00:23:54:29:1d:3e hadez
+00:26:c7:bd:a7:1a Martin
+04:1e:64:05:39:28 Stephan
+5c:59:48:22:2d:d2 Phil
+00:21:00:fb:5c:b6 Kah-Hah
+00:1e:64:27:3b:72 Felix
+40:30:04:4f:de:73 Armin
+00:26:c6:82:51:38 samuirai
+3c:8b:fe:5c:4e:da Moh-Moh
+00:26:bb:69:98:cc Jan
+78:dd:08:d5:34:28 Patrick
+78:ca:39:6e:ed:16 Tillman
+00:22:43:25:61:79 Te vau
diff --git a/god/census/sched-arping b/god/census/sched-arping
new file mode 100755
index 00000000..14f8af3c
--- /dev/null
+++ b/god/census/sched-arping
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+TMP=`mktemp`
+crontab -l >$TMP
+
+echo "23 * * * * $PWD/arping_users.py > $PWD/../db/arping" |
+../util/bin/magic create "arping" $TMP
+crontab $TMP
diff --git a/god/census/title.lst b/god/census/title.lst
new file mode 100644
index 00000000..dade858f
--- /dev/null
+++ b/god/census/title.lst
@@ -0,0 +1,11 @@
+KM kh
+KM lassulus
+KM makefu
+KM miefda
+KM momo
+KM pfleidi
+KM rtjure
+KM tv
+CN cmile
+CN infin
+CP *
diff --git a/god/filebitch/COPYING b/god/filebitch/COPYING
new file mode 100644
index 00000000..65d1a2e9
--- /dev/null
+++ b/god/filebitch/COPYING
@@ -0,0 +1,14 @@
+ DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+ Version 2, December 2004
+
+ Copyright (C) 2004 Sam Hocevar <momo@shackspace.de>
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+ DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. You just DO WHAT THE FUCK YOU WANT TO.
+
diff --git a/god/filebitch/README b/god/filebitch/README
new file mode 100644
index 00000000..5ae3a666
--- /dev/null
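Review bot: `init()` assigns `my_addr` and `my_names` as function locals, so the module-level `my_addr = False` and `my_names = {}` that `print_config()` reads are never updated and the config log always shows `False` and no names; add `global my_addr, my_names` as the first line of `init()`. `ret.append([mymac,myip])` in `main()` also appears to use the opposite element order from what `arpingy` returns (`%ARP.psrc% %Ether.src%`, i.e. ip then mac) and from what `print_names` expects (`p[1] in names`), so the host's own entry would be keyed by its MAC in `print_json` while every other key is an IP; `ret.append([myip,mymac])` would match, and the `mac = i[0]` / `ip = i[1]` names in `print_json` then read backwards too. The file is Python 2 throughout (`print` statements, `iteritems`, `filter()` returning a list that `ret.append` relies on), which is worth stating in a module docstring since nothing else marks it.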
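Review bot: The temp file from `mktemp` is never removed, and `$TMP` and `$PWD` are expanded unquoted in `crontab -l >$TMP`, the `magic create` call and `crontab $TMP`, so a path containing whitespace breaks the crontab install. Quote the expansions and clean up on exit: `TMP=$(mktemp)`, `trap 'rm -f "$TMP"' EXIT`, `crontab -l >"$TMP"` (and `"$TMP"` in the two later uses). `crontab -l` typically exits non-zero when the user has no crontab yet; the script then continues with an empty file, which seems intended here but deserves a one-line comment.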
+++ b/god/filebitch/README
@@ -0,0 +1,14 @@
+The connect_narf.pl script morses the IP + "connected" when a user connects to filebitchs proftpd server.
+The disconnect_narf.pl scritp will do the obvious opposite.
+It will hopefully drive someone crazy.
+
+To make it run you need to add some lines to your proftpd config.
+I decided not to let Krebs do this as I didn't want to break your FTP Server (I know FTP is broken by default).
+The 5 necessary lines are:
+
+<IfModule mod_exec.c>
+ ExecEngine on
+ ExecOnConnect "/krebs/filebitch/connect_narf.pl %a"
+ ExecOnExit "/krebs/filebitch/disconnect_narf.pl %a"
+</IfModule>
+
diff --git a/god/filebitch/TODO b/god/filebitch/TODO
new file mode 100644
index 00000000..aa2af36a
--- /dev/null
+++ b/god/filebitch/TODO
@@ -0,0 +1,2 @@
+Buid a blacklist so some IPs(e.g. monitoring servers) don't trigger a beep
+
diff --git a/god/filebitch/connect_narf.pl b/god/filebitch/connect_narf.pl
new file mode 100755
index 00000000..7c713d3b
--- /dev/null
+++ b/god/filebitch/connect_narf.pl
@@ -0,0 +1,19 @@
+#!/usr/bin/perl
+#Please add the following to your proftpd config file
+#ExtendedLog /var/log/proftpd/ftp_auth.log AUTH auth
+#and
+#<IfModule mod_exec.c>
+# ExecEngine on
+# ExecOnConnect "/krebs/filebitch/connect_narf.pli %a"
+#</IfModule>
+
+$ip = $ARGV[0];
+#I'm very sorry for this regex, but i only wanted it to get _real_ IPv4 Adresses of the log file, not any kind of timestamp bullshit
+$ip =~ s/\b(25[0-5]|2[0-4][0-9]|[1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[1]?[0-9][0-9]?)\b//g;
+if($ip ne "10.42.0.107"){
+#getting some guys sitting next to the Server pissed :)
+ system("morse -l 42 -f 2000 $ip");
+ system("morse -l 42 -f 3000 \"connected\"");
+}
+# Uncomment the beep below to play the enterprise connect sound
+# system("beep -l 42 -f 2000 -D 42 -n -l 42 -f 3337");
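Review bot: `system("morse -l 42 -f 2000 $ip")` in connect_narf.pl interpolates the `%a` argument into a single command string that is handed to a shell; the list form `system("morse", "-l", "42", "-f", "2000", $ip);` (and the same for the "connected" call) runs morse directly with no shell parsing of the argument, and disconnect_narf.pl in the following file has the same two calls. The substitution above it also looks off as written: its replacement is empty (`s/...\b//g`), so a well-formed IPv4 argument is deleted rather than extracted and `$ip` is empty when the script is invoked as the README documents, which also means `$ip ne "10.42.0.107"` can never be false — if the intent is to keep only the address, capture it and put `$1.$2.$3.$4` in the replacement. The header comment's `connect_narf.pli` path disagrees with the `connect_narf.pl` the README gives, and disconnect_narf.pl's header points `ExecOnExit` at connect_narf rather than itself.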
diff --git a/god/filebitch/disconnect_narf.pl b/god/filebitch/disconnect_narf.pl
new file mode 100755
index 00000000..77fbf743
--- /dev/null
+++ b/god/filebitch/disconnect_narf.pl
@@ -0,0 +1,16 @@
+#!/usr/bin/perl
+#Please add the following to your proftpd config file
+#<IfModule mod_exec.c>
+# ExecEngine on
+# ExecOnExit "/krebs/filebitch/connect_narf.pli %a"
+#</IfModule>
+
+$ip = $ARGV[0];
+#I'm very sorry for this regex, but i only wanted it to get _real_ IPv4 Adresses of the log file, not any kind of timestamp bullshit
+$ip =~ s/\b(25[0-5]|2[0-4][0-9]|[1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[1]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[1]?[0-9][0-9]?)\b//g;
+#getting some guys sitting next to the Server pissed :)
+system("morse -l 42 -f 2000 $ip");
+system("morse -l 42 -f 3000 \"disconnected\"");
+
+# Uncomment the beep below to play the enterprise connect sound
+# system("beep -l 42 -f 2000 -D 42 -n -l 42 -f 3337");