
odd scapy issue (with work around!)

with scapy i was trying to do a traceroute:

traceroute(["www.example.com","pronto185.com"],maxttl=20)

and was getting this annoying error (…not sure why)

Traceback (most recent call last):
  File "", line 1, in 
  File "scapy/layers/inet.py", line 1294, in traceroute
    timeout=timeout, filter=filter, verbose=verbose, **kargs)
  File "scapy/sendrecv.py", line 309, in sr
    s = conf.L3socket(filter=filter, iface=iface, nofilter=nofilter)
  File "scapy/arch/linux.py", line 316, in __init__
    attach_filter(self.ins, filter)
  File "scapy/arch/linux.py", line 132, in attach_filter
    s.setsockopt(SOL_SOCKET, SO_ATTACH_FILTER, bpfh)
  File "", line 1, in setsockopt
socket.error: [Errno 22] Invalid argument

so i ran same thing with ipython (gives better error output)
and it showed this

/usr/lib/python2.7/socket.pyc in meth(name, self, *args)
    222 
    223 def meth(name,self,*args):
--> 224     return getattr(self._sock,name)(*args)
    225 
    226 for _m in _socketmethods:

so on line 223 for def meth(), i edited it: /usr/lib/python2.7/socket.py

def meth(name,self,*args):                                                     
    try:
        return getattr(self._sock,name)(*args)
    except:
        return 'wat'

and this seems to have fixed it! :D

>>> traceroute(["www.example.com","pronto185.com"],maxttl=20)
Begin emission:
.........*....*......*...*...*.....*......*.............*........*.......*....*......*.....*............**...........*...*........*.............**...........*.*............**................**............*.*...........*..*...........*..*.........*..*..........*.*....Finished to send 40 packets.
........*............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Received 928 packets, got 37 answers, remaining 3 packets
   208.100.54.15:tcp80 93.184.216.119:tcp80 
1  207.99.1.13     11  207.99.1.13     11   
2  207.99.53.41    11  207.99.53.41    11   
3  209.123.10.117  11  209.123.10.26   11   
4  -                   107.6.71.209    11   
5  -                   107.6.84.209    11   
6  154.54.6.226    11  208.122.44.201  11   
7  154.54.43.101   11  93.184.216.119  SA   
8  154.54.6.190    11  93.184.216.119  SA   
9  154.54.41.202   11  93.184.216.119  SA   
10 -                   93.184.216.119  SA   
11 154.54.1.210    11  93.184.216.119  SA   
12 38.104.103.238  11  93.184.216.119  SA   
13 208.100.32.78   11  93.184.216.119  SA   
14 208.100.54.15   SA  93.184.216.119  SA   
15 208.100.54.15   SA  93.184.216.119  SA   
16 208.100.54.15   SA  93.184.216.119  SA   
17 208.100.54.15   SA  93.184.216.119  SA   
18 208.100.54.15   SA  93.184.216.119  SA   
19 208.100.54.15   SA  93.184.216.119  SA   
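
The edit to /usr/lib/python2.7/socket.py applies to every socket in every Python 2.7 program on the box and turns any failure into the string 'wat'. The following is an added example, not code from the original post, contrasting that behaviour with a wrapper that tolerates only the error shown in the traceback; `FakeSock`, `blanket`, `scoped` and `send_outcome` are hypothetical names, and the socket is a constructed stand-in so it runs without scapy or root.

```python
import errno
import socket

SO_ATTACH_FILTER = 26  # Linux option number; Python's socket module does not export it


class FakeSock(object):
    """Constructed stand-in for the raw socket so this runs without root."""

    def setsockopt(self, level, opt, value):
        if opt == SO_ATTACH_FILTER:
            # Same failure as the traceback: [Errno 22] Invalid argument
            raise socket.error(errno.EINVAL, "Invalid argument")

    def send(self, data):
        # An unrelated failure that a caller needs to hear about
        raise socket.error(errno.EPERM, "Operation not permitted")


def blanket(sock, name, *args):
    """What the edited meth() does: any failure at all becomes 'wat'."""
    try:
        return getattr(sock, name)(*args)
    except:
        return 'wat'


def scoped(sock, name, *args):
    """Tolerate only EINVAL from SO_ATTACH_FILTER; re-raise everything else."""
    try:
        return getattr(sock, name)(*args)
    except socket.error as e:
        is_filter = (name == "setsockopt" and len(args) > 1
                     and args[1] == SO_ATTACH_FILTER)
        if is_filter and e.errno == errno.EINVAL:
            return None  # filter not attached: the socket sees all traffic
        raise


def send_outcome(wrapper):
    """Report what a caller sees when send() fails under a given wrapper."""
    try:
        return wrapper(FakeSock(), "send", b"probe")
    except socket.error as e:
        return "raised errno %d" % e.errno
```

With the blanket version a failed send, or even a misspelled method name, comes back as 'wat'; the scoped version still raises both.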

SSH ranking update!

Firstly, links!:

http://vps2.pronto185.com/ssh_rank/lists/all
https://github.com/pronto/SSH-Ranking
also: follow me: https://github.com/pronto/ https://twitter.com/moo_pronto

Now for “wtf is all this?!”

Intro bit:
On linux boxes there’s a file called /var/log/auth.log where all login attempts to the system are logged, among other things.
If you’ve ever run a linux box on the web with port 22 open you’ll know that it gets hit, and hit hard (especially so if your IP is in a well-known ‘server range’, e.g. linode.com).
Now most sane people will either just use fail2ban (or something similar) or change the ssh port.
But craycray people like myself like it when auth.log* gets filled up with these attempts for a fun dataset!
About the project:
This project mainly started as something to do using python, sql-alchemy, flask/jinja2 and other things.
What it does is parse through auth.log, getting every failed login attempt, and toss it into a database.
Then the web part queries the DB and displays interesting things, e.g. http://vps2.pronto185.com/ssh_rank/user/r00t shows which IPs have tried the user name ‘r00t’.
Remember this project is still in the early phases, and could be unstable. I wouldn’t run this on production boxes. If you want to see data from production boxes, I recommend moving the auth.logs off to some test-server and telling the sshrank.py to parse those
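
An added illustration of the parse-then-query flow described under “About the project” (not code from SSH-Ranking itself): it pulls failed sshd password attempts out of auth.log text, stores them, and answers “which IPs tried this user name”. The log lines are constructed, the function names are hypothetical, and an in-memory sqlite3 table stands in for the sql-alchemy/MySQL database.

```python
import re
import sqlite3

# Constructed sample lines in the usual Debian sshd format (not real data).
SAMPLE = """\
Nov 12 03:14:07 host1 sshd[1201]: Failed password for invalid user r00t from 203.0.113.5 port 51234 ssh2
Nov 12 03:14:09 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov 12 03:15:30 host1 sshd[1207]: Failed password for invalid user r00t from 198.51.100.7 port 40022 ssh2
Nov 12 03:15:31 host1 sshd[1209]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Nov 12 03:16:02 host1 sshd[1213]: Failed password for invalid user a from 192.0.2.99 port 1 ssh2 from 198.51.100.7 port 40100 ssh2
Nov 12 03:16:40 host1 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# The user name is chosen by the remote client, so the greedy (.*) makes the
# LAST " from <ip> port <n> ssh2" on the line the one that is trusted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2$")

def parse_failed(text):
    """Yield (user, ip) for each failed sshd password attempt in text."""
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def load(text):
    """Store the attempts in an in-memory SQLite table (stand-in database)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fails (user TEXT, ip TEXT)")
    # Parameter binding keeps hostile user names out of the SQL text.
    db.executemany("INSERT INTO fails VALUES (?, ?)", parse_failed(text))
    return db

def ips_for_user(db, user):
    """IPs that tried a given user name, most attempts first."""
    return db.execute(
        "SELECT ip, COUNT(*) FROM fails WHERE user = ? "
        "GROUP BY ip ORDER BY COUNT(*) DESC, ip", (user,)).fetchall()

def top_ips(db, limit=10):
    """Overall offenders by number of failed attempts."""
    return db.execute(
        "SELECT ip, COUNT(*) FROM fails GROUP BY ip "
        "ORDER BY COUNT(*) DESC, ip LIMIT ?", (limit,)).fetchall()
```

The fifth sample line carries a user name that imitates the log format; the parser attributes it to 198.51.100.7, the address sshd itself wrote at the end of the line.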
What’s next?:
Going to start doing more digging into the top offenders. Doing port scans, keeping an rdns history for changes, grab the whois data to compare with other offenders.
Also thinking about logging the passwords for failed attempts, Eric Gragsone had an interesting idea on how to do that with pam

‘This is neat, i want this’ and ‘how can i help?’

Get it running?

The readme on github should help you get started. note: it was tested on Debian 7.2, so if you use something else, you might have to do things differently
i have gotten it working on python 2.7 and 2.6.6

How I help?

All the code is on github, feel free to fork/etc… and if I like your changes, I’ll merge it into the main one.
If you don’t know how to use github, I highly recommend learning how to use it; you can find a lot of links here to figure it out :)

Talk to ….me?!

Best way is via: irc(pronto on: efnet,freenode,snoonet,and other nets…) email: pronto185@gmail.com, or google chat/hangouts

SSH fail ranking!

is now back in action :D
rewrote my old ssh-rank script, this time doing things ‘better’

using sql-alchemy for mysql access (no longer python lists+pickles)
proper use of flask/jinja2 (i think)

more info over at github

 

if it’s currently up, example web-ui here

Python function to update a var in a list of tuple

As part of my new ssh-fail script, now written in python, I found myself needing to update a var in a list of a list, but you can’t just do list_a[3][3]= ‘new thing’ :(

so i wrote this function:

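def tuple_update(tup, varloc, newval):
    # Tuples are immutable, so build a new sequence with one position replaced.
    temp = []
    for a in range(len(tup)):
        if varloc != a:
            temp.append(tup[a])
        else:
            temp.append(newval)
    return temp  # note: this is a list, not a tuple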

and you can use it like this:

>>> ip_test=[('8.8.8.8', 423, None, 0), ('4.2.2.2', 64, None, 3), ('42.42.42.42', 23, None, 10)]
>>> ip_test[1]
('4.2.2.2', 64, None, 3)
>>> ip_test[1]=tuple_update(ip_test[1],1,38)
>>> ip_test[1]
['4.2.2.2', 38, None, 3]
>>> ip_test[2]=tuple_update(ip_test[2],0,'100.100.2.3')
>>> ip_test[2]
['100.100.2.3', 23, None, 10]
>>> ip_test
[('8.8.8.8', 423, None, 0), ['4.2.2.2', 38, None, 3], ['100.100.2.3', 23, None, 10]]

that’s: tuple_update(list,location,newval)