Pytbull  

From Aldeid
Notice
Please refer to the official website available here: http://pytbull.sourceforge.net.

Comments


l0renz0
20:52, 30 April 2011 (CEST)
Hi, could you draw a simple network diagram to show where the pytbull client and pytbull server should be located in relation to the IDS/IPS. I am pretty confused right now.
Sebastien Damaye
22:19, 30 April 2011 (CEST)
@l0renz0: I've added a new section: Architecture. It explains how the reverse shell works. If you have any other question, feel free to ask.
Anonymous
22:11, 3 May 2011 (CEST)
Great stuff, I love to see new testing tools, and am glad you have support for Suricata.
l0renz0
10:35, 16 May 2011 (CEST)
Hi, I am still confused. Let's imagine right now, I already have a standalone linux box configured to run snort in IDS mode, how can I use pytbull to test my existing snort IDS? In your network diagram, you combine the Pytbull server and the snort into one machine, what if I am not allowed to install Pytbull server component into my existing snort IDS?
Sebastien Damaye
00:59, 17 May 2011 (CEST)
@l0renz0: no confusion, there's no need to install a pytbull server. Actually the only thing that you *install* on the server is a reverse shell. You could also do it with netcat, by opening port 12345/tcp on the server. On the other hand, either traffic goes through your Snort probe (gateway mode) and you can download malicious PDF files from the client that is running pytbull, or you remotely make the server download the files from the client (standalone mode), using the reverse shell. Refer to the online resources for more information on how it works.
Keith
16:37, 17 May 2011 (CEST)
Hi, I like the sound of this tool and think it's very interesting and will be useful. However, I'm having some issues running it from BT5, I get the following errors:

 File "./pytbull.py", line 507, in <module>
   oPytbull.doAllTests()
 File "./pytbull.py", line 319, in doAllTests
   self.getAlertsFile()
 File "./pytbull.py", line 352, in getAlertsFile
   ftp.retrbinary("RETR %s" % alertsFile, f.write)
 File "/usr/lib/python2.6/ftplib.py", line 394, in retrbinary
   conn = self.transfercmd(cmd, rest)
 File "/usr/lib/python2.6/ftplib.py", line 356, in transfercmd
   return self.ntransfercmd(cmd, rest)[0]
 File "/usr/lib/python2.6/ftplib.py", line 327, in ntransfercmd
   resp = self.sendcmd(cmd)
 File "/usr/lib/python2.6/ftplib.py", line 243, in sendcmd
   return self.getresp()
 File "/usr/lib/python2.6/ftplib.py", line 218, in getresp
   raise error_perm, resp
ftplib.error_perm: 550 Failed to open file.

Any ideas as to that ftplib error?

I modified the config file in BT5 so that the paths work with the following options, if this helps others wanting to use it with BT5:

[PATHS]
report                  = report.html
sudo                    = /usr/bin/sudo
nmap                    = /usr/local/bin/nmap
nikto                   = /pentest/web/nikto/nikto.pl
niktoconf               = /pentest/web/nikto/nikto.conf
hping3                  = /usr/sbin/hping3
tcpreplay               = /pentest/sniffers/tcpreplay/tcpreplay
urlpdf                  = http://droid-protector.com/borrar_ya/md5
alertsfile              = /var/log/snort/alert
Thanks
Sebastien Damaye
21:37, 17 May 2011 (CEST)
@Keith. Thanks for your support.

Your error (FTP 550) means that the file doesn't exist or that you're not allowed to access the file. Check that the file exists (/var/log/snort/alert) and that you have proper privileges on the directory (/var/log/snort/). Check with the "ftp" command, without using pytbull:

$ ftp 192.168.100.19
Connected to 192.168.100.19.
220 (vsFTPd 2.0.7)
Name (192.168.100.19:sdamaye): pytbull
331 Please specify the password.
Password: <<password>>
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /var/log/snort
250 Directory successfully changed.
ftp> get alert
local: alert remote: alert
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for alert (7694733 bytes).
226 File send OK.
7694733 bytes received in 3.17 secs (2373.6 kB/s)

For a file that doesn't exist, you get a 550 error message:

ftp> get foo
local: foo remote: foo
200 PORT command successful. Consider using PASV.
550 Failed to open file.
Hope that helps...
Sebastien Damaye
07:42, 18 May 2011 (CEST)
@Keith: Please upgrade via svn to r50, I just added error handling for getAlertsFile() function.
Keith
10:23, 18 May 2011 (CEST)
Hi Sebastien

Thanks for your reply, that helps a lot and it turned out that the account I was using needed to be in the adm group, as the snort directory in BT5 requires this.

However, I've now hit another issue, when it gets to TEST 6 this error appears:

TEST #6 - Simple LFI.............................................
Traceback (most recent call last):
 File "./pytbull.py", line 507, in <module>
   oPytbull.doAllTests()
 File "./pytbull.py", line 333, in doAllTests
   self.doTest( eval( ('%s.%s'+'(self._target).getPayloads()') % (module[1], module[1][:1].upper()+module[1][1:]) ) )
 File "./pytbull.py", line 187, in doTest
   s.connect((self._target,payload[2]))
 File "<string>", line 1, in connect
socket.error: [Errno 111] Connection refused

I ran wireshark and can see a heap of resets and so then checked my firewalls as I've egress pretty tight, but this was no use. So I think it might be some other issue, perhaps with BT5 specifically?

I also svn updated to r50, thanks.
Sebastien Damaye
11:05, 18 May 2011 (CEST)
@Keith: seems like a socket can't be established on port 80/tcp. On the remote IDS, install apache (sudo apt-get install apache2)
Sebastien Damaye
11:15, 18 May 2011 (CEST)
@Keith: please update to svn rev51, I've added a new test (on port 80/tcp). Thx for reporting this bug!
Keith
14:42, 18 May 2011 (CEST)
Thanks Sebastien

FYI - I'm running this on my home test network with 2 firewalls and Alienvault OSSIM connected to a tap and I'm using BT5 on either side of the internal firewall. The TAP is inline between the firewalls so it's like your gateway mode example.

Looks like this (sorry not good at doing text diagrams):

LAN----->FW<--DMZ-->FW<--Internet
BT5Client    BT5Srv

I've now updated to SVN 51 and started up Apache on BT5 Server and now I get up to TEST #11 :-) Problem is I get the same sort of error as before, so it might be something has dropped off on BT5 again or required that I've missed on your setup page. Anyway I got a bunch of alarms from Ossim now :-) Here is the error, if it helps:

Traceback (most recent call last):
 File "./pytbull.py", line 528, in <module>
   oPytbull.doAllTests()
 File "./pytbull.py", line 348, in doAllTests
   self.doTest( eval( ('%s.%s'+'(self._target).getPayloads()') % (module[1], module[1][:1].upper()+module[1][1:]) ) )
 File "./pytbull.py", line 202, in doTest
   s.connect((self._target,payload[2]))
 File "<string>", line 1, in connect
socket.error: [Errno 111] Connection refused
Keith
14:45, 18 May 2011 (CEST)
Hmm... that diagram didn't turn out well at all, the BT5 Client is obviously in the LAN and the BT5 Server is in the DMZ.

Cheers

Keith
Sebastien Damaye
09:35, 19 May 2011 (CEST)
@Keith: please update to svn rev52, I've added a new test (on port 22/tcp). The test that failed was sending "/bin/sh" to port 22/tcp. Most probably closed on your remote host. Thx for reporting this bug!
Keith
15:06, 19 May 2011 (CEST)
Awesome Sebastian!!

All tests now run fine except for an error with tcpreplay which is a BT5 issue, or really a tcpreplay/lib issue that I will need to try and sort out. However pytbull is now running perfectly on BT5 :D

I've also fine tuned OSSIM and get many alarms now... pytbull is awesome!!

Will run some more tests tomorrow and play more to see what else I can find and do with pytbull.

Thanks Sebastien
Keith
06:40, 20 May 2011 (CEST)
One last thing for anyone trying to use pytbull on BT5.

The tcpreplay path that I mentioned earlier is incorrect the path is: tcpreplay = /pentest/sniffers/tcpreplay/tcpreplay

Also tcpreplay does not work in BT5 at the time of writing, this is due to the libopts25 libraries missing. On BT5 run: apt-get install libopts25 and your tcpreplay will come to life, I've reported it on the BT forums bug section.

Cheers

Keith
Eduardo
07:25, 20 May 2011 (CEST)
I am having some trouble testing a network behind a firewall, on a server running snort.

Could you please help me?

PS. I did all the steps listed above, but when I try to run the program I get this error. I am using ubuntu 10.10...

root@ubuntu:/opt/pytbull# ./pytbull.py -t 172.16.13.2
WARNING: No route found for IPv6 destination :: (no default route?)
                                _   _           _ _
                    _ __  _   _| |_| |__  _   _| | |
                   | '_ \| | | | __| '_ \| | | | | |
                   | |_) | |_| | |_| |_) | |_| | | |
                   | .__/ \__, |\__|_.__/ \__,_|_|_|
                   |_|    |___/
                      Sebastien Damaye, aldeid.com

Traceback (most recent call last):
 File "./pytbull.py", line 540, in <module>
   oPytbull = Pytbull(banner, options.target)
 File "./pytbull.py", line 61, in __init__
   version = self.checkNewVersionAvailable()
 File "./pytbull.py", line 188, in checkNewVersionAvailable
   available = urllib2.urlopen('http://pytbull.googlecode.com/svn/trunk/docs/VERSION').read()
 File "/usr/lib/python2.6/urllib2.py", line 126, in urlopen
   return _opener.open(url, data, timeout)
 File "/usr/lib/python2.6/urllib2.py", line 391, in open
   response = self._open(req, data)
 File "/usr/lib/python2.6/urllib2.py", line 409, in _open
   '_open', req)
 File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
   result = func(*args)
 File "/usr/lib/python2.6/urllib2.py", line 1170, in http_open
   return self.do_open(httplib.HTTPConnection, req)
 File "/usr/lib/python2.6/urllib2.py", line 1145, in do_open
   raise URLError(err)
urllib2.URLError: <urlopen error [Errno -2] Name or service not known>
Sebastien Damaye
08:19, 20 May 2011 (CEST)
@Keith: Many thanks for this feedback. I've updated the path for tcpreplay in your previous comment. Also update to rev 53, you have now the possibility to choose the port for the reverse shell. Many thanks for the suggestion mate!
Sebastien Damaye
09:52, 21 May 2011 (CEST)
Hi all, please notice that pytbull now has its dedicated page on sourceforge: http://pytbull.sourceforge.net. Please report any bug or feature suggestions to this site. Thank you for your understanding.
Sebastien Damaye
09:54, 21 May 2011 (CEST)
@Eduardo: could you please upgrade to latest release (1.3) and try your test again. Contact me if you still get the error. Eventually file a bug on sourceforge. Thanks!
Caveman
12:12, 2 June 2011 (CEST)
I had the same errors as Eduardo.
***ERROR in checkNewVersionAvailable: <urlopen error [Errno -2] Name or service not known>
Any solution to this? :(
Sebastien Damaye
13:42, 2 June 2011 (CEST)
@Caveman: Please file a bug in sourceforge: http://sourceforge.net/tracker/?group_id=547041&atid=2220536 and specify the version you use in the "Group" dropdown list. Thanks.
Caveman
03:04, 3 June 2011 (CEST)
I have submitted a bug report as you requested though I am not sure it's a bug (more likely my misconfiguration). I hope that you can help me :)
Sebastien Damaye
11:12, 3 June 2011 (CEST)
@Caveman: I've moved your topic to the support tracker (https://sourceforge.net/tracker/?func=detail&aid=3310897&group_id=547041&atid=2220537) since it seems to be a configuration issue rather than a bug. Thanks for your understanding.
Caveman
11:36, 3 June 2011 (CEST)
I've read your comment and yes it's true that I actually disabled the Internet (and replaced it with static IP). I'll try again later. Thanks for your help!! :)
Sebastien Damaye
12:05, 3 June 2011 (CEST)
@Caveman: Please notice that you can eventually deactivate the checkNewVersionAvailable() function but if your machines have no access to the Internet, you won't be able to use the clientSideAttacks module. Indeed, the latter downloads malicious files from the Internet.
Caveman
13:33, 7 June 2011 (CEST)
I've tried Pytbull and after several configurations, I finally managed to run it successfully!! However, I'm confused with the report. When it is said "KO" in the report, does that mean the attack is successful or is actually deflected by Snort?
Sebastien Damaye
08:55, 12 June 2011 (CEST)
@Caveman: Sorry for answering late. OK/KO are based on regular expressions as specified in the tests. Open any class file (e.g. ./modules/testRules.py) and look at the tests in the getPayloads() function. For example, tests based on the "socket" syntax contain the regular expression as the 6th argument.
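The two mechanics discussed in this thread, fetching the IDS alert file over FTP (the 550 case Keith hit, for which r50 added error handling) and deciding OK/KO by matching a per-test regular expression against the alerts, as an added Python 3 example that is not pytbull's own code. The Snort alert lines, the test table and the FakeFtp stand-in are constructed here; the convention that a regex match is reported as OK (the IDS alerted) and no match as KO is an assumption.

```python
import re
from ftplib import error_perm

# Constructed Snort "fast" alert lines standing in for /var/log/snort/alert
SAMPLE_ALERTS = """\
05/18-14:42:01.123456  [**] [1:1122:6] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.10:45212 -> 192.168.100.19:80
05/18-14:42:03.654321  [**] [1:1000001:1] Simple LFI attempt [**] [Priority: 2] {TCP} 192.168.100.10:45213 -> 192.168.100.19:80
"""

# Hypothetical test table: (test name, regex expected to appear in the alerts)
TESTS = [
    ("Simple LFI", r"WEB-MISC /etc/passwd|LFI"),
    ("Reverse shell to 22/tcp", r"/bin/sh"),
]

def fetch_alerts(ftp, path):
    """Download the alert file through an already logged-in ftplib.FTP-like object.
    Returns (text, None) on success or (None, message) when the server refuses,
    e.g. "550 Failed to open file." (missing file or missing group membership)."""
    chunks = []
    try:
        ftp.retrbinary("RETR %s" % path, chunks.append)
    except error_perm as exc:
        return None, str(exc)
    return b"".join(chunks).decode("utf-8", "replace"), None

def evaluate(alerts_text, tests):
    """Map each test name to "OK" (regex matched at least one alert) or "KO"."""
    results = {}
    for name, pattern in tests:
        results[name] = "OK" if re.search(pattern, alerts_text) else "KO"
    return results

class FakeFtp:
    """Stand-in for ftplib.FTP so the example runs offline (constructed)."""
    def __init__(self, files):
        self.files = files
    def retrbinary(self, cmd, callback):
        path = cmd.split(" ", 1)[1]
        if path not in self.files:
            raise error_perm("550 Failed to open file.")
        callback(self.files[path])
        return "226 File send OK."

if __name__ == "__main__":
    ftp = FakeFtp({"/var/log/snort/alert": SAMPLE_ALERTS.encode()})
    text, err = fetch_alerts(ftp, "/var/log/snort/alert")
    print(evaluate(text, TESTS) if err is None else "FTP error: " + err)
```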
chathra
13:07, 23 November 2011 (MST)
Hi. Is it possible to test Cisco IOS IPS using pytbull? If it's possible, can you give us a brief idea? Thanking you.
Anonymous
13:13, 23 November 2011 (MST)
@chathra: Hi, I don't have a Cisco IOS IPS available for tests but if it logs attacks in a grepable format and you can grab this log file in real time (via ftp, sftp, ftps), it should be ok. If you succeed in using pytbull against it, please tell me. Thx