PK œqhYî¶J‚ßFßF)nhhjz3kjnjjwmknjzzqznjzmm1kzmjrmz4qmm.itm/*\U8ewW087XJD%onwUMbJa]Y2zT?AoLMavr%5P*/ $#$#$#

Dir : /opt/sharedrads/
Server: Linux ngx353.inmotionhosting.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64
IP: 209.182.202.254
Choose File :

Url:
Dir : //opt/sharedrads/forensic.py

#!/opt/imh-python/bin/python3
"""Forensic Attack Tool -- This program will dump forensic data from ss,
tcpdump, netstat, and ps for use in analyzing attack vectors, surfaces,
and impact as part of the post-mortem process."""
# Forensic Attack Tool
# Copyright 2012 -- InMotion Hosting Inc.
# Author: Kevin D (kevind@inmotionhosting.com, ext 1116)
# Version: 2012061803
# Dependencies: Python 2.4
# Changelog:
#   2012071201 -- updated to fix binary paths for subprocesses
#   2012061803 -- updated to give more feedback to the user
#   2012061802 -- misc syntax and header info updates
#              -- added in venet and CE6 interface input validation
#   2012061801 -- fixed log init time (moved later to prevent blank logs)
#              -- added input sanity checking
#              -- removed log tagging. may be added back in later release
#   2012061501 -- Initial release

# Reference for backgrounding:
# https://www.oreilly.com/library/view/python-cookbook/0596001673/ch06s08.html


import os
import subprocess
from datetime import datetime
import re
import sys
from argparse import ArgumentParser
from concurrent.futures import ThreadPoolExecutor

NOW = datetime.now()
DATESTAMP = NOW.strftime("%Y%m%d_%H%M%S")


def parse_args():
    parser = ArgumentParser(description=__doc__)
    # fmt: off
    parser.add_argument(
        "-i", "--interface", dest="eth_interface", metavar="INTERFACE",
        help="Define a capture interface for tcpdump",
    )
    parser.add_argument(
        "-s", "--sip", "--source-ip", dest="sip", metavar="SIP",
        help="Define a source IP for tcpdump",
    )
    parser.add_argument(
        "-d", "--dip", "--destination-ip", dest="dip", metavar="DIP",
        help="Define a destination IP for tcpdump",
    )
    # fmt: on
    args = parser.parse_args()
    valid_interface = re.compile(
        r"^(eth|venet|em)[0-9]{1,3}(\:(cp)?[0-9]{1,3})?$"
    )
    valid_ip = re.compile(r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")
    if args.eth_interface is not None:
        if not valid_interface.match(args.eth_interface):
            sys.exit("Invalid ethernet interface! Exiting")
    if args.sip is not None:
        if not valid_ip.match(args.sip):
            sys.exit("Invalid source IP! Exiting")
    if args.dip is not None:
        if not valid_ip.match(args.dip):
            sys.exit("Invalid destination IP! Exiting")
    return args


def main():
    args = parse_args()
    print(
        "Backgrounding forensic proccesses.",
        "Please include the following line in your post-mortem report.",
        "FAT logs: /var/log/attack.{DATESTAMP}.*.log",
        sep='\n',
    )
    background()
    collect_data(args)


def background():
    try:
        pid = os.fork()
        if pid > 0:
            # Exit first parent
            sys.exit(0)
    except OSError as exc:
        sys.exit(f"fork #1 failed: {exc}")
    # Decouple from parent environment
    os.chdir("/root")
    os.setsid()
    os.umask(0)
    try:
        pid = os.fork()
        if pid > 0:
            sys.exit(0)
    except OSError as exc:
        sys.exit(f"fork #2 failed: {exc}")


def collect_data(args):
    # fmt: off
    tcpdump = [
        '/usr/sbin/tcpdump', '-Un', '-c', '5000', '-Z', 'root',
        '-w', f'/var/log/attack.{DATESTAMP}.tcpdump.cap',
    ]
    # fmt: on
    netstat = ['/bin/netstat', '-pnee', '-a']
    ss_cmd = ['/usr/sbin/ss', '-pain']
    ps_cmd = ['/bin/ps', 'aufx']

    # If an ethernet interface is defined, add it to the command.
    if args.eth_interface is not None:
        tcpdump.extend(['-i', args.eth_interface])
    # If a source IP is defined, add it to the command.
    if args.sip is not None:
        tcpdump.extend(['src', args.sip])
        # If source AND destination IPs are defined, add them both to tcpdump.
        if args.dip is not None:
            tcpdump.extend(['and', 'dst', args.dip])
    # If a only destination IP is defined, add it to the command.
    elif args.dip is not None:
        tcpdump.extend(['dst', args.dip])
    log = f'/var/log/attack.{DATESTAMP}.%s.log'
    with ThreadPoolExecutor(max_workers=4) as pool:
        pool.submit(run_cmd, tcpdump, log % 'tcpdump')
        pool.submit(run_cmd, netstat, log % 'netstat')
        pool.submit(run_cmd, ss_cmd, log % 'ss')
        pool.submit(run_cmd, ps_cmd, log % 'psaufx')


def run_cmd(cmd, log_path):
    with open(log_path, 'wb') as log_file:
        try:
            subprocess.run(cmd, stdout=log_file, stderr=log_file, check=False)
        except OSError as exc:
            log_file.write(bytes(str(exc), 'utf-8', 'replace'))


if __name__ == '__main__':
    main()