Detecting New Network Devices with Python and Tkinter

By K4Paul 0 Enumeration, Fingerprinting, Networking, Python, Vulnerability Scanner , , , ,

UPDATE: I made a better version of this tool with server implementation here.

Today I felt like building a python 2.7 script that would enumerate a network along with alert me to the presence of a new device.

I limited my project to functions in the standard library.

So something lightweight and okay fast is a ping sweep. From an early post I included the Linux command for a sweep. I used this command along with the python commands to execute the ping sweep along with storing the results in a variable.

new = commands.getoutput('for i in {'+MIN+'..'+MAX+'}; do ping -c 1 -t 1 '+PREFIX+'.$i | grep "from"; done')

Following, I used some regular expressions to pull out the IP addresses detected in a given prefix range.

tmp = re.findall(PREFIX+"\.(\d+)", str(new)) #Pull out IP addresses from the ping results

Put that in a loop with some comparison data and you have a script that prints an alert whenever a new device is detected.

import commands, re
PREFIX = "192.168.1" #Network prefix
MIN = "0" #Starting network address, eg 192.168.1.0
MAX = "12" #Closing network address, e.g. 192.168.1.55
results = []
while 1:
new = commands.getoutput('for i in {'+MIN+'..'+MAX+'}; do ping -c 1 -t 1 '+PREFIX+'.$i | grep "from"; done') #Ping sweep the network to find connected devices
tmp = re.findall(PREFIX+"\.(\d+)", str(new)) #Pull out IP addresses from the ping results
if tmp != results:
for t in tmp:
if t not in results:
print "New device at" + PREFIX + "." + str(t)
results = tmp

There are a few short comings in the code but that’s the basic idea.

Now take this further, I hooked it up to a GUI with enumeration information! The new beastly application constantly flips through NMAP scan results of devices found connected to the network and displays the results in a GUI. I even placed a picture in the GUI. I call this app, the Hindenburg, its kind of hacked together.

The Hindenburg!
The Hindenburg!
from Tkinter import *
import time, commands, re
PREFIX = "192.168.1" #Network prefix
MIN = "0" #Starting network address, eg 192.168.1.0
MAX = "12" #Closing network address, eg 192.168.1.12
class flipGUI(Tk):
def __init__(self,*args, **kwargs): #Setup the GUI and make it pretty
Tk.__init__(self, *args, **kwargs)
self.label1 = Label(self, width= 65, justify=CENTER, padx=5, pady=5, text="Guests") #Text label
self.label2 = Label(self, text="Guests") #Photo label
self.label2.grid(row=0, column=1, sticky=W+E+N+S, padx=5, pady=5)
self.label1.grid(row=0, column=0)
self.flipping()    def flipping(self): #Flip through NMAP scans of detected devices
t = self.label1.cget(“text”)
t = self.label2.cget(“image”)
found = scanNetwork()
photo = PhotoImage(file=”picture.gif”)
for f in found[:-1]: #Loop through all but the last item
self.label1.config(text=f)
self.label1.update()
self.label2.config(image=photo)
self.label2.update()
time.sleep(15)
self.label1.config(text=found[-1]) #the last item doesn’t require the sleep, it takes enough time to run the scans
self.label1.update()
self.label2.config(image=photo)
self.label2.update()
self.after(1, flipping())

def scanNetwork():
found = []
new = commands.getoutput(‘for i in {‘+MIN+’..’+MAX+’}; do ping -c 1 -t 1 ‘+PREFIX+’.$i | grep “from”; done’) #Ping sweep the network to find connected devices
tmp = re.findall(PREFIX+”\.(\d+)”, str(new)) #Pull out IP addresses from the ping results
for ip in tmp: #Loop through each found IP
found.append(commands.getoutput(‘nmap -v -A -Pn ‘+PREFIX+’.’+ip))
return found

app = flipGUI()
app.mainloop()

It’s ideal for an environment where it can just sit on the screen without much of any type of activity going on. If you are enumerating the entire network, there will be a lag… it happens.

Distributed Agent Cloud-Sourced Malware Reporting

By K4Paul 0 Malware Reporting, Python , , , ,

I recently graduated from BYU with my masters degree. I really enjoyed my research I want to share what I worked on. For my thesis I looked into creating a distributed agent malware reportage framework.

“Malware is a fast growing threat that consists of a malicious script or piece of software that is used to disrupt the integrity of a user’s experience. Antivirus software can help protect a user against these threats and there are numerous vendors users can choose from for their antivirus protection. However, each vendor has their own set of virus definitions varying in resources and capabilities in recognizing new threats. Currently, a persistent system is not in place that measures and displays data on the performance of antivirus vendors to new malware over a continuous period of time. There is a need for a system that can evaluate antivirus performance in order to better inform end users of their security options in addition to informing clients of prevalent threats occurring in their network. This project is dedicated to developing a cloud sourced malware reporting system that uses distributed agents to assess the performance of antivirus software based on malware signatures.”

My research site: http://itsecurity.et.byu.edu:85

Publications: Using Agent Technologies to Correlate and Compare Anti-Malware Software

Currently, the study is being continued by the Cyber Security Research Lab (CSRL) at Brigham Young University.