How to monitor packets using Snort features? - ios

I want to create a network intrusion detection system for iOS application. The main function is to allow the user to select a home network (maybe prompt them to simply enter the IP address only) and to be able to monitor the packets and if there is anything suspicious- we need to alert user via push notification or email. i wanted to use the features and functions of Snort, an open source network intrusion detection system.
Any Suggestions,Sample code ?! Where to start?

VM's do not have native hardware access, which is necessary for monitor mode. Maybe IOMMU PCI passthrough or bridged devices might work. It is probable that it is possible to compile the iOS kernel with a module that works for the wireless nic. I don't think it's a proprietary chip specific to apple, because a chip with multie technology capabilities in RF wouldn't be cost effective qt all. I'm just not sure if the filesystem blocks access in the OS framework or whatever. I have tried to compile linux/iOS ARM packages natively in the shell with the aircrack-ng source, but have not had any luck. Maybe someone would have better luck actually cross-compiling a package and sideloading it somehow.

I don't think this is possible for multiple reasons:
You wouldn't be able to compile snort for iOS.
In order to run snort you have to have the interface (NIC) in promiscuous mode, which I really don't think you can do on an iOS device (iPhone, iPad, etc) but I have never really looked into it, but Apple probably locks this down and restricts this for security purposes so if you could do it you'd likely have to jail-break the device first. It's not even possible to put the wifi card in an Apple laptop into monitor mode, which is similar.
There are a lot of dependencies for snort, most importantly the DAQ. You would probably only be able to monitor the wifi interface (even this might not be possible), not the interface used for the cellular network as this is probably a different daq than standard Ethernet nics.
This very likely is not possible on iOS, if it is it would be VERY difficult to pull off and even if you did the use case isn't really good. Even if you could get a daq for the cellular card, I don't know if promiscuous mode even exists and if it did all of the traffic on the cellular network is encrypted, so inspecting this with snort would be pointless. If you could do it for the wifi traffic it's probably not worth the effort honestly, especially since almost all traffic nowadays is encrypted, you'd have to decrypt it first, which certainly isn't possible to do.

In the view of Johnjg12's comments, I am wondering about your goal. If you want to make a NIDS, you can make it OS independent, anyway. If you want to consider only HIDS that monitors packet destined to it, we don't need it to be in promiscuous mode (a comment to Johgj12's response). so, now it is something to do with Snort on iOS. I am wondering if we can do it on a VM and then turning its promiscuous mode? Having said that I came across a link: https://www.securemac.com/macosxsnort.php

Related

How to capture and send packets via Macbook

I want to capture and send some packets to the access point for testing purposes. I have the packet captures made via wireshark but I do not know how to proceed to be able to send these packets from my macbook.
I tried things like scapy, colasoft etc, but they do not seem to work as they require an external wifi adapter to be able to relay these packets outwards.
Two main questions:
Is it possible to send custom packets from macbook to a required access point. (Without using external network adapter).
If yes, what are some tooling/Scripting options that I can look at ? Any recommendations?
I am networking novice so please pardon me if the question is trivial. Thank you!
Your builtin Wifi adapter likely does not support Wifi injection.
You can check this by googling the Wifi chip that is within your computer (there are various methods to get that info depending on your OS) whether it supports Wifi injection or not.
So yeah, you'll likely need an external card (check the specs before buying it)

looking for alternative solution than IPFW for slowing down an internet connection

I need to slow down (simulate bad) internet connection, I found some documentation where it was achieved by "ipfw pipe" command , the thing is that in latest MAC OS versions , ipfw was deprecated (and removed)...
I was wondering if there are any alternative to the ipfw API ?
Does anyone know how latest Network Link Conditioner achieves it?
The original previous way which enabled to slow down an internet connection :
sudo ipfw pipe 1 config bw 56Kbit/s delay 200 plr 0.2
and to clear the pipe :
sudo ipfw delete 1
Thanks.
I don't know much about Mac OS (I use Linux myself), but I'll give this a shot.
A bunch of digging established that ipfw seems unavailable, as you say.
I was also unable to find a way to use the Network Link Conditioner from the command line. Everything should be usable from the command line, so that's stupid.
One work around would be to try to access the NLC from within AppleScript. The following will get you started on toggling the NLC:
property thePane : "com.apple.Network-Link-Conditioner"
tell application "System Preferences"
activate
set the current pane to pane id thePane
--delay 2
end tell
---
tell application "System Events"
tell application process "System Preferences"
try
click ((checkboxes of window "Network Link Conditioner") whose description is "enable switch")
on error
click ((checkboxes of window "Network Link Conditioner") whose description is "enable switch")
end try
end tell
end tell
I think that you can run a script from the terminal with osascript <SCRIPT>.
As an alternative, Charles Proxy is a pay-to-use program that can be used to perform throttling, provided you can convince the software you are testing to connect to the proxy's port rather than directly to the internet. Maybe there are free proxy solutions out there somewhere?
Perhaps Squid would work in that regard. SquidMan seems to be an easy-ish way to install it for Mac. It looks as though DelayPools and or Client Bandwidth Limits might be useful for simulating a low speed connection, though I can't find evidence of people having used them for such.
I found several solutions that might work. They come from some old threads, but they might help:
How to simulate slow internet connections on the mac
Apple has made a very handy official tool to slow down the network connections on you Mac for testing purposes.
The Network Link Conditioner preference is a free download from within Xcode (for Lion and later OS). Additionally, iOS has similar function accessible from within Xcode and iOS 6 or later.
How do I simulate a bad Wi-Fi connection on my iPad?
There are a few ways you can do this, depending on your situation:
Move further away from your router. While this may seem a bit obvious, I realize that it isn't always possible while testing/debugging (for example, if you are working on a desktop computer).
Put aluminum foil around the router and/or antenna. This will (partially) block some or all of the radio signals by creating a makeshift Faraday cage. The results you get will depend on the strength of your router signal, distance from the router, and other environmental factors.
Set your router's wireless signal power to a lower setting. The method for doing this is different for each router, so you will have to look at the user guide for instructions on how to do this.
Slow down internet for iOS simulator
You can set the network to slow characteristic by testing on devices. Go to Settings -> Developer Settings -> Network Link Conditioner -> Enable. This is for iPhone/iPad running iOS 6
I don't know if the last one you can still do.
I've used many methods in the past for slowing down network connections, among them:
performing a parallel download of some massive Linux ISO file;
physically pulling out the Ethernet cable (at one point, I actually toyed with the idea of building a push-button device that would sit between two cat5 cables and do this without having to physically disconnect the whole cable).
using ifconfig eth0 down ; sleep 1 ; ifconfig eth0 up.
Hopefully one or more of those methods will help.
If you're looking to slow down your network connection because you're doing testing/profiling work, one option is to get a specific device that can create network latency/noise.
For example Apposite Tech's mini2 WAN emulator allows you to change values for bandwidth and packet loss. You can roll your own device too using something like: http://wanem.sourceforge.net/ . It just depends on your needs, time and budget.

how do i access my cisco router details from ios mobile

Is it possible to access my Cisco router details like Name,Model,IP Address,Connection status etc from my iOS mobile.
I'm even ready to write small mobile app in iOS to get all router details.
Since I have just started learning in iOS, don't know if any library already exists for above task.
If my router does not work or gets hang.. I even want to try for restart of router using my mobile.
If example code exist, it will be very useful.
Like Cisco already has andriod and iOS app for same above function but dont want to use this app and want to write my own app with limited features only.
(http://www.addictivetips.com/mobile/cisco-connect-express-manage-router-settings-remotely-android-ios/)
Thanks,
Accessing network gear is best done by using SNMP. Cisco has extremely rich management/monitoring capabilities via SNMP and all of their MIBs are publicly available here.
Almost all Cisco gear supports the SNMPv2-SMI MIB (the 1.3.6.1.2.1 OID) so querying things like sysName, sysLocation, sysContact, sysDescription, sysUpTime should be very easy. This MIB even supports tables for listing all the interfaces and IP addresses and has a whole lot of other things that might be of interest to you.
If you have SNMP write access on the device then you can even make config changes and perform management functions like rebooting or bringing an interface up/down.
There are a few SNMP libraries for ObjectiveC and I think Net-SNMP is the most popular (It's not .net even though the title suggests that).
If you are new to SNMP then I suggest starting simple by querying easy objects like 1.3.6.1.2.1.1.5 (sysName) and 1.3.6.1.2.1.1.6 (sysLocation) before trying to jump into tables like 1.3.6.1.2.1.2.2 (ifTable)
Remember, you don't have to stick with the standard MIBs you can download all of the custom ones that are particular to your device which will give you incredible amounts of flexibility.
You could use a screen-scraping technique to telnet or ssh to the Cisco device and parse the "show version" output. This will give you some of the information you need. For others, like IP addresses, you can use "show ip interface brief", "show cdp neighbors" etc. as you need.
Keep security in mind: make sure that telnet/ssh credentials are adequately protected in your app's settings, and try to restrict your commands to those that do not need privileged access on the Cisco device.
Be aware that Cisco devices have a small pool of available VTYs, and every telnet/ssh access from your app will use up one VTY. So if you have for example 30 guys wanting to use the access the device simultaneously from their apps, some of those instances are not going to get access to the device.
If this is a concern, SNMP is a better and more scalable option as suggested by previous answer. Make sure that you (a) have a read-only community string configured on the device, and (b) use only the ro community string from the app.

Can I use the same wifi dongle for internet uplink and as a wireless access point

I have a headless raspberry pi with a wifi dongle and I want to use wifi two ways.
1) To make the rPI a wireless access point when there is no local wifi access point so I can connect to the rPI from my iPhone.
2) When wifi is available use the wifi dongle to do normal connection to the internet.
I think I know how to do each of these individually. It wasn't easy but I now have it connecting to my local wifi at home.
I see references to using hostapd and dnsmasq with wifi to make a local access point but they mostly assume internet connection comes from ethernet.
I'll be studying these in more detail. However I don't even know if the end goal of using the same configuration to fill both needs with one wifi dongle is even possible.
Obviously I can create two sets of config files and a script to swap them as needed but that only works if I have a connection already so I can log in.
If I add a jumper or switch to the rPI GPIO interface I could run the configuration script at startup and let it read the switch.
I might try to make the script look for an existing wifi link and go to access point mode if it doesn't find one it can access.
This would probably be a steep learning curve for me but I could probably figure it out eventually.
What I am trying to figure out now is whether I can avoid these potentially complex solutions by creating a single configuration that does both. Is a single wifi dongle sharable between these functions?
Note: I don't need it to do both at the same time. I just need the decision to be automated so it happens automatically during boot.
It is possible, although tricky to get right. (For example, what happens if you boot up, don't see an existing network for a second due to interference, then wrongly create your own network?)
Take a look at the "iwlist" command. It can scan and tell you what SSIDs (base stations) it sees. Then you can use 'grep' to see if your home network is on the list, and use that as your decision.

How to troubleshoot CAN bus communication

I am trying to connect ICP CON i-7565 (USB<->CAN interface) to a custom made device (supporting CAN2.0B, proved to work with PCL-841 card) Although I think I have configured BAUD and acceptance code/mask correctly I can see CAN no messages coming from the device (ICP provides a tool that should allow me to send and receive CAN messages).
I am new to CAN bus so I appreciate any help regarding how to identify the problem.
I-7565 might be wrong interface for me, I might have misconfigured it, or it is simply broken. Or I am just doing something wrong out of my ignorance. I don't think anyone can help me with my specific problem, so I am rather asking for general information on how are problems with CAN bus identified and analyzed. In TCP/IP for example, you would call ping, you'd recheck your ip and gateway settings etc. What do you do for CAN communication?
Additional info:
OS: Win7 64bit
connector: DB-9 with standard wiring (2,3,7)
Finally I tried to work with different USB<->CAN interface from different manufacturer and it worked like a charm. My old interface was either broken or incompatible for reasons unknown. While working on this problem I learned couple of things about CAN bus and so now I share what I think was the right answer to my original question: How to troubleshoot CAN bus communication?
read manual to your USB-CAN interface
install driver of your interface device and make sure it is working (check device manager, depending on the type of your device you will see new COM port added or new USB controller )
your device should be shipped with it's own test/analysis software (they might call it utility or similar), run it and check if it can connect to your device
CAN communication uses three wires that are referred to as High, Low and Ground and is usually connected with DB-9 connectors where High is linked to pin n. 7, Low to pin n. 2 and Ground to pin n. 3 or 5 - make sure this is connected correctly on both your USB interface and CAN device you want to communicate with
set properties of your connection, these are most of all: CAN type (2.0A or 2.0B) BAUD rate, Acceptance Code and Acceptance Mask
if you've done all of this and still you can see no CAN messages arriving in your utility program, check with a different USB-CAN interface or find some other way to test if your device is actually emitting CAN messages and your USB interface is in fact able to receive them. (this was actually my case)

Resources