discovery

package
v0.0.0-...-d459dd1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 1, 2022 License: MIT Imports: 20 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	L4ProtoTcp = iota
	L4ProtoUdp = iota
)

string parameter is the user who logged into a remote system.

View Source 
const (
	L3ProtoIpv4 = iota
	L3ProtoIpv6 = iota
)

Variables

View Source 
var (
	// Antivirus systems we detect
	AVSystems = []AVDiscoverer{
		OSSECAV{},
		SophosAV{},
		TripwireAV{},
		SamhainAV{},
	}
	// The typical location where auditd looks for its ruleset
	AuditdRules = "/etc/audit/audit.rules"
	// The typical location utmp stores login information
	UtmpPath                  = "/var/run/utmp"
	SSHControlMasterDirective = `` /* 143-byte string literal not displayed */

	TmpSSHSocketPattern = "/tmp/ssh-*/agent.*"
)

Functions

func AttemptRemoteExec 

func AttemptRemoteExec(user, cmd string) map[string][]sshLoginSuccess

AttemptRemoteExec will wait for signs that a user that can be hijacked is logged in. This means either a user with an ssh-agent running or with a ControlMaster socket active.

func GetArp 

func GetArp() []netlink.Neigh

GetArp fetches the current arp table, the map between known MACs and their IPs

func IsContainer 

func IsContainer() bool

IsContainer looks at init's cgroup and total process count to guess at whether we're in a container. These are basically informed *guesses*.

func SetSSHControlMaster 

func SetSSHControlMaster(user string) (bool, error)

SetSSHControlMaster places a ControlMaster directive in the user's ssh config file. bool return value is true if the config file is created, false if it already exists. If err != nil, bool return value can't be trusted.

func StalkLocalLogin 

func StalkLocalLogin(user string, action LocalLoginStalkAction) error

StalkLocalLogin performs an action when a specific user logs in at any point in the future. If user == "*", any user will trigger the action.

func StalkRemoteLogin 

func StalkRemoteLogin(p StalkRemoteLoginParams) error

StalkRemoteLogin attempts to log into a remote system via two methods: 1. If the presence of an ssh-agent is detected, attempt to use it to log into the same host. 2. [not implemented] If the Control Master socket is recently created, attempt to use it

func UnsetSSHControlMaster 

func UnsetSSHControlMaster(user string) error

UnsetSSHControlMaster removes the ControlMaster directive from user's ssh config file

Types

type AVDiscoverer 

type AVDiscoverer interface {
	// Filesystem paths of binaries
	Paths() []string
	// Running processes
	Procs() []Process
	// Loaded kernel modules
	KernelModules() []LoadedKernelModule
	// Name of the AV system
	Name() string
}

Each AV system implements this interface to expose artifacts of the detected system. These functions only yield artifacts that are present/running on the system.

type Av 

type Av struct {
	Paths         []string
	Procs         []Process
	KernelModules []LoadedKernelModule
	Name          string
}

Av houses information regarding detected AV

func GetAV 

func GetAV() []Av

type FilePerm 

type FilePerm struct {
	// contains filtered or unexported fields
}

type Host 

type Host struct {
	Ip    string
	Port  int64
	Proto NetProto
}

type LoadedKernelModule 

type LoadedKernelModule struct {
	// contains filtered or unexported fields
}

LoadedKernelModule houses information regarding a kernel module that is currently loaded

type LocalLoginStalkAction 

type LocalLoginStalkAction func(string, NetConn) error

string parameter is the user who logged into this system.

type NetConn 

type NetConn struct {
	Dst, Src Host
	Pid      int // process ID of this network connection, if applicable.
	Proto    NetProto
}

type NetProto 

type NetProto struct {
	// contains filtered or unexported fields
}

type OSSECAV 

type OSSECAV struct {
	AVDiscoverer
}

func (OSSECAV) KernelModules 

func (o OSSECAV) KernelModules() []LoadedKernelModule

KernelModules returns an empty list as OSSEC doesn't use kernel modules.

func (OSSECAV) Name 

func (o OSSECAV) Name() string

func (OSSECAV) Paths 

func (o OSSECAV) Paths() []string

func (OSSECAV) Procs 

func (o OSSECAV) Procs() []Process

type Output 

type Output struct {
	Name   string
	Values []interface{}
}

type Process 

type Process struct {
	// contains filtered or unexported fields
}

type RkHunterAV 

type RkHunterAV struct {
	AVDiscoverer
}

func (RkHunterAV) KernelModules 

func (t RkHunterAV) KernelModules() []LoadedKernelModule

KernelModules returns an empty list as Tripwire doesn't use kernel modules.

func (RkHunterAV) Name 

func (t RkHunterAV) Name() string

func (RkHunterAV) Paths 

func (t RkHunterAV) Paths() []string

func (RkHunterAV) Procs 

func (t RkHunterAV) Procs() []Process

type SamhainAV 

type SamhainAV struct {
	AVDiscoverer
}

func (SamhainAV) KernelModules 

func (o SamhainAV) KernelModules() []LoadedKernelModule

func (SamhainAV) Name 

func (s SamhainAV) Name() string

func (SamhainAV) Paths 

func (s SamhainAV) Paths() []string

Samhain paths and running processes are only detected if Samhain wasn't compiled and run with stealth mode enabled.

func (SamhainAV) Procs 

func (s SamhainAV) Procs() []Process

type SophosAV 

type SophosAV struct {
	AVDiscoverer
}

func (SophosAV) KernelModules 

func (o SophosAV) KernelModules() []LoadedKernelModule

func (SophosAV) Name 

func (o SophosAV) Name() string

func (SophosAV) Paths 

func (s SophosAV) Paths() []string

func (SophosAV) Procs 

func (s SophosAV) Procs() []Process

type SshPrivateKey 

type SshPrivateKey struct {
	Path      string
	Encrypted bool
}

func GetSSHKeys 

func GetSSHKeys(dirs string, sleep int) []SshPrivateKey

GetSSHKeys looks for readable ssh private keys. Optionally sleep for `sleep` milliseconds to evade detection.

type StalkRemoteLoginAction 

type StalkRemoteLoginAction func(string, string) map[string][]sshLoginSuccess

type StalkRemoteLoginParams 

type StalkRemoteLoginParams struct {
	// Function to execute when the stalked user logs into the local system.
	Action StalkRemoteLoginAction
	// Attempt to login only to hosts that match this regex.
	HostRegex string
	// Limit login attempts. If login attempt reaches this limit, stop attempting logins.
	LoginLimit uint
	// Frequency to look for the user to be logged in
	PollFrequency uint
	// Command to execute on remote host upon successful login.
	RemoteCommand string
	// Only attempt logins as this user. If user is "*", try to stalk any user.
	User string
}

StalkRemoteLoginParams holds options for the StalkRemoteLogin functionality.

type TripwireAV 

type TripwireAV struct {
	AVDiscoverer
}

func (TripwireAV) KernelModules 

func (t TripwireAV) KernelModules() []LoadedKernelModule

KernelModules returns an empty list as Tripwire doesn't use kernel modules.

func (TripwireAV) Name 

func (t TripwireAV) Name() string

func (TripwireAV) Paths 

func (t TripwireAV) Paths() []string

func (TripwireAV) Procs 

func (t TripwireAV) Procs() []Process

type Watch 

type Watch struct {
	// Path being watched.
	Path string
	// Action the watch is looking for, i.e. read/write/execute. For example "wa" would detect file writes or appendages.
	Action string
}

Watch holds the information for which the system is attempting to detect access.

func GetAuditWatches 

func GetAuditWatches() ([]Watch, error)

GetAuditWatches fetches a list of watches that auditd currently has on filesystem paths.

type Who 

type Who struct {
	// Username, line (tty/pty), originating host that user is logging in from
	User, Line, Host string
	// User's login process ID. Typically sshd process
	Pid int32
	// Login time
	Time int32
}

func GetWho 

func GetWho() []Who

GetWho fetches information about currently logged-in users.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.