├── LICENSE
├── README.md
├── networkassessment.py
├── requirements.txt
└── style
    ├── figletstyle.py
    └── networkassessment.png
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2023 Halil Ibrahim Deniz
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in
13 | all copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | THE SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # NetworkAssessment: Network Compromise Assessment Tool
2 |
3 |
4 | The Network Compromise Assessment Tool is designed to analyze pcap files to detect potential suspicious network traffic. This tool focuses on spotting abnormal activities in the network traffic and searching for suspicious keywords.
5 |
13 | ## Features
14 |
15 | - **DNS Tunneling Detection**: Identifies potential covert communication channels over DNS.
16 | - **SSH Tunneling Detection**: Spots signs of SSH sessions which may be used to bypass network restrictions or cloak malicious activities.
17 | - **TCP Session Hijacking Identification**: Monitors for suspicious TCP sessions which might indicate unauthorized takeovers.
18 | - **Various Attack Signatures**: Recognizes indicators of SYN flood, UDP flood, Slowloris, SMB attacks, and more.
19 | - **Suspicious Keyword Search**: Actively scans the network traffic for user-defined keywords that could be indicative of malicious intent or sensitive data leakage.
20 | - **Protocol-Specific Scanning**: Allows users to specify which protocols to monitor, ensuring focused and efficient analysis.
21 | - **Output Logging**: Provides an option to save detailed analysis results to a file for further investigation or record-keeping.
22 | - **IPv6 Fragmentation Attack Detection**: Spots potential attempts to exploit the fragmentation mechanism in IPv6 for nefarious purposes.
23 | - **User-Friendly Display**: Color-coded outputs and progress indicators enhance readability and user experience.
24 |
25 | The tool is not just limited to the aforementioned features. With contributions from the community, its detection capabilities can continuously evolve and adapt to the latest threat landscape.
26 |
27 |
28 | ## Requirements
29 |
30 | - Python 3.x
31 | - scapy
32 | - argparse
33 | - pyshark
34 | - colorama
35 |
36 | ## Installation
37 |
38 | 1. Clone the repository:
39 |
40 | ```shell
41 | git clone https://github.com/HalilDeniz/NetworkAssessment.git
42 | ```
43 |
44 | 2. Navigate to the project directory:
45 |
46 | ```shell
47 | cd NetworkAssessment
48 | ```
49 |
50 | 3. Install the required dependencies:
51 |
52 | ```shell
53 | pip install -r requirements.txt
54 | ```
55 |
56 | ## Usage
57 |
58 | ```shell
59 | python3 networkassessment.py [-h] -f FILE [-p {TCP,UDP,DNS,HTTP,SMTP,SMB} [{TCP,UDP,DNS,HTTP,SMTP,SMB} ...]]
60 | [-o OUTPUT] [-n NUMBER_PACKET]
61 | ```
62 | - `-f` or `--file`: Path to the `.pcap` or `.pcapng` file you intend to analyze. This is a mandatory field, and the assessment will be based on the data within this file.
63 | - `-p` or `--protocols`: Protocols you specifically want to scan. Multiple protocols can be mentioned. Available choices are: "TCP", "UDP", "DNS", "HTTP", "SMTP", "SMB".
64 | - `-o` or `--output`: Path to save the scan results. This is optional. If provided, the findings will be saved in the specified file.
65 | - `-n` or `--number-packet`: Number of packets you wish to scan from the provided file. This is optional. If not specified, the tool will scan all packets in the file.
66 |
67 | For example, `python3 networkassessment.py -f sample.pcap -p TCP UDP -o output.txt -n 1000` analyzes the first 1000 packets of the `sample.pcap` file, focusing on the TCP and UDP protocols, and then saves the results to `output.txt`.
68 |
69 | ## Contributing
70 | Contributions are welcome! If you find any issues or have suggestions for improvements, feel free to open an issue or submit a pull request.
71 |
72 | ## Contact
73 | If you have any questions, comments, or suggestions about Dosinator, please feel free to contact me:
74 |
75 | - LinkedIn: [Halil Ibrahim Deniz](https://www.linkedin.com/in/halil-ibrahim-deniz/)
76 | - TryHackMe: [Halilovic](https://tryhackme.com/p/halilovic)
77 | - Instagram: [deniz.halil333](https://www.instagram.com/deniz.halil333/)
78 | - YouTube: [Halil Deniz](https://www.youtube.com/c/HalilDeniz)
79 | - Email: halildeniz313@gmail.com
80 |
81 | ## About the Original Author
82 |
83 | NetworkAssessment is a fork of the original tool called Network_Assessment, which was created by [alperenugurlu](https://github.com/alperenugurlu).
84 | I would like to express my gratitude to Alperen Uğurlu for the inspiration and foundation provided by the original tool. Without his work, this updated version would not have been possible.
85 | If you would like to learn more about the original tool, you can visit the [Network_Assessment repository](https://github.com/alperenugurlu/Network_Assessment).
86 |
87 |
88 |
89 | ## License
90 | This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for more details.
91 |
92 | ## 💰 You can help me by Donating
93 | Thank you for considering supporting me! Your support enables me to dedicate more time and effort to creating useful tools like DNSWatch and developing new projects. By contributing, you're not only helping me improve existing tools but also inspiring new ideas and innovations. Your support plays a vital role in the growth of this project and future endeavors. Together, let's continue building and learning. Thank you!
94 | [Buy Me a Coffee](https://buymeacoffee.com/halildeniz)
95 | [Patreon](https://patreon.com/denizhalil)
96 |
97 |
98 |
--------------------------------------------------------------------------------
/networkassessment.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# -*- coding: utf-8 -*-

# creator : Alperen Uğurlu
# updated by: Halil Deniz

import sys
import time
import argparse
from collections import defaultdict

import pyshark
from colorama import Fore, Style, init
from style.figletstyle import colorStyle

init(autoreset=True)  # Automatically reset color after each print statement

# TCP flag bits. tshark exposes tcp.flags as a hex string (e.g. '0x0018' for PSH|ACK),
# so flags are compared as integers rather than as scapy-style letters such as 'PA'.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


class NetworkCompromiseAssessment:
    def __init__(self, file_path, protocols=None, output=None, number_packet=None):
        self.file_path = file_path
        # -p names are matched against pyshark layer names, hence upper-cased
        self.protocols = [p.upper() for p in protocols] if protocols else None
        self.output = output
        self.number_packet = number_packet
        self.suspicious_keywords = ["password", "login", "admin", "root", "bank", "credit",
                                    "card", "paypal", "malware", "virus", "trojan"]
        self.syn_counter = defaultdict(int)
        self.slowloris_counter = defaultdict(int)
        self.ip_addresses = set()
        self.capture = pyshark.FileCapture(file_path, keep_packets=False)

    def save_to_file(self, message, file_path=None):
        if file_path:
            with open(file_path, 'a') as f:
                f.write(message + "\n")

    def report(self, msg, packet):
        """Print a finding with its packet and, if -o was given, append both to the output file."""
        print("\n" + msg)
        print(packet)
        self.save_to_file(msg, self.output)
        self.save_to_file(str(packet), self.output)

    @staticmethod
    def tcp_flags(packet):
        """TCP flag bits of the packet as an integer."""
        return int(packet['TCP'].flags, 16)

    @staticmethod
    def source_ip(packet):
        """Source address of an IPv4 or IPv6 packet, or None for non-IP traffic."""
        if 'IP' in packet:
            return packet['IP'].src
        if 'IPv6' in packet:
            return packet['IPv6'].src
        return None

    def matches_protocol_filter(self, packet):
        # DNS, HTTP, SMTP and SMB are not transport layers, so every layer of the packet is checked
        if self.protocols is None:
            return True
        return any(layer.layer_name.upper() in self.protocols for layer in packet.layers)

    def detect_dns_tunneling(self, packet):
        # An unusually long TXT answer is a common carrier for data tunnelled over DNS;
        # answers only appear in responses (dns.flags.response == 1)
        if 'DNS' in packet:
            dns_layer = packet['DNS']
            is_response = str(getattr(dns_layer, 'flags_response', '0')) in ('1', 'True')
            if is_response and hasattr(dns_layer, 'txt') and len(str(dns_layer.txt)) > 100:
                self.report("[+] Suspicious activity detected: DNS Tunneling", packet)

    def detect_ssh_tunneling(self, packet):
        # SSH traffic involving an unprivileged (>1024) port
        if 'SSH' in packet and 'TCP' in packet:
            tcp = packet['TCP']
            if int(tcp.srcport) > 1024 or int(tcp.dstport) > 1024:
                self.report("[+] Suspicious activity detected: SSH Tunneling", packet)

    def detect_tcp_session_hijacking(self, packet):
        # FIN|ACK segment with non-zero (relative) sequence and acknowledgement numbers
        if 'TCP' in packet and self.tcp_flags(packet) == TCP_FIN | TCP_ACK:
            tcp = packet['TCP']
            if int(tcp.seq) > 0 and int(tcp.ack) > 0:
                self.report("[+] Suspicious activity detected: TCP Session Hijacking", packet)

    def detect_smb_attack(self, packet):
        # SMB2 command 5 is CREATE; tshark reports smb2.cmd as a decimal string
        if 'SMB2' in packet and str(packet['SMB2'].cmd) == '5':
            self.report("[+] Suspicious activity detected: SMB Attack", packet)

    def detect_smtp_dns_attack(self, packet):
        smtp_helo = 'SMTP' in packet and str(getattr(packet['SMTP'], 'req_command', '')) == 'HELO'
        # DNS opcode 2 (STATUS) is obsolete and should not appear in normal traffic
        dns_status = 'DNS' in packet and str(getattr(packet['DNS'], 'flags_opcode', '')) == '2'
        if smtp_helo or dns_status:
            self.report("[+] Suspicious activity detected: SMTP or DNS Attack", packet)

    def detect_ipv6_fragmentation_attack(self, packet):
        # Fragment extension header (ipv6.fraghdr.*) on a packet whose payload length exceeds 1500
        if 'IPv6' in packet:
            ipv6 = packet['IPv6']
            if hasattr(ipv6, 'fraghdr_offset') and int(ipv6.plen) > 1500:
                self.report("[+] Suspicious activity detected: IPv6 Fragmentation Attack", packet)

    def detect_tcp_rst_attack(self, packet):
        # Bare RST with a zero window
        if 'TCP' in packet and self.tcp_flags(packet) == TCP_RST \
                and int(packet['TCP'].window_size_value) == 0:
            self.report("[+] Suspicious activity detected: TCP RST Attack", packet)

    def detect_syn_flood_attack(self, packet):
        # Bare SYNs are counted per source address
        if 'TCP' in packet and self.tcp_flags(packet) == TCP_SYN \
                and int(packet['TCP'].window_size_value) > 0:
            src = self.source_ip(packet)
            self.syn_counter[src] += 1
            if self.syn_counter[src] > 100:  # Adjust the threshold as needed
                self.report("[+] Suspicious activity detected: SYN Flood Attack", packet)

    def detect_udp_flood_attack(self, packet):
        if 'UDP' in packet and int(packet['UDP'].length) > 1024:
            self.report("[+] Suspicious activity detected: UDP Flood Attack", packet)

    def detect_slowloris_attack(self, packet):
        # Many tiny PSH|ACK segments from one source: partial requests kept alive
        if 'TCP' in packet and self.tcp_flags(packet) == TCP_PSH | TCP_ACK:
            tcp = packet['TCP']
            if int(tcp.window_size_value) > 0 and int(tcp.len) < 10:
                src = self.source_ip(packet)
                self.slowloris_counter[src] += 1
                if self.slowloris_counter[src] > 100:  # Adjust the threshold as needed
                    self.report("[+] Suspicious activity detected: Slowloris Attack", packet)

    def scan_keywords(self, packet):
        for keyword in self.suspicious_keywords:
            if keyword in str(packet):
                msg = f"{Fore.RED}[+] Suspicious keyword detected:{Style.RESET_ALL} {keyword}"
                self.report(msg, packet)
                break

    def main(self):
        start_time = time.time()  # Save start time
        colorStyle()
        time.sleep(1.0)

        detectors = [
            self.detect_dns_tunneling,
            self.detect_ssh_tunneling,
            self.detect_tcp_session_hijacking,
            self.detect_smb_attack,
            self.detect_smtp_dns_attack,
            self.detect_ipv6_fragmentation_attack,
            self.detect_tcp_rst_attack,
            self.detect_syn_flood_attack,
            self.detect_udp_flood_attack,
            self.detect_slowloris_attack,
        ]

        # Single pass over the capture; -n limits how many packets are read, as documented
        packet_count = 0
        for packet in self.capture:
            if self.number_packet and packet_count >= self.number_packet:
                break
            packet_count += 1
            print(f"\r{Fore.CYAN}Scanned:{Style.RESET_ALL} {packet_count}", end="")
            src = self.source_ip(packet)
            if src:
                self.ip_addresses.add(src)
            if not self.matches_protocol_filter(packet):
                continue
            for detector in detectors:
                detector(packet)
            self.scan_keywords(packet)

        elapsed_time = time.time() - start_time
        msg = (f"\nScanning completed in {elapsed_time:.2f} seconds: {packet_count} packets, "
               f"{len(self.ip_addresses)} distinct source IP addresses")
        print(msg)
        self.save_to_file(msg, self.output)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Network Compromise Assessment Tool")
    parser.add_argument("-f", "--file", type=str, required=True, help="Path to the .pcap or .pcapng file")
    parser.add_argument("-p", "--protocols", nargs="+", type=str, choices=["TCP", "UDP", "DNS", "HTTP", "SMTP", "SMB"],
                        help="Specify protocols to scan (e.g., TCP UDP)")
    parser.add_argument("-o", "--output", type=str, help="Path to save the scan results (optional)")
    parser.add_argument("-n", "--number-packet", type=int, help="Number of packets to scan (optional)")
    args = parser.parse_args()

    try:
        assessment = NetworkCompromiseAssessment(args.file, args.protocols, args.output, args.number_packet)
        assessment.main()
    except KeyboardInterrupt:
        print("\n[!] Program was terminated by user request (Ctrl+C).")
        sys.exit(0)
--------------------------------------------------------------------------------
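The SYN flood and Slowloris detectors above keep a cumulative per-source counter, so any host that sends more than 100 bare SYNs over the lifetime of a capture is eventually reported. The added example below (not part of the repository) shows the rate-based variant a practitioner would usually prefer: a sliding time window per source, exercised on constructed packet records that use the same hex `tcp.flags` encoding tshark produces.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10  # TCP flag bits

def tcp_flags(hex_flags):
    """tshark reports tcp.flags as a hex string, e.g. '0x0002' for a bare SYN."""
    return int(hex_flags, 16)

class SynRateDetector:
    """Flags a source sending more than `threshold` bare SYNs within `window_s` seconds.
    The sliding window replaces a cumulative counter, so a busy but legitimate client
    that opens many connections over hours never trips the alarm."""
    def __init__(self, threshold=100, window_s=1.0):
        self.threshold = threshold
        self.window_s = window_s
        self.syn_times = defaultdict(deque)  # src -> timestamps of its recent SYNs
        self.alerted = set()

    def inspect(self, rec):
        """rec: dict with src, ts (seconds), flags (hex string), window (int).
        Returns the source IP when this packet crosses the threshold, else None."""
        if tcp_flags(rec["flags"]) != SYN or rec["window"] <= 0:
            return None  # not a bare SYN (SYN|ACK, data, ...) or zero window
        q = self.syn_times[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window_s:  # expire SYNs older than the window
            q.popleft()
        if len(q) > self.threshold and rec["src"] not in self.alerted:
            self.alerted.add(rec["src"])  # report each source once
            return rec["src"]
        return None

def scan(records, threshold=100, window_s=1.0):
    """Run the detector over packet records; returns the flagged sources in order."""
    det = SynRateDetector(threshold, window_s)
    flagged = []
    for rec in records:
        src = det.inspect(rec)
        if src:
            flagged.append(src)
    return flagged

def bare_syn(src, ts):
    return {"src": src, "ts": ts, "flags": "0x0002", "window": 64240}

# Constructed sample: 150 SYNs within 0.3 s from 10.0.0.5 (flood), 150 SYNs spread over
# an hour from 10.0.0.9 (busy but normal), and one SYN|ACK that must be ignored
SAMPLE = [bare_syn("10.0.0.5", i * 0.002) for i in range(150)]
SAMPLE += [bare_syn("10.0.0.9", i * 24.0) for i in range(150)]
SAMPLE.append({"src": "10.0.0.9", "ts": 5.0, "flags": "0x0012", "window": 64240})
```

Widening the window to an hour makes the second host trip as well, which is exactly what the cumulative counter in the tool does for every long-lived capture.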
/requirements.txt:
--------------------------------------------------------------------------------
1 | scapy
2 | pyshark
3 | colorama
4 | argparse
5 |
--------------------------------------------------------------------------------
/style/figletstyle.py:
--------------------------------------------------------------------------------
# created by Halil Deniz

from colorama import Fore, Style, init

init(autoreset=True)  # Automatically reset color after each print statement


def colorStyle():
    # Raw string: the figlet art contains backslashes that must not be read as escapes
    print(Fore.CYAN + r'''
_ ___
| | / _ \
_ __ ___ ___ __ __ | |_ __ __ | | | -|
| '_ ` _ \ / _ \ \ \ /\ / / | __| \ \ /\ / / | | |----|
| | | | | | | __/ \ V V / | |_ \ V V / | |_| --|
|_| |_| |_| \___| \_/\_/ \__| \_/\_/ \___/


_
//\lperen |U|gurlu
`-'
''')

    print(Fore.RED + '''

Network Compromise Assessment
* * * * * * *
* * ****** * *
** * ** ** *
*
* ** **
* * *
* * * *
* * * **
* *
* *

* * *


''')

    print(Fore.GREEN + ''' ......Scanning In Progress......''')


if __name__ == "__main__":
    colorStyle()
--------------------------------------------------------------------------------
/style/networkassessment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HalilDeniz/NetworkAssessment/d13e661a921609e7e2c64a5ccc92dcc9641a2ef0/style/networkassessment.png
--------------------------------------------------------------------------------