[TOOL] Impost - Network Security Auditing and Analyzing Tool

From: SecuriTeam (support_at_securiteam.com)
Date: 08/31/04


To: list@securiteam.com
Date: 31 Aug 2004 18:44:08 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Impost - Network Security Auditing and Analyzing Tool
------------------------------------------------------------------------

SUMMARY

DETAILS

Impost is a network security-auditing tool designed to analyze the
forensics behind compromised and/or vulnerable daemons. There's two
different kinds of operating modes used by Impost; It can either act as a
honey pot and take orders from a Perl script controlling how it responds
and communicates with connecting clients; or it can operate as a packet
sniffer and monitor incoming data to specified destination port supplied
by the command-line arguments.

While running, Impost keeps a history of incoming buffers for every
connection it has to deal with. These histories are normally dropped when
a socket is closed or a TH_FIN|TH_ACK flagged packet is received. However,
if at anytime during a live connection a 'suspicious' buffer is detected,
Impost will use the history corresponding with the connection to create a
log file containing all of the received data including the suspicious
buffer.

A side from creating a log file, Impost will also try to analyze the
buffer, which had been thought of as suspicious. Some of the things that
Impost will look for are machine codes, NOP sleds, shellcode signatures
and a lot of other junk.

Impost is still in early stages of development so there is a lot of work
that needs to be done. Even in these early stages, Impost proves to be an
extremely powerful multi-purpose network-debugging tool. Whether you're a
software developer, a security consultant, systems administrator or hacker
- you'll find Impost very useful if applied properly to whatever it is you
do.

ADDITIONAL INFORMATION

The information has been provided by <mailto:sickbeatz@hotmail.com>
ziplock.
The tool can be downloaded from: <http://impost.sourceforge.net/>
http://impost.sourceforge.net/

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [UNIX] LibSPF2 DNS TXT Record Parsing Bug
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... LibSPF2 DNS TXT Record Parsing Bug ... rdlen byte buffer. ...
    (Securiteam)
  • [EXPL] NetTerms NetFTPd Buffer Overflow (USER, Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Win32 telnet client software - "NetTerm is a network terminal which can ... NetTerm's NetFTPd has a buffer overflow on authentication buffer. ... def setebpaddr: ...
    (Securiteam)
  • [UNIX] Conquest Client Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Conquest Client Buffer Overflow ... SP_CLIENTSTAT is a type of packet used by the server for sending some ...
    (Securiteam)
  • [EXPL] Pavuk Digest Authentication Buffer Overflow Exploit
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Authentication Buffer Overflow Vulnerabilities, a buffer overflow ... char *method; ... * the auth_digest pointer, the user pointer, and the buf pointer. ...
    (Securiteam)
  • [NEWS] SAP Internet Graphics Service Buffer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... SAP Internet Graphics Service Buffer Overflow Vulnerability ... allow an attacker to execute remote code with the privileges of the SAP ...
    (Securiteam)