impost(er) by ziplock --b4b0
SYNOPSIS
impost [OPTION]...
DESCRIPTION
Impost is a scriptable network auditing tool with IDS-style attack
monitoring, analyzing and logging capability. Impost has two modes of
operation. The first is a scriptable honey-pot-type server which will
allow you to either silently read data from connecting clients or
develop a script that will allow you to communicate with the clients
(i.e., a script which behaves exactly like a web server with known
problems).
The second mode of operation is packet sniffing. It will sniff a
network device and analyze packets being sent to the port you specified
with the command-line arguments. This tool can be used either to
research unfamiliar protocols and services or to obtain detailed
information pertaining to foreign attacks.
The main concept behind researching attacks with Impost is to act like
a sitting duck, or vulnerable service, and wait for an attack to take
place. After an attack is executed (detected), Impost will analyze the
buffer for various things such as NOPs, possible polymorphing/mutation,
shellcode, etc. After doing all that, unless operating as a packet
sniffer, Impost will create a file and log all information pertaining
to that attack, including a history of received data and the suspicious
buffer itself; this is called a capture file.
Using the information written to the capture file, one could easily
recreate the attack or get a better understanding about how the attack
was executed and where the vulnerability exists within the vulnerable
service.
OPTIONS
Arguments and options that are specified from the command-line will be
listed in this section. Here are the main options that apply to both of
Impost's operating modes: scriptable honey-pot server or packet sniffer
(except for the --script option which will be ignored when operating as
a packet sniffer)
--config=PATH
Use an alternative configuration file instead of ~/.impostrc
-s, --script=PATH
Load a Perl script to control server behaviour. For examples, look
in the 'scripts' directory provided with this release.
-p, --port=PORT
Specify what port to bind the Impost server to. This option is
obviously required and Impost will exit without it.
-u, --unusual=SIZE
Use an alternative size to trigger "suspicious" buffers instead
of the one configured in the configuration file. When a buffer's
size exceeds this, Impost will start analyzing the buffer and
capture it to a newly created file in the capture directory
specified in the configuration file.
-d, --display
Displays current configuration on startup.
--raw-capture
Normally when capturing suspicious buffers, Impost will
automatically convert the buffer into a C language constant string
using hexadecimal values of each byte (for example: const char
buffer[] = { 0x41, 0x41 };). Using this option, Impost will
write the raw data to the capture file instead of converting it
into a constant string. This could make the buffer a lot more
difficult to work with in the future.
--disable-hex-dump
Buffers containing unprintable characters will not be printed to
stdout, including the hex table which would normally be
displayed.
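The DESCRIPTION and the --unusual and --raw-capture options above describe what Impost does with a received buffer: flag it once its size exceeds the threshold, look for NOP runs, and write it out as a C constant string of hex bytes. The following is an added example, not Impost's own code, that reproduces those steps in Python so a capture file can be generated or read back outside the tool; the `analyze` helper, the threshold value and the sample buffer are constructed for illustration.

```python
import re

NOP = 0x90  # x86 single-byte NOP; a long run of these is a classic sled marker


def to_c_constant(buf: bytes, name: str = "buffer") -> str:
    """Render bytes in Impost's default capture-file form:
    const char buffer[] = { 0x41, 0x41 };"""
    hexes = ", ".join(f"0x{b:02x}" for b in buf)
    return f"const char {name}[] = {{ {hexes} }};"


def from_c_constant(text: str) -> bytes:
    """Parse a capture-file constant back into bytes (inverse of to_c_constant)."""
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", text))


def longest_nop_run(buf: bytes) -> int:
    """Length of the longest consecutive run of NOP bytes in the buffer."""
    best = run = 0
    for b in buf:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def analyze(buf: bytes, unusual_size: int) -> dict:
    """Hypothetical helper mirroring the checks the man page describes:
    a buffer larger than the --unusual threshold is suspicious, unprintable
    bytes mean a hex dump would be shown, and a NOP run hints at a sled."""
    return {
        "size": len(buf),
        "suspicious": len(buf) > unusual_size,
        "printable": all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in buf),
        "longest_nop_run": longest_nop_run(buf),
    }


# Constructed sample: an FTP-style command followed by a NOP run and filler.
SAMPLE = b"USER " + bytes([NOP]) * 20 + b"A" * 8 + b"\r\n"

if __name__ == "__main__":
    print(analyze(SAMPLE, unusual_size=30))
    print(to_c_constant(SAMPLE))
```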
Here is the list of the options pertaining to packet sniffing
operations with Impost. As mentioned in the beginning of this section,
the --script option will be ignored if --sniff is specified.
--sniff
This option enables packet sniffing and disables the Impost
server. If this option is specified, it will attempt to sniff
all incoming packets to the destination port specified by the -p
option. Scripts will not work with this feature and some of the
logging features will be somewhat limited.
--device=DEVICE
By default, libpcap will try to find a device on its own.
However, if this option is specified, Impost will use the specified
device instead.
Help options and version information:
-v, --version
Display release and version information to STDOUT and exit.
-h, --help
Display a summarized help message, much like this section of the
man page but with less detail.
EXAMPLES
$ impost -p400
This will tell Impost to listen on port 400 for incoming
connections. All established connections are logged and printed to
stdout. All of the data received is automatically scanned for
suspicious content and also logged and printed to stdout. If the
buffer contains unprintable characters, Impost will display a
hex table of the buffer received. If anything suspicious is
found in a buffer after it is received, Impost will try to
analyze all of the data to help you determine what kind of
attack was executed.
$ impost -p80 --script=scripts/apache.pl
Impost will do everything that was mentioned in the above
example plus use the script scripts/apache.pl to determine how to
behave and respond to incoming data. For more information about
scripting see README.scripting.
$ impost -p21 -u100 --script=scripts/proftpd
Aside from the script difference, this is pretty much exactly
the same as the last example except for the extra option. The
option -u was specified which allows you to specify a maximum
buffer size. Anything above this maximum buffer size will be
http://impost.sourceforge.net/testing.html
AUTHOR
Written by ziplock
REPORTING BUGS
Report bugs to <sickbeatz@hotmail.com>
CONTACT INFORMATION
Email: ziplock <sickbeatz@hotmail.com> IRC: #b4b0 on EFNet
COPYRIGHT
Copyright © 2004 ziplock <sickbeatz@hotmail.com>
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.
SEE ALSO
From the toplevel directory of the Impost release:
README, README.scripting and README.usage
Impost Version 0.1pre1 July 2004 IMPOST(1)