impost(er) by ziplock --b4b0


SYNOPSIS

       impost [OPTION]...


DESCRIPTION

       Impost is a scriptable network auditing tool with IDS style attack mon-
       itoring, analyzing and logging capability.  Impost  has  two  modes  of
       operation.  The  first is a scriptable honey pot type server which will
       allow you to either silently  read  data  from  connecting  clients  or
       develop  a  script  that will allow you to communicate with the clients
       (i.e., a script which behaves exactly like a web server with known
       problems).

       The  second  mode of operation is packet sniffing. It will sniff a net-
       work device and analyze packets being sent to the  port  you  specified
       with  the  command-line  arguments.  This  tool  can  be used to either
       research unfamiliar protocols and services or obtain detailed  informa-
       tion pertaining to foreign attacks.

       The  main concept behind researching attacks with Impost is to act like
       a sitting duck, or vulnerable service, and wait for an attack  to  take
       place.  After an attack is executed (detected), impost will analyze the
       buffer for various things such as NOPs, possible polymorphing/mutation,
       shellcode,  etc.  After  doing  all  that, unless operating as a packet
       sniffer, impost will create a file and log all  information  pertaining
       to  that attack including a history of received data and the suspicious
       buffer itself; this is called a capture file.

       Using the information written to the capture  file,  one  could  easily
       recreate  the attack or get a better understanding about how the attack
       was executed and where the vulnerability exists within  the  vulnerable
       service.


OPTIONS

       Arguments  and options that are specified from the command-line will be
       listed in this section. Here are the main options that apply to both of
       Impost's operating modes: scriptable honey-pot server or packet sniffer
       (except for the --script option which will be ignored when operating as
       a packet sniffer).

       --config=PATH
              Use an alternative configuration file instead of ~/.impostrc

       -s, --script=PATH
              Load perl script to control server behaviour. For examples, look
              in the 'scripts' directory provided with this release.

       -p, --port=PORT
              Specify what port to bind the Impost server to. This  option  is
              obviously required and Impost will exit without it.

       -u, --unusual=SIZE
              Use  an alternative size to trigger "suspicious" buffers instead
              of the one configured in the configuration file. When a buffer's
              size  exceeds  this,  Impost will start analyzing the buffer and
              capture it to a newly created  file  in  the  capture  directory
              specified in the configuration file.
              
       -d, --display
              Displays current configuration on startup.

       --raw-capture
              Normally when capturing suspicious buffers, Impost will automat-
              ically convert the buffer into  a  C  language  constant  string
              using  hexadecimal  values of each byte (for example: const char
              buffer[] = { 0x41, 0x41 };).  Using  this  option,  Impost  will
              write  the raw data to the capture file instead of converting it
              into a constant string. This could make the buffer  a  lot  more
              difficult to work with in the future.

       --disable-hex-dump
              Buffers containing unprintable characters will not be printed to
              stdout -- including the hex table which would normally be
              displayed.


       Here  is  the  list of the options pertaining to packet sniffing opera-
       tions with Impost. As mentioned in the beginning of this  section,  the
       --script option will be ignored if --sniff is specified.

       --sniff
              This  option  enables  packet  sniffing  and disables the Impost
              server. If this option is specified, it will  attempt  to  sniff
              all incoming packets to the destination port specified by the -p
              option. Scripts will not work with this feature and some of  the
              logging features will be somewhat limited.

       --device=DEVICE
              By default, libpcap will try and find a device on its own.  How-
              ever if this option is specified, Impost will use the  specified
              device instead.

       Help options and version information:

       -v, --version
              Display release and version information to STDOUT and exit.

       -h, --help
              Display  summarized help message. A lot like this section of the
              man page without as much detail.


EXAMPLES

       $ impost -p400
              This will tell impost to listen on port 400 for incoming connec-
              tions.  All  established  connections  are logged and printed to
              stdout. All of the data received is  automatically  scanned  for
              suspicious content and also logged and printed to stdout. If the
              buffer contains unprintable characters, impost  will  display  a
              hex  table  of the buffer received. If anything suspicious is to
              be found in a buffer after it is received, impost  will  try  to
              analyze  all  of  the  data  to  help you determine what kind of
              attack was executed.

       $ impost -p80 --script=scripts/apache.pl
              Impost will do everything that was mentioned in the above  exam-
              ple  plus  use  the script scripts/apache.pl to determine how to
              behave and respond to incoming data. For more information  about
              scripting see README.scripting.

       $ impost -p21 -u100 --script=scripts/proftpd
              Aside  from  the  script difference, this is pretty much exactly
              the same as the last example except for the  extra  option.  The
              option  -u  was  specified which allows you to specify a maximum
              buffer size. Anything above this maximum  buffer  size  will  be

       http://impost.sourceforge.net/testing.html


AUTHOR

       Written by ziplock


REPORTING BUGS

       Report bugs to <sickbeatz@hotmail.com>


CONTACT INFORMATION

       Email: ziplock <sickbeatz@hotmail.com> IRC: #b4b0 on EFNet


COPYRIGHT

       Copyright © 2004 ziplock <sickbeatz@hotmail.com>
       This program is distributed in the hope that it  will  be  useful,  but
       WITHOUT  ANY  WARRANTY;  without  even  the  implied  warranty  of MER-
       CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  GNU  General
       Public License for more details


SEE ALSO

       From the toplevel directory of the Impost release:
       README, README.scripting and README.usage



Impost Version 0.1pre1             July 2004                         IMPOST(1)
