#!/bin/bash
# lan_abuse_detector: sweep the LAN for hosts that are neither the gateway
# nor a DHCP "fixed-address" reservation, fingerprint each one with
# "nmap -O", start a background tcpdump of its traffic and mail the
# report with mutt.
# Invoked as "lan_abuse_detector" for the sweep; it re-invokes itself as
# "lan_abuse_detector capture <ip>" for each per-host capture.
# Requires nmap, tcpdump (run through sudo), mutt, and ADMIN_MAIL in the
# environment -- it is read for the mutt recipient but never assigned in
# this script, so an unset value means the alert has no recipient.
GATEWAY=10.0.0.1       # always treated as a registered host
NETWORK=10.0.0.0/24    # range handed to "nmap -sn"
LAN_IF=eth1            # interface tcpdump listens on
DUMP_DIR=/storage/log  # captures land in $DUMP_DIR/YYYY-MM-DD/<ip>.traffic
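# Addresses allowed on the LAN: every "fixed-address" value in the dhcpd
# configuration plus one hard-coded extra. Prints one address per line.
# $1 - dhcpd.conf path (optional; defaults to the system file, which is
#      what the sweep relies on).
# Whole-line comments are ignored; "a, b;" lists, one-line host blocks
# ("host x { fixed-address a; }") and text after the ";" (comments, "}")
# are handled. The old "fgrep | sed" pair was greedy up to the last ";"
# and left anything after it in the output, so such lines never matched
# the address nmap reports.
# NOTE: dhcpd also accepts a hostname as fixed-address; such a value is
# emitted verbatim and will not match the IP seen by the sweep.
reserved_ips() {
  local conf=${1:-/etc/dhcp/dhcpd.conf}
  # [ \t] rather than [[:space:]]: older mawk has no POSIX classes.
  awk '
    /^[ \t]*#/ { next }
    match($0, /fixed-address[ \t]+[^;]*;/) {
      # drop the 13-char keyword and the trailing ";", then all blanks
      v = substr($0, RSTART + 13, RLENGTH - 14)
      gsub(/[ \t]/, "", v)
      n = split(v, a, ",")
      for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
    }
  ' "$conf"
  echo 10.0.0.223
}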
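# capture <ip>: record all traffic to/from one host into
# $DUMP_DIR/YYYY-MM-DD/<ip>.traffic until tcpdump is killed.
# Runs in a detached copy of this script (see the "capture" dispatch
# below), so the sweep is not blocked; one lock file per host keeps a
# later sweep from starting a duplicate capture.
# $1 - IPv4 address. Validated here because the value originates from
#      argv / nmap output and ends up in the argv of "sudo tcpdump" and
#      in two filesystem paths.
# Returns 1 on a rejected target or an unwritable dump directory,
# 0 otherwise (including "already being captured").
capture() {
  local target=$1
  if [[ ! $target =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    printf 'capture: refusing non-IPv4 target: %s\n' "$target" >&2
    return 1
  fi
  local lock="/tmp/$target.lock"
  # The lock holds the owning PID so a lock left behind by a crash does
  # not block captures of that host forever. (PID reuse could make a
  # stale lock look live; it then clears on the next crash-free run.)
  if [[ -r $lock ]]; then
    local owner
    owner=$(<"$lock")
    if [[ $owner =~ ^[0-9]+$ ]] && kill -0 "$owner" 2>/dev/null; then
      return 0   # a capture of this host is already running
    fi
    rm -f -- "$lock"
  fi
  # noclobber makes the create O_EXCL: two sweeps cannot both win, and a
  # symlink planted at this predictable /tmp path is not followed.
  if ! ( set -o noclobber; printf '%s\n' "$$" > "$lock" ) 2>/dev/null; then
    return 0
  fi
  # Expanded now on purpose: $lock is a validated IP, no quoting hazard.
  trap "rm -f -- $lock; exit" SIGINT SIGTERM
  local dir="$DUMP_DIR/$(date +'%Y-%m-%d')/"
  if ! mkdir -p -- "$dir"; then
    rm -f -- "$lock"
    return 1
  fi
  local log="$dir/$target.traffic"
  # tcpdump's stderr goes beside the capture instead of /dev/null so a
  # failing sudo or a missing interface is diagnosable after the fact.
  sudo tcpdump -i "$LAN_IF" host "$target" -w "$log" 2>> "$dir/$target.tcpdump.log"
  rm -f -- "$lock"
  trap - SIGINT SIGTERM
}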
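# Child mode: the sweep below spawns "$0 capture <ip>" in the background;
# that invocation only runs the capture and never falls through to the
# sweep. $2 is quoted so it always reaches capture() as exactly one
# argument (capture() rejects anything that is not a dotted quad).
case "$1" in
  capture)
    capture "$2"
    exit
    ;;
esac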
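# Registered hosts: the gateway plus every DHCP reservation. Anything the
# sweep finds that is not a key here is reported and captured.
declare -A hosts
# Report and "last mailed" fingerprint live under $DUMP_DIR, not /tmp: a
# fixed name in the world-writable /tmp can be pre-created by any local
# user, who could then feed text into the mailed report or tamper with the
# fingerprint that decides whether an alert goes out. It also survives a
# reboot here (a tmpfs /tmp would lose it and re-alert every boot).
# An existing /tmp/device_log.md5 is not migrated: expect one extra alert
# on the first run after this change.
mkdir -p -- "$DUMP_DIR" || { printf 'cannot create %s\n' "$DUMP_DIR" >&2; exit 1; }
file="$DUMP_DIR/device_log"
file_sum="$DUMP_DIR/device_log.md5"
rm -f -- "$file"
touch -- "$file" "$file_sum"
hosts[$GATEWAY]=1
# lastpipe runs the last pipeline stage in this shell (scripts have job
# control off, which is the condition for it), so hosts[] survives the loop.
shopt -s lastpipe
reserved_ips | while read -r line; do
  # an empty subscript would abort with "bad array subscript"
  [[ -n $line ]] && hosts[$line]=1
done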
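# Sweep the LAN and act on every responding host that is not registered.
# Greppable output (-oG) is the nmap format meant for parsing: the address
# is always the second field and the reverse-DNS name -- which the host on
# the LAN controls -- sits in parentheses after it, so a crafted name
# cannot shift what is taken as the IP (the old "scan report for NAME (IP)"
# sed parse broke on names containing "(" or spaces). Only a dotted quad
# is accepted before the value is handed to sudo nmap, tcpdump and the
# filesystem through "$0 capture".
re='^Host: ([0-9]{1,3}(\.[0-9]{1,3}){3}) \((.*)\)[[:space:]]+Status: Up'
nmap -sn -oG - "$NETWORK" | while IFS= read -r line; do
  [[ $line =~ $re ]] || continue
  ip=${BASH_REMATCH[1]}
  host=${BASH_REMATCH[3]:-$ip}   # no PTR name: the address stands in for it
  [[ -n ${hosts[$ip]:-} ]] && continue
  printf 'Unregistered host detected: %s %s\n' "$host" "$ip" >> "$file"
  sudo nmap -O --osscan-guess -Pn "$ip" >> "$file" 2>&1
  # one detached capture per host; capture() refuses duplicates via its lock
  nohup "$0" capture "$ip" >/dev/null 2>&1 &
done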
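# Mail the report once per distinct set of unregistered hosts. Only the
# "Unregistered host detected" lines go into the fingerprint: the "nmap -O"
# output appended after each of them carries a start timestamp and the
# scan duration, so hashing the whole file makes every run look new and
# re-sends the alert on each pass. Sorting makes discovery order irrelevant.
if [[ -s $file ]]; then
  new_hash=$(grep '^Unregistered host detected: ' -- "$file" | sort | md5sum | cut -d' ' -f1)
  old_hash=$(cat -- "$file_sum" 2>/dev/null)
  if [[ $new_hash != "$old_hash" ]]; then
    if [[ -z ${ADMIN_MAIL:-} ]]; then
      # ADMIN_MAIL is never assigned in this script; without it mutt has
      # no recipient and the alert would be lost silently.
      printf 'ADMIN_MAIL is not set; report left in %s\n' "$file" >&2
    elif mutt -s "WiFi compromised" "$ADMIN_MAIL" < "$file"; then
      # Record the fingerprint only after the mail went out, so a failed
      # send is retried on the next run instead of being dropped.
      printf '%s\n' "$new_hash" > "$file_sum"
    fi
  fi
fi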