This post appeared originally in our sysadvent series and has been moved here following the discontinuation of the sysadvent microsite
A firewall activity plot
for showing port access. The temptation was
just a bit too great to ignore, so I chose to see it as a canvas for
artwork. All I should need to do is to convert a PNG image to series
of nmap
commands, easy right?
Plot size
First off, lets determine the actual size of the canvas – I mean plot. The graph area is 1040x417 pixels, but since the graph is logarithmic, the bottom part is not really usable, so I decide to limit the height to 237 pixels, which corresponds to port 80 and up. I need to find the logarithmic boundaries as well as the logarithmic value per vertical pixel, or “Y”:
Highest port available: log(65535) = 4.81647330376525
Lowest port I will use: log(80) = 1.90308998699194
Delta Y(port) = 65535-80 = 65455
Delta Y(log) = 4.81647330376525 - 1.90308998699194 = 2.91338331677331
Logarithmic value per pixel Y is: 2.91338331677331 / 65455 = 0.012292756610858
The coordinate system of a a PNG image starts at top left corner, so all port values have to be calculated from the top. A pixels Y value will therefor be calculated as:
Bottom margin (1.90308998699194) + ( height value (2.91338331677331) - ( pixel(Y) * 0.012292756610858 ) )
Use this as power to find the port: Port = 10^value
Although this may seem like high precision, the initial values are based on eyeballing, so we need to allow for some stretching in the final result.
It’s now easy to map each column in an image to ports, so the next step is to find the horizontal resolution. The plot is 1040 pixels wide, which spans exactly 24 hours, or 86400 seconds:
86400 sec / 1040 pixel = 83.0769230769231 sec/pixel
So I need to tickle the firewall every 83 seconds to get nice pixel values. The decimals can be ignored here, as the final script will introduce some delays anyway. After all, I’m drawing on a firewall, not trying to rescue Matt Damon from Mars…
Monochrome image
With the canvas in place, the next step is to prepare a monochrome PNG file from an image. The easiest type is an image with just 1 indexed colour. I created mine using Gimp, but I would think any decent image program would work.
Begin with creating a new image with the maximal usable size: 1040 x 237 pixels with transparent background. Now just draw what you want, using just one colour. Take care to use the top of the image as reference line. Then change the image mode to 1-bit “Indexed” (black and white). The transparent background should remain, and the single colour be white. Finally, crop the image to remove unneeded margins on the sides and bottom, but keep the top. Export as PNG.
Now, I used python to convert the image to a shell script. The code is not elegant, but it does the job.
#!/usr/bin/python
from PIL import Image
import math
inimage = "demo.png" # Hard coded filename
lowest = 1.90308998699194
deltay = 2.91338331677331
valuey = 0.012292756610858
target = "target.example.org"
im = Image.open(inimage) # Use im to find image size
pix = im.load() # Use pix to address individual pixels
print("#!/bin/bash")
for x in range(im.size[0]):
ports=[]
for y in range(im.size[1]):
if pix[x,y]==1:
ports.append(str(int(math.pow(10,(lowest+(deltay-(y*valuey)))))))
if ports:
print("nmap -4 -Pn -p {:s} {:s}".format(','.join(ports),target))
print("sleep 82") # nmap use around 1 second, so sleep the remaining 82.
Running the script
Now, run the python script and output to a shell script,
i.e. drawplot.sh
. Normally, nmap
needs to be run as root, so sudo
access is useful. Next to consider is when to run the script. I found
that on the target the plot is only updated once approx 20 minutes past every
hour. If the image is less than 40 pixels wide, it can fit within one hour,
and by starting it, say 22 minutes past the hour, the full image can appear
at once. Of course, if the image is wider, it will cover more than one hour,
and other start time concerns may be taken into account instead.
$ sudo at 16:22
at> drawplot.sh
All is left is to wait and see the results …
More colours
I know that IPv4 TCP-packets becomes green plots. The other colours are light blue for IPv4 UDP, red for IPv6 TCP, and white for IPv6 UDP. Not the greatest palette for artwork, and I’m no artist, but thought I would make a little something in the holiday spirit.
I’ll create a PNG image with four indexed colours on a transparent background,
making sure the colourmap is arranged correctly, and make a small addition
to the python script. One thing to remember is that each column will
consist of 0 to 4 nmap commands, so we cannot just sleep a constant
number of seconds between each. Adding a frequency variable, a column
counter, and calculating seconds using date
, should even out the
delays, averaging to one column every 83 seconds. Again, I’m not
trying to make the script elegant, it just has to work:
#!/usr/bin/python
from PIL import Image
import math
inimage = "xmastree.png" # Hard coded filename
lowest = 1.90308998699194
deltay = 2.91338331677331
valuey = 0.012292756610858
target = "target.example.org"
im = Image.open(inimage) # Use im to find image size
pix = im.load() # Use pix to address individual pixels
nmap_opts = [ None, "", "-sU", "-6", "-6 -sU" ]
print("#!/bin/bash")
print("FREQ=83")
print("START=$( date +%s )")
print("COLS=0")
for x in range(im.size[0]):
ports = [[],[],[],[],[]]
for y in range(im.size[1]):
port="{:d}".format(int(math.pow(10,(lowest+(deltay-(y*valuey))))))
colour = pix[x,y]
if colour >=1 and colour <=4:
ports[colour].append(port)
for colour in range(1,5):
if ports[colour]:
print("nmap {:s} -Pn -p {:s} {:s}".format(nmap_opts[colour],','.join(ports[colour]),target))
print("let COLS++")
print("sleep $(( ${START} + ${COLS} * ${FREQ} - $( date +%s ) ))")
As before, run the python script and output to shell script xmastree.sh
, and start that at a selected time…
The irony of insecure security software
It can probably be understood from my previous blog post that if it was up to me, I’d avoid products like CrowdStrike - but every now and then I still have to install something like that. It’s not the idea of “security software” per se that I’m against, it’s the actual implementation of many of those products. This post lists up some properties that should be fulfilled for me to happy to install such a product.