OK, let me begin with the video in question: https://youtu.be/wReXqe8AFUM?si=%5C_Lm-5DwvffglCYLL
My setup:
- 1 Oracle VM running Kali Linux with default settings, except that the network adapter is set to bridged mode
- IP Address: 192.168.0.24
- This VM runs my firewall.py with Visual Studio Code inside a venv
- 1 Oracle VM running Kali Linux with default settings, except that the network adapter is set to bridged mode
- IP Address: 192.168.0.80
- This VM runs my nimda_attack.py with Code - OSS
The code for the firewall.py
import os
import subprocess
import sys
import time
from collections import defaultdict

from scapy.all import sniff, IP, TCP
# Per-source packet rate (packets per second, measured over the counting
# window in packet_callback) above which a source address gets blocked.
THRESHOLD = 40
# Echo the configured value when the module is loaded.
print(f"THRESHOLD: {THRESHOLD}")
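def read_ip_file(filename):
    """Load a list of IP addresses from a text file, one address per line.

    Surrounding whitespace is stripped from every line. Blank lines are
    skipped so that a spacer line or trailing newline does not put an empty
    string into the whitelist/blacklist set.

    Entries are not validated: a mistyped address is kept as-is and will
    simply never match a packet's source address.

    Args:
        filename: Path of the text file to read.

    Returns:
        A set holding the non-empty, stripped lines of the file.

    Raises:
        OSError: If the file cannot be opened (for example, it is missing).
    """
    with open(filename, "r") as file:
        stripped = (line.strip() for line in file)
        return {entry for entry in stripped if entry}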
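def is_nimda_worm(packet):
    """Return True if *packet* carries the Nimda request line this script looks for.

    Only TCP packets addressed to destination port 80 are inspected. The
    check is a plain substring match on the payload of that one packet: it
    does no stream reassembly and no case or encoding normalisation, so it
    should be treated as a simple lab signature rather than robust detection.

    Args:
        packet: A scapy packet as delivered by sniff().

    Returns:
        True when the TCP payload contains ``GET /scripts/root.exe``,
        False otherwise (including for non-TCP or non-port-80 packets).
    """
    if not (packet.haslayer(TCP) and packet[TCP].dport == 80):
        return False
    # Match on the raw payload bytes. str() on a scapy layer under Python 3
    # stringifies the bytes object (b'...' with escape sequences) instead of
    # decoding it, so comparing bytes with bytes is the reliable form.
    return b"GET /scripts/root.exe" in bytes(packet[TCP].payload)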
def log_event(message):
    """Append *message* as one line to a timestamped file under ``logs/``.

    The ``logs`` directory is created on demand. The file name embeds the
    current local time down to the second, so events written in different
    seconds end up in different files.

    Args:
        message: Text to record; a newline is appended.
    """
    directory = "logs"
    os.makedirs(directory, exist_ok=True)

    # strftime() without an explicit time tuple formats the current local time.
    timestamp = time.strftime("%Y-%m-%d_%H-%M-%S")
    destination = os.path.join(directory, f"log_{timestamp}.txt")

    with open(destination, "a") as handle:
        handle.write(f"{message}\n")
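def _block_source(ip, message, announce=True):
    """Add one iptables DROP rule for *ip* and log *message*; do nothing if already blocked."""
    if ip in blocked_ips:
        # Packet capture normally happens before the INPUT chain, so a dropped
        # source keeps reaching this callback. Without this guard every such
        # packet would append another identical rule and spawn another process.
        return
    # Recorded before the call so that a failing iptables is not retried on
    # every subsequent packet from the same source.
    blocked_ips.add(ip)
    if announce:
        print(message)
    try:
        # Argument list, no shell: the address is passed as a single argv entry.
        result = subprocess.run(
            ["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"], check=False
        )
    except OSError as exc:
        log_event(f"Failed to run iptables for {ip}: {exc}")
        return
    if result.returncode != 0:
        log_event(f"iptables exited with status {result.returncode} for {ip}")
        return
    log_event(message)


def packet_callback(packet):
    """Process one sniffed packet: apply the lists, the signature check and the rate limit.

    Order of checks for the packet's source address:
      1. whitelisted sources are ignored;
      2. blacklisted sources are blocked;
      3. sources sending the Nimda request line are blocked;
      4. otherwise the packet is counted, and once at least one second has
         passed since the window started, every source whose rate exceeds
         THRESHOLD is blocked and the counters are reset.

    Each source gets at most one iptables rule; repeat packets from an
    already-blocked source do not add further rules.

    NOTE: the decision is keyed on the packet's source address as received.
    That field is not authenticated, so whitelist matches and single-packet
    blocks are only as trustworthy as the network the script listens on.

    Args:
        packet: A scapy packet as delivered by sniff().
    """
    if not packet.haslayer(IP):
        # Nothing to key on (e.g. the capture filter was changed and a
        # non-IPv4 frame arrived).
        return
    src_ip = packet[IP].src

    if src_ip in whitelist_ips:
        return

    if src_ip in blacklist_ips:
        # The original flow only logs blacklist hits, it does not print them.
        _block_source(src_ip, f"Blocking blacklisted IP: {src_ip}", announce=False)
        return

    if is_nimda_worm(packet):
        _block_source(src_ip, f"Blocking Nimda source IP: {src_ip}")
        return

    packet_count[src_ip] += 1
    current_time = time.time()
    time_interval = current_time - start_time[0]
    if time_interval < 1:
        return

    # The window is only evaluated when a packet arrives, so it can be longer
    # than one second; the rate is computed over the actual elapsed time.
    for ip, count in packet_count.items():
        packet_rate = count / time_interval
        if packet_rate > THRESHOLD:
            _block_source(ip, f"Blocking IP: {ip}, packet rate: {packet_rate}")
    packet_count.clear()
    start_time[0] = current_time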
if __name__ == "__main__":
    # The script adds iptables rules and sniffs traffic, so it refuses to
    # run unless it was started as root.
    if os.geteuid() != 0:
        print("This script requires root privileges.")
        sys.exit(1)

    # Module-level state read and updated by packet_callback.
    blocked_ips = set()

    # Address lists are looked up relative to the current working directory.
    whitelist_ips = read_ip_file("whitelist.txt")
    blacklist_ips = read_ip_file("blacklist.txt")

    packet_count = defaultdict(int)
    # One-element list so the callback can update the window start in place.
    start_time = [time.time()]

    print("Monitoring network traffic...")
    sniff(filter="ip", prn=packet_callback)
The code for the nimda_attack.py
from scapy.all import IP, TCP, Raw, send
def send_nimda_packet(target_ip, target_port=80, source_ip="192.168.0.80", source_port=12345):
    """Send one test packet whose payload contains the request line firewall.py matches on.

    A single IP/TCP/Raw packet is built and handed to scapy's send(); no TCP
    connection is established first. Any exception raised while building or
    sending the packet is caught and printed instead of propagating.

    Args:
        target_ip: Destination address (the machine running the firewall script).
        target_port: Destination TCP port.
        source_ip: Source address written into the IP header.
        source_port: Source TCP port.
    """
    try:
        request = "GET /scripts/root.exe HTTP/1.0\r\nHost: example.com\r\n\r\n"
        network = IP(src=source_ip, dst=target_ip)
        transport = TCP(sport=source_port, dport=target_port)
        # verbose=True makes scapy print its send summary.
        send(network / transport / Raw(load=request), verbose=True)
    except Exception as e:
        print("An error occurred:", e)
if __name__ == "__main__":
    # Lab address of the VM running firewall.py; replace it with the
    # address of the target machine in your own setup.
    target_ip = "192.168.0.24"
    send_nimda_packet(target_ip=target_ip)
The code seemed to work for the man in the video, but for some reason it does not work on my setup. I tried dropping the threshold to 1 and sniffing TCP instead of IP for the Nimda worm packet, and it's still not working. I ran the scripts with sudo, and I have whitelist.txt and blacklist.txt in the same folder as the firewall code. If I missed something or made a mistake in the implementation, please let me know what I can do to fix it; I am a beginner who is trying to learn. Thank you for reading this and have a nice day!