Thread: HOWTO: Use Knoppix as a Windows malware network monitor

  1. #1 (Senior Member)

    Ever wondered what that Windows box is up to? What spyware has managed to get
    inside your friend's PC? Knoppix makes it very easy to set up a network monitor.
    This was an idea I had... and like most brainstorms I get... someone else has already
    had the same brainstorm. These folks... describe a basic howto using Knoppix 4.0.2 (Man was I late!!)

    http://www.networkoptimizationnews.c...ringsetup.html
    My troubles began there. It was Knoppix 4.0.2. I was using 5.3.1!

    Some time later... I had it working. Yes, after I downloaded 4.0.2 and confirmed
    this actually DID work. Essentially, iptables was blocking the client PC.

    The basic layout...
    Windows PC (Local Area Connection) plugs into (using an ethernet crossover cable) -> Knoppix Host's eth1 port.
    Knoppix Host's eth0 -> plugs into your Router, using an ordinary cat 5e cable.

    The only thing unusual you will need to have (in hardware terms...) is:
    The Knoppix Host machine needs to have 2 networking cards... IN<->OUT right?
    (Time to drag out an old 3com pci card you saved from an old machine.)
    A crossover cable or even just a crossover adapter.

    In this howto...
    Router is at 192.168.1.1 and giving out ip addresses.
    Knoppix Host is at 192.168.1.149 (192.168.1.153 in the other howto)
    Windows PC is getting its address from the Router through the transparent bridge in Knoppix Host.

    Turn your Windows pc off... if like most out there... it is set to get an ip address automatically.
    Then booting up your Knoppix the usual way... you get to a root console in your favorite way as well.

    Here is an amended script for later Knoppixes.
    Code:
    #!/bin/sh
    
    # Change these to fit your network layout.
    UPSTREAMIP=192.168.1.1
    # BRIDGEIP defaults to 192.168.1.153 in the other howto, mine was different.
    BRIDGEIP=192.168.1.149
    
    # Here we will turn off the firewall
    # everything... so maybe saving the existing rules is prudent.
    # Here's how to do that (and how to put them back afterwards).
    # iptables-save > /root/firewall.rules
    # iptables-restore < /root/firewall.rules
    
    # Flush the filter table before deleting chains: -X only removes empty chains,
    # and it is the filter rules that were blocking the client PC.
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    
    # Make sure some directories are there and writable.
    [ ! -e /var/log/ntop ] && mkdir -p /var/log/ntop/rrd
    [ ! -e /var/lib/ntop ] && mkdir -p /var/lib/ntop
    [ -e /var/lib/ntop ] && chmod -R 777 /var/lib/ntop
    [ -e /var/log/ntop ] && chmod -R 777 /var/log/ntop
    
    # Lame test to check if the bridge already exists... but...
    # (brctl only succeeds when br0 is there, so use its exit status directly)
    if brctl stp br0 off 2> /dev/null
    then
        echo "Killing existing bridge"
        ifconfig br0 down
        brctl delbr br0
    fi
    
    # Take both ports down, strip their addresses and put them in promiscuous mode
    ifconfig eth1 down
    ifconfig eth0 down
    sleep 2
    ifconfig eth0 promisc 0.0.0.0
    ifconfig eth1 promisc 0.0.0.0
    ifconfig eth0 up
    ifconfig eth1 up
    
    # Build the bridge from the two ports; only the bridge itself gets an address
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1
    
    ifconfig br0 $BRIDGEIP netmask 255.255.255.0
    ifconfig br0 up
    sleep 2
    route add default gw $UPSTREAMIP
    Now at this point... the next thing I do is to make sure there is a routing table.
    Code:
     # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     *               255.255.255.0   U     0      0        0 br0
    default         Thibor          0.0.0.0         UG    0      0        0 br0
    When you have done that... then typing route in a console
    should give you something close to what I have here.
    Notice now everything is going through br0

    Here is the result of my ifconfig
    Code:
    br0       Link encap:Ethernet  HWaddr 00:00:92:a7:07:70  
              inet addr:192.168.1.149  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::200:92ff:fea7:770/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:503 errors:0 dropped:0 overruns:0 frame:0
              TX packets:152 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:124796 (121.8 KiB)  TX bytes:15556 (15.1 KiB)
    
    eth0      Link encap:Ethernet  HWaddr 00:00:92:a7:07:70  
              inet6 addr: fe80::200:92ff:fea7:770/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:51540 errors:1 dropped:0 overruns:0 frame:0
              TX packets:24984 errors:3 dropped:0 overruns:0 carrier:3
              collisions:0 txqueuelen:1000 
              RX bytes:56747937 (54.1 MiB)  TX bytes:7775600 (7.4 MiB)
              Interrupt:11 Base address:0x2000 
    
    eth1      Link encap:Ethernet  HWaddr 00:00:92:a7:07:71  
              inet6 addr: fe80::200:92ff:fea7:771/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:24374 errors:1 dropped:0 overruns:0 frame:0
              TX packets:40936 errors:3 dropped:0 overruns:0 carrier:3
              collisions:0 txqueuelen:1000 
              RX bytes:7763838 (7.4 MiB)  TX bytes:53734456 (51.2 MiB)
              Interrupt:11 Base address:0x2080 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:119 errors:0 dropped:0 overruns:0 frame:0
              TX packets:119 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:10484 (10.2 KiB)  TX bytes:10484 (10.2 KiB)
    You should be ready to install ntop now... if you...
    A. br0 has been assigned the ip address you gave it.
    B. You can ping google.com from your windows pc.

    It may take a few, 30 seconds or so, for the bridge to become ready... so be sure to give it a little time.
    Now do an
    Code:
    apt-get update
    apt-get install ntop
    The installation asked me what interfaces I wished to monitor.
    You can probably tell it to use br0. (I told it to monitor eth0, eth1 and br0, but mine wasn't working yet!)

    You will then just need to type ntop to start the logging.
    Then from a machine on your subnet... open a browser and navigate to 192.168.1.149:3000 to see what info
    ntop has gathered.

    I will post some pics... later, and make corrections etc...
    Now you really can find out what the heck that windows machine is up to!
    I'd recommend getting it all set up... and then just boot the windows machine and then let it just sit there...
    you know... let it think nobody is watching it.

    One more thing... when you first start ntop... it will ask you for a password.
    When you try and log in using a browser, and click the admin tab... It is going to ask.
    You should use the username "admin" along with your password.

    Ok... here is a pic of ntop. I had just cleared the logfile.
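As an added example (not code from the original post), here is a script that turns the post's readiness checks, the default route leaving via br0, br0 holding BRIDGEIP and both ports in promiscuous mode, into shell functions over `route -n` and `ifconfig` text, with constructed sample output so they can be tested offline before running them live; the function names and the 30 second poll are my assumptions.

```shell
# Added example (not from the original post): the post's readiness checks as
# shell functions over `route -n` / `ifconfig` text, so they can be tested
# offline on constructed samples and then run live with wait_for_bridge.
BRIDGEIP=192.168.1.149
UPSTREAMIP=192.168.1.1

# 0 if the default route goes to UPSTREAMIP through br0 ($1 = `route -n` output).
routes_via_bridge() {
    printf '%s\n' "$1" | awk -v gw="$UPSTREAMIP" '
        $1 == "0.0.0.0" && $2 == gw && $NF == "br0" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# 0 if br0 carries BRIDGEIP ($1 = `ifconfig` output; interface blocks start in column 1).
bridge_has_ip() {
    printf '%s\n' "$1" | awk -v ip="$BRIDGEIP" '
        /^[^ ]/ { iface = $1 }
        iface == "br0" && $1 == "inet" && $2 == ("addr:" ip) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# 0 if both bridge ports show PROMISC on their flags line ($1 = `ifconfig` output).
ports_promisc() {
    printf '%s\n' "$1" | awk '
        /^[^ ]/ { iface = $1 }
        (iface == "eth0" || iface == "eth1") && /PROMISC/ { seen[iface] = 1 }
        END { exit (seen["eth0"] && seen["eth1"]) ? 0 : 1 }'
}

# Live check on the Knoppix host (needs root); poll up to 30 s, as the post
# says the bridge can take that long, and only then start ntop.
wait_for_bridge() {
    n=0
    while [ "$n" -lt 30 ]; do
        r=$(route -n 2>/dev/null) && i=$(ifconfig 2>/dev/null) &&
            routes_via_bridge "$r" && bridge_has_ip "$i" && ports_promisc "$i" && return 0
        sleep 1; n=$((n + 1))
    done
    return 1
}

# Constructed sample output, modelled on the listings in the post above.
ROUTE_OK='0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br0'
IFCONFIG_OK='br0       Link encap:Ethernet  HWaddr 00:00:92:a7:07:70
          inet addr:192.168.1.149  Bcast:192.168.1.255  Mask:255.255.255.0
eth0      Link encap:Ethernet  HWaddr 00:00:92:a7:07:70
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:00:92:a7:07:71
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'
```

On the host, `wait_for_bridge && ntop` starts the logger only once all three conditions hold.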

  2. #2 (Member, Austin, Texas)
    I did something similar using Ethereal. One PC is running Win98SE. The other was running Knoppix. Both are connected to a hub that is connected to a router w/a crossover cable. The router is connected to a USR external MODEM. I could then monitor traffic, but really did not know what to look for. How do I identify what is malware?

  3. #3 (Administrator, Site Admin)
    Quote Originally Posted by borgward
    ...... How do I identify what is malware?
    Malware should have the "evil bit" set, as defined in RFC 3514.
    ---
    Verifying of md5 checksum and burning a CD at slow speed are important.
