Background Reading

Before starting, you are encouraged to review the following paper to understand the RBS method, which is effective in detecting network worms and port scanners by measuring the rate of connections to new destinations:

Jung, Jaeyeon, Rodolfo A$.$ Milito, and Vern Paxson. $"$On the adaptive real$-$time detection of fast$-$propagating network worms." International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, Berlin, Heidelberg, $2007.$ Read the paper hereLinks to an external site.. Part $1$: PortScanner Detector

Task: Create a tool that records and analyzes first$-$contact connection requests $($ to $)$ within a LAN, including self$-$initiated scans.

Data Management: Use a Python dictionary to log these first$-$contact requests with their timestamps. Entries older than $10$ minutes should be continuously cleared.

Analysis: Calculate the "fan$-$out rate" for each source IP$,$ which is defined as the rate of establishing first$-$contact connections. Calculate this rate over three intervals: per second, per minute, and per $5$ minutes.

Detection Criteria: A source IP is flagged as a port scanner if its fan$-$out rate exceeds any of the following thresholds: $5$ per second, $100$ per minute, or $300$ per $5$ minutes.

Output: For each detected port scanner, display the source IP$,$ average fan$-$out rates, and the specific reason for detection.

Example Output:

A scanner detected on source IP x

avg. fan$-$out per sec: y$,$ avg fan$-$out per min: z$,$ fan$-$out per $5$min: d

reason for detection: fan$-$out rate per sec $=6($must be less than $5).$

Part $2$: PortScanner Update

Task: Modify the port scanner developed in Lab $2$ to accept a waiting time $($in milliseconds$)$ between each scan to different destinations. Also, enhance it to scan a range of network addresses $($CIDR notation$).$

Functionality: The updated scanner should adhere to the specified waiting time between consecutive scans. Below is my lab $2$ code : import socket

def tcp$\_$scanner$($target$,$ port$)$:

try:

tcp$\_$sock $=$ socket.socket$($socket$.$AF$\_$INET, socket.SOCK$\_$STREAM$)$

tcp$\_$sock.connect$(($target$,$ port$))$

tcp$\_$sock.close$()$

return True

except:

return False

def udp$\_$scanner$($target$,$ port$)$:

try:

udp$\_$sock $=$ socket.socket$($socket$.$AF$\_$INET, socket.SOCK$\_$DGRAM$)$

udp$\_$sock.settimeout$(2\mathrm{.}0)$

# udp$\_$sock.sendto$($bytes$("",$ "utf$-8"),($target$,$ port$))$ # Send a UDP packet to the IP and port of the target

data $=$ b$\text{'}\backslash$x$00\backslash$x$00\backslash$x$01\backslash$x$00\backslash$x$00\backslash$x$01\backslash$x$00\backslash$x$00\backslash$x$00\backslash$x$00\backslash$x$00\backslash$x$00\backslash$x$07$example$\backslash$x$03$com$\backslash$x$00\backslash$x$00\backslash$x$01\backslash$x$00\backslash$x$01\text{'}$

udp$\_$sock.sendto$($data$,($target$,$ port$))$

response, addr $=$ udp$\_$sock.recvfrom$(1024)$

if response:

return True

except socket.timeout as e:

return False

def main$()$:

target $=$ input$("[+]$ Enter Target IP: $")$

for portNumber in range$(1,1024)$:

if udp$\_$scanner$($target$,$ portNumber$)$:

print$(\text{'}$Port$\text{'},$ portNumber, $\text{'}/$udp$\text{'},\text{'}$is DEFINITELY open'$)$

for portNumber in range$(1,1024)$:

if tcp$\_$scanner$($target$,$ portNumber$)$:

print$(\text{'}[*]$ Port', portNumber, $\text{'}/$tcp$\text{'},\text{'}$is open'$)$

if $\_\_$name$\_\_=="\_\_$main$\_\_"$:

main$()**$lab $2$ code ends $**$

Part $3$: Testing Environment Setup

Configuration: Utilize two Kali VMs $($one original, one copy$)$ in the same LAN $(192\mathrm{.}168\mathrm{.}10\mathrm{.}0/24).$ Designate one VM for defense and the other for attacks.

Execution: Run the PortScanner Detector on the defense VM and execute the updated port scanner on the attack VM under five different waiting times $(1$ ms$,0\mathrm{.}5$s$,1$s$,5$s$,10$s$).$ Collect your results under each of these five scenarios.