Abyss



Author: Ryan J. O'Neill - Ryan@bitlackeys.com
News: Abyss 0.9.9-beta is outdated, get the latest Abyss on March 17th 2008

-[About]-
Abyss is a diverse network tool designed for unix/linux with both active and passive capabilities. It performs various types of portscans with remote OS detection, and uses a multi-threaded model for fast simultaneous network scans. Abyss also has sniffing capabilities based on complex BPF filters that display packet information, decode the payload, and perform passive OS detection.

It is still in early development, and all documentation regarding the Abyss project will be maintained on this webpage. Any feedback and suggestions are appreciated.

-[Scan Types]-
Currently abyss performs 6 different types of portscans. First there is the nonblocking socket portscan which is always used when scanning multiple hosts in a multi-threaded fashion, and used by default when scanning a single host. When scanning single hosts you may also use the SYN stealth scan, the UDP scan, and other stealth scans like XMAS Tree scan, FIN scan, and NULL scan.

Many other features exist including icmp ping sweeps, vulnerability scanning, banner grabbing, service scans, classless ip subnetting, and an entire array of passive features only briefly touched upon below. More extensive information is found in the README file.

AbysS performs portscans based on different services files like those found in /etc/. Abyss uses /abyss/services/abyss.services, which by default is based on the nmap-services file. There are several other services files located in the directory, including abyss.services.alt, which is the same as the nessus services file. You may use whichever services file you wish as long as it is in the standard format and you name it abyss.services.

-[ OS detection ]-
Currently AbysS has a limited tcp/ip stack fingerprint database, somewhere around 40 OS fingerprints. If abyss does not know what operating system a host is running, and you know the exact OS and version number, run abyss with -v:

./abyss -s <host or ip> -v

That will print the fingerprints in the correct order. Calculating the initial ttl is not necessary with abyss (see test.c). Append the OS name to the end of the fingerprint using the ':' symbol as the delimiter, and add it to the .fingerprint/os.prints file. Please email any fingerprints to ryan@bitlackeys.com

The passive OS detection analyzes both the SYN and the SYN/ACK packets in my development version, but only the SYN/ACK in the version here for download. I have not yet gathered enough fingerprints for SYN packets.

-[ Compile ]-

AbysS compiles on Linux and FreeBSD. It is POSIX compliant, and should work on other unix variants running on x86.

1. Download from the link below
2. Unpack the tar ball - tar zxvf abyss-0.9.6-beta.tar.gz
3. Compile - type make

The README-NOW file is very descriptive, and should give full instructions on using AbysS.

-[ Examples ]-

Scan all the live hosts on a 30 node LAN

./abyss -p target.net/27 192.168.1.2 -o iplist
./abyss -f iplist 

Passive OS Detection, while also sniffing payload and packets from all tcp traffic

./abyss -O eth0 -b tcp -h -o logfile

Sniff ftp usernames, and passwords

./abyss -O eth0 -b tcp and dst port 21 -h -o logfile

Use abyss for NIDS purposes... this example captures any traffic attempting to send data on an initial SYN (just to demonstrate passive features with BPF capability)

./abyss -O eth0 -b 'tcp[13] & 0xff = 2 and ( ip[2:2] - ((ip[0] & 0x0f) * 4) - ((tcp[12] & 0xf0)/4)) != 0' -h -o idslog
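
The filter above, written out as a C check on a raw IPv4 packet. This is an added example, not code from Abyss: the function names and the sample packets are constructed for illustration, and it adds the bounds checks a capture-side parser needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the buffer (starting at the IPv4 header) is a SYN-only TCP
 * segment that carries payload, 0 otherwise. Mirrors the BPF expression. */
int syn_with_payload(const uint8_t *ip, size_t caplen)
{
    if (caplen < 20 || (ip[0] >> 4) != 4 || ip[9] != 6)
        return 0;                                 /* not IPv4 carrying TCP */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;      /* (ip[0] & 0x0f) * 4 */
    size_t total = ((size_t)ip[2] << 8) | ip[3];  /* ip[2:2] */
    if (ihl < 20 || caplen < ihl + 20 || total < ihl + 20)
        return 0;                                 /* truncated or malformed */
    if ((((ip[6] & 0x1f) << 8) | ip[7]) != 0)
        return 0;                                 /* later fragment: no TCP header */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] & 0xf0) / 4;   /* (tcp[12] & 0xf0)/4 */
    if (doff < 20 || total < ihl + doff)
        return 0;                                 /* bad data offset */
    if ((tcp[13] & 0xff) != 0x02)
        return 0;                                 /* tcp[13] & 0xff = 2: SYN only */
    return total - ihl - doff != 0;               /* payload bytes present */
}

/* Constructed sample: build a minimal IPv4+TCP packet and classify it. */
int sample(uint8_t flags, size_t tcp_opt, size_t payload)
{
    uint8_t b[128];
    size_t doff = 20 + tcp_opt, total = 20 + doff + payload;
    if (total > sizeof b || tcp_opt % 4 || tcp_opt > 40) return -1;
    memset(b, 0, total);
    b[0] = 0x45;                                  /* version 4, IHL 5 */
    b[2] = (uint8_t)(total >> 8); b[3] = (uint8_t)total;
    b[8] = 64; b[9] = 6;                          /* TTL, protocol TCP */
    b[20 + 12] = (uint8_t)((doff / 4) << 4);      /* TCP data offset */
    b[20 + 13] = flags;
    return syn_with_payload(b, total);
}

int main(void)
{
    printf("SYN, 20 option bytes, no data: %d\n", sample(0x02, 20, 0));
    printf("SYN, 20 option bytes, 8 data:  %d\n", sample(0x02, 20, 8));
    printf("PSH|ACK, 8 data:               %d\n", sample(0x18, 0, 8));
    return 0;
}
```

Because the flag test is an exact match on 2, a SYN that also sets ECE/CWR (0xc2) does not match. TCP Fast Open clients legitimately send data on the SYN, so a hit needs that context before it is treated as an alert.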

************************************************************
0.9.15-beta will be released soon. New features include:
************************************************************
[ --vuln-check ] (Remote service vulnerability check)
[ --serv-probe ] (Query remote services)
[ --ip-logs ] (Logs scan results in separate ip address files)
[ --lookup ] (Retrieves local ip address)

[ --src-route ] (Loose source routing option 'Use for ip spoofing / IDS Evasion')

As a result of the new --vuln-check feature, I will maintain a vulnerability
database here on bitlackeys that contains updated fingerprints.
Abyss 0.9.15-beta uses a vulnerability database that uses a type of fingerprinting.

- Expected release date is May 1st, 2008 -

In the meantime, I have made available a pre-release of 0.9.15... although not complete, its functionality far exceeds the 0.9.9 version that has been up forever.

Download:
abyss-0.9.15-pre-release.tgz

- Other documentation -

README
CHANGELOG
TODO

Please report any found bugs, and any thoughts, or contributions to the author:
Lavren / Ryan O'Neill - ryan@bitlackeys.com