
Add linux sockscan plugin #1120

Open
wants to merge 8 commits into
base: develop

Conversation

@eve-mem eve-mem commented Mar 27, 2024

Hello 👋

This PR adds a first attempt at a sockscan plugin. Based heavily on the vol2 netscan plugin by @atcuno. I've also added another method following the path from a file object as per the sockstat plugin by @gcmoreira, and to display the results this plugin makes heavy use of the great socket handling from sockstat.

I've tried to include scanning for all the types of sockets supported rather than just the INET ones used in the vol2 plugin. I've hard coded the symbols to search for, I think it has reasonably good coverage of most cases but I'd welcome any feedback.

I've tried adding a test case as well - hopefully I've done that correctly.

Thanks for taking the time to review this, and I look forward to any feedback you might have.

Thank you!

Here is a sample of the results:

Volatility 3 Framework 2.6.0

Sock Offset	Family	Type	Proto	Source Addr	Source Port	Destination Addr	Destination Port	State	Filter

0x4416880	AF_UNIX	STREAM	-	/tmp/pulse-JldaJj8OxQLa/native	14054	-	14053	ESTABLISHED	-
0x445a080	AF_UNIX	STREAM	-	-	10706	-	10705	ESTABLISHED	-
0x445a3c0	AF_UNIX	STREAM	-	-	10705	-	10706	ESTABLISHED	-
<snip>
0x1ad6fbc0	AF_INET	STREAM	TCP	0.0.0.0	901	0.0.0.0	0	LISTEN	-
0x1ad78780	AF_UNIX	STREAM	-	-	9767	/var/run/dbus/system_bus_socket	9768	ESTABLISHED	-
<snip>
0x1b5a5000	AF_NETLINK	RAW	NETLINK_KOBJECT_UEVENT	groups:0x00000002	2403	group:0x00000000	0	UNCONNECTED	filter_type=socket_filter,bpf_filter_type=cBPF
0x1b5c8000	AF_NETLINK	RAW	NETLINK_ROUTE	groups:0x000a0501	2363	group:0x00000000	0	UNCONNECTED	-
0x1b5c8400	AF_NETLINK	RAW	NETLINK_KOBJECT_UEVENT	groups:0x00000002	4294963067	group:0x00000000	0	UNCONNECTED	filter_type=socket_filter,bpf_filter_type=cBPF
<snip>
0x1c56bb80	AF_INET	STREAM	TCP	192.168.201.161	22	192.168.201.1	59982	ESTABLISHED	-
<snip>
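As an added illustration of the carving approach the PR describes (scanning memory for pointers to hard-coded kernel symbols, then validating the bytes around each hit), the following is example code, not the plugin's own: the symbol addresses, the struct sock offsets and the memory image are all constructed for the example, and the validation step (checking the address family) is one a practitioner adds to cut false positives from stale or coincidental pointer hits.

```python
import struct
from typing import Dict, Iterator, Tuple

# Symbol addresses standing in for the kernel's proto objects. Constructed for this
# example; a real scan resolves them from the kernel's symbol table.
PROTO_SYMBOLS: Dict[int, str] = {
    0xFFFFFFFF81C0A000: "tcp_prot",
    0xFFFFFFFF81C0B000: "udp_prot",
    0xFFFFFFFF81C0C000: "unix_proto",
}
# Address families as seen in the plugin's output (values from <sys/socket.h>).
FAMILIES = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6", 16: "AF_NETLINK"}

# Assumed struct sock layout for the example; real offsets come from the kernel's
# debug symbols and differ between kernel versions.
SK_FAMILY_OFFSET = 0x10   # skc_family, 16-bit
SK_PROT_OFFSET = 0x28     # sk_prot, pointer
PTR = 8


def scan_for_socks(image: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (sock_offset, family, proto) for each candidate struct sock.

    A live sock's sk_prot must point at one of the kernel's proto objects, so every
    aligned pointer equal to such a symbol marks a candidate sock SK_PROT_OFFSET
    bytes earlier. The family check drops hits whose surrounding bytes cannot be a sock.
    """
    wanted = {struct.pack("<Q", addr): name for addr, name in PROTO_SYMBOLS.items()}
    for off in range(0, len(image) - PTR + 1, PTR):
        proto = wanted.get(image[off:off + PTR])
        if proto is None or off < SK_PROT_OFFSET:
            continue
        sock = off - SK_PROT_OFFSET
        (fam,) = struct.unpack_from("<H", image, sock + SK_FAMILY_OFFSET)
        if fam not in FAMILIES:
            continue  # pointer matched, but this memory is not a plausible sock
        yield sock, FAMILIES[fam], proto


def build_sample_image() -> bytes:
    """Construct a memory slice: two valid socks, one bogus hit, one unaligned decoy."""
    img = bytearray(0x1000)

    def place(sock: int, fam: int, sym: int) -> None:
        struct.pack_into("<H", img, sock + SK_FAMILY_OFFSET, fam)
        struct.pack_into("<Q", img, sock + SK_PROT_OFFSET, sym)

    place(0x100, 2, 0xFFFFFFFF81C0A000)       # AF_INET sock using tcp_prot
    place(0x600, 1, 0xFFFFFFFF81C0C000)       # AF_UNIX sock using unix_proto
    place(0x800, 0xFFFF, 0xFFFFFFFF81C0B000)  # matching pointer, impossible family
    struct.pack_into("<Q", img, 0xA03, 0xFFFFFFFF81C0A000)  # unaligned: never a sock
    return bytes(img)


if __name__ == "__main__":
    for sock, fam, proto in scan_for_socks(build_sample_image()):
        print(f"0x{sock:x}\t{fam}\t{proto}")
```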

eve-mem commented Mar 27, 2024

Looks like I've not understood how the testing works, it's my own test that's failing, so I'll update that!

@eve-mem eve-mem marked this pull request as draft March 28, 2024 08:55
@eve-mem eve-mem marked this pull request as ready for review March 28, 2024 09:36
@digitalisx digitalisx left a comment


Thank you for your work @eve-mem

Review comment on volatility3/framework/plugins/linux/sockscan.py (outdated, resolved)
Co-authored-by: Donghyun Kim <digitalisx99@gmail.com>
eve-mem commented Apr 30, 2024

Thanks for merging those changes in directly for me @ikelos, and for the suggested fix @digitalisx.
