Add linux sockscan plugin
Hello 👋
This PR adds a first attempt at a sockscan plugin. Based heavily on the vol2 netscan plugin by @atcuno. I've also added another method following the path from a file object as per the sockstat plugin by @gcmoreira, and to display the results this plugin makes heavy use of the great socket handling from sockstat.
I've tried to include scanning for all the types of sockets supported rather than just the INET ones used in the vol2 plugin. I've hard coded the symbols to search for, I think it has reasonably good coverage of most cases but I'd welcome any feedback.
I've tried adding a test case as well - hopefully I've done that correctly.
Thanks for taking the time to review this, and I look forward to any feedback you might have.
Thank you!
Here is a sample of the results:
Volatility 3 Framework 2.6.0
Sock Offset Family Type Proto Source Addr Source Port Destination Addr Destination Port State Filter
0x4416880 AF_UNIX STREAM - /tmp/pulse-JldaJj8OxQLa/native 14054 - 14053 ESTABLISHED -
0x445a080 AF_UNIX STREAM - - 10706 - 10705 ESTABLISHED -
0x445a3c0 AF_UNIX STREAM - - 10705 - 10706 ESTABLISHED -
<snip>
0x1ad6fbc0 AF_INET STREAM TCP 0.0.0.0 901 0.0.0.0 0 LISTEN -
0x1ad78780 AF_UNIX STREAM - - 9767 /var/run/dbus/system_bus_socket 9768 ESTABLISHED -
<snip>
0x1b5a5000 AF_NETLINK RAW NETLINK_KOBJECT_UEVENT groups:0x00000002 2403 group:0x00000000 0 UNCONNECTED filter_type=socket_filter,bpf_filter_type=cBPF
0x1b5c8000 AF_NETLINK RAW NETLINK_ROUTE groups:0x000a0501 2363 group:0x00000000 0 UNCONNECTED -
0x1b5c8400 AF_NETLINK RAW NETLINK_KOBJECT_UEVENT groups:0x00000002 4294963067 group:0x00000000 0 UNCONNECTED filter_type=socket_filter,bpf_filter_type=cBPF
<snip>
0x1c56bb80 AF_INET STREAM TCP 192.168.201.161 22 192.168.201.1 59982 ESTABLISHED -
<snip>
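The sample output above has one whitespace-separated field per column (the plugin prints `-` for empty columns), which makes it easy to post-process for triage. The following is an added example, not part of this PR or of Volatility 3: it parses the rows shown above (embedded here as the sample input), lists listening INET sockets and sockets with an attached BPF filter, and cross-checks ESTABLISHED AF_UNIX sockets against their peers, since a scanner can find one end of a pair without the other.

```python
# Added example: parse and triage sockscan-style output. Rows are copied from the PR text.
from collections import namedtuple

# Column order follows the header line of the sample output.
COLUMNS = ("offset", "family", "type", "proto", "src_addr", "src_port",
           "dst_addr", "dst_port", "state", "filter")
Sock = namedtuple("Sock", COLUMNS)

SAMPLE = """\
Volatility 3 Framework 2.6.0
Sock Offset Family Type Proto Source Addr Source Port Destination Addr Destination Port State Filter
0x4416880 AF_UNIX STREAM - /tmp/pulse-JldaJj8OxQLa/native 14054 - 14053 ESTABLISHED -
0x445a080 AF_UNIX STREAM - - 10706 - 10705 ESTABLISHED -
0x445a3c0 AF_UNIX STREAM - - 10705 - 10706 ESTABLISHED -
<snip>
0x1ad6fbc0 AF_INET STREAM TCP 0.0.0.0 901 0.0.0.0 0 LISTEN -
0x1ad78780 AF_UNIX STREAM - - 9767 /var/run/dbus/system_bus_socket 9768 ESTABLISHED -
0x1b5a5000 AF_NETLINK RAW NETLINK_KOBJECT_UEVENT groups:0x00000002 2403 group:0x00000000 0 UNCONNECTED filter_type=socket_filter,bpf_filter_type=cBPF
0x1c56bb80 AF_INET STREAM TCP 192.168.201.161 22 192.168.201.1 59982 ESTABLISHED -
"""

def parse_sockscan(text):
    """Return Sock rows; the banner, header and <snip> lines are skipped.
    Every data row must have exactly 10 fields (unix paths here contain no spaces)."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected field count: {line!r}")
        rows.append(Sock(*fields))
    return rows

def listening_inet(rows):
    """AF_INET sockets in LISTEN state as (address, port), for exposure triage."""
    return [(r.src_addr, int(r.src_port)) for r in rows
            if r.family == "AF_INET" and r.state == "LISTEN"]

def filtered_sockets(rows):
    """Offsets of sockets with an attached socket filter (the Filter column is not '-')."""
    return [r.offset for r in rows if r.filter != "-"]

def unpaired_unix(rows):
    """ESTABLISHED AF_UNIX sockets whose peer (matched by port) is absent from the scan.
    In the sample the peers may simply fall inside the <snip> regions."""
    local = {r.src_port for r in rows if r.family == "AF_UNIX"}
    return [r.offset for r in rows if r.family == "AF_UNIX"
            and r.state == "ESTABLISHED" and r.dst_port not in local]
```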
Looks like I've not understood how the testing works, it's my own test that's failing, so I'll update that!
Thanks for merging those changes in directly for me @ikelos, and for the suggested fix @digitalisx.