Poor man's Honeypot (fun with script kids and worms)


Subject: Poor man's Honeypot (fun with script kids and worms)
ninjatech@ninjatech.cjb.net
Date: Wed Aug 13 2003 - 14:27:04 AKDT


Whenever a huge hole or worm is making the rounds, I like to set up a quick and easy trap to gather information, like so.

First I set up a little honey daemon with a simple shell script like this:

#!/bin/bash
# pmp.sh - Poor Man's Pot
# 2003 t.c.v. ( Special DCOM Edition :p )
# http://ninjatech.cjb.net
# This can be re-used anytime a major hole comes out and you want to
# get packet captures of attacks to add signatures to your NIDS.
# Quick and dirty, but it does the job.
# Requires netcat: http://www.atstake.com/research/tools/network_utilities/

# Masquerade as vulnerable services and gather data: each listener appends
# whatever the client sends to a file named after the service it fakes.
nc -l -p 135 -vv >> loc-srv.txt &
nc -l -p 139 -vv >> netbios-ssn.txt &
nc -l -p 445 -vv >> microsoft-ds.txt &
nc -l -p 593 -vv >> http-rpc-epmap.txt &

---------------------------------------------------------------------------------------------------------

Then, to make sure my little info grabber doesn't cause me any grief, I add a few quick iptables
entries to my firewall script that will both keep track of the origin of attack and limit the connection attempts
to my listener so I don't get flooded:

$IPTABLES -A INPUT -p tcp --dport 135 -m limit -j LOG \
                          --log-prefix "Firewalled packet: loc-srv "

$IPTABLES -A INPUT -p tcp --dport 139 -m limit -j LOG \
                          --log-prefix "Firewalled packet: netbios-ssn "

$IPTABLES -A INPUT -p tcp --dport 445 -m limit -j LOG \
                          --log-prefix "Firewalled packet: microsoft-ds "

$IPTABLES -A INPUT -p tcp --dport 593 -m limit -j LOG \
                          --log-prefix "Firewalled packet: http-rpc-epmap "

--------------------------------------------------------------------------------------------------------------

Ok, now to put it all together:
bash-2.05b$chmod +x pmp.sh
bash-2.05b$/etc/init.d/firewall restart
#make sure all the new rules are running
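Putting the listener script and the firewall rules together, here is an added example of the same trap (my code, not ninjatech's pmp.sh or firewall script). It assumes a netcat that takes "-l -p PORT", kernel LOG lines landing in a syslog file, and the usual "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule earlier in INPUT; the "pmp2.sh", "captures/" and "/tmp/pmp-demo.log" names are mine. Two things it adds to the post's version: a plain "nc -l" exits after its first client, so the listener is wrapped in a restart loop with one capture file per hit, and because "-m limit -j LOG" only rate-limits the log lines (LOG is non-terminating), a limited ACCEPT followed by a DROP is what actually throttles the connections. The report function turns the resulting kernel log into per-port, per-source hit counts; the sample log lines are constructed, with addresses from the documentation ranges.

```shell
#!/bin/bash
# pmp2.sh - an added example, not ninjatech's pmp.sh or firewall script.
# Same idea as the post: fake the DCOM-era Windows ports with netcat, log the
# sources with iptables LOG rules, then turn the kernel log into a summary.
#
# Assumptions (mine, not the post's): a netcat that understands "-l -p PORT",
# kernel LOG output landing in a syslog file, and the usual
# "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule earlier in INPUT so
# packets of accepted sessions keep flowing.  Usage:
#   ./pmp2.sh rules                   # print the iptables rules
#   ./pmp2.sh listen                  # run the listeners (root for ports < 1024)
#   ./pmp2.sh report /var/log/messages
#   ./pmp2.sh demo                    # summarize the constructed sample log

# port:capture-name pairs, the same four services as the original pmp.sh
PMP_PORTS="135:loc-srv 139:netbios-ssn 445:microsoft-ds 593:http-rpc-epmap"

# Print the rules for one fake service.  "-m limit -j LOG" on its own only
# rate-limits the *log lines* (LOG is non-terminating; the packet continues
# down the chain), so a second limited rule ACCEPTs a bounded number of new
# connections and a final rule DROPs the excess.  That is what keeps a worm
# from flooding the listener.
pmp_rules() {
    port=$1; name=$2; rate=${3:-6/min}; burst=${4:-10}
    printf '%s\n' \
      "iptables -A INPUT -p tcp --dport $port --syn -m limit --limit $rate --limit-burst $burst -j LOG --log-prefix \"Firewalled packet: $name \"" \
      "iptables -A INPUT -p tcp --dport $port --syn -m limit --limit $rate --limit-burst $burst -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport $port --syn -j DROP"
}

# Keep one listener alive.  A plain "nc -l" exits after its first client, so
# the original script captured at most one hit per port; this loop restarts
# netcat and writes every hit to its own timestamped file.
pmp_listen() {
    port=$1; name=$2
    mkdir -p captures
    while :; do
        nc -l -p "$port" -vv >> "captures/$name-$(date +%Y%m%d-%H%M%S).bin" \
            2>> "captures/$name.log"
        sleep 1
    done
}

# Turn kernel LOG lines ("Firewalled packet: <name> ... SRC=a.b.c.d ... DPT=n")
# into "port name source hits", busiest source first.
pmp_summarize() {
    grep 'Firewalled packet:' "$1" |
    awk '{
        name = ""; src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "packet:")          name = $(i+1)
            if (substr($i,1,4) == "SRC=") src  = substr($i,5)
            if (substr($i,1,4) == "DPT=") dpt  = substr($i,5)
        }
        if (src != "" && dpt != "") hits[dpt " " name " " src]++
    }
    END { for (k in hits) print k, hits[k] }' |
    sort -k4,4nr -k1,1n -k3,3
}

# Constructed sample of what syslog receives from the rules above (addresses
# from the documentation ranges, not real attackers); used by "demo".
pmp_sample_log() {
    cat <<'EOF'
Aug 13 14:01:22 pot kernel: Firewalled packet: loc-srv IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.9 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4321 DF PROTO=TCP SPT=1042 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 13 14:01:23 pot kernel: Firewalled packet: loc-srv IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.9 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4322 DF PROTO=TCP SPT=1043 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 13 14:01:24 pot kernel: eth0: link up, 100Mbps, full-duplex
Aug 13 14:01:25 pot kernel: Firewalled packet: microsoft-ds IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.9 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=777 DF PROTO=TCP SPT=3201 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 13 14:01:30 pot kernel: Firewalled packet: loc-srv IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.9 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=778 DF PROTO=TCP SPT=3202 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
}

case "${1:-}" in
    rules)  for p in $PMP_PORTS; do pmp_rules "${p%%:*}" "${p#*:}"; done ;;
    listen) for p in $PMP_PORTS; do pmp_listen "${p%%:*}" "${p#*:}" & done; wait ;;
    report) pmp_summarize "${2:-/var/log/messages}" ;;
    demo)   pmp_sample_log > /tmp/pmp-demo.log; pmp_summarize /tmp/pmp-demo.log ;;
esac
```

"./pmp2.sh demo" prints the sample summarized as "135 loc-srv 192.0.2.10 2", then the two single hits. The limit rates in pmp_rules are defaults to tune: a worm such as the one the post targets retries constantly, so a few new connections per minute per port is plenty to harvest its payload while the DROP rule absorbs the rest.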

Actually... let's take a look from the outside without my firewall in place.

bash-2.05b$/etc/init.d/firewall stop

bash-2.05b$nmap -sS -O -F -vv 68.58.*.*

(The 1194 ports scanned but not shown below are in state: closed)
Port State Service
443/tcp open https
3306/tcp open mysql
5555/tcp open freeciv
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
OS Fingerprint:
(None)
Uptime 0.003 days (since Wed Aug 13 13:50:12 2003)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=4234777 (Good luck!)
TCP ISN Seq. Numbers: 1B65E8D5 1BBCF99D 1BA07CBF 1B46345C 1B2BAC73 1BF81744
IPID Sequence Generation: All zeros

Hrrrm. Ok, so let's check out our script and see if it does what we want:

bash-2.05b# ./pmp.sh
bash-2.05b# listening on [any] 593 ...
listening on [any] 135 ...
listening on [any] 139 ...
listening on [any] 445 ...

Now I'll Ctrl-C the script into the background and see what I look like now.

bash-2.05b$nmap -sS -O -F -vv 68.58.*.*
(The 1189 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
3306/tcp open mysql
5555/tcp open freeciv
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
OS Fingerprint:
(None)
Uptime 0.006 days (since Wed Aug 13 13:50:11 2003)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2755747 (Good luck!)
TCP ISN Seq. Numbers: 2C519537 2CCA6710 2CD8A3CF 2CD66CC6 2C97791E 2CBE9ED6
IPID Sequence Generation: All zeros

Ok, that's better. Good enough to fool a poorly written virus/worm, but probably not an attacker.
Let me load up my silly iptables setup (I'll make it available on my site soon) and try it again.

bash-2.05b#/etc/init.d/wall start

bash-2.05b# nmap -sS -O -F -vv 66.58.***.***

(The 1189 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
3306/tcp open mysql
5555/tcp open freeciv
Device type: firewall|general purpose|PDA
Running (JUST GUESSING) : Checkpoint Windows NT/2K/XP (97%), Linux 2.4.X|2.5.X|2.3.X (97%), Sun Solaris 2.X (87%)
Aggressive OS guesses: Checkpoint SecurePlatform NG FP3 (97%), Linux Kernel 2.4.0 - 2.5.20 w/o tcp_timestamps (97%), Linux Kernel 2.4.0 - 2.5.20 (94%), Linux 2.4.7 (X86) (94%), Linux 2.4.6 as on Sharp Zaurus PDA (91%), Linux Kernel 2.4.20 (91%), Linux 2.5.25 - 2.5.70 or Gentoo 1.2 Linux 2.4.19 rc1-rc7) (91%), Linux 2.4.18 (91%), Linux Kernel 2.4.18 - 2.5.70 (X86) (88%), Gentoo 1.2 linux (Kernel 2.4.19-gentoo-rc5) (88%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
(None)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2629515 (Good luck!)
TCP ISN Seq. Numbers: 46D1AB1B 468B703A 471EB2EF 4702C84C 46CCE555 470A5F48
IPID Sequence Generation: All zeros

Heh!
*Much* better. Now I look like an inferior (and expensive) firewall product with
ds and epmap open to the world. All I have to do is sit back and harvest attack signatures
for my NIDS ruleset and send mails to script kids demanding cases of Red Bull lest I turn them
over to their ISP. (kidding)

Hope this helps anyone interested in such things.

An in-depth version of this, including my nmap-fooling iptables ruleset, will be available at http://ninjatech.cjb.net later today
or early tomorrow.

If anyone captures any interesting attacks not mentioned on the netsys, bugtraq or vuln-dev lists, please let me know.

-------------------------------------------------------------------------------------------------------------------
pub 1024D/6F04299B 2003-08-10 T.C.V. (Postatem obscuri lateris nescitis) <tcv@ninjatech.cjb.net>
Key fingerprint = 2E8F 57BF 31FC 1344 7BB3 2D08 AB33 1185 6F04 299B
sub 2048g/431F3112 2003-08-10 [expires: 2004-08-09]
-------------------------------------------------------------------------------------------------------------------
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.



This archive was generated by hypermail 2a23 : Wed Aug 13 2003 - 14:32:15 AKDT