Project 17: yesman--Scanner Honeypot with scapy (15 pts.)

What you need

A Linux machine, real or virtual. I used a Backtrack 4 R 2 virtual machine.
Any other computer as the target. I used a Windows 7 virtual machine.
A quiet network to work in--I recommend using NAT mode in VMware so the only network traffic you see is between your own two VMs.

Purpose

This script acts as a simple honeypot. It answers every SYN with a SYN/ACK. That will make port scans useless, as every port appears open.

I think if you run the interface in promiscuous mode, this script will defend a whole network, answering every SYN no matter what IP address it is directed to.

In order to make this script practical, you will need to add code to stop responding to any IP address & port combination that you are actually using. Otherwise this script will DoS your own network.

Preparing the Windows Machine

Start the Windows machine. If Nmap is not already installed, open a Web browser, and go to nmap.org. Click Downloads. Scroll halfway down the page and find the "Windows Binaries" section. Download the "Latest release self-installer", and install it with the default options.

Finding the IP Address of the Linux Machine

On the Linux machine, open a Terminal window (if you are using Ubuntu, click Applications, Accessories, Terminal).

On the Linux machine, in the Terminal window, execute the ifconfig command. Make a note of your IP address for later reference.

Blocking ACK Packets on the Linux Machine

As before, you must block ACK packets with iptables.

On the Linux Machine, open a Terminal window. In the Terminal window, execute this command:

sudo iptables -L

If you see a rule in the OUTPUT section that drops RST packets, as shown below on this page, your firewall is correctly configured. If the rule is not there, execute this command to add it:

sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

Installing scapy on the Linux Machine

If you are using BackTrack 4 R2, scapy is already installed.

If you are using Ubuntu, use this command on the Attacker Linux machine to install it:

sudo apt-get install python-scapy

Sniffing a Packet in scapy

On the Linux machine, in scapy, enter these commands:

sudo scapy
sniff(count=1)

Scapy sniffs a packet and shows you a summary of what it captured, as shown below on this page.

Sniffing 100 Packets in scapy

On the Linux machine, in scapy, enter this command:

p = sniff(count=100)

Scanning from Windows

On your Windows machine, click Start. In the Search box, type Nmap. Click "Nmap - Zenmap GUI". In the Target box, enter your Linux machine's IP address. Click the Scan button. The scan runs, as shown below on this page.

Examining the Captured Packets

On the Linux machine, in scapy, enter this command:

p

Scapy prints the summary line, showing how many packets were of each type, as shown below on this page. You should see a lot of TCP packets--when I did it, there were 86. If you don't have many TCP packets, restart the Nmap scan and repeat the p = sniff(count=100) command.

On the Linux machine, in scapy, enter this command:

p[0:20].summary()

Scapy prints out a handy summary of the first 20 packets, as shown below on this page.

On the left side of each line the OSI model layer protocols are shown.

Layer 2: Every segment starts with Ether because we are using an Ethernet network interface, so no other layer 2 protocol can be received. And, of course, no one is sending anything else onto your LAN these days anyway.

Layer 3: Most of the packets are IP, but you may see some ARP packets as well.

Layer 3: Here you will see more variety, including TCP, UDP, and ICMP.

Find a TCP packet. In the figure below, the last packet shown, p[19], is a TCP packet. (The packets are numbered from 0 to 19.) Several packets before that one are also TCP packets.

Look at the right side of the line summarizing your TCP packet. If it's a SYN from Nmap, it will show "S / Padding". The S means it's a SYN packet. To proceed, you need to find a TCP SYN packet to examine.

If you don't have any TCP SYN packets, try looking at the next 20 packets with p[20:40].summary()

If that fails, just repeat the capture process and run the Nmap scan again.

Examining a TCP Packet

Execute these commands, replacing [19] with the number of a TCP SYN packet that you captured:

p[19]
p[19].dst

Explanation:

p[19] shows the whole frame, with all the layers, as shown below on this page.

p[19].dst shows the layer 2 destination address, (a MAC address), also shown below on this page.

You can separate the layers easily. Execute these commands, replacing [19] with the number of a TCP SYN packet that you captured:

p[19][Ether] p[19][IP]
p[19][TCP]

Explanation:

p[19][Ether] shows the layer 2 frame and its contents, which include all higher layers, as shown below on this page.

p[19][IP] shows the layer 3 packet and its contents, which include all higher layers, as shown below on this page.

p[19][TCP] shows the layer 4 segment, as shown below on this page.

Now let's look at the values in the TCP segment.

Execute these commands, replacing [19] with the number of a TCP SYN packet that you captured:

p[19][TCP].sport p[19][TCP].seq p[19][TCP].flags p[19][TCP].sprintf("%flags%")

Explanation:

p[19][TCP].sport shows the TCP destination port of the captured packet, as shown below on this page.

p[19][TCP].seq shows the TCP sequence number of the captured packet, as shown below on this page.

p[19][TCP].flags should show the flags, but they show up as 2L, because the "flags" field has a non-printable data type.

p[19][TCP].sprintf("%flags%") prints the flags into a string variable, which is now printable, as shown below on this page. My packet was a SYN packet, so the value is 'S'.

Saving the Screen Image

Make sure you can see the 'S' flag.

Save a screen image with the filename Proj 17a from Your Name.

Exiting scapy

Now we want to write a script, so we'll exit scapy's interactive mode.

In scapy, execute this command:

exit()

Creating the yesman.py script

"yesman" will just answer every SYN packet with a SYN/ACK. This will confuse port scanners, and make every port appear to be open.

On the Linux machine, in a Terminal window, execute these commands:

cd
nano yesman.py

In the nano window, type (or copy and paste) this script:


#!/usr/bin/env python
import sys
from scapy.all import *

def findSYN(p):
        flags = p.sprintf("%TCP.flags%")
        if flags == "S":        # Only respond to SYN Packets
                ip = p[IP]      # Received IP Packet
                tcp = p[TCP]    # Received TCP Segment
                i = IP()        # Outgoing IP Packet
                i.dst = ip.src
                i.src = ip.dst
                t = TCP()       # Outgoing TCP Segment
                t.flags = "SA"
                t.dport = tcp.sport
                t.sport = tcp.dport
                t.seq = tcp.ack
                new_ack = tcp.seq + 1
                print "SYN/ACK sent to ",i.dst,":",t.dport
                send(i/t)

sniff(prn=findSYN)

Here is an image of the script:

Save the file with Ctrl+X, Y, Enter.

The yesman.py file won't run until you give it Execute permission. To do that, on the Linux machine, in the Terminal window, execute this command:

chmod a+x yesman.py

Scanning the Unprotected Linux Machine

On your Windows machine, run a default scan of the Linux machine using Nmap. The scan should not take long to complete, and it should show only a few open ports, or even none open at all. When I did it, I found that "All 1000 scanned ports are filtered", as shown below on this page.

Starting yesman

On the Linux machine, in the Terminal window, execute this command:

./yesman.py

Scanning the Protected Linux Machine

On your Windows machine, run another default scan of the Linux machine using Nmap. Nmap finds every port open, and yesman prints a lot of "SYN/ACK sent" messages, as shown below on this page.

Nmap will take much longer to scan now. It will run a Service Detection process against each open port, and then RPCgrind, thinking that RPC services are running. Then it will start NSE scanning, which will take 30 minutes or longer.

There's no point waiting for Nmap to finish--it is only going to find useless nonsense anyway. The honeypot has tricked Nmap into wasting its time on ports that go nowhere.

Saving the Screen Image

In the Zenmap window, scroll back so you can see a lot of "Discovered open port" messages, as shown above on this page.

Save a screen image with the filename Proj 17b from Your Name.

Turning in Your Project

Email the images to [email protected] with a Subject line of Proj 17 from Your Name.

Sources

http://www.devx.com/security/Article/34741/1954

http://trac.secdev.org/scapy/wiki/BuildAndDissect

http://trac.secdev.org/scapy/wiki/FtpPasswordSniffer

Last modified: 9-16-11