Project 17: yesman--Scanner Honeypot with scapy (15 pts.)

What you need

A Kali Machine, real or virtual, to act as the Target machine.
Any other computer to act as the Scanner machine. I used another Kali virtual machine.
A quiet network to work in--I recommend using NAT mode in VMware so the only network traffic you see is between your own two VMs.

Purpose

This script acts as a simple honeypot. It answers every SYN with a SYN/ACK. That will make port scans useless, as every port appears open.

I think if you run the interface in promiscuous mode, this script will defend a whole network, answering every SYN no matter what IP address it is directed to.

In order to make this script practical, you will need to add code to stop responding to any IP address & port combination that you are actually using. Otherwise this script will DoS your own network.

Finding the IP Address of the Target Machine

On the Target Machine, open a Terminal window (if you are using Ubuntu, click Applications, Accessories, Terminal).

On the Target Machine, in the Terminal window, execute the ifconfig command. Make a note of your IP address for later reference.

Blocking ACK Packets on the Target Machine

As before, you must block ACK packets with iptables.

On the Target Machine, open a Terminal window. In the Terminal window, execute this command:

iptables -L

If you see a rule in the OUTPUT section that drops RST packets, as shown below on this page, your firewall is correctly configured. If the rule is not there, execute this command to add it:

iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP

Sniffing a Packet in scapy

On the Target Machine, in scapy, enter these commands:

scapy
sniff(count=1)

Scapy sniffs a packet and shows you a summary of what it captured, as shown below on this page.

If the colors are difficult to see, adjust them by clicking Edit, "Profile Preferences", Colors. I used "Black on light yellow".

Sniffing 100 Packets in scapy

On the Target Machine, in scapy, enter this command:

p = sniff(count=100)

Scanning from the Scanner Machine

On your Scanner machine, click Start. In the Search box, type Nmap. Click "Nmap - Zenmap GUI". In the Target box, enter your Target Machine's IP address. Click the Scan button. The scan runs, as shown below on this page.

Examining the Captured Packets

On the Target Machine, in scapy, enter this command:

p

Scapy prints the summary line, showing how many packets were of each type, as shown below on this page. You should see a lot of TCP packets--when I did it, there were 86. If you don't have many TCP packets, restart the Nmap scan and repeat the p = sniff(count=100) command.

On the Target Machine, in scapy, enter this command:

p[50:70].summary()

Scapy prints out a handy summary of 20 packets, as shown below on this page.

On the left side of each line the OSI model layer protocols are shown.

Layer 2: Every segment starts with Ether because we are using an Ethernet network interface, so no other layer 2 protocol can be received. And, of course, no one is sending anything else onto your LAN these days anyway.

Layer 3: Most of the packets are IP, but you may see some ARP packets as well.

Layer 4: Here you will see more variety, including TCP, UDP, and ICMP.

Find a TCP packet. In the figure below, the last packet shown, p[50], is a TCP packet. (The packets are numbered from 0 to 19.) Several packets before that one are also TCP packets.

Look at the right side of the line summarizing your TCP packet. If it's a SYN from Nmap, it will show "S / Padding". The S means it's a SYN packet. To proceed, you need to find a TCP SYN packet to examine.

If you don't have any TCP SYN packets, try looking at the next 20 packets with p[20:40].summary()

If that fails, just repeat the capture process and run the Nmap scan again.

Examining a TCP Packet

Execute these commands, replacing [50] with the number of a TCP SYN packet that you captured:

p[50]
p[50].dst

Explanation:

p[50] shows the whole frame, with all the layers, as shown below on this page.

p[50].dst shows the layer 2 destination address, (a MAC address), also shown below on this page.

You can separate the layers easily. Execute these commands, replacing [50] with the number of a TCP SYN packet that you captured:

p[50][Ether] p[50][IP]
p[50][TCP]

Explanation:

p[50][Ether] shows the layer 2 frame and its contents, which include all higher layers, as shown below on this page.

p[50][IP] shows the layer 3 packet and its contents, which include all higher layers, as shown below on this page.

p[50][TCP] shows the layer 4 segment, as shown below on this page.

Now let's look at the values in the TCP segment.

Execute these commands, replacing [50] with the number of a TCP SYN packet that you captured:

p[50][TCP].sport p[50][TCP].seq p[50][TCP].flags p[50][TCP].sprintf("%flags%")

Explanation:

p[50][TCP].sport shows the TCP destination port of the captured packet, as shown below on this page.

p[50][TCP].seq shows the TCP sequence number of the captured packet, as shown below on this page.

p[50][TCP].flags should show the flags, but they show up as 2L, because the "flags" field has a non-printable data type.

p[50][TCP].sprintf("%flags%") prints the flags into a string variable, which is now printable, as shown below on this page. My packet was a SYN packet, so the value is 'S'.

Saving the Screen Image

Make sure you can see the 'S' flag.

Save a screen image with the filename Proj 17a from Your Name.

Exiting scapy

Now we want to write a script, so we'll exit scapy's interactive mode.

In scapy, execute this command:

exit()

Creating the yesman.py script

"yesman" will just answer every SYN packet with a SYN/ACK. This will confuse port scanners, and make every port appear to be open.

On the Target Machine, in a Terminal window, execute these commands:

cd
nano yesman.py

In the nano window, type (or copy and paste) this script:


#!/usr/bin/env python
import sys
from scapy.all import *

def findSYN(p):
    flags = p.sprintf("%TCP.flags%")
    if flags == "S":        # Only respond to SYN Packets
            ip = p[IP]      # Received IP Packet
            tcp = p[TCP]    # Received TCP Segment
            i = IP()        # Outgoing IP Packet
            i.dst = ip.src
            i.src = ip.dst
            t = TCP()       # Outgoing TCP Segment
            t.flags = "SA"
            t.dport = tcp.sport
            t.sport = tcp.dport
            t.seq = tcp.ack
            new_ack = tcp.seq + 1
            print "SYN/ACK sent to ",i.dst,":",t.dport
            send(i/t)

sniff(prn=findSYN)

Here is an image of the script:

Save the file with Ctrl+X, Y, Enter.

The yesman.py file won't run until you give it Execute permission. To do that, on the Target Machine, in the Terminal window, execute this command:

chmod a+x yesman.py

Scanning the Unprotected Target Machine

On your Scanner machine, run a default scan of the Target Machine using Nmap. The scan should not take long to complete, and it should show only a few open ports, or even none open at all. When I did it, I found that "All 1000 scanned ports are filtered", as shown below on this page.

Starting yesman

On the Target Machine, in the Terminal window, execute this command:

./yesman.py

Scanning the Protected Target Machine

On your Scanner machine, run another default scan of the Target Machine using Nmap. Nmap finds every port open, and yesman prints a lot of "SYN/ACK sent" messages, as shown below on this page.

Saving the Screen Image

Make sure the nmap scan shows a lot of open ports, as shown above on this page.

Save a screen image with the filename Proj 17b from Your Name.

Turning in Your Project

Email the images to cnit.123@gmail.com with a Subject line of Proj 17 from Your Name.

Sources

http://www.devx.com/security/Article/34741/1954

http://trac.secdev.org/scapy/wiki/BuildAndDissect

http://trac.secdev.org/scapy/wiki/FtpPasswordSniffer

Last modified: 6-27-16