Following on from my linux bash honeyport script (read this first if you don’t know what a Honeyport is), I wanted to write a script that works across platforms to accept connections on a given port and block that IP using the local firewall – IPFW on Mac OS X, iptables on Linux, or Windows Firewall – or using the Dome9 service (I’m hoping to add Unix support soon).
I chose to write this one in Python as the cross-platform language of choice, and it’s compatible with Python 2.7 to 3.4. One feature of this script is that you can optionally configure it to run another Python script whenever a client connects to the honeyport. The client’s IP will be passed to the called script as an argument, allowing you to do whatever you want with it. The script’s output is then sent back to the connected client before they are blacklisted.
Check it out on GitHub, improvements and additional ideas are welcome!
Dome9 just introduced the ability to set a time-to-live (TTL) option for blacklisted IPs, something I may have bugged them for about once or twice! This is nice as it allows items on your blacklist to expire after a pre-determined amount of time instead of living on in perpetuity. It’s particularly beneficial when you run something like my Honeyport that can end up blacklisting over 400 unique IPs in about two months — it saves having to go in and manually remove blacklisted IPs periodically.
I’ve updated my Honeyport script to include the option to set a TTL on blacklisted IPs when using Dome9. Note this doesn’t yet work when using IPtables as it doesn’t have an easy TTL-style option for rules. This functionality for IPtables is on my TODO list.
Check out honeyport-0.2.sh here!
After securing systems by hiding them completely from the network/internet using Single Packet Authorization, I’ve recently been interested in doing more so-called ‘active’ defense, by implementing solutions to delay, confuse, or thwart attackers. Completely hiding one’s system is not always feasible (ie. in the case of an internet-facing server), and monitoring, apart from being purely reactive, is not always easy and requires the involvement of a human. An alternative to these is to do some automated active defense. One simple tool in the bag of active defense tricks is the honeyport. Read more
The Pwnie Express (PwnPlug) is a great little tool for hackers, pentesters and social engineers alike. While I don’t advocate the use of a Pwnie for illicit purposes, I was intrigued about using it as an untraceable tap into a network. Out of the box the Pwnie allows you to configure reverse SSH connections, exfiltrated over a number of different protocols including HTTP, SSL, ICMP and DNS.
While these are great for getting out of controlled networks, they all require the Pwnie to be configured with the IP address of your SSH server, which could potentially be traced back to you. It also requires your SSH server to be able to directly receive connections at the IP/hostname configured on the Pwnie. While one could run an SSH server on a proxy box somewhere, I felt that was too primitive, so I installed Tor on my Pwnie and configured a Tor Hidden Service on my SSH server.
Note: For the purposes of this tutorial, the SSH server will be running on BackTrack 5. I’m assuming you’ve already performed the initial Pwnie Express setup steps on the server! Check out my PwnieScripts to help speed up and automate the Pwnie setup.
These instructions do not yet work on Pwn Plug software >= 1.1 as they’ve changed the layout of things! Will update this post when I get the time.
The Pwnie Express (PwnPlug) is a purpose-built penetration testing device in a plug form factor. A key feature is its ability to exfiltrate from a network and connect back to your SSH server using HTTP, SSL, ICMP or DNS tunnels. Check out my tutorial on how to hack your Pwnie to make untraceable reverse SSH connections over Tor.
There are a number of steps required to set up the computer on which the Pwnie’s reverse SSH connections will be received (setting up the listeners). To simplify and automate this process, I’ve put them together into a set of very simple bash scripts. I’m hoping to turn two of these into a proper init.d script, but haven’t yet had the time. The PwnieScripts set contains the following five bash scripts, and are designed to be used on BackTrack 5 (although they can easily be adapted to work on any other distro):
- pwnsetup.sh: Automates the Pwnie Express setup process by enabling SSHD, generating SSH keys, creating a ‘pwnplug’ user, installing HTTPTunnel, generating an SSL certificate, configuring stunnel, and configuring DNS2TCP.
- pwnstart.sh: Kills any existing listeners, and then starts SSHD as well as new HTTPTunnel, stunnel (SSL tunnel), DNS2TCP (DNS tunnel) and ptunnel (ICMP tunnel) listeners.
- pwnwatch.sh: One-line script to monitor netstat for incoming connections from Pwnie Express.
- pwnconnect.sh: aka. the Lazy Script – initiates an SSH connection to the first available established connection from Pwnie Express, so you don’t have to check which ones are active. It’ll use the more secure/relible ones first (SSL, HTTP) where available. Use the -t flag to only connect over Tor.
- pwnstop.sh: Kills all existing HTTPTunnel, stunnel, DNS2TCP and ptunnel listener processses.
Download PwnieScripts (tgz 4kb)
v0.1: Initial release.
BackTrack 5 – codenamed “Revolution” – is currently under development, and the team is working on updating both system and tools. At the moment it’s running a 2.6.38-rc5 kernel, improved wireless drivers, and a new KDE 4 theme is being put together.
An initial release won’t be available for at least a couple months. If you have any requests or recommendations, now’s the time to make them on the BackTrack forums.
Here are a few teaser screenshots of BT5.
[Updated 10/5/2011] BackTrack 5 is out!