The main idea is to show that all your ports are OPEN!

"What?" you will probably say.
Yes. OPEN, for security reasons!
Let me explain.

When you scan your victim with nmap, you will find some open ports; they help you choose the right tools to attack your victim.
For example:

nmap google.com
 
Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-11 01:20 IST
Nmap scan report for google.com (172.217.16.174)
Host is up (0.066s latency).
Other addresses for google.com (not scanned): 2a00:1450:4001:814::200e
rDNS record for 172.217.16.174: fra15s11-in-f14.1e100.net
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds

The same way you can scan all 65535 ports on your victim's machine. Yeah, this will take some time, but who said hacking is fast and easy?
Here I'll show you some useful nmap switches:

nmap -sV -Pn -p- <target>
-sV: Try to determine service/version info
-Pn: Skip host discovery and treat the host as up, useful when a firewall blocks ping
-p-: Scan all ports, like -p 1-65535. nmap scans them in random order, e.g. 1, 143, 43268, 6
<target>: IP or domain address

Okay, let's get back to the honeypot!
So it's great when you get 3, or even 5, open ports with their service names.
But! What will happen if, after your scan, you see that ALL 65535 ports are OPEN!?

Let me show you a little example… (refresh the page at this point to see the magic)

nmap -v -Pn -p 1-1000 csi-blog.com
 
Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-11 01:58 IST
Initiating Parallel DNS resolution of 1 host. at 01:58
Completed Parallel DNS resolution of 1 host. at 01:58, 0.11s elapsed
Initiating SYN Stealth Scan at 01:58
Scanning csi-blog.com (188.226.146.144) [1000 ports]
Discovered open port 443/tcp on 188.226.146.144
Discovered open port 23/tcp on 188.226.146.144
Discovered open port 993/tcp on 188.226.146.144
Discovered open port 53/tcp on 188.226.146.144
Discovered open port 113/tcp on 188.226.146.144
Discovered open port 445/tcp on 188.226.146.144
Discovered open port 256/tcp on 188.226.146.144
Discovered open port 22/tcp on 188.226.146.144
Discovered open port 110/tcp on 188.226.146.144
Discovered open port 21/tcp on 188.226.146.144
Discovered open port 80/tcp on 188.226.146.144
Discovered open port 135/tcp on 188.226.146.144
Discovered open port 139/tcp on 188.226.146.144
Discovered open port 587/tcp on 188.226.146.144
Discovered open port 25/tcp on 188.226.146.144
Discovered open port 554/tcp on 188.226.146.144
Discovered open port 143/tcp on 188.226.146.144
Discovered open port 199/tcp on 188.226.146.144

This script acts as a simple honeypot. It answers every SYN with a SYN/ACK. This will make port scanning useless, because all ports will be shown as OPEN.

I think that you got it; leave it alone 🙂
And trust me, all the ports are CLOSED

Okay, if you're still here, I assume you want to see this magic code? Alright.

I will try to explain how it works, and I will also show you how to run it on your machine!

Step 1: Preparation

To make this script work, we need an iptables rule that DROPs outgoing TCP reset (RST) packets in the OUTPUT chain.
Without it, the kernel answers every SYN to a closed port with a RST, and the scanner would mark the port closed no matter what our script sends. Note that this rule suppresses every RST the host would send, not only those for closed ports.

You also need Python 2.7 and Scapy installed on your machine.


First, run this command:

sudo iptables -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

Then check your iptables by typing:

sudo iptables -L

If you see this rule under the OUTPUT chain, you're good to go.

sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp flags:RST/RST

Now we need to save this rule so it persists after a reboot.
The easiest way to make iptables rules survive a reboot is the iptables-persistent package. Install it with apt-get like this:

sudo apt-get install iptables-persistent

During the installation, you will be asked if you want to save your current firewall rules.
If you update your firewall rules later and want to save the changes, run this command (on releases that ship netfilter-persistent, the equivalent is sudo netfilter-persistent save):

sudo invoke-rc.d iptables-persistent save

Step 2: Script

#!/usr/bin/python

"""
Honeypot made in Python 2.7 with Scapy.
Description: Displays all ports as OPEN.
Author: Alexander Kravchenko.

"""

import uuid
from scapy.all import *

# Get your MAC address with help of the uuid library
my_mac = ':'.join(['{:02x}'.format((uuid.getnode() >> i) & 0xff) for i in range(0, 8 * 6, 8)][::-1])
# SSH banner for all SYNs
banner = "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2\n"


def captureSniff():
    # Sniff all TCP packets and hand each one to sendSyn.
    # store=0 stops sniff() from buffering every captured packet in memory,
    # which matters for a process that is meant to run for days as a service.
    sniff(filter="tcp and portrange 1-65535", prn=sendSyn, store=0)


# Send SYN-ACK for all ports
def sendSyn(pkt):
    if pkt.haslayer("Ethernet"):
        # If the frame came from our own MAC address it is one of our replies: ignore it.
        if my_mac.lower() == pkt['Ethernet'].src:
            return

    if pkt.haslayer("IP") and pkt.haslayer("TCP"):
        # Swap addresses and ports once, so both branches below reply to the scanner.
        d = pkt["IP"].src
        s = pkt["IP"].dst
        dp = pkt["TCP"].sport
        sp = pkt["TCP"].dport
        a = pkt["TCP"].seq + 1

        # SYN scan (-sS): answer the SYN with SYN/ACK, so the port looks open.
        if pkt["TCP"].flags == 2:
            send(IP(dst=d, src=s) / TCP(dport=dp, sport=sp, ack=a, flags="SA") / Raw(load=banner))

        # Full three-way handshake scan (e.g. -sT) or nmap from macOS: the scanner
        # closes the connection with a FIN, which we acknowledge.
        if pkt["TCP"].flags == 1:
            send(IP(dst=d, src=s) / TCP(dport=dp, sport=sp, ack=a, flags="A") / Raw(load=banner))


try:
    captureSniff()

except:
    exit(0)

Copy this code to your machine.

sudo nano /usr/local/bin/honeypot.py

Give it executable permissions.

cd /usr/local/bin/
sudo chmod u+x honeypot.py
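The honeypot earns its keep as a tripwire: a legitimate client touches one or two ports, a scanner touches dozens or hundreds. Below is an added example (my code, not the post's script or the GitHub project) that flags such a source using the same fields the script already reads from each packet (source IP, destination port, TCP flags) plus the capture time; the records it replays are constructed, and the ScanDetector class, its window and its threshold are assumptions, not anything from the original.

```python
# Added example, not part of the original post or the GitHub project.
# Pure Python 2/3, no Scapy needed: feed observe() from the sniff() callback
# with (pkt.time, pkt["IP"].src, pkt["TCP"].dport, int(pkt["TCP"].flags)),
# or replay constructed records as done at the bottom.
from collections import defaultdict, deque

SYN = 0x02  # same TCP flag value the honeypot script compares against
ACK = 0x10


class ScanDetector(object):
    """Alert once per source that probes many distinct ports in a short window (assumed design)."""

    def __init__(self, window=10.0, threshold=20):
        self.window = float(window)      # seconds of history kept per source
        self.threshold = threshold       # distinct ports that count as a scan
        self._events = defaultdict(deque)  # src -> deque of (time, dport)
        self.alerted = set()

    def observe(self, ts, src, dport, flags):
        """Record one TCP segment; return True the first time src crosses the threshold."""
        # Only pure SYNs are probes; SYN/ACK, ACK and FIN belong to replies or teardown.
        if not (flags & SYN) or (flags & ACK):
            return False
        q = self._events[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:   # expire probes outside the window
            q.popleft()
        distinct = len(set(p for _, p in q))
        if distinct >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return True
        return False


def replay(records, **kw):
    """Run (ts, src, dport, flags) records through a detector; return alerted sources in order."""
    det = ScanDetector(**kw)
    return [src for ts, src, dport, flags in records if det.observe(ts, src, dport, flags)]


# Constructed sample traffic: one scanner sweeping 25 ports in 2.4 seconds,
# one ordinary client reconnecting to 80 and 443 a few times over 7 seconds.
SAMPLE = ([(0.1 * i, "203.0.113.7", 1 + i, SYN) for i in range(25)] +
          [(0.3 * i, "198.51.100.9", 443 if i % 2 else 80, SYN) for i in range(25)])
SAMPLE.sort()

if __name__ == "__main__":
    print(replay(SAMPLE, window=10, threshold=20))  # ['203.0.113.7']
```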

Step 3: Check it

Okay, if you have the iptables rule and Scapy on your machine, run this command:

sudo ./honeypot.py

From your attacking machine (e.g. Kali), run an nmap scan against the honeypot machine:

nmap -F <Honeypot machine ip>

You should see that all ports are OPEN! Magic…

Also, on your honeypot machine you should see a lot of "Sent 1 packets." messages in the terminal:

sudo ./honeypot.py
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.

Great news, the honeypot is working!

But you don't want it to run in your terminal, right?
Let's make it run as a service on your machine!

Step 4: Run as Service

Now let's create a systemd service file so the honeypot starts after reboots and is restarted after crashes. The file must have a .service extension and live under the /lib/systemd/system/ directory:

sudo nano /lib/systemd/system/honeypot.service

Now add the following code to it. The ExecStart path must point at wherever you saved the script: this unit uses /usr/bin/honeypot/honeypot.py, so adjust it if you used /usr/local/bin/honeypot.py from Step 2:

[Unit]
Description=Honeypot Service
# Start once networking is up; ordering after multi-user.target while also being
# wanted by it would create an ordering cycle.
After=network.target

[Service]
Type=simple
# The script never reads from a terminal, so no tty settings are needed.
ExecStart=/usr/bin/python2 /usr/bin/honeypot/honeypot.py
# systemd does not allow comments after a value on the same line, so they go here.
# Always restart, 3 seconds after a crash or any other exit.
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target

Your service unit has been added. Let's reload the systemd daemon so it reads the new file.

sudo systemctl daemon-reload

You need to reload the daemon each time after making any changes to the honeypot.service file.

Now let's enable the honeypot service:

sudo systemctl enable honeypot.service

Now let's start the honeypot!

sudo systemctl start honeypot.service

Now let's check the status of the honeypot:

sudo systemctl status honeypot.service
● honeypot.service -- Honeypot Service
Loaded: loaded (/lib/systemd/system/honeypot.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2017-12-11 16:10:38 UTC; 1s ago
Main PID: 471 (python2)
Tasks: 1
Memory: 19.2M
CPU: 597ms
CGroup: /system.slice/honeypot.service
└─471 /usr/bin/python2 /usr/bin/honeypot/honeypot.py
Dec 11 16:10:38 CSIRiddle systemd[1]: Started Honeypot Service.

Want to stop the service?

sudo systemctl stop honeypot.service

That’s it. You’re ready to go 🙂
Please comment your review!

Proof of concept

This scan took me about 12 hours: nmap -sT -T normal -p 1-65535 csi-blog.com

Final Note:

The idea was given by my teacher as my course project.
I have tested this script from Linux, Windows and macOS.
Any suggestions are welcome!

Honeypot on GitHub! https://github.com/UtopiaBe/Honeypot

Credits:

Gil Rozenberg

Comments on $ Honeypot – all ports are OPEN.

  • Shurik Kravchenko

    Comments are welcome!

  • Jan

Great script, I'd love to see a UDP option as well.
