On 01/08/19 16:07, Misc User wrote:
On 1/8/2019 3:16 PM, Aaron Mason wrote:
On Sat, Jan 5, 2019 at 5:46 AM Misc User
<open...@leviathanresearch.net> wrote:
On 1/3/2019 11:20 PM, Radek wrote:
A little ncat, sed, pfctl, and a dash of cron are able to do
the job just fine. cron is just there to start the ncat processes at
boot and run an hourly script to do a pfctl -T expire <table>
86400 to
keep the table clean of old attackers.
Sounds good. Could you share your script here?
I don't have access to my systems right now, but the script is pretty
much a couple of one-liners in crontab, something similar to:
ncat -l -k 23 -vv | sed s/..../..../ | xargs -R 1 -I % pfctl -t honeypot -T add %
I'll have to look up the exact command when I get home tonight,
especially the sed I used. Running on my local system, the ncat
command echoes out lines like:
Ncat: Connection from 172.16.11.152.
Ncat: Connection from 172.16.11.152:57562.
If I get the time today, I'll work on re-creating the regex, if not,
I'll share the one I've been using on my systems.
Hi
Any news on this? I've tried building my own and while I can get a
list of IP addresses, nothing gets sent through to xargs. They appear
if I leave off the xargs bit:
git# nc -vnkl 21 2>&1 | sed -E 's/^Connection from ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) [0-9]* received!$/\1/'
111.222.33.44
^C
git#
But if I include the pipe to xargs, nothing happens, I still get
nothing happening if I change it to a while loop, using read to pull
in the IP address.
This works, though it assumes that the output of nc(1) will
stay the same forever - it's also IPv6 ready, unlike my example above:
nc -vnkl 21 2>&1 | while read dummy dummy ipaddr dummy dummy; do pfctl -t honeypot -T add $ipaddr; done
Doing some work on it the other day, I noticed it opens a pretty big
command injection hole if pfctl doesn't kill the connection before the
connecting source gets a chance to send data. An attacker could
connect to the port and send the string "Ncat: Connection from
172.16.11.152.\ && <do things>" and whatever it uses for <do things>
will be done by a privileged account (at least one with permissions to
add entries to pf's tables).
I tested it using a telnet client connecting to one of the arbitrary
ports I set up. So I've been trying to figure out a better way to do
this. There has to be, maybe something with tcpdump.
I'm looking into patching ncat to have a flag where the -v option
doesn't output packet content, and only outputs packet metadata.
Probably also clean up what it outputs to produce a 'honeypot' mode or
something friendly to chaining to a firewall control program.
-CA
Yikes. Everything you are (erroneously) trying to do here can be done
without leaving your pf.conf.
Remember, KISS.
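Added example, written for this thread and not posted by anyone in it: a POSIX sh filter that could stand in for the sed or read stage of the pipelines quoted above, passing a string on to pfctl only after it validates as a bare IPv4 or IPv6 literal, so echoed client data such as the injection string described here never reaches the command. The function names and the IPv6 "Connection from" line format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pass a peer address on to pfctl only
# when it validates as a bare IPv4 or IPv6 literal, never raw ncat output.

# Return 0 if $1 is a dotted-quad IPv4 literal with every octet in 0..255.
is_ipv4() {
    a=$1
    printf '%s\n' "$a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $a; IFS=$old_ifs   # split into octets
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a plausible IPv6 literal: hex digits and colons only,
# groups of at most 4 hex digits, 2 to 7 colons, at most one "::".
# (IPv4-mapped forms such as ::ffff:1.2.3.4 are deliberately rejected.)
is_ipv6() {
    case $1 in
        ''|*[!0-9A-Fa-f:]*|*:::*|*::*::*) return 1 ;;
    esac
    case ":$1:" in
        *[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]*) return 1 ;;
    esac
    n=$(printf '%s' "$1" | tr -cd : | wc -c | tr -d ' ')
    [ "$n" -ge 2 ] && [ "$n" -le 7 ]
}

# Print the validated peer address from one "Connection from" line, or nothing.
# Accepts the ncat forms "... from 1.2.3.4:5678." / "... from 1.2.3.4." and the
# nc(1) form "Connection from 1.2.3.4 5678 received!" shown in the thread.
peer_addr() {
    line=$1
    p1='Ncat: Connection from '; p2='Connection from '
    case $line in
        "$p1"*) rest=${line#"$p1"} ;;
        "$p2"*) rest=${line#"$p2"} ;;
        *) return 1 ;;
    esac
    rest=${rest%.}      # ncat terminates its line with "."
    rest=${rest%% *}    # nc form: the address is the first word
    case $rest in *.*:*) rest=${rest%:*} ;; esac   # drop ":port" (IPv4 only)
    is_ipv4 "$rest" || is_ipv6 "$rest" || return 1
    printf '%s\n' "$rest"
}

# Intended pipeline (not run here); a line that fails validation adds nothing:
#   ncat -l -k 23 -vv 2>&1 | while IFS= read -r l; do a=$(peer_addr "$l") && pfctl -t honeypot -T add "$a"; done
```

This closes the command-injection path but not spoofing: a client can still send a well-formed "Connection from" line naming some other address, so entries in the table are still client-influenced input rather than verified attackers.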