# micetrap

          ___
      _.-|   |          |\__/,|   (`\
     {   |   |          |o o  |__ _) )
      "-.|___|        _.( T   )  `  /
       .--'-`-.     _((_ `^--' /_<  \
       .+|______|__.-||__)`-'(((/  (((/

Catch hackers on the fly with *micetrap*!

Micetrap opens a server on either a given or a random port, emulating fake
vulnerable services. Port scanners such as Nmap, when fingerprinting ports
to discover service names and versions, get apparently legitimate responses
from common services such as FTP, HTTP or MySQL servers, and are therefore
fed false information that misleads potential attackers.

Depending on the operating system you are using, micetrap tries its best to
_look feasible_ by choosing appropriate fake services and versions to
emulate. Whenever possible, micetrap advertises slightly outdated versions,
which are more likely to be vulnerable and thus draw the attacker's attention
to those ports. While the attacker tries to exploit these ports, she is
essentially sending certain packets, which micetrap captures and logs. This
information can reveal what kinds of attacks are being tried against your
machine, giving you the time and the opportunity to defend appropriately.

Running micetrap with sudo allows it to use default, unsuspicious ports,
which may give you an advantage in tricking a smart attacker.
## Install

    git clone git://github.com/txus/micetrap.c.git
    cd micetrap.c
    make
    # link with an absolute path; a relative target would not resolve from /usr/local/bin
    ln -s "$PWD/src/micetrap" /usr/local/bin/micetrap
36
## Usage

Just fire up the server with some fake service, such as an ftp server:

    micetrap ftp 8765

If everything is ok, you will see something like this:

    [Sun Oct 2 16:16:32 2011] Fake ftp server ready and listening on port 8765...
46
Most port scanners, such as *nmap*, have some kind of fingerprinting
capability. To discover which service and version run behind a specific
port, they send special packets, or _probes_, to which different services and
versions react differently. By capturing the response and matching it against
a database, they can usually determine reliably what service and version is
running behind that port.

Port scanners usually start by sending a blank probe, since many servers
respond with a welcome banner that reveals interesting details about them.
Micetrap only responds to those early blank probes. Let's port-scan this fake
ftp service with nmap fingerprinting:

    nmap 127.0.0.1 -p 8765 -A

We are scanning localhost, port 8765, and -A turns on service version
detection and OS guessing. After a while, in our micetrap server terminal we
see:

    [Sun Oct 2 16:16:40 2011] Incoming connection from 127.0.0.1
    [Sun Oct 2 16:16:46 2011] Message received:

    [Sun Oct 2 16:16:46 2011] Sent a fake probe: 220-----------------------------
    220-This is the "Banner" message for the Mac OS X Server's FTP server process.

And in the nmap terminal:

    Starting Nmap 5.35DC1 ( http://nmap.org ) at (timestamp)
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00017s latency).
    PORT     STATE SERVICE VERSION
    8765/tcp open  ftp     Mac OS X Server ftpd

The faked service/version is random (you can start an ftp server that looks
like lukemftpd, Mac OS X Server ftpd or PureFTPd, for example), but it is
consistent within the same server, so that every scan reports the same
service and version.
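As an added example that is not micetrap's own code, here is a minimal fake-ftp listener in C following the sequence just described: it logs the incoming connection, waits briefly for the scanner's blank probe, logs whatever arrived and then answers with a banner chosen deterministically from the port so repeated scans agree. The banner strings, the 2 second probe timeout and the port-based selection are assumptions of this example, not micetrap's behaviour.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>
/* Constructed banners (neither micetrap's nor nmap's); FTP lines end in CRLF. */
static const char *const BANNERS[] = { "220 lukemftpd FTP server ready.\r\n",
                                       "220 Welcome to Pure-FTPd.\r\n" };
#define NBANNERS (sizeof BANNERS / sizeof BANNERS[0])
/* Pick by port so repeated scans of one port always see the same service. */
const char *pick_banner(int port) { return BANNERS[(unsigned)port % NBANNERS]; }
/* "[Sun Oct  2 16:16:32 2011]" style prefix in UTC; returns a static buffer. */
const char *stamp_utc(time_t t) {
    static char buf[40]; struct tm tm;
    gmtime_r(&t, &tm);
    strftime(buf, sizeof buf, "[%a %b %e %H:%M:%S %Y]", &tm);
    return buf;
}
/* Handle one client: log the peer, wait up to 2 s for the scanner's (usually
 * blank) probe, log it, then answer with the banner. Returns bytes sent. */
int serve_one(int lsock, const char *banner) {
    struct sockaddr_in peer; socklen_t plen = sizeof peer;
    char ip[INET_ADDRSTRLEN], probe[256];
    int c = accept(lsock, (struct sockaddr *)&peer, &plen);
    if (c < 0) return -1;
    inet_ntop(AF_INET, &peer.sin_addr, ip, sizeof ip);
    printf("%s Incoming connection from %s\n", stamp_utc(time(NULL)), ip);
    struct timeval tv = { 2, 0 };
    setsockopt(c, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    ssize_t got = recv(c, probe, sizeof probe - 1, 0); /* 0 or -1 on a blank probe */
    probe[got > 0 ? got : 0] = '\0';
    printf("%s Message received: %s\n", stamp_utc(time(NULL)), probe);
    int sent = (int)send(c, banner, strlen(banner), 0);
    printf("%s Sent a fake banner: %s", stamp_utc(time(NULL)), banner);
    close(c);
    return sent;
}
int main(int argc, char **argv) {
    int port = argc > 1 ? atoi(argv[1]) : 8765, one = 1, s = socket(AF_INET, SOCK_STREAM, 0);
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one); /* restart without TIME_WAIT delay */
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port), .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 8) < 0) { perror("listen"); return 1; }
    printf("%s Fake ftp server ready and listening on port %d...\n", stamp_utc(time(NULL)), port);
    for (;;) serve_one(s, pick_banner(port));
}
```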
82
## U mad? Evil hackers

Probably.

## Available services

For now there are a bunch of ftp, http, torrent, mysql and samba services,
mostly Mac-ish.
91
## Contribute!

If you want to contribute more services and versions to empower micetrap
and be a superhero, follow these steps:

* Fork the project.
* Install _nmap_ and look for a file called nmap-service-probes on your system.
  This file contains the regexes used to match responses from scanned services.
* You only have to devise a string that fits one of these regexes and then
  add it to the corresponding service file (lib/micetrap/services/ftp.rb, for
  example, if it's an ftp server).
* Commit, but do not mess with the rakefile, version, or history.
  If you want to have your own version, that is fine, but bump the version
  in a commit by itself that I can ignore when I pull.
* Send me a pull request. Bonus points for topic branches.
* Profit!
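To check a candidate banner before contributing it, here is an added C helper (not part of micetrap) that pulls the regex out of a line written in the nmap-service-probes `match` layout and tests the banner against it. The `match` line below is constructed for illustration, and nmap's own file uses Perl-style regexes while this uses POSIX extended ones, so a pass here is a first filter rather than a guarantee that nmap will report the product.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Parse "match <service> m<delim>regex<delim> ..." and run the regex on the
 * banner. Returns 1 on match, 0 on no match, -1 if the line is malformed or
 * the regex is not valid POSIX ERE. */
int banner_matches(const char *match_line, const char *banner) {
    const char *p = strchr(match_line, ' ');        /* skip "match"/"softmatch" */
    if (!p) return -1;
    p = strchr(p + 1, ' ');                         /* skip the service name */
    if (!p || p[1] != 'm' || !p[2]) return -1;
    char delim = p[2];
    const char *start = p + 3, *end = strchr(start, delim);
    if (!end) return -1;
    char pattern[512];
    size_t len = (size_t)(end - start);
    if (len >= sizeof pattern) return -1;
    memcpy(pattern, start, len);
    pattern[len] = '\0';
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return -1;
    int rc = regexec(&re, banner, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Constructed match line in nmap-service-probes layout (not copied from nmap). */
static const char *const EXAMPLE_MATCH =
    "match ftp m|^220 ([A-Za-z]+) FTP server \\(Version [0-9.]+\\) ready| p/$1/";

int main(void) {
    const char *good = "220 lukemftpd FTP server (Version 1.3) ready.\r\n";
    const char *bad = "220 Welcome, please log in.\r\n";
    printf("good=%d bad=%d\n", banner_matches(EXAMPLE_MATCH, good),
           banner_matches(EXAMPLE_MATCH, bad));
    return 0;
}
```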
108
## Copyright

Copyright (c) 2011 Josep M. Bach. See LICENSE for details.