# micetrap

    ___
    _.-| | |\__/,| (`\
    { | | |o o |__ _) )
    "-.|___| _.( T ) ` /
    .--'-`-. _((_ `^--' /_< \
    .+|______|__.-||__)`-'(((/ (((/

Catch hackers on the fly with *micetrap*!

Micetrap opens a server on either a given or a random port, emulating fake
vulnerable services. Port scanners such as Nmap, when fingerprinting ports
to discover service names and versions, get apparently legitimate
responses from common services such as FTP, HTTP or MySQL servers, and are
therefore fed false information that misleads potential attackers.

Depending on the operating system you are using, micetrap will try its best
to _look plausible_ by choosing appropriate fake services and versions
to emulate. Whenever possible, micetrap advertises slightly outdated versions,
which look more likely to be vulnerable and thus draw the attacker's
attention to those ports. While the attacker tries to exploit them, the
packets she sends are captured and logged by micetrap. This information
can reveal what kinds of attacks are being tried against your machine,
giving you time and the opportunity to defend appropriately.

Running micetrap with sudo allows it to bind the default, less suspicious
ports of the services it emulates (ports below 1024 need root), which may
give you an advantage at tricking a smart attacker.

## Install

    gem install micetrap

...or, if you want to be able to use it with sudo:

    sudo gem install micetrap

Micetrap currently runs on Ruby versions 1.8.7 and 1.9.2.

## Usage

Just fire up the server with some fake service, such as an ftp server:

    micetrap ftp --port 8765

If everything is ok, you will see something like this:

    (some timestamp) ::: Ftp trap listening on ::ffff:0.0.0.0:8765 :::

TL;DR: Most port scanners such as *nmap* have some kind of fingerprinting
capability. This means that, in order to discover which service and
version run behind a specific port, they send special packets, or _probes_,
which make different services and versions react differently. By capturing
the response and matching it against a database, most of the time they
can reliably determine what service and version is running behind that port.

Port scanners usually start by sending a blank probe, since many servers
respond with a welcome banner telling interesting stuff about them. Micetrap
only responds to those early blank probes. Let's try to port-scan this fake
ftp service with nmap fingerprinting:

    nmap 127.0.0.1 -p 8765 -A

We are scanning localhost, port 8765, and -A means service version detection
and OS guessing. After a while, in our micetrap server terminal we see:

    (timestamp) Recorded a probe coming from ::ffff:127.0.0.1:51082 containing
    the following: (empty line)

    (timestamp) ::: Responded misleadingly: let's drive those hackers nuts! :::

These get logged inside a .log file within the current directory.
And in the nmap terminal:

    Starting Nmap 5.35DC1 ( http://nmap.org ) at (timestamp)
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00017s latency).
    PORT     STATE SERVICE VERSION
    8765/tcp open  ftp     Mac OS X Server ftpd

The faked service/version is random (you can start an ftp server which looks
like lukemftpd, Mac OS X Server ftpd or PureFTPd, for example), but it is
consistent within the same server, so that every scan reports the same service
and version.

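A minimal trap of the kind described above, as an added example that is not micetrap's own code: it greets every connection with one banner chosen once at startup (so repeated scans of the same server stay consistent) and records whatever the peer sends afterwards. The banner strings and the `BlankProbeTrap` class are constructed for this example.

```ruby
require 'socket'
require 'logger'

# Constructed stand-in banners for this example; not taken from micetrap's service files.
FAKE_FTP_BANNERS = [
  "220 trap.local FTP server (tnftpd 20080929) ready.\r\n",
  "220 ProFTPD 1.3.2 Server (ProFTPD Default Installation) [::ffff:0.0.0.0]\r\n"
].freeze

class BlankProbeTrap
  attr_reader :port, :banner, :records

  # The banner is picked once per server instance, so every later scan of this
  # port reports the same fake service and version.
  def initialize(banners, port: 0, seed: Random.new_seed, logger: Logger.new($stdout))
    @server  = TCPServer.new('127.0.0.1', port)  # port 0: let the OS choose a free port
    @port    = @server.addr[1]
    @banner  = banners[Random.new(seed).rand(banners.size)]
    @logger  = logger
    @records = []
  end

  # Handle one connection: send the banner right away (a blank probe only connects
  # and waits for exactly that), then capture anything the peer sends until it goes
  # quiet for `timeout` seconds or closes. Returns the log record.
  def serve_one(timeout: 2)
    client = @server.accept
    peer   = "#{client.peeraddr[3]}:#{client.peeraddr[1]}"
    client.write(@banner)
    probe = String.new
    while IO.select([client], nil, nil, timeout)
      begin
        probe << client.readpartial(1024)
      rescue EOFError
        break                                  # peer closed the connection
      end
    end
    record = { peer: peer, probe: probe, banner: @banner }
    @logger.info("Recorded a probe coming from #{peer} containing: #{probe.inspect}")
    @records << record
    record
  ensure
    client.close if client
  end

  def close
    @server.close
  end
end
```
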
## U mad? Evil hackers

Probably.

## Available services

For now there are a bunch of ftp, http, torrent, mysql and samba services,
mostly Mac-ish.

## Contribute!

If you want to contribute more services and versions to empower micetrap
and be a superhero, you shall follow these steps:

* Fork the project.
* Install _nmap_ and look for a file called nmap-service-probes on your system.
  This file contains the regexes used to match responses from scanned services.
* You only have to devise a string which fits one of these regexes and then
  add it to the corresponding service file (in lib/micetrap/services/ftp.rb, for
  example, if it's an ftp server).
* Commit, but do not mess with the rakefile, version, or history.
  If you want to have your own version, that is fine, but bump the version
  in a commit by itself that I can ignore when I pull.
* Send me a pull request. Bonus points for topic branches.
* Profit!
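
To check a candidate banner before adding it to a service file, here is an added example (not part of micetrap) that parses `match` lines in the nmap-service-probes format and reports which ones a banner satisfies. The three match lines are constructed for illustration rather than copied from nmap's database, and the parser assumes the regexes use only PCRE syntax that Ruby's engine understands the same way.

```ruby
# Constructed match lines in nmap-service-probes syntax (not copied from nmap):
#   match <service> m<delim>regex<delim>[flags] [p/product/ v/version/ h/host/ ...]
SAMPLE_PROBES = <<~'EOS'
  match ftp m|^220 ([-\w.]+) FTP server \(tnftpd (\d+)\) ready\.\r\n| p/tnftpd/ v/$2/ h/$1/
  match ftp m|^220 ProFTPD ([\d.]+) Server| p/ProFTPD/ v/$1/
  match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)|s p/Apache httpd/ v/$1/
EOS

MatchLine = Struct.new(:service, :regexp, :versioninfo)

# Turn each "match" line into a Ruby Regexp plus its version-info template.
def parse_match_lines(text)
  text.each_line.map do |line|
    m = line.match(/^match (\S+) m(.)(.*?)\2([is]*)(?: (.*))?$/)
    next unless m
    opts = 0
    opts |= Regexp::IGNORECASE if m[4].include?('i')
    opts |= Regexp::MULTILINE  if m[4].include?('s')   # Perl /s is Ruby /m: '.' matches "\n"
    info = (m[5] || '').scan(%r{(\w+)/([^/]*)/}).to_h
    MatchLine.new(m[1], Regexp.new(m[3], opts), info)
  end.compact
end

# Return [service, expanded version info] for every match line the banner satisfies.
# A banner that matches none of the lines is the thing to avoid: the scanner would
# then report the port as an unknown service instead of the fake one you intended.
def fingerprint(banner, match_lines)
  match_lines.map do |ml|
    md = ml.regexp.match(banner)
    next unless md
    expanded = ml.versioninfo.map { |k, v| [k, v.gsub(/\$(\d)/) { md[$1.to_i] }] }.to_h
    [ml.service, expanded]
  end.compact
end

# Usage: confirm a candidate banner is recognised before adding it to a service file.
if __FILE__ == $PROGRAM_NAME
  lines  = parse_match_lines(SAMPLE_PROBES)
  banner = "220 trap.local FTP server (tnftpd 20080929) ready.\r\n"
  p fingerprint(banner, lines)
end
```

Point the same parser at your system's real nmap-service-probes file to check a banner against the actual database.
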

## Copyright

Copyright (c) 2011 Josep M. Bach. See LICENSE for details.