1 parent 8cacb9c commit 70bd3ce6677401f10f62b777329586900e1dca49 @txus committed Jan 6, 2011
Showing with 73 additions and 8 deletions.
@@ -20,26 +20,91 @@ to emulate. Whenever possible, micetrap will provide a bit outdated versions
which are more likely to be vulnerable, and thus making the attacker focus
on those ports. While the attacker tries to exploit these ports, she is
essentially sending certain packets -- which get properly captured and
-logged my micetrap. This information might be useful to discover what kind
+logged by micetrap. This information might be useful to discover what kind
of attacks are being tried against your machine, therefore giving you time
and the opportunity to defend appropriately.
Running micetrap with sudo will allow it to use default, unsuspicious ports,
which may give you advantage at tricking a smart attacker.
-Micetrap is currently under intensive development, and hopefully a first
-version will be soon available.
+ gem install micetrap
+...or, if you want to be able to use it with sudo:
+ sudo gem install micetrap
+Just fire up the server with some fake service, such an ftp server:
+ micetrap ftp --port 8765
+If everything is ok, you will see something like this:
+ (some timestamp) ::: Ftp trap listening on ::ffff: :::
+TL;DR: Most port scanners such as _nmap_ have some kind of fingerprinting
+capabilities. This means that, in order to discover which services and
+versions run behind a specific port, they send special packets or _probes_
+which make different services and versions react differently. By capturing
+the response and matching against with a database, most of the time they
+can reliably determine what service and version is running behind that port.
+Port scanners usually start by sending a blank probe, since many servers
+respond with a welcome banner telling interesting stuff about them. Micetrap
+only responds to those early blank probes. Let's try to port-scan this fake
+ftp service with nmap fingerprinting:
+ nmap -p 8765 -A
+We are scanning localhost, port 8765, and -A means service version detection
+and OS guessing. After a while, in our micetrap server terminal we see:
+ (timestamp) Recorded a probe coming from ::ffff: containing
+ the following: (empty line)
+ (timestamp) ::: Responded misleadingly: let's drive those hackers nuts! :::
+And in the nmap terminal:
+ Starting Nmap 5.35DC1 ( ) at (timestamp)
+ Nmap scan report for localhost (
+ Host is up (0.00017s latency).
+ 8765/tcp open ftp Mac OS X Server ftpd
+The faked service/version is random (you can start an ftp server which looks
+like lukemftpd, Mac OS X server ftpd or PureFTPd for example), but it is
+consistent within the same server, so that every scan reports the same service
+and version.
+## U mad? Evil hackers
+##Available services
+For now there are a bunch of ftp, http, torrent, mysql and samba services,
+mostly Mac-ish.
+If you want to contribute with more services and versions to empower micetrap
+and be a superhero, you shall follow these steps:
-##Note on Patches/Pull Requests
* Fork the project.
-* Make your feature addition or bug fix.
-* Add specs for it. This is important so I don't break it in a
- future version unintentionally.
+* Install _nmap_ and look for a file called nmap-service-probes in your system.
+ This file contains regexes used to match responses from scanned services.
+* You only have to devise a string which fits in one of this regexes and then
+ add it in the corresponding service file (in lib/micetrap/services/ftp.rb for
+ example if it's an ftp server).
* Commit, do not mess with rakefile, version, or history.
If you want to have your own version, that is fine but bump version
in a commit by itself I can ignore when I pull.
* Send me a pull request. Bonus points for topic branches.
+* Profit!
## Copyright
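Review bot: the new `##Available services` heading (and the removed `##Note on Patches/Pull Requests` it replaces) has no space after `##`, unlike `## U mad? Evil hackers` and `## Copyright` in the same hunk; several Markdown renderers will not treat `##Available services` as a heading, so suggest `## Available services`. The `## U mad? Evil hackers` heading is also followed directly by the next heading with no body text, which reads as either a leftover or a missing paragraph. In the contribution steps, the deleted item `* Add specs for it. This is important so I don't break it in a` is not replaced by any test expectation for the new "devise a string which fits in one of this regexes" step; since a fake banner that stops matching its `nmap-service-probes` regex silently stops fingerprinting as intended, keep a line asking contributors to add a spec that asserts the new banner matches the probe regex they targeted. Minor: "one of this regexes" should read "one of these regexes", and "TL;DR:" introduces the longest paragraph in the file rather than a summary.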
