Simple IPTables port redirection.

To redirect a single port with IPTables:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 123 -j REDIRECT --to-port 124

This example redirects TCP traffic arriving on eth0 for port 123 to port 124 on the firewall itself (REDIRECT only rewrites to the local host). The same rule works for UDP with -p udp.

July 28th, 2008
By Joe | filed under Firewall, Network

Block XMAS and NULL scans with IPTables

A simple pair of rules to drop XMAS scans (all flags in the TCP header set, hence "lit up like an Xmas tree!") and NULL scans (no flags set).

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

These belong in the filter table (the nat table only sees the first packet of a connection and is not meant for filtering). You can add these rules to a separate chain for TCP if you have a high-traffic firewall. More information on chains here.
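To show what the two rules actually test, here is an added example (not from the original post) that applies the same mask/compare logic iptables uses for --tcp-flags to the flag byte of raw TCP headers; the sample headers are constructed inline.

```python
import struct

# TCP flag bits in byte 13 of the TCP header. iptables' keyword ALL covers
# the six classic flags only (FIN SYN RST PSH ACK URG), not ECE/CWR.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
ALL = 0x3F    # FIN|SYN|RST|PSH|ACK|URG, what iptables calls ALL
NONE = 0x00   # what iptables calls NONE


def tcp_flags_match(flags, mask=ALL, comp=NONE):
    """Same test as '--tcp-flags mask comp': look only at the bits in mask
    and require exactly the bits in comp to be set among them."""
    return (flags & mask) == comp


def classify(flags):
    """Label a flag byte the way the two DROP rules would see it."""
    if tcp_flags_match(flags, ALL, ALL):    # --tcp-flags ALL ALL
        return "XMAS"
    if tcp_flags_match(flags, ALL, NONE):   # --tcp-flags ALL NONE
        return "NULL"
    # Note: a FIN/PSH/URG-only probe is not caught by either rule.
    return "normal"


def flags_from_tcp_header(header):
    """Return the flag byte from a raw TCP header (at least 20 bytes)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]   # byte 12 is data offset/reserved, byte 13 is flags


def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header for testing only (checksum left 0)."""
    data_offset = 5 << 4   # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def scan_report(headers):
    """Count XMAS / NULL / normal headers in a batch of raw TCP headers."""
    counts = {"XMAS": 0, "NULL": 0, "normal": 0}
    for h in headers:
        counts[classify(flags_from_tcp_header(h))] += 1
    return counts
```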

July 28th, 2008
By Joe | filed under Firewall, Network

Testing Nepenthes Works

To check that Nepenthes actually works, and more importantly that any server-side applications that rely on it receive data correctly, it is worth running a quick end-to-end test.

First, enable (uncomment) the following lines in nepenthes.conf:

//  "x1.so",                       "x-1.conf",                     "",
//  "x2.so",                       "x-2.conf",                     "",

This enables the x-2 example module, which provides a simple shell, and the x-3 example module, which adds a file handler that reads data from /dev/urandom.

Start Nepenthes and use netcat to connect to the port specified in x-2.conf (10002 by default).

You should have a prompt now:

joe@nepenthes ~ $ nc 127.0.0.1 10002
Welcome to dong Shell

Enter download file://127.0.0.1:53421//dev/urandom and press return.

In the Nepenthes log file you should see something close to the following:

[23072008 01:57:18 crit module] Downloading file from "file://127.0.0.1:53421//dev/urandom"
[23072008 01:57:18 info down mgr] Handler urandom download handler will download file://127.0.0.1:53421//dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 info mgr submit] File 4a05e1a3a5658274c04409ea5b1a3227 has type data
[23072008 01:57:27 debug info fixme] File info submitted (4a05e1a3a5658274c04409ea5b1a3227, file://127.0.0.1:53421//dev/urandom)
[23072008 01:57:27 debug info fixme] File upload requested (4a05e1a3a5658274c04409ea5b1a3227, file://127.0.0.1:53421//dev/urandom)
[23072008 01:57:31 debug info fixme] Submitted file 4a05e1a3a5658274c04409ea5b1a3227 to sandbox http://www.norman.com/microsites/nsic/Submit/Special/45773/
[23072008 01:57:31 debug info fixme] Submitted file 4a05e1a3a5658274c04409ea5b1a3227 to sandbox http://luigi.informatik.uni-mannheim.de/submit.php?action=verify

If you use the submit-file module, check the filesystem for the stored file; otherwise check your logging system.

July 22nd, 2008
By Joe | filed under Honeypot, Nepenthes