
At work we have a lab network. One would think the lab network would be more permissive than the corporate network, but in reality it's less permissive. MAYBE it's the same, but I doubt it. I wanted to find out which ports were open to the outside world, so I could work out how to reach any kind of server(s) at home. From the lab network it is very easy to perform the scan with nmap. But what about the responses? I had (and still have) a web server running at the time, and while I was certain it would respond on ports 22, 80, and 443, that still leaves 65,532 other possible ports. How do I get my server to blindly respond on all those other ports without having any real applications installed or running?

After much trouble, I eventually found a scapy script to do exactly what I wanted, just blindly respond to any packets on any/all ports! Read on for more details...

First off, I did not write this script myself... I got this script at the following site:

http://www.floyd.ch/?p=352

In the end, I want to put this script on my site for a couple of reasons. First, it took me forEVER to find this! I had spent hours and hours and hours searching. In the end, now that I know what I want I could probably find it pretty quickly. Which brings me to the other reason I want to put this on my site... Easy for me to find.

So on to the good stuff. First, prerequisites. Your "server", or the device that will be responding to the scan, needs the following:

- python. On a Debian-based setup, you can easily install it with the following command:

apt-get install python

- scapy. Again, easily installed with the following command:

apt-get install python-scapy

Now, for the script itself:

#!/usr/bin/python
# -*- coding: utf-8 -*-
# http://www.floyd.ch/?p=352
from __future__ import print_function
import os
import sys

DEBUG_ON = False

def ack_all_happy_scapy():
    from scapy.all import sniff, send, IP, TCP
    #################
    #CONFIG OPTIONS
    #################

    #Standard options
    my_ip = "192.168.0.60" #the IP bound to my_interface (the LAN address if behind NAT)
    my_interface = "wlan0"
    exclude_ports = ["22"] # Exclude ports that already have a real service running; 22 = SSH

    #Advanced options
    static_seq = None #Specify as None for random seq number
    start_iptables_command = "iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP"
    end_iptables_command = "iptables -D OUTPUT -p tcp --tcp-flags RST RST -j DROP"

    #################
    #CONFIG END
    #################

    #Actual code start
    if os.geteuid() != 0:
        info("You must be root to run this script.")
        sys.exit(1)

    info("##################################")
    info("The ACK-ALL-HAPPY-SCAPY script, written by floyd")
    info("This script can only be used with SYN-scans (nmap -sS)")
    info("Although untested, this should work as well for IPv6")
    info("##################################")
    sleep(3)
    info("This is how the IPTABLES looked, before starting ACK-ALL-HAPPY-SCAPY:")
    executeInShell("iptables -L")

    def getSeqNumber():
        if static_seq:
            return static_seq
        import random
        return random.randint(1, 4294967295)

    def handleEachSyn(synpacket):
        if DEBUG_ON:
            debug("IN:")
            synpacket.display()
        # Let scapy locate the layers instead of slicing the raw bytes at fixed
        # offsets, which went wrong whenever the IP header carried options
        i = synpacket[IP]
        t = synpacket[TCP]
        # Answer like a real listener would: a SYN/ACK acknowledging the scanner's ISN
        f = IP(src=i.dst, dst=i.src) / TCP(sport=t.dport, dport=t.sport, flags="SA",
                                           ack=t.seq + 1, seq=getSeqNumber())
        if DEBUG_ON:
            debug("OUT:")
            f.display()
        send(f, verbose=False)  # one "Sent 1 packets." line per port would flood the terminal

    try:
        #Setup
        info("Executing now:", start_iptables_command)
        executeInShell(start_iptables_command)
        info("Done!")
        #Work
        filter_string = ('tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0'
                         ' and dst ' + my_ip)
        if exclude_ports:  # an empty list used to leave a dangling "and not port" in the filter
            filter_string += " and not port " + " and not port ".join(exclude_ports)
        info("Using filter ", filter_string)
        info("Waiting for your scans on tcp ports 1-65535, except " + ", ".join(exclude_ports)
             + ", where a real service should already be waiting")
        info("Start your scan with: sudo nmap -PN -sS -p 1-65535 " + my_ip)
        sniff(filter=filter_string, iface=my_interface, prn=handleEachSyn)
    finally:
        # scapy's sniff() catches Ctrl+C itself and simply returns, so an
        # "except KeyboardInterrupt" here would never fire and the RST-dropping
        # rule would stay behind; finally: removes it whatever way sniff() ends
        info()
        info("Sniffing stopped... please wait, restoring IPTABLES")
        info("Executing now:", end_iptables_command)
        for i in range(3):  # repeated in case the rule was appended more than once
            executeInShell(end_iptables_command)
        info("This is how the IPTABLES looks, after finishing ACK-ALL-HAPPY-SCAPY:")
        executeInShell("iptables -L")

def executeInShell(command):
    import subprocess
    process = subprocess.Popen(command, shell=True)
    process.wait()

def sleep(seconds):
    import time
    time.sleep(seconds)

def info(*text):
    print("[PY-INFO] " + " ".join(str(i) for i in text))

def debug(*text):
    if DEBUG_ON:
        print("[PY-DEBUG] " + " ".join(str(i) for i in text))

if __name__ == "__main__":
    ack_all_happy_scapy()

 

Just copy the text, and paste it into any text editor on your "server" or responding device.

Make sure the script is executable (in this command the filename is "ack-all.sh"):

chmod +x ack-all.sh

Here are a few key lines you will want to be sure to edit:

my_ip - this is the server's IP address. If it is behind a router or other NAT device, use its actual (LAN) IP, not the external one.

For example, if your public IP is 8.8.8.8 and your responder's actual IP is 192.168.2.2, you would use 192.168.2.2

my_interface - the interface you want to respond on.

exclude_ports - all ports that are already answered by other services. Port 22 is your SSH access to the responder.

For multiple ports, edit it as follows: ["22", "80", "443"] (for SSH, HTTP, and HTTPS). The commas matter: without them Python silently joins the strings into a single "2280443".

Run the script with the following command:

sudo ./ack-all.sh

Now, the responder is just going to sit there until you exit the script with Ctrl+C.

Next the scanner. This is by far the easier part.

First, if it isn't already installed, install nmap. Easily done with the following command:

apt-get install nmap

The command to do the scan will be somewhat similar to this:

sudo nmap -sS jonmoore.duckdns.org -p1-65535

This will send SYN packets to the host "jonmoore.duckdns.org" over ports 1 to 65535 (that is all ports). Assuming there is nothing blocking ANY ports at all, you will get responses on ALL ports. If there is any kind of firewall or other network security device that may be blocking some ports, you will not get any responses on those ports. Run the scan and see what you get!
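As an added example, not from the post or from floyd's script, here is a parser for nmap's greppable output (-oG) that turns such a scan into an egress summary; the sample output is constructed and 203.0.113.10 / responder.example are placeholders. Since the responder answers on every port and the iptables rule suppresses RSTs, "open" means the lab lets that port out, "filtered" means it is blocked, and "closed" means a RST slipped through and the responder setup needs checking.

```python
import re

# Constructed sample of `nmap -sS -p1-65535 -oG - responder.example` output (not real scan data).
SAMPLE_GREPPABLE = """# Nmap 7.80 scan initiated as: nmap -sS -p1-65535 -oG - responder.example
Host: 203.0.113.10 (responder.example)\tStatus: Up
Host: 203.0.113.10 (responder.example)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (65531)
# Nmap done -- 1 IP address (1 host up) scanned
"""

def parse_greppable(text):
    """Return ({port: state}, (ignored_state, count) or None) from nmap -oG output."""
    ports = {}
    ignored = None
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                # each entry is port/state/proto/owner/service/rpc/version/
                for entry in field[len("Ports:"):].split(","):
                    parts = entry.strip().split("/")
                    if len(parts) >= 3 and parts[0].isdigit():
                        ports[int(parts[0])] = parts[1]
            elif field.startswith("Ignored State:"):
                m = re.match(r"Ignored State:\s*(\w+)\s*\((\d+)\)", field)
                if m:
                    ignored = (m.group(1), int(m.group(2)))
    return ports, ignored

def egress_summary(text):
    """Classify each scanned port given that the responder SYN/ACKs everything."""
    ports, ignored = parse_greppable(text)
    summary = {"allowed": [], "blocked": [], "unexpected": []}
    for port, state in sorted(ports.items()):
        if state == "open":          # SYN and SYN/ACK both crossed the lab edge
            summary["allowed"].append(port)
        elif state == "filtered":    # dropped somewhere between scanner and responder
            summary["blocked"].append(port)
        else:                        # "closed": a RST got out, so the OUTPUT drop rule is missing
            summary["unexpected"].append((port, state))
    # nmap collapses the bulk of identical results into "Ignored State: <state> (<n>)"
    summary["blocked_total"] = len(summary["blocked"])
    if ignored and ignored[0] == "filtered":
        summary["blocked_total"] += ignored[1]
    return summary

if __name__ == "__main__":
    print(egress_summary(SAMPLE_GREPPABLE))
```

Feed it the output of the real scan with `-oG -` and the "allowed" list is exactly the set of ports the lab lets out.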

Personally, I was hoping that port 22 (SSH) would be allowed out of the lab network. Sadly, my scan indicated that ONLY ports 80 and 443 are allowed out of the lab.
