Saturday, February 19, 2005

Persistent Netcat Listeners for Honeypots

This ISC article was so good, I had to reprint it for posterity if they ever decided to archive it.

from SANS Institute Internet Storm Center
by Ed Skoudis
http://isc.sans.org/diary.php?date=2005-02-18

The other day, we asked readers to set up honeypot listeners using Netcat to capture some of the malicious code trying to hit TCP port 41523. Now, one of the problems with the most popular Linux/UNIX implementation of Netcat (that is, Hobbit's original) is that it does not create a persistent listener. Unlike the Windows version of Netcat (with its -L option for "Listen Harder"), the original UNIX/Linux version doesn't do this. Once one client connects and drops, the listener dies.

There are many ways to get around this problem, such as using a different version of Netcat. However, one of my favorite simple ways to deal with this is to set up the Netcat listener in a while loop as follows:

 $ while [ 1 ]; do echo "Started"; nc -l -p 41523 >> capture.txt; done 

This will listen on TCP 41523, append whatever it receives to capture.txt, and then start listening again.

If you'd like to go further and actually log out while keeping this thing running, you can simply dump this while line into a file called honeypot.sh. Then, chmod it so that it is executable (chmod 555 honeypot.sh). Finally, invoke it as follows:

 $ nohup ./honeypot.sh & 

Then, log out and go watch some TV. Take a nap. Run naked through the park. Do whatever it is that you do...

Come back, and your little Netcat buddy will be running with its results stored in capture.txt. To kill it, you could simply kill the pid of the nc listener itself. Thanks to Don Smith for the nohup idea. Note that Don did NOT suggest the park idea.
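The loop-plus-nohup setup above, written out as a script; this is an added example, not the diary's own honeypot.sh. It assumes Hobbit-style syntax (nc -l -p PORT) and adds two things a bare ">> capture.txt" loop lacks: a timestamped marker around each connection's bytes, and a PID file so the loop shell itself can be stopped (killing only the nc child just makes the loop start another one).

```shell
#!/bin/sh
# honeypot.sh: persistent Netcat listener, an added example (not the ISC diary's script).
# Assumes Hobbit-style netcat syntax "nc -l -p PORT" (OpenBSD nc uses "nc -l PORT").
PORT="${PORT:-41523}"
CAPTURE="${CAPTURE:-capture.txt}"
PIDFILE="${PIDFILE:-honeypot.pid}"

# Append one connection's bytes (stdin) to the capture file between timestamped
# markers, so separate probes can be told apart in the combined file.
log_connection() {
    printf '=== connection at %s ===\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$1"
    cat >> "$1"
    printf '\n=== end ===\n' >> "$1"
}

# Number of connections recorded in a capture file (for review or monitoring).
count_connections() {
    grep -c '^=== connection at ' "$1"
}

# Restart nc after every client; record the loop's PID so it can be stopped,
# since killing only the nc child makes the loop start a fresh one.
run_listener() {
    echo $$ > "$PIDFILE"
    tmpdata=$(mktemp)
    trap 'kill "$child" 2>/dev/null; rm -f "$PIDFILE" "$tmpdata"; exit 0' INT TERM
    while :; do
        echo "Started listener on TCP $PORT"
        nc -l -p "$PORT" > "$tmpdata" &
        child=$!
        wait "$child"
        log_connection "$CAPTURE" < "$tmpdata"
    done
}

# Usage: nohup ./honeypot.sh start &    and later    ./honeypot.sh stop
case "${1:-}" in
    start) run_listener ;;
    stop)  kill "$(cat "$PIDFILE")" ;;
esac
```

Each entry in capture.txt then carries the time the probe arrived, which is what you need when correlating it with firewall or IDS logs.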
