Implementing All-Port Monitoring

Method 1

One approach is packet sniffing: as soon as a SYN arrives, reply with a SYN-ACK.
This also needs iptables to drop the outgoing RST-ACK packets, because the kernel itself answers a SYN to a closed port with RST-ACK, and that reset would reach the scanner alongside our forged SYN-ACK and give the game away.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date : 2018-07-23 14:50:27
# @Author : giantbranch (giantbranch@gmail.com)
# @Link : http://www.giantbranch.cn/
# @tags :

from scapy.all import *

SSH_PORT = 22

# Packet callback: leave SSH alone, fake the handshake on every other TCP port
def packet_callback(packet):
    # packet.show()
    if TCP in packet:
        # Do not touch the real SSH service, or we lock ourselves out
        if packet["TCP"].dport == SSH_PORT or packet["TCP"].sport == SSH_PORT:
            return
        # SYN packet
        # When we receive a SYN, build a SYN ACK and send it back.
        if packet["TCP"].flags == 0x02:
            # print("receive SYN packet")
            ip = IP(dst=packet["IP"].src, src=packet["IP"].dst)
            tcp = TCP(sport=packet["TCP"].dport, dport=packet["TCP"].sport)
            # syn ack flags
            tcp.flags = 0x012
            tcp.ack = packet["TCP"].seq + 1
            send(ip/tcp)
        # FIN ACK packet
        # When we receive a FIN ACK, answer with an ACK; otherwise the peer keeps retransmitting.
        elif packet["TCP"].flags == 0x011:
            # print("receive FIN ACK packet")
            ip = IP(dst=packet["IP"].src, src=packet["IP"].dst)
            tcp = TCP(sport=packet["TCP"].dport, dport=packet["TCP"].sport)
            # ack flags (scapy's default flag is SYN, so this must be set explicitly)
            tcp.flags = 0x010
            tcp.seq = packet["TCP"].ack
            tcp.ack = packet["TCP"].seq + 1
            send(ip/tcp)
        # PSH ACK packet
        elif packet["TCP"].flags == 0x018:
            # print("receive PSH ACK packet")
            if packet.haslayer("Raw"):
                print("payload is:\n")
                print(packet["Raw"].load)
        else:
            print("tcp flags is : %s" % packet["TCP"].flags)
    elif UDP in packet:
        pass
        # print("this is a udp packet")
    else:
        pass

sniff(prn=packet_callback, store=0)

iptables

iptables -A OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP

With that in place, an nmap scan will conclude that every port is open.

Method 2

Use iptables to redirect every port directly to the port of a program you write yourself.

If you want to redirect all TCP and UDP traffic to Blackhole, use the following commands:

sudo iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 5000
sudo iptables -t nat -A PREROUTING -p udp --dport 1:65535 -j REDIRECT --to-ports 5000

Suppose you have other services running on the host, e.g. 22 and 445, and you don't want to capture them via Blackhole; you can create multiple iptables rules:

sudo iptables -t nat -A PREROUTING -p tcp --dport 1:21 -j REDIRECT --to-ports 5000
sudo iptables -t nat -A PREROUTING -p tcp --dport 23:444 -j REDIRECT --to-ports 5000
sudo iptables -t nat -A PREROUTING -p tcp --dport 446:65535 -j REDIRECT --to-ports 5000

Pros and cons

Packet-sniffing approach
Pros:
1. Simple to implement
Cons:
1. Some VPS providers do not allow sending forged SYN-ACK packets
2. Hard to build any interaction on top of it

Redirecting all ports to one port
Pros:
1. Genuinely creates the illusion that every port is open
2. Easy to write the matching interaction for each service
Cons:
1. Sometimes the original destination port cannot be obtained
2. No other obvious drawbacks

If the captured payload is empty, the port or protocol may be one where the server is expected to speak first.
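As an added example (my own code, not the post's or Blackhole's), here is a minimal listener for the REDIRECT setup above that recovers the port the client really dialled: REDIRECT rewrites the destination to 5000, so accept() alone only ever sees 5000, while the Linux SO_ORIGINAL_DST socket option (value 80 from linux/netfilter_ipv4.h) asks conntrack for the pre-NAT address and fails for connections that were not redirected, which is exactly the "cannot get the destination port" case. An empty first read is flagged as a server-speaks-first protocol, matching the note above. It assumes Linux, the iptables rules above, and enough privilege to bind and run.

```python
import socket
import struct

SOL_IP = 0
SO_ORIGINAL_DST = 80      # Linux constant from <linux/netfilter_ipv4.h>
LISTEN_PORT = 5000        # matches --to-ports 5000 in the REDIRECT rules

def build_sockaddr_in(ip, port):
    """Constructed sample: encode (ip, port) as a struct sockaddr_in (used for testing)."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\x00" * 8)

def parse_sockaddr_in(raw):
    """Decode the struct sockaddr_in that SO_ORIGINAL_DST returns -> (ip, port)."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    family = struct.unpack("=H", raw[0:2])[0]       # sa_family_t is host order
    if family != socket.AF_INET:
        raise ValueError("not AF_INET")
    port = struct.unpack("!H", raw[2:4])[0]         # sin_port is network order
    return socket.inet_ntoa(raw[4:8]), port

def original_destination(conn):
    """(ip, port) the client actually connected to, or None when the connection
    was not NATed (e.g. a direct connect to LISTEN_PORT): conntrack has no entry."""
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    return parse_sockaddr_in(raw)

def classify_first_bytes(data):
    """Empty first read means the client waits for a banner (server-speaks-first)."""
    return "client-silent" if not data else "client-first"

def serve(listen_port=LISTEN_PORT, first_read_timeout=2.0):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", listen_port))
    srv.listen(128)
    while True:
        conn, peer = srv.accept()
        with conn:
            dst = original_destination(conn) or ("?", listen_port)  # fallback case
            conn.settimeout(first_read_timeout)
            try:
                data = conn.recv(4096)
            except socket.timeout:
                data = b""
            print("%s:%d -> port %s: %s %r" % (peer[0], peer[1], dst[1],
                                               classify_first_bytes(data), data[:64]))

if __name__ == "__main__":
    serve()
```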

Reference

http://www.secniu.com/%E5%8D%81%E8%A1%8C%E4%BB%A3%E7%A0%81%E5%AE%9E%E7%8E%B0%E7%BD%91%E7%BB%9C%E7%9A%84%E5%85%A8%E7%AB%AF%E5%8F%A3%E7%9B%91%E5%90%AC/
https://github.com/dudeintheshell/blackhole
