Scanning the scanners … coding counter measures

When I was playing about with kippo the other night I had this idea to counter attack people who were scanning / trying to access my server. If someone connected to port 2222 without permission, could I use the logs to automate a counter attack / perform some recon? After a quick look at the log files I decided that coding counter measures for an SSH honeypot would be pretty useless, as the honeypot isn't providing / holding any important information. I then turned my attention to another server that hosts some statistical data for other sites I contribute to.

Initially I wanted to look at any 404 errors, because I could see people looking for default program paths and directories to exploit. This would be a good approach, but there were also legitimate 404 errors for things like favicon.ico or just simple stuff like unintentionally malformed URLs. I looked at the log files again and noticed that every time someone nmaps port 80 they leave a really obvious fingerprint.

debian.home:80 xxx.xxx.xxx.xxx - - [09/Jul/2013:15:45:13 +0100] "OPTIONS / HTTP/1.1" 200 188 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"

It is present on every nmap scan I can see logged on the server. (There must be a param to disable/change this somewhere in nmap.)
I came up with the script below, which, when executed, will nmap anyone who has nmapped port 80 and save it all to a file 🙂

#!/bin/bash
# fire all the lasers
# bash apache counter recon tool

echo 'Gathering logfile data'
# "nmap" matches the nmap.org URL in the NSE user-agent string; in the
# vhost-prefixed log format above, column 2 is the client IP
cat /var/log/apache2/*.log | grep nmap | awk '{ print $2 }' > nmappers.txt
cat nmappers.txt

echo 'Filtering unique ips ...'
sort nmappers.txt | uniq > ips.txt

echo 'Scanning the scanners ...'
nmap -v -T4 -A -iL ips.txt > recon.txt

echo 'Cleaning up ...'
rm ips.txt
rm nmappers.txt

echo 'Results ...'
cat recon.txt
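The log-parsing half of the script above (find the NSE fingerprint, pull out the client IP, dedupe) done properly, as an added Python example that is not part of the original post. It parses the vhost-prefixed combined log format shown in the post field by field instead of grepping for "nmap" anywhere on the line, flags the Nmap Scripting Engine user-agent, and also flags a bare OPTIONS / request, which is what the NSE http scripts open with and which browsers do not normally send. The log lines embedded below are constructed sample data using documentation IP ranges; the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Apache combined log format with the "vhost:port" prefix seen in the post:
# debian.home:80 203.0.113.5 - - [09/Jul/2013:15:45:13 +0100] "OPTIONS / HTTP/1.1" 200 188 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+)\s+(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<path>\S+)(?:\s+(?P<proto>[^"]*))?"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\S+)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"$'
)

# The fingerprint from the post: the default user-agent of nmap's NSE http scripts.
NMAP_UA_RE = re.compile(r'Nmap Scripting Engine', re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons this request looks like an nmap probe (empty if none)."""
    reasons = []
    if NMAP_UA_RE.search(entry['ua']):
        reasons.append('nse-user-agent')
    # NSE opens with "OPTIONS /"; flag it even if the user-agent was changed.
    if entry['method'] == 'OPTIONS' and entry['path'] == '/':
        reasons.append('options-root')
    return reasons


def scanners_from_log(lines):
    """Map each flagged client IP to its reasons, hit count and first timestamp."""
    hits = defaultdict(lambda: {'reasons': set(), 'count': 0, 'first': None})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or differently formatted line: ignore, do not guess
        reasons = classify(entry)
        if not reasons:
            continue  # ordinary traffic, including legitimate 404s such as favicon.ico
        rec = hits[entry['ip']]
        rec['reasons'].update(reasons)
        rec['count'] += 1
        if rec['first'] is None:
            rec['first'] = entry['ts']
    return dict(hits)


def unique_scanner_ips(hits):
    """Equivalent of the script's `sort | uniq` step: one sorted IP per line."""
    return sorted(hits)


# Constructed sample log (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
debian.home:80 203.0.113.5 - - [09/Jul/2013:15:45:13 +0100] "OPTIONS / HTTP/1.1" 200 188 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
debian.home:80 203.0.113.5 - - [09/Jul/2013:15:45:14 +0100] "GET /robots.txt HTTP/1.1" 404 492 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
debian.home:80 198.51.100.7 - - [09/Jul/2013:16:02:01 +0100] "GET / HTTP/1.1" 200 3421 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0"
debian.home:80 198.51.100.7 - - [09/Jul/2013:16:02:02 +0100] "GET /favicon.ico HTTP/1.1" 404 499 "http://debian.home/" "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0"
debian.home:80 192.0.2.9 - - [09/Jul/2013:17:10:44 +0100] "OPTIONS / HTTP/1.1" 200 188 "-" "curl/7.26.0"
this line is not in the expected format and is skipped
"""

if __name__ == '__main__':
    found = scanners_from_log(SAMPLE_LOG.splitlines())
    for ip in unique_scanner_ips(found):
        rec = found[ip]
        print(f"{ip}\t{rec['count']} hit(s)\tfirst={rec['first']}\t{','.join(sorted(rec['reasons']))}")
```

Running it on the sample prints one line per flagged IP: 203.0.113.5 with both reasons and 192.0.2.9 with only options-root, while the Firefox client and its favicon.ico 404 are left alone. The separate "reasons" make the output auditable, which matters more than in the original script because an IP in this list is something you act on, and the user-agent alone is a weak signal.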

Conclusion and thoughts:
This is just the beginning; I really enjoyed coding this script and will look to expand on it soon, possibly combining it with Kali Linux & Metasploit. There is lots of room for improvement, as this could also be used to look at failed login attempts on other services / ports … the nmap fingerprint could be greatly expanded on too, using failed exploits from the log file. (Geolocation / automatic notification to ISPs that their users are up to no good? etc.)

EDIT : big update coming to this script tehe 😀