Tagged: code

Scanning the scanners … coding counter measures

When I was playing about with kippo the other night I had an idea: could I counter-attack people who were scanning / trying to access my server? If someone connected to port 2222 without permission, could I use the logs to automate a counter attack / perform some recon? After a quick look at the log files I decided that coding counter measures for an SSH honeypot would be pretty useless, as the honeypot isn't providing / holding any important information. I then turned my attention to another server that hosts some statistical data for other sites I contribute to.

Initially I wanted to look at any 404 errors, because I could see people looking for default program paths and directories to exploit. This would be a good approach, but there were also legitimate 404 errors from things like a missing favicon.ico or just simple stuff like unintentionally malformed URLs. I looked at the log files again and noticed that every time someone nmaps port 80 they leave a really obvious fingerprint:

debian.home:80 xxx.xxx.xxx.xxx - - [09/Jul/2013:15:45:13 +0100] "OPTIONS / HTTP/1.1" 200 188 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"

This User-Agent is present on every nmap scan I can see logged to the server. (There must be a param to disable/change this somewhere in nmap.)
I came up with the script below, which when executed will nmap anyone who has nmapped port 80 and save it all to a file 🙂

#!/bin/bash
# fire all the lasers
# bash apache counter recon tool

echo 'Gathering logfile data ...'
# the Nmap Scripting Engine User-Agent shows up on every scan; with the
# vhost-prefixed log format above the client IP is the second field
grep -h nmap /var/log/apache2/*.log | awk '{ print $2 }' > nmappers.txt
cat nmappers.txt

echo 'Filtering unique ips ...'
sort -u nmappers.txt > ips.txt

echo 'Scanning the scanners ...'
nmap -v -T4 -A -iL ips.txt > recon.txt

echo 'Cleaning up ...'
rm ips.txt nmappers.txt

echo 'Results ...'
cat recon.txt
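As an added example (not the post's script), here is the same fingerprint check written as a small log parser in Python. It goes a little beyond the one-liner above: it matches Apache combined-format lines with or without the "vhost:port" prefix seen in the sample line, groups the NSE requests by source IP so you can see what each scanner actually asked for, and skips lines that do not parse instead of feeding junk into the IP list. The log lines are constructed for the example, not real traffic; since the User-Agent is chosen by the client, a hit is a lead to review, not proof of a scan.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Apache "combined" line, optionally prefixed with "vhost:port " as in the
# post's log sample. Only the client IP, time, request and agent are used.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+):(?P<port>\d+)\s+)?'
    r'(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+\S+\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"'
)

# The fingerprint the post points out: the default NSE User-Agent string.
NSE_UA = "Nmap Scripting Engine"

# Constructed sample lines (not real traffic): two NSE probes from one host,
# one from another host without the vhost prefix, one ordinary browser 404,
# and one line that does not parse at all.
SAMPLE_LOG = """\
debian.home:80 203.0.113.7 - - [09/Jul/2013:15:45:13 +0100] "OPTIONS / HTTP/1.1" 200 188 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
debian.home:80 203.0.113.7 - - [09/Jul/2013:15:45:14 +0100] "GET /robots.txt HTTP/1.1" 404 498 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
198.51.100.23 - - [09/Jul/2013:16:02:01 +0100] "GET / HTTP/1.1" 200 3012 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
debian.home:80 192.0.2.44 - - [09/Jul/2013:16:10:40 +0100] "GET /favicon.ico HTTP/1.1" 404 498 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/22.0"
this line is garbage and must not crash the parser
"""


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def nse_scanners(lines) -> Dict[str, List[str]]:
    """Map each source IP that sent the NSE User-Agent to the requests it made."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and NSE_UA in rec["agent"]:
            hits[rec["ip"]].append(f'{rec["time"]} {rec["request"]}')
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in nse_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(reqs)} NSE request(s)")
        for r in reqs:
            print("   ", r)
```

Point it at `/var/log/apache2/*.log` instead of `SAMPLE_LOG` and the keys of the returned dict are the same unique-IP list the bash script writes to ips.txt.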

Conclusion and thoughts:
This is just the beginning; I really enjoyed coding this script and will look to expand on it soon, possibly combining it with Kali Linux & Metasploit. There is lots of room for improvement, as this could also be used to look at failed login attempts on other services / ports, and the nmap fingerprint could be greatly expanded on too using failed exploits from the log file. (Geolocation? Automatic notification to ISPs that their users are up to no good? etc.)

EDIT : big update coming to this script tehe 😀

Defcon auto download script (2012)


I found this script floating about on the web and wonder if it could be adapted/used to suit this year's Defcon. Defcon is the world's largest hacking conference, now in its 21st year. The conference starts this year on August 1st and runs till the 4th; tickets for a 4-day pass are $180 and the conference will be held at the Rio Hotel in Las Vegas! What happens in Vegas usually ends up on YouTube a few months later.

#####
## $ ddl-rss-media https://www.defcon.org/podcast/defcon-20-slides.rss
#####
ddl-rss-media(){
    # ddl-rss-media RSS_LINK {would download all media enclosed at current dir}
    # pull the url="..." value out of every <enclosure> element in the feed
    enclosures=$(curl -k -s -L "$@" | grep enclosure | sed 's/.*enclosure\s*url="//' | sed 's/".*//')
    for url in $enclosures;
    do
        if [ -n "$url" ];
        then
            # drop any query string, then keep only the last path component
            filename=$(echo "$url" | sed 's/?.*//' | sed 's/.*\///')
            echo "Downloading $filename..."
            wget -c -O "$filename" "$url"
        fi
    done
}