
Tuesday, April 23, 2013

Tired of nmap scans on your windows box?

Cool, here's a solution; change the port as you see fit...

https://github.com/m0r3Sh3LLs/autoban


Create your socket listener



import socket
import sys
import os
import random

def startListen(host, port):

    # Create a TCP/IP socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    # Bind the socket to the host and port passed in
    server_address = (host, port)
    sock.bind(server_address)
    print('starting up on %s port %s' % sock.getsockname(), file=sys.stderr)
    sock.listen(1)



Start your infinite loop; when a connection hits, parse the IP and send it over to the autoBan function.


    while True:
        print('waiting for a connection', file=sys.stderr)
        connection, client_address = sock.accept()
        try:
            print('client connected:', client_address, file=sys.stderr)
            # client_address is an (ip, port) tuple; the remote IP is the first element
            ip = client_address[0]
            autoBan(ip)
        finally:
            connection.close()



Here is the autoBan function


def autoBan(host):
    # Random suffix so every rule gets a distinct name
    randomNum = str(random.randrange(1, 1000000))
    command = ('netsh advfirewall firewall add rule name="BAN' + randomNum
               + '" protocol=TCP action=block dir=IN remoteip=' + host)
    print(command)
    os.system(command)

Here is the main application
### MAIN APPLICATION ####

host = '0.0.0.0'
port = 22
startListen(host, port)
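As an added example (not the autoban project's code), here is the same ban decision hardened the way a defender would want it: the address is validated, an allow-list (constructed for this example) keeps addresses you depend on from ever being blocked just because a connection came from them, addresses already banned are remembered so a scanner hammering the port does not pile up duplicate rules, and netsh gets an argument list instead of a shell string. The `run` parameter of `auto_ban` is a hypothetical hook so the logic can be exercised without touching the firewall.

```python
import ipaddress
import subprocess

# Addresses that must never be banned, even if they hit the listener.
# Constructed sample allow-list for this example: loopback and the gateway.
ALLOWLIST = [ipaddress.ip_network("127.0.0.0/8"),
             ipaddress.ip_network("192.168.1.1/32")]

# Remote addresses already blocked, so a repeat connection from the same
# scanner does not add a second netsh rule.
_banned = set()


def ban_command(ip):
    """Return the netsh argv that blocks inbound TCP from ip, or None when
    the address is invalid, allow-listed or already banned."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # not a real IP: never hand junk to netsh
    if any(addr in net for net in ALLOWLIST) or addr in _banned:
        return None
    _banned.add(addr)
    # Deterministic rule name, so the rule can be located and removed later.
    name = "BAN-%s" % addr
    return ["netsh", "advfirewall", "firewall", "add", "rule",
            "name=%s" % name, "protocol=TCP", "action=block",
            "dir=IN", "remoteip=%s" % addr]


def auto_ban(ip, run=subprocess.run):
    """Apply the ban for ip; returns True if a rule was issued.
    `run` is injectable (hypothetical hook) for dry runs and tests."""
    argv = ban_command(ip)
    if argv is None:
        return False
    run(argv, check=True)  # argv list: no shell, no string splicing
    return True
```

On the Windows box itself, call `auto_ban(ip)` from the accept loop in place of `autoBan(ip)`; the default `run` then executes netsh for real.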


That's cool; check out what happens when I scan my machine with nmap default settings.

$ sudo nmap 192.168.1.4 -n -vv

Starting Nmap 6.00 ( http://nmap.org ) at 2013-04-23 21:22 EDT
Initiating ARP Ping Scan at 21:22
Scanning 192.168.1.4 [1 port]
Completed ARP Ping Scan at 21:22, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:22
Scanning 192.168.1.4 [1000 ports]
Discovered open port 445/tcp on 192.168.1.4
Discovered open port 22/tcp on 192.168.1.4
Discovered open port 139/tcp on 192.168.1.4
Discovered open port 135/tcp on 192.168.1.4
Increasing send delay for 192.168.1.4 from 0 to 5 due to 11 out of 15 dropped probes since last increase.
Increasing send delay for 192.168.1.4 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 36.60% done; ETC: 21:23 (0:00:54 remaining)
Increasing send delay for 192.168.1.4 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.1.4 from 20 to 40 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.1.4 from 40 to 80 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 62.85% done; ETC: 21:24 (0:00:52 remaining)
Increasing send delay for 192.168.1.4 from 80 to 160 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.1.4 from 160 to 320 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 73.30% done; ETC: 21:25 (0:00:52 remaining)
Increasing send delay for 192.168.1.4 from 320 to 640 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 77.40% done; ETC: 21:26 (0:00:57 remaining)
Increasing send delay for 192.168.1.4 from 640 to 1000 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 80.75% done; ETC: 21:27 (0:01:00 remaining)
sSYN Stealth Scan Timing: About 83.45% done; ETC: 21:28 (0:01:02 remaining)
SYN Stealth Scan Timing: About 86.35% done; ETC: 21:29 (0:00:59 remaining)
SYN Stealth Scan Timing: About 89.05% done; ETC: 21:30 (0:00:54 remaining)
SYN Stealth Scan Timing: About 91.50% done; ETC: 21:31 (0:00:46 remaining)
SYN Stealth Scan Timing: About 93.65% done; ETC: 21:31 (0:00:36 remaining)
Completed SYN Stealth Scan at 21:33, 678.28s elapsed (1000 total ports)
Nmap scan report for 192.168.1.4
Host is up (0.00055s latency).
Scanned at 2013-04-23 21:22:17 EDT for 679s
Not shown: 996 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 678.40 seconds
           Raw packets sent: 2137 (94.012KB) | Rcvd: 5 (204B)
It takes nmap 678.40 seconds to scan the machine, since the scan dies midway. Although it would be easy to bypass this script by just scanning Windows ports, most people are too lazy, which is why this works.

1 comment:

  1. Tried this and I can't seem to get it to work. Ran it on the server and nmap breezed right through and exposed everything in about 10 seconds.

    Have it on a local server and nmap'ed from the same subnet. Not sure what changes I need to make to get it to work correctly. Any assistance would be greatly appreciated.
