Saturday, 2 August 2008

Netcat - the simple port-scan logger

Sunday and I have not debugged yet - and I have the flu. So this will be tested and fixed later.

A small script (or a more complex one if you wish) can make Netcat into a simple Port Scan Logger. A little more and it can become a simple Honeypot (next post).

A Script

# while true; do nc -l -p [port_to_monitor] -e /bin/record.sh >> /tmp/port_connections.txt; done

This calls a script, /bin/record.sh. There are other ways to do this, but this is a quick and easy example. This script is as follows:

#!/bin/sh
# port_mon.sh
# Netcat script to record port scan details.
#
# What we type on stdin is logged with ">", whatever the remote side sends
# is logged with "<"; every line is timestamped into log.txt.
# netcat's own "-v" messages (listening on ..., connect to ... from [IP] ...)
# go to stderr, so 2>&1 folds them into the "<" log as well, which is what
# records the connecting IP address.
cat | { while read REPLY; do echo "`date` > $REPLY" >> log.txt; echo "$REPLY"; done; } \
    | netcat -v -v -l -w 3 -p [port_monitored] 2>&1 \
    | { while read REPLY; do echo "`date` < $REPLY" >> log.txt; echo "$REPLY"; done; }

This logs every connection made to a single port, together with the source IP address. This is a continuous loop. That is, when a connection is made, netcat will be respawned and ready to record another attempt.
Alternatively, we can log to syslog (the <0> is the syslog PRI field, facility and severity, and 514/udp is the standard syslog port):

echo '<0>message' | nc -w 1 -u log_host 514

Now, if we want to monitor several ports, a little extra scripting and we have a simple port scan monitor.

# One background listener loop per port; each respawns netcat after every connection.
# (Ports below 1024 need root, and a listener that is itself part of a scan would
# need a real service behind it to look convincing - that is the honeypot step.)
for f in $(seq 1 254); do
    ( while true; do nc -v -l -p $f -w 3 >> /tmp/port_connections.txt 2>&1; done ) &
done
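Once several listeners are writing into one file, the useful question is which source addresses touched how many different ports, since a single host hitting many ports in a short time is the signature of a scan. The script below is an added example, not from the original post: it summarises such a log per source IP and flags addresses above a threshold of distinct ports. It assumes (my assumption) that each per-port listener loop prefixes its lines with the listener port in square brackets, followed by the "`date` < ..." prefix used above, and the sample log lines are constructed, not real traffic.

```shell
#!/bin/sh
# scan_report.sh - summarise netcat listener logs per source IP.
# Added example, not part of the original post. Assumed log line format:
#   <date> [<listener_port>] < connect to [<local_ip>] from <name> [<src_ip>] <src_port>
# where "[<listener_port>]" is a tag the per-port listener loop is assumed to add.

# Constructed sample log (not real traffic). The last line is netcat's own
# "listening on" notice, which carries no source and must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Sat Aug  2 10:00:01 2008 [22] < connect to [10.0.0.2] from (UNKNOWN) [10.0.0.9] 51234
Sat Aug  2 10:00:01 2008 [23] < connect to [10.0.0.2] from (UNKNOWN) [10.0.0.9] 51235
Sat Aug  2 10:00:02 2008 [25] < connect to [10.0.0.2] from (UNKNOWN) [10.0.0.9] 51236
Sat Aug  2 10:00:02 2008 [80] < connect to [10.0.0.2] from (UNKNOWN) [10.0.0.9] 51237
Sat Aug  2 10:05:00 2008 [80] < connect to [10.0.0.2] from host7 [10.0.0.7] 40001
Sat Aug  2 10:05:30 2008 [80] < connect to [10.0.0.2] from host7 [10.0.0.7] 40002
Sat Aug  2 10:06:00 2008 [22] < listening on [any] 22 ...
EOF
)

# Read log lines on stdin; print "<src_ip> <distinct_ports> <connections>" per
# source IP, sorted by IP. Fields are located by their neighbours ("<", "from")
# rather than by position, so the date format produced by `date` does not matter.
scan_summary() {
    awk '
        /connect to \[.*\] from / {
            port = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "<")    port = $(i - 1)   # "[22]" tag before the "<"
                if ($i == "from") src  = $(i + 2)   # name, then "[src_ip]"
            }
            gsub(/\[|\]/, "", port)
            gsub(/\[|\]/, "", src)
            if (src == "" || port == "") next
            conns[src]++
            if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
        }
        END { for (ip in conns) print ip, ports[ip], conns[ip] }
    ' | sort
}

# Read log lines on stdin; print source IPs that touched at least $1 distinct
# listener ports (default 3). Repeated hits on one port are not a scan.
flag_scanners() {
    threshold=${1:-3}
    scan_summary | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | scan_summary
printf 'suspected scanners: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | flag_scanners 3)"
```

In practice you would feed it the real file (`scan_summary < /tmp/port_connections.txt`) from cron, and raise the threshold if legitimate monitoring hosts are probing a handful of ports.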
