Using scanner.wtf

The official Nmap website provides some good endpoints to test scans against, with some interesting services running. However, the services and ports in use are static.

A while back I registered scanner.wtf, set up some back-end services running in containers, and configured iptables with rules that change what a scanner sees, using something similar to the following:

#!/bin/bash

# vsftpd and nginx are installed on their default ports
# ssh is enabled but only allowed from a bastion IP by a cloud firewall provided by my cloud provider
# There is also a different SSH server listening on port 222/tcp

echo "Enabling IPv4 forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Clearing old rules"
iptables -F
iptables -t nat -F
echo "Adding rules again"

# Allow all SSH through!!!  This allows my bastion IP to get to the instance after going through the cloud firewall
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT

# Accept packets of TCP connections that have already been accepted, so the
# statistic rules below are rolled for new connections rather than for every
# packet of an established one (a client that retransmits its SYN still gets
# another roll).  Kept to TCP so the ICMP rule below stays per-packet.
iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Rule to randomise how often a connection can get to FTP.  Should allow half of connections through
iptables -A INPUT -p tcp --destination-port 21 -m statistic --mode random --probability 0.50 -j REJECT
iptables -A INPUT -p tcp --destination-port 21 -j ACCEPT

# Rule to always allow access to nginx on port 80
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT

# Rule to allow the second SSH server on 222, which the 2222 redirect below lands on.
# Without this, redirected packets arrive in INPUT with dport 222 and fall through to the catch-all REJECT
iptables -A INPUT -p tcp --destination-port 222 -j ACCEPT

# The nat table only sees the first packet of each connection, so each REDIRECT
# below is decided once per connection.  Connections that are not redirected keep
# their original port, which no INPUT rule accepts, so the catch-all REJECT at the
# end answers them.

# Rule to randomise mapping 443/tcp to the HTTP port
iptables -t nat -I PREROUTING -p tcp --dport 443 -m statistic --mode random --probability 0.20  -j REDIRECT --to-ports 80
iptables -t nat -I OUTPUT -p tcp -o lo --dport 443 -j REDIRECT --to-ports 80

# Rule to randomise mapping 8080/tcp to the HTTP port
iptables -t nat -I PREROUTING -p tcp --dport 8080 -m statistic --mode random --probability 0.20  -j REDIRECT --to-ports 80
iptables -t nat -I OUTPUT -p tcp -o lo --dport 8080 -j REDIRECT --to-ports 80

# Rule to randomise mapping 25/tcp to the FTP port
iptables -t nat -I PREROUTING -p tcp --dport 25 -m statistic --mode random --probability 0.65  -j REDIRECT --to-ports 21
iptables -t nat -I OUTPUT -p tcp -o lo --dport 25 -j REDIRECT --to-ports 21

# Rule to randomise mapping 2222/tcp to the SSH server on port 222
iptables -t nat -I PREROUTING -p tcp --dport 2222 -m statistic --mode random --probability 0.50  -j REDIRECT --to-ports 222
# Same mapping for locally generated connections, so testing from the box itself matches what remote clients see
iptables -t nat -I OUTPUT -p tcp -o lo --dport 2222 -j REDIRECT --to-ports 222

# Rule to randomise ICMP (rolled per packet, so roughly every other echo request is rejected)
iptables -A INPUT -p icmp -m statistic --mode random --probability 0.50 -j REJECT
iptables -A INPUT -p icmp -j ACCEPT

# Catch all rule that will reject so that scans don't take forever
iptables -A INPUT -j REJECT

Some of the ports are static and always available to connect to, while some others change.

Using scanner.wtf I can test custom scanners to see how they handle changing ports and services. This is useful for testing logic that kicks off alerts when there are changes to the services associated with an IP or IP range.

Testing some scanners against scanner.wtf has also resulted in their scan progress being reported as hundreds of percent complete, because they were confused by the ports and services changing between passes.

nmap scanner.wtf

First scan results as below:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 18:34 BST
Connect Scan Timing: About 44.75% done; ETC: 18:35 (0:00:12 remaining)
Nmap scan report for scanner.wtf (159.65.210.198)
Host is up (0.056s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 15.24 seconds

Second scan results as below:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 18:36 BST
Nmap scan report for scanner.wtf (159.65.210.198)
Host is up (0.028s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 12.69 seconds

Third scan results as below:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 18:38 BST
Nmap scan report for scanner.wtf (159.65.210.198)
Host is up (0.022s latency).
Not shown: 994 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds
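The alerting logic described above (flagging changes to the services associated with an IP between scans), as an added example that is not code from the original post: a small Python script that parses the port table of Nmap's normal output, raises an alert for each port that appears, disappears or changes service between consecutive scans, and separately marks ports that were open in only some of the scans as unstable. The three inputs are the port tables of the three scans above, trimmed and embedded as constructed sample data so the script runs offline; the function and variable names are my own.

```python
"""Diff successive Nmap scans of one host and flag ports that appear, vanish or flap.

Added example, not code from the scanner.wtf post. The SCAN_* strings are the
port tables of the three Nmap runs in the post, trimmed so this runs offline.
"""
import re
from typing import Dict, List, Set, Tuple

PortKey = Tuple[int, str]                    # (port, proto), e.g. (21, "tcp")
PortTable = Dict[PortKey, Tuple[str, str]]   # (port, proto) -> (state, service)

# Constructed sample input: the port tables of the three scans shown in the post.
SCAN_1 = """\
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy
"""
SCAN_2 = """\
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy
"""
SCAN_3 = """\
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
"""

# One row of Nmap's port table, e.g. "443/tcp  open  https"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")


def parse_nmap_ports(text: str) -> PortTable:
    """Extract {(port, proto): (state, service)} from normal-format Nmap output."""
    table: PortTable = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            table[(int(port), proto)] = (state, service)
    return table


def open_ports(table: PortTable) -> Set[PortKey]:
    return {k for k, (state, _) in table.items() if state == "open"}


def diff_scans(prev: PortTable, curr: PortTable):
    """Return (appeared, disappeared, service_changed) between two scans."""
    before, after = open_ports(prev), open_ports(curr)
    appeared = after - before
    disappeared = before - after
    changed = {k for k in before & after if prev[k][1] != curr[k][1]}
    return appeared, disappeared, changed


def classify_ports(tables: List[PortTable]):
    """Split ports into those open in every scan and those open in only some.

    Against a target like scanner.wtf the unstable set is expected; on a real
    estate it usually points at a flaky scan path or a service being restarted,
    and is what an alert pipeline should de-duplicate rather than page on every run."""
    counts: Dict[PortKey, int] = {}
    for table in tables:
        for key in open_ports(table):
            counts[key] = counts.get(key, 0) + 1
    stable = {k for k, n in counts.items() if n == len(tables)}
    unstable = {k for k, n in counts.items() if n < len(tables)}
    return stable, unstable


def alerts_for(host: str, scans: List[str]) -> List[str]:
    """One alert line per transition between consecutive scans of `host`."""
    tables = [parse_nmap_ports(s) for s in scans]
    alerts: List[str] = []
    for i in range(1, len(tables)):
        appeared, disappeared, changed = diff_scans(tables[i - 1], tables[i])
        for port, proto in sorted(appeared):
            svc = tables[i][(port, proto)][1]
            alerts.append(f"{host}: scan {i + 1}: new open port {port}/{proto} ({svc})")
        for port, proto in sorted(disappeared):
            alerts.append(f"{host}: scan {i + 1}: port {port}/{proto} no longer open")
        for port, proto in sorted(changed):
            old, new = tables[i - 1][(port, proto)][1], tables[i][(port, proto)][1]
            alerts.append(f"{host}: scan {i + 1}: {port}/{proto} service changed {old} -> {new}")
    return alerts


if __name__ == "__main__":
    for alert in alerts_for("scanner.wtf", [SCAN_1, SCAN_2, SCAN_3]):
        print(alert)
    stable, unstable = classify_ports([parse_nmap_ports(s) for s in (SCAN_1, SCAN_2, SCAN_3)])
    print("stable:", sorted(stable))
    print("unstable:", sorted(unstable))
```

Run as-is and it prints three alerts for the scans above (25/tcp appearing in the second scan, 22/tcp appearing and 2222/tcp vanishing in the third), then lists 21, 80, 443 and 8080 as stable and 22, 25 and 2222 as unstable. Keeping the per-transition alerts separate from the stability classification is deliberate: the first is what you want to page on for a normally static host, the second is what tells you a host behaves like scanner.wtf and its alerts need suppressing or aggregating.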