Okay, this is a fun one. Today we’re going to discuss a tool that you can use as a network defender to cause a hacker to attack themselves when they try to attack you. The tool is called “rubberglue” and I wrote it a few years ago while I was working on the Active Defense Harbinger Project for Black Hills Info Sec.
The idea behind the tool is very simple: it takes the attacks that a hacker sends to your machine and redirects them right back at them, kind of like a trampoline. The name comes from the old schoolyard rhyme “I’m rubber and you’re glue, whatever you say bounces off me and sticks to you.” And stick it does! With rubberglue, you can cause an attacker to hack into his own computer while he thinks he’s hacking you.
To get started, go ahead and get a copy of rubberglue from my Bitbucket repository. You can find it at: https://bitbucket.org/Zaeyx/rubberglue/src/master/. To download it via git, run the following command:
git clone https://bitbucket.org/Zaeyx/rubberglue
This will clone the repo into a new directory “rubberglue”. Go ahead and cd into that directory.
You should find two files in that directory (as of this writing). The first is a log file (log.txt), which records the actions taken by any attacker attempting to connect to your machine. The second is the script itself.
You can launch the script like so:
python rubberglue.py
This should give us the following output:
You need to give a port
Usage: rubberglue.py <port>
The script is telling us that we need to specify a port to listen on. Choose whichever port you think an attack is likely to target. A good port to choose might be port 22. Many attackers like to automate attempts to crack into remote machines by brute-forcing ssh access on port 22, and many of them have ssh running on the machines from which they launch the attacks. If you set rubberglue to listen on port 22, any attack that comes to your machine on that port will be redirected back to the attacker on the same port. They might break into their own computer!
python rubberglue.py 22
The script might not appear to be doing anything. This is expected behavior. If you want to keep it running in the background, you can press ctrl+c to cancel it, then relaunch it like so:
python rubberglue.py 22 &
This tells the script to keep running, but puts it into the background so that you can keep issuing commands. Remember, however, that the script will stop when you exit your terminal. So if you want it running all the time, you’ll need to keep it running as a service, launch it as a persistent startup job, etc.
What happens during an attack
If someone connects to your rubberglue instance, their connection will be instantly redirected right back to them on the same port. You’ll see a small indicator of this, something like:
Connection from: 188.8.131.52:59013->22
Whatever happens next is up to the attacker. If they send an exploit, or start trying to guess a password, everything they do happens to them rather than you!
Checking the logs
You can check the logs to see a history of all of the connections to rubberglue. This is easy to do; just:
Running on multiple ports
Did you know that you can run rubberglue on multiple ports? It’s super easy to do this as well. Just keep specifying ports on the command line like so:
python rubberglue.py 22 21 23 3389
Testing that it really works
If you’re curious to see what happens to an attacker, it’s easy and safe to see for yourself what an attacker would see when connecting to your rubberglue-protected ports. Start by turning rubberglue on for the port of your choice. Let’s say “789”:
python rubberglue.py 789
Then, on a second computer, start a test listener on that same port (for demonstration purposes). You can do this on a Linux machine with the following command:
nc -l -p 789
The above command will cause the terminal window on your second machine to ‘hang’ while it waits for input. If you’d like to keep typing commands in that terminal, launch netcat in the background like so:
nc -l -p 789 &
Once you have your listener, simply connect to port 789 on the first machine. For this example I like to use the ssh client. You can make your ssh client connect to port 789 on the first machine like so (replacing <machine_one_ip> with the actual IP or hostname of the machine running rubberglue):
ssh <machine_one_ip> -p 789
You should expect to instantly see something like the following message appear on machine number two!
This indicates that the ssh client connected to machine one, and that the connection was then forwarded back to the ‘attacking’ machine on the same port. If you were a real attacker, and if this had been the right port for ssh (22), you might have just launched an attack on yourself.
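A minimal reflector of the kind described in “What happens during an attack”, plus a single-host version of this nc/ssh test, as an added example that is not rubberglue’s own code. The connect_back_port override and the banner_service stand-in for the attacker’s listener are my additions so the test can run on one machine, where bouncing to the same port would hit the reflector itself; real rubberglue always bounces to the port it listens on.

```python
# Added example, not rubberglue's own code: a rubberglue-style TCP reflector
# and a loopback self-test mirroring the nc/ssh test described on the page.
import socket
import threading

def pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def reflect(client, peer_ip, port, log):
    """Connect back to the peer on `port` and relay both directions."""
    log.append(f"Connection from: {peer_ip}:{client.getpeername()[1]}->{port}")
    try:
        back = socket.create_connection((peer_ip, port), timeout=5)
    except OSError:  # nothing listening on the attacker's side: just drop
        return client.close()
    with back, client:
        t = threading.Thread(target=pump, args=(back, client), daemon=True)
        t.start()
        pump(client, back)
        t.join()

def serve(srv, log, connect_back_port=None):
    """Accept loop: every connection is bounced back to its source address.
    rubberglue always bounces to the listening port; the override exists only
    because on loopback that port would be the reflector itself."""
    while True:
        client, (ip, _) = srv.accept()
        port = connect_back_port or srv.getsockname()[1]
        threading.Thread(target=reflect, args=(client, ip, port, log), daemon=True).start()

def banner_service(srv, banner):
    """Stand-in for the attacker's own service (the `nc -l` listener above)."""
    while True:
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()

def self_test(banner=b"SSH-2.0-attacker-box\r\n"):
    """Loopback run of the page's test; returns (bytes the client got, log)."""
    log, fake, srv = [], socket.create_server(("127.0.0.1", 0)), socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=banner_service, args=(fake, banner), daemon=True).start()
    threading.Thread(target=serve, args=(srv, log, fake.getsockname()[1]), daemon=True).start()
    with socket.create_connection(srv.getsockname(), timeout=5) as attacker:
        got = b"".join(iter(lambda: attacker.recv(4096), b""))
    return got, log
```

Calling self_test() plays the ‘attacker’ connecting to the reflector and returns the bytes that came back, which are the constructed banner of the attacker’s own listener, together with the “Connection from:” log line in the same format the page shows.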