The Tiny Canary - detecting hackers on your internal network
Using the Linux packages netcat, tcpdump, iptables and screen you can build a tiny canary that records the IPs of hosts scanning your internal network for something to compromise. Nothing legitimate should ever connect to it, so any hit is worth investigating.
A script is created on a device such as the Raspberry Pi and then executed (or started automatically on bootup). It uses iptables to redirect a few obvious ports that scanners probe, FTP and SSH (21-22), SMB (445), MS SQL (1433-1434) and RDP (3389), to a single netcat listener that logs every connection, while tcpdump captures the full traffic for later analysis. Because port 22 is redirected to the decoy, the Pi's real SSH daemon has to live on another port (the capture filter excludes 22222, which is presumably where the author moved it). The script is amazingly small and powerful!
The script named tinycanary.sh is as follows:
#!/bin/bash
# Redirect the decoy ports to the netcat listener on 10000. These rules only apply to
# traffic arriving from the network (PREROUTING), and -A appends them on every run, so
# flush the nat table first if you restart the script.
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21:22 -j REDIRECT --to-ports 10000
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 10000
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1433:1434 -j REDIRECT --to-ports 10000
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3389 -j REDIRECT --to-ports 10000
# Listener (OpenBSD netcat syntax: -k keeps listening after each connection). The
# "Connection from ..." lines produced by -v go to stderr, so merge them into the pipe
# or the source IPs never reach the log file.
/usr/bin/screen -S netcat -dm bash -c 'nc -lkv 10000 2>&1 | tee -a /tmp/netcat.log'
# Full packet capture, rotating through 10 files of about 1000 MB each. Port 22222 is
# excluded, presumably the Pi's real SSH port since 22 is now a decoy.
/usr/bin/screen -S tcpdump -dm /sbin/tcpdump -i eth0 -w /tmp/tcpdump.pcap -C 1000 -W 10 -lenx -X -s 0 not port 22222
echo 'TinyPot running, use "sudo screen -r [netcat|tcpdump]" to access tools'
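One limitation of the netcat listener: because REDIRECT rewrites the destination port to 10000, the log shows who connected but not which decoy port they were after. The following Python listener is an added example, not part of the original tinycanary.sh, that replaces the nc line. On Linux the pre-NAT destination is still available to the accepting socket through getsockopt(SOL_IP, SO_ORIGINAL_DST), so each log line records the source, the originally probed port and the first bytes the client sent; a summarize function then reports which sources touched several decoy ports, which is the signature of a scan. The log path /tmp/canary.log and the sample log lines in the comments are assumptions.

```python
#!/usr/bin/env python3
"""Canary listener with original-port recovery (added example, not the page's own script).

Replaces `nc -lkv 10000 | tee -a /tmp/netcat.log`. Assumes Linux with the REDIRECT
rules from tinycanary.sh, Python 3.8+, and a writable /tmp/canary.log (assumed path).
"""
import datetime
import socket
import struct
import threading
from collections import defaultdict

SO_ORIGINAL_DST = 80                 # from linux/netfilter_ipv4.h; not exposed by the socket module
SOL_IP = getattr(socket, "SOL_IP", 0)
LISTEN_PORT = 10000                  # matches --to-ports 10000 in tinycanary.sh
LOG_PATH = "/tmp/canary.log"         # assumed location
BANNER_BYTES = 64                    # how much of the client's first packet to record


def pack_sockaddr_in(ip, port):
    """Build a struct sockaddr_in the way the kernel hands it back (used for self-tests)."""
    return struct.pack("=H", socket.AF_INET) + struct.pack("!H", port) + socket.inet_aton(ip) + b"\x00" * 8


def parse_sockaddr_in(raw):
    """Decode a struct sockaddr_in (as returned by SO_ORIGINAL_DST) into (ip, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in needs at least 8 bytes")
    family = struct.unpack("=H", raw[:2])[0]   # sin_family is in host byte order
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address (family %d)" % family)
    port = struct.unpack("!H", raw[2:4])[0]    # sin_port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port


def original_dst_port(conn):
    """Pre-NAT destination port; falls back to the bound port if the option is unavailable."""
    try:
        return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))[1]
    except (OSError, ValueError):
        return conn.getsockname()[1]


def format_event(ts, src_ip, src_port, dst_port, banner):
    """One log line: timestamp, source ip, source port, probed port, hex of first bytes ('-' if none)."""
    return "%s %s %d %d %s" % (ts, src_ip, src_port, dst_port, banner.hex() or "-")


def parse_event(line):
    """Inverse of format_event for one log line."""
    ts, src_ip, src_port, dst_port, banner = line.split()
    return {"ts": ts, "src_ip": src_ip, "src_port": int(src_port), "dst_port": int(dst_port),
            "banner": b"" if banner == "-" else bytes.fromhex(banner)}


def summarize(lines):
    """Per source IP: number of hits and the sorted list of distinct decoy ports probed.
    Example (constructed) input line: '2024-01-01T00:00:00+00:00 192.168.1.50 51000 22 -'"""
    hits = defaultdict(int)
    ports = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        hits[ev["src_ip"]] += 1
        ports[ev["src_ip"]].add(ev["dst_port"])
    return {ip: {"hits": hits[ip], "ports": sorted(ports[ip])} for ip in hits}


def scanners(summary, min_ports=2):
    """Sources that touched at least min_ports distinct decoy ports: the scan signature."""
    return sorted(ip for ip, s in summary.items() if len(s["ports"]) >= min_ports)


def handle(conn, addr):
    """Record one connection and close it; the canary never answers."""
    with conn:
        dst_port = original_dst_port(conn)
        conn.settimeout(5)
        try:
            banner = conn.recv(BANNER_BYTES)   # many scanners send nothing, which is fine
        except OSError:
            banner = b""
        ts = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
        line = format_event(ts, addr[0], addr[1], dst_port, banner)
        with open(LOG_PATH, "a") as fh:
            fh.write(line + "\n")
        print(line, flush=True)


def serve(port=LISTEN_PORT):
    """Accept loop; one thread per connection so a slow scanner cannot block the canary."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(64)
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it in place of the nc line (for example `screen -S canary -dm python3 canary.py`), keep the iptables rules as they are, and summarize the log afterwards with `summarize(open(LOG_PATH).read().splitlines())`. SO_ORIGINAL_DST only works for connections that actually passed through the REDIRECT rule; direct connections to port 10000 fall back to reporting 10000, so they are distinguishable from real decoy hits.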
If you want some further analysis you can open the capture files in Wireshark. With -C 1000 -W 10, tcpdump rotates through up to 10 files of roughly 1000 MB each, named /tmp/tcpdump.pcap with a numeric suffix, so make sure the Pi's storage can hold that much and remember that /tmp may be cleared on reboot (point -w at persistent storage if you want the captures to survive). Test the canary from a different host on the LAN: the REDIRECT rules sit in PREROUTING, so connections made from the Pi itself never hit them.