├── PSVPorts.ps1
└── README.md

/PSVPorts.ps1:
--------------------------------------------------------------------------------
<#

.SYNOPSIS
Sentinel Guard: zero-cost TCP decoy ports on a Windows host that alert over syslog.

.DESCRIPTION
Sentinel Guard:
Starts one background job per TCP port given in -Ports. Each job listens on
that port and, whenever a client completes a TCP connection, sends a message
to a syslog server (RFC 3164 over UDP).
A half-open SYN scan never completes the three-way handshake, so it is not
reported; the alert fires once the scanner or attacker actually connects,
for example during service/version fingerprinting or an interactive probe.
A port already owned by a real service cannot be bound: that job fails and
is effectively skipped, the other jobs keep running. All jobs are named
VPort-<port> and end when the PowerShell session that created them exits.

.PARAMETER Ports
TCP ports to listen on. Default: 21,23,80,1433,3306,6379,7001.

.PARAMETER WhiteList
Source IP addresses that never trigger an alert; use it to exclude the
authorised internal vulnerability scanners. Default: 127.0.0.1.

.PARAMETER SysLogSrv
IP address of the syslog/SIEM receiver. Default: 192.168.0.100; change it
to your own collector.

.PARAMETER SysLogSrvPort
UDP port of the syslog receiver. Default: 514.

.EXAMPLE
Monitor a different set of ports:
PS C:\> .\PSVPorts.ps1 -Ports 21,23,7001

.EXAMPLE
Exclude two internal scanners and name the collector explicitly:
PS C:\> .\PSVPorts.ps1 -Ports 21,23,7001 -WhiteList 192.168.1.200,192.168.2.100 -SysLogSrv 192.168.0.100 -SysLogSrvPort 514

.NOTES
Author: wolf0x
Windows Firewall must allow inbound connections to the decoy ports, otherwise
remote probes are dropped before the listener ever sees them.
Stopping Sentinel Guard (or simply close the PowerShell console):
PS C:\> Stop-Job -Name VPort*
PS C:\> Remove-Job -Name VPort*
#>

[CmdletBinding()]
Param(
    [Parameter(Position = 0, Mandatory = $False)]
    [ValidateRange(1, 65535)]
    [int32[]]$Ports = @(21, 23, 80, 1433, 3306, 6379, 7001),

    [string[]]$WhiteList = @('127.0.0.1'),

    [string]$SysLogSrv = '192.168.0.100',

    [ValidateRange(1, 65535)]
    [int]$SysLogSrvPort = 514
)

foreach ($port in $Ports) {
    Start-Job -Name "VPort-$port" -ErrorAction Stop -ArgumentList $port, $WhiteList, $SysLogSrv, $SysLogSrvPort -ScriptBlock {
        param($port, $WhiteList, $SysLogSrv, $SysLogSrvPort)

        Function SendTo-SysLog {
            Param ([string]$Content = "Your payload...")
            # RFC 3164 PRI = facility * 8 + severity: facility 5 (syslog), severity 1 (alert) gives <41>.
            $Facility = 5 * 8
            $Severity = 1
            $SourceHostname = $env:COMPUTERNAME
            $Tag = "SentinelGuard"

            $pri = "<" + ($Facility + $Severity) + ">"

            # RFC 3164 timestamp: local time on the originating computer (not UTC), no year, no zone,
            # English month abbreviation, and the day space-padded to two characters ("Oct  7").
            $now = Get-Date
            $month = $now.ToString("MMM", [System.Globalization.CultureInfo]::InvariantCulture)
            $timestamp = "{0} {1,2} {2}" -f $month, $now.Day, $now.ToString("HH:mm:ss")

            # Hostname does not have to be lowercase and must not contain spaces; lowercase is traditional.
            # It should be the simple hostname, not an FQDN, but the script does not enforce this.
            $header = $timestamp + " " + $SourceHostname.ToLower().Replace(" ", "").Trim() + " "

            # The TAG field may only contain alphanumerics and is at most 32 characters long.
            $Tag = $Tag -replace '[^A-Za-z0-9]', ''
            if ($Tag.Length -gt 32) { $Tag = $Tag.Substring(0, 32) }

            $msg = $pri + $header + $Tag + ": " + $Content

            # Convert the message to an array of ASCII bytes.
            $ByteArray = [System.Text.Encoding]::ASCII.GetBytes($msg)

            # RFC 3164 section 4.1: "The total length of the packet MUST be 1024 bytes or less."
            # "Packet" includes the IP header (20 bytes) and UDP header (8 bytes), hence 996 bytes of payload.
            if ($ByteArray.Count -gt 996) { $ByteArray = $ByteArray[0..995] }

            # Send the message.
            $UdpClient = New-Object System.Net.Sockets.UdpClient
            try {
                $UdpClient.Connect($SysLogSrv, $SysLogSrvPort)
                [void]$UdpClient.Send($ByteArray, $ByteArray.Length)
            }
            finally {
                $UdpClient.Close()
            }
        }

        # Create the listener. Binding IPAddress.Any listens on IPv4 only.
        $endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, $port)
        $listener = New-Object System.Net.Sockets.TcpListener $endpoint
        $listener.Server.ReceiveTimeout = 3000
        try {
            # Start() throws if a real service already owns the port; this job then ends in the catch
            # block below while the jobs for the other ports are unaffected.
            $listener.Start()
            Write-Host "Listening on port: $port, Stop-Job to cancel"
            while ($true) {
                if (-not $listener.Pending()) {
                    Start-Sleep -Seconds 1
                    continue
                }
                # AcceptTcpClient returns only for a completed handshake, so half-open SYN scans never get here.
                $client = $listener.AcceptTcpClient()
                $remote = [System.Net.IPEndPoint]$client.Client.RemoteEndPoint
                $IP = $remote.Address.ToString()
                $client.Close()
                # Every accepted connection, whitelisted or not, is kept in the job output
                # (Receive-Job -Name VPort-$port).
                "connection from $remote"
                $SrcHost = [System.Net.Dns]::GetHostName()
                if (-not [string]::IsNullOrEmpty($IP)) {
                    if ($WhiteList -notcontains $IP) {
                        $logIP = "$IP has probed the Sentinel $SrcHost on port $port"
                        # Mail alerts are easy to add, but a scanner walking every port would flood the
                        # mailbox unless the alerts are de-duplicated first:
                        # Send-MailMessage -From 'sender@xxx.com' -To 'alert@xxx.com' -Subject $logIP -SmtpServer mailserver
                        SendTo-SysLog -Content $logIP
                    }
                }
            }
        }
        catch {
            Write-Error $_
        }
        finally {
            $listener.Stop()
            Write-Host "Listener Closed Safely"
        }
    }
}

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Sentinel Guard - build a honeynet at ZERO cost

Over the past few years honeypots have been a hot topic, and new ones keep appearing: open source and commercial, low-interaction and high-interaction. In practice the typical enterprise does not need much from a honeypot, yet the usual products are expensive and awkward to deploy, and in a large network the operational burden grows with the number of honeypots you run. At the same time, the number of honeypot probes inside the internal network determines how densely the detection nodes are distributed, and that density determines how sensitive the detection of lateral movement is: a sparse deployment is almost never triggered. So is there an internal honeypot that is convenient and quick to roll out? With money it is no problem, but I belong to the moneyless kind. What can you do about security without money? Nothing except do it yourself. So, using only a PowerShell script and the existing Windows environment, I built Sentinel Guard: a honeynet at pure ZERO cost that turns every Windows host in the domain into a monitoring point. In the most extreme case a one-click, domain-wide honeynet can be realised simply and quickly. What more do you want at zero cost, a bicycle?

Sentinel: how to build an enterprise honeynet at zero cost

A sentry every three steps and a post every five: an intruder on the internal network has nowhere left to move, and mom never needs to worry about my intranet again!

Honeynet technology is still, in essence, honeypot technology: a way of deceiving attackers by laying out decoy hosts, network services and information, luring attackers into attacking them and so reducing the threat to the real systems. The difference from a traditional honeypot is that a honeynet forms a complete architecture for trapping intruders; it may contain one or more honeypots, keeps the network highly controllable, and provides a range of tools for collecting and analysing attack data.
--------------------------------------------------------------------------------
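The script above emits one syslog datagram per accepted connection, so a scanner that walks every decoy port on a sentinel produces a burst of near-identical alerts, and the comment next to the mail hook notes that de-duplication is the hard part. The following collector-side helper is an added example, not part of the PSVPorts project: it parses the RFC 3164 datagrams exactly as SendTo-SysLog formats them (PRI, space-padded day, lowercase hostname, the SentinelGuard tag and the "has probed the Sentinel" content), rejects anything that is not a well-formed Sentinel Guard alert, and collapses repeated hits from one source into a NEW alert followed by a SWEEP alert once that source has touched several decoy ports in a window. The datagrams, hostnames, addresses and thresholds are constructed for the example.

```python
"""Collector-side parser and de-duplicator for Sentinel Guard alerts.

Added example, not part of the PSVPorts project. It consumes the RFC 3164
datagrams that SendTo-SysLog emits; the samples below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# RFC 3164 framing as produced by SendTo-SysLog: <PRI>Mmm dd hh:mm:ss hostname TAG: CONTENT
# The day is space-padded ("Oct  7"); TAG is alphanumeric and at most 32 characters.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9]{1,32}): "
    r"(?P<msg>.*)$"
)
# CONTENT as built by the listener job: "<ip> has probed the Sentinel <host> on port <port>"
_PROBE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) has probed the Sentinel "
    r"(?P<sentinel>\S+) on port (?P<port>\d{1,5})$"
)
EXPECTED_TAG = "SentinelGuard"


@dataclass(frozen=True)
class ProbeAlert:
    facility: int
    severity: int
    timestamp: str
    reporter: str      # hostname from the syslog HEADER
    source_ip: str     # host that completed a connection to the decoy port
    sentinel: str
    port: int


def parse_alert(datagram: bytes) -> Optional[ProbeAlert]:
    """Return a ProbeAlert for a Sentinel Guard datagram, else None.

    Anything else (other syslog traffic, a bad PRI, an impossible port, or a message
    the script truncated at 996 bytes so that it no longer matches _PROBE) is
    rejected outright rather than partially parsed.
    """
    if len(datagram) > 1024:          # RFC 3164 section 4.1 upper bound
        return None
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    m = _RFC3164.match(text)
    if m is None or int(m["pri"]) > 191:   # facility 0-23, severity 0-7
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    if m["tag"] != EXPECTED_TAG:
        return None
    p = _PROBE.match(m["msg"])
    if p is None or not 0 < int(p["port"]) < 65536:
        return None
    return ProbeAlert(facility, severity, m["ts"], m["host"], p["src"], p["sentinel"], int(p["port"]))


class ProbeTracker:
    """Per source IP: NEW on the first hit in a window, silence on repeats, SWEEP once
    the source has touched `sweep_targets` distinct (sentinel, port) pairs."""

    def __init__(self, window_s: float = 300.0, sweep_targets: int = 3) -> None:
        self.window_s = window_s
        self.sweep_targets = sweep_targets
        self._seen: Dict[str, Tuple[float, Set[Tuple[str, int]]]] = {}

    def observe(self, alert: ProbeAlert, now: float) -> Optional[str]:
        """`now` is receiver time in epoch seconds; the RFC 3164 stamp has no year or zone."""
        target = (alert.sentinel, alert.port)
        entry = self._seen.get(alert.source_ip)
        if entry is None or now - entry[0] > self.window_s:
            self._seen[alert.source_ip] = (now, {target})
            return f"NEW {alert.source_ip} -> {alert.sentinel}:{alert.port}"
        entry[1].add(target)
        if len(entry[1]) == self.sweep_targets:
            ports = sorted(p for _, p in entry[1])
            return f"SWEEP {alert.source_ip} touched ports {ports} within {self.window_s:.0f}s"
        return None


# Constructed sample datagrams (not captured traffic): one scanner walking four decoy
# ports on one sentinel, plus an unrelated syslog line from the same host.
SAMPLE_DATAGRAMS: List[bytes] = [
    b"<41>Oct  7 09:12:01 ws-fin-07 SentinelGuard: 10.0.5.23 has probed the Sentinel ws-fin-07 on port 21",
    b"<41>Oct  7 09:12:03 ws-fin-07 SentinelGuard: 10.0.5.23 has probed the Sentinel ws-fin-07 on port 1433",
    b"<41>Oct  7 09:12:04 ws-fin-07 SentinelGuard: 10.0.5.23 has probed the Sentinel ws-fin-07 on port 3306",
    b"<41>Oct  7 09:12:09 ws-fin-07 SentinelGuard: 10.0.5.23 has probed the Sentinel ws-fin-07 on port 6379",
    b"<34>Oct  7 09:12:10 ws-fin-07 su: 'su root' failed for user",
]


def run_sample(window_s: float = 300.0) -> List[str]:
    """Feed the samples through parse_alert and a ProbeTracker; return the alerts raised."""
    tracker = ProbeTracker(window_s=window_s, sweep_targets=3)
    raised: List[str] = []
    base = 1_700_000_000.0                      # arbitrary receiver clock, one second per datagram
    for offset, datagram in enumerate(SAMPLE_DATAGRAMS):
        alert = parse_alert(datagram)
        if alert is None:
            continue                            # not ours: leave it to the normal syslog pipeline
        decision = tracker.observe(alert, now=base + offset)
        if decision is not None:
            raised.append(decision)
    return raised


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

With the defaults the four probes from 10.0.5.23 produce exactly two alerts, NEW on the first connection and SWEEP when the third distinct decoy port is touched, while the unrelated `su` line is ignored. The tracker keys on the source IP rather than on the sentinel, so the same scanner moving from one Windows host to the next still counts toward a single sweep, which is the lateral-movement signal the README is after.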