Reflector is a Linux bash script that listens for malicious connections on port 22 and redirects them back to the attacker's port 22 to hack as they please.
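#!/usr/bin/env bash
# Reflector: answer a first connection on port 22 with a fake banner, remember
# the peer, and let the kernel DNAT that peer's later port-22 connections back
# to its own port 22.
#
# HOW IT WORKS:
# sudo apt install -y ncat nftables curl
# It listens for an incoming connection on port 22 and drops it, while noting the connecting IP.
# It sets up an nftables tcp stream forward back to the connecting IP's own port 22, so that
# on a repeat connection (since they didn't get the message) and if they try anything funny,
# they're suddenly hacking themselves. Persists for 15 minutes (the set's `timeout 900s`),
# handles multiple connections.
# For example, shodan now proudly lists its own ssh server info on my ip:22
#
# Requirements: sudo to root; nothing else (e.g. sshd) may already be bound to
# $HOST_IP:22, and $HOST_IP must be configured on a local interface because
# ncat binds to it (a NAT'd public address will not work here).
# Effects that outlive the script: ip_forward=1 and the reflect_nat table stay
# in place; only the set entries expire on their own.
set -euo pipefail

die() { printf 'reflector: %s\n' "$*" >&2; exit 1; }

# Fail before touching the kernel rather than half-way through setup.
command -v curl >/dev/null 2>&1 || die "curl not found"
command -v ncat >/dev/null 2>&1 || die "ncat not found"
[[ -x /usr/sbin/nft ]] || die "/usr/sbin/nft not found (the handler calls it by that path)"

# Host's outward-facing IP.
# The old `tr -d \n` was unquoted, so it deleted the letter 'n', not a newline;
# $(...) already strips the trailing newline. The reply is used as a bind
# address, and an intercepting proxy or captive portal can return arbitrary
# text, so refuse anything that is not a dotted quad.
HOST_IP=$(curl -fsS https://icanhazip.com) || die "could not determine public IP"
[[ "$HOST_IP" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || die "unexpected public-IP reply: $HOST_IP"
readonly HOST_IP
echo "HOST_IP is $HOST_IP..."

# 0) Enable IP forwarding (the DNAT'd stream has to leave the box again)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward >/dev/null

# 1) Create nftables table if missing
if ! sudo nft list table ip reflect_nat >/dev/null 2>&1; then
  sudo nft -f - <<'NFT'
table ip reflect_nat {
  set reflect {
    type ipv4_addr
    flags timeout
    timeout 900s
  }
  chain prerouting {
    type nat hook prerouting priority -100;
    tcp dport 22 ip saddr @reflect dnat to ip saddr : 22
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    tcp dport 22 ip daddr @reflect masquerade
    #tcp dport 22 ip daddr @reflect snat to 204.10.194.199
  }
}
NFT
fi

# 2) Handler script (inline via here-doc).
#    ncat runs it as root once per connection, so its path must not be
#    guessable/pre-creatable by another local user: mktemp, not "/tmp/x.$$",
#    and remove it when the listener stops.
HANDLER=$(mktemp /tmp/reflect_mark.XXXXXX) || die "mktemp failed"
readonly HANDLER
cleanup() { rm -f -- "$HANDLER"; }
trap cleanup EXIT
cat >"$HANDLER" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
addr="${NCAT_REMOTE_ADDR:-}"
# Always hand out a legacy banner
printf 'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n'
# Only touch nft for a plain IPv4 peer: the set is ipv4_addr, and the value
# lands on a root command line, so anything that is not a dotted quad is
# ignored (an IPv6 peer previously failed inside nft and was silenced).
if [[ "$addr" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
  /usr/sbin/nft add element ip reflect_nat reflect { "$addr" } 2>/dev/null || true
  # log only when reflecting (second and subsequent connections will hit reflect set)
  # -F -w: literal whole-token match, so 1.2.3.4 is not found inside 11.2.3.45
  if /usr/sbin/nft list set ip reflect_nat reflect | grep -Fqw -- "$addr"; then
    # reverse DNS lookup; getent exits non-zero when there is no PTR record,
    # which must not trip set -e. awk reads all of getent's output so the
    # pipeline cannot fail on SIGPIPE.
    host=$(getent hosts "$addr" | awk 'NR==1 {print $2}') || host=
    host=${host:-"-"}
    # The old duration field timed an 80 ms sleep with 1 s resolution and was
    # always 0, so it is gone.
    # NOTE(review): fixed, predictable path in world-writable /tmp, appended
    # to as root; a root-owned directory would be the safer home for this log.
    echo "$(date '+%F %T') attacker=$addr host=$host" >> /tmp/catch22.log
  fi
fi
# hold the connection briefly before hanging up
usleep 80000 2>/dev/null || sleep 0.08
exit 0
EOF
chmod +x "$HANDLER"

# 3) Start listener
echo "[*] Reflector running on $HOST_IP:22"
echo " First connection shows fake banner; subsequent connections reflect."
sudo ncat -vv -lk "$HOST_IP" 22 --sh-exec "$HANDLER"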
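#!/usr/bin/env bash
# Reflector: answer a first connection on port 22 with a fake banner, remember
# the peer, and let the kernel DNAT that peer's later port-22 connections back
# to its own port 22.
#
# HOW IT WORKS:
# sudo apt install -y ncat nftables curl
# It listens for an incoming connection on port 22 and drops it, while noting the connecting IP.
# It sets up an nftables tcp stream forward back to the connecting IP's own port 22, so that
# on a repeat connection (since they didn't get the message) and if they try anything funny,
# they're suddenly hacking themselves. Persists for 15 minutes (the set's `timeout 900s`),
# handles multiple connections.
# For example, shodan now proudly lists its own ssh server info on my ip:22
#
# Requirements: sudo to root; nothing else (e.g. sshd) may already be bound to
# $HOST_IP:22, and $HOST_IP must be configured on a local interface because
# ncat binds to it (a NAT'd public address will not work here).
# Effects that outlive the script: ip_forward=1 and the reflect_nat table stay
# in place; only the set entries expire on their own.
set -euo pipefail

die() { printf 'reflector: %s\n' "$*" >&2; exit 1; }

# Fail before touching the kernel rather than half-way through setup.
command -v curl >/dev/null 2>&1 || die "curl not found"
command -v ncat >/dev/null 2>&1 || die "ncat not found"
[[ -x /usr/sbin/nft ]] || die "/usr/sbin/nft not found (the handler calls it by that path)"

# Host's outward-facing IP.
# The old `tr -d \n` was unquoted, so it deleted the letter 'n', not a newline;
# $(...) already strips the trailing newline. The reply is used as a bind
# address, and an intercepting proxy or captive portal can return arbitrary
# text, so refuse anything that is not a dotted quad.
HOST_IP=$(curl -fsS https://icanhazip.com) || die "could not determine public IP"
[[ "$HOST_IP" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || die "unexpected public-IP reply: $HOST_IP"
readonly HOST_IP
echo "HOST_IP is $HOST_IP..."

# 0) Enable IP forwarding (the DNAT'd stream has to leave the box again)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward >/dev/null

# 1) Create nftables table if missing
if ! sudo nft list table ip reflect_nat >/dev/null 2>&1; then
  sudo nft -f - <<'NFT'
table ip reflect_nat {
  set reflect {
    type ipv4_addr
    flags timeout
    timeout 900s
  }
  chain prerouting {
    type nat hook prerouting priority -100;
    tcp dport 22 ip saddr @reflect dnat to ip saddr : 22
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    tcp dport 22 ip daddr @reflect masquerade
    #tcp dport 22 ip daddr @reflect snat to 204.10.194.199
  }
}
NFT
fi

# 2) Handler script (inline via here-doc).
#    ncat runs it as root once per connection, so its path must not be
#    guessable/pre-creatable by another local user: mktemp, not "/tmp/x.$$",
#    and remove it when the listener stops.
HANDLER=$(mktemp /tmp/reflect_mark.XXXXXX) || die "mktemp failed"
readonly HANDLER
cleanup() { rm -f -- "$HANDLER"; }
trap cleanup EXIT
cat >"$HANDLER" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
addr="${NCAT_REMOTE_ADDR:-}"
# Always hand out a legacy banner
printf 'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n'
# Only touch nft for a plain IPv4 peer: the set is ipv4_addr, and the value
# lands on a root command line, so anything that is not a dotted quad is
# ignored (an IPv6 peer previously failed inside nft and was silenced).
if [[ "$addr" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
  /usr/sbin/nft add element ip reflect_nat reflect { "$addr" } 2>/dev/null || true
  # log only when reflecting (second and subsequent connections will hit reflect set)
  # -F -w: literal whole-token match, so 1.2.3.4 is not found inside 11.2.3.45
  if /usr/sbin/nft list set ip reflect_nat reflect | grep -Fqw -- "$addr"; then
    # reverse DNS lookup; getent exits non-zero when there is no PTR record,
    # which must not trip set -e. awk reads all of getent's output so the
    # pipeline cannot fail on SIGPIPE.
    host=$(getent hosts "$addr" | awk 'NR==1 {print $2}') || host=
    host=${host:-"-"}
    # The old duration field timed an 80 ms sleep with 1 s resolution and was
    # always 0, so it is gone.
    # NOTE(review): fixed, predictable path in world-writable /tmp, appended
    # to as root; a root-owned directory would be the safer home for this log.
    echo "$(date '+%F %T') attacker=$addr host=$host" >> /tmp/catch22.log
  fi
fi
# hold the connection briefly before hanging up
usleep 80000 2>/dev/null || sleep 0.08
exit 0
EOF
chmod +x "$HANDLER"

# 3) Start listener
echo "[*] Reflector running on $HOST_IP:22"
echo " First connection shows fake banner; subsequent connections reflect."
sudo ncat -vv -lk "$HOST_IP" 22 --sh-exec "$HANDLER"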