Updated DOCS, param options, fixed bugs related to fuzzing.

This commit is contained in:
Piotr 2013-08-08 22:04:51 +02:00
parent 96628fa3bb
commit 35a1f3a7ba
6 changed files with 101 additions and 10 deletions

DOCS

@ -1,6 +1,6 @@
Portspoof documentation notes
INSTALLATION:
############## INSTALLATION ##############
1. Compile the software:
@ -34,3 +34,81 @@ INSTALLATION:
Modify or use the default init.d script from the 'system_files' directory
############## CONFIGURATION FILE ##############
You can define your service payloads in the configuration file:
1. Single port payload
80 "XXXX" - will result in sending back to scanners payload XXXX for every successful TCP connect to port 80
2. Range port payload
80-1000 "XXXX" - will result in sending back to scanners payload XXXX for every successful TCP connect to ports 80-1000
:Hex Encoded Payloads (useful for exploits):
80 "\x41\x41\x41\x41" - will result in sending back to scanners payload AAAA for every successful TCP connect to port 80
:Regular Expression Based Payloads:
(Will generate a payload that will match a particular regular expression)
80 "regular_expression [\w]+ ... - will generate (for example) paylaod: "regular_expression dddd ags"
############## FUZZING ##############
1. Fuzzing with a wordlist
$ ./portspoof -f payloads.txt -v
This command will use all of the payloads from the provided wordlist and distribute them across all of the available ports (1-65535).
Example:
payloads.txt:
--
<script>alert(1)</script>
<script>prompt(1)</script>
--
nc portspoof.org 1 will result in : <script>alert(1)</script>
nc portspoof.org 2 will result in : <script>alert(1)</script>
...
2. Fuzzing with internally generated payloads
$ ./portspoof -1 -v
This command will generate a random payload of random size on every port. Every response for every TCP conncet will be different.
3. Wrapping fuzzing payloads with NMAP signatures.
$ ./portspoof -n wrapping_paloads.txt -1 OR $./portspoof -f wordlist.txt -n wrapping_paloads.txt
Will result in wrapping the fuzzing payloads with those from wrapping_paloads.txt file.
The __FUZZ__ string in every line of wrapping_paloads.txt will be replaced with a fuzzzing payload.
This is especially useful for fuzzing software that relies on Nmap service banners.
There is an example wrapper file in the GIT repository: extra_files/fuzz_nmap_signatures.
Use it to fuzz for bugs in software that relies on Nmap output.

@ -72,7 +72,6 @@ void Configuration::usage(void)
"-f file_path : FUZZER_MODE - fuzzing payload file list \n"
"-n file_path : FUZZER_MODE - wrapping signatures file list\n"
"-1 FUZZER_MODE - generate fuzzing payloads internally\n"
"-3 FUZZER_MODE - generate random byte values !\n"
"-2 switch to simple reply mode (doesn't work for Nmap)!\n"
"-D run as daemon process\n"
"-d disable syslog\n"
@ -87,7 +86,7 @@ bool Configuration::processArgs(int argc, char** argv)
int ch;
extern char *__progname;
while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123D")) != -1) {
while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh12D")) != -1) {
switch (ch) {
case 'i':
this->bind_ip = std::string(optarg);
@ -129,6 +128,11 @@ bool Configuration::processArgs(int argc, char** argv)
case 'f':
this->opts[OPT_FUZZ_WORDLIST]=1;
this->fuzzpayload_file=std::string(optarg);
if(this->opts[OPT_FUZZ_INTERNAL])
{
fprintf(stdout,"Error: -1 flag cannot be used with -f \n\n", __progname);
exit(0);
}
fprintf(stdout,"-> Reading fuzzing payloads from a file %s!\n",this->fuzzpayload_file.c_str());
break;
case 'n':
@ -138,7 +142,13 @@ bool Configuration::processArgs(int argc, char** argv)
break;
case '1':
this->opts[OPT_FUZZ_INTERNAL]=1;
if(this->opts[OPT_FUZZ_WORDLIST])
{
fprintf(stdout,"Error: -f flag cannot be used with -1 \n\n", __progname);
exit(0);
}
fprintf(stdout,"-> Generating fuzzing payloads internally!\n");
break;
case '2':
this->opts[OPT_NOT_NMAP_SCANNER]=1;
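Review bot: Both new mutual-exclusion checks report a usage error and then call `exit(0)`, so a wrapper script that starts portspoof with conflicting `-f`/`-1` flags sees a success status; the message also goes to stdout, and `__progname` is passed to a format string that has no `%s` to consume it. For the `-f` case I would write `fprintf(stderr, "%s: Error: -1 flag cannot be used with -f\n\n", __progname); exit(EXIT_FAILURE);` and the mirror image in the `-1` case at the second hunk. Because each check runs as its own flag is parsed, either ordering of the two flags is caught, which is correct as written. processArgs's body starts before and continues after these hunks.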

@ -159,7 +159,7 @@ std::vector<char> Fuzzer::GetFUZZ()
{
if(this->counter%this->nmapfuzzsignatures.size()==0)
if((this->configuration->getConfigValue(OPT_FUZZ_NMAP) == 0) || this->counter%this->nmapfuzzsignatures.size()==0)
{
char buf_file[BUFSIZE];
@ -174,11 +174,12 @@ std::vector<char> Fuzzer::GetFUZZ()
str=std::string(buf_file);
str.erase(str.size() - 1);//remove \n
this->input_line=Utils::str2vector(str);
}
this->counter++;
if(this->configuration->getConfigValue(OPT_FUZZ_NMAP) == 0)
return this->input_line;
}
else if(this->configuration->getConfigValue(OPT_FUZZ_INTERNAL))
{
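Review bot: The new condition still evaluates `this->counter % this->nmapfuzzsignatures.size()` whenever OPT_FUZZ_NMAP is set, so a `-n` file that yields no signatures would divide by zero; the added short-circuit only covers the case where `-n` was not given at all. If an empty wrapping list can reach this point, guard it in the same expression: `if ((this->configuration->getConfigValue(OPT_FUZZ_NMAP) == 0) || this->nmapfuzzsignatures.empty() || this->counter % this->nmapfuzzsignatures.size() == 0)`. Whether the loader rejects an empty file is not visible from these hunks. Separately, the unchanged `str.erase(str.size() - 1)` a few lines later throws std::out_of_range when the line read into buf_file is empty, which a fuzzing wordlist can easily contain. GetFUZZ begins and ends outside these hunks.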

@ -102,7 +102,7 @@ void* process_connection(void *arg)
#else
if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr*)&peer_sockaddr,(socklen_t*) (socklen_t*) &peer_sockaddr_len )){
perror("Getsockopt failed");
perror("Getsockopt failed: Have you set up your IPTABLES rules correctly ?");
goto close_socket;
}
else

@ -17,7 +17,7 @@ start)
stop)
if pidof portspoof >/dev/null; then
killall -9 /usr/local/bin/portspoof >/dev/null
killall portspoof >/dev/null
echo "Portspoof stopped.."
else
echo "Portspoof not running.."
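Review bot: The stop branch prints `Portspoof stopped..` regardless of whether `killall portspoof` succeeded, and dropping `-9` means the process now receives SIGTERM, so the message can appear while the daemon is still shutting down or was not signalled at all. Consider tying the message to the result: `killall portspoof >/dev/null && echo "Portspoof stopped.." || echo "Portspoof could not be stopped.."`. Matching by bare process name is consistent with the `pidof portspoof` test on the line above. The enclosing case statement continues outside the hunk.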

@ -4,8 +4,10 @@
:INPUT ACCEPT [347451:16935290]
:OUTPUT ACCEPT [477:45868]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
-A PREROUTING -i eth1 -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444
# Portspoof everything except the sshd service
# Remember to change the iface name
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
-A PREROUTING -i eth0 -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444
COMMIT
# Completed on Tue Apr 23 14:26:42 2013
# Generated by iptables-save v1.4.4 on Tue Apr 23 14:26:42 2013
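Review bot: The new comment says the rules spare sshd, but that exclusion exists only implicitly in the `1:21` / `23:65535` ranges, so an operator running sshd on a port other than 22 will redirect their own SSH connections into portspoof and lose remote access. Suggest stating the assumption next to the iface reminder: `# Port 22 is left out for sshd; move the gap if sshd listens elsewhere`. Likewise `--to-ports 4444` must match the port portspoof actually binds, presumably its `-p` option, so a second reminder comment there would help.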