Updated DOCS, param options, fixed bugs related to fuzzing.
This commit is contained in:
parent
96628fa3bb
commit
35a1f3a7ba
80
DOCS
80
DOCS
@ -1,6 +1,6 @@
|
||||
Portspoof documentation notes
|
||||
|
||||
INSTALLATION:
|
||||
############## INSTALLATION ##############
|
||||
|
||||
1. Compile the software:
|
||||
|
||||
@ -34,3 +34,81 @@ INSTALLATION:
|
||||
|
||||
Modify or use the default init.d script from the 'system_files' directory
|
||||
|
||||
|
||||
############## CONFIGURATION FILE ##############
|
||||
|
||||
You can define your service payloads in the configuration file:
|
||||
|
||||
1. Single port payload
|
||||
|
||||
80 "XXXX" - will result in sending back to scanners payload XXXX for every successful TCP connect to port 80
|
||||
|
||||
2. Range port payload
|
||||
|
||||
80-1000 "XXXX" - will result in sending back to scanners payload XXXX for every successful TCP connect to ports 80-1000
|
||||
|
||||
:Hex Encoded Payloads (useful for exploits):
|
||||
|
||||
80 "\x41\x41\x41\x41" - will result in sending back to scanners payload AAAA for every successful TCP connect to port 80
|
||||
|
||||
:Regular Expression Based Payloads:
|
||||
(Will generate a payload that will match a particular regular expression)
|
||||
|
||||
80 "regular_expression [\w]+ ... - will generate (for example) paylaod: "regular_expression dddd ags"
|
||||
|
||||
|
||||
|
||||
############## FUZZING ##############
|
||||
|
||||
|
||||
1. Fuzzing with a wordlist
|
||||
|
||||
$ ./portspoof -f payloads.txt -v
|
||||
|
||||
This command will use all of the payloads from the provided wordlist and distribute them across all of the available ports (1-65535).
|
||||
|
||||
Example:
|
||||
|
||||
payloads.txt:
|
||||
--
|
||||
<script>alert(1)</script>
|
||||
<script>prompt(1)</script>
|
||||
--
|
||||
|
||||
nc portspoof.org 1 will result in : <script>alert(1)</script>
|
||||
nc portspoof.org 2 will result in : <script>alert(1)</script>
|
||||
...
|
||||
|
||||
|
||||
2. Fuzzing with internally generated payloads
|
||||
|
||||
$ ./portspoof -1 -v
|
||||
|
||||
This command will generate a random payload of random size on every port. Every response for every TCP conncet will be different.
|
||||
|
||||
3. Wrapping fuzzing payloads with NMAP signatures.
|
||||
|
||||
$ ./portspoof -n wrapping_paloads.txt -1 OR $./portspoof -f wordlist.txt -n wrapping_paloads.txt
|
||||
|
||||
Will result in wrapping the fuzzing payloads with those from wrapping_paloads.txt file.
|
||||
The __FUZZ__ string in every line of wrapping_paloads.txt will be replaced with a fuzzzing payload.
|
||||
This is especially useful for fuzzing software that relies on Nmap service banners.
|
||||
|
||||
There is an example wrapper file in the GIT repository: extra_files/fuzz_nmap_signatures.
|
||||
Use it to fuzz for bugs in software that relies on Nmap output.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -72,7 +72,6 @@ void Configuration::usage(void)
|
||||
"-f file_path : FUZZER_MODE - fuzzing payload file list \n"
|
||||
"-n file_path : FUZZER_MODE - wrapping signatures file list\n"
|
||||
"-1 FUZZER_MODE - generate fuzzing payloads internally\n"
|
||||
"-3 FUZZER_MODE - generate random byte values !\n"
|
||||
"-2 switch to simple reply mode (doesn't work for Nmap)!\n"
|
||||
"-D run as daemon process\n"
|
||||
"-d disable syslog\n"
|
||||
@ -87,7 +86,7 @@ bool Configuration::processArgs(int argc, char** argv)
|
||||
int ch;
|
||||
extern char *__progname;
|
||||
|
||||
while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123D")) != -1) {
|
||||
while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh12D")) != -1) {
|
||||
switch (ch) {
|
||||
case 'i':
|
||||
this->bind_ip = std::string(optarg);
|
||||
@ -129,6 +128,11 @@ bool Configuration::processArgs(int argc, char** argv)
|
||||
case 'f':
|
||||
this->opts[OPT_FUZZ_WORDLIST]=1;
|
||||
this->fuzzpayload_file=std::string(optarg);
|
||||
if(this->opts[OPT_FUZZ_INTERNAL])
|
||||
{
|
||||
fprintf(stdout,"Error: -1 flag cannot be used with -f \n\n", __progname);
|
||||
exit(0);
|
||||
}
|
||||
fprintf(stdout,"-> Reading fuzzing payloads from a file %s!\n",this->fuzzpayload_file.c_str());
|
||||
break;
|
||||
case 'n':
|
||||
@ -138,7 +142,13 @@ bool Configuration::processArgs(int argc, char** argv)
|
||||
break;
|
||||
case '1':
|
||||
this->opts[OPT_FUZZ_INTERNAL]=1;
|
||||
if(this->opts[OPT_FUZZ_WORDLIST])
|
||||
{
|
||||
fprintf(stdout,"Error: -f flag cannot be used with -1 \n\n", __progname);
|
||||
exit(0);
|
||||
}
|
||||
fprintf(stdout,"-> Generating fuzzing payloads internally!\n");
|
||||
|
||||
break;
|
||||
case '2':
|
||||
this->opts[OPT_NOT_NMAP_SCANNER]=1;
|
||||
|
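Review bot: The new conflict checks in case 'f' (hunk at -129) and case '1' (hunk at -138) pass `__progname` to a format string that has no conversion for it, and they report the error with `exit(0)`, so a wrapper or init script sees a successful exit even though the daemon never started. Print to stderr with the program name actually formatted and exit non-zero, e.g. `fprintf(stderr, "%s: Error: -1 flag cannot be used with -f\n\n", __progname); exit(1);` in case 'f', with the mirrored change in case '1'. The usage hunk at -72 drops the `-3` help line and the getopt string drops `3`; if a `case '3':` still exists further down in processArgs it is now unreachable, but that cannot be confirmed from here. processArgs continues outside these hunks.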
@ -159,7 +159,7 @@ std::vector<char> Fuzzer::GetFUZZ()
|
||||
{
|
||||
|
||||
|
||||
if(this->counter%this->nmapfuzzsignatures.size()==0)
|
||||
if((this->configuration->getConfigValue(OPT_FUZZ_NMAP) == 0) || this->counter%this->nmapfuzzsignatures.size()==0)
|
||||
{
|
||||
|
||||
char buf_file[BUFSIZE];
|
||||
@ -174,11 +174,12 @@ std::vector<char> Fuzzer::GetFUZZ()
|
||||
str=std::string(buf_file);
|
||||
str.erase(str.size() - 1);//remove \n
|
||||
this->input_line=Utils::str2vector(str);
|
||||
|
||||
}
|
||||
|
||||
this->counter++;
|
||||
|
||||
|
||||
if(this->configuration->getConfigValue(OPT_FUZZ_NMAP) == 0)
|
||||
return this->input_line;
|
||||
}
|
||||
else if(this->configuration->getConfigValue(OPT_FUZZ_INTERNAL))
|
||||
{
|
||||
|
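Review bot: The reordered condition at the top of GetFUZZ (hunk at -159) still evaluates `this->counter%this->nmapfuzzsignatures.size()` whenever OPT_FUZZ_NMAP is set, so an empty or unreadable -n file leaves the divisor at zero and the first call is undefined behaviour. Guard the size explicitly, e.g. `|| this->nmapfuzzsignatures.empty() || this->counter%this->nmapfuzzsignatures.size()==0`, or reject an empty signature list at the point where -n is parsed. The adjacent context line `str.erase(str.size() - 1);` also throws std::out_of_range when buf_file yields an empty string (size()-1 wraps), and the new early return at -174 does not cover that path; a `if(!str.empty())` before the erase would close it. GetFUZZ continues outside both hunks.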
@ -102,7 +102,7 @@ void* process_connection(void *arg)
|
||||
#else
|
||||
|
||||
if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr*)&peer_sockaddr,(socklen_t*) (socklen_t*) &peer_sockaddr_len )){
|
||||
perror("Getsockopt failed");
|
||||
perror("Getsockopt failed: Have you set up your IPTABLES rules correctly ?");
|
||||
goto close_socket;
|
||||
}
|
||||
else
|
||||
|
@ -17,7 +17,7 @@ start)
|
||||
stop)
|
||||
|
||||
if pidof portspoof >/dev/null; then
|
||||
killall -9 /usr/local/bin/portspoof >/dev/null
|
||||
killall portspoof >/dev/null
|
||||
echo "Portspoof stopped.."
|
||||
else
|
||||
echo "Portspoof not running.."
|
||||
|
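Review bot: The replacement `killall portspoof >/dev/null` discards killall's exit status, and the script then echoes "Portspoof stopped.." whether or not the process actually terminated; it also matches every process named portspoof, not only the one this script started. Since the stop branch already has the pid from `pidof`, a tighter form is `kill "$(pidof portspoof)" && echo "Portspoof stopped.." || echo "Failed to stop Portspoof"`, which sends SIGTERM to the right process and reports failure. The enclosing case statement starts outside the hunk.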
@ -4,8 +4,10 @@
|
||||
:INPUT ACCEPT [347451:16935290]
|
||||
:OUTPUT ACCEPT [477:45868]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
-A PREROUTING -i eth1 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
|
||||
-A PREROUTING -i eth1 -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444
|
||||
# Portspoof everything except the sshd service
|
||||
# Remember to change the iface name
|
||||
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
|
||||
-A PREROUTING -i eth0 -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444
|
||||
COMMIT
|
||||
# Completed on Tue Apr 23 14:26:42 2013
|
||||
# Generated by iptables-save v1.4.4 on Tue Apr 23 14:26:42 2013
|
||||
|
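Review bot: The new rules redirect every TCP port on eth0 except 22 to port 4444, but nothing on the page ties 4444 to the port portspoof listens on, presumably the value given with `-p`; a mismatch silently blackholes all redirected connections. Extend the added comment so the reader adjusts both values together, e.g. `# Remember to change the iface name and make sure --to-ports matches the port portspoof is bound to`. The comment "except the sshd service" is only true while sshd is on 22; any other real service on eth0 is shadowed by these two ranges, which is worth stating next to the rules.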