diff --git a/DOCS b/DOCS
index b66026b..7074294 100644
--- a/DOCS
+++ b/DOCS
@@ -1,6 +1,6 @@
Portspoof documentation notes
-INSTALLATION:
+############## INSTALLATION ##############
1. Compile the software:
@@ -34,3 +34,81 @@ INSTALLATION:
Modify or use the default init.d script from the 'system_files' directory
+
+############## CONFIGURATION FILE ##############
+
+You can define your service payloads in the configuration file:
+
+1. Single port payload
+
+80 "XXXX" - will result in sending back to scanners payload XXXX for every successful TCP connect to port 80
+
+2. Range port payload
+
+80-1000 "XXXX" - will result in sending back to scanners payload XXXX for every successful TCP connect to ports 80-1000
+
+:Hex Encoded Payloads (useful for exploits):
+
+80 "\x41\x41\x41\x41" - will result in sending back to scanners payload AAAA for every successful TCP connect to port 80
+
+:Regular Expression Based Payloads:
+(Will generate a payload that will match a particular regular expression)
+
+80 "regular_expression [\w]+ ... - will generate (for example) paylaod: "regular_expression dddd ags"
+
+
+
+############## FUZZING ##############
+
+
+1. Fuzzing with a wordlist
+
+$ ./portspoof -f payloads.txt -v
+
+This command will use all of the payloads from the provided wordlist and distribute them across all of the available ports (1-65535).
+
+Example:
+
+payloads.txt:
+--
+
+
+--
+
+nc portspoof.org 1 will result in :
+nc portspoof.org 2 will result in :
+...
+
+
+2. Fuzzing with internally generated payloads
+
+$ ./portspoof -1 -v
+
+This command will generate a random payload of random size on every port. Every response for every TCP conncet will be different.
+
+3. Wrapping fuzzing payloads with NMAP signatures.
+
+$ ./portspoof -n wrapping_paloads.txt -1 OR $./portspoof -f wordlist.txt -n wrapping_paloads.txt
+
+Will result in wrapping the fuzzing payloads with those from wrapping_paloads.txt file.
+The __FUZZ__ string in every line of wrapping_paloads.txt will be replaced with a fuzzzing payload.
+This is especially useful for fuzzing software that relies on Nmap service banners.
+
+There is an example wrapper file in the GIT repository: extra_files/fuzz_nmap_signatures.
+Use it to fuzz for bugs in software that relies on Nmap output.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/Configuration.cpp b/src/Configuration.cpp
index 8c9768e..6ca019c 100755
--- a/src/Configuration.cpp
+++ b/src/Configuration.cpp
@@ -72,7 +72,6 @@ void Configuration::usage(void)
"-f file_path : FUZZER_MODE - fuzzing payload file list \n"
"-n file_path : FUZZER_MODE - wrapping signatures file list\n"
"-1 FUZZER_MODE - generate fuzzing payloads internally\n"
- "-3 FUZZER_MODE - generate random byte values !\n"
"-2 switch to simple reply mode (doesn't work for Nmap)!\n"
"-D run as daemon process\n"
"-d disable syslog\n"
@@ -87,7 +86,7 @@ bool Configuration::processArgs(int argc, char** argv)
int ch;
extern char *__progname;
- while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123D")) != -1) {
+ while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh12D")) != -1) {
switch (ch) {
case 'i':
this->bind_ip = std::string(optarg);
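Review bot: Dropping `3` from the getopt string makes getopt report `-3` as an unknown option, so a `case '3':` branch further down in this switch (not visible in the hunk, if it still exists) becomes unreachable and its OPT_ flag dead; if so they should be removed in the same commit as the usage line. processArgs begins before and continues after the hunk.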
@@ -129,6 +128,11 @@ bool Configuration::processArgs(int argc, char** argv)
case 'f':
this->opts[OPT_FUZZ_WORDLIST]=1;
this->fuzzpayload_file=std::string(optarg);
+ if(this->opts[OPT_FUZZ_INTERNAL])
+ {
+ fprintf(stdout,"Error: -1 flag cannot be used with -f \n\n", __progname);
+ exit(0);
+ }
fprintf(stdout,"-> Reading fuzzing payloads from a file %s!\n",this->fuzzpayload_file.c_str());
break;
case 'n':
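Review bot: The new error path `fprintf(stdout,"Error: -1 flag cannot be used with -f \n\n", __progname);` has no `%s` conversion, so `__progname` is an unused vararg (warned under -Wformat-extra-args), the message goes to stdout rather than stderr, and `exit(0)` reports success for a usage error, which a wrapper script or the init.d start case cannot tell apart from a clean run. The `case '1':` hunk that follows has the same three issues. For both sites: `fprintf(stderr, "Error: -1 flag cannot be used with -f\n\n");` followed by `exit(EXIT_FAILURE);`. processArgs begins before and continues after the hunk.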
@@ -138,7 +142,13 @@ bool Configuration::processArgs(int argc, char** argv)
break;
case '1':
this->opts[OPT_FUZZ_INTERNAL]=1;
+ if(this->opts[OPT_FUZZ_WORDLIST])
+ {
+ fprintf(stdout,"Error: -f flag cannot be used with -1 \n\n", __progname);
+ exit(0);
+ }
fprintf(stdout,"-> Generating fuzzing payloads internally!\n");
+
break;
case '2':
this->opts[OPT_NOT_NMAP_SCANNER]=1;
diff --git a/src/Fuzzer.cpp b/src/Fuzzer.cpp
index ee2c829..72c9ef7 100755
--- a/src/Fuzzer.cpp
+++ b/src/Fuzzer.cpp
@@ -159,7 +159,7 @@ std::vector Fuzzer::GetFUZZ()
{
- if(this->counter%this->nmapfuzzsignatures.size()==0)
+ if((this->configuration->getConfigValue(OPT_FUZZ_NMAP) == 0) || this->counter%this->nmapfuzzsignatures.size()==0)
{
char buf_file[BUFSIZE];
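Review bot: `this->counter%this->nmapfuzzsignatures.size()` still divides by the signature count whenever OPT_FUZZ_NMAP is set; if the `-n` file yields no signatures the size is 0 and the modulo is undefined behaviour (SIGFPE on x86). The new `== 0` test only protects the no-wrapper mode via short-circuit. Either reject an empty signature list where the file is loaded (not visible here) or put `this->nmapfuzzsignatures.empty() ||` in front of the modulo. GetFUZZ begins before and continues after the hunk.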
@@ -174,11 +174,12 @@ std::vector Fuzzer::GetFUZZ()
str=std::string(buf_file);
str.erase(str.size() - 1);//remove \n
this->input_line=Utils::str2vector(str);
-
}
this->counter++;
-
+
+ if(this->configuration->getConfigValue(OPT_FUZZ_NMAP) == 0)
+ return this->input_line;
}
else if(this->configuration->getConfigValue(OPT_FUZZ_INTERNAL))
{
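Review bot: `this->configuration->getConfigValue(OPT_FUZZ_NMAP) == 0` is now evaluated twice in the same branch, once in the opening `if` and again before the new early return; a single `const bool wrap_with_nmap = this->configuration->getConfigValue(OPT_FUZZ_NMAP) != 0;` at the top of GetFUZZ would name the mode and keep the two tests in sync. The early return deserves a comment, e.g. `// -f without -n: the wordlist line is the whole payload, nothing to wrap`. Note that in that mode the unchanged `str.erase(str.size() - 1)` now runs on every call: on an empty line it throws std::out_of_range, and on a final line without a trailing newline it silently drops a payload byte — the read into buf_file is outside the hunk, so I cannot see whether either case is filtered earlier. GetFUZZ begins before and continues after the hunk.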
diff --git a/src/connection.cpp b/src/connection.cpp
index 19ae3dc..1689456 100755
--- a/src/connection.cpp
+++ b/src/connection.cpp
@@ -102,7 +102,7 @@ void* process_connection(void *arg)
#else
if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr*)&peer_sockaddr,(socklen_t*) (socklen_t*) &peer_sockaddr_len )){
- perror("Getsockopt failed");
+ perror("Getsockopt failed: Have you set up your IPTABLES rules correctly ?");
goto close_socket;
}
else
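Review bot: perror() appends `: <strerror(errno)>` to its argument, so the new text prints as `...correctly ?: No such file or directory`; a parenthetical without trailing punctuation reads better, `perror("getsockopt(SO_ORIGINAL_DST) failed (missing iptables REDIRECT rule?)");`. In my experience SO_ORIGINAL_DST also fails with ENOENT for a connection made directly to the listening port rather than through the REDIRECT rule, which is how the service is usually first tested, so the hint could name that case too. process_connection begins before and continues after the hunk.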
diff --git a/system_files/init.d/portspoof.sh b/system_files/init.d/portspoof.sh
index 84fa38b..5345149 100644
--- a/system_files/init.d/portspoof.sh
+++ b/system_files/init.d/portspoof.sh
@@ -17,7 +17,7 @@ start)
stop)
if pidof portspoof >/dev/null; then
- killall -9 /usr/local/bin/portspoof >/dev/null
+ killall portspoof >/dev/null
echo "Portspoof stopped.."
else
echo "Portspoof not running.."
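Review bot: `killall portspoof` runs without checking its result, so `echo "Portspoof stopped.."` is printed even when no signal was delivered (for example when the script is run by a user who cannot signal the daemon) or when the daemon ignores SIGTERM and keeps running. Switching from `-9` to the default SIGTERM is the right direction; pairing it with a result check, `if killall portspoof >/dev/null 2>&1; then echo "Portspoof stopped.."; else echo "Failed to stop portspoof" >&2; fi`, reports failure honestly. pidof and killall match by process name, so any process called portspoof is signalled, not only the one this script started; a pidfile written in start) would scope the stop correctly, if the daemon can provide one. The start) case begins outside the hunk.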
diff --git a/system_files/iptables-config b/system_files/iptables-config
index 1b18720..7dba958 100755
--- a/system_files/iptables-config
+++ b/system_files/iptables-config
@@ -4,8 +4,10 @@
:INPUT ACCEPT [347451:16935290]
:OUTPUT ACCEPT [477:45868]
:POSTROUTING ACCEPT [0:0]
--A PREROUTING -i eth1 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
--A PREROUTING -i eth1 -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444
+# Portspoof everything except the sshd service
+# Remember to change the iface name
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444
COMMIT
# Completed on Tue Apr 23 14:26:42 2013
# Generated by iptables-save v1.4.4 on Tue Apr 23 14:26:42 2013
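Review bot: The new comment says "everything except the sshd service" but the exemption is only implicit in the gap between the two ranges (1:21 and 23:65535); naming it, `# Port 22 is left out of the two ranges so sshd stays reachable; adjust both ranges if sshd listens elsewhere`, makes the intent checkable by the next reader. Both rules are bound to `-i eth0`, so connections arriving on any other interface are not redirected at all — the "change the iface name" comment could say that only this interface is spoofed. The packet/byte counters on the chain policy lines above (`[347451:16935290]`) are stale captures; iptables-restore ignores them unless run with -c, so zeroing them to `[0:0]` avoids implying the file reflects a live box.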