Merge branch 'hotfix/Improved_DOCS'

drk1wi 2014-01-01 11:57:23 +01:00
commit d38ac6b956
3 changed files with 91 additions and 30 deletions

7
DOCS

@ -10,7 +10,7 @@ Portspoof documentation notes
OR
$ g++ -lpthread -Wall -g Configuration.cpp connection.cpp Portspoof.cpp revregex.cpp Utils.cpp Fuzzer.cpp Server.cpp -o portspoof
$ g++ -lpthread -Wall -g Configuration.cpp connection.cpp Portspoof.cpp Revregex.cpp Utils.cpp Fuzzer.cpp Server.cpp -o portspoof
2. Configure your firewall rules:
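Review bot: In the g++ line, -lpthread comes before the source files, so a linker that resolves libraries left to right (or runs with --as-needed) can drop it before any object references a pthread symbol, and the link then fails with undefined references. Suggest "g++ -pthread -Wall -g ... -o portspoof", or moving -lpthread after the .cpp list. Since this hunk corrects the case of Revregex.cpp, check the remaining names in the list against the tree as well; connection.cpp is still lower-case while the others are capitalised.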
@ -20,16 +20,15 @@ Portspoof documentation notes
Configure iptables:
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444
# iptables-restore < iptables-config (system_files directory)
# iptables-restore < iptables-config (system_files directory) # remember to change the interface name!
Run Portspoof with service emulation:
$ portspoof -c portspoof.conf -s portspoof_signatures -D
Run Portspoof in "open port" mode:
Run Portspoof in daemon "open port" mode:
$ portspoof -D
3. Add portspoof invocation to your system's startup scripts.
Modify or use the default init.d script from the 'system_files' directory
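Review bot: The iptables-restore line needs a note that it replaces the ruleset already loaded, not only a reminder about the interface name; iptables-restore flushes the existing tables unless it is run with --noflush (-n), so a reader with a working firewall loses it. The PREROUTING rule above it redirects --dport 1:65535 to port 4444, which also covers the ports of real services on the host, so the notes should tell the reader to exempt those ports before applying the rule. The trailing "# remember to change the interface name!" shares the line with the root-prompt "#" and the "(system_files directory)" parenthetical; moving both remarks to a sentence of their own keeps the command copyable.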

49
README

@ -2,27 +2,48 @@ Portspoof software overview
Short description:
*Art of annoyance*
*Art of Annoyance*
The Portspoof program primary goal is to enhance OS security through a new service emulation technique that renders all standard port scanning results useless.
The Portspoof program primary goal is to enhance OS security through a set of new techniques:
- All TCP ports are always open
Instead of informing an attacker that a particular port is CLOSED or FILTERED a system with Portspoof will return SYN+ACK for every port connection attempt.
As a result it is impractical to use stealth (SYN, ACK, etc.) port scanning against your system, since all ports are always reported as OPEN.
Therefore, it difficult to determine if a valid software is listening on a particular port by just sweeping through a particular port range (check out the screenshots).
- Every open TCP port emulates a services
Portspoof has a huge dynamic service signature database, that will be used to generate valid service signatures and feed them to your offenders scanning software.
Scanning software usually tries to determine a service version that is running on an open port. This step is mandatory if one would want to identify port numbers on which you are running your services on a system behing the Portspoof.
For this reason Portspoof will respond to every service probe with a valid service signature, that is dynamically generated based on a service signature regular expression database.
As a result an attacker will not be able to determine which port numbers your system is truly using.
By using those two techniques together:
- your attackers will have a tough time while trying to identify your real services.
- the only way to determine if a service is emulated is through a protocol probe (imagine probing protocols for 65k open ports!).
- it takes more than 8hours and 200MB of sent data in order to properly go through the reconessaince phase for your system ( nmap -sV -p - equivalent).
*Art of Active (Offensive) Defense*
Portspoof can be used as an 'Exploitation Framework Frontend', that turns your system into responsive and aggressive machine. In practice this usually means exploiting your attackers' tools and exploits. This approach is purely based on Active (Offensive) Defense concepts.
Portspoof can be used as an 'Exploitation Framework Frontend', that turns your system into responsive and aggressive machine. In practice this usually means exploiting your attackers' tools and exploits.
At the moment there are few example exploits in the configuration file (portspof.conf)
It is meant to be a lightweight, fast, portable and secure addition to the any firewall system or security infrastructure.
The general goal of the program is to make the port scanning software (Nmap/Unicornscan/etc) process slow and output very difficult to interpret,
thus making the attack reconnaissance phase a challenging and bothersome task.
The most important features that Portspoof has:
Portspoof is meant to be a lightweight, fast, portable and secure addition to the any firewall system or security system.
The general goal of the program is to make the reconessaince phase slow and bothersome for your attackers as much it is only possible.
This is quite a change to the standard 5s Nmap scan, that will give a full view of your systems running services.
- Portspoof is a userland software and does not require root privileges !
- Binds to just one tcp port per a running instance
- Easily customizable through iptables rules
- Marginal CPU/memory usage (multithreaded)
- More than 8000 dynamic service signatures are supported !
- Will help you to automate your Active Defense attacks against your attackers tools and scripts
The most important features that this software has:
- it will add some real pain to your attackers reconessaince phase.
- it is a userland software and does not require root privileges !
- it binds to just ONE tcp port per a running instance !
- it is easily customizable through your iptables rules
- marginal CPU and memory usage (multithreaded)
- more than 9000 dynamic service signatures to feed your attackers scanning software !
http://portspoof.org/
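Review bot: The configuration file is spelled "portspof.conf" in the "At the moment there are few example exploits" line, while DOCS invokes "portspoof -c portspoof.conf"; a reader looking for the file under the README's spelling will not find it. Fix the name, and in the same pass correct "reconessaince" (reconnaissance), "behing" (behind), "it difficult" and "emulates a services". The "more than 8hours and 200MB" figure and the "standard 5s Nmap scan" comparison are given without the scan options or network conditions they were measured under; state them or soften the claim.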

@ -4,18 +4,60 @@
### Short description:
The portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports.
It is meant to be a lightweight, fast, portable and secure addition to the any firewall system or security appliance.
The general goal of the program is to make the port scanning software (Nmap/Unicornscan/etc) process slow and output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.
###General benefits of using this software are:
* Protection against well known port scanners (all scanning results are chaotic and difficult to interpret)
* Possibility to use your current firewall rules to decide for which hosts "port spoofing" applies
* Port scanning detection functionality
* Lightweight and fast
####*Art of Annoyance*
The Portspoof program primary goal is to enhance OS security through a set of few techniques:
**1. All TCP ports are always open**
Instead of informing an attacker that a particular port is CLOSED or FILTERED a system with Portspoof will return SYN+ACK for every port connection attempt.
As a result it is impractical to use stealth (SYN, ACK, etc.) port scanning against your system, since all ports are always reported as OPEN.
Therefore, it difficult to determine if a valid software is listening on a particular port by just sweeping through a particular port range (check out the screenshots).
**2. Every open TCP port emulates a services**
Portspoof has a huge dynamic service signature database, that will be used to generate valid service signatures and feed them to your offenders scanning software.
Scanning software usually tries to determine a service version that is running on an open port. This step is mandatory if one would want to identify port numbers on which you are running your services on a system behing the Portspoof.
For this reason Portspoof will respond to every service probe with a valid service signature, that is dynamically generated based on a service signature regular expression database.
As a result an attacker will not be able to determine which port numbers your system is truly using.
By using those two techniques together:
* your attackers will have a tough time while trying to identify your real services.
* the only way to determine if a service is emulated is through a protocol probe (imagine probing protocols for 65k open ports!).
* it takes more than 8hours and 200MB of sent data in order to properly go through the reconessaince phase for your system (nmap -sV -p - equivalent).
###Author: Piotr Duszynski (piotr@duszynski.eu)
####*Art of Active (Offensive) Defense*
Portspoof can be used as an 'Exploitation Framework Frontend', that turns your system into responsive and aggressive machine. In practice this usually means exploiting your attackers' tools and exploits.
At the moment there are few example exploits in the configuration file (portspoof.conf)
Portspoof is meant to be a lightweight, fast, portable and secure addition to the any firewall system or security system.
The general goal of the program is to make the reconessaince phase slow and bothersome for your attackers as much it is only possible.
This is quite a change to the standard 5s Nmap scan, that will give a full view of your systems running services.
####*Features*
The most important features that Portspoof has:
- it will add some real pain to your attackers reconessaince phase.
- it is a userland software and does not require root privileges !
- it binds to just ONE tcp port per a running instance !
- it is easily customizable through your iptables rules
- marginal CPU and memory usage (multithreaded)
- more than 9000 dynamic service signatures to feed your attackers scanning software !
###Author: Piotr Duszynski (piotr[at]duszynski.eu)
http://portspoof.org/
Follow me at @drk1wi
###License
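Review bot: The headings "####*Art of Annoyance*", "####*Art of Active (Offensive) Defense*" and "####*Features*" have no space after the hashes, so renderers that follow CommonMark print them as literal text; write "#### *Art of Annoyance*" and so on ("###Author" and "###License" have the same problem). The features list uses "-" bullets while the "By using those two techniques together" list in the same file uses "*"; pick one. The body repeats the README wording, including "reconessaince", "behing" and "it difficult", so those corrections are needed here as well.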
@ -32,4 +74,3 @@ Consult the INSTALL file.
* FAQ - Bug reporting and frequently asked questions