Portspoof documentation notes

############## INSTALLATION ##############

1. Compile the software:

	$ ./configure (use --sysconfdir=/etc/ to store configuration files in /etc/ )
	$ make
	$ sudo make install


2. Configure your firewall rules:

	Linux :

	Configure iptables:

	# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444
	# iptables-restore < iptables-config (system_files directory) # Note: remember to change the interface name to yours!

	Run Portspoof with service emulation in daemon mode:
	$ portspoof -c /etc/portspoof.conf -s /etc/portspoof_signatures -D

	This mode will generate and feed port scanners with bogus service signatures.

	Run Portspoof in daemon "open port" mode:
	$  portspoof -D

	This mode will just return OPEN state for every connection attempt.

3. Add portspoof invocation to your system's startup scripts.

	Modify or use the default init.d script from the 'system_files' directory
	

############## CONFIGURATION FILE ##############

You can define your service payloads in the configuration file:

1. Single port payload

80 "XXXX" - will result in sending back to scanners payload XXXX for every successful TCP connect to port 80

2. Range port payload

80-1000 "XXXX" - will result in sending back to scanners payload XXXX for every successful TCP connect to ports 80-1000

:Hex Encoded Payloads (useful for exploits):

80 "\x41\x41\x41\x41" - will result in sending back to scanners payload AAAA for every successful TCP connect to port 80

:Regular Expression Based Payloads:
(Will generate a payload that will match a particular regular expression)

80 "regular_expression [\w]+ ... - will generate (for example) paylaod: "regular_expression dddd ags"



############## FUZZING ##############


1. Fuzzing with a wordlist

$ ./portspoof -f payloads.txt -v 

This command will use all of the payloads from the provided wordlist and distribute them across all of the available ports (1-65535).

Example:

payloads.txt:
--
<script>alert(1)</script>
<script>prompt(1)</script>
--

nc portspoof.host 1 will result in : <script>alert(1)</script>
nc portspoof.host 2 will result in : <script>alert(1)</script>
...


2. Fuzzing with internally generated payloads

$ ./portspoof -1 -v 

This command will generate a random payload of random size on every port. Every response for every TCP conncet will be different.

3. Wrapping fuzzing payloads with NMAP signatures.

$ ./portspoof -n wrapping_paloads.txt -1 OR $./portspoof -f wordlist.txt -n wrapping_paloads.txt

Will result in wrapping the fuzzing payloads with those from wrapping_paloads.txt file.
The __FUZZ__ string in every line of wrapping_paloads.txt will be replaced with a fuzzzing payload.
This is especially useful for fuzzing software that relies on Nmap service banners.

There is an example wrapper file in the GIT repository: extra_files/fuzz_nmap_signatures.
Use it to fuzz for bugs in software that relies on Nmap output.