mirror of https://github.com/drk1wi/portspoof.git
113 lines
2.9 KiB
Plaintext
113 lines
2.9 KiB
Plaintext
Portspoof documentation notes
|
|
|
|
############## INSTALLATION ##############
|
|
|
|
1. Compile the software:
|
|
|
|
$ ./configure (use --sysconfdir=/etc/ to store configuration files in /etc/ )
|
|
$ make
|
|
$ sudo make install
|
|
|
|
|
|
2. Configure your firewall rules:
|
|
|
|
Linux :
|
|
|
|
Configure iptables:
|
|
|
|
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444
|
|
# iptables-restore < iptables-config (system_files directory) # Note: remember to change the interface name to yours!
|
|
|
|
Run Portspoof with service emulation in daemon mode:
|
|
$ portspoof -c /etc/portspoof.conf -s /etc/portspoof_signatures -D
|
|
|
|
This mode will generate and feed port scanners with bogus service signatures.
|
|
|
|
Run Portspoof in daemon "open port" mode:
|
|
$ portspoof -D
|
|
|
|
This mode will just return OPEN state for every connection attempt.
|
|
|
|
3. Add portspoof invocation to your system's startup scripts.
|
|
|
|
Modify or use the default init.d script from the 'system_files' directory
|
|
|
|
|
|
############## CONFIGURATION FILE ##############
|
|
|
|
You can define your service payloads in the configuration file:
|
|
|
|
1. Single port payload
|
|
|
|
80 "XXXX" - will result in sending back to scanners payload XXXX for every successful TCP connect to port 80
|
|
|
|
2. Range port payload
|
|
|
|
80-1000 "XXXX" - will result in sending back to scanners payload XXXX for every successful TCP connect to ports 80-1000
|
|
|
|
:Hex Encoded Payloads (useful for exploits):
|
|
|
|
80 "\x41\x41\x41\x41" - will result in sending back to scanners payload AAAA for every successful TCP connect to port 80
|
|
|
|
:Regular Expression Based Payloads:
|
|
(Will generate a payload that will match a particular regular expression)
|
|
|
|
80 "regular_expression [\w]+ ... - will generate (for example) paylaod: "regular_expression dddd ags"
|
|
|
|
|
|
|
|
############## FUZZING ##############
|
|
|
|
|
|
1. Fuzzing with a wordlist
|
|
|
|
$ ./portspoof -f payloads.txt -v
|
|
|
|
This command will use all of the payloads from the provided wordlist and distribute them across all of the available ports (1-65535).
|
|
|
|
Example:
|
|
|
|
payloads.txt:
|
|
--
|
|
<script>alert(1)</script>
|
|
<script>prompt(1)</script>
|
|
--
|
|
|
|
nc portspoof.host 1 will result in : <script>alert(1)</script>
|
|
nc portspoof.host 2 will result in : <script>alert(1)</script>
|
|
...
|
|
|
|
|
|
2. Fuzzing with internally generated payloads
|
|
|
|
$ ./portspoof -1 -v
|
|
|
|
This command will generate a random payload of random size on every port. Every response for every TCP conncet will be different.
|
|
|
|
3. Wrapping fuzzing payloads with NMAP signatures.
|
|
|
|
$ ./portspoof -n wrapping_paloads.txt -1 OR $./portspoof -f wordlist.txt -n wrapping_paloads.txt
|
|
|
|
Will result in wrapping the fuzzing payloads with those from wrapping_paloads.txt file.
|
|
The __FUZZ__ string in every line of wrapping_paloads.txt will be replaced with a fuzzzing payload.
|
|
This is especially useful for fuzzing software that relies on Nmap service banners.
|
|
|
|
There is an example wrapper file in the GIT repository: extra_files/fuzz_nmap_signatures.
|
|
Use it to fuzz for bugs in software that relies on Nmap output.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|