
portspoof's Introduction

Portspoof

Portspoof software overview (https://drk1wi.github.io/portspoof/)

**Short description:**

Portspoof's primary goal is to enhance OS security through the following set of techniques:

  • All 65535 TCP ports are always open

    Instead of informing an attacker that a particular port is in a CLOSED or FILTERED state, Portspoof returns SYN+ACK for every port connection attempt.

    As a result, it is impractical to use stealth (SYN, ACK, etc.) port scanning against your system, since all ports are always reported as OPEN:

     **`nmap -p 1-20 127.0.0.1`**
     Starting Nmap 6.47 ( http://nmap.org )
     Nmap scan report for 127.0.0.1
     Host is up (0.0018s latency).
     PORT   STATE SERVICE
     1/tcp  open  tcpmux
     2/tcp  open  compressnet
     3/tcp  open  compressnet
     4/tcp  open  unknown
     5/tcp  open  unknown
     6/tcp  open  unknown
     7/tcp  open  echo
     8/tcp  open  unknown
     9/tcp  open  discard
     10/tcp open  unknown
     11/tcp open  systat
     12/tcp open  unknown
     13/tcp open  daytime
     14/tcp open  unknown
     15/tcp open  netstat
     16/tcp open  unknown
     17/tcp open  qotd
     18/tcp open  unknown
     19/tcp open  chargen
     20/tcp open  ftp-data
    
  • Every open TCP port emulates a service

    Portspoof has a huge database of dynamic service signatures that are used to generate fake banners and fool scanners.

    Scanning software usually tries to determine the version of the service running on an open port. Portspoof responds to every service probe with a valid service signature that is generated dynamically from a database of service-signature regular expressions.

    As a result, an attacker cannot determine which port numbers your system is truly using:

     **`nmap -F -sV 127.0.0.1`**
     Starting Nmap 6.47 ( http://nmap.org )
     Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
     Nmap scan report for 127.0.0.1
     Host is up (0.21s latency).
     PORT      STATE SERVICE          VERSION
     7/tcp     open  http             Milestone XProtect video surveillance http interface (tu-ka)
     9/tcp     open  ntop-http        Ntop web interface 1ey (Q)
     13/tcp    open  ftp              VxWorks ftpd 6.a
     21/tcp    open  http             Grandstream VoIP phone http config 6193206
     22/tcp    open  http             Cherokee httpd X
     23/tcp    open  ftp              MacOS X Server ftpd (MacOS X Server 790751705)
     25/tcp    open  smtp?
     26/tcp    open  http             ZNC IRC bouncer http config 0.097 or later
     37/tcp    open  finger           NetBSD fingerd
     53/tcp    open  ftp              Rumpus ftpd
     79/tcp    open  http             Web e (Netscreen administrative web server)
     80/tcp    open  http             BitTornado tracker dgpX
     81/tcp    open  hosts2-ns?
     88/tcp    open  http             3Com OfficeConnect Firewall http config
     106/tcp   open  pop3pw?
     110/tcp   open  ipp              Virata-EmWeb nbF (HP Laserjet 4200 TN http config)
     111/tcp   open  imap             Dovecot imapd
     113/tcp   open  smtp             Xserve smtpd
     119/tcp   open  nntp?
     135/tcp   open  http             netTALK Duo http config
     139/tcp   open  http             Oversee Turing httpd kC (domain parking)
     143/tcp   open  crestron-control TiVo DVR Crestron control server
     144/tcp   open  http             Ares Galaxy P2P httpd 7942927
     179/tcp   open  http             WMI ViH (3Com 5500G-EI switch http config)
     199/tcp   open  smux?
     389/tcp   open  http-proxy       ziproxy http proxy
     427/tcp   open  vnc              (protocol 3)
     443/tcp   open  https?
     444/tcp   open  snpp?
     445/tcp   open  http             Pogoplug HBHTTP QpwKdZQ
     465/tcp   open  http             Gordian httpd 322410 (IQinVision IQeye3 webcam rtspd)
     513/tcp   open  login?
     514/tcp   open  finger           ffingerd
     515/tcp   open  pop3             Eudora Internet Mail Server X pop3d 4918451
     543/tcp   open  ftp              Dell Laser Printer z printer ftpd k
     544/tcp   open  ftp              Solaris ftpd
     548/tcp   open  http             Medusa httpd Elhmq (Sophos Anti-Virus Home http config)
     554/tcp   open  rtsp?
     587/tcp   open  http-proxy       Pound http proxy
     631/tcp   open  efi-webtools     EFI Fiery WebTools communication
     646/tcp   open  ldp?
     873/tcp   open  rsync?
     990/tcp   open  http             OpenWrt uHTTPd
     993/tcp   open  ftp              Konica Minolta bizhub printer ftpd
     995/tcp   open  pop3s?
     1025/tcp  open  sip-proxy        Comdasys SIP Server D
     1026/tcp  open  LSA-or-nterm?
     1027/tcp  open  IIS?
     1028/tcp  open  rfidquery        Mercury3 RFID Query protocol
     1029/tcp  open  smtp-proxy       ESET NOD32 anti-virus smtp proxy
     1110/tcp  open  http             qhttpd
     1433/tcp  open  http             ControlByWeb WebRelay-Quad http admin
     1720/tcp  open  H.323/Q.931?
     1723/tcp  open  pptp?
     1755/tcp  open  http             Siemens Simatic HMI MiniWeb httpd
     1900/tcp  open  tunnelvision     Tunnel Vision VPN info 69853
     2000/tcp  open  telnet           Patton SmartNode 4638 VoIP adapter telnetd
     2001/tcp  open  dc?
     2049/tcp  open  nfs?
     2121/tcp  open  http             Bosch Divar Security Systems http config
     2717/tcp  open  rtsp             Darwin Streaming Server 104621400
     3000/tcp  open  pop3             Solid pop3d
     3128/tcp  open  irc-proxy        muh irc proxy
     3306/tcp  open  ident            KVIrc fake identd
     3389/tcp  open  ms-wbt-server?
     3986/tcp  open  mapper-ws_ethd?
     4899/tcp  open  printer          QMC DeskLaser printer (Status o)
     5000/tcp  open  http             D-Link DSL-eTjM http config
     5009/tcp  open  airport-admin?
     5051/tcp  open  ssh              (protocol 325257)
     5060/tcp  open  http             apt-cache/apt-proxy httpd
     5101/tcp  open  ftp              OKI BVdqeC-ykAA VoIP adapter ftpd kHttKI
     5190/tcp  open  http             Conexant-EmWeb JqlM (Intertex IX68 WAP http config; SIPGT TyXT)
     5357/tcp  open  wsdapi?
     5432/tcp  open  postgresql?
     5631/tcp  open  irc              ircu ircd
     5666/tcp  open  litecoin-jsonrpc Litecoin JSON-RPC f_
     5800/tcp  open  smtp             Lotus Domino smtpd rT Beta y
     5900/tcp  open  ftp
     6000/tcp  open  http             httpd.js (Songbird WebRemote)
     6001/tcp  open  daap             mt-daapd DAAP TGeiZA
     6646/tcp  open  unknown
     7070/tcp  open  athinfod         Athena athinfod
     8000/tcp  open  amanda           Amanda backup system index server (broken: libsunmath.so.1 not found)
     8008/tcp  open  http?
     8009/tcp  open  ajp13?
     8080/tcp  open  http             D-Link DGL-4300 WAP http config
     8081/tcp  open  http             fec ysp (Funkwerk bintec R232B router; .h.K...z)
     8443/tcp  open  smtp
     8888/tcp  open  smtp             OpenVMS smtpd uwcDNI (OpenVMS RVqcGIr; Alpha)
     9100/tcp  open  jetdirect?
     9999/tcp  open  http             Embedded HTTPD 3BOzejtHW (Netgear MRd WAP http config; j)
     10000/tcp open  http             MikroTik router http config (RouterOS 0982808)
     32768/tcp open  filenet-tms?
     49152/tcp open  unknown
     49153/tcp open  http             ASSP Anti-Spam Proxy httpd XLgR(?)?
     49154/tcp open  http             Samsung AllShare httpd
     49155/tcp open  ftp              Synology DiskStation NAS ftpd
     49156/tcp open  aspi             ASPI server 837305
     49157/tcp open  sip              AVM FRITZ!Box |
    

    By using these two techniques together:

    • your attackers will have a tough time trying to identify your real services.
    • the only way to determine whether a service is emulated is through a protocol probe (imagine probing protocols on 65k open ports!).
    • it takes more than 8 hours and 200 MB of sent data to properly complete the reconnaissance phase for your system (the equivalent of nmap -sV -p -).

    **Art of Active (Offensive) Defense**

    Portspoof can be used as an 'Exploitation Framework Frontend' that turns your system into a responsive and aggressive machine. In practice this usually means exploiting your attackers' tools and exploits... At the moment there are a few example exploits in the configuration file (portspoof.conf).

    Portspoof is meant to be a lightweight, fast, portable and secure addition to any firewall system or security system.

    The general goal of the program is to make the reconnaissance phase as slow and bothersome for your attackers as possible. This is quite a change from the standard 5 s Nmap scan that gives a full view of the services your system is running.

    The most important features of this software:

    • it adds some real pain to your attackers' reconnaissance phase.
    • it is userland software and does not require root privileges!
    • it binds to just ONE TCP port per running instance!
    • it is easily customizable through your iptables rules
    • marginal CPU and memory usage (multithreaded)
    • more than 9000 dynamic service signatures to feed your attackers' scanning software!
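The emulation technique described above, a banner produced at connect time from a database of signature regular expressions, reduces to a reverse-regex generator: walk the pattern and emit one string that the pattern would match. What follows is an added example written for this page, not portspoof's own revregex implementation. It covers the subset that banner signatures use, seeds the generator from the destination port so that a rescan of the same port sees the same "service", cross-checks every banner against Python's re engine, and rejects malformed patterns (an unterminated bracket expression, an unbalanced parenthesis) with a ValueError instead of reading past the end of the pattern; the "Occasional segfault when starting" issue further down this page, whose backtrace ends inside a bracket-expression parser, is the kind of failure such bounds checks are there to prevent. PRINTABLE, MAX_REPEAT, the escape table and the port-seeded RNG are my assumptions.

```python
# Added example (not portspoof's revregex): a small reverse-regex generator for the
# subset banner signatures use: literals, escapes (\d \w \s \n \r \t), '.', bracket
# classes with ranges and negation, (groups), alternation, quantifiers * + ? {m} {m,n}.
import random, re, string

PRINTABLE = string.ascii_letters + string.digits + " .,:;-_/()[]"  # assumed alphabet for '.'
MAX_REPEAT = 8  # assumed cap for unbounded quantifiers
ESCAPES = {"d": string.digits, "w": string.ascii_letters + string.digits + "_",
           "s": " ", "n": "\n", "r": "\r", "t": "\t"}  # any other escape is a literal

def _parse_class(pat, i):  # '[...]' at pat[i] -> (("lit", member chars), index past the ']')
    negate = pat[i + 1:i + 2] == "^"
    i += 2 if negate else 1
    members, first = set(), True
    while True:
        if i >= len(pat):  # never read past the end of the pattern
            raise ValueError("unterminated bracket expression")
        c = pat[i]
        if c == "]" and not first:  # a ']' in first position is a literal
            break
        first = False
        if c == "\\":
            members |= set(ESCAPES.get(pat[i + 1:i + 2], pat[i + 1:i + 2]))
            i += 2
        elif i + 2 < len(pat) and pat[i + 1] == "-" and pat[i + 2] != "]":
            members |= {chr(x) for x in range(ord(c), ord(pat[i + 2]) + 1)}
            i += 3
        else:
            members.add(c)
            i += 1
    chars = "".join(sorted(set(PRINTABLE) - members if negate else members))
    if not chars:
        raise ValueError("empty character class")
    return ("lit", chars), i + 1

def _parse_atom(pat, i):  # one atom at pat[i] -> (node, or None for anchors; next index)
    c = pat[i]
    if c == "(":
        j = i + 3 if pat.startswith("(?:", i) else i + 1
        node, j = _parse_alt(pat, j)
        if j >= len(pat) or pat[j] != ")":
            raise ValueError("unbalanced parenthesis")
        return node, j + 1
    if c == "[":
        return _parse_class(pat, i)
    if c == "\\":
        if i + 1 >= len(pat):
            raise ValueError("dangling backslash")
        return ("lit", ESCAPES.get(pat[i + 1], pat[i + 1])), i + 2
    if c == ".":
        return ("lit", PRINTABLE), i + 1
    if c in "^$":  # anchors produce no text
        return None, i + 1
    return ("lit", c), i + 1

def _parse_quant(pat, i, node):  # apply a following * + ? {m} {m,n} (and a lazy '?') if present
    m = re.match(r"(?:([*+?])|\{(\d+)(?:,(\d*))?\})\??", pat[i:])
    if not m:
        return node, i
    if m.group(1):
        lo, hi = {"*": (0, MAX_REPEAT), "+": (1, MAX_REPEAT), "?": (0, 1)}[m.group(1)]
    else:
        lo = int(m.group(2))
        hi = lo if m.group(3) is None else int(m.group(3) or lo + MAX_REPEAT)
    return ("rep", node, lo, hi), i + m.end()

def _parse_alt(pat, i):  # alternatives up to ')' or end -> (("alt", [seq, ...]), index)
    branches, items = [], []
    while True:
        if i >= len(pat) or pat[i] in "|)":
            branches.append(("seq", items))
            if i < len(pat) and pat[i] == "|":
                items, i = [], i + 1
                continue
            return ("alt", branches), i
        atom, i = _parse_atom(pat, i)
        if atom is not None:
            atom, i = _parse_quant(pat, i, atom)
            items.append(atom)

def _generate(node, rng):  # sample one string from the parsed tree
    kind, body = node[0], node[1]
    if kind == "lit":
        return rng.choice(body)
    if kind == "seq":
        return "".join(_generate(n, rng) for n in body)
    if kind == "alt":
        return _generate(rng.choice(body), rng)
    return "".join(_generate(body, rng) for _ in range(rng.randint(node[2], node[3])))

def banner_from_signature(signature, port, salt=0):
    """One banner matching `signature`; seeded by the destination port so a rescan sees the same 'service'."""
    tree, end = _parse_alt(signature, 0)
    if end != len(signature):
        raise ValueError("unbalanced parenthesis at offset %d" % end)
    banner = _generate(tree, random.Random((port << 16) ^ salt))
    if re.fullmatch(signature, banner) is None:  # cross-check against the real regex engine
        raise ValueError("generated banner does not match its signature")
    return banner
```

Feeding it the POP3 signature quoted in that issue's backtrace (the param_str value) returns a string of the form `+OK POP3 server (Neon Mail Server System Advance ..., ...) ready .... <` followed by a newline, with the groups filled in; the same (signature, port) pair returns the same string on every call, while `salt` lets each host vary its set of fake services. A pattern such as `220 ftpd [0-9`, constructed here as an example of an unterminated class, raises ValueError rather than producing a banner.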

Author:

Piotr Duszyński (@drk1wi).

Commercial Usage

Portspoof is licensed under this License.

For commercial, legitimate applications, please contact the author for the appropriate licensing arrangements.

portspoof's People

Contributors

andryyy, drk1wi, kamilpacanek, louistakepillz, xakon


portspoof's Issues

Error while install portspoof

System info

Linux bublic 5.15.0-75-generic #82-Ubuntu SMP Tue Jun 6 23:10:23 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Error

CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash /home/ssh4szybnev/portspoof/auto/missing --run aclocal-1.11
/home/ssh4szybnev/portspoof/auto/missing: line 52: aclocal-1.11: command not found
WARNING: `aclocal-1.11' is missing on your system.  You should only need it if
         you modified `acinclude.m4' or `configure.in'.  You might want
         to install the `Automake' and `Perl' packages.  Grab them from
         any GNU archive site.
 cd . && /bin/bash /home/ssh4szybnev/portspoof/auto/missing --run automake-1.11 --gnu
/home/ssh4szybnev/portspoof/auto/missing: line 52: automake-1.11: command not found
WARNING: `automake-1.11' is missing on your system.  You should only need it if
         you modified `Makefile.am', `acinclude.m4' or `configure.in'.
         You might want to install the `Automake' and `Perl' packages.
         Grab them from any GNU archive site.
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash /home/ssh4szybnev/portspoof/auto/missing --run autoconf
/home/ssh4szybnev/portspoof/auto/missing: line 52: autoconf: command not found
WARNING: `autoconf' is missing on your system.  You should only need it if
         you modified `configure.in'.  You might want to install the
         `Autoconf' and `GNU m4' packages.  Grab them from any GNU
         archive site.
/bin/bash ./config.status --recheck
running CONFIG_SHELL=/bin/bash /bin/bash ./configure --no-create --no-recursion
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking for style of include used by make... GNU
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking dependency style of gcc... gcc3
checking whether gcc and cc understand -c and -o together... yes
checking whether make sets $(MAKE)... (cached) yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/wait.h that is POSIX.1 compatible... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/ioctl.h usability... yes
checking sys/ioctl.h presence... yes
checking for sys/ioctl.h... yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/timeb.h usability... yes
checking sys/timeb.h presence... yes
checking for sys/timeb.h... yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking for an ANSI C-conforming const... yes
checking for size_t... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for inet_ntoa... yes
checking for memset... yes
checking for socket... yes
configure: creating ./config.status
 /bin/bash ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating tools/Makefile
config.status: creating src/config.h
config.status: src/config.h is unchanged
config.status: executing depfiles commands
Making install in src
make[1]: Entering directory '/home/ssh4szybnev/portspoof/src'
g++ -DHAVE_CONFIG_H -I.  -DCONFDIR='"/usr/local/etc"'    -g -O2 -MT portspoof-Configuration.o -MD -MP -MF .deps/portspoof-Configuration.Tpo -c -o portspoof-Configuration.o `test -f 'Configuration.cpp' || echo './'`Configuration.cpp
Configuration.cpp: In member function ‘bool Configuration::processArgs(int, char**)’:
Configuration.cpp:133:48: warning: too many arguments for format [-Wformat-extra-args]
  133 |                                 fprintf(stdout,"Error: -1 flag cannot be used with -f \n\n", __progname);
      |                                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Configuration.cpp:147:48: warning: too many arguments for format [-Wformat-extra-args]
  147 |                                 fprintf(stdout,"Error: -f flag cannot be used with -1 \n\n", __progname);
      |                                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

^Cmake[1]: *** [Makefile:310: portspoof-Configuration.o] Interrupt
make: *** [Makefile:248: install-recursive] Interrupt

Error to install portspoof

Hello, sorry if I write again, but it gives me an error when I type sudo make install:
Making install in src
make[1]: ingresso nella directory «/home/ghost/portspoof/src»
make[2]: ingresso nella directory «/home/ghost/portspoof/src»
test -z "/usr/local/bin" || /usr/bin/mkdir -p "/usr/local/bin"
/usr/bin/install -c portspoof '/usr/local/bin'
/usr/bin/install: impossibile sovrascrivere la directory '/usr/local/bin/portspoof' con una non-directory
make[2]: *** [Makefile:243: install-binPROGRAMS] Errore 1
make[2]: uscita dalla directory «/home/ghost/portspoof/src»
make[1]: *** [Makefile:502: install-am] Errore 2
make[1]: uscita dalla directory «/home/ghost/portspoof/src»
make: *** [Makefile:248: install-recursive] Errore 1

Sorry for disturbing your time, thanks.

No command injection

I'm running portspoof as in the videos and in the repo docs; port 8080 is open, the command injection is exactly the same, the signature is sent but no command is executed.

This is my iptables-config file

# Generated by iptables-save v1.8.7 on Mon May  2 08:59:34 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j ACCEPT
COMMIT
# Completed on Mon May  2 08:59:34 2022
# Generated by iptables-save v1.8.7 on Mon May  2 08:59:34 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
-A PREROUTING -i eth0 -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon May  2 08:59:34 2022

Somehow it differs a bit from yours

Occasional segfault when starting

There seems to be an occasional (it doesn't happen every time) segfault when loading.

-> Using user defined configuration file /home/pherricoxide/Code/portspoof/tools/portspoof.conf
-> Using user defined signature file /home/pherricoxide/Code/portspoof/tools/portspoof_signatures
-> Verbose mode on.

Program received signal SIGSEGV, Segmentation fault.
revregex_bracket (str=str@entry=0xde9a40 "\\+OK POP3 server \\(Neon Mail Server System Advance ye_EHcL, a[\374\n\a\\) ready [-\\w_.]+\\. <\n", start_offset=<optimized out>, 
    end_offset=end_offset@entry=80, retlen=0x7f01ffffd5ac, retlen@entry=0x7fffffffd5ac) at revregex.cpp:271
271     *retlen=finsize;
(gdb) backtrace 
#0  revregex_bracket (str=str@entry=0xde9a40 "\\+OK POP3 server \\(Neon Mail Server System Advance ye_EHcL, a[\374\n\a\\) ready [-\\w_.]+\\. <\n", start_offset=<optimized out>, 
    end_offset=end_offset@entry=80, retlen=0x7f01ffffd5ac, retlen@entry=0x7fffffffd5ac) at revregex.cpp:271
#1  0x000000000040785d in revregex (param_str=param_str@entry=0xdea110 "\\+OK POP3 server \\(Neon Mail Server System Advance ([-\\w_.]+), [^)]*\\) ready ([-\\w_.]+)\\. <\n", 
    param_len=param_len@entry=0x7fffffffd5fc, start_offset=start_offset@entry=0, end_offset=end_offset@entry=91) at revregex.cpp:448
#2  0x0000000000407bb8 in process_signature (str=...) at revregex.cpp:578
#3  0x000000000040436b in Configuration::processSignatureFile (this=this@entry=0x64d010) at Configuration.cpp:278
#4  0x0000000000404953 in Configuration::processArgs (this=this@entry=0x64d010, argc=argc@entry=6, argv=argv@entry=0x7fffffffe078) at Configuration.cpp:173
#5  0x0000000000402b82 in main (argc=6, argv=0x7fffffffe078) at Portspoof.cpp:54
(gdb) 

Detection of nmap without -sV?

Hello,

are there any specific settings one needs to change to detect nmap without the -sV option?
When running an nmap-scan with -sV of the portspoof-server, the alerts get generated:

1692696537 # Service_probe # SIGNATURE_SEND # source_ip:<IP> # dst_port:5500

However, without the -sV option, no alerts get generated.

What are we doing wrong?
Kind regards
Gearanach

make fails

Making all in src
/Library/Developer/CommandLineTools/usr/bin/make all-am
g++ -DHAVE_CONFIG_H -I. -DCONFDIR='"/etc"' -g -O2 -MT portspoof-connection.o -MD -MP -MF .deps/portspoof-connection.Tpo -c -o portspoof-connection.o `test -f 'connection.cpp' || echo './'`connection.cpp
connection.cpp:148:48: error: use of undeclared identifier 'SOL_IP'
...if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr_)...
^
connection.cpp:198:48: error: use of undeclared identifier 'SOL_IP'
...if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr_)...
^
connection.cpp:234:47: error: use of undeclared identifier 'SOL_IP'
if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_...
^
3 errors generated.
make[2]: *** [portspoof-connection.o] Error 1
make[1]: *** [all] Error 2
make: *** [all-recursive] Error 1

BSD - include file hell

I don't have time for this. If anyone would like to help then he is more than welcome :)

Restore BSD support

The relevant code is there... it's just a matter of time to sort some compilation issues.

Run as Service Error

Hello,

I have installed Portspoof on Redhat 7.
Finally I configured below command.
portspoof -c /usr/local/etc/portspoof.conf -s /usr/local/etc/portspoof_signatures -D

But when I restart computer Portspoof not working.
What can I do?

Best regards.

Useful but not practical

So, portspoof will reply that every port is open, but with a fake banner for a specific service; that does not mean that the server is safe, however the idea is great.
Even if a scanner is pointed at port 80 and receives an ssh banner, the attacker already knows that port 80 is for the http service, which means apache or nginx, and just needs to launch some exploits.
It is much better for the server admin to individually compile the tools that will be used and change the output info for scanners: instead of "Nginx 2.05" the attacker will get "Custom http server 1.0", which there is no exploit for; or configure iptables on a port scan to drop every connection from that ip; or even slow down the response by implementing some pks/s rules on that port.
Another alternative, which could be more valuable to the system admin, is to run a script in the background that checks iptables reports, and when it sees an attempt to scan or ping a port not configured in iptables, that script will automatically run an nmap scan on the attacker's ip and register the ip in a separate file with the hour, country of the ip, etc.
The same thing can be done for http ports if something out of the ordinary is being attempted by the attacker, like an sql exploitation attempt, etc.
On ssh ports anyone can configure port knocking, which is easy to do and much safer than anything; it requires the correct sequence of pings to get that port opened, and with ssh keys on top of that, the exploitation or brute force attempt becomes even more improbable.

It doesn't work on Raspberry PI B

I have been following the INSTALL instructions, but I did an nmap scan of my raspberry and it didn't work.

I look forward to hearing from you.

Floating point exception (core dumped)

Running with arguments,

-v -f extra_files/fuzz_nmap_signatures -1

And then doing an nmap scan of port 4444 with -sV turned on results in,

Program received signal SIGFPE, Arithmetic exception.

0x0000000000405e2a in Fuzzer::GetFUZZ (this=0x64d290) at Fuzzer.cpp:162
162         if(this->counter%this->nmapfuzzsignatures.size()==0)

(gdb) backtrace 
#0  0x0000000000405e2a in Fuzzer::GetFUZZ (this=0x64d290) at Fuzzer.cpp:162
#1  0x00000000004036f0 in Configuration::mapPort2Signature (this=<optimized out>, port=port@entry=4444) at Configuration.cpp:251
#2  0x000000000040556d in process_connection (arg=0x64d010) at connection.cpp:206
#3  0x00007ffff76abf8e in start_thread (arg=0x7ffff6fd6700) at pthread_create.c:311
#4  0x00007ffff73d5e1d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Platform: 64 bit Linux (Ubuntu 13.04).

portspoof logging

After a successfully working installation of portspoof, its logs don't show the original IP, just the server's IP, 1.2.3.4:

1394991139 # Service_probe # SIGNATURE_SEND # source_ip:1.2.3.4 # dst_port:11

Could the iptables nat be obfuscating the original scanner's IP? Here is the relevant code that returns the IP in the logs from connections.cpp, line 196:

snprintf(msg,MAX_LOG_MSG_LEN,"%d # Service_probe # SIGNATURE_SEND # source_ip:%s # dst_port:%d  \n",(int)timestamp,(char*)inet_ntoa(peer_sockaddr.sin_addr),original_port);
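The alert lines quoted in the two logging issues above (one `SIGNATURE_SEND` record per probe, carrying `source_ip` and `dst_port`) are the raw material a defender has for detection. The following is an added example written for this page, not part of portspoof: it parses that format, groups probes by source, flags sources that touched many distinct ports inside a short window, and counts separately any record whose source is one of the host's own addresses, which is how the "server's IP instead of the scanner's" symptom reported above would surface if, as the reporter suspects, a NAT rule were rewriting the client address. The threshold, the window, and the sample lines (203.0.113.x and 198.51.100.x are documentation ranges; 1.2.3.4 is the placeholder from the issue) are constructed assumptions. One caveat this log cannot remove: a half-open SYN scan never completes the handshake, so the userland listener never accepts a connection and nothing reaches this log, which matches the "no alerts without -sV" observation in the earlier issue.

```python
# Added example, not part of portspoof: parse the alert format quoted in the
# issues above and flag sources that probed many distinct ports within a window.
from collections import defaultdict
import re

# Field layout copied from the alert lines quoted above.
ALERT_RE = re.compile(r"^(?P<ts>\d+) # (?P<kind>\w+) # (?P<event>\w+) # "
                      r"source_ip:(?P<src>[\d.]+) # dst_port:(?P<port>\d+)\s*$")

# Constructed sample log: one source sweeping 12 low ports in 33 seconds, one
# ordinary hit, one line whose source is the host's own address, and one line
# of unrelated noise.
SAMPLE_LINES = [
    "%d # Service_probe # SIGNATURE_SEND # source_ip:203.0.113.7 # dst_port:%d"
    % (1692696537 + 3 * n, port)
    for n, port in enumerate([7, 9, 13, 21, 23, 25, 26, 37, 53, 79, 80, 81])
] + [
    "1692696600 # Service_probe # SIGNATURE_SEND # source_ip:198.51.100.2 # dst_port:80",
    "1692696601 # Service_probe # SIGNATURE_SEND # source_ip:1.2.3.4 # dst_port:11",
    "not an alert line",
]

def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": int(m["ts"]), "kind": m["kind"], "event": m["event"],
            "src": m["src"], "port": int(m["port"])}

def find_sweeps(lines, min_ports=10, window=300, own_addresses=()):
    """Per source, count distinct destination ports hit inside any `window`-second
    span; sources reaching `min_ports` are reported with their peak count.
    Alerts attributed to one of `own_addresses` (the host itself) are counted
    separately: a NAT rule that rewrites the client address shows up there."""
    hits, self_sourced = defaultdict(list), 0
    for line in lines:
        a = parse_alert(line)
        if a is None or a["event"] != "SIGNATURE_SEND":
            continue
        if a["src"] in own_addresses:
            self_sourced += 1
            continue
        hits[a["src"]].append((a["ts"], a["port"]))
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding window over timestamps
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({port for _, port in events[lo:hi + 1]})
            if distinct >= min_ports:
                sweeps[src] = max(sweeps.get(src, 0), distinct)
    return {"sweeps": sweeps, "self_sourced": self_sourced}

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LINES, own_addresses=("1.2.3.4",)))
    # -> {'sweeps': {'203.0.113.7': 12}, 'self_sourced': 1}
```

On the constructed sample, `find_sweeps(SAMPLE_LINES, own_addresses=("1.2.3.4",))` reports `203.0.113.7` with 12 distinct ports and one self-sourced record; the single hit from `198.51.100.2` stays below the threshold. Pointing `lines` at the file given to `-l` and feeding the result to whatever raises alerts is the intended use.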

Terminate called after throwing an instance of 'std::out_of_range'

When attempting to figure out the cause of #8 I changed the args to,

./portspoof -v -f extra_files/fuzz_nmap_signatures -n extra_files/fuzz_payloads -1

Not entirely sure how the fuzzing stuff works yet, so I'm probably giving it bad arguments.. but I thought I'd report the crash anyway so you can add some better input validation.

Thread nr.0 for port 4444 
terminate called after throwing an instance of 'std::out_of_range'
  what():  basic_string::substr

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff6fd6700 (LWP 10980)]
0x00007ffff7313037 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) backtrace 
#0  0x00007ffff7313037 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7316698 in __GI_abort () at abort.c:90
#2  0x00007ffff7b37e8d in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00007ffff7b35f76 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x00007ffff7b35fa3 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x00007ffff7b361de in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#6  0x00007ffff7b889ad in std::__throw_out_of_range(char const*) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#7  0x00000000004091e2 in _M_check (__s=0x40a30e "basic_string::substr", __pos=<optimized out>, this=0x7ffff6fd5030) at /usr/include/c++/4.7/bits/basic_string.h:321
#8  substr (__n=2, __pos=<optimized out>, this=0x7ffff6fd5030) at /usr/include/c++/4.7/bits/basic_string.h:2205
#9  Utils::wrapNMAP (wrapper=..., payload=...) at Utils.cpp:105
#10 0x0000000000405f83 in Fuzzer::GetFUZZ (this=<optimized out>) at Fuzzer.cpp:195
#11 0x00000000004036f0 in Configuration::mapPort2Signature (this=<optimized out>, port=port@entry=4444) at Configuration.cpp:251
#12 0x000000000040556d in process_connection (arg=0x2ae0) at connection.cpp:206
#13 0x00007ffff76abf8e in start_thread (arg=0x7ffff6fd6700) at pthread_create.c:311
#14 0x00007ffff73d5e1d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Getsockopt failed: Protocol not available

Running portspoof by itself resulted in,

$ portspoof 
-> No parameters - using default values.
Error opening signature file: portspoof_signatures 

Then I tried the -1 option (so it doesn't require a portspoof_signatures file?). However, it doesn't appear to make any of the ports appear as open, and it throws the following error when nmap runs,

$ portspoof -1 -v
-> Generate fuzzing payloads internally!
-> Verbose mode on.
 new conn - thread choosen: 0 -  nr. of connections already in queue: 0
 Getsockopt failed: Protocol not available

This is on an Ubuntu 13.04 system.

just cannot install

make
Making all in src
make[1]: Entering directory `/root/Desktop/portspoof-master/src'
make all-am
make[2]: Entering directory `/root/Desktop/portspoof-master/src'
g++ -DHAVE_CONFIG_H -I. -DCONFDIR='"/usr/local/etc"' -g -O2 -MT portspoof-Configuration.o -MD -MP -MF .deps/portspoof-Configuration.Tpo -c -o portspoof-Configuration.o `test -f 'Configuration.cpp' || echo './'`Configuration.cpp
In file included from Configuration.h:86:0,
from Configuration.cpp:38:
Utils.h:45:25: fatal error: openssl/aes.h: File o directory non esistente
compilation terminated.
make[2]: *** [portspoof-Configuration.o] Error 1
make[2]: Leaving directory `/root/Desktop/portspoof-master/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/Desktop/portspoof-master/src'
make: *** [all-recursive] Error 1

Random crashes

Portspoof (built after this commit) randomly crashes very often. I start it with this command line from a non-root user:
./root/bin/portspoof -c ./root/etc/portspoof.conf -s ./root/etc/portspoof_signatures

I know an issue without a log is a pain, but it is crashing two or three times a day with no output :s
Is it possible to enable some debug to provide logs? Where can I enable them?

My old version (1.3 - 26/06/2014) crashed less (one or two times a week) and sometimes output 'Send to socket failed: Connection reset by peer'. Don't know if it helps.

gcc (Debian 4.9.2-10) 4.9.2
debian 8.6
iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 123456 -j RETURN
iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444

Not related to the issue: Thanks for providing this awesome tool! Great work! I hope support will be back :)

ARM compatibility

As far as I know, Portspoof does not run on ARM devices at the moment.

Would it be possible to create a version of portspoof that runs on ARM, too?

Build fails with strict-aliasing violations

I tried to compile with LTO: -flto=4 -Werror=odr -Werror=lto-type-mismatch -Werror=strict-aliasing

The -Werror=* flags are important to detect cases where the compiler can try to optimize based on assuming UB cannot happen, and miscompile code that has UB in it. strict-aliasing issues are always bad but LTO can make them even worse.

I got this error:

x86_64-pc-linux-gnu-g++ -DHAVE_CONFIG_H -I.  -DCONFDIR='"/etc"'    -march=native -fstack-protector-all -O2 -pipe -fdiagnostics-color=always -frecord-gcc-switches -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-clash-protection -flto=4 -Werror=odr -Werror=lto-type-mismatch -Werror=strict-aliasing  -Wformat -Werror=format-security -c -o portspoof-connection.o `test -f 'connection.cpp' || echo './'`connection.cpp
connection.cpp: In function ‘void* process_connection(void*)’:
connection.cpp:92:22: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing]
   92 |         int tid =  *((int*)(&arg));
      |                     ~^~~~~~~~~~~~~
cc1plus: some warnings being treated as errors
make[2]: *** [Makefile:455: portspoof-connection.o] Error 1

Downstream report: https://bugs.gentoo.org/861698
Full build log: build.log

Can't install portspoof

Hello, I tried so many times to find out how to install, but every time when I run the command make the error is:
Making all in src
make[1]: ingresso nella directory «/home/ghost/portspoof/src»
make all-am
make[2]: ingresso nella directory «/home/ghost/portspoof/src»
g++ -DHAVE_CONFIG_H -I. -DCONFDIR='"/usr/local/etc"' -g -O2 -MT portspoof-Configuration.o -MD -MP -MF .deps/portspoof-Configuration.Tpo -c -o portspoof-Configuration.o `test -f 'Configuration.cpp' || echo './'`Configuration.cpp
In file included from Configuration.h:91,
from Configuration.cpp:38:
connection.h:48:10: fatal error: sys/sysctl.h: File o directory non esistente
48 | #include <sys/sysctl.h>
| ^~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [Makefile:310: portspoof-Configuration.o] Errore 1
make[2]: uscita dalla directory «/home/ghost/portspoof/src»
make[1]: *** [Makefile:189: all] Errore 2
make[1]: uscita dalla directory «/home/ghost/portspoof/src»
make: *** [Makefile:248: all-recursive] Errore 1

If anyone can help me I will be very happy, thank you

Portspoof is running but nmap -F -sV 127.0.0.1 works

Clean pull from master
OS: Ubuntu 16.04

./configure
make
sudo make install
sudo portspoof -c /usr/local/etc/portspoof.conf -s /usr/local/etc/portspoof_signatures -D1

When I run nmap I see the process in htop but nmap -F -sV 127.0.0.1 doesn't show any spoofed port.

Portspoof logging

I have tried to set up logging; however, once I specify the file I would like the logs to go to with "-l" and then proceed to scan the device to test it, there is no output to the log file. I am trying to set up forwarding with syslog and would like to forward the alerts, otherwise I wouldn't even post this. The tool is awesome, and I greatly appreciate it!

Portspoof crashes when using -f option

My portspoof installation (running on an ARM device) is working well by using the service emulation mode ("portspoof -c /path/to/portspoof.conf -s /path/to/portspoof_signatures -D").

However, when using any fuzzing mode but the -1 one, for example:
"portspoof -f /path/to/fuzzingfile.txt -D",
Portspoof crashes instantly.

Maybe this is because of wrong syntax in the fuzzingfile.txt (some non-alphanumeric chars), but I don't know for sure.

Configure script with --prefix specified installs to insane locations

When specifying ./configure --prefix=/usr, the config files are installed to /usr/etc/ rather than something sensible like /etc/portspoof/.

Ideally speaking, the package shouldn't even touch /etc/, really, it should install the example config and signatures file to /usr/lib/portspoof.

Random close

hi

Recently portspoof randomly close (no crash: exit 0)
[screenshot: capture d ecran - 27062017 - 20 37 05]
(last line is ctrl+c to show the difference on my prompt)

How can I trace/debug this?

Thanks :)
