-
Notifications
You must be signed in to change notification settings - Fork 149
/
README
202 lines (168 loc) · 10.1 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
Portspoof software overview (http://drk1wi.github.io/portspoof/)
**Short description:**
The Portspoof program primary goal is to enhance OS security through a set of following techniques:
- All 65535 TCP ports are always open
Instead of informing an attacker that a particular port is in a CLOSED or FILTERED state Portspoof will return SYN+ACK for every port connection attempt ... and no it does not bind to every possible port ;-)
As a result it is impractical to use stealth (SYN, ACK, etc.) port scanning against your system, since all ports are always reported as OPEN:
**`nmap -p 1-20 127.0.0.1`**
Starting Nmap 6.47 ( http://nmap.org )
Nmap scan report for 127.0.0.1
Host is up (0.0018s latency).
PORT STATE SERVICE
1/tcp open tcpmux
2/tcp open compressnet
3/tcp open compressnet
4/tcp open unknown
5/tcp open unknown
6/tcp open unknown
7/tcp open echo
8/tcp open unknown
9/tcp open discard
10/tcp open unknown
11/tcp open systat
12/tcp open unknown
13/tcp open daytime
14/tcp open unknown
15/tcp open netstat
16/tcp open unknown
17/tcp open qotd
18/tcp open unknown
19/tcp open chargen
20/tcp open ftp-data
- Every open TCP port emulates a services
Portspoof has a huge database of dynamic service signatures, that will be used to generate fake banners and fool scanners.
Scanning software usually tries to determine a service version that is running on an open port. Portspoof will respond to every service probe with a valid service signature, that is dynamically generated based on a service signature regular expression database.
As a result an attacker will not be able to determine which port numbers your system is truly using:
**`nmap -F -sV 127.0.0.1`**
Starting Nmap 6.47 ( http://nmap.org )
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Nmap scan report for 127.0.0.1
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
7/tcp open http Milestone XProtect video surveillance http interface (tu-ka)
9/tcp open ntop-http Ntop web interface 1ey (Q)
13/tcp open ftp VxWorks ftpd 6.a
21/tcp open http Grandstream VoIP phone http config 6193206
22/tcp open http Cherokee httpd X
23/tcp open ftp MacOS X Server ftpd (MacOS X Server 790751705)
25/tcp open smtp?
26/tcp open http ZNC IRC bouncer http config 0.097 or later
37/tcp open finger NetBSD fingerd
53/tcp open ftp Rumpus ftpd
79/tcp open http Web e (Netscreen administrative web server)
80/tcp open http BitTornado tracker dgpX
81/tcp open hosts2-ns?
88/tcp open http 3Com OfficeConnect Firewall http config
106/tcp open pop3pw?
110/tcp open ipp Virata-EmWeb nbF (HP Laserjet 4200 TN http config)
111/tcp open imap Dovecot imapd
113/tcp open smtp Xserve smtpd
119/tcp open nntp?
135/tcp open http netTALK Duo http config
139/tcp open http Oversee Turing httpd kC (domain parking)
143/tcp open crestron-control TiVo DVR Crestron control server
144/tcp open http Ares Galaxy P2P httpd 7942927
179/tcp open http WMI ViH (3Com 5500G-EI switch http config)
199/tcp open smux?
389/tcp open http-proxy ziproxy http proxy
427/tcp open vnc (protocol 3)
443/tcp open https?
444/tcp open snpp?
445/tcp open http Pogoplug HBHTTP QpwKdZQ
465/tcp open http Gordian httpd 322410 (IQinVision IQeye3 webcam rtspd)
513/tcp open login?
514/tcp open finger ffingerd
515/tcp open pop3 Eudora Internet Mail Server X pop3d 4918451
543/tcp open ftp Dell Laser Printer z printer ftpd k
544/tcp open ftp Solaris ftpd
548/tcp open http Medusa httpd Elhmq (Sophos Anti-Virus Home http config)
554/tcp open rtsp?
587/tcp open http-proxy Pound http proxy
631/tcp open efi-webtools EFI Fiery WebTools communication
646/tcp open ldp?
873/tcp open rsync?
990/tcp open http OpenWrt uHTTPd
993/tcp open ftp Konica Minolta bizhub printer ftpd
995/tcp open pop3s?
1025/tcp open sip-proxy Comdasys SIP Server D
1026/tcp open LSA-or-nterm?
1027/tcp open IIS?
1028/tcp open rfidquery Mercury3 RFID Query protocol
1029/tcp open smtp-proxy ESET NOD32 anti-virus smtp proxy
1110/tcp open http qhttpd
1433/tcp open http ControlByWeb WebRelay-Quad http admin
1720/tcp open H.323/Q.931?
1723/tcp open pptp?
1755/tcp open http Siemens Simatic HMI MiniWeb httpd
1900/tcp open tunnelvision Tunnel Vision VPN info 69853
2000/tcp open telnet Patton SmartNode 4638 VoIP adapter telnetd
2001/tcp open dc?
2049/tcp open nfs?
2121/tcp open http Bosch Divar Security Systems http config
2717/tcp open rtsp Darwin Streaming Server 104621400
3000/tcp open pop3 Solid pop3d
3128/tcp open irc-proxy muh irc proxy
3306/tcp open ident KVIrc fake identd
3389/tcp open ms-wbt-server?
3986/tcp open mapper-ws_ethd?
4899/tcp open printer QMC DeskLaser printer (Status o)
5000/tcp open http D-Link DSL-eTjM http config
5009/tcp open airport-admin?
5051/tcp open ssh (protocol 325257)
5060/tcp open http apt-cache/apt-proxy httpd
5101/tcp open ftp OKI BVdqeC-ykAA VoIP adapter ftpd kHttKI
5190/tcp open http Conexant-EmWeb JqlM (Intertex IX68 WAP http config; SIPGT TyXT)
5357/tcp open wsdapi?
5432/tcp open postgresql?
5631/tcp open irc ircu ircd
5666/tcp open litecoin-jsonrpc Litecoin JSON-RPC f_
5800/tcp open smtp Lotus Domino smtpd rT Beta y
5900/tcp open ftp
6000/tcp open http httpd.js (Songbird WebRemote)
6001/tcp open daap mt-daapd DAAP TGeiZA
6646/tcp open unknown
7070/tcp open athinfod Athena athinfod
8000/tcp open amanda Amanda backup system index server (broken: libsunmath.so.1 not found)
8008/tcp open http?
8009/tcp open ajp13?
8080/tcp open http D-Link DGL-4300 WAP http config
8081/tcp open http fec ysp (Funkwerk bintec R232B router; .h.K...z)
8443/tcp open smtp
8888/tcp open smtp OpenVMS smtpd uwcDNI (OpenVMS RVqcGIr; Alpha)
9100/tcp open jetdirect?
9999/tcp open http Embedded HTTPD 3BOzejtHW (Netgear MRd WAP http config; j)
10000/tcp open http MikroTik router http config (RouterOS 0982808)
32768/tcp open filenet-tms?
49152/tcp open unknown
49153/tcp open http ASSP Anti-Spam Proxy httpd XLgR(?)?
49154/tcp open http Samsung AllShare httpd
49155/tcp open ftp Synology DiskStation NAS ftpd
49156/tcp open aspi ASPI server 837305
49157/tcp open sip AVM FRITZ!Box |
By using those two techniques together:
- your attackers will have a tough time while trying to identify your real services.
- the only way to determine if a service is emulated is through a protocol probe (imagine probing protocols for 65k open ports!).
- it takes more than 8hours and 200MB of sent data in order to properly go through the reconessaince phase for your system ( nmap -sV -p - equivalent).
***Art of Active (Offensive) Defense***
Portspoof can be used as an 'Exploitation Framework Frontend', that turns your system into responsive and aggressive machine. In practice this usually means exploiting your attackers' tools and exploits...
*At the moment there are few example exploits in the configuration file (portspoof.conf)*
Portspoof is meant to be a lightweight, fast, portable and secure addition to any firewall system or security system.
The general goal of the program is to make the reconessaince phase slow and bothersome for your attackers as much it is only possible.
This is quite a change to the standard 5s Nmap scan, that will give a full view of your systems running services.
The most important features that this software has:
- it will add some real pain to your attackers reconessaince phase.
- it is a userland software and does not require root privileges !
- it binds to just ONE tcp port per a running instance !
- it is easily customizable through your iptables rules
- marginal CPU and memory usage (multithreaded)
- more than 9000 dynamic service signatures to feed your attackers scanning software !
Author: Piotr Duszynski (piotr [at] duszynski.eu) #
License
Consult the COPYING file.
Compile instructions
Consult the DOC file.
Other important files
AUTHORS File with Author contact info
Changelog What I have implemented
FAQ Bug reporting and frequently asked questions
DOC Documentation file