Portspoof - Tool to provide Snooping/DOS defenses for PUPs

gcmartin

Portspoof - Tool to provide Snooping/DOS defenses for PUPs

#1 Post by gcmartin »

Original Request
Can anyone make a PET for community use of this Defense tool? The Puppy Installation version of this tool is posted by @Musher0, in the very next post.

Description
The Portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. It is meant to be a lightweight, fast, portable and secure addition.

The general goal of the program is to make the port scanning software process slow and output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.
Please thank @Musher0 for bringing this to Puppyland.

Hope this helps
Edited: Subject and Description Paragraph toward my post's restructure
Last edited by gcmartin on Tue 04 Mar 2014, 17:32, edited 1 time in total.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#2 Post by musher0 »

Hi, gcmartin.

Here you go, portspoof-1.1.pet! (284 Kb)
http://www65.zippyshare.com/v/46304739/file.html (The big red DOWNLOAD NOW button in the upper right, not the green or blue ones.)

Now, it would be great if a proper SysOp could tell us how to configure it properly!
There is an explanation starting at # 2 here:
https://github.com/drk1wi/portspoof/blob/master/DOCS
but it's Martian to me!

Thanks in advance.

BFN.

musher0
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

gcmartin

This tool appears to address Denial of Service concerns

#3 Post by gcmartin »

Great!
musher0 wrote:... it would be great if a proper SysOp could tell us how to configure it properly ...
This should help us.

Here to help


Re: This tool appears to address Denial of Service concerns

#4 Post by musher0 »

gcmartin wrote:Great!
musher0 wrote:... it would be great if a proper SysOp could tell us how to configure it properly ...
This should help us.

Here to help
Hi, gcmartin.

Nice little article. Hehe, with this little utility, now the joke's on "them"! :twisted: You can set
portspoof so it takes an attacker 30 hours to scan the computer ports: if that's not a deterrent... :)
And send the wolf a copy of Little Red Riding Hood! :lol: I love this programmer's sense of humour!

My only concern would be how to set up the iptables correctly. I would not want portspoof to
interfere with my regular connection, say, with freesbee.

Thanks for finding this, BTW.

BFN.

musher0

NickAu
Posts: 183
Joined: Mon 30 Dec 2013, 04:32
Location: Far North Coast NSW ɹǝpunuʍop

#5 Post by NickAu »

Many attackers simply perform a scan, which is easily automated with tools like Nmap. An attacker who discovers a firewall and similar defensive system can often guess which ports and services are worth attacking
So this would be like the second line of defence?

The first being Stealth: your computer staying silent on the net, not responding to any requests. See GRC Shields Up https://www.grc.com/default.htm (I passed, see attachment).

Then this?

Then my router?

Then my firewall?
Attachment: original.jpeg
Precise Puppy 5.7.1 Retro Fatty Edition. HP Compaq 2510p, 2x Intel(R) Core(TM) 2 Duo CPU U7700 @ 1.33 GHz, 2 GB RAM, booting from 8 GB micro USB + 32 GB SD card instead of HDD


#6 Post by musher0 »

Hi, Nick.

I did compile portspoof for Puppy, but I am no SysAdmin. Which is why I hope a proper one will show up on this thread and answer your questions and mine.

BFN.

musher0


#7 Post by NickAu »

No probs musher0.

But you can see why I ask? As a general security tool it would be line 2. If they can't see me (stealth), they can't target me?

If they can see me, this tool will drive them mad.

If they get by this tool, then they have to breach any router settings and firewall.

After that they need to bypass my software firewall.

I too want more info so I can use it. I love this sort of stuff. It's something that would drive the kids mad next time they TRIED to access my PC thru the network.

PS: any good firewall will give you stealth ability. Your PC should never respond to any ping or unsolicited request.

Not good.
Your computer has responded that this port exists but is currently closed to connections.

Good.
There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

gcmartin

#8 Post by gcmartin »

Hi @NickAu

Unless you're using a Proxy somewhere in the cloud, you are seen. There really is NO WAY to hide because in order to get on the Internet you MUST go thru an ISP who will assign you an IP from the pool he is legally licensed to.

Some of the Security garbage over the years is just that, garbage. And the general user "drinks the kool-aid", so to speak, as they believe this. (Understandably so, because no one that I know of has read how traffic even flows on the Internet, where a good understanding is provided to glean what is truth versus some of the crap thrown our way. As such, if we don't understand, we'll believe anything.)

Usually, an attacker has a reason for targeting and it's not as random as one has been led to believe. Further, there are all kinds of ways to get/harvest IP addresses. Lastly, harvesting IP is just one step in whatever rationale is used to invade.

This tool should be looked at, not as a specific level of defense, rather, it should be looked at as a response mechanism to something which it is trained to follow once something it notes happens on your specific PC.

Hope this helps.


#9 Post by musher0 »

@NickAu.

Oh, I do follow your logic! But gcmartin is right, portspoof is a line of counter-attack.
Rather than being only on the defensive, you're taking the "kiddy" for a ride. Also,
back to good old logic, you can't have your ports all closed and all open at the
same time... Entity "A" cannot be entity "A" and entity "non-A" at the same time.

My understanding of it is that you're not flying "stealth" if you're using portspoof, rather
the complete opposite! You've got all flashes on and you're saying: "Right this way,
kiddy-kiddy-kiddy." What you're not telling the kiddy is: "I'll waste 30 hours of your
time!" :twisted: "And you'll have to start over pretty soon, because I usually stay on
line only 2-3 hours at a time." (hehe)

But I'm no expert. Maybe a paradox can exist.

~~~~~~~~~
Anyway, I took the plunge.

Assembled the commands in the article into this little script. (No merit!)
#!/bin/sh
# portspoof.sh
# Purpose: Set up and run portspoof
####
# Redirect every incoming TCP port on eth0 to port 4444, where portspoof listens
iptables -t nat -A PREROUTING -i eth0 -p tcp -mtcp --dport 1:65535 -j REDIRECT --to-ports 4444

# Start portspoof as a daemon (-D) with its config and signature files
portspoof -c /usr/etc/portspoof.conf -s /usr/etc/portspoof_signatures -D
And I ran it.

iptables tells me it doesn't know "nat" and portspoof tells me there's a segmentation
fault in the signatures file. Not good.

Maybe I can repair the seg fault by recompiling or by borrowing a healthy sig file from
a ready-made package, or simply by running "fsck" (if the file happened to fall on a bad
spot on the disk).

But I don't know how to create the "nat" file iptables needs. Heck, I don't even know
what it's for!

Any help will be much appreciated. BFN.

musher0

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#10 Post by amigo »

Yes, it opens all possible ports (65K+), but redirects them (with iptables) to a single port which portspoof listens, and responds, on.
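A worked setup script, added here as an example and not part of the portspoof project or of any post in this thread. It follows the mechanism amigo describes (every TCP port redirected to the single port portspoof listens on) but addresses two things raised earlier: musher0's worry that the redirect would interfere with the ports real services use, and the "nat table does not exist" error. It assumes interface eth0, portspoof on port 4444, a constructed keep-list of ports 22 and 80, and the config paths from musher0's script; the iptables multiport negation it uses is standard iptables syntax, not something from the portspoof docs.

```sh
#!/bin/sh
# Added example (not portspoof's own setup script, not from this thread).
# Redirects every incoming TCP port on one interface to the port portspoof
# listens on, except the ports of services you really run, and checks that
# the kernel has a nat table before trying to add the rule.
# Assumed values: interface eth0, portspoof on 4444, keep-list "22 80".

IFACE=eth0
SPOOF_PORT=4444
KEEP_PORTS="22 80"   # constructed example: ports of services you really run

# Turn a space-separated port list into a sorted, de-duplicated CSV list.
ports_to_csv() {
    printf '%s\n' $1 | sort -un | tr '\n' ',' | sed 's/,$//'
}

# Print (do not run) the iptables command for the redirect.
#   $1 interface   $2 portspoof port   $3 ports to keep (may be empty)
build_redirect_rule() {
    keep_csv=$(ports_to_csv "$3")
    if [ -z "$keep_csv" ]; then
        # nothing to protect: the plain whole-range rule from the thread
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports %s\n' "$1" "$2"
    else
        # multiport negation: everything except the kept ports is redirected
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -m multiport ! --dports %s -j REDIRECT --to-ports %s\n' "$1" "$keep_csv" "$2"
    fi
}

# The kernel lists the iptables tables it knows in /proc/net/ip_tables_names.
# The path is a parameter so the check can be exercised against a sample file.
nat_table_available() {
    names=${1:-/proc/net/ip_tables_names}
    [ -r "$names" ] && grep -qx nat "$names"
}

# Only touch the firewall when explicitly asked: sh portspoof-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    if ! nat_table_available; then
        echo "nat table not available; try: modprobe iptable_nat" >&2
        exit 1
    fi
    rule=$(build_redirect_rule "$IFACE" "$SPOOF_PORT" "$KEEP_PORTS")
    echo "running: $rule"
    eval "$rule"
    portspoof -c /usr/etc/portspoof.conf -s /usr/etc/portspoof_signatures -D
fi
```

Two points worth knowing when you test it: the nat table only sees the first packet of a new connection, so replies to connections the PC itself opened (browsing, mail, and so on) are never redirected, only inbound connection attempts are; and a PREROUTING rule bound to eth0 never sees packets the same PC sends to itself, so a scan from localhost shows nothing, you have to scan from another machine on the LAN.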

gcmartin

#11 Post by gcmartin »

One manner of Portspoof setup: "linux-1" in this diagram is the firewall and is where all traffic is allowed to enter/leave the LAN behind it. The ISP's IP service comes in on eth0, and the LAN where the PCs reside is on eth1. Portspoof, here, would detect and confuse an invading port scanner which originates from the Internet.
[diagram]
There is no reason why the "linux-1" service could not be included as a subsystem in either the router or in my LAN PCs. But it is NOT necessary to do it in both. So this leaves us with 3 options to deploy; namely the one seen in the picture, or deploying within the router, or on the LAN.

One question posted earlier is about NAT:
NAT - a plain language, high-level explanation
NAT is a protocol subsystem feature commonly employed by routers to map LAN IP addresses to the one given by the ISP. It does this via an internal algorithm where the LAN PC is assigned a given port for the outgoing traffic, and a return, when appropriate, is expected back along that same port in order to complete delivery to the original LAN PC.

So in essence I think NAT would be appropriate for a PC/router doing firewall services for a LAN, but not necessary for a single PC doing a "personal, one PC" firewall effort.

I am currently looking into some measure of describing to Portspoof how to apply this at the single PC level. And I am also looking at an implementation similar to the picture, where a low-power motherboard with two high-speed LAN interfaces would be employed to handle the port scans that my ISP has been seen to do customarily.
Last edited by gcmartin on Wed 05 Mar 2014, 18:53, edited 2 times in total.

Karl Godt
Posts: 4199
Joined: Sun 20 Jun 2010, 13:52
Location: Kiel, Germany

#12 Post by Karl Godt »

Have not installed it yet, but iptables works for me:

# iptables -t nat -A PREROUTING -i eth0 -p tcp -mtcp --dport 1:65535 -j REDIRECT --to-ports 4444

# type -a iptables
iptables is /sbin/iptables

# file /sbin/iptables
/sbin/iptables: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped

# busybox iptables -t nat -A PREROUTING -i eth0 -p tcp -mtcp --dport 1:65535 -j REDIRECT --to-ports 4444
iptables: applet not found


But I am using ppp0; eth0 shows up in # ifconfig -a.


# iptables --version
iptables v1.3.8
# uname -r
2.6.37.4-KRG-i486-StagingDrivers-3

gcmartin

#13 Post by gcmartin »

On one 64bit single MB LAN I get the following:

sh-4.1#  iptables -t nat -A PREROUTING -i eth0 -p tcp -mtcp --dport 1:65535 -j REDIRECT --to-ports 4444
iptables v1.4.10: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
sh-4.1# uname -a
Linux studio1337 3.8.4-l0wt3ch-rt2 #1 SMP PREEMPT RT Sat Apr 13 07:46:49 GMT 2013 x86_64 GNU/Linux
Will check others.

2nd 64bit PC - WORKS!

bash-4.1# iptables -t nat -A PREROUTING -i eth0 -p tcp -mtcp --dport 1:65535 -j REDIRECT --to-ports 4444
<root> ~
bash-4.1# uname -a
Linux Mariner-desktop 3.8.7 #1 SMP Sun Jun 16 09:49:24 PDT 2013 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ AuthenticAMD GNU/Linux
Last edited by gcmartin on Wed 05 Mar 2014, 20:22, edited 1 time in total.


#14 Post by musher0 »

Hi, folks.

Thanks, all, for your inputs.

I got the script to work even without the "nat" table, when I changed the iptables call to
/sbin/iptables instead of just plain iptables. Proof attached! Also, there are about 10
portspoof entries in htop when it's running. There were no complaints about a seg fault
in the sig file either, this time.

This on UpupRaring 3.992 running on an AMD 2600+ CPU, w/ 2 GB of RAM, and w/
videotron.ca router & ISP.

Maybe it's just me, but I did notice a tiny decrease in overall Internet speed? Is this
possible? Also, how do we measure performance for the portspoof?

Thanks in advance. BFN.

musher0
Attachment: portspoof.jpg

gcmartin

#15 Post by gcmartin »

I wonder what a port scan from another LAN PC would turn up? To test, though, you'll need to test before the start of Portspoof... then after... to compare measurements.

I use a JAVA app which is a utility I've used for the past 15 years; namely AngryIP, which, to me, is the friendliest, most versatile, and fastest IP scanner on the planet. In Puppyland, you can find it here...


#16 Post by musher0 »

Hi, gcmartin.

Ah. Your AngryIP reminds me of lsof, the real one, not the busybox one. The busybox
lsof does not have any parameters you can control it with. (Why am I not surprised?...)
Whereas here's what you get with lsof --help: :)
[/bin]>lsof -h
lsof 4.87
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
[-F [f]] [-g [s]] [-i ] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
-?|-h list help -a AND selections (OR) -b avoid kernel blocks
-c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s files
-d s select by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY*
-i select IPv[46] files -K list tasKs (threads) -l list UID numbers
-n no host names -N select NFS files -o list file offset
-O no overhead *RISKY* -P no port names -R list paRent PID
-s list file size -t terse listing -T disable TCP/TPI info
-U select Unix socket -v list version info -V verbose search
+|-w Warnings (-) -X skip TCP&UDP* files -- end option scan
+f|-f +filesystem or -file names +|-f[gG] flaGs
-F [f] select fields; -F? for help
+|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
+m [m] use|create mount supplement
+|-M portMap registration (-) -o o o 0t offset digits (8)
-p s exclude(^)|select PIDs -S [t] t second stat timeout (15)
-T qs TCP/TPI Q,St (s) info
-g [s] exclude(^)|select and print process group IDs
-i i select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
+|-r [t[m<fmt>]] repeat every t seconds (15); + until no files, - forever.
An optional suffix to t is m<fmt>; m must separate t from <fmt> and
<fmt> is an strftime(3) format for the marker line.
-s p:s exclude(^)|select protocol (p = TCP|UDP) states by name(s).
-u s exclude(^)|select login|UID set s
-x [fl] cross over +d|+D File systems or symbolic Links
names select named files or files on named file systems
Only root can list all files; /dev warnings disabled; kernel ID check disabled.

Ah, isn't information about a program beautiful!! :D

I uploaded a copy here:
http://www66.zippyshare.com/v/79186025/file.html

There's also a thread on lsof here:
http://murga-linux.com/puppy/viewtopic. ... 409#710409

And here's what I get in terminal after launching portspoof:
[/bin]>lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 3861 root 8u IPv4 4677 0t0 TCP localhost:631 (LISTEN)
portspoof 31058 daemon 3u IPv4 337684 0t0 TCP *:4444 (LISTEN)


Opera is open, on this thread, and is connected to two other sites, and they are not
showing. They're probably gobbled up by portspoof.

Yess! Over here, kiddy-kiddy-kiddy! ;) I hope you'll like your special copy of
The Little Red Riding Hood! :twisted:

BFN.

musher0

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#17 Post by Flash »

What does Shields Up! say after you've activated Portspoof?


#18 Post by NickAu »

gcmartin wrote:This tool should be looked at, not as a specific level of defense, rather, it should be looked at as a response mechanism to something which it is trained to follow once something it notes happens on your specific PC.

Thank you, that explains it. Still love it.


#19 Post by musher0 »

Flash wrote:What does Shields Up! say after you've activated Portspoof?
Hi, Flash.

With portspoof on:
Port Authority Edition — Internet Vulnerability Profile
by Steve Gibson, Gibson Research Corporation.

This textual summary may be printed, or marked and copied
for subsequent pasting into any other application:

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2014-03-06 at 03:57:56

Results from scan of ports: 0-1055

0 Ports Open
72 Ports Closed
984 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be CLOSED were: 0, 1, 2, 3, 4, 5, 6, 31, 61,
62, 91, 93, 121, 123, 153, 154,
182, 184, 212, 213, 242, 243,
272, 273, 304, 305, 333, 335,
363, 365, 394, 395, 424, 425,
454, 456, 485, 486, 515, 516,
545, 546, 576, 607, 637, 639,
668, 669, 698, 699, 728, 729,
759, 760, 788, 789, 818, 820,
848, 850, 879, 880, 907, 910,
936, 937, 964, 967, 994, 995,
1025, 1026

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

---------------------------------------------------------------------
THE EQUIPMENT AT THE TARGET IP ADDRESS
ACTIVELY REJECTED OUR UPnP PROBES!
(That's good news!)

This equipment is not fully “stealthful


#20 Post by Flash »

I'm not too familiar with the Shields Up! site, but from your results it doesn't look like Portspoof did anything. Perhaps it wasn't configured correctly.
