Portspoof - Tool to provide Snooping/DOS defenses for PUPs

For discussions about security.
NickAu
Posts: 183
Joined: Mon 30 Dec 2013, 04:32
Location: Far North Coast NSW ɹǝpun uʍop

#21 Post by NickAu »

Any other test I should have used on that site? (I'm sure I missed something.)
I do not think so; most of the rest is set up for Windows.


Portspoof not installed on my pc.


That GRC test ... umm, if Portspoof was running it could have given away that the PC was there.

That test is just for firewalls.


The firewall test shows:

NO PORTS were found to be OPEN. Just what it says.

Ports found to be CLOSED were: 0, 1, 2, 3, 4, 5, 6, 31, 61, 62, 91, 93, 121, 123, 153, 154, 182, 184, 212, 213, 242, 243, 272, 273, 304, 305, 333, 335, 363, 365, 394, 395, 424, 425, 454, 456, 485, 486, 515, 516, 545, 546, 576, 607, 637, 639, 668, 669, 698, 699, 728, 729, 759, 760, 788, 789, 818, 820, 848, 850, 879, 880, 907, 910, 936, 937, 964, 967, 994, 995, 1025, 1026

These ports are visible on the net during random port scans but report as closed.


TruStealth: FAILED - NOT all tested ports were STEALTH. This is a firewall config. The haxors know you are there; now all they have to do is get in. On Windows some of those ports are for... Windows Update, say port 146 (just an example, not the actual port); now they know how to tailor an attack on that port on that IP.

Not good.

Good: this was my result
TruStealth: PASSED - All tested ports were STEALTH. Nothing to see here; they move on.

I will not presume to say how the app interacts with the above. But when you did the Shields Up scan they scanned your IP for stuff. That scan resulted in your PC replying to unsolicited requests from GRC to connect to your PC. That's how they know you have unstealthed ports. This means anybody scanning your IP will know there is a PC there and connected.

TruStealth

They scanned my PC the same way; my PC did not respond to any request, so as far as they know there is no evidence of a PC existing on this IP.

For a dedicated attack TruStealth is useless.

For a random scan it's great, as they can't see your PC.

I will also not argue the validity of the test or whether ports should be stealth or just closed. I do not know about it in Linux. In Windows stealth is better than closed. If random scans can't see you they can't target you.

Try running Windows without a firewall, or Puppy for that matter; go to GRC and do the TruStealth test and see how many ports are wide open to the net.

Again, I do not know much, but I do not want a port sitting there open to anybody that can run a scanner and connect to another PC.

Question: what is a ping if there is nothing for it to bounce back from?
Precise Puppy 5.7.1 Retro Fatty Edition. HP Compaq 2510p 2x Intel(R) Core(TM) 2 Duo CPU U7700 @ 1.33 GHz, 2 GB RAM. Booting from 8 GB micro USB + 32 GB SD card instead of HDD

gcmartin

#22 Post by gcmartin »

Musher0 wrote (in an earlier post): ... This equipment is not fully “stealthful

NickAu
Posts: 183
Joined: Mon 30 Dec 2013, 04:32
Location: Far North Coast NSW ɹǝpun uʍop

#23 Post by NickAu »

Portspoof is supposed to be designed to do its job should an attacker start after the PC. The article and the literature are clear that it will make an attacker wait and wait and wait and...
That's how I see it.

So I was kind of right: second line of defence, the first being that they can't see you.
This is a good example of an external site which doesn't know what to make of the PC it is trying to talk to.

inasmuch as it did respond to our probing. Thus hackers will know that some equipment exists at this IPv4 address
No, the point is that the site shouldn't know you are even there or that any equipment exists on that IP. The PC should stay silent to any unsolicited requests. Even responding to a ping is bad.
Last edited by NickAu on Sun 09 Mar 2014, 04:39, edited 5 times in total.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#24 Post by musher0 »

gcmartin wrote: (...)
Maybe it's time to invite the author to this forum's thread to assert the tool's operation to this audience.
That would be really wonderful!
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#25 Post by musher0 »

I gather we're stumped?

gcmartin

#26 Post by gcmartin »

This tool can be helpful if employed with a little discretion. It, in and of itself, is NOT a complete firewall, but it can be helpful as a deterrent should someone attempt a breach. That someone would not suspect that he is being wrongly steered.

This is an effective means for something simple that works to make life a "nightmare" for an attacker.

Hope this helps
Edited: 2nd sentence edit to correct its interpretation.
Last edited by gcmartin on Mon 10 Mar 2014, 04:19, edited 1 time in total.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#27 Post by Flash »

Keeping in mind that it was probably designed for use only with servers, how can we test to see if it is really doing what we think it says it will?

drk1wi
Posts: 5
Joined: Wed 12 Mar 2014, 09:31

#28 Post by drk1wi »

Hi everyone,

I am the author of Portspoof. I can give you some insight into how the tool was designed/implemented and how it works in general ;)

At the moment you can run it on any Linux that has NAT support enabled (this is the default in most distros), and the easiest way to check that everything is working properly is to use one of the port scanners.
For example, just: nmap -sS -p - -v your_internal_ip

'Shields Up' will only show you some results in case you are not behind a NAT.

Cheers,
Piotr

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#29 Post by Flash »

Thank you for joining the forum.

So what is Shields Up seeing? Is it the ports of the NAT server?

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#30 Post by musher0 »

Hi, drk1wi.

Indeed, thanks for joining this thread. It's a pleasure to have you among us.

I did find my internal ip address, but hmm... there is no nmap utility on my UpupRaring 3.9.9.2....

Best regards.

musher0

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#31 Post by musher0 »

Hello again, people.

I found two ready-made archives that made nmap work out of the box on my Raring Puppy.

nmap itself from Ubuntu 12.10 LTS
http://archive.ubuntu.com/ubuntu/pool/m ... 1_i386.deb

And the requested lua library from the Debian Squeeze archive
http://ftp.br.debian.org/debian/pool/ma ... 5_i386.deb
(this one intentionally for a lower glibc, the glibc version for ubuntu seemed a little high.)

YMMV...

This is getting better. What should we do next, Piotr?

BFN.

musher0
Attachment: nmap.jpg ("Proof! :)")

drk1wi
Posts: 5
Joined: Wed 12 Mar 2014, 09:31

#32 Post by drk1wi »

@Flash

What does Shields Up! say after you've activated Portspoof?

I am not that familiar with this service, but from a networking point of view they can only scan your visible (public) IP, so unless you have a dedicated public IP they just scan your internet provider's gateway.

drk1wi
Posts: 5
Joined: Wed 12 Mar 2014, 09:31

#33 Post by drk1wi »

musher0 wrote:Hello again, people.

I found two ready-made archives that made nmap work out of the box on my Raring Puppy.

nmap itself from Ubuntu 12.10 LTS
http://archive.ubuntu.com/ubuntu/pool/m ... 1_i386.deb

And the requested lua library from the Debian Squeeze archive
http://ftp.br.debian.org/debian/pool/ma ... 5_i386.deb
(this one intentionally for a lower glibc, the glibc version for ubuntu seemed a little high.)

YMMV...

This is getting better. What should we do next, Piotr?

BFN.

musher0


It seems like iptables isn't configured properly.
Can you paste it (iptables-save) and your ifconfig?

What you have to do is to configure your FW rules to redirect all of the "unwanted" traffic to the application (by default it's listening on port 4444).

Did you try this startup script?

https://github.com/drk1wi/portspoof/blo ... rtspoof.sh

Cheers,
Piotr

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#34 Post by musher0 »

Hello, Piotr.

Many thanks for the feedback.

Downloaded your script. Results of my ifconfig are attached.
As to iptables -save, it just gives the help lines, same as iptables -h.

There's something I'm not getting, obviously.
Probably I have to change the lightbulb over my head? :lol:

Best regards.

musher0
Attachment: ifconfig-musher0.txt.zip

drk1wi
Posts: 5
Joined: Wed 12 Mar 2014, 09:31

#35 Post by drk1wi »

musher0 wrote:Hello, Piotr.

Many thanks for the feedback.

Downloaded your script. Results of my ifconfig are attached.
As to iptables -save, it just gives the help lines, same as iptables -h.

There's something I'm not getting, obviously.
Probably I have to change the lightbulb over my head? :lol:

Best regards.

musher0
Hey musher0.

Try 'iptables-save' :) Basically, if the software is listening on 4444 and you have a proper iptables configuration then everything should work. Though, iptables config can be sometimes a pain.

Piotr

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#36 Post by musher0 »

Hi, drk1wi.

I found a how-to at https://help.ubuntu.com/community/IptablesHowTo.
Would appreciate confirmation that it is a reliable source of information for this subject.

Do these rules look ok?
# Generated by iptables-save v1.4.12 on Fri Mar 14 19:36:46 2014
*mangle
:PREROUTING ACCEPT [152633:80760501]
:INPUT ACCEPT [152633:80760501]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94663:7638659]
:POSTROUTING ACCEPT [94663:7638659]
COMMIT
# Completed on Fri Mar 14 19:36:46 2014
# Generated by iptables-save v1.4.12 on Fri Mar 14 19:36:46 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TRUSTED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j TRUSTED
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A TRUSTED -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A TRUSTED -p icmp -j DROP
-A TRUSTED -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Mar 14 19:36:46 2014
Sorry for asking, but I have no previous experience at all of ip-rules.
Many thanks in advance for any edit or insight.

BFN.

musher0

drk1wi
Posts: 5
Joined: Wed 12 Mar 2014, 09:31

#37 Post by drk1wi »

musher0 wrote:
# Generated by iptables-save v1.4.12 on Fri Mar 14 19:36:46 2014
*mangle
:PREROUTING ACCEPT [152633:80760501]
:INPUT ACCEPT [152633:80760501]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94663:7638659]
:POSTROUTING ACCEPT [94663:7638659]
COMMIT
# Completed on Fri Mar 14 19:36:46 2014
# Generated by iptables-save v1.4.12 on Fri Mar 14 19:36:46 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TRUSTED - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j TRUSTED
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A TRUSTED -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A TRUSTED -p icmp -j DROP
-A TRUSTED -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Mar 14 19:36:46 2014
You don't have any iptables REDIRECT rules to Portspoof.
You can check out an example here: https://github.com/drk1wi/portspoof/blo ... les-config

Try also adding this one (it's a bit generic, but you should be able to verify that the software works):

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -j REDIRECT --to-ports 4444

In general it's a good approach to add a Portspoof rule to PREROUTING for every port that isn't ACCEPTed in your INPUT chain.
In your case that's the ranges 1-21, 23-79, 81-65535.
This way an attacker will not be able to easily determine which ports on your system are in a CLOSED state and which services are real.


Cheers,
Piotr :)
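The range arithmetic from the post above (everything not ACCEPTed in INPUT gets a PREROUTING REDIRECT to the Portspoof listener) is easy to get wrong by hand, so here is an added example script, not part of the thread or of the Portspoof project, that computes the complementary ranges from a list of accepted ports and prints the corresponding iptables rules. It assumes the external interface is eth0 and that Portspoof listens on its default port 4444; it only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example (not from the Portspoof project): derive the iptables
# nat/PREROUTING REDIRECT rules that send every TCP port NOT accepted in
# INPUT to Portspoof. Assumed: external interface eth0, Portspoof on 4444.

# Print the sub-ranges of 1-65535 not covered by the given ports, one
# "low:high" per line in iptables --dport syntax (e.g. 22 80 -> 1:21,
# 23:79, 81:65535). Ports may be given in any order; duplicates are fine.
complement_ranges() {
    if [ $# -eq 0 ]; then
        echo "1:65535"
        return 0
    fi
    low=1
    for p in $(printf '%s\n' "$@" | sort -n); do
        if [ "$p" -gt "$low" ]; then
            echo "$low:$((p - 1))"
        fi
        low=$((p + 1))
    done
    if [ "$low" -le 65535 ]; then
        echo "$low:65535"
    fi
}

# Emit one REDIRECT rule per uncovered range for the given interface.
# Nothing is applied; review the output before running it as root.
portspoof_rules() {
    iface=$1
    shift
    complement_ranges "$@" | while read -r range; do
        echo "iptables -t nat -A PREROUTING -i $iface -p tcp -m tcp --dport $range -j REDIRECT --to-ports 4444"
    done
}

# Example: the filter rules posted earlier ACCEPT only 22 and 80.
portspoof_rules eth0 22 80
```

After applying the printed rules, a scan such as nmap -sS -p - -v against the internal IP should show the redirected ranges as open instead of closed, which is the behaviour Piotr describes.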
