Puppy Linux Discussion Forum
Portspoof - Tool to provide Snooping/DOS defenses for PUPs
Page 2 of 3 [37 Posts]
musher0


Joined: 04 Jan 2009
Posts: 4460
Location: Gatineau (Qc), Canada

PostPosted: Wed 05 Mar 2014, 18:06    Post subject:
Subject description: lsof-4.87.pet
 

Hi, gcmartin.

Ah. Your AngryIP reminds me of lsof, the real one, not the busybox one. The busybox
lsof does not have any parameters you can control it with. (Why am I not surprised?...)
Whereas here's what you get with lsof --help:
Quote:
[/bin]>lsof -h
lsof 4.87
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
-?|-h list help -a AND selections (OR) -b avoid kernel blocks
-c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s files
-d s select by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY*
-i select IPv[46] files -K list tasKs (threads) -l list UID numbers
-n no host names -N select NFS files -o list file offset
-O no overhead *RISKY* -P no port names -R list paRent PID
-s list file size -t terse listing -T disable TCP/TPI info
-U select Unix socket -v list version info -V verbose search
+|-w Warnings (-) -X skip TCP&UDP* files -- end option scan
+f|-f +filesystem or -file names +|-f[gG] flaGs
-F [f] select fields; -F? for help
+|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
+m [m] use|create mount supplement
+|-M portMap registration (-) -o o o 0t offset digits (8)
-p s exclude(^)|select PIDs -S [t] t second stat timeout (15)
-T qs TCP/TPI Q,St (s) info
-g [s] exclude(^)|select and print process group IDs
-i i select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
+|-r [t[m<fmt>]] repeat every t seconds (15); + until no files, - forever.
An optional suffix to t is m<fmt>; m must separate t from <fmt> and
<fmt> is an strftime(3) format for the marker line.
-s p:s exclude(^)|select protocol (p = TCP|UDP) states by name(s).
-u s exclude(^)|select login|UID set s
-x [fl] cross over +d|+D File systems or symbolic Links
names select named files or files on named file systems
Only root can list all files; /dev warnings disabled; kernel ID check disabled.

Ah, isn't information about a program beautiful!!

I uploaded a copy here:
http://www66.zippyshare.com/v/79186025/file.html

There's also a thread on lsof here:
http://murga-linux.com/puppy/viewtopic.php?p=710409#710409

And here's what I get in terminal after launching portspoof:
Quote:
[/bin]>lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 3861 root 8u IPv4 4677 0t0 TCP localhost:631 (LISTEN)
portspoof 31058 daemon 3u IPv4 337684 0t0 TCP *:4444 (LISTEN)


Opera is open, on this thread, and is connected to two other sites, and they are not
showing. They're probably gobbled up by portspoof.

Yess! Over here, kiddy-kiddy-kiddy! I hope you'll like your special copy of
The Little Red Riding Hood!

BFN.

musher0

_________________
"Logical entities must not be multiplied needlessly." / "Il ne faut pas multiplier les êtres logiques inutilement." (Ockham)
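The `lsof -i` listing above is the quickest way to see which process owns a socket and whether it is bound to loopback only (cupsd on localhost:631) or to every interface (portspoof on *:4444). The following parser is an added example, not code from the thread or from Portspoof; its sample input is the two lines musher0 posted plus one constructed ESTABLISHED entry (address 192.0.2.10 is a documentation address), so it can be run offline. It splits the NAME column into host, port, remote peer and state, and reports the listeners that another host could reach.

```python
"""Parse the output of `lsof -i` and flag listening sockets that are reachable
from other hosts, i.e. bound to something other than a loopback address.

Added example; not code from the forum thread or from Portspoof itself.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: header plus the two entries shown in the post.
SAMPLE_LSOF_I = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd     3861  root    8u  IPv4   4677      0t0  TCP localhost:631 (LISTEN)
portspoof 31058 daemon  3u  IPv4 337684      0t0  TCP *:4444 (LISTEN)
"""

# Constructed: what an outbound browser connection looks like in `lsof -i`.
SAMPLE_ESTABLISHED = (
    "opera 1234 root 20u IPv4 5555 0t0 TCP "
    "192.168.1.5:51000->192.0.2.10:443 (ESTABLISHED)\n"
)

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "[::1]", "ip6-localhost"}
WILDCARD_NAMES = {"*", "0.0.0.0", "[::]"}


@dataclass
class Socket:
    command: str
    pid: int
    user: str
    proto: str             # lsof's NODE column: TCP or UDP
    local_host: str        # '*' means every interface
    local_port: str        # number or service name, as lsof printed it
    remote: Optional[str]  # 'host:port' of the peer for connections, else None
    state: Optional[str]   # LISTEN, ESTABLISHED, ... or None (UDP has no state)


def _split_host_port(addr: str):
    # rpartition keeps IPv6 literals such as "[::1]:631" intact.
    host, sep, port = addr.rpartition(":")
    return (host, port) if sep else (addr, "")


def parse_lsof_i(text: str) -> List[Socket]:
    """The NAME column may contain one space before the parenthesised state,
    so each line is split into at most nine fields and the header is skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue
        command, pid, user, _fd, _type, _dev, _size, node, name = fields
        state = None
        if name.endswith(")") and " (" in name:
            name, state = name[:-1].rsplit(" (", 1)
        remote = None
        if "->" in name:
            name, remote = name.split("->", 1)
        host, port = _split_host_port(name)
        sockets.append(Socket(command, int(pid), user, node, host, port, remote, state))
    return sockets


def exposed_listeners(sockets: List[Socket]) -> List[Socket]:
    """Sockets another host could connect to: TCP in LISTEN state (or a UDP
    socket, which has no state) and not bound to a loopback address."""
    out = []
    for s in sockets:
        listening = s.state == "LISTEN" or (s.proto == "UDP" and s.remote is None)
        if listening and s.local_host not in LOOPBACK_NAMES:
            out.append(s)
    return out


if __name__ == "__main__":
    for s in exposed_listeners(parse_lsof_i(SAMPLE_LSOF_I + SAMPLE_ESTABLISHED)):
        scope = "all interfaces" if s.local_host in WILDCARD_NAMES else s.local_host
        print(f"{s.command} (pid {s.pid}, user {s.user}) listens on {scope}:{s.local_port}")
```

On the sample the only exposed listener is portspoof on every interface, port 4444, running as the unprivileged daemon user; cupsd is loopback-only and the browser connection is a client socket, not a listener. Run with `lsof -i -n -P` to get numeric hosts and ports instead of names.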
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11180
Location: Arizona USA

PostPosted: Wed 05 Mar 2014, 18:35    Post subject:  

What does Shields Up! say after you've activated Portspoof?
NickAu


Joined: 30 Dec 2013
Posts: 186
Location: Far North Coast NSW ɹǝpunuʍop

PostPosted: Wed 05 Mar 2014, 20:25    Post subject:  

Quote:
This tool should be looked at, not as a specific level of defense, rather, it should be looked at as a response mechanism to something which it is trained to follow once something it notes happens on your specific PC.

Thank you, that explains it. Still love it.

_________________
Precise Puppy 5.7.1 Retro Fatty Edition. Hp Compaq 2510p 2x Intel(R) Core(TM) 2 Duo Cpu U7700@ 1.33 ghz,2 gig ram Booting from 8 gig micro USB + 32 gig SD card instead of HDD
musher0


Joined: 04 Jan 2009
Posts: 4460
Location: Gatineau (Qc), Canada

PostPosted: Wed 05 Mar 2014, 23:46    Post subject:  

Flash wrote:
What does Shields Up! say after you've activated Portspoof?


Hi, Flash.

With portspoof on:

Quote:
Port Authority Edition — Internet Vulnerability Profile
by Steve Gibson, Gibson Research Corporation.

This textual summary may be printed, or marked and copied
for subsequent pasting into any other application:

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2014-03-06 at 03:57:56

Results from scan of ports: 0-1055

0 Ports Open
72 Ports Closed
984 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be CLOSED were: 0, 1, 2, 3, 4, 5, 6, 31, 61,
62, 91, 93, 121, 123, 153, 154,
182, 184, 212, 213, 242, 243,
272, 273, 304, 305, 333, 335,
363, 365, 394, 395, 424, 425,
454, 456, 485, 486, 515, 516,
545, 546, 576, 607, 637, 639,
668, 669, 698, 699, 728, 729,
759, 760, 788, 789, 818, 820,
848, 850, 879, 880, 907, 910,
936, 937, 964, 967, 994, 995,
1025, 1026

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

---------------------------------------------------------------------


Quote:
THE EQUIPMENT AT THE TARGET IP ADDRESS
ACTIVELY REJECTED OUR UPnP PROBES!
(That's good news!)

This equipment is not fully “stealthful” inasmuch as it did respond to our probing. Thus hackers will know that some equipment exists at this IPv4 address—though they will have no idea what it is, and they will be unable to attack it through UPnP SSDP subversion because it is proactively replying that there is no active service available at its UDP port 1900.

[...]

Positive results seen
This page has reported 11319 positive “exposed” results.


Any other test I should have used on that site? (I'm sure I missed something.)

BFN.

musher0

Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11180
Location: Arizona USA

PostPosted: Thu 06 Mar 2014, 00:05    Post subject:  

I'm not too familiar with the Shields Up! site, but from your results it doesn't look like Portspoof did anything. Perhaps it wasn't configured correctly.
NickAu


Joined: 30 Dec 2013
Posts: 186
Location: Far North Coast NSW ɹǝpunuʍop

PostPosted: Thu 06 Mar 2014, 00:49    Post subject:  

Quote:
Any other test I should have used on that site? (I'm sure I missed something.)

I do not think so; most of the rest is set up for Windows.


Portspoof not installed on my pc.


That GRC test... umm, if Portspoof was running it could have given away that the PC was there.

That test is just for firewalls.


The firewall test shows

NO PORTS were found to be OPEN. Just what it says.

Ports found to be CLOSED were: 0, 1, 2, 3, 4, 5, 6, 31, 61,
62, 91, 93, 121, 123, 153, 154,
182, 184, 212, 213, 242, 243,
272, 273, 304, 305, 333, 335,
363, 365, 394, 395, 424, 425,
454, 456, 485, 486, 515, 516,
545, 546, 576, 607, 637, 639,
668, 669, 698, 699, 728, 729,
759, 760, 788, 789, 818, 820,
848, 850, 879, 880, 907, 910,
936, 937, 964, 967, 994, 995,
1025, 1026

These ports are visible on the net during random port scans but report as closed.


TruStealth: FAILED - NOT all tested ports were STEALTH. This is a firewall config. The haxors know you are there; now all they have to do is get in. On Windows some of those ports are for... Windows Update, say port 146 (just an example, not the actual port); now they know how to tailor an attack on that port on that IP.

Not good.

Good, this was my result:
TruStealth: PASSED - All tested ports were STEALTH. Nothing to see here, they move on.

I will not presume to say how the app interacts with the above. But when you did the Shields Up scan they scanned your IP for stuff. That scan resulted in your PC replying to unsolicited requests from GRC to connect to your PC. That's how they know you have unstealthed ports. This means anybody scanning your IP will know there is a PC there and connected.

TruStealth

They scanned my PC the same way; my PC did not respond to any request, so as far as they know there is no evidence of a PC existing on this IP.

For a dedicated attack TruStealth is useless.

For a random scan it's great, as they can't see your PC.

I will also not argue the validity of the test or whether ports should be stealth or just closed. I do not know about it in Linux. In Windows stealth is better than closed. If random scans can't see you they can't target you.

Try running Windows without a firewall, or Puppy for that matter; go to GRC and do the TruStealth test and see how many ports are wide open to the net.

Again, I do not know much, but I do not want a port sitting there open to anybody that can run a scanner and connect to another PC.

Question: what is a ping if there is nothing for it to bounce back from?

gcmartin


Joined: 14 Oct 2005
Posts: 4506
Location: Earth

PostPosted: Thu 06 Mar 2014, 01:28    Post subject:  

Musher0 in an earlier post wrote:
... This equipment is not fully “stealthful” inasmuch as it did respond to our probing. Thus hackers will know that some equipment exists at this IPv4 address—though they will have no idea what it is, and they will be unable to attack it though UPnP SSDP subversion because it is proactively replying that there is no active service available at its UDP port 1900. ...
This is a good example of an external site which doesn't know what to make of the PC it is trying to talk to.

PortSpoof is supposed to be designed to do its job should an attacker start after the PC. The article and the literature are clear that it will make an attacker wait and wait and wait and ...

Maybe it's time to invite the author to this forum's thread to assert the tool's operation to this audience.

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... Its time to show that we know this!
3 Different Puppy Search Engine or use DogPile
NickAu


Joined: 30 Dec 2013
Posts: 186
Location: Far North Coast NSW ɹǝpunuʍop

PostPosted: Thu 06 Mar 2014, 01:34    Post subject:  

Quote:
PortSpoof is supposed to be designed to do its job should an attacker start after the PC. The article and the literature are clear that it will make an attacker wait and wait and wait and

That's how I see it.

So I was kinda right: second line of defence, the first being that they can't see you.

Quote:
This is a good example of an external site which doesn't know what to make of the PC it is trying to talk to.

inasmuch as it did respond to our probing. Thus hackers will know that some equipment exists at this IPv4 address



No, the point is that site shouldn't know you are even there or that any equipment exists on that IP. The PC should stay silent to any unsolicited requests. Even responding to a ping is bad.


Last edited by NickAu on Sun 09 Mar 2014, 00:39; edited 5 times in total
musher0


Joined: 04 Jan 2009
Posts: 4460
Location: Gatineau (Qc), Canada

PostPosted: Thu 06 Mar 2014, 03:07    Post subject:  

gcmartin wrote:
(...)
Maybe its time to invite the author to this forum's thread to assert the tool's operation to this audience.


That would be really wonderful!

musher0


Joined: 04 Jan 2009
Posts: 4460
Location: Gatineau (Qc), Canada

PostPosted: Sat 08 Mar 2014, 23:35    Post subject:  

I gather we're stumped?
gcmartin


Joined: 14 Oct 2005
Posts: 4506
Location: Earth

PostPosted: Sun 09 Mar 2014, 17:20    Post subject:  

This tool can be helpful if employed with a little discretion. It, in and of itself, is NOT a complete firewall but can be helpful as a deterrent should someone attempt a breach. That someone would be unsuspecting that he is being wrongly steered.

This is an effective means for something simple that works to make life a "nightmare" for an attacker.

Hope this helps
Edited: 2nd sentence edit to correct its interpretation.


Last edited by gcmartin on Mon 10 Mar 2014, 00:19; edited 1 time in total
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11180
Location: Arizona USA

PostPosted: Sun 09 Mar 2014, 22:31    Post subject:  

Keeping in mind that it was probably designed for use only with servers, how can we test to see if it is really doing what we think it says it will?
drk1wi

Joined: 12 Mar 2014
Posts: 5

PostPosted: Wed 12 Mar 2014, 05:38    Post subject:  

Hi everyone,

I am the author of Portspoof. I can support you with some insight in how the tool was designed/implemented and how it works in general Wink

At the moment you can run it on any Linux that has NAT support enabled (this is the default case in most distros) and the easiest way to check if everything is working properly is to use one of the port scanners.
For example just : nmap -sS -p - -v your_internal_ip

'Shields Up' will only show you some results in case you are not behind a NAT.

Cheers,
Piotr
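The author's check (`nmap -sS -p - -v your_internal_ip`) and NickAu's open/closed/stealth discussion above rest on the same three answers a TCP probe can get: a SYN/ACK (open), a RST (closed) or nothing at all (dropped; nmap says "filtered", GRC says "stealth"). The script below is an added example, not code from the thread or from Portspoof: a minimal connect scan that classifies ports the same way without the raw sockets a SYN scan needs, plus a crude test of whether a target "looks portspoofed". The 90% threshold is an assumption of this example, and `demo()` stands up one listening socket on loopback so it runs offline; against a real Puppy box you would scan `your_internal_ip` (the placeholder from the post above) over the redirected port range.

```python
"""Minimal TCP connect scan and port-state classifier.

Added example; not code from the forum thread or from Portspoof. A connect
scan sees the same three outcomes as nmap's SYN scan: the connect completes
(SYN/ACK, "open"), is refused (RST, "closed"), or nothing comes back before the
timeout (packet dropped: nmap's "filtered", GRC's "stealth").
"""
import socket
from typing import Dict, Iterable, Tuple

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED      # RST came back: a host is there, nothing listens
    except (socket.timeout, OSError):
        return FILTERED    # no answer (or unreachable): dropped, or no host
    finally:
        s.close()


def scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    return {p: probe_port(host, p, timeout) for p in ports}


def summarize(results: Dict[int, str]) -> Dict[str, int]:
    counts = {OPEN: 0, CLOSED: 0, FILTERED: 0}
    for state in results.values():
        counts[state] += 1
    return counts


def looks_portspoofed(results: Dict[int, str], threshold: float = 0.9) -> bool:
    """Portspoof completes the handshake on every port redirected to it, so a
    scan of a working install shows nearly every probed port as open, while an
    ordinary host shows a few open and the rest closed or filtered. The 0.9
    threshold is an assumption of this example."""
    if not results:
        return False
    return summarize(results)[OPEN] / len(results) >= threshold


def demo() -> Tuple[Dict[int, str], int, int]:
    """Scan one port known to be open and one known to be closed on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # kernel picks a free port
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                         # nothing listens here any more
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    # Against a real target replace the loopback demo with, for instance,
    # scan("your_internal_ip", range(1, 1025)); if Portspoof's redirect is
    # catching the probes, every port in that range comes back "open".
    res, op, cp = demo()
    print(res, summarize(res), looks_portspoofed(res))
```

Two caveats the thread itself raises apply here too: scan the machine from another host on the LAN (a scan of 127.0.0.1 never crosses the interface the redirect rule is attached to), and a scan from the Internet only reaches the machine if it is not sitting behind NAT, which is why Shields Up reported the router rather than the Puppy box.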
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11180
Location: Arizona USA

PostPosted: Wed 12 Mar 2014, 10:40    Post subject:  

Thank you for joining the forum.

So what is Shields Up seeing? Is it the ports of the NAT server?
musher0


Joined: 04 Jan 2009
Posts: 4460
Location: Gatineau (Qc), Canada

PostPosted: Wed 12 Mar 2014, 14:30    Post subject:  

Hi, drk1wi.

Indeed, thanks for joining this thread. It's a pleasure to have you among us.

I did find my internal ip address, but hmm... there is no nmap utility on my UpupRaring 3.9.9.2....

Best regards.

musher0
