bocajspear1 / ports4u

Go app to dynamically open ports for malware analysis


Ports4u

No port? No Problem



What is Ports4u?

Ports4u is a Go application built for malware network traffic analysis, intended as a replacement for tools like InetSim. It detects attempted connections to ports and quickly creates a listener on that port. It takes advantage of the fact that a TCP client retransmits its SYN several times when it gets no response, which leaves enough time to start the listener before the client gives up. Ports4u uses iptables to block the RST packets that would otherwise signal a closed port.

Ports4u also forwards traffic to the real services it runs, based on the data it receives. For example, if HTTP arrives on some other port, that traffic is forwarded to the HTTP server on port 80.

Ports4u is currently designed to run in a Docker container.
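The sniff-and-forward step described above, as an added Go example that is not Ports4u's own code: Classify decides from the first bytes of a connection whether it is TLS (a handshake record header) or plaintext HTTP (a request line), Forwarder relays the connection to the backend registered for that protocol, and RunDemo wires a stand-in port-80 HTTP service and a forwarder onto two ephemeral loopback ports to show a request arriving on an arbitrary port reaching the HTTP service. The iptables RST blocking and the SYN detection that opens the listener in the first place are outside this example; the names Service, Forwarder, Classify and RunDemo are assumptions of this example, not identifiers from the project.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net"
	"net/http"
)

// Service names the internal service a sniffed connection is forwarded to.
type Service string

const ServiceHTTP, ServiceTLS, ServiceUnknown Service = "http", "tls", "unknown"

// httpMethods are request-line prefixes that identify plaintext HTTP.
var httpMethods = []string{"GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "CONNECT "}

// Classify looks at the first bytes a client sent and decides which service
// should handle the connection, independent of the port it arrived on.
func Classify(head []byte) Service {
	// A TLS record begins with content type 0x16 (handshake) and a 0x03 0x0X
	// record version, which is how a ClientHello looks on any port.
	if len(head) >= 3 && head[0] == 0x16 && head[1] == 0x03 && head[2] <= 0x04 {
		return ServiceTLS
	}
	for _, m := range httpMethods {
		if bytes.HasPrefix(head, []byte(m)) {
			return ServiceHTTP
		}
	}
	return ServiceUnknown
}

// Forwarder accepts on a dynamically opened port and relays each connection
// to the backend address registered for the protocol it detects.
type Forwarder struct {
	Backends map[Service]string // e.g. ServiceHTTP -> "127.0.0.1:80"
}

// Serve accepts connections until the listener is closed.
func (f *Forwarder) Serve(ln net.Listener) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go f.handle(c)
	}
}

func (f *Forwarder) handle(client net.Conn) {
	defer client.Close()
	br := bufio.NewReader(client)
	// Peek rather than Read so the backend still receives the full request.
	head, _ := br.Peek(8)
	target, ok := f.Backends[Classify(head)]
	if !ok {
		return // no service for this protocol; the real tool would still log the bytes
	}
	backend, err := net.Dial("tcp", target)
	if err != nil {
		return
	}
	defer backend.Close()
	done := make(chan struct{}, 2)
	go func() { io.Copy(backend, br); done <- struct{}{} }()
	go func() { io.Copy(client, backend); done <- struct{}{} }()
	<-done // when either direction ends, the deferred Close calls tear down both
}

// RunDemo starts a stand-in "port 80" HTTP service and a forwarder on two
// ephemeral loopback ports, then fetches a page through the forwarder.
func RunDemo() (string, error) {
	backend, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer backend.Close()
	go http.Serve(backend, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "served by the port-80 HTTP service")
	}))
	front, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer front.Close()
	f := &Forwarder{Backends: map[Service]string{ServiceHTTP: backend.Addr().String()}}
	go f.Serve(front)
	resp, err := http.Get("http://" + front.Addr().String() + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	body, err := RunDemo()
	fmt.Println(body, err)
}
```

The peek-then-copy pattern matters for transparency: the bytes used to classify the connection are still delivered to the backend, so the HTTP server sees exactly what the sample sent and the session log stays complete. A connection whose protocol is not recognised is simply closed here; in an analysis setup you would keep it open and record the bytes, since unknown traffic is often the interesting part.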

Building

Assumes you have Docker installed.

Run:

make build

Supported Services

Ports4u currently runs the following services:

  • HTTP on port 80
  • TLS on port 443

Data

All logs are available in the logs subdirectory. Ports4u will create it on startup if not already present.

HOST-PORT.log

Contains the contents sent to Ports4u, with the remote IP and port in the filename.

Data received is prepended with:

<<<<<<<< <REMOTE_IP> ----------------------------

Data sent is prepended with:

>>>>>>>> <REMOTE_IP> ----------------------------

ip_list.txt

Contains a newline-separated list of IPs that connections were made to.

domains.txt

Contains a newline-separated list of domains that have been requested.

conn_list.txt

Contains a list of connections seen, one per line, in the format:

tcp or udp|<IP>|<PORT>
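The artifacts described in this section, read back with an added Go example that is not part of Ports4u: ParseConnList turns conn_list.txt lines into records and reports lines it cannot parse instead of dropping them, PortsByHits ranks the contacted proto/port pairs (a quick way to see which services would be worth adding to the tool), and ParseSessionLog splits a HOST-PORT.log into the received and sent exchanges delimited by the `<<<<<<<<` and `>>>>>>>>` markers. The sample inputs are constructed for this example with documentation-range addresses; the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample artifacts using documentation-range addresses; they are
// not indicators from any real analysis run.
const sampleConnList = "tcp|203.0.113.5|443\ntcp|203.0.113.5|443\ntcp|203.0.113.5|8080\nudp|198.51.100.9|53\nnot|a|valid|line\n"
const sampleSession = "<<<<<<<< 203.0.113.5 ----------------------------\nGET /update HTTP/1.1\nHost: example.test\n\n>>>>>>>> 203.0.113.5 ----------------------------\nHTTP/1.1 200 OK\nContent-Length: 0\n\n"

// Connection is one line of conn_list.txt: "<tcp or udp>|<IP>|<PORT>".
type Connection struct{ Proto, IP string; Port int }

// ParseConnList parses conn_list.txt. Lines it cannot parse are returned
// separately instead of being dropped, so a damaged artifact gets noticed.
func ParseConnList(text string) (conns []Connection, bad []string) {
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		parts := strings.Split(line, "|")
		if len(parts) != 3 || (parts[0] != "tcp" && parts[0] != "udp") {
			bad = append(bad, line)
			continue
		}
		port, err := strconv.Atoi(parts[2])
		if err != nil || port < 1 || port > 65535 {
			bad = append(bad, line)
			continue
		}
		conns = append(conns, Connection{parts[0], parts[1], port})
	}
	return conns, bad
}

// PortsByHits counts contacts per proto/port pair and lists them most
// frequent first (ties alphabetical), e.g. "tcp/443: 2".
func PortsByHits(conns []Connection) []string {
	counts := map[string]int{}
	for _, c := range conns {
		counts[fmt.Sprintf("%s/%d", c.Proto, c.Port)]++
	}
	keys := make([]string, 0, len(counts))
	for k := range counts {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	sort.SliceStable(keys, func(i, j int) bool { return counts[keys[i]] > counts[keys[j]] })
	out := make([]string, len(keys))
	for i, k := range keys {
		out[i] = fmt.Sprintf("%s: %d", k, counts[k])
	}
	return out
}

// Exchange is one block of a HOST-PORT.log: a direction marker ("recv" for
// "<<<<<<<<", "sent" for ">>>>>>>>") plus the bytes up to the next marker.
type Exchange struct{ Direction, RemoteIP, Data string }

// ParseSessionLog splits a HOST-PORT.log into its directional exchanges.
// Bytes before the first marker are ignored.
func ParseSessionLog(text string) []Exchange {
	var out []Exchange
	for _, line := range strings.Split(text, "\n") {
		var dir string
		switch {
		case strings.HasPrefix(line, "<<<<<<<< "):
			dir = "recv"
		case strings.HasPrefix(line, ">>>>>>>> "):
			dir = "sent"
		}
		if fields := strings.Fields(line); dir != "" && len(fields) > 1 {
			out = append(out, Exchange{Direction: dir, RemoteIP: fields[1]})
			continue
		}
		if len(out) > 0 {
			out[len(out)-1].Data += line + "\n"
		}
	}
	for i := range out {
		out[i].Data = strings.TrimRight(out[i].Data, "\r\n")
	}
	return out
}

func main() {
	conns, bad := ParseConnList(sampleConnList)
	fmt.Println(PortsByHits(conns), "unparsed:", bad)
	for _, e := range ParseSessionLog(sampleSession) {
		fmt.Printf("%s %s: %q\n", e.Direction, e.RemoteIP, e.Data)
	}
}
```

Reporting unparseable lines rather than skipping them is deliberate: an analysis artifact with a malformed line usually means the run was cut short or the file was tampered with, and either case deserves a look before the results are trusted. The session parser only splits on the marker lines, so binary payloads between markers are kept byte-for-byte apart from the trailing newline trim.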

TODO

  • More services to forward to

About
License: Mozilla Public License 2.0