Is Windows supported? #1

Open
bontchev opened this issue May 28, 2022 · 2 comments

@bontchev

When running it on Windows, I get the error

OSError: [WinError 10049] The requested address is not valid in its context

on line 466 (self.socket.bind(self.server_address)). And, yes, the port I'm telling it to listen to, is open.

@bontchev
Author

Never mind, this doesn't work on Linux, either.

Traceback (most recent call last):
  File "./bpfdoor_scanner.py", line 174, in <module>
    server = ThreadedUDPServer((listen_ip, listen_port), ThreadedUDPRequestHandler)
  File "/usr/lib/python3.8/socketserver.py", line 452, in __init__
    self.server_bind()
  File "/usr/lib/python3.8/socketserver.py", line 466, in server_bind
    self.socket.bind(self.server_address)
OSError: [Errno 99] Cannot assign requested address

Any idea what might be the problem? I'm behind a NAT, but I am tunneling the port I've told the script to listen to, both TCP and UDP. I've run TCP/IP servers in the past, listening to ports on this machine, but they were written in Twisted and had absolutely no problems listening to ports that I've tunneled through the NAT.

@bontchev
Author

OK, I have a better understanding of what is happening now. I am sorry to say, but as it is right now, there is simply no way this scanner would work in the real world. My guess is that you've tested it in an environment, where both the scanning machine and the machine infected with BPFDoor were on the same LAN - probably on virtual machines.

Here is what is happening.

Consider the -i option. The help says "Your IP address". WTF is that? Well, there are two options.

First, it could be your external IP address. But if you supply that there, the line

 server = ThreadedUDPServer((listen_ip, listen_port), ThreadedUDPRequestHandler)

tries to attach a UDP server on that very same IP address. From the point of view of the program, an external IP address is just somebody's machine on the Internet. It's just a coincidence that it happens to be yours. Dude, you can't go around attaching UDP servers on other people's machines, so of course this fails. But what is the alternative?

Well, you could supply there your local IP address instead. And, indeed, in the examples used in the README, you use a local address - 10.101.72.100. (There are typos there, BTW - you've written -1 instead of -i.) But, if you do that, the program itself issues a warning that this is a local address and, therefore, not likely to work:

        elif ipaddress.IPv4Address(listen_ip).is_private:
            print('[!] Warning: you are listening on a private IP address -- public IPs will not be able to reach back')

Furthermore, this is the IP address you stuff in the TCP/IP packet that you send to the backdoor. Presumably, the backdoor uses it to determine where to send the reply. But if this is a local IP address, you'll get the reply only if you're on the same LAN as the machine infected with the backdoor. Not good for scanning over the Internet.

Suggestions how to fix this:

  • Set up your UDP server on localhost, instead of on the IP supplied by the user.
  • Specify clearly in the documentation, that the external IP address should be specified with the -i option and that it is the responsibility of the user to ensure that UDP traffic from the Internet over the specified port reaches the machine running the scanner (i.e., the firewall isn't blocking it, if the machine is behind the NAT, this port has been tunneled through it, and so on).
  • Even better, get rid of the -i option completely and determine the external IP address of the machine programmatically.
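Added example, not part of the original comment or of the scanner's own code: a sketch that reproduces the bind failure from the tracebacks above and keeps the address the listener binds to separate from the address advertised in the probe. The names `ReplyHandler`, `can_bind`, `make_listener` and `collect_one` are hypothetical, and binding to the wildcard address `0.0.0.0` by default and reusing the bound port as the advertised port are assumptions of this example.

```python
import errno
import ipaddress
import socket
import socketserver


class ReplyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request  # for UDP servers: (payload, socket)
        self.server.replies.append((self.client_address[0], data))


class ThreadedUDPServer(socketserver.ThreadingMixIn, socketserver.UDPServer):
    pass


def can_bind(ip, port=0):
    """Try to bind a UDP socket to ip; return (ok, errno or None)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((ip, port))
            return True, None
        except OSError as exc:
            # EADDRNOTAVAIL is Errno 99 on Linux and WinError 10049 on Windows
            return False, exc.errno


def make_listener(advertised_ip, port, bind_ip="0.0.0.0"):
    """Bind to a local address; keep the address sent in the probe separate."""
    adv = ipaddress.IPv4Address(advertised_ip)
    server = ThreadedUDPServer((bind_ip, port), ReplyHandler)
    server.replies = []
    server.advertised = (str(adv), server.server_address[1])
    server.lan_only = adv.is_private  # private address: replies only from the same LAN
    return server


def collect_one(server, timeout=2.0):
    """Handle at most one datagram, close the server, return what arrived."""
    server.timeout = timeout
    server.handle_request()
    server.server_close()  # also joins the handler thread
    return server.replies
```

Calling `can_bind` with an address that is not assigned to any local interface (for example, a NAT gateway's external address) returns `(False, errno.EADDRNOTAVAIL)`, which is the error shown in both tracebacks.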
