Portspoof is meant to be a lightweight, fast, portable, and secure addition to any firewall system or security system. The general goal of the program is to make the information-gathering phase slow and bothersome for your attackers as much as possible. This is quite a change to the standard 5s nmap scan that will give a full view of your system’s running services.
Instead of informing an attacker that a particular port is CLOSED or FILTERED a system with Portspoof will return SYN+ACK for every port connection attempt.
As a result it is impractical to use stealth (SYN, ACK, etc.) port scanning against your system, since all ports are always reported as OPEN. With this approach it is really difficult to determine if a valid software is listening on a particular port.
The most important features that Portspoof has:
– Portspoof is a userland software and does not require root privileges
– Binds to just one tcp port per a running instance
– Easily customizable through your iptables rules
– Marginal CPU/memory usage (multithreaded)
– More than 9000 dynamic service signatures are supported
So let’s start directly. This is how the common structure of portspoof looks. First I will mention the normal network structure without using portspoof and then with portspoof. The figure below shows the normal structure of my network.
Here, when an attacker scans the CentOS server’s network then first request will be sent to Iptables and, according to the iptables rule, it will send the response to the server. So rules have been set in my iptables standard.
As you can see, port 22 is open and any connection thorough the client machine to the server’s ssh service is allowed. So if I scan this network through NMAP from my KALI Linux, which I am considering an attacker’s machine, it will show me the result.
Now let’s check the network configuration with portspoof. Make sure portspoof’s default port is 4444. You can change it according to your need.
As we can see in the above picture, when an attacker sends an nmap scan request to the centos server, first it gets received by the iptables. Then, rather than responding to the attacker machine, iptables forwards that request to the portspoof on 4444 port and it enables portspoof to respond to the attacker’s machine in order to show all 65535 ports open.
Firstly, I am flushing all the rules of iptables and I am allowing all packets into my network. To do so, there is the following command:
After giving this command, if you want to see the current policy, you can check it with this command:
Before installation we need to scan the centos system with Nmap using Kali linux and it will show the list of service running with opened port.
Now it’s time to configure our iptables with the portspoof. For that, let’s download and install portspoof. I have downloaded the rpm package of portspoof. This command installs that package:
#unzip –q portspoof-master.zip
Next thing to do is to flush all the current firewall rules. As we already checked, we do not have any rules set in our current firewall. So apply those iptables –f and –l command to your server to cross-verify our process.
Then we can see from the above picture that our firewall is up and running and it is allowing all packets from any network. Now it is time to forward those packets to portspoof in order to reply the client machine. To do so, use the following command:
#iptables –t nat –A PREROUTING –i eth2 –p tcp –m tcp –dport 1:65535 –j REDIRECT –to-ports 4444
Iptables Linux default firewall.
-A Appends the iptables rule to the end of the specified chain. This is the command used to add a rule when rule order in the chain does not matter.
-t Specifies the table name which we are going to use.
-i Selects the interface.
-m Additional match options are also available through modules loaded by the iptables command. To use a match option module, load the module by name using the -m option, such as -m <module-name> (replacing <module-name> with the name of the module).
-p Sets the default policy for the specified chain, so that when packets traverse an entire chain without matching a rule, they are sent on to the specified target, such as ACCEPT or DROP.
–dport Sets a destination port
–to-ports Destination port to forward.
The last few words in this command are very important; first, it will collect all the packets accepted by iptables and then it will forward them to the 4444 port, which is by default a port of our portspoof tool.
Now let’s scan the target. (Keep in mind that we have not configured our portspoof.)
It shows that our host (CentOS) is live and running but it is not showing any list of open ports. This suggests that we have successfully configured our iptables with the portspoof. So our iptables is successfully sending all incoming packets to the portspoof. Now it is time to configure portspoof.
Portspoof runs with its two main files which is lying in /etc/ folder, as shown below:
To start portspoof, let’s check the help to determine which options are provided to us.
Two mandatory options are needed to run the portspoof. The command to run portspoof is:
#portspoof –c /etc/portspoof.conf –s /etc/portspoof_signatures
Once you give this command it will look like this:
Now it is time to scan from our attacker machine (Kali Linux).
As you can see, starting from 1, it will show all 65535 ports open. Actually these ports are not actually open and some don’t eve exist, but this is how we are fooling the attacker to make him see all 65535 ports are opened.
If you want to scan that host with any signature within nmap then it will show as below. I am using nmap with the –v and –A options. Then the result, will be as shown below:
You may remember that, when we started portspoof, it was in verbose mode. So if we check the host machine now, it will show some information about which kinds of threads have been coming in and which kind of signature reply that portspoof tool has given in respond to that request. This information will be shown like this:
Thus how you can fool the attacker or a noob. If you configure this, he will be confused and out of his mind about which port is actually and legitimately open. If he is a pro noob then he will start hunting from port 1st to 65535 (I hope so). So this is a very lightweight small tool to fool attackers as well as to increase the amount of attack time in which you might trace the actual attacker.