Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of Portspoof is to enhance your system's security through a set of camouflage techniques that spoof all ports as open and emulate valid services on every port. As a result, an attacker's port scan results become fairly meaningless, and it takes hours of effort to accurately identify which ports have real services behind them and which do not.
The tool is meant to be a lightweight, fast, portable and secure addition to any firewall or security system. Its general goal is to make the reconnaissance phase as slow and bothersome for your attackers as possible. This is quite a change from the standard 5s Nmap scan that gives a full view of the services your system is running.
Techniques Used by Portspoof:
All configured TCP ports are always open
Instead of informing an attacker that a particular port is in a CLOSED or FILTERED state, a system running Portspoof returns SYN+ACK for every connection attempt, so every port appears open.
Result: stealth (SYN, ACK, etc.) port scanning against your system becomes impractical, since all ports are always reported as OPEN. This makes it really difficult to determine whether real software is listening on a particular port.
Every open TCP port emulates a valid service
Portspoof has a huge dynamic service signature database that is used to generate responses to the service probes sent by an attacker's scanning software.
Scanning software usually tries to determine which service is running on an open port. This step is mandatory for anyone who wants to identify the port numbers on which your real services run behind the spoofed ports. For this reason, Portspoof responds to every service probe with a valid service signature that is dynamically generated from a database of service signature regular expressions.
Result: an attacker will not be able to determine which port numbers your system is truly using.
Portspoof Port Spoofing Tool Features
The most important features that Portspoof has:
Portspoof is userland software and does not require root privileges
Binds to just one TCP port per running instance
Easily customizable through your iptables rules
Marginal CPU/memory usage (multithreaded)
More than 9000 dynamic service signatures are supported
If you choose to, Portspoof can be used as an ‘Exploitation Framework Frontend’ that turns your system into a responsive and aggressive machine. This means exploiting your attackers’ tools and exploits in response to a port scan.
To compile the source, follow the instructions below. Either use the build system:
./configure && make && sudo make install
or compile the sources by hand (the pthread library is listed after the source files so the linker can resolve it):
g++ -Wall -g Configuration.cpp connection.cpp Portspoof.cpp revregex.cpp Utils.cpp Fuzzer.cpp Server.cpp -o portspoof -lpthread
If you compiled by hand, place the generated portspoof binary in a directory on your PATH; make install does this for you. The next steps configure your system so that portspoof functions properly once it is started.
The next step is configuring iptables. iptables needs to forward all traffic on unused ports to port 4444, the port portspoof runs on. This lets portspoof emulate the services on those ports as open.
To do this we use the iptables nat table and the PREROUTING chain. One thing to check first is whether your default policy for INPUT or OUTPUT is to drop traffic. If it is, you need to add the following rules.
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 4444 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 4444 -m state --state NEW,ESTABLISHED -j ACCEPT
Make sure you substitute eth0 with the interface you’re using. The OUTPUT rule matches on the source port: replies to a redirected connection pass through the filter OUTPUT chain still carrying source port 4444, because the reverse NAT mapping back to the original destination port is applied later, in POSTROUTING.
Once these rules are in place we can start adding the PREROUTING rules. These rules vary depending on the system you are installing on and the services already running on it. For this guide I will assume that the system has the following services running, on the listed ports.
telnet – port 23
ssh – port 22
http – port 80
The sample setup above should give you a basic understanding of how to set up portspoof on your own system. For this system you would use the following rules, one REDIRECT per gap between the real service ports.
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 24:79 -j REDIRECT --to-ports 4444
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 81:65535 -j REDIRECT --to-ports 4444
Again, substitute eth0 with the interface you’re using.
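Working out the gap ranges by hand is error-prone once a host runs more than a handful of services. The following script is an added example, not part of the Portspoof project or of this guide's original commands: it generalises the three-service setup above by taking any list of real TCP ports and printing the filter rules for the listener plus one PREROUTING REDIRECT rule per gap. The names IFACE, SPOOF_PORT, redirect_ranges and emit_rules are this example's own; it only prints rules, so you can review the output before piping it into a root shell.

```shell
#!/bin/sh
# Added example (not from the Portspoof project): generate the iptables rules
# that send every TCP port without a real service to the Portspoof listener.
# IFACE and SPOOF_PORT are assumed names; override them in the environment.

IFACE="${IFACE:-eth0}"            # substitute your own interface
SPOOF_PORT="${SPOOF_PORT:-4444}"  # port Portspoof listens on

# redirect_ranges PORT... -> prints the gaps between the real ports as
# "lo:hi" ranges covering 1..65535, one per line. Input order does not matter;
# duplicates and out-of-range values are ignored.
redirect_ranges() {
    printf '%s\n' "$@" | sort -n -u | awk '
        BEGIN { next_lo = 1 }
        {
            port = $1 + 0
            if (port < 1 || port > 65535) next
            if (port > next_lo) printf "%d:%d\n", next_lo, port - 1
            next_lo = port + 1
        }
        END { if (next_lo <= 65535) printf "%d:%d\n", next_lo, 65535 }'
}

# emit_rules PORT... -> prints the INPUT/OUTPUT accept rules for the listener
# (needed only when your default filter policy is DROP) followed by one
# PREROUTING REDIRECT rule per gap. Replies leave with source port SPOOF_PORT
# at the filter OUTPUT chain, so that rule matches --sport, not --dport.
emit_rules() {
    echo "iptables -A INPUT -i $IFACE -p tcp --dport $SPOOF_PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -o $IFACE -p tcp --sport $SPOOF_PORT -m state --state ESTABLISHED -j ACCEPT"
    redirect_ranges "$@" | while IFS= read -r range; do
        echo "iptables -t nat -A PREROUTING -i $IFACE -p tcp -m tcp --dport $range -j REDIRECT --to-ports $SPOOF_PORT"
    done
}

# The walkthrough's sample host: telnet (23), ssh (22) and http (80) are real.
emit_rules 23 22 80
```

Run it with the real ports of your own host (for example `IFACE=ens3 sh gen_rules.sh 22 80 443`), check that the printed ranges skip exactly your real services, and then apply them as root. Because the REDIRECT ranges also cover port 4444 itself, a direct connection to the listener is redirected to the same port, which is harmless.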
The above configuration should be enough for your system to operate properly, at least in terms of iptables. If you experience issues with your iptables configuration, you can troubleshoot them with netcat: set up a netcat listener on port 4444 and attempt to connect to it on various other ports from a remote system; every such connection should land on the listener.
With this you are pretty much done. All that is left is configuring portspoof to your liking. I like the default configuration and will leave it alone. If you would like to modify it, edit the files /usr/local/etc/portspoof.conf and /usr/local/etc/portspoof_signatures.
Once you have configured those to your liking, head back to where you originally downloaded portspoof. In that folder there is another one called system_files; cd into that directory and issue the following commands.
cp init.d/portspoof.sh /etc/init.d/portspoof
chmod +x /etc/init.d/portspoof
After this you have successfully installed portspoof. You can start portspoof with the following command.
Once you’ve done this, feel free to test it. You can do the testing with nmap, as shown earlier in this post.
If you’re satisfied with its performance, you can have it start on boot by adding the following command to the bottom of this file: /etc/rc.d/rc.local
Once that is done, scan the system with nmap to see the results.