How to setup portspoof

Hello everyone. I’ve been having some fun setting up different services to secure and monitor the server this website runs on. I came across portspoof a little while ago and recently decided to try setting it up on this server. To demonstrate what portspoof does, why don’t you try to nmap this website? If you don’t have a system handy with nmap, I have provided a sample output below.

root@kali:~# nmap CalebCoffie.com

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-21 23:
Nmap scan report for CalebCoffie.com (192.210.197.145)
Host is up (0.0099s latency).
rDNS record for 192.210.197.145: .
Not shown: 55 closed ports
PORT      STATE    SERVICE
1/tcp     open     tcpmux
3/tcp     open     compressnet
4/tcp     open     unknown
6/tcp     open     unknown
7/tcp     open     echo
9/tcp     open     discard
.
.
.
35500/tcp open     unknown
38292/tcp open     landesk-cba
40193/tcp open     unknown
40911/tcp open     unknown
41511/tcp open     unknown
42510/tcp open     caerpc
44176/tcp open     unknown
44442/tcp open     coldfusion-auth
44443/tcp open     coldfusion-auth
44501/tcp open     unknown
45100/tcp open     unknown
48080/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 4.65 seconds

I didn’t provide the full output simply because thousands of lines of nmap output wouldn’t look too great here, so it is shortened above.

Portspoof simply makes it seem as if every port on a system is open. This is useful because it makes recon harder for an attacker: if a system reports all ports as open, you can’t tell which ones are legitimately open, so you don’t know which services to attack. There’s also another method of making recon difficult that takes the opposite approach. It’s called port knocking. Port knocking makes it seem like most if not all ports are closed until a certain sequence of ports has been knocked (had a connection attempted).

Both portspoofing and port knocking have their place. I decided to put portspoofing on this server because it seemed like the more viable option for me (it doesn’t require me to remember a specific port sequence). Portspoofing is the topic of this guide, but if there’s interest in port knocking I can try to do a guide on that as well. I’m writing this guide for portspoof because I don’t believe the documentation provided with portspoof is a complete guide.

The first thing you will want to do is download the portspoof source. This can be done with git. If you don’t know how to use git, feel free to read my previous post on it here.

The git repo is located on github here: https://github.com/drk1wi/portspoof

You can download the source with the git clone command. Once you have the source you can compile it. You will need the build utilities for your specific platform; I will not cover that here because it varies a lot between platforms.

To compile it, issue either of the following sequences of commands.

./configure
make
sudo make install

or

g++ -Wall -g Configuration.cpp connection.cpp Portspoof.cpp revregex.cpp Utils.cpp Fuzzer.cpp Server.cpp -o portspoof -lpthread

If you use the single g++ command, copy the resulting portspoof binary somewhere on your PATH yourself (make install does this for you in the first sequence).

Either way you now have a compiled portspoof binary in place. The next steps configure your system so that portspoof works properly once it is started.

The next step is configuring iptables properly. Iptables needs to be configured to redirect all traffic arriving on unused ports to port 4444, which is the port portspoof listens on. This is what lets portspoof answer on every port and make the services appear open.

To do this we will use the iptables nat table and the PREROUTING chain. One thing you’ll want to check first is whether the default policy of your INPUT or OUTPUT chain is to drop traffic. If it is, you will need to add the following rules so that connections to portspoof on port 4444, and its replies, are allowed through.

iptables -A INPUT -i eth0 -p tcp --dport 4444 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 4444 -m state --state ESTABLISHED -j ACCEPT

Make sure you substitute eth0 for the interface that you’re using.

Once these rules are in place we can start adding the PREROUTING rules. These rules vary depending on the system you are installing this on and what services are already running on it. For this guide I will assume the system has the following services running, on the ports listed.

telnet - port 23
ssh - port 22
http - port 80

The sample system above should give you a basic understanding of how to set up portspoof on your own system: every port range that no real service uses is redirected to 4444, while the real service ports are left untouched. For the sample system you would use the following rules.

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 24:79 -j REDIRECT --to-ports 4444
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 81:65535 -j REDIRECT --to-ports 4444

Again you will want to substitute eth0 for the interface you’re using.
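Working out the redirect ranges by hand gets error-prone once a system has more than a few services, so here is an added helper (my own example, not from the post above or the portspoof project) that takes the list of legitimately open TCP ports and prints the complementary PREROUTING rules. The interface and portspoof port default to eth0 and 4444 as in the post and can be overridden with the IFACE and SPOOF_PORT variables.

```shell
#!/usr/bin/env bash
# Added example: generate portspoof REDIRECT rules for every TCP port
# that is NOT in the list of real service ports. Prints the commands
# rather than running them, so you can review before piping into sh.
set -eu

# spoof_ranges PORT... -> space-separated "lo:hi" ranges covering
# 1-65535 minus the given ports (input is sorted, duplicates ignored).
spoof_ranges() {
    local next=1 out="" p
    for p in $(printf '%s\n' "$@" | sort -nu); do
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "invalid port: $p" >&2
            return 1
        fi
        # gap between the last real port and this one becomes a spoofed range
        if [ "$p" -gt "$next" ]; then
            out="$out $next:$((p - 1))"
        fi
        next=$((p + 1))
    done
    # everything above the highest real port is spoofed too
    if [ "$next" -le 65535 ]; then
        out="$out $next:65535"
    fi
    echo "${out# }"
}

# spoof_rules PORT... -> one iptables PREROUTING rule per spoofed range.
spoof_rules() {
    local iface="${IFACE:-eth0}" spoof="${SPOOF_PORT:-4444}" r
    for r in $(spoof_ranges "$@"); do
        # a one-port gap such as 5:5 reads better as a single --dport 5
        if [ "${r%%:*}" = "${r##*:}" ]; then
            r="${r%%:*}"
        fi
        echo "iptables -t nat -A PREROUTING -i $iface -p tcp -m tcp --dport $r -j REDIRECT --to-ports $spoof"
    done
}

# The three services from the sample system (order does not matter).
spoof_rules 23 22 80
```

Running it as-is reproduces the three rules given above; to apply them, review the output and pipe it into sh as root.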

The above configuration should be enough for your system to operate properly, at least in terms of iptables. If you experience issues with your iptables configuration, you can troubleshoot them with netcat: set up a netcat listener on port 4444 and attempt to connect to various other ports from a remote system. If the redirect rules are working, those connections will reach the listener.

With this you are pretty much done. All that is left is configuring portspoof to your own liking. I like the default configuration and will leave it alone. If you would like to modify it, you can do so by editing the files located here: /usr/local/etc/portspoof.conf and here: /usr/local/etc/portspoof_signatures.

Once you have configured those to your liking, head back to where you originally downloaded portspoof. In that folder there is another one called system_files. cd into that directory and issue the following commands.

cp init.d/portspoof.sh /etc/init.d/portspoof
chmod +x /etc/init.d/portspoof

After this you have successfully installed portspoof. You can start portspoof with the following command.

/etc/init.d/portspoof start

Once you’ve done this feel free to test it. You can do the testing with nmap, as shown earlier in this post.

If you’re satisfied with its performance you can have it start on boot by adding the following command to the bottom of this file: /etc/rc.d/rc.local

/etc/init.d/portspoof start

After this you should be completely done. If you run into any issues feel free to comment below or message me and I will try my best to help. On a side note, I would just like to inform everyone that this site now uses encryption by default for all of its pages. This means you can now browse this site privately without people sniffing your traffic. Pretty sweet, huh?
