Attackers can use portspoof to tease network attackers.

Portspoof is a lightweight, fast, and portable Security plug-in suitable for any firewall or security system. The program aims to minimize or disrupt the information collection phase of attacks.

Next we will go to the topic. This article first introduces the general network communication when portspoof is not used, and then the network communication situation after portspoof is used. For normal network communication:‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

 

‍‍Here, if an attacker scans the network of the CentOS server, the first request is first sent to iptables, and the packet processing method is determined according to iptables rules. Configure the rules for the current target host:‍‍

 

‍‍That is, port 22 is open, allowing any client to connect to the server's ssh service. I used a machine installed with the Kali Linux system as an attacker and used nmap to scan the target server. The result is as follows:‍‍

 

‍‍The following tests the network configuration of portspoof. The default port of the program is 4444, which can be modified as needed.‍‍

 

‍‍It can be seen that when an attacker sends an nmap scan request to the CentOS server, it is first obtained by iptables, but then sent to port 4444 of portspoof instead of responding to the attacker's machine, then, the system responded to the attacker through portspoof and reported that all the 65535 ports were open.‍‍

‍

‍ Start demonstration‍ ‍

 

‍‍First, clear all iptables rules and allow all data packets to enter the target host. Run the following command:‍‍

iptables -F

To view the current policy after execution, run the following command:
 

‍

iptables -L

 

‍‍Then configure iptables with portspoof. The first thing to do is download and install portspoof. I have downloaded its rpm package. You can run the following command to install it:‍‍

rpm –ivh portspoof-1.0-5.1.i686.rpm

 

Command/option description rpm package management command-I install rpm package-v print detailed information during processing-h print the hash mark ("#") during installation

‍‍Then refresh the current firewall rule. As mentioned above, the current firewall does not have any rules, so you only need to use the iptables-F or iptables-L command to confirm.‍‍

‍‍The next step is to forward these packets to portspoof to respond to the scan request. The command is as follows:‍‍

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -dport1:65535 -j REDIRECT -to-ports 4444

 

The last few keywords of this command are very important, so that iptables forwards all received packets to port 4444, that is, the default port of portspoof. Then scan the target again (portspoof is not configured yet ):

 

‍

 

‍‍The scan results show that the host (CentOS) is running, but no open ports are listed. This indicates that iptables is successfully configured and all received packets are successfully sent to portspoof. Configure portspoof.‍‍

‍‍Two configuration files are required for portspoof running, both in the/etc/directory, as shown in:‍‍

 

The portspoof. conf file configures how portspoof responds to scans and what scans it responds to. The portspoof_signatures file contains the fingerprint information of a large number of scanning tools.

For example, if I perform a regular nmap scan on a host, it only shows me whether a port is open and lists the port numbers. If the-sV option is added to nmap, the service name running on the target server is also displayed. Portspoof detects these fingerprints and returns incorrect results based on the request features.

Enter the portspoof-h command to view the available options:

 

To run portspoof, two options are required:

portspoof -c /etc/portspoof.conf -s /etc/portspoof_signatures

The running result is as follows:

The following uses an attacker machine (Kali Linux) to scan the target server:

‍‍Result: All 65535 ports starting from 1 are open. In fact, these ports are not really open, and some do not even exist. However, such scan results may still confuse attackers.‍‍

‍‍

Scan the target host with any options in nmap and obtain similar results. Is the result of the nmap-v and-A scan:‍‍

 
 

‍‍I used the verbose mode when running portspoof. If I check the target host, I can see which scan was performed, which signature was identified, and which scan was responded, as shown in:‍‍


 

 

‍‍Summary‍‍

‍‍This article describes how to use portspoof to tease attackers or network beginners and confuse them with ports that are truly open and false. If the attacker is a newbie, he may attempt to attack all these ports. Therefore, through this tool, we can confuse attackers to a certain extent and prolong their attack time to locate and track attackers.‍