How To Use Portspoof (Cyber Deception)

Hello and welcome, and in this video, we’re going to be talking a little bit about Portspoof, a fantastic utility that takes your unused TCP/IP ports and turns them into something different whenever an attacker actually goes about trying to scan them. This video is part of the Active Defense and Cyber Deception class that we run at Wild West Hackin’ Fest in San Diego and in Deadwood and also I run in Black Hat.

Now as always, with all of these videos, we’re going to be using the Active Defense Harbinger Distribution. Once again, if you want this distribution, you go to, you go into the free tools, you’ll see ADHD listed there. You can download the VM and play along. All of the instructions are on the ADHD usage document on the desktop.

Now to get to the instructions for using Portspoof, we’re going to go to Annoyance. We’re going to go down into Portspoof, which I went right by it. Here we go. We’re going to select Portspoof. Let me zoom back out and it’s going to have a wonderful little website that you can go to get more information about Portspoof, an overall description of Portspoof and what we’re actually doing.

Now let’s get started, and the first thing we’re going to have to do is play around with iptables rules. Now the way Portspoof works is it listens on a port, in this situation that’s going to be listening on port 4444, and we’re going to create an iptables firewall that takes all of the traffic that’s coming in a port or a port range. As you can see here, we have matches TCP as the protocol and then it’s going to match the destination port. And then this situation, the range between one and 65,535 and it’s going to redirect it to the local system on port 4444.

Now what Portspoof is going to do is receive those connections initially and it’s going to say that every single port that is scanned is open, and then we’re going to change it so it actually goes with a variety of different services.

So if we were to look at my system now and how it looks in a scan, if I run my Nmap scan, give it a port one to 10 I’m only going to run 10 ports in this video and you’ll see why. But Portspoof can greatly increase the amount of time it takes for a successful port scan.

We’re going to go with ports one through 10 against my Linux IP address and it comes back with all of those ports currently closed. Now, why does it think that those ports are closed? Well, one of the things I can do is I can add in the dash dash reason flag and with the dash dash reason flag, we are seeing that the connection itself is refused.

There’s a number of reasons why you might not get a response from a system. You could get a reset, you could get no response whatsoever. You could get an ICM port unreachable. There’s a wide variety of reasons and with the dash dash reason flag, Nmap’s going to tell us why it thought those ports were closed.

Well now let’s go configure Portspoof.

So I’m going to use the wonderful power of copy and paste and just so you know, copy and paste is without question the single most powerful tool that any hacker or pentester or security professional has. I’m going to become root and I’m going to paste in that long string for iptables. I’m going to hit enter. We have now created that iptables rule on this system. Now to get the initial working Portspoof, the only thing I have to do is just run Portspoof.

Now it’s running.

So now if I go back to my system, that’s “running the attack” over here, you can see that initially all of the ports were closed. Now all of those ports are open and the reason why it states that those ports are open is because it received a SYN/ACK and Portspoof is sending those SYN/ACKs.

Now this in and of itself is not all that interesting. It’s just basically saying yep, SYN/ACK, ports open. But with Portspoof, we can actually do something a little bit more interesting with Portspoof. You see, what we can do with Portspoof is we can actually give it a signature file on the system. So I’m going to copy that string with a signature file, I’m going to paste in Portspoof. Now Portspoof is running and it’s saying using user-defined signature file at user local Etsy Portspoof signatures.

Now, what does it mean to have a signature file?

Well, a variety of different services will respond with a variety of different banners. For example, if you connect to an SSH server, it might come back and say open SSH in the specific version. You might identify a web server by its banner. It says it’s an Apache webserver or whatever. We can use those signatures, and to be honest, Nmap uses those signatures to adequately identify what the remote application is on the other side. So now if we run an actual scan against it, we’re now going to do Nmap space -AF, but we’re going to do a version scan and what that version scan is going to do is, it’s going to attempt to identify what those versions of the different services are on the system.

Now it’s going to take a little bit longer and the reason why it takes a little bit longer is because Nmap isn’t just seeing if the port is open, it’s actually interrogating that service and it’s trying to identify exactly what that banner is.

So there’s a lot of stimulus and response that’s going back and forth between my system here and the system we are now currently scanning. If you want to see status, you can just hit the space bar and it’s going to come back and it’s going to say, well about 70% done, one’s completed and here are the results.

Now, if you look at this point, Portspoof is now completely messed with us because it’s saying that port 1 is open, the service is Telnet, and it believes that it’s a Tanberg NPS, 800 Telnet D server. It thinks that port 4 is Webtam, Webtrends, WTAM. We’ve got a Tobit David.fx, IMAP D server. We have a Sunbelt server?

What is this madness? What is this insanity?

Well, if we were to run this again, it’s going to take a little while.

Portspoof is taking these signatures from the signature file and it’s feeding it right back into Nmap and it’s actually taking a random signature from that signature file and feeding it into Nmap.

Now inevitably you’re going to have someone say, well, of course, an attacker will be able to see right through this. Yes, I mean it’s going to create a lot of noise for the attacker, but that’s kind of the point.

Remember, detection time plus reaction time must be less than the amount of time it takes for an attacker to successfully attack your network. So now we have greatly increased the amount of time it takes for an attacker to run a simple port scan against the target computer system. That’s interesting, in and of itself, it’s just going to increase that time. 10 ports. It took 32 seconds to scan 10 ports. If we were trying to scan all 65,535 ports that were referenced in our iptables rules, it’s going to take a lot longer to identify all those services in ports.

Now if you wanted to find a real service that was alive and listening, you would have to run it multiple times and see which ones looked more consistent with what you would expect. And you can also do a manual inspection. If you think it’s a webserver port, just connect to it. But once again, this is greatly increasing the amount of work effort that an attacker has to go through to identify your ports and your services. So this is a fantastic little utility that’s built into the Active Defense Harbinger Distribution. We use for our Wild West Hackin’ classes for cyber deception.

And if this is interesting, coming up, we’ve got an entire two-day class dedicated to all of this that you should be running.

So once again, my name is John Strand. Please check out Enterprise Security Weekly every Wednesday where Paul Asadoorian and Matt and myself get together and we talk about vendors. Thank you so much and I will see you in the next video.

Want to level up your skills and learn more straight from John himself?
You can check out his classes below!

SOC Core Skills

Active Defense & Cyber Deception

Getting Started in Security with BHIS and MITRE ATT&CK

Introduction to Pentesting

Available live/virtual and on-demand