Portspoof
Overview
Sección titulada «Overview»Portspoof is a sophisticated network deception tool that emulates legitimate services and responds to connection attempts with valid service signatures. It can bind to arbitrary ports and respond with authentic-looking banners and responses from popular services (HTTP, SSH, SMTP, DNS, etc.), deceiving port scanners, fingerprinting tools, and reconnaissance activities. Portspoof is primarily used for network defense, honeypots, and deception-based security strategies.
Installation
Sección titulada «Installation»Linux (Debian/Ubuntu)
Sección titulada «Linux (Debian/Ubuntu)»sudo apt-get install portspoofFedora/RHEL
Sección titulada «Fedora/RHEL»sudo dnf install portspoofmacOS (via Homebrew)
Sección titulada «macOS (via Homebrew)»brew install portspoofBuild from Source
Sección titulada «Build from Source»git clone https://github.com/drk1wi/portspoof.git
cd portspoof
./configure
make
sudo make installInstall Build Dependencies
Sección titulada «Install Build Dependencies»sudo apt-get install build-essential autoconf automake libtoolVerify Installation
Sección titulada «Verify Installation»portspoof --version
portspoof --helpCore Concepts
Sección titulada «Core Concepts»Service Emulation
Sección titulada «Service Emulation»Portspoof emulates legitimate service responses to appear as if real services are running.
Port Mapping
Sección titulada «Port Mapping»Map arbitrary ports to service signatures, creating convincing decoy services.
Signature Database
Sección titulada «Signature Database»Includes extensive database of authentic service banners and responses.
Network Deception
Sección titulada «Network Deception»Confuse attackers and automated scanning tools by presenting false service information.
Configuration
Sección titulada «Configuration»Main Configuration File
Sección titulada «Main Configuration File»/etc/portspoof/portspoof.conf
/usr/local/etc/portspoof.confService Signatures Database
Sección titulada «Service Signatures Database»/usr/share/portspoof/portspoof_signatures
/etc/portspoof/portspoof_signaturesView Default Configuration
Sección titulada «View Default Configuration»cat /etc/portspoof/portspoof.confBasic Commands
Sección titulada «Basic Commands»Start Portspoof
Sección titulada «Start Portspoof»sudo portspoof
sudo portspoof -c /etc/portspoof/portspoof.confStart on Specific Port
Sección titulada «Start on Specific Port»sudo portspoof -p 8888Run in Foreground (Debug)
Sección titulada «Run in Foreground (Debug)»sudo portspoof -dSpecify Configuration File
Sección titulada «Specify Configuration File»sudo portspoof -c /custom/path/portspoof.confStart with Specific Signature Database
Sección titulada «Start with Specific Signature Database»sudo portspoof -s /path/to/signaturesCommon Usage Patterns
Sección titulada «Common Usage Patterns»| Command | Description |
|---|---|
sudo portspoof | Start with default configuration |
sudo portspoof -p 9999 | Run on custom port |
sudo portspoof -d | Debug mode (foreground) |
sudo portspoof -c config.conf | Use custom config |
sudo portspoof -s signatures.txt | Load custom signatures |
sudo portspoof -l 192.168.1.100 | Bind to specific interface |
Configuration File Setup
Sección titulada «Configuration File Setup»Basic Configuration Template
Sección titulada «Basic Configuration Template»# Portspoof Configuration File
#
# Server settings
SERVER_PORT=9999
SERVER_BIND_ADDR=0.0.0.0
SERVER_LISTEN_QUEUE=500
# Service signature database
SIGNATURES_FILE=/usr/share/portspoof/portspoof_signatures
# Logging
LOG_FILE=/var/log/portspoof/portspoof.log
VERBOSITY_LEVEL=1
# Performance
MAX_THREADS=100
INITIAL_THREADS=10Custom Port Configuration
Sección titulada «Custom Port Configuration»SERVER_PORT=8888
SERVER_BIND_ADDR=192.168.1.100
SIGNATURES_FILE=/etc/portspoof/custom_signaturesHigh-Volume Configuration
Sección titulada «High-Volume Configuration»SERVER_PORT=9999
MAX_THREADS=500
INITIAL_THREADS=50
SERVER_LISTEN_QUEUE=1000Service Signatures
Sección titulada «Service Signatures»View Available Signatures
Sección titulada «View Available Signatures»cat /usr/share/portspoof/portspoof_signatures | head -20HTTP Service Signature
Sección titulada «HTTP Service Signature»HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
Server: Apache/2.4.41
<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1>
...
</body></html>SSH Service Signature
Sección titulada «SSH Service Signature»SSH-2.0-OpenSSH_7.4SMTP Service Signature
Sección titulada «SMTP Service Signature»220 mail.example.com ESMTP PostfixFTP Service Signature
Sección titulada «FTP Service Signature»220 FTP Server ReadyTelnet Response
Sección titulada «Telnet Response»Connected to server
login:Create Custom Signatures
Sección titulada «Create Custom Signatures»cat > custom_signatures.txt << 'EOF'
# Port 80 HTTP
"GET / HTTP/1.1" "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\n\r\n"
# Port 22 SSH
"SSH-2.0" "SSH-2.0-OpenSSH_7.4\r\n"
# Port 25 SMTP
"EHLO\|HELO" "220 mail.example.com ESMTP Postfix\r\n"
# Port 3389 RDP
".*" "\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"
# Port 445 SMB
".*" "\xff\x53\x4d\x42"
EOFNetwork Deception Strategies
Sección titulada «Network Deception Strategies»Honeypot Port Setup
Sección titulada «Honeypot Port Setup»# Configure portspoof to emulate multiple services
sudo portspoof -c honeypot.conf
# Monitor connections
tail -f /var/log/portspoof/portspoof.logDecoy Network Service
Sección titulada «Decoy Network Service»# Emulate multiple services on single port
sudo portspoof -p 9999 -s decoy_signatures.txtPort Obfuscation
Sección titulada «Port Obfuscation»# Make all ports appear to have services
# Map every connection to realistic service responsesAdvanced Deployment
Sección titulada «Advanced Deployment»Multi-Interface Binding
Sección titulada «Multi-Interface Binding»# Create config for multiple interfaces
cat > multi_interface.conf << 'EOF'
SERVER_PORT=9999
SERVER_BIND_ADDR=0.0.0.0
SIGNATURES_FILE=/usr/share/portspoof/portspoof_signatures
EOF
sudo portspoof -c multi_interface.confLoad Balancing Setup
Sección titulada «Load Balancing Setup»# Run multiple portspoof instances
sudo portspoof -p 9999 &
sudo portspoof -p 9998 &
sudo portspoof -p 9997 &Systemd Service Configuration
Sección titulada «Systemd Service Configuration»cat > /etc/systemd/system/portspoof.service << 'EOF'
[Unit]
Description=Portspoof Service Emulation
After=network.target
[Service]
Type=simple
User=root
ExecStart=/usr/bin/portspoof -c /etc/portspoof/portspoof.conf
Restart=on-failure
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable portspoof
sudo systemctl start portspoofTesting Portspoof Responses
Sección titulada «Testing Portspoof Responses»Test Connection
Sección titulada «Test Connection»nc -zv localhost 9999
nc -zv 192.168.1.100 9999Capture Service Banner
Sección titulada «Capture Service Banner»echo "" | nc 192.168.1.100 9999
timeout 2 nc 192.168.1.100 9999 | od -cVerify HTTP Response
Sección titulada «Verify HTTP Response»curl -v http://127.0.0.1:9999/Test SSH Response
Sección titulada «Test SSH Response»ssh -v localhost -p 9999Nmap Service Detection
Sección titulada «Nmap Service Detection»nmap -sV 127.0.0.1 -p 9999
nmap -sV -A 192.168.1.100 -p 9999Zenmap Fingerprinting
Sección titulada «Zenmap Fingerprinting»# Test against Zenmap/Nmap OS detection
nmap -O 127.0.0.1 -p 9999Monitoring and Logging
Sección titulada «Monitoring and Logging»View Portspoof Logs
Sección titulada «View Portspoof Logs»tail -f /var/log/portspoof/portspoof.log
grep "connection" /var/log/portspoof/portspoof.logMonitor Active Connections
Sección titulada «Monitor Active Connections»sudo netstat -antp | grep portspoof
sudo lsof -i :9999Real-time Connection Tracking
Sección titulada «Real-time Connection Tracking»watch -n 1 "netstat -antp | grep portspoof"Parse Connection Attempts
Sección titulada «Parse Connection Attempts»grep "from" /var/log/portspoof/portspoof.log | \
awk '{print $NF}' | sort | uniq -c | sort -rnHoneypot Integration
Sección titulada «Honeypot Integration»Combine with IDS
Sección titulada «Combine with IDS»# Log portspoof connections
tail -f /var/log/portspoof/portspoof.log | \
while read line; do
# Alert on suspicious IPs
echo "$line" | grep -i attack >> suspicious.log
doneNetwork Tapering
Sección titulada «Network Tapering»# Use portspoof to confuse network scans
# Deploy on decoy systems
# Monitor all connection attemptsCreate Honeypot Network
Sección titulada «Create Honeypot Network»# Isolated network segment with portspoof
# Running on multiple ports
# Monitoring all trafficPerformance Tuning
Sección titulada «Performance Tuning»Optimize for High Load
Sección titulada «Optimize for High Load»cat > high_load.conf << 'EOF'
MAX_THREADS=1000
INITIAL_THREADS=100
SERVER_LISTEN_QUEUE=5000
TIMEOUT=30
EOF
sudo portspoof -c high_load.confResource Limits
Sección titulada «Resource Limits»ulimit -n 10000
ulimit -u 1000Process Monitoring
Sección titulada «Process Monitoring»ps aux | grep portspoof
top -p $(pgrep portspoof)Troubleshooting
Sección titulada «Troubleshooting»Permission Denied (Port < 1024)
Sección titulada «Permission Denied (Port < 1024)»# Use sudo for ports below 1024
sudo portspoof -p 80
# Or run as root
su - -c "portspoof -p 80"Port Already in Use
Sección titulada «Port Already in Use»# Check existing bindings
sudo netstat -tlnp | grep :9999
# Kill existing process
sudo kill $(lsof -t -i :9999)Configuration File Not Found
Sección titulada «Configuration File Not Found»# Verify file exists and permissions
ls -la /etc/portspoof/portspoof.conf
cat /etc/portspoof/portspoof.confSignature File Issues
Sección titulada «Signature File Issues»# Check signature file
ls -la /usr/share/portspoof/portspoof_signatures
file /usr/share/portspoof/portspoof_signaturesService Not Starting
Sección titulada «Service Not Starting»# Run in debug mode
sudo portspoof -d
# Check for errors
sudo systemctl status portspoof
sudo journalctl -u portspoof -n 20Security Considerations
Sección titulada «Security Considerations»Network Placement
Sección titulada «Network Placement»- Deploy on internal networks only
- Ensure controlled environment
- Document deception strategy
- Monitor for false positives
Ethical Usage
Sección titulada «Ethical Usage»- Use only in authorized networks
- Document deception policies
- Ensure team awareness
- Legal compliance verification
Detection and Analysis
Sección titulada «Detection and Analysis»# Monitor portspoof system
watch -n 5 "netstat -antp | grep portspoof"
tail -f /var/log/portspoof/portspoof.log | grep -v "^$"Advanced Scenarios
Sección titulada «Advanced Scenarios»Multi-Service Honeypot
Sección titulada «Multi-Service Honeypot»# Emulate multiple services on different ports
sudo portspoof -p 80 -s http_signatures &
sudo portspoof -p 22 -s ssh_signatures &
sudo portspoof -p 25 -s smtp_signatures &
sudo portspoof -p 3306 -s mysql_signatures &Incident Response Preparation
Sección titulada «Incident Response Preparation»# Setup decoy environment
# Monitor attacker interaction
# Collect forensic evidence
# Analyze attack patternsThreat Intelligence Gathering
Sección titulada «Threat Intelligence Gathering»# Deploy honeypot
# Record all connection attempts
# Analyze attacker behavior
# Share findings with communityBest Practices
Sección titulada «Best Practices»- Clear Documentation: Document deception strategy
- Regular Updates: Keep signature database current
- Monitoring: Actively monitor honeypot
- Isolation: Properly segment honeypot network
- Incident Response: Have plan for detected attacks
- Legal Review: Verify compliance with regulations
- Team Coordination: Ensure all team members aware
- Log Retention: Archive connection logs
Related Tools
Sección titulada «Related Tools»- Honeyd: Virtual honeypot framework
- Cowrie: SSH/Telnet honeypot
- Kippo: Medium interaction honeypot
- Dionaea: Low interaction honeypot
- Snare/Tanner: Web application honeypot
- Suricata: Network security monitoring
- Zeek: Network analysis framework