Portspoof

Overview

Portspoof is a sophisticated network deception tool that emulates legitimate services and responds to connection attempts with valid service signatures. It can bind to arbitrary ports and respond with authentic-looking banners and responses from popular services (HTTP, SSH, SMTP, DNS, etc.), deceiving port scanners, fingerprinting tools, and reconnaissance activities. Portspoof is primarily used for network defense, honeypots, and deception-based security strategies.

Installation

Linux (Debian/Ubuntu)

sudo apt-get install portspoof

Fedora/RHEL

sudo dnf install portspoof

macOS (via Homebrew)

brew install portspoof

Build from Source

git clone https://github.com/drk1wi/portspoof.git
cd portspoof
./configure
make
sudo make install

Install Build Dependencies

sudo apt-get install build-essential autoconf automake libtool

Verify Installation

portspoof --version
portspoof --help

Core Concepts

Service Emulation

Portspoof emulates legitimate service responses to appear as if real services are running.

Port Mapping

Map arbitrary ports to service signatures, creating convincing decoy services.

Signature Database

Includes extensive database of authentic service banners and responses.

Network Deception

Confuse attackers and automated scanning tools by presenting false service information.

Configuration

Main Configuration File

/etc/portspoof/portspoof.conf
/usr/local/etc/portspoof.conf

Service Signatures Database

/usr/share/portspoof/portspoof_signatures
/etc/portspoof/portspoof_signatures

View Default Configuration

cat /etc/portspoof/portspoof.conf

Basic Commands

Start Portspoof

sudo portspoof
sudo portspoof -c /etc/portspoof/portspoof.conf

Start on Specific Port

sudo portspoof -p 8888

Run in Foreground (Debug)

sudo portspoof -d

Specify Configuration File

sudo portspoof -c /custom/path/portspoof.conf

Start with Specific Signature Database

sudo portspoof -s /path/to/signatures

Common Usage Patterns

Command	Description
sudo portspoof	Start with default configuration
sudo portspoof -p 9999	Run on custom port
sudo portspoof -d	Debug mode (foreground)
sudo portspoof -c config.conf	Use custom config
sudo portspoof -s signatures.txt	Load custom signatures
sudo portspoof -l 192.168.1.100	Bind to specific interface

Configuration File Setup

Basic Configuration Template

# Portspoof Configuration File
#
# Server settings
SERVER_PORT=9999
SERVER_BIND_ADDR=0.0.0.0
SERVER_LISTEN_QUEUE=500

# Service signature database
SIGNATURES_FILE=/usr/share/portspoof/portspoof_signatures

# Logging
LOG_FILE=/var/log/portspoof/portspoof.log
VERBOSITY_LEVEL=1

# Performance
MAX_THREADS=100
INITIAL_THREADS=10

Custom Port Configuration

SERVER_PORT=8888
SERVER_BIND_ADDR=192.168.1.100
SIGNATURES_FILE=/etc/portspoof/custom_signatures

High-Volume Configuration

SERVER_PORT=9999
MAX_THREADS=500
INITIAL_THREADS=50
SERVER_LISTEN_QUEUE=1000

Service Signatures

View Available Signatures

cat /usr/share/portspoof/portspoof_signatures | head -20

HTTP Service Signature

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
Server: Apache/2.4.41

<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1>
...
</body></html>

SSH Service Signature

SSH-2.0-OpenSSH_7.4

SMTP Service Signature

220 mail.example.com ESMTP Postfix

FTP Service Signature

220 FTP Server Ready

Telnet Response

Connected to server
login:

Create Custom Signatures

cat > custom_signatures.txt << 'EOF'
# Port 80 HTTP
"GET / HTTP/1.1" "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\n\r\n"

# Port 22 SSH
"SSH-2.0" "SSH-2.0-OpenSSH_7.4\r\n"

# Port 25 SMTP
"EHLO\|HELO" "220 mail.example.com ESMTP Postfix\r\n"

# Port 3389 RDP
".*" "\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"

# Port 445 SMB
".*" "\xff\x53\x4d\x42"
EOF

Network Deception Strategies

Honeypot Port Setup

# Configure portspoof to emulate multiple services
sudo portspoof -c honeypot.conf

# Monitor connections
tail -f /var/log/portspoof/portspoof.log

Decoy Network Service

# Emulate multiple services on single port
sudo portspoof -p 9999 -s decoy_signatures.txt

Port Obfuscation

# Make all ports appear to have services
# Map every connection to realistic service responses

Advanced Deployment

Multi-Interface Binding

# Create config for multiple interfaces
cat > multi_interface.conf << 'EOF'
SERVER_PORT=9999
SERVER_BIND_ADDR=0.0.0.0
SIGNATURES_FILE=/usr/share/portspoof/portspoof_signatures
EOF

sudo portspoof -c multi_interface.conf

Load Balancing Setup

# Run multiple portspoof instances
sudo portspoof -p 9999 &
sudo portspoof -p 9998 &
sudo portspoof -p 9997 &

Systemd Service Configuration

cat > /etc/systemd/system/portspoof.service << 'EOF'
[Unit]
Description=Portspoof Service Emulation
After=network.target

[Service]
Type=simple
User=root
ExecStart=/usr/bin/portspoof -c /etc/portspoof/portspoof.conf
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl enable portspoof
sudo systemctl start portspoof

Testing Portspoof Responses

Test Connection

nc -zv localhost 9999
nc -zv 192.168.1.100 9999

Capture Service Banner

echo "" | nc 192.168.1.100 9999
timeout 2 nc 192.168.1.100 9999 | od -c

Verify HTTP Response

curl -v http://127.0.0.1:9999/

Test SSH Response

ssh -v localhost -p 9999

Nmap Service Detection

nmap -sV 127.0.0.1 -p 9999
nmap -sV -A 192.168.1.100 -p 9999

Zenmap Fingerprinting

# Test against Zenmap/Nmap OS detection
nmap -O 127.0.0.1 -p 9999

Monitoring and Logging

View Portspoof Logs

tail -f /var/log/portspoof/portspoof.log
grep "connection" /var/log/portspoof/portspoof.log

Monitor Active Connections

sudo netstat -antp | grep portspoof
sudo lsof -i :9999

Real-time Connection Tracking

watch -n 1 "netstat -antp | grep portspoof"

Parse Connection Attempts

grep "from" /var/log/portspoof/portspoof.log | \
awk '{print $NF}' | sort | uniq -c | sort -rn

Honeypot Integration

Combine with IDS

# Log portspoof connections
tail -f /var/log/portspoof/portspoof.log | \
while read line; do
    # Alert on suspicious IPs
    echo "$line" | grep -i attack >> suspicious.log
done

Network Tapering

# Use portspoof to confuse network scans
# Deploy on decoy systems
# Monitor all connection attempts

Create Honeypot Network

# Isolated network segment with portspoof
# Running on multiple ports
# Monitoring all traffic

Performance Tuning

Optimize for High Load

cat > high_load.conf << 'EOF'
MAX_THREADS=1000
INITIAL_THREADS=100
SERVER_LISTEN_QUEUE=5000
TIMEOUT=30
EOF

sudo portspoof -c high_load.conf

Resource Limits

ulimit -n 10000
ulimit -u 1000

Process Monitoring

ps aux | grep portspoof
top -p $(pgrep portspoof)

Troubleshooting

Permission Denied (Port < 1024)

# Use sudo for ports below 1024
sudo portspoof -p 80

# Or run as root
su - -c "portspoof -p 80"

Port Already in Use

# Check existing bindings
sudo netstat -tlnp | grep :9999

# Kill existing process
sudo kill $(lsof -t -i :9999)

Configuration File Not Found

# Verify file exists and permissions
ls -la /etc/portspoof/portspoof.conf
cat /etc/portspoof/portspoof.conf

Signature File Issues

# Check signature file
ls -la /usr/share/portspoof/portspoof_signatures
file /usr/share/portspoof/portspoof_signatures

Service Not Starting

# Run in debug mode
sudo portspoof -d

# Check for errors
sudo systemctl status portspoof
sudo journalctl -u portspoof -n 20

Security Considerations

Network Placement

• Deploy on internal networks only
• Ensure controlled environment
• Document deception strategy
• Monitor for false positives

Ethical Usage

• Use only in authorized networks
• Document deception policies
• Ensure team awareness
• Legal compliance verification

Detection and Analysis

# Monitor portspoof system
watch -n 5 "netstat -antp | grep portspoof"
tail -f /var/log/portspoof/portspoof.log | grep -v "^$"

Advanced Scenarios

Multi-Service Honeypot

# Emulate multiple services on different ports
sudo portspoof -p 80 -s http_signatures &
sudo portspoof -p 22 -s ssh_signatures &
sudo portspoof -p 25 -s smtp_signatures &
sudo portspoof -p 3306 -s mysql_signatures &

Incident Response Preparation

# Setup decoy environment
# Monitor attacker interaction
# Collect forensic evidence
# Analyze attack patterns

Threat Intelligence Gathering

# Deploy honeypot
# Record all connection attempts
# Analyze attacker behavior
# Share findings with community

Best Practices

• Clear Documentation: Document deception strategy
• Regular Updates: Keep signature database current
• Monitoring: Actively monitor honeypot
• Isolation: Properly segment honeypot network
• Incident Response: Have plan for detected attacks
• Legal Review: Verify compliance with regulations
• Team Coordination: Ensure all team members aware
• Log Retention: Archive connection logs

Related Tools

• Honeyd: Virtual honeypot framework
• Cowrie: SSH/Telnet honeypot
• Kippo: Medium interaction honeypot
• Dionaea: Low interaction honeypot
• Snare/Tanner: Web application honeypot
• Suricata: Network security monitoring
• Zeek: Network analysis framework