A good way to confuse attackers is to provide them with false information, that is, to lead them down promising paths that lead nowhere.
We can do this by showing them incorrect software/OS versions, so they will waste a lot of time without getting any results and finally give up or look for an easier prey.
Portspoof is a software that does exactly that, showing software banners on the indicated ports.
Clone the repo, compile and install:
We can customize the response of each specific port, even assigning regexps so that each response is different, for this we modify the configuration file:
vi /usr/local/etc/portspoof.conf
Start the software:
/usr/local/bin/portspoof -s /usr/local/etc/portspoof_signatures -c /usr/local/etc/portspoof.conf -v
Configure an iptables rule to redirect traffic from ports 23-65535 to port 4444 where portspoof is listening:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444
Connect to port 8081 to verify that it works correctly:
nc 192.168.11.114 8081
OK0100 eXtremail V9 release 2REMote management ...
If we perform a port scan, we can see the banners that portspoof presents us on each port:
nmap -F -sV 192.168.11.114
Starting Nmap 7.01 ( https://nmap.org ) at 2018-05-16 22:38 CEST
Nmap scan report for 192.168.11.114
Host is up (0.00012s latency).
PORT STATE SERVICE VERSION
7/tcp closed echo
9/tcp closed discard
13/tcp closed daytime
21/tcp closed ftp
22/tcp open ssh OpenSSH 7.5p1 (protocol 2.0; HPN-SSH patch 14v12)
23/tcp open telnet?
25/tcp open smtp?
26/tcp open rsftp?
37/tcp open time?
53/tcp open domain?
79/tcp open finger?
80/tcp open http Apache/IBM_Lotus_Domino_v.6.5.6
81/tcp open pop3 Sun Solstice Internet Mail Server pop3d 80969628
88/tcp open http BusyBox httpd (Sphairon Turbolink IAD ADSL modem http config)
106/tcp open pop3pw?
110/tcp open http Phex HTML-Shared File Export httpd 625816
111/tcp open http FusionReactor web server monitor
113/tcp open http Gordian httpd 30979347 (Lantronix MSSVIA http config)
119/tcp open http CAMEO httpd (D-Link DAP-1150 WAP http config)
135/tcp open msrpc?
139/tcp open nagios-nsca Nagios NSCA
143/tcp open ssh (protocol 693)
144/tcp open http HttpFileServer httpd .N..#.
179/tcp open smtp XMail SMTP server 05074 (Linux/x86)
199/tcp open smux?
389/tcp open http GoAhead WebServer
427/tcp open http Cisco ASA 5510 firewall http config
443/tcp open http VLC media player http interface 6
444/tcp open snpp?
445/tcp open ssh (protocol 0476)
465/tcp open smtps?
513/tcp open ftp Cisco TelePresence MCU xSeM videoconferencing bridge n
514/tcp open http DIONIS httpd 57220047
515/tcp open upnp Conexant-EmWeb 2.7 (Huawei ADSL/WAP/VoIP router UPnP; UPnP 281)
543/tcp open http sw-cp-server httpd HRE-sl (Parallels Plesk WebAdmin version)
544/tcp open kshell?
548/tcp open pop3 Microsoft Windows 2003 POP3 Service 1.0
554/tcp open rtsp?
587/tcp open submission?
631/tcp open rtsp Cisco WVC54GCA webcam rtspd
646/tcp open http Servage.net enhanced Apache (u)
873/tcp open http Spyglass_MicroServer gKdcSzw (Tektronix Phaser printer http config)
990/tcp open http Qnap VioStor video recorder http admin Mjw
993/tcp open ftp Tektronix Phaser ftpd
995/tcp open teamspeak-serverquery TeamSpeak 3 ServerQuery
1025/tcp open NFS-or-IIS?
1026/tcp open telnet Cisco Catalyst switch telnetd
1027/tcp open IIS?
1028/tcp open http Apple TV http config (iTunesLib aRGx)
1029/tcp open ms-lsa?
1110/tcp open nfsd-status?
1433/tcp open http BAIDA aDIoThkXL
1720/tcp open h323q931?
1723/tcp open http Micro-Web (Burk ARC Plus remote management http interface)
1755/tcp open telnet HP Jet Direct printer telnetd
1900/tcp open http Apple TV httpd
2000/tcp open ftp Wind River FTP server vHVl
2001/tcp open http Seam web framework
2049/tcp open http NewCS satellite card sharing system http config
2121/tcp open http Avaya IP Office VoIP PBX httpd G(ufxK
2717/tcp open http KM_HTTP-Server 3803 (Kyocera 4050 printer http config)
3000/tcp open http NessusWWW 5.0.3 (Nessus vulnerability scanner http UI)
3128/tcp open squid-http?
3306/tcp open smtp Floosietek FTGate smtpd
3389/tcp open http Terayon cable modem http config 36845502
3986/tcp open http TRENDnet SMART24B switch http config
4899/tcp open radmin?
5000/tcp open upnp?
5009/tcp open http VMware vCloud Director
5051/tcp open http Mongrel httpd 6
5060/tcp open sip?
5101/tcp open imap Microsoft Exchange 2007-2010 imapd
5190/tcp open aol?
5357/tcp open pop3 ArGoSoft freeware pop3d .l.......
5432/tcp open smtp-proxy Arkoon smtp replay (Sendmail)
5631/tcp open pcanywheredata?
5666/tcp open http SignalSys SP200X VoIP http config
5800/tcp open vnc-http Alexandrie2(by GBConcept)
5900/tcp open ssl/imap Cyrus imapd
6000/tcp open smtp PostCast smtpd
6001/tcp open http Virata-EmWeb 7.5 (HP LaserJet http config)
6646/tcp open unknown
7070/tcp open ftp NetPresenz 4007 (Unregistered)
8000/tcp open http-alt?
8008/tcp open http?
8009/tcp open http Virata-EmWeb 89355861 (HP Officejet Pro L7680 http config)
8080/tcp open http-proxy?
8081/tcp open blackice-icecap?
8443/tcp open sip-proxy 3CX PhoneSystem PBX m
8888/tcp open sun-answerbook?
9100/tcp open jetdirect?
9999/tcp open ftp-proxy Cleo VLProxy ftp proxy OdAgknxsc
10000/tcp open telnet Cyberoam UTM firewall telnetd
32768/tcp open filenet-tms?
49152/tcp open http uTorrent WebUI
49153/tcp open http ASSP Anti-Spam Proxy httpd Z(?)?
49154/tcp open ftp OkiData oowFYlWkl printer ftpd 47834
49155/tcp open unknown
49156/tcp open nut Network UPS Tools upsd
49157/tcp open unknown