
Portspoof service emulator

kr0m

A good way to confuse attackers is to feed them wrong information, that is, lead them down paths that look promising but go nowhere.

We can do this by showing them incorrect software/OS versions; that way they waste a lot of time without getting results and eventually give up or look for easier prey.

Portspoof is a piece of software that does exactly that: it shows software banners on the specified ports.

Clone the repo, compile and install:

git clone https://github.com/drk1wi/portspoof.git
cd portspoof
./configure
make
make install

We can customise the response of each specific port, even assigning regexps so that each response is different; to do that we edit the configuration file:

vi /usr/local/etc/portspoof.conf

Start the software:

/usr/local/bin/portspoof -s /usr/local/etc/portspoof_signatures -c /usr/local/etc/portspoof.conf -v

Configure an iptables rule to redirect traffic for ports 23-65535 to port 4444, where portspoof is listening:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444

Connect to port 8081 to check that it works correctly:

nc 192.168.11.114 8081

OK0100 eXtremail V9 release 2REMote management ...
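The per-port regexp responses mentioned above, as an added example that is not part of Portspoof or of this article: a small Python generator that expands a regex-like signature template into a fresh banner on every probe and checks that the result still matches its own template. The SIGNATURES table and its template syntax are constructed for illustration and are not the real portspoof_signatures format.

```python
import random
import re

# Constructed signature table, port -> regex-like template (hypothetical
# format for illustration, not the real portspoof_signatures file).
SIGNATURES = {
    22: r"SSH-2\.0-OpenSSH_[5-7]\.[0-9]p[1-2]\r\n",
    1433: r"220 BAIDA [A-Za-z]{9}\r\n",
    8081: r"OK0100 eXtremail V[0-9] release [0-9]\r\n",
}
DEFAULT_TEMPLATE = r"220 service ready [0-9]{8}\r\n"
_CLASS = re.compile(r"\[([^\]]+)\]")
_REPEAT = re.compile(r"\{(\d+)\}")
_ESCAPES = {"r": "\r", "n": "\n", "t": "\t"}

def _expand_class(body):
    """Expand a class body such as 'A-Za-z_' into the list of its members."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars

def generate_banner(template, rng=random):
    """Turn a regex-like template into one concrete banner. Supports literals,
    backslash escapes (\\. \\r \\n \\t), character classes [...] and an
    optional {n} repeat right after a class; anything else is copied as-is."""
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        cls = _CLASS.match(template, i) if ch == "[" else None
        if ch == "\\" and i + 1 < len(template):
            out.append(_ESCAPES.get(template[i + 1], template[i + 1]))
            i += 2
        elif cls:
            members, i, count = _expand_class(cls.group(1)), cls.end(), 1
            rep = _REPEAT.match(template, i)
            if rep:
                count, i = int(rep.group(1)), rep.end()
            out.append("".join(rng.choice(members) for _ in range(count)))
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def decoy_banner(port, seed=None):
    """Banner a probe of `port` would get; a seed makes the result reproducible."""
    return generate_banner(SIGNATURES.get(port, DEFAULT_TEMPLATE), random.Random(seed))

def matches_template(banner, template):
    """Self-check: every generated banner must satisfy the template it came from."""
    return re.fullmatch(template, banner) is not None
```

Ports not listed in the table fall back to DEFAULT_TEMPLATE, which mirrors how the iptables REDIRECT above funnels a whole port range into one listener.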

If we run a port scan we can see the banners portspoof presents on each port:

nmap -F -sV 192.168.11.114

Starting Nmap 7.01 ( https://nmap.org ) at 2018-05-16 22:38 CEST
Nmap scan report for 192.168.11.114
Host is up (0.00012s latency).
PORT      STATE  SERVICE               VERSION
7/tcp     closed echo
9/tcp     closed discard
13/tcp    closed daytime
21/tcp    closed ftp
22/tcp    open   ssh                   OpenSSH 7.5p1 (protocol 2.0; HPN-SSH patch 14v12)
23/tcp    open   telnet?
25/tcp    open   smtp?
26/tcp    open   rsftp?
37/tcp    open   time?
53/tcp    open   domain?
79/tcp    open   finger?
80/tcp    open   http                  Apache/IBM_Lotus_Domino_v.6.5.6
81/tcp    open   pop3                  Sun Solstice Internet Mail Server pop3d 80969628
88/tcp    open   http                  BusyBox httpd (Sphairon Turbolink IAD ADSL modem http config)
106/tcp   open   pop3pw?
110/tcp   open   http                  Phex HTML-Shared File Export httpd 625816
111/tcp   open   http                  FusionReactor web server monitor
113/tcp   open   http                  Gordian httpd 30979347 (Lantronix MSSVIA http config)
119/tcp   open   http                  CAMEO httpd (D-Link DAP-1150 WAP http config)
135/tcp   open   msrpc?
139/tcp   open   nagios-nsca           Nagios NSCA
143/tcp   open   ssh                   (protocol 693)
144/tcp   open   http                  HttpFileServer httpd .N..#.
179/tcp   open   smtp                  XMail SMTP server 05074 (Linux/x86)
199/tcp   open   smux?
389/tcp   open   http                  GoAhead WebServer
427/tcp   open   http                  Cisco ASA 5510 firewall http config
443/tcp   open   http                  VLC media player http interface 6
444/tcp   open   snpp?
445/tcp   open   ssh                   (protocol 0476)
465/tcp   open   smtps?
513/tcp   open   ftp                   Cisco TelePresence MCU xSeM videoconferencing bridge n
514/tcp   open   http                  DIONIS httpd 57220047
515/tcp   open   upnp                  Conexant-EmWeb 2.7 (Huawei ADSL/WAP/VoIP router UPnP; UPnP 281)
543/tcp   open   http                  sw-cp-server httpd HRE-sl (Parallels Plesk WebAdmin version)
544/tcp   open   kshell?
548/tcp   open   pop3                  Microsoft Windows 2003 POP3 Service 1.0
554/tcp   open   rtsp?
587/tcp   open   submission?
631/tcp   open   rtsp                  Cisco WVC54GCA webcam rtspd
646/tcp   open   http                  Servage.net enhanced Apache (u)
873/tcp   open   http                  Spyglass_MicroServer gKdcSzw (Tektronix Phaser printer http config)
990/tcp   open   http                  Qnap VioStor video recorder http admin Mjw
993/tcp   open   ftp                   Tektronix Phaser ftpd
995/tcp   open   teamspeak-serverquery TeamSpeak 3 ServerQuery
1025/tcp  open   NFS-or-IIS?
1026/tcp  open   telnet                Cisco Catalyst switch telnetd
1027/tcp  open   IIS?
1028/tcp  open   http                  Apple TV http config (iTunesLib aRGx)
1029/tcp  open   ms-lsa?
1110/tcp  open   nfsd-status?
1433/tcp  open   http                  BAIDA aDIoThkXL
1720/tcp  open   h323q931?
1723/tcp  open   http                  Micro-Web (Burk ARC Plus remote management http interface)
1755/tcp  open   telnet                HP Jet Direct printer telnetd
1900/tcp  open   http                  Apple TV httpd
2000/tcp  open   ftp                   Wind River FTP server vHVl
2001/tcp  open   http                  Seam web framework
2049/tcp  open   http                  NewCS satellite card sharing system http config
2121/tcp  open   http                  Avaya IP Office VoIP PBX httpd G(ufxK
2717/tcp  open   http                  KM_HTTP-Server 3803 (Kyocera 4050 printer http config)
3000/tcp  open   http                  NessusWWW 5.0.3 (Nessus vulnerability scanner http UI)
3128/tcp  open   squid-http?
3306/tcp  open   smtp                  Floosietek FTGate smtpd
3389/tcp  open   http                  Terayon cable modem http config 36845502
3986/tcp  open   http                  TRENDnet SMART24B switch http config
4899/tcp  open   radmin?
5000/tcp  open   upnp?
5009/tcp  open   http                  VMware vCloud Director
5051/tcp  open   http                  Mongrel httpd 6
5060/tcp  open   sip?
5101/tcp  open   imap                  Microsoft Exchange 2007-2010 imapd
5190/tcp  open   aol?
5357/tcp  open   pop3                  ArGoSoft freeware pop3d .l.......
5432/tcp  open   smtp-proxy            Arkoon smtp replay (Sendmail)
5631/tcp  open   pcanywheredata?
5666/tcp  open   http                  SignalSys SP200X VoIP http config
5800/tcp  open   vnc-http              Alexandrie2(by GBConcept)
5900/tcp  open   ssl/imap              Cyrus imapd
6000/tcp  open   smtp                  PostCast smtpd
6001/tcp  open   http                  Virata-EmWeb 7.5 (HP LaserJet http config)
6646/tcp  open   unknown
7070/tcp  open   ftp                   NetPresenz 4007 (Unregistered)
8000/tcp  open   http-alt?
8008/tcp  open   http?
8009/tcp  open   http                  Virata-EmWeb 89355861 (HP Officejet Pro L7680 http config)
8080/tcp  open   http-proxy?
8081/tcp  open   blackice-icecap?
8443/tcp  open   sip-proxy             3CX PhoneSystem PBX m
8888/tcp  open   sun-answerbook?
9100/tcp  open   jetdirect?
9999/tcp  open   ftp-proxy             Cleo VLProxy ftp proxy OdAgknxsc
10000/tcp open   telnet                Cyberoam UTM firewall telnetd
32768/tcp open   filenet-tms?
49152/tcp open   http                  uTorrent WebUI
49153/tcp open   http                  ASSP Anti-Spam Proxy httpd Z(?)?
49154/tcp open   ftp                   OkiData oowFYlWkl printer ftpd 47834
49155/tcp open   unknown
49156/tcp open   nut                   Network UPS Tools upsd
49157/tcp open   unknown