blackhillsinfosec/GoSpoof

GoSpoof is a push towards bringing cyber deception tooling back into your defensive toolkit. This tool was directly inspired by the tool portspoof.


Setup

Portspoof requires all traffic to be directed to a single port. Run either of the following commands to set up the iptables rule that redirects traffic to port 4444:

./src/goSpoof -sT 4444
sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444

For Docker, run the setup script:

go run DockerSetup.go

Then

docker build -t gospoof .

Now you can run

docker run --rm --network host --privileged gospoof (any flags you wish as normal)

For non-Docker installs, after running the iptables rules, cd into cmd and build the website:

cd GoSpoof/cmd
go run setup.go
cd gospoof

The executable "goSpoof" should already exist in the directory - if not, rebuild it using the following:

go build -o goSpoof

Run the executable

./goSpoof

Move it into bin using the following command:

cp ./goSpoof bin

Usage and CLI Structure

Usage of ./goSpoof:
  -D string
        run as daemon process (default None)
  -Y string
        load configuration from yaml file (default None)
  -fT string
        reset iptables (default None)
  -i string
        ip : Bind to a particular IP address (default if none specified, goSpoof will grab your IP)
  -l string
        file_path : log port scanning alerts to a file (default None)
  -p string
        port : bind to a particular PORT number (default "4444")
  -r string
        port range for iptables to redirect from. Format is (low port):(high port) Must be used with -sT arg (default "1:65535")
  -s string
        file_path : go-spoof service signature regex. file (default None)
  -sP string
        Provide a range of ports (1-10) or a list of ports 1,9,32, or a single port (default "1-65535")
  -sT string
        setup iptables to bind to a single port (bind to this port using -p). Specify specific range of ports to redirect FROM with -r (default None)
  -w string
        specify a number of seconds to wait between sending signatures. Significantly slows down scanning with -sV
  -v string
        be verbose (default None)
  -honey
      Use -honey Y to activate Honeypot Mode. This records the attacker's IP, the date and time of the attack, and the payloads that were sent, and saves them in honeypot.log
  -t
      Assign a value 1-5 to throttle time for a scan: 1 = 5 minutes, doubling at each level up to 5 = 80 minutes
  -rg
      Tunnels an intruder's attacks back at them. This is a standalone flag: NO OTHER flags should be used with Rubber Glue. Saves the hash and plain text in a captures directory.
  -e
      Excludes ports that are specified
  --boot
      Saves the flags used and starts go-spoof as configured with those flags on boot.
  -rm
      Removes all flags used on boot as well as the saved config file, and deletes gospoof.service. A complete fresh start.
  --WebUI
      Launches the GoSpoof Command Center. To run the website without the entire GoSpoof tool running, cd .. then cd Web/Server and run node server.js. Open a browser of your choice and go to http://localhost:3000



Example YAML configuration file

# Minimal, sane defaults — uses your IP and turns on the WebUI
ip: "192.xxx.xxx.xxx"
port: "4444"

serviceSignaturePath: "../tools/portspoof_signatures"

# Behavior
honeypotMode: "Y"        # "Y" or "N"
spoofPorts: "1-65535"
excludedPorts: "22,80,443"
throttleLevel: "0"       # 0 disables throttling
sleep: "0"
rubberGlueMode: "N"      # leave "N" unless you want RG mode only

# No iptables changes by default
startTables: " "
tablesRange: "1:65535"
flushTables: " "

# Extras
webUI: true              # launches http://localhost:3000
boot: false
rm: false
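
A pre-flight check for the spoofPorts and excludedPorts values in the configuration above, added here as an example and not code from the GoSpoof project: it reports which ports with real listeners would be answered by the decoy instead of the real service. The function names, the sample listener list, and the rule that excluded ports are subtracted from the spoofed set are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parsePorts expands the -sP formats from the README: "1-10", "1,9,32" or a single port.
func parsePorts(spec string) (map[int]bool, error) {
	set := map[int]bool{}
	isSep := func(r rune) bool { return r == ',' || r == ' ' }
	for _, part := range strings.FieldsFunc(spec, isSep) {
		bounds := strings.SplitN(part, "-", 2)
		lo, err := strconv.Atoi(bounds[0])
		hi := lo
		if err == nil && len(bounds) == 2 {
			hi, err = strconv.Atoi(bounds[1])
		}
		if err != nil || lo < 1 || hi > 65535 || lo > hi {
			return nil, fmt.Errorf("invalid port spec %q", part)
		}
		for p := lo; p <= hi; p++ {
			set[p] = true
		}
	}
	return set, nil
}

// shadowed lists listener ports still spoofed after excludedPorts is subtracted (assumed -e semantics).
func shadowed(spoofPorts, excludedPorts string, listeners []int) ([]int, error) {
	spoofed, errS := parsePorts(spoofPorts)
	excluded, errE := parsePorts(excludedPorts)
	if errS != nil || errE != nil {
		return nil, fmt.Errorf("spoofPorts: %v; excludedPorts: %v", errS, errE)
	}
	hit := []int{}
	for _, p := range listeners {
		if spoofed[p] && !excluded[p] {
			hit = append(hit, p)
		}
	}
	return hit, nil
}

func main() {
	// Constructed sample: listener ports as read off `ss -tln` on the host.
	fmt.Println(shadowed("1-65535", "22,80,443", []int{22, 443, 5432}))
}
```

Any port it returns should be added to excludedPorts (or -e) before the redirect rule is applied, otherwise that service becomes unreachable behind the decoy.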

Made with ❤️ by Black Hills Infosec

About

Rebuild of portspoof in GO with additional features.
