GoSpoof is a push towards bringing cyber deception tooling back into your defensive toolkit. This tool was directly inspired by the tool portspoof.
Portspoof requires all traffic to be directed to a single port. Run either of the following commands to set up the iptables rule to redirect to port 4444:
./src/goSpoof -sT 4444
sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444
After running, cd into the src directory.
cd src
The executable "goSpoof" should already exist in the directory - if not, rebuild it using the following:
go build -o goSpoof
Run the executable:
./goSpoof
Move it into bin using the following command:
cp ./goSpoof bin
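The redirect rule above covers ports 1:65535, which includes management ports such as SSH on the same host, so new connections to them would also land on the listener. The following added example (not part of GoSpoof or its README) prints equivalent rules that skip a list of ports you want to keep reachable. The function names `redirect_rules` and `emit_rule` are hypothetical, and port 22 is an assumed management port.

```shell
#!/bin/sh
# Added example, not GoSpoof code. Prints (does not apply) iptables REDIRECT
# rules for LOW:HIGH -> LISTEN_PORT, skipping every port listed after it.
# Usage: redirect_rules LOW:HIGH LISTEN_PORT [KEEP_PORT ...]

emit_rule() {  # hypothetical helper: one rule in the form used on this page
    printf 'iptables -t nat -A PREROUTING -p tcp -m tcp --dport %s:%s -j REDIRECT --to-ports %s\n' "$1" "$2" "$3"
}

redirect_rules() {
    [ "$#" -ge 2 ] || { echo "usage: redirect_rules LOW:HIGH LISTEN [KEEP...]" >&2; return 1; }
    rr_low=${1%%:*}; rr_high=${1##*:}; rr_listen=$2
    shift 2
    # Reject anything that is not a plain decimal port number.
    for rr_v in "$rr_low" "$rr_high" "$rr_listen" "$@"; do
        case "$rr_v" in
            ''|*[!0-9]*) echo "not a port number: '$rr_v'" >&2; return 1 ;;
        esac
    done
    if [ "$rr_low" -lt 1 ] || [ "$rr_high" -gt 65535 ] || [ "$rr_low" -gt "$rr_high" ]; then
        echo "bad range: $rr_low:$rr_high" >&2; return 1
    fi
    rr_start=$rr_low
    # Walk the kept ports in ascending order; emit the gap below each one.
    for rr_p in $(printf '%s\n' "$@" | sort -n | uniq); do
        if [ "$rr_p" -lt "$rr_start" ] || [ "$rr_p" -gt "$rr_high" ]; then
            continue   # outside the redirected range: nothing to carve out
        fi
        if [ "$rr_p" -gt "$rr_start" ]; then
            emit_rule "$rr_start" "$((rr_p - 1))" "$rr_listen"
        fi
        rr_start=$((rr_p + 1))
    done
    # Remainder above the highest kept port.
    if [ "$rr_start" -le "$rr_high" ]; then
        emit_rule "$rr_start" "$rr_high" "$rr_listen"
    fi
    return 0
}

# Constructed sample: keep SSH (22) reachable, redirect everything else to 4444.
redirect_rules 1:65535 4444 22
```

Review the printed rules before running them with sudo; rules in the nat table are evaluated only for new connections, so an already established session is not affected when they are added.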
Usage of ./goSpoof:
-D string
run as daemon process (default None)
-Y string
load configuration from yaml file (default None)
-fT string
reset iptables (default None)
-i string
ip : Bind to a particular IP address (default if none specified, goSpoof will grab your IP)
-l string
file_path : log port scanning alerts to a file (default None)
-p string
port : bind to a particular PORT number (default "4444")
-r string
port range for iptables to redirect from. Format is (low port):(high port) Must be used with -sT arg (default "1:65535")
-s string
file_path : go-spoof service signature regex. file (default None)
-sP string
Provide a range of ports (1-10) or a list of ports 1,9,32, or a single port (default "1-65535")
-sT string
setup iptables to bind to a single port (bind to this port using -p). Specify specific range of ports to redirect FROM with -r (default None)
-w string
specify a number of seconds to wait between sending signatures. Significantly slows down scanning with -sV
-v string
be verbose (default None)
-honey
Use -honey Y to activate Honeypot Mode. This records the attacker's IP, the date and time of the attack, and the payloads that were sent. The results are saved in honeypot.log
-t
Assign a value 1-5 to throttle the time for a scan: 1 = 5 minutes, doubling at each level up to 5 = 80 minutes
-rg
Tunnels an intruder's attacks back at them. This is a standalone flag: NO OTHER flags should be used with Rubber Glue. Saves the hash and plain text in a captures directory.
-e
Excludes the specified ports
--boot
Saves the flags used and starts go-spoof with those flags on boot.
-rm
Removes all flags used on boot as well as the saved config file, and deletes the gospoof.service, for a completely fresh start.
Made with ❤️ by Black Hills Infosec