PORT SPOOF
Enable IP forwarding, then redirect every TCP destination port on 192.168.1.107 except 22 to port 4444.
root@kali:~# sysctl net.ipv4.ip_forward=1
root@kali:~# iptables -t nat -A PREROUTING -p tcp --destination 192.168.1.107 ! --dport 22 -j REDIRECT --to-ports 4444
Clone the portspoof source from GitHub and compile it.
root@kali:~# git clone http://github.com/drk1wi/portspoof
root@kali:~# cd portspoof/
root@kali:~/portspoof# ./configure
root@kali:~/portspoof# make && make install
Start a listener for the redirected TCP streams. Portspoof replies to each stream, and you can control its replies manually.
root@kali:~/portspoof# portspoof -v -p 4444
root@kali:~/portspoof# portspoof -p 4444 -s /usr/local/etc/portspoof_signatures -c /usr/local/etc/portspoof.conf -l portspoof-4444.log
-> Using user defined signature file /usr/local/etc/portspoof_signatures
-> Using user defined configuration file /usr/local/etc/portspoof.conf
-> Using log file portspoof-4444.log
-> Binding to port: 4444
Redirect Multiple Ports
root@kali:~# iptables -t nat -A PREROUTING -p tcp --destination 192.168.1.107 ! --dport 22 -j REDIRECT --to-ports 4444
root@kali:~/portspoof# iptables -t nat -A PREROUTING -p tcp --destination 192.168.1.107 --dport 22:100 -j REDIRECT --to-ports 4444
root@kali:~/portspoof# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1:65535 -j REDIRECT --to-ports 4444
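How the three PREROUTING rules above interact when appended in order, as an added example (not part of the original page or the portspoof project): a small Python model of first-match evaluation that shows which destination ports bypass the redirect. It models only the options used on this page; the function names and the default interface eth0 are assumptions.

```python
import shlex

# The three PREROUTING rules from the page, in iptables-save form and append order.
PAGE_RULES = [
    "-A PREROUTING -p tcp --destination 192.168.1.107 ! --dport 22 -j REDIRECT --to-ports 4444",
    "-A PREROUTING -p tcp --destination 192.168.1.107 --dport 22:100 -j REDIRECT --to-ports 4444",
    "-A PREROUTING -i eth0 -p tcp --dport 1:65535 -j REDIRECT --to-ports 4444",
]


def parse_rule(rule):
    """Parse the iptables options used on this page (only '! --dport' negation is modelled)."""
    parsed = {"dst": None, "iface": None, "ports": None, "to": None}
    negate = False
    tokens = iter(shlex.split(rule))
    for tok in tokens:
        if tok == "!":
            negate = True
            continue
        if tok in ("-d", "--destination"):
            parsed["dst"] = next(tokens)
        elif tok in ("-i", "--in-interface"):
            parsed["iface"] = next(tokens)
        elif tok == "--dport":
            lo, _, hi = next(tokens).partition(":")
            parsed["ports"] = (int(lo), int(hi or lo), negate)
        elif tok == "--to-ports":
            parsed["to"] = int(next(tokens))
        negate = False
    return parsed


def redirect_port(rules, dst_ip, dport, iface="eth0"):
    """Return --to-ports of the first rule matching a new TCP connection, or None."""
    for rule in rules:
        r = parse_rule(rule)
        if r["dst"] not in (None, dst_ip) or r["iface"] not in (None, iface):
            continue
        if r["ports"]:
            lo, hi, negate = r["ports"]
            if (lo <= dport <= hi) == negate:
                continue  # port test failed, try the next rule
        return r["to"]
    return None


def unredirected(rules, dst_ip, ports):
    """Ports that still reach the real service instead of the listener on 4444."""
    return [p for p in ports if redirect_port(rules, dst_ip, p) is None]
```

With only the first rule, port 22 stays reachable; once the 22:100 or 1:65535 rule is also present, port 22 is redirected to 4444 as well, so confirm management access before appending them.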
Local Port Forward
Forward port 8080 to 8888 on the local machine; change the IP address to match your own.
root:not/ # sysctl net.ipv4.ip_forward=1
root:not/ # iptables -t nat -A PREROUTING -p tcp --destination 192.168.1.108 --dport 8080 -j DNAT --to-destination 192.168.1.108:8888
root:not/ # iptables -t nat -A OUTPUT -p tcp --destination 127.0.0.1 --dport 8080 -j DNAT --to-destination 127.0.0.1:8888
root:not/ # iptables -t nat -A OUTPUT -p tcp --destination 192.168.1.108 --dport 8080 -j DNAT --to-destination 127.0.0.1:8888
root:not/ # iptables -t nat -L -n -v --line-number
IP SOURCE ADDRESS SPOOF
Replace the IP source address with 8.8.8.8.
root:not/ # iptables -t nat -A POSTROUTING -p tcp --destination 192.168.1.107 --dport 4444 -j SNAT --to-source 8.8.8.8
Run Wireshark or tcpdump and start a packet capture. The packet details are as follows:
No. Time Source Destination Protocol Length Info
1 0.000000000 8.8.8.8 192.168.1.107 TCP 74 58188 > krb524 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3660674 TSecr=0 WS=128
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0
Ethernet II, Src: fe:41:d0:17:09:ce (fe:41:d0:17:09:ce), Dst: CadmusCo_12:a1:ba (08:00:27:12:a1:ba)
Internet Protocol Version 4, Src: 8.8.8.8 (8.8.8.8), Dst: 192.168.1.107 (192.168.1.107)
Transmission Control Protocol, Src Port: 58188 (58188), Dst Port: krb524 (4444), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
2 0.000064000 192.168.1.107 8.8.8.8 TCP 74 krb524 > 58188 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=993617 TSecr=3660674 WS=1024
Frame 2: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0
Ethernet II, Src: CadmusCo_12:a1:ba (08:00:27:12:a1:ba), Dst: 80:89:17:7d:a1:20 (80:89:17:7d:a1:20)
Internet Protocol Version 4, Src: 192.168.1.107 (192.168.1.107), Dst: 8.8.8.8 (8.8.8.8)
Transmission Control Protocol, Src Port: krb524 (4444), Dst Port: 58188 (58188), Seq: 0, Ack: 1, Len: 0
You can see that the IP source address was replaced with 8.8.8.8.
References
http://portspoof.org/
http://github.com/drk1wi/portspoof/
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
http://resources.infosecinstitute.com/fool-network-hunters-hackers/
http://www.freebuf.com/articles/network/34225.html