iptables - port spoof / local port forward

来源：互联网发布：优化探究同步导学案编辑：程序博客网时间：2024/05/29 07:15

PORT SPOOF

Enable IP forward and redirect destination port to another one.

root@kali:~# sysctl net.ipv4.ip_forward=1root@kali:~# iptables -t nat -A PREROUTING -p tcp --destination 192.168.1.107 ! --dport 22 -j REDIRECT --to-ports 4444

Clone portspoof source from github, and compile it.

root@kali:~# git clone http://github.com/drk1wi/portspoofroot@kali:~# cd portspoof/root@kali:~/portspoof# ./configureroot@kali:~/portspoof# make && make install

Start a port listener for tcp stream. TCP stream will reply by Portspoof, and you can control it manually.

root@kali:~/portspoof# portspoof -v -p 4444root@kali:~/portspoof# portspoof -p 4444 -s /usr/local/etc/portspoof_signatures -c /usr/local/etc/portspoof.conf -l portspoof-4444.log-> Using user defined signature file /usr/local/etc/portspoof_signatures-> Using user defined configuration file /usr/local/etc/portspoof.conf-> Using log file portspoof-4444.log-> Binding to port: 4444

Redirect Multi PORTs

root@kali:~# iptables -t nat -A PREROUTING -p tcp --destination 192.168.1.107 ! --dport 22 -j REDIRECT --to-ports 4444root@kali:~/portspoof# iptables -t nat -A PREROUTING -p tcp --destination 192.168.1.107--dport 22:100 -j REDIRECT --to-ports 4444root@kali:~/portspoof# iptables -t nat -A PREROUTING -i eth0 -p tcp  --dport 1:65535 -j REDIRECT --to-ports 4444

Local Port Forward

Transform port 8080 to 8888 on local machine, please modify the ip address yourself.

root:not/ # sysctl net.ipv4.ip_forward=1root:not/ # iptables -t nat -A PREROUTING -p tcp --destination 192.168.1.108 --dport 8080 -j DNAT --to-destination 192.168.1.108:8888root:not/ # iptables -t nat -A OUTPUT -p tcp --destination 127.0.0.1 --dport 8080 -j DNAT --to-destination 127.0.0.1:8888root:not/ # iptables -t nat -A OUTPUT -p tcp --destination 192.168.1.108 --dport 8080 -j DNAT --to-destination 127.0.0.1:8888root:not/ # iptables -t nat -L -n -v --line-number

IP SOURCE ADDRESS SPOOF

Replace ip source address with 8.8.8.8.

root:not/ # iptables -t nat -A POSTROUTING -p tcp --destination 192.168.1.107 --dport 4444 -j SNAT --to-source 8.8.8.8

Please run wireshark or tcpdump, and start packet sniffer. Packets detail as follow:

No.     Time           Source                Destination           Protocol Length Info      1 0.000000000    8.8.8.8               192.168.1.107         TCP      74     58188 > krb524 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=3660674 TSecr=0 WS=128Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0Ethernet II, Src: fe:41:d0:17:09:ce (fe:41:d0:17:09:ce), Dst: CadmusCo_12:a1:ba (08:00:27:12:a1:ba)Internet Protocol Version 4, Src: 8.8.8.8 (8.8.8.8), Dst: 192.168.1.107 (192.168.1.107)Transmission Control Protocol, Src Port: 58188 (58188), Dst Port: krb524 (4444), Seq: 0, Len: 0No.     Time           Source                Destination           Protocol Length Info      2 0.000064000    192.168.1.107         8.8.8.8               TCP      74     krb524 > 58188 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=993617 TSecr=3660674 WS=1024Frame 2: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface 0Ethernet II, Src: CadmusCo_12:a1:ba (08:00:27:12:a1:ba), Dst: 80:89:17:7d:a1:20 (80:89:17:7d:a1:20)Internet Protocol Version 4, Src: 192.168.1.107 (192.168.1.107), Dst: 8.8.8.8 (8.8.8.8)Transmission Control Protocol, Src Port: krb524 (4444), Dst Port: 58188 (58188), Seq: 0, Ack: 1, Len: 0

You can see that ip source address was replaced with 8.8.8.8.

References

http://portspoof.org/http://github.com/drk1wi/portspoof/http://www.thegeekstuff.com/2011/06/iptables-rules-examples/http://resources.infosecinstitute.com/fool-network-hunters-hackers/http://www.freebuf.com/articles/network/34225.html

0 0