Go-Spoof: A Tool for Cyber Deception

Source: Black Hills Information Security, Inc.

Go-Spoof is a powerful cyber deception tool designed to enhance security operations by mimicking real network services, confusing attackers, and gathering intelligence on malicious activities. It is useful for both Red Teams (simulating attacks) and Blue Teams (defending against attacks).

You Should Know:

1. Installation & Setup

Go-Spoof is written in Go, making it cross-platform. Install it using:

git clone https://github.com/blackhillsinfosec/go-spoof 
cd go-spoof 
go build 

2. Running a Fake HTTP Server

To mimic a web server and log attacker interactions:

./go-spoof http -ip 192.168.1.100 -port 80 

This will respond to HTTP requests while logging attacker IPs and payloads.

3. Spoofing DNS Responses

Redirect attackers to a honeypot:

./go-spoof dns -domain fakebank.com -ip 10.0.0.5 

Any DNS query for `fakebank.com` will resolve to 10.0.0.5.

4. Deploying Fake SMB Shares

Trap attackers scanning for file shares:

./go-spoof smb -ip 192.168.1.100 -share FAKE_FILES 

This logs any attempts to access the fake share.

5. Integrating with SIEM & Logging

Forward logs to Splunk or the ELK Stack by piping output to the local syslog under a tag that a log forwarder can pick up:

./go-spoof http -ip 192.168.1.100 -port 80 | logger -t GO-SPOOF 

6. Defensive Blue Team Use

Monitor attacker behavior by deploying Go-Spoof in high-risk segments:

./go-spoof all -ip 192.168.1.100 -output attacker_logs.json 

7. Automating with Cron (Linux)

Schedule Go-Spoof to restart daily (this crontab entry runs at midnight):

0 0 * * * /path/to/go-spoof http -ip 192.168.1.100 -port 80 >> /var/log/go-spoof.log 

8. Windows Equivalent (PowerShell)

Run a fake RDP server:

Start-Process -FilePath ".\go-spoof.exe" -ArgumentList "rdp -ip 10.0.0.10" 

9. Analyzing Attacker Logs

Use `jq` to parse JSON logs:

cat attacker_logs.json | jq '.attacker_ip, .payload' 
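
The jq filter above prints raw fields. The following added example (not part of the original post or the Go-Spoof project) groups hits per source address and escapes control characters in attacker-supplied payloads before they reach an analyst's terminal. It assumes one JSON object per line with the `attacker_ip` and `payload` fields named in the jq filter; the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in JSON Lines form. Only the field names attacker_ip and
# payload come from the jq filter above; the layout and values are assumptions.
SAMPLE_LOG = "\n".join([
    '{"attacker_ip": "203.0.113.7", "payload": "GET /admin HTTP/1.1"}',
    '{"attacker_ip": "203.0.113.7", "payload": "GET /.env HTTP/1.1"}',
    '{"attacker_ip": "198.51.100.23", "payload": "\\u001b[2JGET / HTTP/1.1"}',
    '{"attacker_ip": "203.0.113.7", "payload": "GET /admin HTTP/1.1"}',
    'not json at all',
    '{"payload": "record without a source address"}',
])

def sanitize(text, limit=80):
    """Escape non-printable characters in attacker-controlled text, then truncate."""
    safe = "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in text)
    return safe[:limit]

def summarize(log_text):
    """Group honeypot hits by source; return (rows, skipped_line_count)."""
    hits = defaultdict(list)
    skipped = 0
    for line in log_text.split("\n"):
        if not line.strip():
            continue  # blank lines are not counted as damaged records
        try:
            record = json.loads(line)
            ip = record["attacker_ip"]
            payload = str(record.get("payload", ""))
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed JSON or a record missing attacker_ip
            continue
        hits[str(ip)].append(sanitize(payload))
    rows = [
        {"ip": ip, "hits": len(p), "distinct_payloads": sorted(set(p))}
        for ip, p in hits.items()
    ]
    rows.sort(key=lambda r: (-r["hits"], r["ip"]))  # busiest source first
    return rows, skipped

if __name__ == "__main__":
    rows, skipped = summarize(SAMPLE_LOG)
    for row in rows:
        print(row["ip"], row["hits"], row["distinct_payloads"])
    print("skipped lines:", skipped)
```

A non-zero skipped count is worth reviewing on its own, since malformed records in a honeypot log can come from payloads that broke the log format.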

10. Customizing Responses

Modify `responses.json` to mimic real services convincingly.

What Undercode Say

Go-Spoof is an essential tool for active defense, allowing security teams to detect, deceive, and analyze attackers in real time. By deploying fake services, defenders can waste attackers’ time, gather threat intelligence, and improve incident response.

Related Commands for Further Learning:

  • Linux Network Monitoring:
    tcpdump -i eth0 port 80 -w spoofed_traffic.pcap 
    
  • Windows Firewall Rule Allowing Inbound Traffic to a Fake SMB Service (PowerShell):
    New-NetFirewallRule -DisplayName "FakeSMB" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 
    
  • Log Analysis with grep:
    grep "malicious_ip" /var/log/go-spoof.log 
    
  • Honeypot Integration:
    ./go-spoof dns -domain attacker.trap -ip 192.168.1.50 >> /opt/honeypot/logs/dns_spoof.log 
    

Expected Output:

A fully operational deception environment that logs attacker interactions, redirects malicious traffic, and enhances security monitoring.

Reported By: Florian Hansemann – Hackers Feeds