For a few days now we have been working on a fork of the great Dionaea honeypot. Dionaea is a low-interaction honeypot that captures attack payloads and malware by offering a variety of network services.
We modified some of its services to avoid identification by network scanners such as Nmap. All modifications below are in our repository on GitHub: https://github.com/devwerks/dionaea
We started an Intense scan with Nmap to see which services are identified and associated with Dionaea:

nmap -T4 -A -v host

FTP
21/tcp open ftp Dionaea honeypot ftpd
We searched for the string "Dionaea honeypot ftpd" in the file nmap-service-probes. There we can see that Nmap detects the welcome message sent by the Dionaea FTP service, so we changed the message to look like a ProFTPD server.
- self.reply(WELCOME_MSG, "Welcome to the ftp service") + self.reply(WELCOME_MSG, "ProFTPD 1.2.8 Server")
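Review bot: only the welcome line changes here; every other reply the FTP service sends (for example to SYST or FEAT) stays as it was, so version-detection probes that look past the banner will still see the original behaviour, and the hard-coded "ProFTPD 1.2.8 Server" string will be identical on every deployment. Consider moving the banner text into the dionaea configuration so operators can vary it per host, and re-run the nmap -A scan after the change to confirm the "Dionaea honeypot ftpd" match is gone and no other signature now fires.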
HTTP

443/tcp open https Dionaea honeypot httpd
The same procedure as above: we now answer with HTTP/1.1 instead of HTTP/1.0 in the status line.
- self.send("%s %d %s\r\n" % ("HTTP/1.0", code, message)) + self.send("%s %d %s\r\n" % ("HTTP/1.1", code, message))
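Review bot: advertising HTTP/1.1 in the status line changes what clients expect (persistent connections by default, a Host header, chunked transfer coding), while this hunk changes nothing else about how the response is produced. If the responder still closes the socket after each reply, it should at least send a "Connection: close" header; otherwise a 1.1 client that waits for the next response on the same connection behaves differently against this server than against a real one, which is itself a distinguishing signal.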
The same change should also apply to port 80 (http).
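To check a candidate banner against nmap-service-probes signatures before and after a change like the two above, here is an added example (not part of the Dionaea code or of this post). It assumes the welcome line is sent as a 220 reply terminated by CRLF; the match lines in SAMPLE_PROBES are constructed approximations written in Nmap's match-line syntax, not copied from Nmap, and the file path in fingerprint_file is only the usual install location.

```python
import re

# Constructed excerpt in nmap-service-probes syntax. Neither match line is
# copied from Nmap; they approximate the signature discussed in the post and
# a generic ProFTPD-style banner match.
SAMPLE_PROBES = r"""
Probe TCP NULL q||
match ftp m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/
match ftp m|^220 ProFTPD (\d[\d.]+) Server| p/ProFTPD/ v/$1/
"""

# match <service> m<delim><regex><delim>[flags] <fields...>
MATCH_RE = re.compile(r'^(?:soft)?match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$')


def parse_match_lines(text):
    """Yield (service, compiled regex, product) for each match line in text."""
    for line in text.splitlines():
        m = MATCH_RE.match(line.strip())
        if not m:
            continue
        service, _delim, pattern, flags, rest = m.groups()
        re_flags = (re.IGNORECASE if 'i' in flags else 0) | (re.DOTALL if 's' in flags else 0)
        try:
            rx = re.compile(pattern, re_flags)
        except re.error:
            continue  # Nmap uses PCRE; skip the few patterns Python's re rejects
        prod = re.search(r'p/([^/]*)/', rest)
        yield service, rx, prod.group(1) if prod else ''


def fingerprint(banner, probes_text=SAMPLE_PROBES):
    """Return the product names whose signature matches the banner."""
    return [prod for _svc, rx, prod in parse_match_lines(probes_text)
            if rx.search(banner)]


def fingerprint_file(banner, path="/usr/share/nmap/nmap-service-probes"):
    """Same check against an installed Nmap database (path is the usual default)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fingerprint(banner, fh.read())


if __name__ == "__main__":
    # The original Dionaea greeting versus the ProFTPD-style one from the patch.
    for banner in ("220 Welcome to the ftp service\r\n", "220 ProFTPD 1.2.8 Server\r\n"):
        print(repr(banner), "->", fingerprint(banner) or "no match")
```

Running fingerprint_file against a real nmap-service-probes shows which product Nmap would report for the new banner, which is the useful check: the goal is not just that the Dionaea signature no longer matches, but that nothing else unexpected does.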
SSL Certificate

Issuer: commonName=Nepenthes Development Team/organizationName=dionaea.carnivore.it/countryName=DE
This is not flagged by Nmap as a honeypot, but an attacker can spot it by reading the certificate details in the Nmap output.
- MBSTRING_ASC, (const unsigned char *)"Nepenthes Development Team", -1, -1, 0); + MBSTRING_ASC, (const unsigned char *)"RapidSSL SHA256 CA", -1, -1, 0); - MBSTRING_ASC, (const unsigned char *)"dionaea.carnivore.it", -1, -1, 0); + MBSTRING_ASC, (const unsigned char *)"GeoTrust Inc.", -1, -1, 0);
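Review bot: the issuer now reads "RapidSSL SHA256 CA" / "GeoTrust Inc.", but countryName=DE (shown in the issuer line above and not touched by this hunk) is left in place, so the issuer mixes a German country code with a CA whose own certificates carry a different one; the certificate also remains self-signed, so any client that checks the chain will see that the issuer does not match the real CA. The values are compiled in as string literals as well; moving subject and issuer into the dionaea configuration would let operators set their own instead of shipping one fixed identity on every install.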
We changed this to look like a real certificate.
How to use

To use dionaea, simply clone it from https://github.com/devwerks/dionaea. The configuration is the same.
If you run into issues, feel free to get in touch on Twitter, check the current issues or create a new one. Patches are also welcome.