The ftp service of the dionaea honeypot can be identified very easily by nmap. In this article I will show you how to customize your ftp service.
First of all, install the latest nightly packages from the Personal Package Archive (PPA) or build the honeypot from the sources in the dionaea git repository. After this, edit the config file /etc/dionaea/dionaea.conf and add new customized response messages in the ftp section. Before you start, let nmap identify the ftp service.
In the examples below the IP address 192.168.12.34 is used to access the honeypot. Replace the IP address with the IP of your own honeypot.
$ nmap -sV -p 21 192.168.12.34
Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-25 13:34 CET
Nmap scan report for 192.168.12.34
Host is up (0.00043s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
As you can see, nmap successfully identifies the honeypot. But let's override the welcome message with a new one.
modules = {
    [...]
    python = {
        [...]
        ftp = {
            root = "var/dionaea/wwwroot"
            [...]
            response_messages = {
                welcome_msg = "220 DiskStation FTP server ready."
            }
        }
        [...]
    }
    [...]
}
And run the scan again.
$ nmap -sV -p 21 192.168.12.34
[...]
PORT STATE SERVICE VERSION
21/tcp open ftp Synology DiskStation NAS ftpd
Service Info: Device: storage-misc
Let's try another one.
ftp = {
    [...]
    response_messages = {
        welcome_msg = "220 FTP Server ready."
    }
}
And rescan your honeypot.
$ nmap -sV -p 21 192.168.12.34
[...]
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD or KnFTPD
Service Info: OS: Unix
Have a look at the source code to get a list of all available messages you can override.
Be aware that there are other ways to identify your honeypot. But a customized honeypot might be harder to fingerprint.
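The scan results above change because nmap -sV compares the greeting line with regular-expression signatures. The following added example (not part of the original article, dionaea or nmap) parses signatures written in the style of nmap-service-probes match lines and previews how a candidate welcome_msg would be labelled before you deploy it. The two signatures are constructed to mirror the results shown above, and the preview helper and the CRLF framing are assumptions.

```python
import re

# Constructed signatures in the style of nmap-service-probes "match" lines.
# They are written for this example and are NOT copied from nmap's database.
SAMPLE_PROBES = r"""
match ftp m|^220 DiskStation FTP server ready\.\r\n| p/Synology DiskStation NAS ftpd/ d/storage-misc/
match ftp m|^220 FTP Server ready\.\r\n| p/ProFTPD or KnFTPD/ o/Unix/
"""

# match <service> m<delim><regex><delim>[flags] [p/product/ o/os/ d/device/ ...]
MATCH_LINE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)((?: .*)?)$")
FIELD = re.compile(r"(?:^|\s)([pviodh])/([^/]*)/")


def load_signatures(text):
    """Parse match lines into (service, compiled regex, info fields)."""
    sigs = []
    for line in text.splitlines():
        m = MATCH_LINE.match(line.strip())
        if not m:
            continue  # skips blanks, comments and other directives
        service, _delim, pattern, flags, rest = m.groups()
        re_flags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
        regex = re.compile(pattern.encode(), re_flags)
        sigs.append((service, regex, dict(FIELD.findall(rest))))
    return sigs


def identify(banner, sigs):
    """Return (service, info) for the first signature matching the banner."""
    for service, regex, info in sigs:
        if regex.search(banner):
            return service, info
    return None


def preview(welcome_msg, sigs):
    """Classify a candidate welcome_msg as it would appear on the wire."""
    # Assumption: the server sends the configured text followed by CRLF.
    return identify(welcome_msg.encode() + b"\r\n", sigs)


if __name__ == "__main__":
    sigs = load_signatures(SAMPLE_PROBES)
    for msg in ("220 DiskStation FTP server ready.", "220 FTP Server ready.",
                "220 Files here."):
        print(repr(msg), "->", preview(msg, sigs))
```

The parser is simplified: it ignores softmatch and cpe entries, and real signatures may use regex features that Python's re module does not support.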
Links
- Website: dionaea git repository (English)
- Website: Honeypot PPA (English)
- Website: nmap (English)