Reducing the fingerprint of the Dionaea honeypot

So, as I go down the path of playing with MHN, I did an external scan of the Dionaea honeypot I recently put up and found that Nmap easily picked out the fact that it was running Dionaea. Since I am working on trying to capture some payloads, I knew I had to do something to disguise it better. I followed this post and was able to change it up. I may look into building this into the deploy package in the near future.

Now I wait.  🙂

Before:

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)

 

After:

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           ProFTPD 1.2.9
22/tcp   open  ssh           (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s?
3306/tcp open  mysql         MySQL 5.0.54
5060/tcp open  sip           (SIP end point; Status: 200 OK)
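
An added example (not part of the original post): a small Python check that parses the two scan tables above and reports, for each port that named the honeypot before, how it reads after the change. The TELLTALES list and the category names are assumptions chosen for this illustration.

```python
import re

# The two nmap -sV port tables, copied from the scans shown on this page.
BEFORE = """\
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)
"""
AFTER = """\
21/tcp   open  ftp           ProFTPD 1.2.9
22/tcp   open  ssh           (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s?
3306/tcp open  mysql         MySQL 5.0.54
5060/tcp open  sip           (SIP end point; Status: 200 OK)
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")
TELLTALES = ("dionaea", "honeypot")  # assumed giveaway substrings, from the "Before" scan

def parse_services(nmap_text):
    """Map port -> (service, version) for each row of an nmap -sV port table."""
    rows = (ROW.match(line.strip()) for line in nmap_text.splitlines())
    return {int(m[1]): (m[4], m[5] or "") for m in rows if m}

def classify(service, version):
    if any(t in version.lower() for t in TELLTALES):
        return "honeypot"        # version column names the honeypot outright
    if service.endswith("?"):
        return "unrecognised"    # nmap is only guessing the service from the port
    return "banner" if version else "no-version"

def audit(before, after):
    """For every port that named the honeypot before, report how it reads now."""
    old, new = parse_services(before), parse_services(after)
    return {port: (classify(*new[port]) if port in new else "absent")
            for port, sv in sorted(old.items()) if classify(*sv) == "honeypot"}

if __name__ == "__main__":
    print(audit(BEFORE, AFTER))
```

On the tables above, port 21 now carries an ordinary product banner, while 445 and 1433 come back as "unrecognised": the scanner no longer matches a signature on them, which is different from reading as a specific real product.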

Erich Kron, Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in InfoSec.
