Reducing the fingerprint of the Dionaea honeypot

So, as I go down the path of playing with MHN, I did an external scan of the Dionaea honeypot I recently put up and found that Nmap easily picked out the fact that it was running Dionaea. Since I am working on trying to capture some payloads, I knew I had to do something to disguise it better. I followed this post and was able to change it up. I may look into building this into the deploy package in the near future.

Now I wait. 🙂

Before:

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)
After:

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           ProFTPD 1.2.9
22/tcp   open  ssh           (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s?
3306/tcp open  mysql         MySQL 5.0.54
5060/tcp open  sip           (SIP end point; Status: 200 OK)
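To check a scan the way the post does (does any VERSION column still name the honeypot?), here is an added example that is not part of the original post, of Dionaea or of MHN: it parses the normal-output table that nmap -sV prints and flags the rows that give the honeypot away, then confirms nothing flagged in the "before" scan survives in the "after" scan. The sample tables are constructed from the rows shown above; the marker strings are an assumption, not a Dionaea-published list.

```python
import re

# Constructed sample input: rows copied from the two nmap -sV tables in the post
BEFORE = """\
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
"""
AFTER = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           ProFTPD 1.2.9
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s?
3306/tcp open  mysql         MySQL 5.0.54
"""

# One row of nmap "normal" output: port/proto, state, service, optional version
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Assumed giveaway substrings to look for in a VERSION column (case-insensitive)
MARKERS = ("dionaea", "honeypot")


def parse_nmap(text):
    """Return {port: (service, version)} for every port row in an nmap -sV table."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            port, _proto, _state, service, version = m.groups()
            rows[int(port)] = (service, version.strip())
    return rows


def leaks(rows):
    """Sorted ports whose version string contains a honeypot marker."""
    return sorted(p for p, (_svc, ver) in rows.items()
                  if any(k in ver.lower() for k in MARKERS))


def still_leaking(before_text, after_text):
    """Ports flagged in the first scan that are still flagged in the second."""
    before = set(leaks(parse_nmap(before_text)))
    after = set(leaks(parse_nmap(after_text)))
    return sorted(before & after)


if __name__ == "__main__":
    print("before:", leaks(parse_nmap(BEFORE)))   # [21, 445, 1433]
    print("after: ", leaks(parse_nmap(AFTER)))    # []
    print("still: ", still_leaking(BEFORE, AFTER))  # []
```

Feed it the saved output of a fresh external scan instead of the embedded sample to re-check after any banner change.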

Erich Kron is the Security Awareness Advocate at KnowBe4, and has over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere.
