So, as I go down the path of playing with MHN (Modern Honey Network), I ran an external scan against the Dionaea honeypot I recently put up and found that NMAP easily identified it as Dionaea from the service banners it returns. Since I am working on capturing some payloads, I knew I had to do something to disguise it better. I followed this post and was able to change the banners. I may look into building this into the deploy package in the near future.
Now I wait. 🙂
Before:
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)
After:
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          ProFTPD 1.2.9
22/tcp   open  ssh          (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s?
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)
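The before/after comparison above is the check worth automating: after every Dionaea config change, re-scan the honeypot and confirm no banner still names it. The script below is an added example written for this post, not part of MHN, Dionaea or the linked guide. It parses the port table that nmap -sV prints (the two outputs quoted above are embedded as constructed sample input), flags any line whose service or version field mentions "dionaea" or "honeypot", and diffs the version column between two scans so you can see exactly which banners changed. The marker list and the function names are my own choices.

```python
import re

# Constructed sample input: the "before" and "after" nmap -sV port tables
# quoted in the post, one port per line.
BEFORE = """\
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)
"""

AFTER = """\
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          ProFTPD 1.2.9
22/tcp   open  ssh          (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s?
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)
"""

# One nmap port line: "<port>/<proto> <state> <service> [<version text>]".
# The version column is optional (nmap prints "http?" with no version when it
# could not identify the service).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Strings that give the honeypot away in a banner. "Dionaea honeypot" is what
# nmap printed in the post; matching is case-insensitive.
DEFAULT_MARKERS = ("dionaea", "honeypot")


def parse_nmap_ports(output):
    """Return a list of dicts (port, proto, state, service, version) for every
    port line in an nmap -sV text report; header and unrelated lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": (version or "").strip(),
        })
    return rows


def find_honeypot_banners(output, markers=DEFAULT_MARKERS):
    """Return (port, version) pairs whose service or version text contains a
    honeypot marker. An empty list means the scan no longer names the honeypot."""
    leaks = []
    for row in parse_nmap_ports(output):
        text = f"{row['service']} {row['version']}".lower()
        if any(marker in text for marker in markers):
            leaks.append((row["port"], row["version"]))
    return leaks


def banner_changes(before, after):
    """Map port -> (old version, new version) for every port whose version
    column differs between two scans of the same host."""
    old = {r["port"]: r["version"] for r in parse_nmap_ports(before)}
    new = {r["port"]: r["version"] for r in parse_nmap_ports(after)}
    return {p: (old[p], new.get(p, "")) for p in old if old[p] != new.get(p, "")}


if __name__ == "__main__":
    # Stand-alone run: report leaks in each scan and what changed between them.
    # With the sample input, BEFORE leaks ports 21, 445 and 1433; AFTER leaks none.
    for label, scan in (("before", BEFORE), ("after", AFTER)):
        print(label, "leaks:", find_honeypot_banners(scan))
    for port, (old, new) in sorted(banner_changes(BEFORE, AFTER).items()):
        print(f"{port}: {old!r} -> {new!r}")
```

In practice you would feed it the saved output of nmap -sV run from outside your network (nmap -oN writes this same table format) after each configuration change; a non-empty leak list is the signal to go back to the Dionaea config. Note that the "after" scan still reports a uniform set of open ports that is itself unusual for a single host, so a clean banner check is necessary but not sufficient for blending in.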
Erich Kron is the Security Awareness Advocate at KnowBe4, and has over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the US Army 2nd Regional Cyber Center-Western Hemisphere.