How to set up Dionaea Honeypot to evade Nmap detection

Introduction

The vast majority of attacks on a Dionaea honeypot are automated. The attacking script doesn’t bother checking the responses of services and just launches its attack when it finds an open port. Cool! We can catch a lot of malware this way. Here is an Nmap -sV scan of a Dionaea honeypot I set up for a previous article:

If you want to use Dionaea to catch live people attacking your network there is an obvious problem.

In this tutorial I will be walking you through setting up Dionaea Honeypot to avoid detection by Nmap.

How Nmap detects services

A very detailed walk-through of how Nmap does service detection can be found in chapter 7 of the Nmap book.

When an Nmap scan is initiated with one of the service detection options, Nmap goes through a series of steps to try to identify the service behind an open port. When Nmap receives data from a service, that data is compared against the list of match entries in /usr/share/nmap/nmap-service-probes. We can see which Dionaea services Nmap can detect using grep:

grep Dionaea /usr/share/nmap/nmap-service-probes

Here’s the output, one match entry per line:

match ftp m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/
match http m|^HTTP/1\.0 200 OK\r\nContent-type: text/html; charset=utf-8\r\nContent-Length: 204\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3\.2 Final//EN\"><html>\n<title>Directory listing for /</title>\n<body>\n<h2>Directory listing for /</h2>\n<hr>\n<ul>\n<li><a href=\"\.\./\">\.\./</a>\n</ul>\n<hr>\n</body>\n</html>\n$| p/Dionaea honeypot httpd/
match microsoft-ds m|^\0...\xffSMBr\0\0\0\0\x98\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\x40\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\x10\0\0\0\0\x01\0\0\0\0\0\xfd\xe3\0\0..........\x00\x34\0W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0H\0O\0M\0E\0U\0S\0E\0R\0-\0.\0.\0.\0.\0.\0.\0\0\0|s p/Dionaea honeypot smbd/
match honeypot m|^HTTP/1\.0 200 OK\r\nAllow: OPTIONS, GET, HEAD, POST\r\nContent-Length: 0\r\nConnection: close\r\n\r\n| p/Dionaea Honeypot httpd/
match honeypot m|^SIP/2\.0 200 OK\r\nContent-Length: 0\r\nVia: SIP/2\.0/TCP nm;branch=foo\r\nFrom: sip:nm@nm;tag=root\r\nAccept: application/sdp\r\nTo: sip:nm2@nm2\r\nContact: sip:nm2@nm2\r\nCSeq: 42 OPTIONS\r\nAllow: REGISTER, OPTIONS, INVITE, CANCEL, BYE, ACK\r\nCall-ID: 50000\r\nAccept-Language: en\r\n\r\n| p/Dionaea Honeypot sipd/
match ms-sql-s m|^\x04\x01\x00\x2b\x00\x00\x00\x00\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01\x02\x00\x21\x00\x01\x03\x00\x22\x00\x00\x04\x00\x22\x00\x01\xff\x08\x00\x02\x10\x00\x00\x02\x00\x00| p/Dionaea honeypot MS-SQL server/

In this version of Nmap there are six service responses that can be identified as Dionaea. Looking back at the screenshot earlier in the article, we can see that Nmap only identified two of our services as a Dionaea honeypot. Not bad, but we can do better.
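As an added self-check (example code written for this article, not part of Dionaea or Nmap), the following Python replays two of the match lines above against constructed banners, which is the same regex test Nmap applies to a response; it assumes the entries are copied verbatim from nmap-service-probes and that no regex contains its own `|` delimiter.

```python
"""Replay nmap-service-probes match lines against a service banner, so a
banner change can be checked locally before re-scanning with nmap -sV."""
import re

# Constructed excerpt: two Dionaea entries as they appear in nmap-service-probes.
PROBES_EXCERPT = r"""
match ftp m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/
match honeypot m|^HTTP/1\.0 200 OK\r\nAllow: OPTIONS, GET, HEAD, POST\r\nContent-Length: 0\r\nConnection: close\r\n\r\n| p/Dionaea Honeypot httpd/
"""

# match <service> m<delim><regex><delim><flags> p/<product>/ ...
# (assumes the delimiter never occurs inside the regex, true for these entries)
MATCH_LINE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s+p/([^/]*)/")

def parse_matches(text):
    """Yield (service, compiled bytes regex, product) for each match line."""
    for line in text.splitlines():
        m = MATCH_LINE.match(line)
        if not m:
            continue
        service, _delim, pattern, flags, product = m.groups()
        re_flags = 0
        if "i" in flags:
            re_flags |= re.IGNORECASE
        if "s" in flags:   # the smbd entry uses this so '.' also spans \n
            re_flags |= re.DOTALL
        # Nmap runs PCRE over raw bytes; Python bytes regexes understand the
        # same \xNN, \0, \r and \n escapes used in these entries.
        yield service, re.compile(pattern.encode("latin-1"), re_flags), product

def identify(banner, probes_text=PROBES_EXCERPT):
    """Return the product of the first match line that hits, else None."""
    for _service, regex, product in parse_matches(probes_text):
        if regex.search(banner):
            return product
    return None

# Constructed banners: Dionaea's defaults and two lightly changed variants.
DEFAULT_FTP = b"220 Welcome to the ftp service\r\n"
CHANGED_FTP = b"220 FTP server ready\r\n"
DEFAULT_OPTIONS = (b"HTTP/1.0 200 OK\r\nAllow: OPTIONS, GET, HEAD, POST\r\n"
                   b"Content-Length: 0\r\nConnection: close\r\n\r\n")
# Same headers in a different order: the anchored regex no longer matches.
REORDERED_OPTIONS = (b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n"
                     b"Allow: OPTIONS, GET, HEAD, POST\r\nConnection: close\r\n\r\n")
```

Call identify() on bytes captured from your own honeypot (for example with Wireshark, as later in this article) to see whether the current banner still trips an entry.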

Configuring the SMB service

First we are going to look at the SMB service. Let’s take a deeper look at the nmap-service-probes entry for this service.

match microsoft-ds m|^\0...\xffSMBr\0\0\0\0\x98\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\x40\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\x10\0\0\0\0\x01\0\0\0\0\0\xfd\xe3\0\0..........\x00\x34\0W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0H\0O\0M\0E\0U\0S\0E\0R\0-\0.\0.\0.\0.\0.\0.\0\0\0|s p/Dionaea honeypot smbd/

In /opt/dionaea/lib/dionaea/python/dionaea/smb/extras.py we can see that the default values for primary_domain and server_name are “WORKGROUP” and “HOMEUSER-3AF6FE”. Let’s look at the nmap-service-probes entry again with those two values in mind:

match microsoft-ds m|^\0...\xffSMBr\0\0\0\0\x98\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\x40\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\x10\0\0\0\0\x01\0\0\0\0\0\xfd\xe3\0\0..........\x00\x34\0W\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0H\0O\0M\0E\0U\0S\0E\0R\0-\0.\0.\0.\0.\0.\0.\0\0\0|s p/Dionaea honeypot smbd/

Nmap is looking for the primary_domain “WORKGROUP” and the server_name “HOMEUSER-” followed by any six characters (except for a line break). The strings are UTF-16 in the SMB response, which is why every letter in the pattern is followed by \0 and each wildcard is written as “.\0”. Busted. Let’s change it up. The SMB service can be customized via a YAML file. Let’s look at /opt/dionaea/etc/dionaea/services-enabled/smb.yaml:

- name: smb 
  config: 
 
    ## Generic setting ## 
 
    # 1:"Windows XP Service Pack 0/1", 
    # 2:"Windows XP Service Pack 2", 
    # 3:"Windows XP Service Pack 3", 
    # 4:"Windows 7 Service Pack 1", 
    # 5:"Linux Samba 4.3.11" 
    os_type: 4 
 
     # Additional config 
#    primary_domain: Test 
#    oem_domain_name: Test 
#    server_name: TEST-SERVER 
 
     ## Windows 7 ## 
    native_os: Windows 7 Professional 7600 
    native_lan_manager: Windows 7 Professional 6.1 
    shares: 
      ADMIN$: 
        comment: Remote Admin 
        path: C:\\Windows 
        type: disktree 
      C$: 
        comment: Default Share 
        path: C:\\ 
        type: 
          - disktree 
          - special 
      IPC$: 
        comment: Remote IPC 
        type: ipc 
      Printer: 
        comment: Microsoft XPS Document Writer 
        type: printq 
 
     ## Samba ## 
#    native_os: Windows 6.1 
#    native_lan_manager: Samba 4.3.11 
#    shares: 
#      admin: 
#        comment: Remote Admin 
#        path: \\home\\admin 
#        type: disktree 
#      share: 
#        comment: Default Share 
#        path: \\share 
#        type: disktree 
#      IPC$: 
#        comment: Remote IPC 
#        path: IPC Service 
#        type: ipc 
#      Printer: 
#        comment: Printer Drivers 
#        type: printq

The section we’re going to change is “Additional config”. Uncomment all three lines and change the values to whatever you choose; I’ll be using “Development” and “Development-Server”. When you’re finished the file should look something like the following:

- name: smb 
  config: 
 
    ## Generic setting ## 
 
    # 1:"Windows XP Service Pack 0/1", 
    # 2:"Windows XP Service Pack 2", 
    # 3:"Windows XP Service Pack 3", 
    # 4:"Windows 7 Service Pack 1", 
    # 5:"Linux Samba 4.3.11" 
    os_type: 4 
 
     # Additional config 
    primary_domain: Development 
    oem_domain_name: Development 
    server_name: Development-Server 
 
     ## Windows 7 ## 
    native_os: Windows 7 Professional 7600 
    native_lan_manager: Windows 7 Professional 6.1 
    shares: 
      ADMIN$: 
        comment: Remote Admin 
        path: C:\\Windows 
        type: disktree 
      C$: 
        comment: Default Share 
        path: C:\\ 
        type: 
          - disktree 
          - special 
      IPC$: 
        comment: Remote IPC 
        type: ipc 
      Printer: 
        comment: Microsoft XPS Document Writer 
        type: printq 
 
     ## Samba ## 
#    native_os: Windows 6.1 
#    native_lan_manager: Samba 4.3.11 
#    shares: 
#      admin: 
#        comment: Remote Admin 
#        path: \\home\\admin 
#        type: disktree 
#      share: 
#        comment: Default Share 
#        path: \\share 
#        type: disktree 
#      IPC$: 
#        comment: Remote IPC 
#        path: IPC Service 
#        type: ipc 
#      Printer: 
#        comment: Printer Drivers 
#        type: printq

Let’s run an Nmap -sV scan and see what we get:

Nmap no longer identifies the SMB service as a Dionaea honeypot. Great! Let’s see what we can do about MS-SQL on port 1433.

Configuring the MS-SQL service

Here’s the nmap-service-probes entry for MS-SQL:

match ms-sql-s m|^\x04\x01\x00\x2b\x00\x00\x00\x00\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01\x02\x00\x21\x00\x01\x03\x00\x22\x00\x00\x04\x00\x22\x00\x01\xff\x08\x00\x02\x10\x00\x00\x02\x00\x00| p/Dionaea honeypot MS-SQL server/

For this one I had to fire up Wireshark. What Nmap is looking for here is a series of bytes that are sent as part of the login process when connecting to an MS-SQL database. Here’s a screenshot of the relevant packet in Wireshark:

The highlighted bytes match the entry in nmap-service-probes. You can confirm this yourself by running Wireshark while doing an Nmap service identification scan against port 1433:

nmap -p 1433 -sV ip.of.your.honeypot

Using a Wireshark display filter makes things easier:

ip.src == ip.of.your.honeypot && tds

Once your display filter is in place and your Nmap scan is running you should see a single packet with “TDS” in the Protocol column and “Response” in the Info column. Click on the “Tabular Data Stream” in the packet detail pane of Wireshark and you should see the bytes highlighted like in my screenshot above.

Unfortunately, Dionaea doesn’t provide much in the way of customization in the mssql.yaml file, so we will dig into some Python.

We can find the relevant part of /opt/dionaea/lib/dionaea/python/dionaea/mssql/mssql.py using grep with options to show line numbers and the 20 lines following each match:

grep -n -A 20 "def process" mssql.py

Here’s the output:


If we change r.VersionToken.TokenType (line 147) to a different value, we should be able to evade Nmap. I’m going to change it to “0x01”.

Here is a screenshot of Wireshark showing the new packet. Notice that the 9th highlighted byte has changed from “00” to “01”:

Let’s see what Nmap has to say about the change:

Looks good! Our honeypot is much stealthier now.

Conclusion

Service identification is a cat-and-mouse game. Any new release of Nmap could carry changes to the nmap-service-probes file that identify a previously unidentified Dionaea service, and anyone who reads chapter 7 of the Nmap book could write their own entries for nmap-service-probes. If keeping your honeypot stealthy is important to you, the best thing to do is keep Nmap up to date, scan yourself often, and occasionally change the values in the YAML configuration files located in /opt/dionaea/etc/dionaea/services-*. If a new version of Nmap identifies your honeypot, just follow the basic steps we took here:

  1. grep the nmap-service-probes file to see how Nmap is identifying the service.
  2. Find the YAML configuration file or Python script for that service and edit it so that the information identified in step 1 no longer matches what’s in nmap-service-probes. Wireshark helps a lot in this step with figuring out what to change.

That’s it! If you have any issues or questions please leave a comment below or find me on Twitter @TheJBAnderson
