Customize dionaeas FTP service

The ftp service of dionaea honeypot can be identified very easily by nmap. In this article I will show you how to customize your ftp service.

First of all install the latest nightly packages from the Personal Package Archive (PPA) or build the honeypot from the sources in the dionaea git repository. After this edit the config file /etc/dionaea/dionaea.conf and add new customized response messages in the ftp section. Before you start let nmap identify the ftp service.

In the examples below the IP address 192.168.12.34 is used to access the honeypot. Replace the IP address with the IP of your own honeypot.

$ nmap -sV -p 21 192.168.12.34

Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-25 13:34 CET
Nmap scan report for 192.168.12.34
Host is up (0.00043s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Dionaea honeypot ftpd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

As you can see nmap successfully identifies the honeypot. But lets override the welcome message with a new one.

modules = {
    [...]
    python = {
        [...]
        ftp = {

            root = "var/dionaea/wwwroot"

            [...]

            response_messages = {
                welcome_msg = "220 DiskStation FTP server ready."
            }
        }
        [...]
    }
    [...]
}

And run the scan again.

$ nmap -sV -p 21 192.168.12.34
[...]
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Synology DiskStation NAS ftpd
Service Info: Device: storage-misc

Lets try another one.

ftp = {
    [...]
    response_messages = {
        welcome_msg = "220 FTP Server ready."
    }
}

And rescan your honeypot.

$ nmap -sV -p 21 192.168.12.34
[...]
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD or KnFTPD
Service Info: OS: Unix

Have a look at the source code to get a list of all available messages you can override.

Be aware that there are other ways to identify your honeypot. But a customized honeypot might be harder to fingerpinrt.

Related articles