Administration Guide

FortiDeceptor decoys

FortiDeceptor creates a network of decoys to lure attackers and monitor their activities on the network. When an attacker interacts with a decoy, an alert is generated first; the attacker's malicious activities are then captured and analyzed in real time to generate a mitigation and remediation response that protects the network.

The current FortiDeceptor decoys are:

Windows
  • Windows 7
  • Windows 10 (can be deployed as a gold image)
  • Windows 2016 (deployed as a gold image)
  • Windows 2019 (deployed as a gold image)
Linux
  • Ubuntu Desktop
IoT/OT
  • SCADA version 3
  • Medical OS
  • POS OS
  • ERP OS
  • 8 OT protocols
  • IoT OS
VPN
  • Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)

The current FortiDeceptor monitor services are:

Windows
  • RDP
  • SMB
  • TCPListener
  • NBNSSpoofSpotter
Linux
  • SSH
  • SAMBA
  • TCPListener
  • HTTP
  • HTTPS
  • GIT
IoT/OT
  • HTTP
  • FTP
  • TFTP
  • SNMP
  • MODBUS
  • S7COMM
  • BACNET
  • IPMI
  • TRICONEX
  • ENIP
  • Kamstrup
  • DNP3
  • Telnet
  • PACS-WEB
  • PACS
  • DICOM server
  • Infusion Pump (TELNET)
  • Infusion Pump (FTP)
  • POS-WEB
  • ERP-WEB
  • GUARDIAN-AST
  • IEC104
  • Jetdirect
  • Printer-WEB
  • IP Camera-WEB
  • UPnP
  • RTSP
  • CDP
SSL VPN
  • HTTPS

The current FortiDeceptor IP address capacities are:

  • A single FortiDeceptor appliance (HW/VM) can host up to 16 deception VMs.
  • A single deception VM supports up to 16 IP addresses or decoys; each IP address represents one decoy.
  • A single FortiDeceptor appliance (HW/VM) can support up to 256 IP addresses.
  • With 4 decoys per segment on average, a single FortiDeceptor appliance (HW/VM) can support up to 64 segments (VLANs).

FortiDeceptor decoy service details

IoT OS

HP printer decoy

SNMP service

  • Enabling this service opens port 161 on the decoy VM and responds to SNMP (v1 or v2c) requests from within the network

  • Community name is user-defined

  • SNMP response is customized for the HP printer decoy

Jetdirect

  • Enabling this service opens port 9100 on the decoy VM and responds to PJL (Printer Job Language) requests.

Printer-WEB

  • A web GUI that simulates the administration GUI of an HP Officejet Pro X451dw printer.
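The SNMP service described for the HP printer decoy above is offered in the same form by most of the decoys that follow (port 161, SNMP v1/v2c, user-defined community name, device-specific response). As an added example that is not FortiDeceptor's own code, the following Python script builds one SNMPv2c GET for sysDescr.0 from raw BER, sends it to a decoy and decodes the reply, so an operator can confirm from a monitoring host that a freshly deployed decoy answers on UDP/161 with the configured community name and the expected device banner. The decoy address, community name and banner text are assumptions; the helper that builds a GetResponse exists only to produce constructed test input offline.

```python
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # SNMPv2-MIB::sysDescr.0

def tlv(tag, body):
    """BER tag-length-value; switches to the long length form above 127 bytes."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(oid):
    out = bytearray([oid[0] * 40 + oid[1]])        # first two arcs share a byte
    for arc in oid[2:]:                           # base-128, continuation bit set
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def build_pdu(pdu_tag, community, oid, value, request_id=1):
    """SNMP message: version (1 = v2c), community OCTET STRING, then the PDU."""
    varbind = tlv(0x30, encode_oid(oid) + value)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))                # error-status, error-index, varbinds
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)

def build_get(community, oid=SYS_DESCR_OID, request_id=1):
    """GetRequest (0xA0) with a NULL placeholder value."""
    return build_pdu(0xA0, community, oid, tlv(0x05, b""), request_id)

def build_response(community, oid, text, request_id=1):
    """GetResponse (0xA2) carrying an OCTET STRING; constructed test input only."""
    return build_pdu(0xA2, community, oid, tlv(0x04, text.encode()), request_id)

def walk(data, leaves):
    """Flatten BER into (tag, body) leaves, descending into SEQUENCE/GetRequest/GetResponse."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                             # long form: next bytes hold the length
            nbytes = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + nbytes], "big"), i + nbytes
        body, i = data[i:i + ln], i + ln
        if tag in (0x30, 0xA0, 0xA2):
            walk(body, leaves)
        else:
            leaves.append((tag, body))
    return leaves

def parse_sys_descr(response):
    """Varbind value as text; None if the reply carries NULL or an SNMP exception."""
    octets = [b for t, b in walk(response, []) if t == 0x04]   # [0] is the community
    return octets[1].decode(errors="replace") if len(octets) >= 2 else None

def query_decoy(host, community, port=161, timeout=3.0):
    """Send one GET to the decoy and return its sysDescr string (None if no reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community), (host, port))
        try:
            return parse_sys_descr(s.recvfrom(4096)[0])
        except OSError:                           # timeout or ICMP unreachable
            return None
```

Call `query_decoy("<decoy-ip>", "<community-name>")` with the values configured in FortiDeceptor; a `None` result means the service is not listening, the community name is wrong, or the reply carried no string value.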

IP camera decoy

IP Camera-WEB

  • A login-required service that displays videos to simulate an IP camera. Default videos are provided, but users should upload 1-8 .mp4 videos that best fit the working environment.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • Community name is user-defined

  • SNMP response is customized for the IP camera decoy

UPnP service

  • Enable this service to open port 8080 on the decoy VM and simulate a UPnP service: a UPnP message is broadcast within the network, and it contains a URL from which the attacker can download an .xml file describing the device.

RTSP service

  • When this service is enabled, you also need to upload a video to a predefined location so that the attacker can watch it.

  • The RTSP port can be adjusted

  • To upload, you can use ffmpeg or any other method that loops a video infinitely, so that the stream stays available to the attacker

For example, to loop a video infinitely:

  sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose}

For the attacker, the live camera stream is then available at rtsp://{ip}:{port}/{name_you_choose}

Cisco router decoy

Models

Four Cisco images (models) are supported: 2691, 3660, 3725 and 3745. If a user uploads a Cisco image that cannot be used, an error message appears.

Router Running-Config (optional)

Users can upload a customized Cisco config file to predefine the Cisco router settings.

Telnet service

  • A login-required service that gives the attacker access to all of the Cisco router's functions.

HTTP service

  • A login-required GUI service similar to the Telnet service, but with less functionality.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for the Cisco router decoy

CDP service

  • Enable CDP so that the decoy VM sends CDP traffic within the network.

Medical

Infusion Pump (Telnet) service

  • Simulates an infusion pump (Telnet)

  • A username/password is required to log in.

Infusion Pump (FTP)

  • Simulates an infusion pump (FTP)

  • A username/password is required to log in.

PACS service

  • A user-defined name for the PACS system.

PACS-WEB service

  • Login-required web GUI for PACS, with existing medical data

  • Port can be adjusted

DICOM Server service

  • Server port can be adjusted

  • Server name can be adjusted

  • DICOM operations (e.g. C-STORE, C-FIND) are supported

POS

POS-WEB service

  • Login-required web GUI that simulates a POS website

  • Port can be adjusted

CRM (ERP)

ERP-WEB service

  • Login-required web GUI that simulates an ERP website

  • Port can be adjusted

SCADA (version 3) OS

Schneider SCADAPack 333E decoy

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • Community name is user-defined

  • SNMP response is customized for the Schneider SCADAPack 333E decoy

DNP3 service

  • Toggle to enable/disable this service. Enable it to capture attacks through DNP3

Telnet service

  • Login-required Telnet service that simulates the SCADAPack E Smart RTU command-line environment

Schneider Power Meter - PM5560 decoy

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • Community name is user-defined

  • SNMP response is customized for the Schneider Power Meter - PM5560 decoy

BACNET service

  • Toggle to enable/disable this service. Enable it to capture attacks through BACNET on the default BACNET port

HTTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through HTTP on the default HTTP port

DNP3 service

  • Toggle to enable/disable this service. Enable it to capture attacks through DNP3 on the default DNP3 port

ENIP service

  • Toggle to enable/disable this service. Enable it to capture attacks through ENIP on the default ENIP port

Schneider EcoStruxure BMS server decoy

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • SNMP response is customized for the Schneider EcoStruxure BMS server decoy

  • Community name is user-defined

BACNET service

  • Toggle to enable/disable this service. Enable it to capture attacks through BACNET on the default BACNET port

HTTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through HTTP on the default HTTP port

TRICONEX service

  • Toggle to enable/disable this service. Enable it to capture attacks on the TRICONEX service

Siemens S7-200 PLC decoy

HTTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through HTTP on the default HTTP port

  • HTTP page title is user-defined

  • Plant Identification is user-defined

  • Serial Number is user-defined

TFTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through TFTP on the default TFTP port

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • SNMP response is customized for the Siemens S7-200 PLC decoy

  • Community name is user-defined

MODBUS service

  • Toggle to enable/disable this service. Enable it to capture attacks through MODBUS on the default MODBUS port

S7COMM service

  • Toggle to enable/disable this service. Enable it to capture attacks through S7COMM on the default S7COMM port

  • Module Type is user-defined

  • PLC Name is user-defined

Rockwell PLC decoy

HTTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through HTTP on the default HTTP port

  • HTTP page title is user-defined

TFTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through TFTP on the default TFTP port

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • SNMP response is customized for the Siemens Rockwell PLC decoy

  • Community name is user-defined

ENIP service

  • Toggle to enable/disable this service. Enable it to capture attacks through ENIP on the default ENIP port

  • ENIP serial number is user-defined

Siemens S7-300 PLC decoy

TFTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through TFTP on the default TFTP port

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • SNMP response is customized for the Siemens S7-300 PLC decoy

  • Community name is user-defined

IEC104 service

  • Toggle to enable/disable this service. Enable it to capture attacks through IEC104 on the default IEC104 port

IPMI Device decoy

HTTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through HTTP on the default HTTP port

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • SNMP response is customized for the IPMI Device decoy

  • Community name is user-defined

FTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through FTP on the default FTP port

  • FTP banner is user-defined

IPMI service

  • Toggle to enable/disable this service. Enable it to capture attacks through IPMI on the default IPMI port

KAMSTRUP 382 decoy

KAMSTRUP service

  • Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device

  • To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available

VAV-DD BACnet controller decoy

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • SNMP response is customized for the VAV-DD BACnet controller decoy

  • Community name is user-defined

BACNET service

  • Toggle to enable/disable this service. Enable it to capture attacks through BACNET on the default BACNET port

Guardian-AST decoy

Guardian-AST service

  • Toggle to enable/disable this service. Enable it to simulate AST's satellite-communications remote asset tracking system, Guardian

  • To deploy a Guardian-AST decoy, this service must be enabled, since it is the only service available

Ascent Compass MNG decoy

HTTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through HTTP on the default HTTP port

FTP service

  • Toggle to enable/disable this service. Enable it to capture attacks through FTP on the default FTP port

  • FTP banner is user-defined

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • SNMP response is customized for the Ascent Compass MNG decoy

  • Community name is user-defined

BACNET service

  • Toggle to enable/disable this service. Enable it to capture attacks through BACNET on the default BACNET port