Fortinet white logo
Fortinet white logo

Administration Guide

FortiDeceptor decoys

FortiDeceptor decoys

FortiDeceptor creates a network of decoys to lure attackers and monitor their activities on the network. When a hacker attacks a decoy, an alert is generated and their malicious activities are captured and analyzed in real-time. This analysis generates a mitigation and remediation response that protects the network.

The current FortiDeceptor decoy OS are:
Windows

Windows 7, Windows 10, Windows 2016 and Windows 2019

Linux

Ubuntu Desktop, CentOS, ESXi and ELK

IoT/OT

SCADA version 3, Medical OS, IoT OS, and d VoIP version1.

VPN

Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)

Customized Windows

Windows 10, Windows Server 2016, Windows Sever 2019

The current FortiDeceptor application decoys are:
Application Decoys

POS OS, ERP OS PACS and SAP

The current FortiDeceptor lure services are:
Windows

RDP, SMB, TCPListener, NBNSSpoofSpotter, ICMP and FTP

Linux

SSH, SAMBA, TCPListener, HTTP, HTTPS, GIT, ICMP and FTP

IoT/OT

HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, ENIP, Kamstrup, DNP3, Telnet, PACS-WEB, PACS, DICOM server, Infusion Pump (TELNET), Infusion Pump (FTP), POS-WEB, ERP-WEP, GUARDIAN-AST, IEC104, Jetdirect, Printer-WEB, IP Camera-WEB, UPnP, RTSP, CDP, TP-link WEB, CWMP, SAP DISPATCHER, SAP WEB, MOXA, MQTT WEB, CoAP, SIP, and XMPP WEB

SSL VPN

HTTPS

Customized Windows

RDP, SMB, NBNSSpoofSpotter, MSSQL, IIS (HTTP/HTTPS) and ICMP

The current FortiDeceptor IP address capacity are:
  • A single EOL can host up to 16 deception VMs.
  • A single FDCIKG can host up to 20 deception VMs.
  • A single FDCVMS can host up to 20 deception VMs.
  • A single deception VM supports up to 24 IP addresses or decoys. Each IP represents a decoy.
  • A single FortiDeceptor appliance (HW/VM) can support up to 480 IP addresses.
  • A single FortiDeceptor appliance (HW/VM) can support up to 128 segments (VLANS).
Tooltip

VPN only supports 8 IPs.

Cisco Decoy only supports 1VLAN.

Decoy services details

IoT OS

Brother MFC Printer Decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Brother MFC Printer decoy.

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Brother NC-340h printer.

Cisco router decoy

Service

Description

Models*

4 Cisco images (models) are supported: 2691, 3660, 3725 and 3745.

An error is displayed if you upload an image that is not supported.

Router Running-Config (optional)

Allows you to upload a customized Cisco config file to predefine the Cisco router setting

Telnet service

A login-required service that enables attackers to utilize all Cisco router functions.

HTTP service

A login-required GUI service similar to the telnet service but with less functionality.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP(v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Cisco router decoy.

CDP service

Enable this service to allow the decoy VM to send CDP traffic within the network.

*Please provide Cisco IOS software to run the Cisco decoy. You can copy the IOS from any Cisco router/switch flash by using TFTP server and running the copy flash tftp: command on the Cisco router/switch side, and then completing the deployment wizard.

HP printer decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within network

  • Community name is user-defined

  • SNMP response is customized for HP printer decoy.

Jetdirect

  • Enable this service to open port 9100 on the decoy VM, and respond to PJL (Printer Job Language) requests.

Printer-WEB

  • A web GUI that simulates the administration GUI of HP Officejet Pro X451dw printer.

IP camera decoy

Service

Description

IP Camera-WEB

  • A login-required service that displays videos to simulate IP cameras. Default videos are available. However, we strongly recommend uploading 1-8 .mp4 videos that fit best with the working environment.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network

  • Community name is user-defined.

  • SNMP response is customized for IP camera decoy.

UPnP service

  • Enable this service to open port 8080 on the decoy VM and simulate UPnP service.
  • A UPnP msg will broadcast within the network. Within the msg there is a URL for the attacker to download a .xml file showing device information.

RTSP service

  • When this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video.

  • The RTSP port can be adjusted.

  • To upload the video, you can use ffmpeg, or any other method to infinitely loop a video so it is available to the attacker

Example:

To infinitely loop a video:sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose};

From the attacker perspective, the live camera stream is available at rtsp://{ip}:{port}/{name_you_choose}

Lexmark Printer decoy

Service

Description

SNMP

  • Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Lexmark Printer decoy

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Lexmark MX410de printer.

TP-LINK decoy

Service

Description

TP-LINK WEB

Enable this service to allow attackers to login to a fake TP-link setting site.

CWMP

Enable this service to send data using CWMP protocol to {ip}:{port}/cpe.

Medical

Service

Description

Infusion Pump (Telnet) service

  • Simulates Infusion Pump (telnet)

  • A username/password is required to login.

Infusion Pump (FTP)

  • Simulates Infusion Pump (FTP)

  • A username/password is required to login.

PACS service

  • A user-defined name for the PACS system.

PACS-WEB service

  • Login-required web GUI for PACS, with existing medical data

  • Port can be adjusted

DICOM Server service

  • Server port can be adjusted

  • Server name can be adjusted

  • DICOM operations (e.g. C-STORE, C-FIND) are supported

B. Braun Infusomat service

  • HTTP/S: Built-in web services to retrieve medical data
  • CAN Bus Protocol (enable/disable)
  • B.BRAUN (port 8080): Login-required web GUI for the B.Braun Infusomat device

POS

Service

Description

POS-WEB service

  • Login-required web GUI simulate POS website

  • Port can be adjusted

CRM(ERP)

Service

Description

ERP-WEB service

  • Login-required web GUI simulates ERP website

  • Port can be adjusted

SAP

Service

Description

SAP ROUTER

  • Enable SAP ROUTER Service so SAP Logon can configure the SAProuter String.
  • Use the default port to ensure SAP Logon can connect.

SAP DISPATCHER

  • Enable SAP DISPATCHER so SAP Logon can get responses from the SAP decoy.
  • Use the default port to ensure SAP Logon can connect.

SAP WEB

A fake SAP HTTP and HTTPS GUI for SAP Fiori Launchpad or Legacy WebGUI.

SCADA (version3) OS

Ascent Compass MNG decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port

  • FTP banner is user-defined.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network

  • Community name is user-defined

  • SNMP response is customized for Ascent Compass MNG decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

Guardian-AST decoy

Service

Description

Guardian-AST service

  • Enable this service to simulate an AST’s satellite communications remote asset tracking system named Guardian.

  • To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available

IPMI Device decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for IPMI Device decoy.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port.

  • FTP banner is user-defined.

IPMI service

  • Enable this service to capture attack through IPMI on the default IPMI port.

KAMSTRUP 382 decoy

Service

Description

KAMSTRUP service

  • Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device

  • To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available

Liebert Spruce UPS decoy

Service

Description

TFTP

Enable this to service capture attacks through TFTP on default TFTP port

SNMP

  • Enable this service to open port 161 on decoy VM and respond to SNMP(v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Liebert Spruce UPS decoy.

HTTP

Enable this service to capture attacks through HTTP on default HTTP port.

Niagara4 Station decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for IPMI Device decoy.

HTTP

Enable this service to capture attacks through HTTP on default HTTP port.

BACNET

Enable this service to capture attack through BACNET on default BACNET port.

NiagaraAX Station decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for IPMI Device decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

BACNET

Enable this service to capture attacks through BACNET on the default BACNET port.

PowerLogic ION7650 decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for PowerLogic ION7650 decoy.

MODBUS

Enable this service to capture attacks through MODBUS on the default MODBUS port.

DNP3

Enable this service to capture attacks through DNP3 on the default DNP3 port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L16ER/BLOGIX5316ER decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Rockwell 1769-L16ER/B LOGIX5316ER decoy.

ENIP

Enable this service to capture attacks through ENIP on the default ENIP port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L35E Ethernet Port decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Rockwell 1769-L35E Ethernet Port decoy.

ENIP

Enable this service to capture attacks through ENIP on the default ENIP port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell PLC decoy

Service

Description

HTTP service

  • Enable s this service capture attack through HTTP on the default HTTP port.

  • HTTP page title is user defined.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens Rockwell PLC decoy.

ENIP service

  • Enable this service to capture attack through ENIP on the default ENIP port.

  • ENIP serial number is user-defined.

GE PLC decoy

Service

Description

HTTP service
  • Enable this service to capture attacks through HTTP on the default HTTP port.
  • HTTP page title is user defined.
TFTP service
  • Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service
  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network.
  • Community name is user-defined.
  • SNMP response is customized for GE PLC decoy.
ENIP service
  • Enable this service to capture attacks through ENIP on the default ENIP port.
  • ENIP serial number is user-defined.
Schneider EcoStruxure BMS server decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider EcoStruxure BMS server decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

TRICONEX service

  • Enable this service to capture attacks with the TRICONEX service.

MOXA NPORT 5110 decoy

Service

Description

SNMP service
  • Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for moxa nport 5110 decoy.
Telnet service
  • Login-required telnet service simulates moxa nport 5110 command line environment.
  • Two command choices: 1 and 2
HTTP service
  • Enable this service to capture attacks through HTTP on the default HTTP port.
MOXA service
Schneider Power Meter - PM5560 decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • Community name is user-defined.

  • SNMP response is customized for Schneider Power Meter - PM5560 decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

HTTP service

  • Enable this service to capture attacks through HTTP on default HTTP port.

DNP3 service

  • Enable this service to capture attacks through DNP3 on the default DNP3 port.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

Schneider SCADAPack 333E decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider SCADAPack 333E decoy.

DNP3 service

  • Enable this service to capture attacks through DNP3.

Telnet service

  • Login-required telnet service simulates SCADAPack E Smart RTU command line environment.

Siemens S7-200 PLC decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

  • HTTP page title is user defined.

  • Plant Identification is user-defined.

  • Serial Number is user-defined.

TFTP service

  • Enable this to service capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-200 PLC decoy.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

S7COMM service

  • Enable this service to capture attacks through S7COMM on the default S7COMM port.

  • Module Type is user-defined.

  • PLC Name is user-defined.

Siemens S7-300 PLC decoy

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-300 PLC decoy.

IEC104 service

  • Enable this service to capture attacks through IEC104 on the default IEC104 port.

VAV-DD BACNET controller decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for VAV-DD BACNET controller decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

VOIP V1 OS

MQTT decoy

Service

Description

MQTT WEB
  • Enable this service to capture attacks through MQTT WEB on the default MQTT WEB port.
  • Supports custom listening port. Default port is 18083.
  • Supports adding User/Password.
CoAP
  • Enable this to service capture attacks through CoAP on the default CoAP port.
  • Download libcoap from GitHub is required. Go to https://github.com/miri64/libcoap and follow the command libcoap command rule.
SIP decoy

Service

Description

SIP
  • Enable this service to capture attacks through MQTT WEB on the default SIP port.
  • Supports adding User/Password.
  • Users can connect to the SIP server from SIP client service (like Linphone) through UDP or TCP, and register an account, text message, voice call, and video call each other.
XMPP decoy

Service

Description

XMPP WEB
  • Enable this service to capture attacks through XMPP WEB on the default XMPP WEB port.
  • Supports custom listening port (default port is 5280).
  • Supports adding User/Password.
  • Can be reached through HTTP.

FortiDeceptor decoys

FortiDeceptor decoys

FortiDeceptor creates a network of decoys to lure attackers and monitor their activities on the network. When a hacker attacks a decoy, an alert is generated and their malicious activities are captured and analyzed in real-time. This analysis generates a mitigation and remediation response that protects the network.

The current FortiDeceptor decoy OS are:
Windows

Windows 7, Windows 10, Windows 2016 and Windows 2019

Linux

Ubuntu Desktop, CentOS, ESXi and ELK

IoT/OT

SCADA version 3, Medical OS, IoT OS, and d VoIP version1.

VPN

Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)

Customized Windows

Windows 10, Windows Server 2016, Windows Sever 2019

The current FortiDeceptor application decoys are:
Application Decoys

POS OS, ERP OS PACS and SAP

The current FortiDeceptor lure services are:
Windows

RDP, SMB, TCPListener, NBNSSpoofSpotter, ICMP and FTP

Linux

SSH, SAMBA, TCPListener, HTTP, HTTPS, GIT, ICMP and FTP

IoT/OT

HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, ENIP, Kamstrup, DNP3, Telnet, PACS-WEB, PACS, DICOM server, Infusion Pump (TELNET), Infusion Pump (FTP), POS-WEB, ERP-WEP, GUARDIAN-AST, IEC104, Jetdirect, Printer-WEB, IP Camera-WEB, UPnP, RTSP, CDP, TP-link WEB, CWMP, SAP DISPATCHER, SAP WEB, MOXA, MQTT WEB, CoAP, SIP, and XMPP WEB

SSL VPN

HTTPS

Customized Windows

RDP, SMB, NBNSSpoofSpotter, MSSQL, IIS (HTTP/HTTPS) and ICMP

The current FortiDeceptor IP address capacity are:
  • A single EOL can host up to 16 deception VMs.
  • A single FDCIKG can host up to 20 deception VMs.
  • A single FDCVMS can host up to 20 deception VMs.
  • A single deception VM supports up to 24 IP addresses or decoys. Each IP represents a decoy.
  • A single FortiDeceptor appliance (HW/VM) can support up to 480 IP addresses.
  • A single FortiDeceptor appliance (HW/VM) can support up to 128 segments (VLANS).
Tooltip

VPN only supports 8 IPs.

Cisco Decoy only supports 1VLAN.

Decoy services details

IoT OS

Brother MFC Printer Decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Brother MFC Printer decoy.

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Brother NC-340h printer.

Cisco router decoy

Service

Description

Models*

4 Cisco images (models) are supported: 2691, 3660, 3725 and 3745.

An error is displayed if you upload an image that is not supported.

Router Running-Config (optional)

Allows you to upload a customized Cisco config file to predefine the Cisco router setting

Telnet service

A login-required service that enables attackers to utilize all Cisco router functions.

HTTP service

A login-required GUI service similar to the telnet service but with less functionality.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP(v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Cisco router decoy.

CDP service

Enable this service to allow the decoy VM to send CDP traffic within the network.

*Please provide Cisco IOS software to run the Cisco decoy. You can copy the IOS from any Cisco router/switch flash by using TFTP server and running the copy flash tftp: command on the Cisco router/switch side, and then completing the deployment wizard.

HP printer decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within network

  • Community name is user-defined

  • SNMP response is customized for HP printer decoy.

Jetdirect

  • Enable this service to open port 9100 on the decoy VM, and respond to PJL (Printer Job Language) requests.

Printer-WEB

  • A web GUI that simulates the administration GUI of HP Officejet Pro X451dw printer.

IP camera decoy

Service

Description

IP Camera-WEB

  • A login-required service that displays videos to simulate IP cameras. Default videos are available. However, we strongly recommend uploading 1-8 .mp4 videos that fit best with the working environment.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network

  • Community name is user-defined.

  • SNMP response is customized for IP camera decoy.

UPnP service

  • Enable this service to open port 8080 on the decoy VM and simulate UPnP service.
  • A UPnP msg will broadcast within the network. Within the msg there is a URL for the attacker to download a .xml file showing device information.

RTSP service

  • When this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video.

  • The RTSP port can be adjusted.

  • To upload the video, you can use ffmpeg, or any other method to infinitely loop a video so it is available to the attacker

Example:

To infinitely loop a video:sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose};

From the attacker perspective, the live camera stream is available at rtsp://{ip}:{port}/{name_you_choose}

Lexmark Printer decoy

Service

Description

SNMP

  • Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Lexmark Printer decoy

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Lexmark MX410de printer.

TP-LINK decoy

Service

Description

TP-LINK WEB

Enable this service to allow attackers to login to a fake TP-link setting site.

CWMP

Enable this service to send data using CWMP protocol to {ip}:{port}/cpe.

Medical

Service

Description

Infusion Pump (Telnet) service

  • Simulates Infusion Pump (telnet)

  • A username/password is required to login.

Infusion Pump (FTP)

  • Simulates Infusion Pump (FTP)

  • A username/password is required to login.

PACS service

  • A user-defined name for the PACS system.

PACS-WEB service

  • Login-required web GUI for PACS, with existing medical data

  • Port can be adjusted

DICOM Server service

  • Server port can be adjusted

  • Server name can be adjusted

  • DICOM operations (e.g. C-STORE, C-FIND) are supported

B. Braun Infusomat service

  • HTTP/S: Built-in web services to retrieve medical data
  • CAN Bus Protocol (enable/disable)
  • B.BRAUN (port 8080): Login-required web GUI for the B.Braun Infusomat device

POS

Service

Description

POS-WEB service

  • Login-required web GUI simulate POS website

  • Port can be adjusted

CRM(ERP)

Service

Description

ERP-WEB service

  • Login-required web GUI simulates ERP website

  • Port can be adjusted

SAP

Service

Description

SAP ROUTER

  • Enable SAP ROUTER Service so SAP Logon can configure the SAProuter String.
  • Use the default port to ensure SAP Logon can connect.

SAP DISPATCHER

  • Enable SAP DISPATCHER so SAP Logon can get responses from the SAP decoy.
  • Use the default port to ensure SAP Logon can connect.

SAP WEB

A fake SAP HTTP and HTTPS GUI for SAP Fiori Launchpad or Legacy WebGUI.

SCADA (version3) OS

Ascent Compass MNG decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port

  • FTP banner is user-defined.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network

  • Community name is user-defined

  • SNMP response is customized for Ascent Compass MNG decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

Guardian-AST decoy

Service

Description

Guardian-AST service

  • Enable this service to simulate an AST’s satellite communications remote asset tracking system named Guardian.

  • To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available

IPMI Device decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for IPMI Device decoy.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port.

  • FTP banner is user-defined.

IPMI service

  • Enable this service to capture attack through IPMI on the default IPMI port.

KAMSTRUP 382 decoy

Service

Description

KAMSTRUP service

  • Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device

  • To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available

Liebert Spruce UPS decoy

Service

Description

TFTP

Enable this to service capture attacks through TFTP on default TFTP port

SNMP

  • Enable this service to open port 161 on decoy VM and respond to SNMP(v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Liebert Spruce UPS decoy.

HTTP

Enable this service to capture attacks through HTTP on default HTTP port.

Niagara4 Station decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for IPMI Device decoy.

HTTP

Enable this service to capture attacks through HTTP on default HTTP port.

BACNET

Enable this service to capture attack through BACNET on default BACNET port.

NiagaraAX Station decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for IPMI Device decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

BACNET

Enable this service to capture attacks through BACNET on the default BACNET port.

PowerLogic ION7650 decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for PowerLogic ION7650 decoy.

MODBUS

Enable this service to capture attacks through MODBUS on the default MODBUS port.

DNP3

Enable this service to capture attacks through DNP3 on the default DNP3 port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L16ER/BLOGIX5316ER decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Rockwell 1769-L16ER/B LOGIX5316ER decoy.

ENIP

Enable this service to capture attacks through ENIP on the default ENIP port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L35E Ethernet Port decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Rockwell 1769-L35E Ethernet Port decoy.

ENIP

Enable this service to capture attacks through ENIP on the default ENIP port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell PLC decoy

Service

Description

HTTP service

  • Enable s this service capture attack through HTTP on the default HTTP port.

  • HTTP page title is user defined.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens Rockwell PLC decoy.

ENIP service

  • Enable this service to capture attack through ENIP on the default ENIP port.

  • ENIP serial number is user-defined.

GE PLC decoy

Service

Description

HTTP service
  • Enable this service to capture attacks through HTTP on the default HTTP port.
  • HTTP page title is user defined.
TFTP service
  • Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service
  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network.
  • Community name is user-defined.
  • SNMP response is customized for GE PLC decoy.
ENIP service
  • Enable this service to capture attacks through ENIP on the default ENIP port.
  • ENIP serial number is user-defined.
Schneider EcoStruxure BMS server decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider EcoStruxure BMS server decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

TRICONEX service

  • Enable this service to capture attacks with the TRICONEX service.

MOXA NPORT 5110 decoy

Service

Description

SNMP service
  • Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for moxa nport 5110 decoy.
Telnet service
  • Login-required telnet service simulates moxa nport 5110 command line environment.
  • Two command choices: 1 and 2
HTTP service
  • Enable this service to capture attacks through HTTP on the default HTTP port.
MOXA service
Schneider Power Meter - PM5560 decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • Community name is user-defined.

  • SNMP response is customized for Schneider Power Meter - PM5560 decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

HTTP service

  • Enable this service to capture attacks through HTTP on default HTTP port.

DNP3 service

  • Enable this service to capture attacks through DNP3 on the default DNP3 port.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

Schneider SCADAPack 333E decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider SCADAPack 333E decoy.

DNP3 service

  • Enable this service to capture attacks through DNP3.

Telnet service

  • Login-required telnet service simulates SCADAPack E Smart RTU command line environment.

Siemens S7-200 PLC decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

  • HTTP page title is user defined.

  • Plant Identification is user-defined.

  • Serial Number is user-defined.

TFTP service

  • Enable this to service capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-200 PLC decoy.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

S7COMM service

  • Enable this service to capture attacks through S7COMM on the default S7COMM port.

  • Module Type is user-defined.

  • PLC Name is user-defined.

Siemens S7-300 PLC decoy

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-300 PLC decoy.

IEC104 service

  • Enable this service to capture attacks through IEC104 on the default IEC104 port.

VAV-DD BACNET controller decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for VAV-DD BACNET controller decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

VOIP V1 OS

MQTT decoy

Service

Description

MQTT WEB
  • Enable this service to capture attacks through MQTT WEB on the default MQTT WEB port.
  • Supports custom listening port. Default port is 18083.
  • Supports adding User/Password.
CoAP
  • Enable this to service capture attacks through CoAP on the default CoAP port.
  • Download libcoap from GitHub is required. Go to https://github.com/miri64/libcoap and follow the command libcoap command rule.
SIP decoy

Service

Description

SIP
  • Enable this service to capture attacks through MQTT WEB on the default SIP port.
  • Supports adding User/Password.
  • Users can connect to the SIP server from SIP client service (like Linphone) through UDP or TCP, and register an account, text message, voice call, and video call each other.
XMPP decoy

Service

Description

XMPP WEB
  • Enable this service to capture attacks through XMPP WEB on the default XMPP WEB port.
  • Supports custom listening port (default port is 5280).
  • Supports adding User/Password.
  • Can be reached through HTTP.