
Administration Guide

FortiDeceptor decoys

FortiDeceptor creates a network of decoys to lure attackers and monitor their activities on the network. When a hacker attacks a decoy, an alert is generated and their malicious activities are captured and analyzed in real-time. This analysis generates a mitigation and remediation response that protects the network.

The current FortiDeceptor decoy OSes are:
Windows

Windows 7, Windows 10, Windows 10ltsc2021v1

Linux

Ubuntu Desktop, CentOS, ESXi, ELK and EV2023

IoT/OT

SCADA version 3, Medical OS, IoT OS, and VoIP version 1.

VPN

Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)

Customized Windows

Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, French Windows 10, French Windows Server 2016

Customized Linux

Red Hat 7.9, Red Hat 8, Red Hat 9, Ubuntu 20.04 Server

The current FortiDeceptor application decoys are:
Application Decoys

POS OS, ERP OS, PACS and SAP

The current FortiDeceptor lure services are:
Windows

RDP, SMB, TCPListener, NBNSSpoofSpotter, ICMP, FTP, SMTP, and SWIFT Lite2 (not included in Windows 7).

Linux

SSH, SAMBA, TCPListener, HTTP, HTTPS, GIT, ICMP and FTP

IoT/OT

HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, ENIP, Kamstrup, DNP3, Telnet, PACS-WEB, PACS, DICOM server, Infusion Pump (TELNET), Infusion Pump (FTP), POS-WEB, ERP-WEP, GUARDIAN-AST, IEC104, Jetdirect, Printer-WEB, IP Camera-WEB, UPnP, RTSP, CDP, TP-link WEB, CWMP, SAP DISPATCHER, SAP WEB, MOXA, MQTT WEB, CoAP, SIP, and XMPP WEB

SSL VPN

HTTPS

Customized Windows

RDP, SMB, NBNSSpoofSpotter, MSSQL, IIS (HTTP/HTTPS), ICMP, TCPListener, SMTP, SWIFT Lite2 and FTP

Customized Linux

HTTP, HTTPS, GIT, SAMBA, SSH, SMTP, TCPListener, FTP, RADIUS, ICMP

The current FortiDeceptor IP address capacities are:
  • A single EOL can host up to 16 deception VMs.
  • A single FDCIKG can host up to 20 deception VMs.
  • A single FDCVMS can host up to 20 deception VMs.
  • A single deception VM supports up to 24 IP addresses or decoys. Each IP represents a decoy.
  • A single FortiDeceptor appliance (HW/VM) can support up to 480 IP addresses.
  • A single FortiDeceptor appliance (HW/VM) can support up to 128 segments (VLANs).

VPN only supports 8 IPs.

Cisco Decoy only supports 1 VLAN.

Decoy services details

CentOS

centosv1 Decoy

Service

Description

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

SAMBA

  • Enable this service to capture attacks through SMB on the default SMB port.

HTTP

  • Enable this service to capture attacks through HTTP on the default HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the default HTTPS port.

GIT

  • HTTP port can be adjusted.
  • HTTPS port can be adjusted.
  • GIT Users are user-defined.
  • Git Repository Import is optional.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

ICMP

  • Enable this service to capture ping/attacks through ICMP.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials

RADIUS

  • Enable this service to capture attacks through RADIUS.
  • Authentication port can be adjusted.
  • Accounting port can be adjusted.

EV2023

EV-CPO Decoy

Service Description
HTTP
  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS
  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

FortiGate

fgt601v1 Decoy

(FGT-60E/FGT-100F/FGT-1500D/FGT-2000E/FGT-3700D)

Service

Description

SSLVPN

  • Enable this service to capture attacks through SSLVPN on the user-defined port.

fgt601v2 Decoy

(FGT-60F/FGT-100F/FGT-1500D/FGT-2000E/FGT-3700D/FGT-60F-DMZ/FGT-100F-DMZ/FGT-1500D-DMZ/FGT-2000E-DMZ/FGT-3700D-DMZ)

Service

Description

SSLVPN

  • Enable this service to capture attacks through SSLVPN on the user-defined port.

Ubuntu

ESXI Decoy (Ubuntu16v2)

Service

Description

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Elastic Search (Ubuntu16v2)

Service

Description

Elastic Search

  • ES port can be adjusted, and the user-defined port will be used for HTTP REST API calls to interact with the Elasticsearch cluster.
  • ES node name defines a unique identifier for the default created node within the cluster. The decoy hostname is used if this field is empty.
  • ES cluster name is required to set up the decoy.

Linux Decoy (Ubuntu16v2)

Service

Description

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

SAMBA

  • Enable this service to capture attacks through SMB on the default SMB port.

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

GIT

  • HTTP port can be adjusted.
  • HTTPS port can be adjusted.
  • GIT Users are user-defined.
  • Git Repository Import is optional.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

ICMP

Enable this service to capture ping/traceroute attacks through ICMP.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials

RADIUS

  • Enable this service to capture attacks through RADIUS.
  • Authentication port can be adjusted.
  • Accounting port can be adjusted.
  • Secret Password is user-defined.

VNC

  • Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

Mac Decoy (Ubuntu16v2)

Service

Description

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

VNC

  • Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

Citrix ADC Decoy (Ubuntu18v1)

Service

Description

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Application Delivery Management Decoy (Ubuntu18v1)

Service

Description

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Endpoint Management Decoy (Ubuntu18v1)

Service

Description

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Receiver Decoy (Ubuntu18v1)

Service

Description

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

ESXI Decoy (Ubuntu18v1)

Service

Description

SSH

Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.

SSH banner is user-defined.

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Elastic Search (Ubuntu18v1)

Service

Description

Elastic Search

  • ES port can be adjusted, and the user-defined port will be used for HTTP REST API calls to interact with the Elasticsearch cluster.
  • ES node name defines a unique identifier for the default created node within the cluster. The decoy hostname is used if this field is empty.
  • ES cluster name is required to set up the decoy.

Linux Decoy (Ubuntu18v1)

Service

Description

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

SAMBA

  • Enable this service to capture attacks through SMB on the default SMB port.

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

GIT

  • HTTP port can be adjusted.
  • HTTPS port can be adjusted.
  • GIT Users are user-defined.
  • Git Repository Import is optional.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials.

RADIUS

  • Enable this service to capture attacks through RADIUS.
  • Authentication port can be adjusted.
  • Accounting port can be adjusted.
  • Secret Password is user-defined.

VNC

  • Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

MySql MariaDB Decoy (Ubuntu18v1)

Service

Description

MariaDB

  • Enable this service to open the user-defined port on the decoy VM and respond to MySQL database requests within the network.
  • Database name must match the name of the database in the uploaded SQL schema.
  • Database content requires a SQL schema file for organizing database objects, providing a structured way to manage data and the relationships between different objects within the database system.

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

Nginx Decoy (Ubuntu18v1)

Service

Description

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

ScadaBR Decoy (Ubuntu18v1)

Service

Description

ScadaBR

  • Enable this service to capture attacks through ScadaBR web access on the user-defined HTTP port.

Tomcat Decoy (Ubuntu18v1)

Service

Description

TOMCAT (HTTP)

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

TOMCAT (HTTPS)

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

Webmin Decoy (Ubuntu18v1)

Service

Description

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Windows

Windows 7 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service)
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if it is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Windows 10 Decoy

Service Description
RDP
  • Enable this service to capture attacks through RDP on the default RDP port.
SMB
  • Enable this service to capture attacks through SMB on the default SMB port.
SMTP
  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener
  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.
NBNSSpoofSpotter
  • Enable this service to capture attacks through NBNS (NetBIOS Name Service)
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if it is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP
  • Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2
  • Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
  • MT file import is mandatory.
FTP
  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Windows 10ltsc2021v1 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service)
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if it is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials.

Customized Windows

Customized Windows 10 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.
  • Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.
  • Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy.
  • DSN name is user-defined (after enabling ODBC lure)

  • DSN Description is user-defined (after enabling ODBC lure)

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service)
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if it is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Windows 11 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port
  • Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service

SMB

  • Enable this service to capture attacks through SMB on the default SMB port
  • Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy.
  • DSN name is user-defined (after enabling ODBC lure)
  • DSN Description is user-defined (after enabling ODBC lure)

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service)
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if it is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized Windows Server 2016 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port
  • Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service

SMB

  • Enable this service to capture attacks through SMB on the default SMB port
  • Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy.
  • DSN name is user-defined (after enabling ODBC lure)

  • DSN Description is user-defined (after enabling ODBC lure)

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

Enable this service to capture attacks through NBNS (NetBIOS Name Service)

  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if it is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized Windows Server 2019 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.
  • Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port
  • Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy.
  • DSN name is user-defined (after enabling ODBC lure)
  • DSN Description is user-defined (after enabling ODBC lure)

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service)
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if it is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on deployed Windows decoy
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized Windows Server 2022 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port
  • Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service

SMB

  • Enable this service to capture attacks through SMB on the default SMB port
  • Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy.
  • DSN name is user-defined (after enabling ODBC lure)
  • DSN Description is user-defined (after enabling ODBC lure)

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service)
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if it is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on deployed Windows decoy
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized French Windows 10 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port
  • Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service

SMB

  • Enable this service to capture attacks through SMB on the default SMB port
  • Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy.
  • DSN name is user-defined (after enabling ODBC lure)

  • DSN Description is user-defined (after enabling ODBC lure)

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service)
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if it is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on deployed Windows decoy
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

Customized French Windows Server 2016 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.
  • Enable Allow domain user to access RDP to allow Active Directory (AD) users to access the RDP service.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.
  • Enable Allow domain user to access SMB to allow Active Directory (AD) users to access the SMB service.

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy.
  • DSN name is user-defined (after enabling ODBC lure).
  • DSN Description is user-defined (after enabling ODBC lure).

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service)
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for queries directly. When NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on deployed Windows decoy
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

IoT OS

Brother MFC Printer Decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Brother MFC Printer decoy.

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Brother NC-340h printer.

Cisco Router Decoy

Service

Description

Models*

4 Cisco images (models) are supported: 2691, 3660, 3725 and 3745.

An error is displayed if you upload an image that is not supported.

Router Running-Config (optional)

Allows you to upload a customized Cisco config file to predefine the Cisco router settings.

Telnet service

A login-required service that enables attackers to utilize all Cisco router functions.

HTTP service

A login-required GUI service similar to the telnet service but with less functionality.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP(v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Cisco router decoy.

CDP service

Enable this service to allow the decoy VM to send CDP traffic within the network.

*You must provide Cisco IOS software to run the Cisco decoy. You can copy the IOS image from the flash of any Cisco router/switch by using a TFTP server and running the copy flash tftp: command on the Cisco router/switch side, and then complete the deployment wizard.

HP Printer Decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for HP printer decoy.

Jetdirect

  • Enable this service to open port 9100 on the decoy VM, and respond to PJL (Printer Job Language) requests.

Printer-WEB

  • A web GUI that simulates the administration GUI of HP Officejet Pro X451dw printer.

IP Camera Decoy

Service

Description

IP Camera-WEB

  • A login-required service that displays videos to simulate IP cameras. Default videos are available. However, we strongly recommend uploading 1-8 .mp4 videos that fit best with the working environment.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network

  • Community name is user-defined.

  • SNMP response is customized for IP camera decoy.

UPnP service

  • Enable this service to open port 8080 on the decoy VM and simulate UPnP service.
  • A UPnP message is broadcast within the network. The message contains a URL from which the attacker can download an .xml file showing device information.

RTSP service

  • When this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video.

  • The RTSP port can be adjusted.

  • To upload the video, you can use ffmpeg or any other method that loops a video indefinitely so that it is available to the attacker.

Example:

To infinitely loop a video:

sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose}

From the attacker's perspective, the live camera stream is available at rtsp://{ip}:{port}/{name_you_choose}

Lexmark Printer Decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Lexmark Printer decoy.

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Lexmark MX410de printer.

TP-LINK Router Decoy

Service

Description

TP-LINK WEB

Enable this service to allow attackers to log in to a fake TP-Link settings site.

CWMP

Enable this service to send data using the CWMP protocol to {ip}:{port}/cpe.

HP Switch Decoy

Service

Description

SNMP

Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

Community name is user-defined.

SNMP response is customized for HP switch decoy.

Telnet service

A login-required service.

CDP

Enable this service to allow the decoy VM to send CDP traffic within the network.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

MikroTik Router Decoy

Service

Description

SNMP

Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

Community name is user-defined.

SNMP response is customized for MikroTik router decoy.

Telnet service

A login-required service that enables attackers to utilize all MikroTik router functions.

CDP

Enable this service to allow the decoy VM to send CDP traffic within the network.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

SWIFT VPN Gateway decoy

Service

Description

Telnet service

A login-required service.

HTTPS

Enable this service to capture attacks through HTTPS on the default HTTPS port.

Medical

PACS Decoy

Service

Description

Infusion Pump (Telnet) service

  • Simulates Infusion Pump (telnet)

  • A username/password is required to login.

Infusion Pump (FTP)

  • Simulates Infusion Pump (FTP)

  • A username/password is required to login.

PACS service

  • A user-defined name for the PACS system.

PACS-WEB service

  • Login-required web GUI for PACS, with existing medical data

  • Port can be adjusted

DICOM Server service

  • Server port can be adjusted

  • Server name can be adjusted

  • DICOM operations (e.g. C-STORE, C-FIND) are supported

Infusomat Decoy

Service

Description

HTTP service

Enable this service to capture attacks through HTTP on the default HTTP port.

HTTPS service

Enable this service to capture attacks through HTTPS on the default HTTPS port.

CAN Bus Protocol

Enable this service to capture attacks through TCP on the default TCP port (1500).

B.BRAUN

Enable this service to capture attacks through HTTP port 8080.

Spacecom Decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

HTTPS service

  • Enable this service to capture attacks through HTTPS on the default HTTPS port.

FTP service

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

CAN Bus Protocol

  • Enable this service to capture attacks through TCP on the default TCP port (1500).

SSH service

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

POS

Service

Description

POS-WEB service

  • Login-required web GUI that simulates a POS website.

  • Port can be adjusted

CRM(ERP)

Service

Description

ERP-WEB service

  • Login-required web GUI that simulates an ERP website.

  • Port can be adjusted

SAP

Service

Description

SAP ROUTER

  • Enable SAP ROUTER Service so SAP Logon can configure the SAProuter String.
  • Use the default port to ensure SAP Logon can connect.

SAP DISPATCHER

  • Enable SAP DISPATCHER so SAP Logon can get responses from the SAP decoy.
  • Use the default port to ensure SAP Logon can connect.

SAP WEB

A fake SAP HTTP and HTTPS GUI for SAP Fiori Launchpad or Legacy WebGUI.

SCADA (version3) OS

Ascent Compass MNG decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port

  • FTP banner is user-defined.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Ascent Compass MNG decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

Guardian-AST decoy

Service

Description

Guardian-AST service

  • Enable this service to simulate an AST’s satellite communications remote asset tracking system named Guardian.

  • To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available

IPMI Device decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for IPMI Device decoy.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port.

  • FTP banner is user-defined.

IPMI service

  • Enable this service to capture attacks through IPMI on the default IPMI port.

KAMSTRUP 382 decoy

Service

Description

KAMSTRUP service

  • Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device

  • To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available

Liebert Spruce UPS decoy

Service

Description

TFTP

Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Liebert Spruce UPS decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Niagara4 Station decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for IPMI Device decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

BACNET

Enable this service to capture attacks through BACNET on the default BACNET port.

NiagaraAX Station decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for IPMI Device decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

BACNET

Enable this service to capture attacks through BACNET on the default BACNET port.

PowerLogic ION7650 decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for PowerLogic ION7650 decoy.

MODBUS

Enable this service to capture attacks through MODBUS on the default MODBUS port.

DNP3

Enable this service to capture attacks through DNP3 on the default DNP3 port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L16ER/B LOGIX5316ER decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Rockwell 1769-L16ER/B LOGIX5316ER decoy.

ENIP

Enable this service to capture attacks through ENIP on the default ENIP port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L35E Ethernet Port decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Rockwell 1769-L35E Ethernet Port decoy.

ENIP

Enable this service to capture attacks through ENIP on the default ENIP port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell PLC decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

  • HTTP page title is user-defined.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens Rockwell PLC decoy.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

  • ENIP serial number is user-defined.

GE PLC decoy

Service

Description

HTTP service
  • Enable this service to capture attacks through HTTP on the default HTTP port.
  • HTTP page title is user defined.
TFTP service
  • Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service
  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for GE PLC decoy.
ENIP service
  • Enable this service to capture attacks through ENIP on the default ENIP port.
  • ENIP serial number is user-defined.

Schneider EcoStruxure BMS server decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider EcoStruxure BMS server decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

TRICONEX service

  • Enable this service to capture attacks with the TRICONEX service.

MOXA NPORT 5110 decoy

Service

Description

SNMP service
  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for MOXA NPORT 5110 decoy.
Telnet service
  • Login-required telnet service that simulates the MOXA NPORT 5110 command-line environment.
  • Two command choices: 1 and 2
HTTP service
  • Enable this service to capture attacks through HTTP on the default HTTP port.
MOXA service

Schneider Power Meter - PM5560 decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network

  • Community name is user-defined.

  • SNMP response is customized for Schneider Power Meter - PM5560 decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

HTTP service

  • Enable this service to capture attacks through HTTP on default HTTP port.

DNP3 service

  • Enable this service to capture attacks through DNP3 on the default DNP3 port.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

Schneider SCADAPack 333E decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider SCADAPack 333E decoy.

DNP3 service

  • Enable this service to capture attacks through DNP3.

Telnet service

  • Login-required telnet service simulates SCADAPack E Smart RTU command line environment.

Siemens S7-200 PLC decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

  • HTTP page title is user defined.

  • Plant Identification is user-defined.

  • Serial Number is user-defined.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-200 PLC decoy.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

S7COMM service

  • Enable this service to capture attacks through S7COMM on the default S7COMM port.

  • Module Type is user-defined.

  • PLC Name is user-defined.

Siemens S7-300 PLC decoy

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-300 PLC decoy.

IEC104 service

  • Enable this service to capture attacks through IEC104 on the default IEC104 port.

Siemens S7-1500 PLC decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.
  • HTTP page title is user-defined.
  • Plant Identification is user-defined.
  • Serial Number is user-defined.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

IEC104 service

  • Enable this service to capture attacks through IEC104 on the default IEC104 port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Siemens S7-1500 PLC decoy.

S7COMM service

  • Enable this service to capture attacks through S7COMM on the default S7COMM port.
  • Module Type is user-defined.
  • PLC Name is user-defined.

PROFINET service

  • Enable this service to capture attacks through PROFINET.

Phoenix contact AXC 1050 decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.
  • HTTP page title is user-defined.
  • Plant Identification is user-defined.
  • Serial Number is user-defined.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Phoenix contact AXC 1050 decoy.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port.
  • FTP banner is user-defined.
  • Anonymous Access can be enabled, which lets users enter "anonymous" as a user ID and eliminates the need to authenticate themselves.

PROFINET service

  • Enable this service to capture attacks through PROFINET.

VAV-DD BACNET controller decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for VAV-DD BACNET controller decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

C-More HMI decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

HTTPS service

  • Enable this service to capture attacks through HTTPS on the default HTTPS port.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port. FTP banner is user-defined.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.

Modicon M580 decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

Modicon M241 decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

Emerson iPro by Dixell decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.

Lantronix XPORT V1.8/2.0 decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

Lantronix Discovery Protocol service

  • This protocol allows the discovery of Lantronix devices using the Lantronix discovery protocol.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.

VOIP V1 OS

MQTT decoy

Service

Description

MQTT WEB
  • Enable this service to capture attacks through MQTT WEB on the default MQTT WEB port.
  • Supports custom listening port. Default port is 18083.
  • Supports adding User/Password.
CoAP
  • Enable this service to capture attacks through CoAP on the default CoAP port.
  • Downloading libcoap from GitHub is required. Go to https://github.com/miri64/libcoap and follow the libcoap command rules.

SIP decoy

Service

Description

SIP
  • Enable this service to capture attacks.

  • SIP port can be adjusted.
  • Supports adding User/Password.
  • Users can connect to the SIP server from a SIP client (such as Linphone) through UDP or TCP, register an account, and exchange text messages, voice calls, and video calls with each other.

XMPP decoy

Service

Description

XMPP WEB
  • Enable this service to capture attacks through XMPP WEB.

  • Listening port can be adjusted
  • Supports custom listening port (default port is 5280).
  • Supports adding User/Password.
  • Can be reached through HTTP.

4G/5G 3GPP decoy

Service

Description

NextEPC WEB

  • Enable this service to capture attacks through NextEPC WEB on the default port.
  • Supports adding User/Password.

SCTP & GTP-C

  • Enable this service to capture attacks through Stream Control Transmission Protocol (SCTP) and GTP-C.

GTP-U

  • Enable the service to capture attacks through GTP-U.

The current FortiDeceptor IP address capacities are:
  • A single EOL can host up to 16 deception VMs.
  • A single FDCIKG can host up to 20 deception VMs.
  • A single FDCVMS can host up to 20 deception VMs.
  • A single deception VM supports up to 24 IP addresses or decoys. Each IP represents a decoy.
  • A single FortiDeceptor appliance (HW/VM) can support up to 480 IP addresses.
  • A single FortiDeceptor appliance (HW/VM) can support up to 128 segments (VLANS).
VPN only supports 8 IPs.

Cisco Decoy only supports 1 VLAN.

Decoy services details

CentOS

centosv1 Decoy

Service

Description

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

SAMBA

  • Enable this service to capture attacks through SMB on the default SMB port.

HTTP

  • Enable this service to capture attacks through HTTP on the default HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the default HTTPS port.

GIT

  • HTTP port can be adjusted.
  • HTTPS port can be adjusted.
  • GIT Users are user-defined.
  • Git Repository Import is optional.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

ICMP

  • Enable this service to capture ping/attacks through ICMP.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

RADIUS

  • Enable this service to capture attacks through RADIUS.
  • Authentication port can be adjusted.
  • Accounting port can be adjusted.

EV2023

EV-CPO Decoy

Service

Description

HTTP
  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS
  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

FortiGate

fgt601v1 Decoy

(FGT-60E/FGT-100F/FGT-1500D/FGT-2000E/FGT-3700D)

Service

Description

SSLVPN

  • Enable this service to capture attacks through SSLVPN on the user-defined port.

fgt601v2 Decoy

(FGT-60F/FGT-100F/FGT-1500D/FGT-2000E/FGT-3700D/ FGT-60F-DMZ/FGT-100F-DMZ/FGT-1500D-DMZ/FGT-2000E-DMZ/FGT-3700D-DMZ)

Service

Description

SSLVPN

  • Enable this service to capture attacks through SSLVPN on the user-defined port.

Ubuntu

ESXI Decoy (Ubuntu16v2)

Service

Description

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Elastic Search (Ubuntu16v2)

Service

Description

Elastic Search

  • ES port can be adjusted, and the user-defined port will be used for HTTP REST API calls to interact with the Elasticsearch cluster.
  • ES node name defines a unique identifier for the node created by default within the cluster. The decoy hostname is used if this field is empty.
  • ES cluster name is required to set up the decoy.

Linux Decoy (Ubuntu16v2)

Service

Description

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

SAMBA

  • Enable this service to capture attacks through SMB on the default SMB port.

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

GIT

  • HTTP port can be adjusted.
  • HTTPS port can be adjusted.
  • GIT Users are user-defined.
  • Git Repository Import is optional.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

RADIUS

  • Enable this service to capture attacks through RADIUS.
  • Authentication port can be adjusted.
  • Accounting port can be adjusted.
  • Secret Password is user-defined.

VNC

  • Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

Mac Decoy (Ubuntu16v2)

Service

Description

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

VNC

  • Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

Citrix ADC Decoy (Ubuntu18v1)

Service

Description

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Application Delivery Management Decoy (Ubuntu18v1)

Service

Description

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Endpoint Management Decoy (Ubuntu18v1)

Service

Description

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Receiver Decoy (Ubuntu18v1)

Service

Description

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

ESXI Decoy (Ubuntu18v1)

Service

Description

SSH

Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.

SSH banner is user-defined.

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Elastic Search (Ubuntu18v1)

Service

Description

Elastic Search

  • ES port can be adjusted, and the user-defined port will be used for HTTP REST API calls to interact with the Elasticsearch cluster.
  • ES node name defines a unique identifier for the node created by default within the cluster. The decoy hostname is used if this field is empty.
  • ES cluster name is required to set up the decoy.

Linux Decoy (Ubuntu18v1)

Service

Description

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

SAMBA

  • Enable this service to capture attacks through SMB on the default SMB port.

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

GIT

  • HTTP port can be adjusted.
  • HTTPS port can be adjusted.
  • GIT Users are user-defined.
  • Git Repository Import is optional.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

RADIUS

  • Enable this service to capture attacks through RADIUS.
  • Authentication port can be adjusted.
  • Accounting port can be adjusted.
  • Secret Password is user-defined.

VNC

  • Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

MySql MariaDB Decoy (Ubuntu18v1)

Service

Description

MariaDB

  • Enable this service to open the user-defined port on the decoy VM and respond to MySQL database requests within the network.
  • Database name must match the name of the database in the uploaded SQL schema.
  • Database content requires a SQL schema file for organizing database objects, providing a structured way to manage data and the relationships between different objects within the database system.

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

Nginx Decoy (Ubuntu18v1)

Service

Description

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

ScadaBR Decoy (Ubuntu18v1)

Service

Description

ScadaBR

  • Enable this service to capture attacks through ScadaBR web access on the user-defined HTTP port.

Tomcat Decoy (Ubuntu18v1)

Service

Description

TOMCAT (HTTP)

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

TOMCAT (HTTPS)

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

SSH

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

Webmin Decoy (Ubuntu18v1)

Service

Description

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Windows

Windows 7 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service).
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

Windows 10 Decoy

Service Description
RDP
  • Enable this service to capture attacks through RDP on the default RDP port.
SMB
  • Enable this service to capture attacks through SMB on the default SMB port.
SMTP
  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener
  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.
NBNSSpoofSpotter
  • Enable this service to capture attacks through NBNS (NetBIOS Name Service).
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP
  • Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2
  • Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
  • MT file import is mandatory.
FTP
  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

Windows 10ltsc2021v1 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service).
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

Customized Windows

Customized Windows 10 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.
  • Enable Allow domain user to access RDP to allow Active Directory (AD) users to access the RDP service.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.
  • Enable Allow domain user to access SMB to allow Active Directory (AD) users to access the SMB service.

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of the database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on the Deception Token of this decoy.
  • DSN name is user-defined (after enabling ODBC lure).
  • DSN Description is user-defined (after enabling ODBC lure).

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service).
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

Windows 11 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.
  • Enable Allow domain user to access RDP to allow Active Directory (AD) users to access the RDP service.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.
  • Enable Allow domain user to access SMB to allow Active Directory (AD) users to access the SMB service.

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of the database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on the Deception Token of this decoy.
  • DSN name is user-defined (after enabling ODBC lure).
  • DSN Description is user-defined (after enabling ODBC lure).

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service).
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

Customized Windows Server 2016 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.
  • Enable Allow domain user to access RDP to allow Active Directory (AD) users to access the RDP service.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.
  • Enable Allow domain user to access SMB to allow Active Directory (AD) users to access the SMB service.

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of the database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on the Deception Token of this decoy.
  • DSN name is user-defined (after enabling ODBC lure).
  • DSN Description is user-defined (after enabling ODBC lure).

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service).
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

Customized Windows Server 2019 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.
  • Enable Allow domain user to access RDP to allow Active Directory (AD) users to access the RDP service.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.
  • Enable Allow domain user to access SMB to allow Active Directory (AD) users to access the SMB service.

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of the database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on the Deception Token of this decoy.
  • DSN name is user-defined (after enabling ODBC lure).
  • DSN Description is user-defined (after enabling ODBC lure).

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service).
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on deployed Windows decoy
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

Customized Windows Server 2022 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.
  • Enable Allow domain user to access RDP to allow Active Directory (AD) users to access the RDP service.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.
  • Enable Allow domain user to access SMB to allow Active Directory (AD) users to access the SMB service.

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of the database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on the Deception Token of this decoy.
  • DSN name is user-defined (after enabling ODBC lure).
  • DSN Description is user-defined (after enabling ODBC lure).

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service).
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on deployed Windows decoy.
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

Customized French Windows 10 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.
  • Enable Allow domain user to access RDP to allow Active Directory (AD) users to access the RDP service.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.
  • Enable Allow domain user to access SMB to allow Active Directory (AD) users to access the SMB service.

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of the database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on the Deception Token of this decoy.
  • DSN name is user-defined (after enabling ODBC lure).
  • DSN Description is user-defined (after enabling ODBC lure).

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service).
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on deployed Windows decoy
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

Customized French Windows Server 2016 Decoy

Service

Description

RDP

  • Enable this service to capture attacks through RDP on the default RDP port.
  • Enable Allow domain user to access RDP to allow Active Directory (AD) users to access the RDP service.

SMB

  • Enable this service to capture attacks through SMB on the default SMB port.
  • Enable Allow domain user to access SMB to allow Active Directory (AD) users to access the SMB service.

MSSQL

  • Enable this service to capture attacks through MSSQL (Microsoft SQL Server).
  • Listening port can be adjusted.
  • MSSQL Database is user-defined but needs to match the name of the database in the uploaded SQL schema.
  • SQL Database Content import is mandatory.
  • Enable ODBC Lure to allow ODBC Lure on the Deception Token of this decoy.
  • DSN name is user-defined (after enabling ODBC lure).
  • DSN Description is user-defined (after enabling ODBC lure).

HTTP

  • Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

  • Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

SMTP

  • Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
  • Listening port can be adjusted.
  • SMTP Domain is user-defined.
  • SMTP Banner is user-defined.
  • Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.
  • Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

TCPListener

  • Enable this service to capture the port scan attacks on the defined ports.
  • TCP banner is user-defined.

NBNSSpoofSpotter

  • Enable this service to capture attacks through NBNS (NetBIOS Name Service).
  • NBNS Username is user-defined.
  • NBNS Password is user-defined.
  • NBNS Domain is user-defined. (Not mandatory)
  • NBNS Hostname is user-defined.
  • Enable NBNS User Hostname for Query to use the above NBNS hostname for the query directly; if NBNS User Hostname is disabled, the system generates fake hostnames based on the provided string.
  • NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.

ICMP

  • Enable this service to capture ping/traceroute attacks through ICMP.

SWIFT Lite2

  • Enable this service to activate SWIFT Lite2 on deployed Windows decoy
  • MT file import is mandatory.

FTP

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.
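
The MariaDB and MSSQL decoy settings above both require the configured database name to match the database named in the uploaded SQL schema. The following pre-upload check is an added example, not Fortinet code: it assumes the schema file names its database in a CREATE DATABASE or USE statement, and the function names, dialect labels and sample dumps are constructed for illustration.

```python
import re

# Constructed sample inputs (not real dumps).
MARIADB_SAMPLE = r"""
-- constructed dump; the apostrophe in "don't" must not open a string
/*!40101 SET NAMES utf8mb4 */;
CREATE DATABASE /*!32312 IF NOT EXISTS*/ `hr_portal` /*!40100 DEFAULT CHARACTER SET utf8mb4 */;
USE `hr_portal`;
CREATE TABLE `notes` (`id` int, `body` text);
INSERT INTO `notes` VALUES (1,'rotate; USE staging -- it\'s faster');
"""

MSSQL_SAMPLE = r"""
/* constructed MSSQL script */
CREATE DATABASE [FinanceDB];
GO
USE [FinanceDB];
GO
CREATE TABLE dbo.paths (p nvarchar(260));
INSERT INTO dbo.paths VALUES ('D:\exports\');
"""

# String literals and comments are removed in ONE left-to-right pass, so a
# quote inside a comment or a "--" inside a string cannot confuse the scan.
_COMMENTS = r"--[^\n]*|/\*.*?\*/"
_SKIP = {
    # MariaDB/MySQL: backslash escapes are honoured inside '...'
    "mariadb": re.compile(r"'(?:[^'\\]|\\.|'')*'|" + _COMMENTS, re.DOTALL),
    # MSSQL: backslash is an ordinary character, only '' escapes a quote
    "mssql": re.compile(r"'(?:[^']|'')*'|" + _COMMENTS, re.DOTALL),
}

# Identifier forms: `name`, [name], "name", or a bare word.
_IDENT = r'(?:`([^`]+)`|\[([^\]]+)\]|"([^"]+)"|([A-Za-z_][\w$]*))'

# Only statements at the start of a line or after ';' are considered.
_STMT = re.compile(
    r"(?:^|;)[ \t]*(?:CREATE\s+DATABASE(?:\s+IF\s+NOT\s+EXISTS)?|USE)\s+" + _IDENT,
    re.IGNORECASE | re.MULTILINE,
)


def declared_databases(schema_sql, dialect="mariadb"):
    """Return database names declared by CREATE DATABASE / USE, in file order."""
    cleaned = _SKIP[dialect].sub(" ", schema_sql)
    names = []
    for match in _STMT.finditer(cleaned):
        name = next(group for group in match.groups() if group)
        if name not in names:
            names.append(name)
    return names


def check_database_name(configured, schema_sql, dialect="mariadb"):
    """Compare the name typed into the decoy form with the schema file.

    Returns (status, names) where status is one of:
      "match"          exact name found in the schema
      "case-mismatch"  found only when ignoring case (fix before uploading)
      "mismatch"       schema declares other databases only
      "undeclared"     schema has no CREATE DATABASE / USE statement
    """
    names = declared_databases(schema_sql, dialect)
    if not names:
        return "undeclared", names
    if configured in names:
        return "match", names
    if configured.lower() in (n.lower() for n in names):
        return "case-mismatch", names
    return "mismatch", names


if __name__ == "__main__":
    for label, name, sql, dialect in [
        ("MariaDB decoy", "hr_portal", MARIADB_SAMPLE, "mariadb"),
        ("MariaDB decoy", "HR_Portal", MARIADB_SAMPLE, "mariadb"),
        ("MSSQL decoy", "FinanceDB", MSSQL_SAMPLE, "mssql"),
    ]:
        status, found = check_database_name(name, sql, dialect)
        print(f"{label}: configured={name!r} schema={found} -> {status}")
```

An exact comparison is used because the page does not say whether the match is case-sensitive; a "case-mismatch" result is therefore reported separately so it can be corrected before deployment.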

IoT OS

Brother MFC Printer Decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Brother MFC Printer decoy.

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Brother NC-340h printer.

Cisco Router Decoy

Service

Description

Models*

4 Cisco images (models) are supported: 2691, 3660, 3725 and 3745.

An error is displayed if you upload an image that is not supported.

Router Running-Config (optional)

Allows you to upload a customized Cisco config file to predefine the Cisco router settings.

Telnet service

A login-required service that enables attackers to utilize all Cisco router functions.

HTTP service

A login-required GUI service similar to the telnet service but with less functionality.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Cisco router decoy.

CDP service

Enable this service to allow the decoy VM to send CDP traffic within the network.

*Please provide Cisco IOS software to run the Cisco decoy. You can copy the IOS from any Cisco router/switch flash by using a TFTP server and running the copy flash tftp: command on the Cisco router/switch side, and then complete the deployment wizard.

HP Printer Decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for HP printer decoy.

Jetdirect

  • Enable this service to open port 9100 on the decoy VM, and respond to PJL (Printer Job Language) requests.

Printer-WEB

  • A web GUI that simulates the administration GUI of HP Officejet Pro X451dw printer.

IP Camera Decoy

Service

Description

IP Camera-WEB

  • A login-required service that displays videos to simulate IP cameras. Default videos are available. However, we strongly recommend uploading 1-8 .mp4 videos that fit best with the working environment.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for IP camera decoy.

UPnP service

  • Enable this service to open port 8080 on the decoy VM and simulate UPnP service.
  • A UPnP message is broadcast within the network. The message contains a URL from which the attacker can download a .xml file showing device information.

RTSP service

  • When this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video.

  • The RTSP port can be adjusted.

  • To upload the video, you can use ffmpeg, or any other method that loops the video infinitely, so that it is available to the attacker.

Example:

To infinitely loop a video:

sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose}

From the attacker's perspective, the live camera stream is available at rtsp://{ip}:{port}/{name_you_choose}

Lexmark Printer Decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Lexmark Printer decoy.

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Lexmark MX410de printer.

TP-LINK Router Decoy

Service

Description

TP-LINK WEB

Enable this service to allow attackers to log in to a fake TP-Link settings site.

CWMP

Enable this service to send data using the CWMP protocol to {ip}:{port}/cpe.

HP Switch Decoy

Service

Description

SNMP

Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

Community name is user-defined.

SNMP response is customized for HP switch decoy.

Telnet service

A login-required service.

CDP

Enable this service to allow the decoy VM to send CDP traffic within the network.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

MikroTik Router Decoy

Service

Description

SNMP

Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

Community name is user-defined.

SNMP response is customized for MikroTik router decoy.

Telnet service

A login-required service that enables attackers to utilize all MikroTik router functions.

CDP

Enable this service to allow the decoy VM to send CDP traffic within the network.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

SWIFT VPN Gateway decoy

Service

Description

Telnet service

A login-required service.

HTTPS

Enable this service to capture attacks through HTTPS on the default HTTPS port.

Medical

PACS Decoy

Service

Description

Infusion Pump (Telnet) service

  • Simulates Infusion Pump (telnet).

  • A username/password is required to log in.

Infusion Pump (FTP)

  • Simulates Infusion Pump (FTP).

  • A username/password is required to log in.

PACS service

  • A user-defined name for the PACS system.

PACS-WEB service

  • Login-required web GUI for PACS, with existing medical data.

  • Port can be adjusted.

DICOM Server service

  • Server port can be adjusted.

  • Server name can be adjusted.

  • DICOM operations (e.g. C-STORE, C-FIND) are supported.

Infusomat Decoy

Service

Description

HTTP service

Enable this service to capture attacks through HTTP on the default HTTP port.

HTTPS service

Enable this service to capture attacks through HTTPS on the default HTTPS port.

CAN Bus Protocol

Enable this service to capture attacks through TCP on the default TCP port (1500).

B.BRAUN

Enable this service to capture attacks through HTTP port 8080.

Spacecom Decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

HTTPS service

  • Enable this service to capture attacks through HTTPS on the default HTTPS port.

FTP service

  • Enable this service to capture attacks through FTP on the user-defined FTP port.
  • FTP banner is user-defined.
  • Enable Anonymous Access to allow file access through FTP without needing specific user credentials.

CAN Bus Protocol

  • Enable this service to capture attacks through TCP on the default TCP port (1500).

SSH Service

  • Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
  • SSH banner is user-defined.

POS

Service

Description

POS-WEB service

  • Login-required web GUI that simulates a POS website.

  • Port can be adjusted.

CRM(ERP)

Service

Description

ERP-WEB service

  • Login-required web GUI that simulates an ERP website.

  • Port can be adjusted.

SAP

Service

Description

SAP ROUTER

  • Enable SAP ROUTER Service so SAP Logon can configure the SAProuter String.
  • Use the default port to ensure SAP Logon can connect.

SAP DISPATCHER

  • Enable SAP DISPATCHER so SAP Logon can get responses from the SAP decoy.
  • Use the default port to ensure SAP Logon can connect.

SAP WEB

A fake SAP HTTP and HTTPS GUI for SAP Fiori Launchpad or Legacy WebGUI.

SCADA (version3) OS

Ascent Compass MNG decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port.

  • FTP banner is user-defined.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Ascent Compass MNG decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

Guardian-AST decoy

Service

Description

Guardian-AST service

  • Enable this service to simulate an AST’s satellite communications remote asset tracking system named Guardian.

  • To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available.

IPMI Device decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for IPMI Device decoy.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port.

  • FTP banner is user-defined.

IPMI service

  • Enable this service to capture attacks through IPMI on the default IPMI port.

KAMSTRUP 382 decoy

Service

Description

KAMSTRUP service

  • Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device.

  • To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available.

Liebert Spruce UPS decoy

Service

Description

TFTP

Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Liebert Spruce UPS decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Niagara4 Station decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for IPMI Device decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

BACNET

Enable this service to capture attacks through BACNET on the default BACNET port.

NiagaraAX Station decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for IPMI Device decoy.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

BACNET

Enable this service to capture attacks through BACNET on the default BACNET port.

PowerLogic ION7650 decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for PowerLogic ION7650 decoy.

MODBUS

Enable this service to capture attacks through MODBUS on the default MODBUS port.

DNP3

Enable this service to capture attacks through DNP3 on the default DNP3 port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L16ER/B LOGIX5316ER decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Rockwell 1769-L16ER/B LOGIX5316ER decoy.

ENIP

Enable this service to capture attacks through ENIP on the default ENIP port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L35E Ethernet Port decoy

Service

Description

SNMP

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for Rockwell 1769-L35E Ethernet Port decoy.

ENIP

Enable this service to capture attacks through ENIP on the default ENIP port.

HTTP

Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell PLC decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

  • HTTP page title is user-defined.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens Rockwell PLC decoy.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

  • ENIP serial number is user-defined.

GE PLC decoy

Service

Description

HTTP service
  • Enable this service to capture attacks through HTTP on the default HTTP port.
  • HTTP page title is user-defined.
TFTP service
  • Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service
  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for GE PLC decoy.
ENIP service
  • Enable this service to capture attacks through ENIP on the default ENIP port.
  • ENIP serial number is user-defined.

Schneider EcoStruxure BMS server decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider EcoStruxure BMS server decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

TRICONEX service

  • Enable this service to capture attacks with the TRICONEX service.

MOXA NPORT 5110 decoy

Service

Description

SNMP service
  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.
  • SNMP response is customized for MOXA NPORT 5110 decoy.
Telnet service
  • Login-required telnet service that simulates the MOXA NPORT 5110 command-line environment.
  • Two command choices: 1 and 2.
HTTP service
  • Enable this service to capture attacks through HTTP on the default HTTP port.
MOXA service

Schneider Power Meter - PM5560 decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider Power Meter - PM5560 decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

DNP3 service

  • Enable this service to capture attacks through DNP3 on the default DNP3 port.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

Schneider SCADAPack 333E decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Schneider SCADAPack 333E decoy.

DNP3 service

  • Enable this service to capture attacks through DNP3.

Telnet service

  • Login-required telnet service that simulates the SCADAPack E Smart RTU command-line environment.

Siemens S7-200 PLC decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

  • HTTP page title is user-defined.

  • Plant Identification is user-defined.

  • Serial Number is user-defined.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-200 PLC decoy.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

S7COMM service

  • Enable this service to capture attacks through S7COMM on the default S7COMM port.

  • Module Type is user-defined.

  • PLC Name is user-defined.

Siemens S7-300 PLC decoy

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-300 PLC decoy.

IEC104 service

  • Enable this service to capture attacks through IEC104 on the default IEC104 port.

Siemens S7-1500 PLC decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

  • HTTP page title is user-defined.

  • Plant Identification is user-defined.

  • Serial Number is user-defined.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

IEC104 service

  • Enable this service to capture attacks through IEC104 on the default IEC104 port.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Siemens S7-1500 PLC decoy.

S7COMM service

  • Enable this service to capture attacks through S7COMM on the default S7COMM port.

  • Module Type is user-defined.

  • PLC Name is user-defined.

PROFINET service

  • Enable this service to capture attacks through PROFINET.

Phoenix contact AXC 1050 decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

  • HTTP page title is user-defined.

  • Plant Identification is user-defined.

  • Serial Number is user-defined.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for Phoenix contact AXC 1050 decoy.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port.

  • FTP banner is user-defined.

  • Anonymous Access can be enabled, which lets users enter "anonymous" as a user ID and eliminates the need to authenticate themselves.

PROFINET service

  • Enable this service to capture attacks through PROFINET.

VAV-DD BACNET controller decoy

Service

Description

SNMP service

  • Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network.

  • Community name is user-defined.

  • SNMP response is customized for VAV-DD BACNET controller decoy.

BACNET service

  • Enable this service to capture attacks through BACNET on the default BACNET port.

C-More HMI decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

HTTPS service

  • Enable this service to capture attacks through HTTPS on the default HTTPS port.

FTP service

  • Enable this service to capture attacks through FTP on the default FTP port. FTP banner is user-defined.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.

Modicon M580 decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

Modicon M241 decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

TFTP service

  • Enable this service to capture attacks through TFTP on the default TFTP port.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.

ENIP service

  • Enable this service to capture attacks through ENIP on the default ENIP port.

Emerson iPro by Dixell decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

MODBUS service

  • Enable this service to capture attacks through MODBUS on the default MODBUS port.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.

Lantronix XPORT V1.8/2.0 decoy

Service

Description

HTTP service

  • Enable this service to capture attacks through HTTP on the default HTTP port.

Lantronix Discovery Protocol service

  • This protocol allows the discovery of Lantronix devices using the Lantronix discovery protocol.

SNMP service

  • Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network.
  • Community name is user-defined.

VOIP V1 OS

MQTT decoy

Service

Description

MQTT WEB
  • Enable this service to capture attacks through MQTT WEB on the default MQTT WEB port.
  • Supports custom listening port. Default port is 18083.
  • Supports adding User/Password.
CoAP
  • Enable this service to capture attacks through CoAP on the default CoAP port.
  • Downloading libcoap from GitHub is required. Go to https://github.com/miri64/libcoap and follow the libcoap command rules.

SIP decoy

Service

Description

SIP
  • Enable this service to capture attacks.

  • SIP port can be adjusted.
  • Supports adding User/Password.
  • Users can connect to the SIP server from a SIP client (such as Linphone) over UDP or TCP to register an account and to exchange text messages, voice calls, and video calls with each other.

XMPP decoy

Service

Description

XMPP WEB
  • Enable this service to capture attacks through XMPP WEB.

  • Listening port can be adjusted.
  • Supports custom listening port (default port is 5280).
  • Supports adding User/Password.
  • Can be reached through HTTP.

4G/5G 3GPP decoy

Service

Description

NextEPC WEB

  • Enable this service to capture attacks through NextEPC WEB on the default port.
  • Supports adding User/Password.

SCTP & GTP-C

  • Enable this service to capture attacks through Stream Control Transmission Protocol (SCTP) and GTP-C.

GTP-U

  • Enable the service to capture attacks through GTP-U.