Debian 11, Red Hat 7.9, Red Hat 8, Red Hat 9, Ubuntu20.04 Server

Windows 10, Windows 11 version 23H2, Windows Server 2016, Windows Server 2019, Windows Server 2022, French Windows 10, French Windows Server 2016. For detailed information, see Custom Decoy Image

NOTE: Windows 11 version 24H2 is not supported.

SCADA version 3, Medical OS, IoT OS, and VoIP version1.

Ubuntu Desktop, CentOS, ESXi server, FV-CPO

Fortinet SSL-VPN (FG-60F, FG-100F, FG-1500D, FG-2000E, FG-3700D)

HTTP, HTTPS, GIT, SAMBA, SSH, SMTP, TCPListener, FTP, RADIUS, ICMP

RDP, SMB, NBNSSpoofSpotter, MSSQL, IIS (HTTP/HTTPS), ICMP, TCPListener, SMTP, SWIFT Lite2 and FTP

HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, ENIP, Kamstrup, DNP3, Telnet, PACS-WEB, PACS, DICOM server, Infusion Pump (TELNET), Infusion Pump (FTP), POS-WEB, ERP-WEP, GUARDIAN-AST, IEC104, Jetdirect, Printer-WEB, IP Camera-WEB, UPnP, RTSP, CDP, TP-link WEB, CWMP, SAP DISPATCHER, SAP WEB, MOXA, MQTT WEB, CoAP, SIP, and XMPP WEB

SSH, SAMBA, TCPListener, HTTP, HTTPS, GIT, ICMP and FTP

HTTPS

Enable this service to capture attacks through BACNET on the default BACNET port.

Enable this service to allow the decoy VM to send CDP traffic within the network.

• Enable this to service capture attacks through CoAP on the default CoAP port.
• Download libcoap from GitHub is required. Go to https://github.com/miri64/libcoap and follow the command libcoap command rule.

Enable this service to send data using CWMP protocol to {ip}:{port}/cpe.

• Server port can be adjusted

• Server name can be adjusted

• DICOM operations (e.g. C-STORE, C-FIND) are supported

Enable this service to capture attacks through DNP3 on the default DNP3 port.

• ES port can be adjusted, and the user-defined port will be used for HTTP REST API calls to interact with the Elasticsearch cluster.
• ES node name is to define a unique identifier for the default created node with in the Cluster. Decoy hostname will be used if empty.
• ES cluster name is required to setup the decoy.

• Enable this service to capture attack through ENIP on the default ENIP port.

• ENIP serial number is user-defined.

• Login-required web GUI simulates ERP website

• Port can be adjusted

• Enable this service to capture attacks through FTP on the default FTP port.

• FTP port can be adjusted.

• FTP banner is user-defined.

• Enable Anonymous Access to allow files access through FTP without needing specific user credentials

• HTTP port can be adjusted.
• HTTPS port can be adjusted.
• GIT Users are user-defined.
• Git Repository Import is optional.

• Enable this service to simulate an AST’s satellite communications remote asset tracking system named Guardian.

• To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available

• Enable the service to capture attacks through GTP-U.

• Enable this service to capture attacks through HTTP on the default HTTP port.

• Serial Number is user-defined.

• Enable this service to capture attacks through HTTPS on the default HTTPS port.

• Enable this service to capture ping/attacks through ICMP.

• Simulates Infusion Pump (FTP)

• A username/password is required to login.

• Simulates Infusion Pump (telnet)

• A username/password is required to login.

• Simulates Infusion Pump (telnet)

• A username/password is required to login.

• A login-required service that displays videos to simulate IP cameras. Default videos are available. However, we strongly recommend uploading 1-8 .mp4 videos that fit best with the working environment.

• Enable this service to capture attack through IPMI on the default IPMI port.

• Enable this service to open port 9100 on the decoy VM, and respond to PJL (Printer Job Language) requests.

• Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device

• To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available

• This protocol allows the discovery of Lantronix devices using the Lantronix discovery protocol.

• Enable this service to open the user defined port on the decoy VM and respond to MySQL database requests within the network.
• Database name must match the name of database in the uploaded SQL schema.
• Database content requires a SQL schema file for organizing database objects, providing a structured way to manage data and the relationships between different objects within the database system.

Enable this service to capture attacks through MODBUS on the default MODBUS port.

• Download MOXA script from GitHub is required (https://github.com/Z-0ne/MoxaNportScan)

• Enable this service to capture attacks through MQTT WEB on the default MQTT WEB port.
• Supports custom listening port. Default port is 18083.
• Supports adding User/Password.

• Enable this service to capture attacks through NBNS (NetBIOS Name Service)
• NBNS Username is user-defined.
• NBNS Password is user-defined.
• NBNS Domain is user-defined. (Not mandatory)
• NBNS Hostname is user-defined.

• Enable NBNS User Hostname: This allows the system to directly query the specified NBNS hostname.

• Disable NBNS User Hostname: The system will generate fake hostnames based on the provided string.

• NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.

• A user-defined name for the PACS system.

• Login-required web GUI for PACS, with existing medical data

• Port can be adjusted

• Login-required web GUI simulate POS website

• Port can be adjusted

A web GUI that simulates the administration GUI of Lexmark MX410de printer.

centosv1 Decoy

• Enable this service to capture attacks through RADIUS.
• Authentication port can be adjusted.
• Accouting port can be adjusted.
• FTP banner is user-defined.
• Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Linux Decoy (Ubuntu16v2)

• Enable this service to capture attacks through RADIUS.
• Authentication port can be adjusted.
• Accounting port can be adjusted.
• Secret Password is user-defined.

• Enable this service to capture attacks through RDP on the default RDP port.

Customized Windows Decoys:

• Enable this service to capture attacks through RDP on the default RDP port.
• Automatically enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service,if the customized windows decoys have joined Active Directory (AD) domain during customization, and input AD user when deploy decoy.
• Automatically enable Anti Deception Detection feature to allow AD lure users to dynamically login to AD Domain Server daily, if the customized windows decoys have joined Active Directory (AD) domain during customization, and input AD user when deploy decoy.

Allows you to upload a customized Cisco config file to predefine the Cisco router setting

• When this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video.

• The RTSP port can be adjusted.

• To upload the video, you can use ffmpeg, or any other method to infinitely loop a video so it is available to the attacker

Example:

To infinitely loop a video:sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose};

From the attacker perspective, the live camera stream is available at rtsp://{ip}:{port}/{name_you_choose}

• Enable this service to capture attacks through S7COMM on the default S7COMM port.

• Module Type is user-defined.

• PLC Name is user-defined.

Enable this service to capture attacks through SMB on the default SMB port.

• Enable SAP DISPATCHER so SAP Logon can get responses from the SAP decoy.
• Use the default port to ensure SAP Logon can connect.

• Enable SAP ROUTER Service so SAP Logon can configure the SAProuter String.
• Use the default port to ensure SAP Logon can connect.

A fake SAP HTTP and HTTPS GUI for SAP Fiori Launchpad or Legacy WebGUI.

• Enable this service to capture attacks through MQTT WEB on the default SIP port.
• Supports adding User/Password.
• Users can connect to the SIP server from SIP client service (like Linphone) through UDP or TCP, and register an account, text message, voice call, and video call each other.

• Enable this service to capture attacks through SMB on the default SMB port.

Customized Windows Decoys:

• Enable this service to capture attacks through RDP on the default RDP port.
• Automatically enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service,if the customized windows decoys have joined Active Directory (AD) domain during customization, and input AD user when deploy decoy.
• Automatically enable Anti Deception Detection feature to allow AD lure users to dynamically login to AD Domain Server daily, if the customized windows decoys have joined Active Directory (AD) domain during customization, and input AD user when deploy decoy.

• Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol).
• Listening port can be adjusted.
• SMTP Domain is user-defined.
• SMTP Banner is user-defined.
• Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service.

• Secure SMTP listening port can be adjusted.

• Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.

• Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network.
• Community name is user-defined.
• SNMP response is customized for:
  • Brother MFC Printer decoy
  • Cisco router decoy
  • GE PLC decoy
  • HP printer decoy
  • HP switch decoy
    
  • IP camera decoy
  • IPMI Device decoy
  • IPMI Device decoy
  • Lexmark Printer decoy
  • Liebert Spruce UPS decoy
  • moxa nport 5110 decoy
  • Phoenix contact AXC 1050 decoy
  • PowerLogic ION7650 decoy
  • Rockwell 1769-L35E Ethernet Port decoy
  • Schneider Power Meter - PM5560 decoy
  • Schneider SCADAPack 333E decoy
  • Siemens Rockwell PLC decoy
  • Siemens S7-200 PLC decoy
  • Siemens S7-300 PLC decoy
  • Siemens S7-1500 PLC decoy
  • TrueNAS Decoy
  • VAV-DD BACNET controller decoy

• Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.
• SSH banner is user-defined.

• Enable this service to capture attacks through SSLVPN on the user-defined port.

• Enable this service to activate SWIFT Lite2 on Windows 10 decoy.
• MT file import is mandatory.

• Enable this service to capture the port scan attacks on the customized port.
• TCP banner is user-defined.

MikroTik Router Decoy

A login-required service that enables attackers to utilize all MikroTik router functions.

MikroTik Router Decoy

A login-required service that enables attackers to utilize all MikroTik router functions.

MOXA NPORT 5110 decoy

• Login-required telnet service simulates moxa nport 5110 command line environment.
• Two command choices: 1 and 2

Schneider SCADAPack 333E decoy

Login-required telnet service simulates SCADAPack E Smart RTU command line environment.

Enable this service to allow attackers to login to a fake TP-link setting site.

• Enable this service to capture attacks with the TRICONEX service.

• Enable this service to open port 8080 on the decoy VM and simulate UPnP service.
• A UPnP msg will broadcast within the network. Within the msg there is a URL for the attacker to download a .xml file showing device information.

• Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.