Fool OS Scans functionality

[citnadxela]

Opencanary is ran on linux obviously. I was wondering if there's a way to hide the os (in bold below) from the fingerprinting port scan?

PS C:\Users> & 'C:\Program Files (x86)\Nmap\nmap.exe' -O -p 1433 opencanary
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-11 09:06 Pacific Standard Time
Nmap scan report for opencanary ()
Host is up (0.034s latency).

PORT STATE SERVICE
1433/tcp open ms-sql-s
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|firewall|WAP
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X|2.4.X (90%), WatchGuard Fireware 11.X (86%), IPFire 2.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6 cpe:/o:watchguard:fireware:11.8 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:ipfire:ipfire:2.11 cpe:/o:linux:linux_kernel:2.4
Aggressive OS guesses: Linux 3.11 - 4.1 (90%), Linux 3.2.0 (90%), Linux 3.16 (89%), Linux 4.4 (89%), Linux 2.6.18 - 2.6.22 (88%), Linux 3.13 (88%), Linux 3.10 - 3.12 (87%), Linux 3.10 - 4.11 (87%), Linux 3.12 (87%), Linux 3.13 or 4.2 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.96 seconds
PS C:\Users>

[jayjb]

Hi @citnadxela,

Hiding or fooling the fingerprinting process is totally possible (we do it in our commercial Canary product). The issue with OpenCanary is that we do not know what hardware or underlying OS will be running the OpenCanary program (or what combination of the two). So we haven't (yet), endeavoured to add that functionality to the OpenCanary project.

[stepner03]

Hi @jayjb,
as of today 01 June 2023 has the os fingerprint functionality been implemented in the opensource version of opencanary ?

Thx
Kevin

[jayjb]

Hi @stepner03,

It hasn't been implemented on OpenCanary yet.

[1Stronk]

Funny I discover this now, because I actually managed to get what you're trying to do working with a tool called Cyder , fooling the OS scan into thinking my Ubuntu system actually being a Windows Server. It basically returns fingerprint information from the nmap database as a reply on an incoming NMAP scan. It runs fine alongside OpenCanary when you remove the honeypot functionality from Cyder's code (there should be branch available on my account)

It runs on outdated Python libraries though, and it's not tested on anything but Ubuntu. If my coding skills were better I would've tried building it into OpenCanary, but maybe someone else is interested into updating the original code and incorporating it ^^

It would be a pretty major add-on, considering Cyder is the only open-source tool capable of this as far as I know.

[MakoWish]

I would also like to see this. I tried Cyder, but I can't seem to get it running on Ubuntu 22.04. Not much use in emulating a Windows Server if you can't actually appear to be a Windows Server.

[MakoWish]

Very nice! Thank you! I will give this a shot!

[MakoWish]

Aside from a few incompatible Python packages (downgraded those to compatible versions), everything seemed to go well up until the sudo python3 app.py part.

me@ubuntu:~/Cyder$ sudo python3 app.py
/usr/lib/python3/dist-packages/scapy/layers/ipsec.py:471: CryptographyDeprecationWarning: Blowfish has been deprecated
  cipher=algorithms.Blowfish,
/usr/lib/python3/dist-packages/scapy/layers/ipsec.py:485: CryptographyDeprecationWarning: CAST5 has been deprecated
  cipher=algorithms.CAST5,
Traceback (most recent call last):
  File "/home/eadmin/Cyder/app.py", line 1, in <module>
    from Tunnel.packetBackUp import startIntercept
  File "/home/eadmin/Cyder/Tunnel/packetBackUp.py", line 3, in <module>
    from Tunnel.VirtualDevice import destroyTap, getVirtualDevices
  File "/home/eadmin/Cyder/Tunnel/VirtualDevice.py", line 6, in <module>
    import gconstant as gc
  File "/home/eadmin/Cyder/gconstant.py", line 11, in <module>
    from Crypto.PublicKey import RSA
  File "/usr/local/lib/python3.10/dist-packages/Crypto/PublicKey/RSA.py", line 585
    except ValueError, IndexError:
           ^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: multiple exception types must be parenthesized

[1Stronk]

So apparantly this is a syntax error, in the code, which I didn't get when I got this working a year ago. Note I used a clean install of ubuntu, no changes except for the commands above.

Anyway, back to your error, this means the fault is with the version of Python not being able to understand the syntax used

or my altered code is wrong (which I doubt, I never altered code, only deleted code))

Try changing:

except ValueError, IndexError
to
except (ValueError, IndexError):

or to
except ValueError(IndexError):

[MakoWish]

I already had OpenCanary installed, so I wiped the VM and started from a fresh Ubuntu 22.04. Cyder seems to be working now aside from a permission denied on tcpdump.

tcpdump: /var/log/cyder/pcap/capture.pcap: Permission denied

I did an NMAP scan against the machine, and it is reporting as a Windows box now, so looks like it is working! Since I am not really concerned with Cyder as an actual HoneyPot, I am going to call it "working enough" and not care about the tcpdump error. I had already cloned the Cyder repo this morning, but I didn't mess with anything yet. I may play around with it some more to strip out more unnecessary functionality.

I appreciate your walkthrough on this! This is just what I needed!

[1Stronk]

Good to hear you got it working. I also ignored the TCPdump, stuff like this should be stripped from the code :) I never got around to cleaning it up tho. Goodluck on your project.

Here's some more stuff you can add to your Cyder config file to emulate some Windows Services and make your honeypot more realistic.

#HTTP emulation
5985 = HTTP/1\.1 \d\d\d.*\r\nContent-Type: text/html(?:; charset=us-ascii)?\r\nServer:
Microsoft-HTTPAPI/([\d.]+)\r\n
47001 = HTTP/1\.1 \d\d\d.*\r\nContent-Type: text/html(?:; charset=us-ascii)?\r\nServer:
Microsoft-HTTPAPI/([\d.]+)\r\n
#Windows RPC emulation
135 = \x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0...$
49664 = \x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0...$
49665 = \x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0...$
49666 = \x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0...$
49668 = \x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0...$
49669 = \x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0...$
49693 = \x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0...$
49701 = \x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0...$
49712 = \x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0...$
49982 = \x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0...$

(I chose these ports based on an nmap scan I did on a running Windows Server VM)