FortiDeceptor decoys

FortiDeceptor creates a network of decoys to lure attackers and monitor their activities on the network. When a hacker attacks a decoy, an alert is generated and their malicious activities are captured and analyzed in real-time. This analysis generates a mitigation and remediation response that protects the network.

The current FortiDeceptor decoy OS are:

Windows	Windows 7, Windows 10, Windows 10ltsc2021v1
Linux	Ubuntu Desktop, CentOS, ESXi and ELK
IoT/OT	SCADA version 3, Medical OS, IoT OS, and d VoIP version1.
VPN	Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)
Customized Windows	Windows 10, Windows 11, Windows Server 2016, Windows Sever 2019, Windows Sever 2022, French Windows 10, French Windows Server 2016

The current FortiDeceptor application decoys are:

Application Decoys

POS OS, ERP OS PACS and SAP

The current FortiDeceptor lure services are:

Windows	RDP, SMB, TCPListener, NBNSSpoofSpotter, ICMP, FTP, SMTP, SWIFT Lite2. Does not contain (Windows 7.
Linux	SSH, SAMBA, TCPListener, HTTP, HTTPS, GIT, ICMP and FTP
IoT/OT	HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, ENIP, Kamstrup, DNP3, Telnet, PACS-WEB, PACS, DICOM server, Infusion Pump (TELNET), Infusion Pump (FTP), POS-WEB, ERP-WEP, GUARDIAN-AST, IEC104, Jetdirect, Printer-WEB, IP Camera-WEB, UPnP, RTSP, CDP, TP-link WEB, CWMP, SAP DISPATCHER, SAP WEB, MOXA, MQTT WEB, CoAP, SIP, and XMPP WEB
SSL VPN	HTTPS
Customized Windows	RDP, SMB, NBNSSpoofSpotter, MSSQL, IIS (HTTP/HTTPS), ICMP, TCPListener, SMTP, SWIFT Lite2 and FTP

The current FortiDeceptor IP address capacity are:

A single EOL can host up to 16 deception VMs.
A single FDCIKG can host up to 20 deception VMs.
A single FDCVMS can host up to 20 deception VMs.
A single deception VM supports up to 24 IP addresses or decoys. Each IP represents a decoy.
A single FortiDeceptor appliance (HW/VM) can support up to 480 IP addresses.
A single FortiDeceptor appliance (HW/VM) can support up to 128 segments (VLANS).

VPN only supports 8 IPs.

Cisco Decoy only supports 1VLAN.

IoT OS

Brother MFC Printer Decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Brother MFC Printer decoy.
Jetdirect	Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.
Printer-WEB	A web GUI that simulates the administration GUI of Brother NC-340h printer.

Cisco router decoy

Service	Description
Models*	4 Cisco images (models) are supported: 2691, 3660, 3725 and 3745. An error is displayed if you upload an image that is not supported.
Router Running-Config (optional)	Allows you to upload a customized Cisco config file to predefine the Cisco router setting
Telnet service	A login-required service that enables attackers to utilize all Cisco router functions.
HTTP service	A login-required GUI service similar to the telnet service but with less functionality.
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP(v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Cisco router decoy.
CDP service	Enable this service to allow the decoy VM to send CDP traffic within the network.

*Please provide Cisco IOS software to run the Cisco decoy. You can copy the IOS from any Cisco router/switch flash by using TFTP server and running the copy flash tftp: command on the Cisco router/switch side, and then completing the deployment wizard.

HP printer decoy

Service	Description
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within network Community name is user-defined SNMP response is customized for HP printer decoy.
Jetdirect	Enable this service to open port 9100 on the decoy VM, and respond to PJL (Printer Job Language) requests.
Printer-WEB	A web GUI that simulates the administration GUI of HP Officejet Pro X451dw printer.

IP camera decoy

Service	Description
IP Camera-WEB	A login-required service that displays videos to simulate IP cameras. Default videos are available. However, we strongly recommend uploading 1-8 .mp4 videos that fit best with the working environment.
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network Community name is user-defined. SNMP response is customized for IP camera decoy.
UPnP service	Enable this service to open port 8080 on the decoy VM and simulate UPnP service. A UPnP msg will broadcast within the network. Within the msg there is a URL for the attacker to download a .xml file showing device information.
RTSP service	When this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video. The RTSP port can be adjusted. To upload the video, you can use ffmpeg, or any other method to infinitely loop a video so it is available to the attacker Example: To infinitely loop a video:`sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose};` From the attacker perspective, the live camera stream is available at `rtsp://{ip}:{port}/{name_you_choose}`

Lexmark Printer decoy

Service

Description

SNMP

Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network.
Community name is user-defined.
SNMP response is customized for Lexmark Printer decoy

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Lexmark MX410de printer.

TP-LINK decoy

Service	Description
TP-LINK WEB	Enable this service to allow attackers to login to a fake TP-link setting site.
CWMP	Enable this service to send data using CWMP protocol to {ip}:{port}/cpe.

Medical

Service	Description
Infusion Pump (Telnet) service	Simulates Infusion Pump (telnet) A username/password is required to login.
Infusion Pump (FTP)	Simulates Infusion Pump (FTP) A username/password is required to login.
PACS service	A user-defined name for the PACS system.
PACS-WEB service	Login-required web GUI for PACS, with existing medical data Port can be adjusted
DICOM Server service	Server port can be adjusted Server name can be adjusted DICOM operations (e.g. C-STORE, C-FIND) are supported
B. Braun Infusomat service	HTTP/S: Built-in web services to retrieve medical data CAN Bus Protocol (enable/disable) B.BRAUN (port 8080): Login-required web GUI for the B.Braun Infusomat device

POS

Service	Description
POS-WEB service	Login-required web GUI simulate POS website Port can be adjusted

CRM(ERP)

Service	Description
ERP-WEB service	Login-required web GUI simulates ERP website Port can be adjusted

SAP

Service	Description
SAP ROUTER	Enable SAP ROUTER Service so SAP Logon can configure the SAProuter String. Use the default port to ensure SAP Logon can connect.
SAP DISPATCHER	Enable SAP DISPATCHER so SAP Logon can get responses from the SAP decoy. Use the default port to ensure SAP Logon can connect.
SAP WEB	A fake SAP HTTP and HTTPS GUI for SAP Fiori Launchpad or Legacy WebGUI.

SCADA (version3) OS

Ascent Compass MNG decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
FTP service	Enable this service to capture attacks through FTP on the default FTP port FTP banner is user-defined.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network Community name is user-defined SNMP response is customized for Ascent Compass MNG decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.

Guardian-AST decoy

Service	Description
Guardian-AST service	Enable this service to simulate an AST’s satellite communications remote asset tracking system named Guardian. To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available

IPMI Device decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for IPMI Device decoy.
FTP service	Enable this service to capture attacks through FTP on the default FTP port. FTP banner is user-defined.
IPMI service	Enable this service to capture attack through IPMI on the default IPMI port.

KAMSTRUP 382 decoy

Service	Description
KAMSTRUP service	Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available

Liebert Spruce UPS decoy

Service	Description
TFTP	Enable this to service capture attacks through TFTP on default TFTP port
SNMP	Enable this service to open port 161 on decoy VM and respond to SNMP(v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Liebert Spruce UPS decoy.
HTTP	Enable this service to capture attacks through HTTP on default HTTP port.

Niagara4 Station decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for IPMI Device decoy.
HTTP	Enable this service to capture attacks through HTTP on default HTTP port.
BACNET	Enable this service to capture attack through BACNET on default BACNET port.

NiagaraAX Station decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for IPMI Device decoy.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.
BACNET	Enable this service to capture attacks through BACNET on the default BACNET port.

PowerLogic ION7650 decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for PowerLogic ION7650 decoy.
MODBUS	Enable this service to capture attacks through MODBUS on the default MODBUS port.
DNP3	Enable this service to capture attacks through DNP3 on the default DNP3 port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L16ER/BLOGIX5316ER decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Rockwell 1769-L16ER/B LOGIX5316ER decoy.
ENIP	Enable this service to capture attacks through ENIP on the default ENIP port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L35E Ethernet Port decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Rockwell 1769-L35E Ethernet Port decoy.
ENIP	Enable this service to capture attacks through ENIP on the default ENIP port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell PLC decoy

Service	Description
HTTP service	Enable s this service capture attack through HTTP on the default HTTP port. HTTP page title is user defined.
TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Siemens Rockwell PLC decoy.
ENIP service	Enable this service to capture attack through ENIP on the default ENIP port. ENIP serial number is user-defined.

GE PLC decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined.
TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for GE PLC decoy.
ENIP service	Enable this service to capture attacks through ENIP on the default ENIP port. ENIP serial number is user-defined.

Schneider EcoStruxure BMS server decoy

Service	Description
SNMP service	Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Schneider EcoStruxure BMS server decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
TRICONEX service	Enable this service to capture attacks with the TRICONEX service.

MOXA NPORT 5110 decoy

Service	Description
SNMP service	Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for moxa nport 5110 decoy.
Telnet service	Login-required telnet service simulates moxa nport 5110 command line environment. Two command choices: 1 and 2
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
MOXA service	Download MOXA script from GitHub is required (https://github.com/Z-0ne/MoxaNportScan)

Schneider Power Meter - PM5560 decoy

Service	Description
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network Community name is user-defined. SNMP response is customized for Schneider Power Meter - PM5560 decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.
HTTP service	Enable this service to capture attacks through HTTP on default HTTP port.
DNP3 service	Enable this service to capture attacks through DNP3 on the default DNP3 port.
ENIP service	Enable this service to capture attacks through ENIP on the default ENIP port.

Schneider SCADAPack 333E decoy

Service	Description
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Schneider SCADAPack 333E decoy.
DNP3 service	Enable this service to capture attacks through DNP3.
Telnet service	Login-required telnet service simulates SCADAPack E Smart RTU command line environment.

Siemens S7-200 PLC decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined. Plant Identification is user-defined. Serial Number is user-defined.
TFTP service	Enable this to service capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Siemens S7-200 PLC decoy.
MODBUS service	Enable this service to capture attacks through MODBUS on the default MODBUS port.
S7COMM service	Enable this service to capture attacks through S7COMM on the default S7COMM port. Module Type is user-defined. PLC Name is user-defined.

Siemens S7-300 PLC decoy

TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Siemens S7-300 PLC decoy.
IEC104 service	Enable this service to capture attacks through IEC104 on the default IEC104 port.

Siemens S7-1500 PLC decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined. Plant Identification is user-defined. Serial Number is user-defined.
TFTP service	Enable this to service capture attacks through TFTP on the default TFTP port
IEC104 service	Enable this to service capture attacks through IEC104 on the default IEC104 port.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Siemens S7-1500 PLC decoy.
S7COMM service	Enable this service to capture attacks through S7COMM on the default S7COMM port. Module Type is user-defined. PLC Name is user-defined.
PROFINET service	Enable this service to capture attacks through PROFINET

Phoenix contact AXC 1050 decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined. Plant Identification is user-defined. Serial Number is user-defined.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Phoenix contact AXC 1050 decoy.
FTP service	Enable this service to capture attacks through FTP on the default FTP port FTP banner is user-defined Anonymous Access can be enabled which let user enters "anonymous" as a user ID and eliminate the need to authenticate themselves
PROFINET service	Enable this service to capture attacks through PROFINET

VAV-DD BACNET controller decoy

Service	Description
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for VAV-DD BACNET controller decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.

VOIP V1 OS

MQTT decoy

Service	Description
MQTT WEB	Enable this service to capture attacks through MQTT WEB on the default MQTT WEB port. Supports custom listening port. Default port is 18083. Supports adding User/Password.
CoAP	Enable this to service capture attacks through CoAP on the default CoAP port. Download `libcoap` from GitHub is required. Go to https://github.com/miri64/libcoap and follow the command `libcoap` command rule.

SIP decoy

Service	Description
SIP	Enable this service to capture attacks through MQTT WEB on the default SIP port. Supports adding User/Password. Users can connect to the SIP server from SIP client service (like Linphone) through UDP or TCP, and register an account, text message, voice call, and video call each other.

XMPP decoy

Service	Description
XMPP WEB	Enable this service to capture attacks through XMPP WEB on the default XMPP WEB port. Supports custom listening port (default port is 5280). Supports adding User/Password. Can be reached through HTTP.