FortiDeceptor decoys

FortiDeceptor creates a network of decoys to lure attackers and monitor their activities on the network. When a hacker attacks a decoy, an alert is generated and their malicious activities are captured and analyzed in real-time. This analysis generates a mitigation and remediation response that protects the network.

The current FortiDeceptor decoy OS are:

Windows	Windows 7, Windows 10, Windows 10ltsc2021v1
Linux	Ubuntu Desktop, CentOS, ESXi ,ELK and EV2023
IoT/OT	SCADA version 3, Medical OS, IoT OS, and d VoIP version1.
VPN	Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)
Customized Windows	Windows 10, Windows 11, Windows Server 2016, Windows Sever 2019, Windows Sever 2022, French Windows 10, French Windows Server 2016
Customized Linux	Red Hat 7.9, Red Hat 8, Red Hat 9, Ubuntu20.04 Server

The current FortiDeceptor application decoys are:

Application Decoys

POS OS, ERP OS PACS and SAP

The current FortiDeceptor lure services are:

Windows	RDP, SMB, TCPListener, NBNSSpoofSpotter, ICMP, FTP, SMTP, SWIFT Lite2. Does not contain (Windows 7.
Linux	SSH, SAMBA, TCPListener, HTTP, HTTPS, GIT, ICMP and FTP
IoT/OT	HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, ENIP, Kamstrup, DNP3, Telnet, PACS-WEB, PACS, DICOM server, Infusion Pump (TELNET), Infusion Pump (FTP), POS-WEB, ERP-WEP, GUARDIAN-AST, IEC104, Jetdirect, Printer-WEB, IP Camera-WEB, UPnP, RTSP, CDP, TP-link WEB, CWMP, SAP DISPATCHER, SAP WEB, MOXA, MQTT WEB, CoAP, SIP, and XMPP WEB
SSL VPN	HTTPS
Customized Windows	RDP, SMB, NBNSSpoofSpotter, MSSQL, IIS (HTTP/HTTPS), ICMP, TCPListener, SMTP, SWIFT Lite2 and FTP
Customized Linux	HTTP, HTTPS, GIT, SAMBA, SSH, SMTP, TCPListener, FTP, RADIUS, ICMP

The current FortiDeceptor IP address capacity are:

A single EOL can host up to 16 deception VMs.
A single FDCIKG can host up to 20 deception VMs.
A single FDCVMS can host up to 20 deception VMs.
A single deception VM supports up to 24 IP addresses or decoys. Each IP represents a decoy.
A single FortiDeceptor appliance (HW/VM) can support up to 480 IP addresses.
A single FortiDeceptor appliance (HW/VM) can support up to 128 segments (VLANS).

VPN only supports 8 IPs.

Cisco Decoy only supports 1VLAN.

Decoy services details

Centos
EV2023
FortiGate
Ubuntu
Windows
Customized Windows
IoT OS
- Printers
- Camera
- Switch
- Routers
- VPN Gateway
Medical
POS
CRM(ERP)
SAP
SCADA
VOIP V1 OS

Centos

centosv1 Decoy

Service	Description
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.
SAMBA	Enable this service to capture attacks through SMB on the default SMB port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the default HTTPS port.
GIT	HTTP port can be adjusted. HTTPS port can be adjusted. GIT Users are user-defined. Git Repository Import is optional.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
ICMP	Enable this service to capture ping/attacks through ICMP.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials
RADIUS	Enable this service to capture attacks through RADIUS. Authentication port can be adjusted. Accouting port can be adjusted. FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Electric Vehicles (EV2023)

EV-CPO Decoy

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

FortiGate

fgt601v1 Decoy

(FGT-60E/FGT-100F/FGT-1500D/FGT-2000E/FGT-3700D)

Service	Description
SSLVPN	Enable this service to capture attacks through SSLVPN on the user-defined port.

fgt601v2 Decoy

(FGT-60F/FGT-100F/FGT-1500D/FGT-2000E/FGT-3700D/ FGT-60F-DMZ/FGT-100F-DMZ/FGT-1500D-DMZ/FGT-2000E-DMZ/FGT-3700D-DMZ)

Service	Description
SSLVPN	Enable this service to capture attacks through SSLVPN on the user-defined port.

Ubuntu

ESXI Decoy (Ubuntu16v2)

Service	Description
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Elastic Search (Ubuntu16v2)

Service	Description
Elastic Search	ES port can be adjusted, and the user-defined port will be used for HTTP REST API calls to interact with the Elasticsearch cluster. ES node name is to define a unique identifier for the default created node with in the Cluster. Decoy hostname will be used if empty. ES cluster name is required to setup the decoy.

Linux Decoy (Ubuntu16v2)

Service	Description
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.
SAMBA	Enable this service to capture attacks through SMB on the default SMB port.
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
GIT	HTTP port can be adjusted. HTTPS port can be adjusted. GIT Users are user-defined. Git Repository Import is optional.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials
RADIUS	Enable this service to capture attacks through RADIUS. Authentication port can be adjusted. Accounting port can be adjusted. Secret Password is user-defined.
VNC	Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

Mac Decoy (Ubuntu16v2)

Service	Description
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.
VNC	Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

Citrix ADC Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Application Delivery Management Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Endpoint Management Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Receiver Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

ESXI Decoy (Ubuntu18v1)

Service

Description

SSH

Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.

SSH banner is user-defined.

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Elastic Search (Ubuntu18v1)

Service	Description
Elastic Search	ES port can be adjusted, and the user-defined port will be used for HTTP REST API calls to interact with the Elasticsearch cluster. ES node name is to define a unique identifier for the default created node with in the Cluster. Decoy hostname will be used if empty. ES cluster name is required to setup the decoy.

Linux Decoy (Ubuntu18v1)

Service	Description
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.
SAMBA	Enable this service to capture attacks through SMB on the default SMB port.
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
GIT	HTTP port can be adjusted. HTTPS port can be adjusted. GIT Users are user-defined. Git Repository Import is optional.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials.
RADIUS	Enable this service to capture attacks through RADIUS. Authentication port can be adjusted. Accounting port can be adjusted. Secret Password is user-defined.
VNC	Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

MySql MariaDB Decoy (Ubuntu18v1)

Service	Description
MariaDB	Enable this service to open the user defined port on the decoy VM and respond to MySQL database requests within the network. Database name must match the name of database in the uploaded SQL schema. Database content requires a SQL schema file for organizing database objects, providing a structured way to manage data and the relationships between different objects within the database system.
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.

Nginx Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

ScadaBR Decoy (Ubuntu18v1)

Service	Description
ScadaBR	Enable this service to capture attacks through ScadaBR web access on the user-defined HTTP port.

Tomcat Decoy (Ubuntu18v1)

Service	Description
TOMCAT (HTTP)	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
TOMCAT (HTTPS)	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.

Webmin Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Windows

Windows 7 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port.
SMB	Enable this service to capture attacks through SMB on the default SMB port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query yo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Windows 10 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port.
SMB	Enable this service to capture attacks through SMB on the default SMB port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query yo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on Windows 10 decoy. MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Windows 10ltsc2021v1 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port.
SMB	Enable this service to capture attacks through SMB on the default SMB port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener NBNSSpoofSpotter	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined. Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query yo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on Windows 10 decoy. MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials.

Customized Windows

Customized Windows 10 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port. Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service.
SMB	Enable this service to capture attacks through SMB on the default SMB port. Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service
MSSQL	Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query yo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on Windows 10 decoy. MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Windows 11 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service
SMB	Enable this service to capture attacks through SMB on the default SMB port Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
MSSQL	Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query yo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on Windows 10 decoy. MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized Windows Server 2016 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service
SMB	Enable this service to capture attacks through SMB on the default SMB port Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service
MSSQL	Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPs	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query tyo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on Windows 10 decoy. MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized Windows Server 2019 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port. Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service.
SMB MSSQL	Enable this service to capture attacks through SMB on the default SMB port Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener NBNSSpoofSpotter	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined. Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query to use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on deployed Windows decoy MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized Windows Server 2022 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service
SMB	Enable this service to capture attacks through SMB on the default SMB port Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted.
MSSQL	MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPs	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query to use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.
ICMP SWIFT Lite2	Enable this service to capture ping/traceroute attacks through ICMP. Enable this service to activate SWIFT Lite2 on deployed Windows decoy MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized French Windows 10 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service
SMB	Enable this service to capture attacks through SMB on the default SMB port Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted.
MSSQL	Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query to use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on deployed Windows decoy MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized French Windows Server 2016 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port. Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service.
SMB	Enable this service to capture attacks through SMB on the default SMB port. Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service.
MSSQL	Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query to use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on deployed Windows decoy MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

IoT OS

IoT refers to a network of devices, vehicles, appliances and other physical objects that are embedded with sensors, software and network connectivity.

Printers

Brother MFC Printer Decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Brother MFC Printer decoy.
Jetdirect	Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.
Printer-WEB	A web GUI that simulates the administration GUI of Brother NC-340h printer.

HP Printer Decoy

Service	Description
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for HP printer decoy.
Jetdirect	Enable this service to open port 9100 on the decoy VM, and respond to PJL (Printer Job Language) requests.
Printer-WEB	A web GUI that simulates the administration GUI of HP Officejet Pro X451dw printer.

Lexmark Printer Decoy

Service

Description

SNMP

Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network.
Community name is user-defined.
SNMP response is customized for Lexmark Printer decoy

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Lexmark MX410de printer.

*Please provide Cisco IOS software to run the Cisco decoy. You can copy the IOS from any Cisco router/switch flash by using TFTP server and running the copy flash tftp: command on the Cisco router/switch side, and then completing the deployment wizard.

Camera

IP Camera Decoy

Service	Description
IP Camera-WEB	A login-required service that displays videos to simulate IP cameras. Default videos are available. However, we strongly recommend uploading 1-8 .mp4 videos that fit best with the working environment.
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network Community name is user-defined. SNMP response is customized for IP camera decoy.
UPnP service	Enable this service to open port 8080 on the decoy VM and simulate UPnP service. A UPnP msg will broadcast within the network. Within the msg there is a URL for the attacker to download a .xml file showing device information.
RTSP service	When this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video. The RTSP port can be adjusted. To upload the video, you can use ffmpeg, or any other method to infinitely loop a video so it is available to the attacker Example: To infinitely loop a video:`sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose};` From the attacker perspective, the live camera stream is available at `rtsp://{ip}:{port}/{name_you_choose}`

Switch

HP Switch Decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for HP switch decoy.
Telnet service	A login-required service.
CDP	Enable this service to allow the decoy VM to send CDP traffic within the network.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Routers

Cisco Router Decoy

Service	Description
Models*	4 Cisco images (models) are supported: 2691, 3660, 3725 and 3745. An error is displayed if you upload an image that is not supported.
Router Running-Config (optional)	Allows you to upload a customized Cisco config file to predefine the Cisco router setting
Telnet service	A login-required service that enables attackers to utilize all Cisco router functions.
HTTP service	A login-required GUI service similar to the telnet service but with less functionality.
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP(v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Cisco router decoy.
CDP service	Enable this service to allow the decoy VM to send CDP traffic within the network.

TP-LINK Router Decoy

Service	Description
TP-LINK WEB	Enable this service to allow attackers to login to a fake TP-link setting site.
CWMP	Enable this service to send data using CWMP protocol to {ip}:{port}/cpe.

MikroTik Router Decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for MikroTik router decoy.
Telnet service	A login-required service that enables attackers to utilize all MikroTik router functions.
CDP	Enable this service to allow the decoy VM to send CDP traffic within the network.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

VPN Gateway

SWIFT VPN Gateway decoy

Service	Description
Telnet service	A login-required service.
HTTPS	Enable this service to capture attacks through HTTPS on the default HTTPS port.

Medical

PACS Decoy

Service	Description
Infusion Pump (Telnet) service	Simulates Infusion Pump (telnet) A username/password is required to login.
Infusion Pump (FTP)	Simulates Infusion Pump (FTP) A username/password is required to login.
PACS service	A user-defined name for the PACS system.
PACS-WEB service	Login-required web GUI for PACS, with existing medical data Port can be adjusted
DICOM Server service	Server port can be adjusted Server name can be adjusted DICOM operations (e.g. C-STORE, C-FIND) are supported

Infusomat Decoy

Service	Description
Http service	Enable this service to capture attacks through HTTP on the default HTTP port.
Https Service	Enable this service to capture attacks through HTTPS on the default HTTPS port.
CAN Bus Protocol	Enable this service to capture attacks through TCP on the default TCP port(1500)
B.BRAUN	Enable this service to capture attacks through HTTP port 8080.

Spacecom Decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
HTTP Service	Enable this service to capture attacks through HTTPS on the default HTTPS port.
FTPService	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined Enable Anonymous Access to allow files access through FTP without needing specific user credentials
CAN Bus Protocol	Enable this service to capture attacks through TCP on the default TCP port(1500).
SSH Service	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network SSH banner is user-defined

POS

Service	Description
POS-WEB service	Login-required web GUI simulate POS website Port can be adjusted

CRM(ERP)

Service	Description
ERP-WEB service	Login-required web GUI simulates ERP website Port can be adjusted

SAP

Service	Description
SAP ROUTER	Enable SAP ROUTER Service so SAP Logon can configure the SAProuter String. Use the default port to ensure SAP Logon can connect.
SAP DISPATCHER	Enable SAP DISPATCHER so SAP Logon can get responses from the SAP decoy. Use the default port to ensure SAP Logon can connect.
SAP WEB	A fake SAP HTTP and HTTPS GUI for SAP Fiori Launchpad or Legacy WebGUI.

SCADA (version3) OS

Ascent Compass MNG decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
FTP service	Enable this service to capture attacks through FTP on the default FTP port FTP banner is user-defined.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network Community name is user-defined SNMP response is customized for Ascent Compass MNG decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.

Guardian-AST decoy

Service	Description
Guardian-AST service	Enable this service to simulate an AST’s satellite communications remote asset tracking system named Guardian. To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available

IPMI Device decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for IPMI Device decoy.
FTP service	Enable this service to capture attacks through FTP on the default FTP port. FTP banner is user-defined.
IPMI service	Enable this service to capture attack through IPMI on the default IPMI port.

KAMSTRUP 382 decoy

Service	Description
KAMSTRUP service	Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available

Liebert Spruce UPS decoy

Service	Description
TFTP	Enable this to service capture attacks through TFTP on default TFTP port
SNMP	Enable this service to open port 161 on decoy VM and respond to SNMP(v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Liebert Spruce UPS decoy.
HTTP	Enable this service to capture attacks through HTTP on default HTTP port.

Niagara4 Station decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for IPMI Device decoy.
HTTP	Enable this service to capture attacks through HTTP on default HTTP port.
BACNET	Enable this service to capture attack through BACNET on default BACNET port.

NiagaraAX Station decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for IPMI Device decoy.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.
BACNET	Enable this service to capture attacks through BACNET on the default BACNET port.

PowerLogic ION7650 decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for PowerLogic ION7650 decoy.
MODBUS	Enable this service to capture attacks through MODBUS on the default MODBUS port.
DNP3	Enable this service to capture attacks through DNP3 on the default DNP3 port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L16ER/BLOGIX5316ER decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Rockwell 1769-L16ER/B LOGIX5316ER decoy.
ENIP	Enable this service to capture attacks through ENIP on the default ENIP port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L35E Ethernet Port decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Rockwell 1769-L35E Ethernet Port decoy.
ENIP	Enable this service to capture attacks through ENIP on the default ENIP port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell PLC decoy

Service	Description
HTTP service	Enable s this service capture attack through HTTP on the default HTTP port. HTTP page title is user defined.
TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Siemens Rockwell PLC decoy.
ENIP service	Enable this service to capture attack through ENIP on the default ENIP port. ENIP serial number is user-defined.

GE PLC decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined.
TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for GE PLC decoy.
ENIP service	Enable this service to capture attacks through ENIP on the default ENIP port. ENIP serial number is user-defined.

Schneider EcoStruxure BMS server decoy

Service	Description
SNMP service	Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Schneider EcoStruxure BMS server decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
TRICONEX service	Enable this service to capture attacks with the TRICONEX service.

MOXA NPORT 5110 decoy

Service	Description
SNMP service	Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for moxa nport 5110 decoy.
Telnet service	Login-required telnet service simulates moxa nport 5110 command line environment. Two command choices: 1 and 2
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
MOXA service	Download MOXA script from GitHub is required (https://github.com/Z-0ne/MoxaNportScan)

Schneider Power Meter - PM5560 decoy

Service	Description
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network Community name is user-defined. SNMP response is customized for Schneider Power Meter - PM5560 decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.
HTTP service	Enable this service to capture attacks through HTTP on default HTTP port.
DNP3 service	Enable this service to capture attacks through DNP3 on the default DNP3 port.
ENIP service	Enable this service to capture attacks through ENIP on the default ENIP port.

Schneider SCADAPack 333E decoy

Service	Description
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Schneider SCADAPack 333E decoy.
DNP3 service	Enable this service to capture attacks through DNP3.
Telnet service	Login-required telnet service simulates SCADAPack E Smart RTU command line environment.

Siemens S7-200 PLC decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined. Plant Identification is user-defined. Serial Number is user-defined.
TFTP service	Enable this to service capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Siemens S7-200 PLC decoy.
MODBUS service	Enable this service to capture attacks through MODBUS on the default MODBUS port.
S7COMM service	Enable this service to capture attacks through S7COMM on the default S7COMM port. Module Type is user-defined. PLC Name is user-defined.

Siemens S7-300 PLC decoy

TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Siemens S7-300 PLC decoy.
IEC104 service	Enable this service to capture attacks through IEC104 on the default IEC104 port.

Siemens S7-1500 PLC decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined. Plant Identification is user-defined. Serial Number is user-defined.
TFTP service	Enable this to service capture attacks through TFTP on the default TFTP port
IEC104 service	Enable this to service capture attacks through IEC104 on the default IEC104 port.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Siemens S7-1500 PLC decoy.
S7COMM service	Enable this service to capture attacks through S7COMM on the default S7COMM port. Module Type is user-defined. PLC Name is user-defined.
PROFINET service	Enable this service to capture attacks through PROFINET

Phoenix contact AXC 1050 decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined. Plant Identification is user-defined. Serial Number is user-defined.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Phoenix contact AXC 1050 decoy.
FTP service	Enable this service to capture attacks through FTP on the default FTP port FTP banner is user-defined Anonymous Access can be enabled which let user enters "anonymous" as a user ID and eliminate the need to authenticate themselves
PROFINET service	Enable this service to capture attacks through PROFINET

VAV-DD BACNET controller decoy

Service	Description
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for VAV-DD BACNET controller decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.

C-More HMI decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
HTTPS service	Enable this service to capture attacks through HTTPS on the default HTTPS port.
FTP service	Enable this service to capture attacks through FTP on the default FTP port. FTP banner is user-defined.
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined.

Modicon M580 decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
MODBUS service	Enable this service to capture attacks through MODBUS on the default MODBUS port.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network. Community name is user-defined.
ENIP service	Enable this service to capture attacks through ENIP on the default ENIP port.

Modicon M241 decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
MODBUS service	Enable this service to capture attacks through MODBUS on the default MODBUS port.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network. Community name is user-defined.
ENIP service	Enable this service to capture attacks through ENIP on the default ENIP port.

Emerson iPro by Dixell decoy

Service

Description

HTTP service

Enable this service to capture attacks through HTTP on the default HTTP port.

MODBUS service

Enable this service to capture attacks through MODBUS on the default MODBUS port.

SNMP service

Enable this service to open port 161 on decoy VM, and respond to SNMP (v1 or v2c) request from within the network.
Community name is user-defined.

Lantronix XPORT V1.8/2.0 decoy

Service

Description

HTTP service

Enable this service to capture attacks through HTTP on the default HTTP port.

Lantronix Discovery Protocol service

This protocol allows the discovery of Lantronix devices using the Lantronix discovery protocol.

SNMP service

Enable this service to open port 161 on decoy VM, and respond to SNMP (v1 or v2c) request from within the network.
Community name is user-defined.

VOIP V1 OS

MQTT decoy

Service	Description
MQTT WEB	Enable this service to capture attacks through MQTT WEB on the default MQTT WEB port. Supports custom listening port. Default port is 18083. Supports adding User/Password.
CoAP	Enable this to service capture attacks through CoAP on the default CoAP port. Download `libcoap` from GitHub is required. Go to https://github.com/miri64/libcoap and follow the command `libcoap` command rule.

SIP decoy

Service	Description
SIP	Enable this service to capture attacks. SIP port can be adjusted. Supports adding User/Password. Users can connect to the SIP server from SIP client service (like Linphone) through UDP or TCP, and register an account, text message, voice call, and video call each other.

XMPP decoy

Service	Description
XMPP WEB	Enable this service to cpature attacks and XMPP WEB Listening port can be adjusted Supports custom listening port (default port is 5280). Supports adding User/Password. Can be reached through HTTP.

4G/5G 3GPP decoy

Service

Description

NextEPC WEB

Enable this service to capture attacks through NextEPC WEB on the default port.
Supports adding User/Password.

SCTP & GTP-C

Enable this service to capture attacks through Stream Control Transmission Protocol (SCTP) and GTP-C.

GTP-U

Enable the service to capture attacks through GTP-U.

FortiDeceptor decoys

The current FortiDeceptor decoy OS are:

Windows	Windows 7, Windows 10, Windows 10ltsc2021v1
Linux	Ubuntu Desktop, CentOS, ESXi ,ELK and EV2023
IoT/OT	SCADA version 3, Medical OS, IoT OS, and d VoIP version1.
VPN	Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)
Customized Windows	Windows 10, Windows 11, Windows Server 2016, Windows Sever 2019, Windows Sever 2022, French Windows 10, French Windows Server 2016
Customized Linux	Red Hat 7.9, Red Hat 8, Red Hat 9, Ubuntu20.04 Server

The current FortiDeceptor application decoys are:

Application Decoys

POS OS, ERP OS PACS and SAP

The current FortiDeceptor lure services are:

Windows	RDP, SMB, TCPListener, NBNSSpoofSpotter, ICMP, FTP, SMTP, SWIFT Lite2. Does not contain (Windows 7.
Linux	SSH, SAMBA, TCPListener, HTTP, HTTPS, GIT, ICMP and FTP
IoT/OT	HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, ENIP, Kamstrup, DNP3, Telnet, PACS-WEB, PACS, DICOM server, Infusion Pump (TELNET), Infusion Pump (FTP), POS-WEB, ERP-WEP, GUARDIAN-AST, IEC104, Jetdirect, Printer-WEB, IP Camera-WEB, UPnP, RTSP, CDP, TP-link WEB, CWMP, SAP DISPATCHER, SAP WEB, MOXA, MQTT WEB, CoAP, SIP, and XMPP WEB
SSL VPN	HTTPS
Customized Windows	RDP, SMB, NBNSSpoofSpotter, MSSQL, IIS (HTTP/HTTPS), ICMP, TCPListener, SMTP, SWIFT Lite2 and FTP
Customized Linux	HTTP, HTTPS, GIT, SAMBA, SSH, SMTP, TCPListener, FTP, RADIUS, ICMP

The current FortiDeceptor IP address capacity are:

A single EOL can host up to 16 deception VMs.
A single FDCIKG can host up to 20 deception VMs.
A single FDCVMS can host up to 20 deception VMs.
A single deception VM supports up to 24 IP addresses or decoys. Each IP represents a decoy.
A single FortiDeceptor appliance (HW/VM) can support up to 480 IP addresses.
A single FortiDeceptor appliance (HW/VM) can support up to 128 segments (VLANS).

VPN only supports 8 IPs.

Cisco Decoy only supports 1VLAN.

Decoy services details

Centos
EV2023
FortiGate
Ubuntu
Windows
Customized Windows
IoT OS
- Printers
- Camera
- Switch
- Routers
- VPN Gateway
Medical
POS
CRM(ERP)
SAP
SCADA
VOIP V1 OS

Centos

centosv1 Decoy

Service	Description
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.
SAMBA	Enable this service to capture attacks through SMB on the default SMB port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the default HTTPS port.
GIT	HTTP port can be adjusted. HTTPS port can be adjusted. GIT Users are user-defined. Git Repository Import is optional.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
ICMP	Enable this service to capture ping/attacks through ICMP.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials
RADIUS	Enable this service to capture attacks through RADIUS. Authentication port can be adjusted. Accouting port can be adjusted. FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Electric Vehicles (EV2023)

EV-CPO Decoy

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

FortiGate

fgt601v1 Decoy

(FGT-60E/FGT-100F/FGT-1500D/FGT-2000E/FGT-3700D)

Service	Description
SSLVPN	Enable this service to capture attacks through SSLVPN on the user-defined port.

fgt601v2 Decoy

(FGT-60F/FGT-100F/FGT-1500D/FGT-2000E/FGT-3700D/ FGT-60F-DMZ/FGT-100F-DMZ/FGT-1500D-DMZ/FGT-2000E-DMZ/FGT-3700D-DMZ)

Service	Description
SSLVPN	Enable this service to capture attacks through SSLVPN on the user-defined port.

Ubuntu

ESXI Decoy (Ubuntu16v2)

Service	Description
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Elastic Search (Ubuntu16v2)

Service	Description
Elastic Search	ES port can be adjusted, and the user-defined port will be used for HTTP REST API calls to interact with the Elasticsearch cluster. ES node name is to define a unique identifier for the default created node with in the Cluster. Decoy hostname will be used if empty. ES cluster name is required to setup the decoy.

Linux Decoy (Ubuntu16v2)

Service	Description
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.
SAMBA	Enable this service to capture attacks through SMB on the default SMB port.
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
GIT	HTTP port can be adjusted. HTTPS port can be adjusted. GIT Users are user-defined. Git Repository Import is optional.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials
RADIUS	Enable this service to capture attacks through RADIUS. Authentication port can be adjusted. Accounting port can be adjusted. Secret Password is user-defined.
VNC	Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

Mac Decoy (Ubuntu16v2)

Service	Description
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.
VNC	Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

Citrix ADC Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Application Delivery Management Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Endpoint Management Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Citrix Receiver Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

ESXI Decoy (Ubuntu18v1)

Service

Description

SSH

Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network.

SSH banner is user-defined.

HTTP

Enable this service to capture attacks through HTTP on the user-defined HTTP port.

HTTPS

Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Elastic Search (Ubuntu18v1)

Service	Description
Elastic Search	ES port can be adjusted, and the user-defined port will be used for HTTP REST API calls to interact with the Elasticsearch cluster. ES node name is to define a unique identifier for the default created node with in the Cluster. Decoy hostname will be used if empty. ES cluster name is required to setup the decoy.

Linux Decoy (Ubuntu18v1)

Service	Description
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.
SAMBA	Enable this service to capture attacks through SMB on the default SMB port.
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
GIT	HTTP port can be adjusted. HTTPS port can be adjusted. GIT Users are user-defined. Git Repository Import is optional.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials.
RADIUS	Enable this service to capture attacks through RADIUS. Authentication port can be adjusted. Accounting port can be adjusted. Secret Password is user-defined.
VNC	Enable this service to capture remote control/support attacks through VNC (Virtual Network Computing) system.

MySql MariaDB Decoy (Ubuntu18v1)

Service	Description
MariaDB	Enable this service to open the user defined port on the decoy VM and respond to MySQL database requests within the network. Database name must match the name of database in the uploaded SQL schema. Database content requires a SQL schema file for organizing database objects, providing a structured way to manage data and the relationships between different objects within the database system.
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.

Nginx Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

ScadaBR Decoy (Ubuntu18v1)

Service	Description
ScadaBR	Enable this service to capture attacks through ScadaBR web access on the user-defined HTTP port.

Tomcat Decoy (Ubuntu18v1)

Service	Description
TOMCAT (HTTP)	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
TOMCAT (HTTPS)	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
SSH	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network. SSH banner is user-defined.

Webmin Decoy (Ubuntu18v1)

Service	Description
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.

Windows

Windows 7 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port.
SMB	Enable this service to capture attacks through SMB on the default SMB port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query yo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Windows 10 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port.
SMB	Enable this service to capture attacks through SMB on the default SMB port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query yo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on Windows 10 decoy. MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Windows 10ltsc2021v1 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port.
SMB	Enable this service to capture attacks through SMB on the default SMB port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener NBNSSpoofSpotter	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined. Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query yo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on Windows 10 decoy. MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials.

Customized Windows

Customized Windows 10 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port. Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service.
SMB	Enable this service to capture attacks through SMB on the default SMB port. Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service
MSSQL	Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query yo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on Windows 10 decoy. MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Windows 11 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service
SMB	Enable this service to capture attacks through SMB on the default SMB port Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
MSSQL	Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query yo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on Windows 10 decoy. MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized Windows Server 2016 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service
SMB	Enable this service to capture attacks through SMB on the default SMB port Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service
MSSQL	Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPs	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query tyo use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600, to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on Windows 10 decoy. MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized Windows Server 2019 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port. Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service.
SMB MSSQL	Enable this service to capture attacks through SMB on the default SMB port Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener NBNSSpoofSpotter	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined. Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query to use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on deployed Windows decoy MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized Windows Server 2022 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service
SMB	Enable this service to capture attacks through SMB on the default SMB port Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted.
MSSQL	MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPs	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query to use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.
ICMP SWIFT Lite2	Enable this service to capture ping/traceroute attacks through ICMP. Enable this service to activate SWIFT Lite2 on deployed Windows decoy MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized French Windows 10 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service
SMB	Enable this service to capture attacks through SMB on the default SMB port Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted.
MSSQL	Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query to use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on deployed Windows decoy MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

Customized French Windows Server 2016 Decoy

Service	Description
RDP	Enable this service to capture attacks through RDP on the default RDP port. Enable Allow domain user to access RDP to allow Active Directory (AD) user in RDP service.
SMB	Enable this service to capture attacks through SMB on the default SMB port. Enable Allow domain user to access SMB to allow Active Directory (AD) user in SMB service.
MSSQL	Enable this service to capture attacks through MSSQL (Microsoft SQL Server). Listening port can be adjusted. MSSQL Database is user-defined but needs to match the name of database in the uploaded SQL schema. SQL Database Content import is mandatory. Enable ODBC Lure to allow ODBC Lure on Deception Token of this Decoy. DSN name is user-defined (after enabling ODBC lure) DSN Description is user-defined (after enabling ODBC lure)
HTTP	Enable this service to capture attacks through HTTP on the user-defined HTTP port.
HTTPS	Enable this service to capture attacks through HTTPS on the user-defined HTTPS port.
SMTP	Enable this service to capture attacks through SMTP (Simple Mail Transfer Protocol). Listening port can be adjusted. SMTP Domain is user-defined. SMTP Banner is user-defined. Enable Secure SMTP to activate TLS (Transport Layer Security) protocol on SMTP service. Enable Anonymous Relay to allow anyone to send email to the decoy without requiring authentication.
TCPListener	Enable this service to capture the port scan attacks on the defined ports. TCP banner is user-defined.
NBNSSpoofSpotter	Enable this service to capture attacks through NBNS (NetBIOS Name Service) NBNS Username is user-defined. NBNS Password is user-defined. NBNS Domain is user-defined. (Not mandatory) NBNS Hostname is user-defined. Enable NBNS User Hostname for Query to use the above NBNS hostname for query directly; disable NBNS User Hostname, system will generate fake hostnames based on the provided string NBNS Interval setting ranges from 60 to 3600 to manage the frequency of NBNS activities.
ICMP	Enable this service to capture ping/traceroute attacks through ICMP.
SWIFT Lite2	Enable this service to activate SWIFT Lite2 on deployed Windows decoy MT file import is mandatory.
FTP	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined. Enable Anonymous Access to allow files access through FTP without needing specific user credentials

IoT OS

IoT refers to a network of devices, vehicles, appliances and other physical objects that are embedded with sensors, software and network connectivity.

Printers

Brother MFC Printer Decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Brother MFC Printer decoy.
Jetdirect	Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.
Printer-WEB	A web GUI that simulates the administration GUI of Brother NC-340h printer.

HP Printer Decoy

Service	Description
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for HP printer decoy.
Jetdirect	Enable this service to open port 9100 on the decoy VM, and respond to PJL (Printer Job Language) requests.
Printer-WEB	A web GUI that simulates the administration GUI of HP Officejet Pro X451dw printer.

Lexmark Printer Decoy

Service

Description

SNMP

Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network.
Community name is user-defined.
SNMP response is customized for Lexmark Printer decoy

Jetdirect

Enable this service to open port 9100 on the decoy VM and respond to PJL (Printer Job Language) requests.

Printer-WEB

A web GUI that simulates the administration GUI of Lexmark MX410de printer.

Camera

IP Camera Decoy

Service	Description
IP Camera-WEB	A login-required service that displays videos to simulate IP cameras. Default videos are available. However, we strongly recommend uploading 1-8 .mp4 videos that fit best with the working environment.
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) requests from within the network Community name is user-defined. SNMP response is customized for IP camera decoy.
UPnP service	Enable this service to open port 8080 on the decoy VM and simulate UPnP service. A UPnP msg will broadcast within the network. Within the msg there is a URL for the attacker to download a .xml file showing device information.
RTSP service	When this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video. The RTSP port can be adjusted. To upload the video, you can use ffmpeg, or any other method to infinitely loop a video so it is available to the attacker Example: To infinitely loop a video:`sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose};` From the attacker perspective, the live camera stream is available at `rtsp://{ip}:{port}/{name_you_choose}`

Switch

HP Switch Decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for HP switch decoy.
Telnet service	A login-required service.
CDP	Enable this service to allow the decoy VM to send CDP traffic within the network.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Routers

Cisco Router Decoy

Service	Description
Models*	4 Cisco images (models) are supported: 2691, 3660, 3725 and 3745. An error is displayed if you upload an image that is not supported.
Router Running-Config (optional)	Allows you to upload a customized Cisco config file to predefine the Cisco router setting
Telnet service	A login-required service that enables attackers to utilize all Cisco router functions.
HTTP service	A login-required GUI service similar to the telnet service but with less functionality.
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP(v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Cisco router decoy.
CDP service	Enable this service to allow the decoy VM to send CDP traffic within the network.

TP-LINK Router Decoy

Service	Description
TP-LINK WEB	Enable this service to allow attackers to login to a fake TP-link setting site.
CWMP	Enable this service to send data using CWMP protocol to {ip}:{port}/cpe.

MikroTik Router Decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for MikroTik router decoy.
Telnet service	A login-required service that enables attackers to utilize all MikroTik router functions.
CDP	Enable this service to allow the decoy VM to send CDP traffic within the network.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

VPN Gateway

SWIFT VPN Gateway decoy

Service	Description
Telnet service	A login-required service.
HTTPS	Enable this service to capture attacks through HTTPS on the default HTTPS port.

Medical

PACS Decoy

Service	Description
Infusion Pump (Telnet) service	Simulates Infusion Pump (telnet) A username/password is required to login.
Infusion Pump (FTP)	Simulates Infusion Pump (FTP) A username/password is required to login.
PACS service	A user-defined name for the PACS system.
PACS-WEB service	Login-required web GUI for PACS, with existing medical data Port can be adjusted
DICOM Server service	Server port can be adjusted Server name can be adjusted DICOM operations (e.g. C-STORE, C-FIND) are supported

Infusomat Decoy

Service	Description
Http service	Enable this service to capture attacks through HTTP on the default HTTP port.
Https Service	Enable this service to capture attacks through HTTPS on the default HTTPS port.
CAN Bus Protocol	Enable this service to capture attacks through TCP on the default TCP port(1500)
B.BRAUN	Enable this service to capture attacks through HTTP port 8080.

Spacecom Decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
HTTP Service	Enable this service to capture attacks through HTTPS on the default HTTPS port.
FTPService	Enable this service to capture attacks through FTP on the user-defined FTP port FTP banner is user-defined Enable Anonymous Access to allow files access through FTP without needing specific user credentials
CAN Bus Protocol	Enable this service to capture attacks through TCP on the default TCP port(1500).
SSH Service	Enable this service to open port 22 on the decoy VM and respond to SSH (Secure Shell) requests within the network SSH banner is user-defined

POS

Service	Description
POS-WEB service	Login-required web GUI simulate POS website Port can be adjusted

CRM(ERP)

Service	Description
ERP-WEB service	Login-required web GUI simulates ERP website Port can be adjusted

SAP

Service	Description
SAP ROUTER	Enable SAP ROUTER Service so SAP Logon can configure the SAProuter String. Use the default port to ensure SAP Logon can connect.
SAP DISPATCHER	Enable SAP DISPATCHER so SAP Logon can get responses from the SAP decoy. Use the default port to ensure SAP Logon can connect.
SAP WEB	A fake SAP HTTP and HTTPS GUI for SAP Fiori Launchpad or Legacy WebGUI.

SCADA (version3) OS

Ascent Compass MNG decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
FTP service	Enable this service to capture attacks through FTP on the default FTP port FTP banner is user-defined.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network Community name is user-defined SNMP response is customized for Ascent Compass MNG decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.

Guardian-AST decoy

Service	Description
Guardian-AST service	Enable this service to simulate an AST’s satellite communications remote asset tracking system named Guardian. To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available

IPMI Device decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for IPMI Device decoy.
FTP service	Enable this service to capture attacks through FTP on the default FTP port. FTP banner is user-defined.
IPMI service	Enable this service to capture attack through IPMI on the default IPMI port.

KAMSTRUP 382 decoy

Service	Description
KAMSTRUP service	Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available

Liebert Spruce UPS decoy

Service	Description
TFTP	Enable this to service capture attacks through TFTP on default TFTP port
SNMP	Enable this service to open port 161 on decoy VM and respond to SNMP(v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Liebert Spruce UPS decoy.
HTTP	Enable this service to capture attacks through HTTP on default HTTP port.

Niagara4 Station decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for IPMI Device decoy.
HTTP	Enable this service to capture attacks through HTTP on default HTTP port.
BACNET	Enable this service to capture attack through BACNET on default BACNET port.

NiagaraAX Station decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for IPMI Device decoy.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.
BACNET	Enable this service to capture attacks through BACNET on the default BACNET port.

PowerLogic ION7650 decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for PowerLogic ION7650 decoy.
MODBUS	Enable this service to capture attacks through MODBUS on the default MODBUS port.
DNP3	Enable this service to capture attacks through DNP3 on the default DNP3 port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L16ER/BLOGIX5316ER decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Rockwell 1769-L16ER/B LOGIX5316ER decoy.
ENIP	Enable this service to capture attacks through ENIP on the default ENIP port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell 1769-L35E Ethernet Port decoy

Service	Description
SNMP	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Rockwell 1769-L35E Ethernet Port decoy.
ENIP	Enable this service to capture attacks through ENIP on the default ENIP port.
HTTP	Enable this service to capture attacks through HTTP on the default HTTP port.

Rockwell PLC decoy

Service	Description
HTTP service	Enable s this service capture attack through HTTP on the default HTTP port. HTTP page title is user defined.
TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Siemens Rockwell PLC decoy.
ENIP service	Enable this service to capture attack through ENIP on the default ENIP port. ENIP serial number is user-defined.

GE PLC decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined.
TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for GE PLC decoy.
ENIP service	Enable this service to capture attacks through ENIP on the default ENIP port. ENIP serial number is user-defined.

Schneider EcoStruxure BMS server decoy

Service	Description
SNMP service	Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Schneider EcoStruxure BMS server decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
TRICONEX service	Enable this service to capture attacks with the TRICONEX service.

MOXA NPORT 5110 decoy

Service	Description
SNMP service	Enable this service to open port 161 on decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for moxa nport 5110 decoy.
Telnet service	Login-required telnet service simulates moxa nport 5110 command line environment. Two command choices: 1 and 2
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
MOXA service	Download MOXA script from GitHub is required (https://github.com/Z-0ne/MoxaNportScan)

Schneider Power Meter - PM5560 decoy

Service	Description
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network Community name is user-defined. SNMP response is customized for Schneider Power Meter - PM5560 decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.
HTTP service	Enable this service to capture attacks through HTTP on default HTTP port.
DNP3 service	Enable this service to capture attacks through DNP3 on the default DNP3 port.
ENIP service	Enable this service to capture attacks through ENIP on the default ENIP port.

Schneider SCADAPack 333E decoy

Service	Description
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Schneider SCADAPack 333E decoy.
DNP3 service	Enable this service to capture attacks through DNP3.
Telnet service	Login-required telnet service simulates SCADAPack E Smart RTU command line environment.

Siemens S7-200 PLC decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined. Plant Identification is user-defined. Serial Number is user-defined.
TFTP service	Enable this to service capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Siemens S7-200 PLC decoy.
MODBUS service	Enable this service to capture attacks through MODBUS on the default MODBUS port.
S7COMM service	Enable this service to capture attacks through S7COMM on the default S7COMM port. Module Type is user-defined. PLC Name is user-defined.

Siemens S7-300 PLC decoy

TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for Siemens S7-300 PLC decoy.
IEC104 service	Enable this service to capture attacks through IEC104 on the default IEC104 port.

Siemens S7-1500 PLC decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined. Plant Identification is user-defined. Serial Number is user-defined.
TFTP service	Enable this to service capture attacks through TFTP on the default TFTP port
IEC104 service	Enable this to service capture attacks through IEC104 on the default IEC104 port.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Siemens S7-1500 PLC decoy.
S7COMM service	Enable this service to capture attacks through S7COMM on the default S7COMM port. Module Type is user-defined. PLC Name is user-defined.
PROFINET service	Enable this service to capture attacks through PROFINET

Phoenix contact AXC 1050 decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port. HTTP page title is user defined. Plant Identification is user-defined. Serial Number is user-defined.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Phoenix contact AXC 1050 decoy.
FTP service	Enable this service to capture attacks through FTP on the default FTP port FTP banner is user-defined Anonymous Access can be enabled which let user enters "anonymous" as a user ID and eliminate the need to authenticate themselves
PROFINET service	Enable this service to capture attacks through PROFINET

VAV-DD BACNET controller decoy

Service	Description
SNMP service	Enable this service to open port 161 on the decoy VM and respond to SNMP (v1 or v2c) requests from within the network. Community name is user-defined. SNMP response is customized for VAV-DD BACNET controller decoy.
BACNET service	Enable this service to capture attacks through BACNET on the default BACNET port.

C-More HMI decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
HTTPS service	Enable this service to capture attacks through HTTPS on the default HTTPS port.
FTP service	Enable this service to capture attacks through FTP on the default FTP port. FTP banner is user-defined.
SNMP service	Enable this service to open port 161 on the decoy VM, and respond to SNMP (v1 or v2c) request from within the network. Community name is user-defined.

Modicon M580 decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
MODBUS service	Enable this service to capture attacks through MODBUS on the default MODBUS port.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network. Community name is user-defined.
ENIP service	Enable this service to capture attacks through ENIP on the default ENIP port.

Modicon M241 decoy

Service	Description
HTTP service	Enable this service to capture attacks through HTTP on the default HTTP port.
TFTP service	Enable this service to capture attacks through TFTP on the default TFTP port.
MODBUS service	Enable this service to capture attacks through MODBUS on the default MODBUS port.
SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network. Community name is user-defined.
ENIP service	Enable this service to capture attacks through ENIP on the default ENIP port.

Emerson iPro by Dixell decoy

Service

Description

HTTP service

Enable this service to capture attacks through HTTP on the default HTTP port.

MODBUS service

Enable this service to capture attacks through MODBUS on the default MODBUS port.

SNMP service

Enable this service to open port 161 on decoy VM, and respond to SNMP (v1 or v2c) request from within the network.
Community name is user-defined.

Lantronix XPORT V1.8/2.0 decoy

Service

Description

HTTP service

Enable this service to capture attacks through HTTP on the default HTTP port.

Lantronix Discovery Protocol service

This protocol allows the discovery of Lantronix devices using the Lantronix discovery protocol.

SNMP service

Enable this service to open port 161 on decoy VM, and respond to SNMP (v1 or v2c) request from within the network.
Community name is user-defined.

VOIP V1 OS

MQTT decoy

Service	Description
MQTT WEB	Enable this service to capture attacks through MQTT WEB on the default MQTT WEB port. Supports custom listening port. Default port is 18083. Supports adding User/Password.
CoAP	Enable this to service capture attacks through CoAP on the default CoAP port. Download `libcoap` from GitHub is required. Go to https://github.com/miri64/libcoap and follow the command `libcoap` command rule.

SIP decoy

Service	Description
SIP	Enable this service to capture attacks. SIP port can be adjusted. Supports adding User/Password. Users can connect to the SIP server from SIP client service (like Linphone) through UDP or TCP, and register an account, text message, voice call, and video call each other.

XMPP decoy

Service	Description
XMPP WEB	Enable this service to cpature attacks and XMPP WEB Listening port can be adjusted Supports custom listening port (default port is 5280). Supports adding User/Password. Can be reached through HTTP.

4G/5G 3GPP decoy

Service

Description

NextEPC WEB

Enable this service to capture attacks through NextEPC WEB on the default port.
Supports adding User/Password.

SCTP & GTP-C

Enable this service to capture attacks through Stream Control Transmission Protocol (SCTP) and GTP-C.

GTP-U

Enable the service to capture attacks through GTP-U.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

FortiDeceptor decoys

FortiDeceptor decoys

The current FortiDeceptor decoy OS are:

The current FortiDeceptor application decoys are:

The current FortiDeceptor lure services are:

The current FortiDeceptor IP address capacity are:

Decoy services details

Centos

centosv1 Decoy

Electric Vehicles (EV2023)

EV-CPO Decoy