refactor(ssh): consolidate real_ssh into ssh, remove duplication

real_ssh was a separate service name pointing to the same template and
behaviour as ssh. Merged them: ssh is now the single real-OpenSSH service.

- Rename templates/real_ssh/ → templates/ssh/
- Remove decnet/services/real_ssh.py
- Deaddeck archetype updated: services=["ssh"]
- Merge test_real_ssh.py into test_ssh.py (includes deaddeck + logging tests)
- Drop decnet.services.real_ssh from test_build module list
2026-04-11 19:51:41 -04:00
parent d77def64c4
commit c79f96f321
45 changed files with 1610 additions and 239 deletions


@@ -17,7 +17,11 @@
"Bash(xxd)", "Bash(xxd)",
"Bash(curl -s http://192.168.1.200:2375/version)", "Bash(curl -s http://192.168.1.200:2375/version)",
"Bash(python3 -m json.tool)", "Bash(python3 -m json.tool)",
"Bash(curl -s http://192.168.1.200:9200/)" "Bash(curl -s http://192.168.1.200:9200/)",
"Bash(docker image:*)",
"Read(//home/anti/Tools/cowrie/src/cowrie/data/txtcmds/**)",
"Read(//home/anti/Tools/cowrie/src/cowrie/data/txtcmds/bin/**)",
"mcp__plugin_context-mode_context-mode__ctx_index"
] ]
} }
} }
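Review bot: The entries added to this list are machine-specific, so this looks like a local tool-permission allowlist that should stay untracked rather than ship in a refactor commit: `Read(//home/anti/Tools/cowrie/src/cowrie/data/txtcmds/**)` hard-codes one developer's home directory, and the neighbouring `curl` entries pin a lab address. `Bash(docker image:*)` is also a wildcard grant; if the file is kept, narrow it to the exact subcommand needed, such as `Bash(docker image ls)`. The same concern applies to the other local artefacts this commit adds, which would be better covered by an ignore rule: the `# hypothesis_version` constant dumps, `decnet.collector.log` and the nmap output files all embed `/home/anti/...` paths or lab scan results. The array this list belongs to starts above the hunk.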


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--parallel', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/deployer.py
# hypothesis_version: 6.151.11
[5.0, ', ', '--build', '--no-cache', '--watch', '-d', '-f', '1', 'DECNET Deckies', 'DOCKER_BUILDKIT', 'Decky', 'Deployed Deckies', 'Hostname', 'IP', 'IPvlan', 'IPvlan L2', 'MACVLAN', 'Services', 'Status', '[green]up[/]', '[red]degraded[/]', 'absent', 'bold', 'build', 'cmdline', 'compose', 'decnet-compose.yml', 'decnet.cli', 'decnet.web.api:app', 'decnet_logging.py', 'docker', 'down', 'green', 'manifest for', 'manifest unknown', 'mutate', 'name', 'not found', 'pid', 'pull access denied', 'red', 'rm', 'running', 'stop', 'templates', 'up', 'uvicorn']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--parallel', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '.collector.log', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', '__main__', 'a', 'archetypes', 'bold cyan', 'collect', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/web/collector.py
# hypothesis_version: 6.151.11
['"', '%Y-%m-%d %H:%M:%S', '-', '.json', '/', 'Actor', 'Attributes', 'Collector error: %s', 'Unknown', '[', '\\', '\\"', '\\\\', '\\]', '\\]\\s+(.+)$', ']', 'a', 'attacker_ip', 'client_ip', 'container', 'decky', 'decnet', 'decnet.web.collector', 'event', 'event_type', 'fields', 'id', 'ip', 'msg', 'name', 'raw_line', 'remote_ip', 'replace', 'service', 'src', 'src_ip', 'start', 'timestamp', 'type', 'utf-8']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/archetypes.py
# hypothesis_version: 6.151.11
[', ', 'Database Server', 'DevOps Host', 'Domain Controller', 'File Server', 'IoT Device', 'Linux Server', 'Mail Server', 'Monitoring Node', 'Network Printer', 'VoIP Server', 'Web Server', 'Windows Server', 'Windows Workstation', 'alpine', 'conpot', 'database-server', 'deaddeck', 'debian', 'devops-host', 'docker_api', 'domain-controller', 'embedded', 'fedora', 'file-server', 'ftp', 'http', 'imap', 'industrial-control', 'iot-device', 'k8s', 'ldap', 'linux', 'linux-server', 'llmnr', 'mail-server', 'monitoring-node', 'mqtt', 'mysql', 'pop3', 'postgres', 'printer', 'rdp', 'redis', 'rocky9', 'sip', 'smb', 'smtp', 'snmp', 'ssh', 'telnet', 'ubuntu20', 'ubuntu22', 'voip-server', 'web-server', 'windows', 'windows-server', 'windows-workstation']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/os_fingerprint.py
# hypothesis_version: 6.151.12
['0', '1', '128', '15', '2', '255', '3', '30', '6', '60', '64', 'bsd', 'cisco', 'embedded', 'linux', 'net.ipv4.tcp_ecn', 'net.ipv4.tcp_sack', 'windows']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/os_fingerprint.py
# hypothesis_version: 6.151.12
['0', '1', '128', '15', '2', '255', '3', '30', '6', '60', '64', 'bsd', 'cisco', 'embedded', 'linux', 'net.ipv4.tcp_ecn', 'net.ipv4.tcp_sack', 'windows']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--parallel', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'collect', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/os_fingerprint.py
# hypothesis_version: 6.151.12
['0', '1', '1000', '128', '15', '2', '250', '255', '3', '30', '6', '60', '6168', '64', 'bsd', 'cisco', 'embedded', 'linux', 'net.ipv4.tcp_ecn', 'net.ipv4.tcp_sack', 'windows']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/web/collector.py
# hypothesis_version: 6.151.11
['"', '%Y-%m-%d %H:%M:%S', '-', '.json', '/', 'Actor', 'Attributes', 'Collector error: %s', 'Unknown', '[', '\\', '\\"', '\\\\', '\\]', '\\]\\s+(.+)$', ']', 'a', 'attacker_ip', 'client_ip', 'container', 'decky', 'decnet.web.collector', 'event', 'event_type', 'fields', 'id', 'ip', 'msg', 'name', 'raw_line', 'remote_ip', 'replace', 'service', 'src', 'src_ip', 'start', 'timestamp', 'type', 'utf-8']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--parallel', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '.collector.log', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', '__main__', 'a', 'archetypes', 'bold cyan', 'collect', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--parallel', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'collect', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']


@@ -0,0 +1,4 @@
# file: /home/anti/Tools/DECNET/decnet/composer.py
# hypothesis_version: 6.151.11
['10m', '3.8', '5', 'BASE_IMAGE', 'HOSTNAME', 'NET_ADMIN', 'args', 'build', 'cap_add', 'command', 'container_name', 'depends_on', 'driver', 'environment', 'external', 'hostname', 'image', 'infinity', 'ipv4_address', 'json-file', 'logging', 'max-file', 'max-size', 'network_mode', 'networks', 'options', 'restart', 'services', 'sleep', 'sysctls', 'unless-stopped', 'version']

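--- a/decnet.collector.log
+++ b/decnet.collector.log
@@ -0,0 +1 @@
+Collector starting → /home/anti/Tools/DECNET/decnet.log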


@@ -148,7 +148,7 @@ ARCHETYPES: dict[str, Archetype] = {
slug="deaddeck", slug="deaddeck",
display_name="Deaddeck (Entry Point)", display_name="Deaddeck (Entry Point)",
description="Internet-facing entry point with real interactive SSH — no honeypot emulation", description="Internet-facing entry point with real interactive SSH — no honeypot emulation",
services=["real_ssh"], services=["ssh"],
preferred_distros=["debian", "ubuntu22"], preferred_distros=["debian", "ubuntu22"],
nmap_os="linux", nmap_os="linux",
), ),


@@ -1,46 +0,0 @@
from pathlib import Path
from decnet.services.base import BaseService
TEMPLATES_DIR = Path(__file__).parent.parent.parent / "templates" / "real_ssh"
class RealSSHService(BaseService):
"""
Fully interactive OpenSSH server — no honeypot emulation.
Used for the deaddeck (entry-point machine). Attackers get a real shell.
Credentials are intentionally weak to invite exploitation.
service_cfg keys:
password Root password (default: "admin")
hostname Override container hostname
"""
name = "real_ssh"
ports = [22]
default_image = "build"
def compose_fragment(
self,
decky_name: str,
log_target: str | None = None,
service_cfg: dict | None = None,
) -> dict:
cfg = service_cfg or {}
env: dict = {
"SSH_ROOT_PASSWORD": cfg.get("password", "admin"),
}
if "hostname" in cfg:
env["SSH_HOSTNAME"] = cfg["hostname"]
return {
"build": {"context": str(TEMPLATES_DIR)},
"container_name": f"{decky_name}-real-ssh",
"restart": "unless-stopped",
"cap_add": ["NET_BIND_SERVICE"],
"environment": env,
}
def dockerfile_context(self) -> Path:
return TEMPLATES_DIR


@@ -2,7 +2,7 @@ from pathlib import Path
from decnet.services.base import BaseService from decnet.services.base import BaseService
TEMPLATES_DIR = Path(__file__).parent.parent.parent / "templates" / "real_ssh" TEMPLATES_DIR = Path(__file__).parent.parent.parent / "templates" / "ssh"
class SSHService(BaseService): class SSHService(BaseService):


@@ -4,7 +4,7 @@
*Goal: Ensure every service is interactive enough to feel real during manual exploration.* *Goal: Ensure every service is interactive enough to feel real during manual exploration.*
### Remote Access & Shells ### Remote Access & Shells
- [x] **SSH (Cowrie)** — Custom filesystem, realistic user database, and command execution. - [ ] **SSH (Cowrie)** — Custom filesystem, realistic user database, and command execution.
- [ ] **Telnet (Cowrie)** — Realistic banner and command emulation. - [ ] **Telnet (Cowrie)** — Realistic banner and command emulation.
- [ ] **RDP** — Realistic NLA authentication and screen capture (where possible). - [ ] **RDP** — Realistic NLA authentication and screen capture (where possible).
- [ ] **VNC** — Realistic RFB protocol handshake and authentication. - [ ] **VNC** — Realistic RFB protocol handshake and authentication.


@@ -0,0 +1,476 @@
Nmap scan report for 192.168.1.200
Host is up (0.0000020s latency).
Not shown: 65515 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd (before 2.0.8) or WU-FTPD
23/tcp open telnet?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, DistCCD, JavaRMI, LANDesk-RC, LDAPBindReq, NULL, NotesRPC, RPCCheck, Radmin, TerminalServer, WMSRequest, X11Probe, mydoom, tn3270:
| login:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, LDAPSearchReq, RTSPRequest:
| login:
| Password:
| Login incorrect
| login:
| Hello, Help, Kerberos, LPDString, NessusTPv10, NessusTPv11, NessusTPv12, SSLSessionReq, SSLv23SessionReq, TerminalServerCookie, Verifier, VerifierAdvanced, WWWOFFLEctrlstat:
| login:
| Password:
| SIPOptions:
| login:
| Password:
| Login incorrect
| login: Password:
| Login incorrect
| login: Password:
| Login incorrect
| login: Password:
| Login incorrect
| login: Password:
| Login incorrect
|_ login: Password:
25/tcp open smtp Postfix smtpd
|_smtp-commands: omega-decky, PIPELINING, SIZE 10240000, VRFY, ETRN, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.4.54
|_http-title: 403 Forbidden
|_http-server-header: Werkzeug/3.1.8 Python/3.11.2
110/tcp open pop3 Dovecot pop3d ([omega-decky])
|_pop3-capabilities: USER
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 AUTH=PLAIN OK completed AUTH=LOGINA0001 CAPABILITY
389/tcp open ldap Cisco LDAP server
445/tcp open microsoft-ds
| fingerprint-strings:
| SMBProgNeg:
| SMBr
|_ "3DUfw
1433/tcp open ms-sql-s?
1883/tcp open mqtt
| mqtt-subscribe:
| Topics and their most recent payloads:
| plant/water/pump2/status: STANDBY
| plant/alarm/high_pressure: 0
| plant/water/chlorine/residual: 0.8
| plant/water/chlorine/dosing: 1.2
| plant/water/pump1/rpm: 1419
| plant/water/tank1/level: 76.6
| plant/$SYS/broker/uptime: 2847392
| plant/$SYS/broker/version: Mosquitto 2.0.15
| plant/water/valve/inlet/state: OPEN
| plant/water/valve/drain/state: CLOSED
| plant/water/tank1/pressure: 2.86
| plant/water/pump1/status: RUNNING
| plant/alarm/low_chlorine: 0
|_ plant/alarm/pump_fault: 0
2375/tcp open docker Docker 24.0.5
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/3.1.8 Python/3.11.2
| Date: Fri, 10 Apr 2026 06:25:23 GMT
| Content-Type: application/json
| Content-Length: 46
| Connection: close
| {"message": "page not found", "response": 404}
| HTTPOptions:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.1.8 Python/3.11.2
| Date: Fri, 10 Apr 2026 06:25:23 GMT
| Content-Type: text/html; charset=utf-8
| Allow: HEAD, OPTIONS, GET
| Content-Length: 0
| Connection: close
| Hello:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('EHLO').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
| </html>
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
| </html>
| docker:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.1.8 Python/3.11.2
| Date: Fri, 10 Apr 2026 06:25:23 GMT
| Content-Type: application/json
| Content-Length: 187
| Connection: close
|_ {"Version": "24.0.5", "ApiVersion": "1.43", "MinAPIVersion": "1.12", "GitCommit": "ced0996", "GoVersion": "go1.20.6", "Os": "linux", "Arch": "amd64", "KernelVersion": "5.15.0-76-generic"}
| docker-version:
| KernelVersion: 5.15.0-76-generic
| MinAPIVersion: 1.12
| Arch: amd64
| Os: linux
| GoVersion: go1.20.6
| Version: 24.0.5
| GitCommit: ced0996
|_ ApiVersion: 1.43
3306/tcp open mysql MySQL 5.7.38-log
| mysql-info:
| Protocol: 10
| Version: 5.7.38-log
| Thread ID: 1
| Capabilities flags: 63487
| Some Capabilities: Support41Auth, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, ConnectWithDatabase, SupportsTransactions, IgnoreSpaceBeforeParenthesis, SupportsCompression, LongColumnFlag, SupportsLoadDataLocal, ODBCClient, LongPassword, Speaks41ProtocolNew, InteractiveClient, FoundRows, IgnoreSigpipes, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: pv!magic!O}%>UM|gu^1
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server xrdp
5060/tcp open sip (SIP end point; Status: 401 Unauthorized)
| fingerprint-strings:
| HTTPOptions:
| SIP/2.0 401 Unauthorized
| Via:
| From:
| Call-ID:
| CSeq:
| WWW-Authenticate: Digest realm="omega-decky", nonce="fa63b9f8e719d810", algorithm=MD5
| Content-Length: 0
| RTSPRequest:
| SIP/2.0 401 Unauthorized
| Via:
| From:
| Call-ID:
| CSeq:
| WWW-Authenticate: Digest realm="omega-decky", nonce="25b193b6f8c63e9d", algorithm=MD5
| Content-Length: 0
| SIPOptions:
| SIP/2.0 401 Unauthorized
| Via: SIP/2.0/TCP nm;branch=foo
| From: <sip:nm@nm>;tag=root
| <sip:nm2@nm2>
| Call-ID: 50000
| CSeq: 42 OPTIONS
| WWW-Authenticate: Digest realm="omega-decky", nonce="7d2aa09cb9bfbac0", algorithm=MD5
|_ Content-Length: 0
5432/tcp open postgresql?
5900/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
|_ VNC Authentication (2)
6379/tcp open redis?
| fingerprint-strings:
| HELP4STOMP, HTTPOptions, Hello, Help, Kerberos, LPDString, Memcache, NessusTPv10, NessusTPv11, NessusTPv12, RTSPRequest, SSLSessionReq, SSLv23SessionReq, Socks5, SqueezeCenter_CLI, TLSSessionReq, TerminalServerCookie, Verifier, VerifierAdvanced, WWWOFFLEctrlstat, ajp, dominoconsole, firebird:
| -ERR unknown command
| LDAPSearchReq, hp-pjl, pervasive-btrieve:
| -ERR unknown command
| -ERR unknown command
| SIPOptions:
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| redis-server:
| $150
| Server
| redis_version:7.2.7
| redis_mode:standalone
| os:Linux 5.15.0
| arch_bits:64
| tcp_port:6379
| uptime_in_seconds:864000
| connected_clients:1
|_ Keyspace
6443/tcp open sun-sr-https?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/3.1.8 Python/3.11.2
| Date: Fri, 10 Apr 2026 06:25:23 GMT
| Content-Type: application/json
| Content-Length: 52
| Connection: close
| {"kind": "Status", "status": "Failure", "code": 404}
| HTTPOptions:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.1.8 Python/3.11.2
| Date: Fri, 10 Apr 2026 06:25:23 GMT
| Content-Type: text/html; charset=utf-8
| Allow: GET, HEAD, OPTIONS
| Content-Length: 0
| Connection: close
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
| </html>
| SSLSessionReq:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('
| &lt;=
| ').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
9200/tcp open wap-wsp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Server: elasticsearch
| Date: Fri, 10 Apr 2026 06:25:23 GMT
| Content-Type: application/json; charset=UTF-8
| Content-Length: 477
| X-elastic-product: Elasticsearch
| {"name": "omega-decky", "cluster_name": "elasticsearch", "cluster_uuid": "xC3Pr9abTq2mNkOeLvXwYA", "version": {"number": "7.17.9", "build_flavor": "default", "build_type": "docker", "build_hash": "ef48222227ee6b9e70e502f0f0daa52435ee634d", "build_date": "2023-01-31T05:34:43.305517834Z", "build_snapshot": false, "lucene_version": "8.11.1", "minimum_wire_compatibility_version": "6.8.0", "minimum_index_compatibility_version": "6.0.0-beta1"}, "tagline": "You Know, for Search"}
| HTTPOptions:
| HTTP/1.0 501 Unsupported method ('OPTIONS')
| Server: elasticsearch
| Date: Fri, 10 Apr 2026 06:25:23 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
| Content-Length: 360
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 501</p>
| <p>Message: Unsupported method ('OPTIONS').</p>
| <p>Error code explanation: 501 - Server does not support this operation.</p>
| </body>
| </html>
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
27017/tcp open mongod?
|_mongodb-databases: ERROR: Script execution failed (use -d to debug)
|_mongodb-info: ERROR: Script execution failed (use -d to debug)
8 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port23-TCP:V=7.92%I=9%D=4/10%Time=69D897D3%P=x86_64-redhat-linux-gnu%r(
SF:NULL,7,"login:\x20")%r(GenericLines,2C,"login:\x20\xff\xfb\x01Password:
SF:\x20\nLogin\x20incorrect\nlogin:\x20")%r(tn3270,16,"login:\x20\xff\xfe\
SF:x18\xff\xfe\x19\xff\xfc\x19\xff\xfe\0\xff\xfc\0")%r(GetRequest,2C,"logi
SF:n:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(HTT
SF:POptions,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nl
SF:ogin:\x20")%r(RTSPRequest,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogi
SF:n\x20incorrect\nlogin:\x20")%r(RPCCheck,7,"login:\x20")%r(DNSVersionBin
SF:dReqTCP,7,"login:\x20")%r(DNSStatusRequestTCP,7,"login:\x20")%r(Hello,1
SF:4,"login:\x20\xff\xfb\x01Password:\x20")%r(Help,14,"login:\x20\xff\xfb\
SF:x01Password:\x20")%r(SSLSessionReq,14,"login:\x20\xff\xfb\x01Password:\
SF:x20")%r(TerminalServerCookie,14,"login:\x20\xff\xfb\x01Password:\x20")%
SF:r(SSLv23SessionReq,14,"login:\x20\xff\xfb\x01Password:\x20")%r(Kerberos
SF:,14,"login:\x20\xff\xfb\x01Password:\x20")%r(X11Probe,7,"login:\x20")%r
SF:(FourOhFourRequest,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogin\x20in
SF:correct\nlogin:\x20")%r(LPDString,14,"login:\x20\xff\xfb\x01Password:\x
SF:20")%r(LDAPSearchReq,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogin\x20
SF:incorrect\nlogin:\x20")%r(LDAPBindReq,7,"login:\x20")%r(SIPOptions,BE,"
SF:login:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20Pass
SF:word:\x20\nLogin\x20incorrect\nlogin:\x20Password:\x20\nLogin\x20incorr
SF:ect\nlogin:\x20Password:\x20\nLogin\x20incorrect\nlogin:\x20Password:\x
SF:20\nLogin\x20incorrect\nlogin:\x20Password:\x20")%r(LANDesk-RC,7,"login
SF::\x20")%r(TerminalServer,7,"login:\x20")%r(NotesRPC,7,"login:\x20")%r(D
SF:istCCD,7,"login:\x20")%r(JavaRMI,7,"login:\x20")%r(Radmin,7,"login:\x20
SF:")%r(NessusTPv12,14,"login:\x20\xff\xfb\x01Password:\x20")%r(NessusTPv1
SF:1,14,"login:\x20\xff\xfb\x01Password:\x20")%r(NessusTPv10,14,"login:\x2
SF:0\xff\xfb\x01Password:\x20")%r(WMSRequest,7,"login:\x20")%r(mydoom,7,"l
SF:ogin:\x20")%r(WWWOFFLEctrlstat,14,"login:\x20\xff\xfb\x01Password:\x20"
SF:)%r(Verifier,14,"login:\x20\xff\xfb\x01Password:\x20")%r(VerifierAdvanc
SF:ed,14,"login:\x20\xff\xfb\x01Password:\x20");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port445-TCP:V=7.92%I=9%D=4/10%Time=69D897D8%P=x86_64-redhat-linux-gnu%r
SF:(SMBProgNeg,51,"\0\0\0M\xffSMBr\0\0\0\0\x80\0\xc0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0@\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\xfa\0\0\0\0\x01\0\0\0
SF:\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\x08\x08\0\x11\"3DUfw\x88");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1433-TCP:V=7.92%I=9%D=4/10%Time=69D897D8%P=x86_64-redhat-linux-gnu%
SF:r(ms-sql-s,2F,"\x04\x01\0/\0\0\x01\0\0\0\x1a\0\x06\x01\0\x20\0\x01\x02\
SF:0!\0\x01\x03\0\"\0\x04\x04\0&\0\x01\xff\x0e\0\x07\xd0\0\0\x02\0\0\0\0\0
SF:\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5060-TCP:V=7.92%I=9%D=4/10%Time=69D897E0%P=x86_64-redhat-linux-gnu%
SF:r(SIPOptions,F7,"SIP/2\.0\x20401\x20Unauthorized\r\nVia:\x20SIP/2\.0/TC
SF:P\x20nm;branch=foo\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@
SF:nm2>\r\nCall-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nWWW-Authenticate
SF::\x20Digest\x20realm=\"omega-decky\",\x20nonce=\"7d2aa09cb9bfbac0\",\x2
SF:0algorithm=MD5\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,AE,"SIP/
SF:2\.0\x20401\x20Unauthorized\r\nVia:\x20\r\nFrom:\x20\r\nTo:\x20\r\nCall
SF:-ID:\x20\r\nCSeq:\x20\r\nWWW-Authenticate:\x20Digest\x20realm=\"omega-d
SF:ecky\",\x20nonce=\"fa63b9f8e719d810\",\x20algorithm=MD5\r\nContent-Leng
SF:th:\x200\r\n\r\n")%r(RTSPRequest,AE,"SIP/2\.0\x20401\x20Unauthorized\r\
SF:nVia:\x20\r\nFrom:\x20\r\nTo:\x20\r\nCall-ID:\x20\r\nCSeq:\x20\r\nWWW-A
SF:uthenticate:\x20Digest\x20realm=\"omega-decky\",\x20nonce=\"25b193b6f8c
SF:63e9d\",\x20algorithm=MD5\r\nContent-Length:\x200\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5432-TCP:V=7.92%I=9%D=4/10%Time=69D897E2%P=x86_64-redhat-linux-gnu%
SF:r(SMBProgNeg,D,"R\0\0\0\x0c\0\0\0\x05\x96\xbci&")%r(Kerberos,D,"R\0\0\0
SF:\x0c\0\0\0\x05\xa7\x87:~")%r(ZendJavaBridge,D,"R\0\0\0\x0c\0\0\0\x05\xe
SF:d\x9f\xf8\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6379-TCP:V=7.92%I=9%D=4/10%Time=69D897D8%P=x86_64-redhat-linux-gnu%
SF:r(redis-server,9E,"\$150\r\n#\x20Server\nredis_version:7\.2\.7\nredis_m
SF:ode:standalone\nos:Linux\x205\.15\.0\narch_bits:64\ntcp_port:6379\nupti
SF:me_in_seconds:864000\nconnected_clients:1\n#\x20Keyspace\n\r\n")%r(GetR
SF:equest,5,"\$-1\r\n")%r(HTTPOptions,16,"-ERR\x20unknown\x20command\r\n")
SF:%r(RTSPRequest,16,"-ERR\x20unknown\x20command\r\n")%r(Hello,16,"-ERR\x2
SF:0unknown\x20command\r\n")%r(Help,16,"-ERR\x20unknown\x20command\r\n")%r
SF:(SSLSessionReq,16,"-ERR\x20unknown\x20command\r\n")%r(TerminalServerCoo
SF:kie,16,"-ERR\x20unknown\x20command\r\n")%r(TLSSessionReq,16,"-ERR\x20un
SF:known\x20command\r\n")%r(SSLv23SessionReq,16,"-ERR\x20unknown\x20comman
SF:d\r\n")%r(Kerberos,16,"-ERR\x20unknown\x20command\r\n")%r(FourOhFourReq
SF:uest,5,"\$-1\r\n")%r(LPDString,16,"-ERR\x20unknown\x20command\r\n")%r(L
SF:DAPSearchReq,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20comma
SF:nd\r\n")%r(SIPOptions,DC,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown
SF:\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command
SF:\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x2
SF:0unknown\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x2
SF:0command\r\n-ERR\x20unknown\x20command\r\n")%r(NessusTPv12,16,"-ERR\x20
SF:unknown\x20command\r\n")%r(NessusTPv11,16,"-ERR\x20unknown\x20command\r
SF:\n")%r(NessusTPv10,16,"-ERR\x20unknown\x20command\r\n")%r(WWWOFFLEctrls
SF:tat,16,"-ERR\x20unknown\x20command\r\n")%r(Verifier,16,"-ERR\x20unknown
SF:\x20command\r\n")%r(VerifierAdvanced,16,"-ERR\x20unknown\x20command\r\n
SF:")%r(Socks5,16,"-ERR\x20unknown\x20command\r\n")%r(OfficeScan,5,"\$-1\r
SF:\n")%r(HELP4STOMP,16,"-ERR\x20unknown\x20command\r\n")%r(Memcache,16,"-
SF:ERR\x20unknown\x20command\r\n")%r(firebird,16,"-ERR\x20unknown\x20comma
SF:nd\r\n")%r(pervasive-btrieve,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20
SF:unknown\x20command\r\n")%r(ajp,16,"-ERR\x20unknown\x20command\r\n")%r(h
SF:p-pjl,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command\r\n"
SF:)%r(SqueezeCenter_CLI,16,"-ERR\x20unknown\x20command\r\n")%r(dominocons
SF:ole,16,"-ERR\x20unknown\x20command\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6443-TCP:V=7.92%I=9%D=4/10%Time=69D897D3%P=x86_64-redhat-linux-gnu%
SF:r(SSLSessionReq,1E8,"<!DOCTYPE\x20HTML>\n<html\x20lang=\"en\">\n\x20\x2
SF:0\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20charset=\"utf
SF:-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>
SF:\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Messa
SF:ge:\x20Bad\x20request\x20syntax\x20\('\\x16\\x03\\x00\\x00S\\x01\\x00\\
SF:x00O\\x03\\x00\?G\xc3\x97\xc3\xb7\xc2\xba,\xc3\xae\xc3\xaa\xc2\xb2`~\xc
SF:3\xb3\\x00\xc3\xbd\\x82{\xc2\xb9\xc3\x95\\x96\xc3\x88w\\x9b\xc3\xa6\xc3
SF:\x84\xc3\x9b&lt;=\xc3\x9bo\xc3\xaf\\x10n\\x00\\x00\(\\x00\\x16\\x00\\x1
SF:3\\x00'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20ex
SF:planation:\x20400\x20-\x20Bad\x20request\x20syntax\x20or\x20unsupported
SF:\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>\n")%r(GetRequest,E0,
SF:"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nServer:\x20Werkzeug/3\.1\.8\x20Pyt
SF:hon/3\.11\.2\r\nDate:\x20Fri,\x2010\x20Apr\x202026\x2006:25:23\x20GMT\r
SF:\nContent-Type:\x20application/json\r\nContent-Length:\x2052\r\nConnect
SF:ion:\x20close\r\n\r\n{\"kind\":\x20\"Status\",\x20\"status\":\x20\"Fail
SF:ure\",\x20\"code\":\x20404}")%r(HTTPOptions,C7,"HTTP/1\.1\x20200\x20OK\
SF:r\nServer:\x20Werkzeug/3\.1\.8\x20Python/3\.11\.2\r\nDate:\x20Fri,\x201
SF:0\x20Apr\x202026\x2006:25:23\x20GMT\r\nContent-Type:\x20text/html;\x20c
SF:harset=utf-8\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS\r\nContent-Length:\x
SF:200\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,16C,"<!DOCTYPE\x20H
SF:TML>\n<html\x20lang=\"en\">\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x
SF:20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20<title>Error\x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20
SF:\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</
SF:h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Bad\x20request\x20version\x2
SF:0\('RTSP/1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20cod
SF:e\x20explanation:\x20400\x20-\x20Bad\x20request\x20syntax\x20or\x20unsu
SF:pported\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9200-TCP:V=7.92%I=9%D=4/10%Time=69D897D3%P=x86_64-redhat-linux-gnu%
SF:r(GetRequest,293,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20elasticsearch\x2
SF:0\r\nDate:\x20Fri,\x2010\x20Apr\x202026\x2006:25:23\x20GMT\r\nContent-T
SF:ype:\x20application/json;\x20charset=UTF-8\r\nContent-Length:\x20477\r\
SF:nX-elastic-product:\x20Elasticsearch\r\n\r\n{\"name\":\x20\"omega-decky
SF:\",\x20\"cluster_name\":\x20\"elasticsearch\",\x20\"cluster_uuid\":\x20
SF:\"xC3Pr9abTq2mNkOeLvXwYA\",\x20\"version\":\x20{\"number\":\x20\"7\.17\
SF:.9\",\x20\"build_flavor\":\x20\"default\",\x20\"build_type\":\x20\"dock
SF:er\",\x20\"build_hash\":\x20\"ef48222227ee6b9e70e502f0f0daa52435ee634d\
SF:",\x20\"build_date\":\x20\"2023-01-31T05:34:43\.305517834Z\",\x20\"buil
SF:d_snapshot\":\x20false,\x20\"lucene_version\":\x20\"8\.11\.1\",\x20\"mi
SF:nimum_wire_compatibility_version\":\x20\"6\.8\.0\",\x20\"minimum_index_
SF:compatibility_version\":\x20\"6\.0\.0-beta1\"},\x20\"tagline\":\x20\"Yo
SF:u\x20Know,\x20for\x20Search\"}")%r(HTTPOptions,223,"HTTP/1\.0\x20501\x2
SF:0Unsupported\x20method\x20\('OPTIONS'\)\r\nServer:\x20elasticsearch\x20
SF:\r\nDate:\x20Fri,\x2010\x20Apr\x202026\x2006:25:23\x20GMT\r\nConnection
SF::\x20close\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Lengt
SF:h:\x20360\r\n\r\n<!DOCTYPE\x20HTML>\n<html\x20lang=\"en\">\n\x20\x20\x2
SF:0\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20charset=\"utf-8\"
SF:>\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x
SF:20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>
SF:Error\x20code:\x20501</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\
SF:x20Unsupported\x20method\x20\('OPTIONS'\)\.</p>\n\x20\x20\x20\x20\x20\x
SF:20\x20\x20<p>Error\x20code\x20explanation:\x20501\x20-\x20Server\x20doe
SF:s\x20not\x20support\x20this\x20operation\.</p>\n\x20\x20\x20\x20</body>
SF:\n</html>\n")%r(RTSPRequest,16C,"<!DOCTYPE\x20HTML>\n<html\x20lang=\"en
SF:\">\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20c
SF:harset=\"utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\x20resp
SF:onse</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20<p>Message:\x20Bad\x20request\x20version\x20\('RTSP/1\.0'\)\.</p>\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20explanation:\x20400
SF:\x20-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\
SF:n\x20\x20\x20\x20</body>\n</html>\n");
MAC Address: F2:5F:2F:EE:5B:96 (Unknown)
Service Info: Hosts: omega-decky, omega-decky
Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| smb2-time:
| date: 2026-04-10T06:33:53
|_ start_date: 2026-04-10T06:33:53
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.0.2:
|_ Message signing enabled but not required
|_clock-skew: mean: -77663d15h16m57s, deviation: 109832d23h14m31s, median: -155327d06h33m54s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 784.93 seconds
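Review bot: This scan output records several places where the emulated banner and the backend disagree, which makes the decoy services easy to tell apart from the products they imitate. Port 80 is identified as `Apache httpd 2.4.54` while `http-server-header` reports `Werkzeug/3.1.8 Python/3.11.2`; ports 2375 and 6443 return the same Werkzeug `Server:` header, and port 9200 answers `Server: elasticsearch` but falls back to the stock Python `Error response` page for OPTIONS. Each service should set its own `Server` header and error bodies to match the product it imitates, so the decoys do not share one backend fingerprint. Separately, the file includes the lab host's MAC address and hostnames; consider keeping raw scan output out of the repository and recording only the findings.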

549
postpostfixnmap.txt Normal file

@@ -0,0 +1,549 @@
# Nmap 7.92 scan initiated Sat Apr 11 04:21:11 2026 as: nmap -A -O -p- -sV -sC --version-intensity 9 -oN postpostfixnmap.txt 192.168.1.200,201
Nmap scan report for 192.168.1.200
Host is up (0.000031s latency).
Not shown: 65510 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd (before 2.0.8) or WU-FTPD
23/tcp open telnet?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, DistCCD, JavaRMI, LANDesk-RC, LDAPBindReq, NULL, NotesRPC, RPCCheck, Radmin, TLSSessionReq, TerminalServer, WMSRequest, X11Probe, mydoom, tn3270:
| login:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, LDAPSearchReq, RTSPRequest:
| login:
| Password:
| Login incorrect
| login:
| Hello, Help, Kerberos, LPDString, NessusTPv10, NessusTPv11, NessusTPv12, SSLSessionReq, SSLv23SessionReq, TerminalServerCookie, Verifier, VerifierAdvanced, WWWOFFLEctrlstat:
| login:
| Password:
| SIPOptions:
| login:
| Password:
| Login incorrect
| login: Password:
| Login incorrect
| login: Password:
| Login incorrect
| login: Password:
| Login incorrect
| login: Password:
| Login incorrect
|_ login: Password:
25/tcp open smtp Postfix smtpd
|_smtp-commands: omega-decky, PIPELINING, SIZE 10240000, VRFY, ETRN, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.4.54
|_http-server-header: Werkzeug/3.1.8 Python/3.11.2
|_http-title: 403 Forbidden
110/tcp open pop3
|_pop3-capabilities: TOP AUTH-RESP-CODE SASL RESP-CODES UIDL USER
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, NULL, RPCCheck, SMBProgNeg, X11Probe:
| +OK omega-decky Dovecot POP3 ready.
| FourOhFourRequest, GetRequest, HTTPOptions, Hello, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie:
| +OK omega-decky Dovecot POP3 ready.
| -ERR Command not recognized
| LDAPSearchReq:
| +OK omega-decky Dovecot POP3 ready.
| -ERR Command not recognized
|_ -ERR Command not recognized
143/tcp open imap Dovecot imapd
|_imap-capabilities: ENABLE LOGIN-REFERRALS ID completed SASL-IR CAPABILITY AUTH=PLAIN AUTH=LOGINA0001 IDLE OK LITERAL+ IMAP4rev1
389/tcp open ldap Cisco LDAP server
445/tcp open microsoft-ds
| fingerprint-strings:
| SMBProgNeg:
| SMBr
|_ "3DUfw
502/tcp open mbap?
1433/tcp open ms-sql-s?
1883/tcp open mqtt
| mqtt-subscribe:
| Topics and their most recent payloads:
| plant/alarm/pump_fault: 0
| plant/water/tank1/pressure: 2.65
| plant/alarm/high_pressure: 0
| plant/$SYS/broker/version: Mosquitto 2.0.15
| plant/alarm/low_chlorine: 0
| plant/water/valve/inlet/state: OPEN
| plant/water/chlorine/residual: 0.7
| plant/water/pump1/status: RUNNING
| plant/water/pump2/status: STANDBY
| plant/water/valve/drain/state: CLOSED
| plant/water/pump1/rpm: 1432
| plant/water/tank1/level: 77.9
| plant/water/chlorine/dosing: 1.2
|_ plant/$SYS/broker/uptime: 2847392
2121/tcp open ccproxy-ftp?
| fingerprint-strings:
| GenericLines:
| 200 FTP server ready.
| Command '
| understood
| NULL:
|_ 200 FTP server ready.
2375/tcp open docker Docker 24.0.5
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/3.1.8 Python/3.11.2
| Date: Sat, 11 Apr 2026 08:21:18 GMT
| Content-Type: application/json
| Content-Length: 46
| Connection: close
| {"message": "page not found", "response": 404}
| HTTPOptions:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.1.8 Python/3.11.2
| Date: Sat, 11 Apr 2026 08:21:18 GMT
| Content-Type: text/html; charset=utf-8
| Allow: HEAD, GET, OPTIONS
| Content-Length: 0
| Connection: close
| Hello:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('EHLO').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
| </html>
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
| </html>
| docker:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.1.8 Python/3.11.2
| Date: Sat, 11 Apr 2026 08:21:18 GMT
| Content-Type: application/json
| Content-Length: 187
| Connection: close
|_ {"Version": "24.0.5", "ApiVersion": "1.43", "MinAPIVersion": "1.12", "GitCommit": "ced0996", "GoVersion": "go1.20.6", "Os": "linux", "Arch": "amd64", "KernelVersion": "5.15.0-76-generic"}
| docker-version:
| GitCommit: ced0996
| GoVersion: go1.20.6
| KernelVersion: 5.15.0-76-generic
| Version: 24.0.5
| Arch: amd64
| MinAPIVersion: 1.12
| ApiVersion: 1.43
|_ Os: linux
3306/tcp open mysql MySQL 5.7.38-log
| mysql-info:
| Protocol: 10
| Version: 5.7.38-log
| Thread ID: 1
| Capabilities flags: 63487
| Some Capabilities: LongPassword, LongColumnFlag, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, InteractiveClient, Speaks41ProtocolOld, SupportsCompression, Speaks41ProtocolNew, IgnoreSigpipes, DontAllowDatabaseTableColumn, SupportsTransactions, Support41Auth, ODBCClient, ConnectWithDatabase, FoundRows, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: pv!magic!O}%>UM|gu^1
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server xrdp
5060/tcp open sip (SIP end point; Status: 401 Unauthorized)
| fingerprint-strings:
| HTTPOptions:
| SIP/2.0 401 Unauthorized
| Via:
| From:
| Call-ID:
| CSeq:
| WWW-Authenticate: Digest realm="omega-decky", nonce="39b4807e4f2565a7", algorithm=MD5
| Content-Length: 0
| RTSPRequest:
| SIP/2.0 401 Unauthorized
| Via:
| From:
| Call-ID:
| CSeq:
| WWW-Authenticate: Digest realm="omega-decky", nonce="73b517049d1e9586", algorithm=MD5
| Content-Length: 0
| SIPOptions:
| SIP/2.0 401 Unauthorized
| Via: SIP/2.0/TCP nm;branch=foo
| From: <sip:nm@nm>;tag=root
| <sip:nm2@nm2>
| Call-ID: 50000
| CSeq: 42 OPTIONS
| WWW-Authenticate: Digest realm="omega-decky", nonce="4895a904f454dcfb", algorithm=MD5
|_ Content-Length: 0
5432/tcp open postgresql?
5900/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
|_ VNC Authentication (2)
6379/tcp open redis?
| fingerprint-strings:
| HELP4STOMP, HTTPOptions, Hello, Help, Kerberos, LPDString, Memcache, NessusTPv10, NessusTPv11, NessusTPv12, RTSPRequest, SSLSessionReq, SSLv23SessionReq, Socks5, SqueezeCenter_CLI, TLSSessionReq, TerminalServerCookie, Verifier, VerifierAdvanced, WWWOFFLEctrlstat, ajp, dominoconsole, firebird:
| -ERR unknown command
| LDAPSearchReq, hp-pjl, pervasive-btrieve:
| -ERR unknown command
| -ERR unknown command
| SIPOptions:
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| -ERR unknown command
| redis-server:
| $150
| Server
| redis_version:7.2.7
| redis_mode:standalone
| os:Linux 5.15.0
| arch_bits:64
| tcp_port:6379
| uptime_in_seconds:864000
| connected_clients:1
|_ Keyspace
6443/tcp open sun-sr-https?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/3.1.8 Python/3.11.2
| Date: Sat, 11 Apr 2026 08:21:18 GMT
| Content-Type: application/json
| Content-Length: 52
| Connection: close
| {"kind": "Status", "status": "Failure", "code": 404}
| HTTPOptions:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.1.8 Python/3.11.2
| Date: Sat, 11 Apr 2026 08:21:18 GMT
| Content-Type: text/html; charset=utf-8
| Allow: HEAD, GET, OPTIONS
| Content-Length: 0
| Connection: close
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
| </html>
| SSLSessionReq:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('
| &lt;=
| ').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
8800/tcp open sunwebadmin?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 302 Found
| Date: Sat, 11 Apr 2026 08:17:44 GMT
| Content-Type: text/html
| Location: /index.html
| Content-Length: 0
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Sat, 11 Apr 2026 08:17:44 GMT
| Allow: GET,HEAD,POST,OPTIONS,TRACE
| Content-Length: 0
| Connection: close
|_ Content-Type: text/html
9200/tcp open wap-wsp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Server: elasticsearch
| Date: Sat, 11 Apr 2026 08:21:18 GMT
| Content-Type: application/json; charset=UTF-8
| Content-Length: 477
| X-elastic-product: Elasticsearch
| {"name": "omega-decky", "cluster_name": "elasticsearch", "cluster_uuid": "xC3Pr9abTq2mNkOeLvXwYA", "version": {"number": "7.17.9", "build_flavor": "default", "build_type": "docker", "build_hash": "ef48222227ee6b9e70e502f0f0daa52435ee634d", "build_date": "2023-01-31T05:34:43.305517834Z", "build_snapshot": false, "lucene_version": "8.11.1", "minimum_wire_compatibility_version": "6.8.0", "minimum_index_compatibility_version": "6.0.0-beta1"}, "tagline": "You Know, for Search"}
| HTTPOptions:
| HTTP/1.0 501 Unsupported method ('OPTIONS')
| Server: elasticsearch
| Date: Sat, 11 Apr 2026 08:21:18 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
| Content-Length: 360
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 501</p>
| <p>Message: Unsupported method ('OPTIONS').</p>
| <p>Error code explanation: 501 - Server does not support this operation.</p>
| </body>
| </html>
| RTSPRequest:
| <!DOCTYPE HTML>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
10201/tcp open rsms?
27017/tcp open mongod?
|_mongodb-info: ERROR: Script execution failed (use -d to debug)
|_mongodb-databases: ERROR: Script execution failed (use -d to debug)
44818/tcp open EtherNetIP-2?
9 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port23-TCP:V=7.92%I=9%D=4/11%Time=69DA047E%P=x86_64-redhat-linux-gnu%r(
SF:NULL,7,"login:\x20")%r(GenericLines,2C,"login:\x20\xff\xfb\x01Password:
SF:\x20\nLogin\x20incorrect\nlogin:\x20")%r(tn3270,16,"login:\x20\xff\xfe\
SF:x18\xff\xfe\x19\xff\xfc\x19\xff\xfe\0\xff\xfc\0")%r(GetRequest,2C,"logi
SF:n:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(HTT
SF:POptions,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nl
SF:ogin:\x20")%r(RTSPRequest,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogi
SF:n\x20incorrect\nlogin:\x20")%r(RPCCheck,7,"login:\x20")%r(DNSVersionBin
SF:dReqTCP,7,"login:\x20")%r(DNSStatusRequestTCP,7,"login:\x20")%r(Hello,1
SF:4,"login:\x20\xff\xfb\x01Password:\x20")%r(Help,14,"login:\x20\xff\xfb\
SF:x01Password:\x20")%r(SSLSessionReq,14,"login:\x20\xff\xfb\x01Password:\
SF:x20")%r(TerminalServerCookie,14,"login:\x20\xff\xfb\x01Password:\x20")%
SF:r(TLSSessionReq,7,"login:\x20")%r(SSLv23SessionReq,14,"login:\x20\xff\x
SF:fb\x01Password:\x20")%r(Kerberos,14,"login:\x20\xff\xfb\x01Password:\x2
SF:0")%r(X11Probe,7,"login:\x20")%r(FourOhFourRequest,2C,"login:\x20\xff\x
SF:fb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(LPDString,14,"l
SF:ogin:\x20\xff\xfb\x01Password:\x20")%r(LDAPSearchReq,2C,"login:\x20\xff
SF:\xfb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(LDAPBindReq,7
SF:,"login:\x20")%r(SIPOptions,BE,"login:\x20\xff\xfb\x01Password:\x20\nLo
SF:gin\x20incorrect\nlogin:\x20Password:\x20\nLogin\x20incorrect\nlogin:\x
SF:20Password:\x20\nLogin\x20incorrect\nlogin:\x20Password:\x20\nLogin\x20
SF:incorrect\nlogin:\x20Password:\x20\nLogin\x20incorrect\nlogin:\x20Passw
SF:ord:\x20")%r(LANDesk-RC,7,"login:\x20")%r(TerminalServer,7,"login:\x20"
SF:)%r(NotesRPC,7,"login:\x20")%r(DistCCD,7,"login:\x20")%r(JavaRMI,7,"log
SF:in:\x20")%r(Radmin,7,"login:\x20")%r(NessusTPv12,14,"login:\x20\xff\xfb
SF:\x01Password:\x20")%r(NessusTPv11,14,"login:\x20\xff\xfb\x01Password:\x
SF:20")%r(NessusTPv10,14,"login:\x20\xff\xfb\x01Password:\x20")%r(WMSReque
SF:st,7,"login:\x20")%r(mydoom,7,"login:\x20")%r(WWWOFFLEctrlstat,14,"logi
SF:n:\x20\xff\xfb\x01Password:\x20")%r(Verifier,14,"login:\x20\xff\xfb\x01
SF:Password:\x20")%r(VerifierAdvanced,14,"login:\x20\xff\xfb\x01Password:\
SF:x20");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port110-TCP:V=7.92%I=9%D=4/11%Time=69DA047E%P=x86_64-redhat-linux-gnu%r
SF:(NULL,25,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n")%r(Gen
SF:ericLines,25,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n")%r
SF:(GetRequest,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n-E
SF:RR\x20Command\x20not\x20recognized\r\n")%r(HTTPOptions,42,"\+OK\x20omeg
SF:a-decky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\x20not\x20reco
SF:gnized\r\n")%r(RTSPRequest,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x
SF:20ready\.\r\n-ERR\x20Command\x20not\x20recognized\r\n")%r(RPCCheck,25,"
SF:\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n")%r(DNSVersionBin
SF:dReqTCP,25,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n")%r(D
SF:NSStatusRequestTCP,25,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\
SF:.\r\n")%r(Hello,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r
SF:\n-ERR\x20Command\x20not\x20recognized\r\n")%r(Help,42,"\+OK\x20omega-d
SF:ecky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\x20not\x20recogni
SF:zed\r\n")%r(SSLSessionReq,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x2
SF:0ready\.\r\n-ERR\x20Command\x20not\x20recognized\r\n")%r(TerminalServer
SF:Cookie,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x2
SF:0Command\x20not\x20recognized\r\n")%r(TLSSessionReq,42,"\+OK\x20omega-d
SF:ecky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\x20not\x20recogni
SF:zed\r\n")%r(SSLv23SessionReq,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3
SF:\x20ready\.\r\n-ERR\x20Command\x20not\x20recognized\r\n")%r(Kerberos,42
SF:,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\
SF:x20not\x20recognized\r\n")%r(SMBProgNeg,25,"\+OK\x20omega-decky\x20Dove
SF:cot\x20POP3\x20ready\.\r\n")%r(X11Probe,25,"\+OK\x20omega-decky\x20Dove
SF:cot\x20POP3\x20ready\.\r\n")%r(FourOhFourRequest,42,"\+OK\x20omega-deck
SF:y\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\x20not\x20recognized
SF:\r\n")%r(LPDString,42,"\+OK\x20omega-decky\x20Dovecot\x20POP3\x20ready\
SF:.\r\n-ERR\x20Command\x20not\x20recognized\r\n")%r(LDAPSearchReq,5F,"\+O
SF:K\x20omega-decky\x20Dovecot\x20POP3\x20ready\.\r\n-ERR\x20Command\x20no
SF:t\x20recognized\r\n-ERR\x20Command\x20not\x20recognized\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port445-TCP:V=7.92%I=9%D=4/11%Time=69DA0483%P=x86_64-redhat-linux-gnu%r
SF:(SMBProgNeg,51,"\0\0\0M\xffSMBr\0\0\0\0\x80\0\xc0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0@\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\xfa\0\0\0\0\x01\0\0\0
SF:\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\x08\x08\0\x11\"3DUfw\x88");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1433-TCP:V=7.92%I=9%D=4/11%Time=69DA0483%P=x86_64-redhat-linux-gnu%
SF:r(ms-sql-s,2F,"\x04\x01\0/\0\0\x01\0\0\0\x1a\0\x06\x01\0\x20\0\x01\x02\
SF:0!\0\x01\x03\0\"\0\x04\x04\0&\0\x01\xff\x0e\0\x07\xd0\0\0\x02\0\0\0\0\0
SF:\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2121-TCP:V=7.92%I=9%D=4/11%Time=69DA047E%P=x86_64-redhat-linux-gnu%
SF:r(NULL,17,"200\x20FTP\x20server\x20ready\.\r\n")%r(GenericLines,3A,"200
SF:\x20FTP\x20server\x20ready\.\r\n500\x20Command\x20'\\r\\n'\x20not\x20un
SF:derstood\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5060-TCP:V=7.92%I=9%D=4/11%Time=69DA048A%P=x86_64-redhat-linux-gnu%
SF:r(SIPOptions,F7,"SIP/2\.0\x20401\x20Unauthorized\r\nVia:\x20SIP/2\.0/TC
SF:P\x20nm;branch=foo\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@
SF:nm2>\r\nCall-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nWWW-Authenticate
SF::\x20Digest\x20realm=\"omega-decky\",\x20nonce=\"4895a904f454dcfb\",\x2
SF:0algorithm=MD5\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,AE,"SIP/
SF:2\.0\x20401\x20Unauthorized\r\nVia:\x20\r\nFrom:\x20\r\nTo:\x20\r\nCall
SF:-ID:\x20\r\nCSeq:\x20\r\nWWW-Authenticate:\x20Digest\x20realm=\"omega-d
SF:ecky\",\x20nonce=\"39b4807e4f2565a7\",\x20algorithm=MD5\r\nContent-Leng
SF:th:\x200\r\n\r\n")%r(RTSPRequest,AE,"SIP/2\.0\x20401\x20Unauthorized\r\
SF:nVia:\x20\r\nFrom:\x20\r\nTo:\x20\r\nCall-ID:\x20\r\nCSeq:\x20\r\nWWW-A
SF:uthenticate:\x20Digest\x20realm=\"omega-decky\",\x20nonce=\"73b517049d1
SF:e9586\",\x20algorithm=MD5\r\nContent-Length:\x200\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5432-TCP:V=7.92%I=9%D=4/11%Time=69DA048D%P=x86_64-redhat-linux-gnu%
SF:r(SMBProgNeg,D,"R\0\0\0\x0c\0\0\0\x059=\xdb\x16")%r(Kerberos,D,"R\0\0\0
SF:\x0c\0\0\0\x05\xae>;\xd5")%r(ZendJavaBridge,D,"R\0\0\0\x0c\0\0\0\x05\x8
SF:3l\x7f\x8c");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6379-TCP:V=7.92%I=9%D=4/11%Time=69DA0483%P=x86_64-redhat-linux-gnu%
SF:r(redis-server,9E,"\$150\r\n#\x20Server\nredis_version:7\.2\.7\nredis_m
SF:ode:standalone\nos:Linux\x205\.15\.0\narch_bits:64\ntcp_port:6379\nupti
SF:me_in_seconds:864000\nconnected_clients:1\n#\x20Keyspace\n\r\n")%r(GetR
SF:equest,5,"\$-1\r\n")%r(HTTPOptions,16,"-ERR\x20unknown\x20command\r\n")
SF:%r(RTSPRequest,16,"-ERR\x20unknown\x20command\r\n")%r(Hello,16,"-ERR\x2
SF:0unknown\x20command\r\n")%r(Help,16,"-ERR\x20unknown\x20command\r\n")%r
SF:(SSLSessionReq,16,"-ERR\x20unknown\x20command\r\n")%r(TerminalServerCoo
SF:kie,16,"-ERR\x20unknown\x20command\r\n")%r(TLSSessionReq,16,"-ERR\x20un
SF:known\x20command\r\n")%r(SSLv23SessionReq,16,"-ERR\x20unknown\x20comman
SF:d\r\n")%r(Kerberos,16,"-ERR\x20unknown\x20command\r\n")%r(FourOhFourReq
SF:uest,5,"\$-1\r\n")%r(LPDString,16,"-ERR\x20unknown\x20command\r\n")%r(L
SF:DAPSearchReq,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20comma
SF:nd\r\n")%r(SIPOptions,DC,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown
SF:\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command
SF:\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x2
SF:0unknown\x20command\r\n-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x2
SF:0command\r\n-ERR\x20unknown\x20command\r\n")%r(NessusTPv12,16,"-ERR\x20
SF:unknown\x20command\r\n")%r(NessusTPv11,16,"-ERR\x20unknown\x20command\r
SF:\n")%r(NessusTPv10,16,"-ERR\x20unknown\x20command\r\n")%r(WWWOFFLEctrls
SF:tat,16,"-ERR\x20unknown\x20command\r\n")%r(Verifier,16,"-ERR\x20unknown
SF:\x20command\r\n")%r(VerifierAdvanced,16,"-ERR\x20unknown\x20command\r\n
SF:")%r(Socks5,16,"-ERR\x20unknown\x20command\r\n")%r(OfficeScan,5,"\$-1\r
SF:\n")%r(HELP4STOMP,16,"-ERR\x20unknown\x20command\r\n")%r(Memcache,16,"-
SF:ERR\x20unknown\x20command\r\n")%r(firebird,16,"-ERR\x20unknown\x20comma
SF:nd\r\n")%r(pervasive-btrieve,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20
SF:unknown\x20command\r\n")%r(ajp,16,"-ERR\x20unknown\x20command\r\n")%r(h
SF:p-pjl,2C,"-ERR\x20unknown\x20command\r\n-ERR\x20unknown\x20command\r\n"
SF:)%r(SqueezeCenter_CLI,16,"-ERR\x20unknown\x20command\r\n")%r(dominocons
SF:ole,16,"-ERR\x20unknown\x20command\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6443-TCP:V=7.92%I=9%D=4/11%Time=69DA047E%P=x86_64-redhat-linux-gnu%
SF:r(SSLSessionReq,1E8,"<!DOCTYPE\x20HTML>\n<html\x20lang=\"en\">\n\x20\x2
SF:0\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20charset=\"utf
SF:-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>
SF:\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Messa
SF:ge:\x20Bad\x20request\x20syntax\x20\('\\x16\\x03\\x00\\x00S\\x01\\x00\\
SF:x00O\\x03\\x00\?G\xc3\x97\xc3\xb7\xc2\xba,\xc3\xae\xc3\xaa\xc2\xb2`~\xc
SF:3\xb3\\x00\xc3\xbd\\x82{\xc2\xb9\xc3\x95\\x96\xc3\x88w\\x9b\xc3\xa6\xc3
SF:\x84\xc3\x9b&lt;=\xc3\x9bo\xc3\xaf\\x10n\\x00\\x00\(\\x00\\x16\\x00\\x1
SF:3\\x00'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20ex
SF:planation:\x20400\x20-\x20Bad\x20request\x20syntax\x20or\x20unsupported
SF:\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>\n")%r(GetRequest,E0,
SF:"HTTP/1\.1\x20404\x20NOT\x20FOUND\r\nServer:\x20Werkzeug/3\.1\.8\x20Pyt
SF:hon/3\.11\.2\r\nDate:\x20Sat,\x2011\x20Apr\x202026\x2008:21:18\x20GMT\r
SF:\nContent-Type:\x20application/json\r\nContent-Length:\x2052\r\nConnect
SF:ion:\x20close\r\n\r\n{\"kind\":\x20\"Status\",\x20\"status\":\x20\"Fail
SF:ure\",\x20\"code\":\x20404}")%r(HTTPOptions,C7,"HTTP/1\.1\x20200\x20OK\
SF:r\nServer:\x20Werkzeug/3\.1\.8\x20Python/3\.11\.2\r\nDate:\x20Sat,\x201
SF:1\x20Apr\x202026\x2008:21:18\x20GMT\r\nContent-Type:\x20text/html;\x20c
SF:harset=utf-8\r\nAllow:\x20HEAD,\x20GET,\x20OPTIONS\r\nContent-Length:\x
SF:200\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,16C,"<!DOCTYPE\x20H
SF:TML>\n<html\x20lang=\"en\">\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x
SF:20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20<title>Error\x20response</title>\n\x20\x20\x20\x20</head>\n\x20\x20
SF:\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>Error\x20response</
SF:h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Bad\x20request\x20version\x2
SF:0\('RTSP/1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20cod
SF:e\x20explanation:\x20400\x20-\x20Bad\x20request\x20syntax\x20or\x20unsu
SF:pported\x20method\.</p>\n\x20\x20\x20\x20</body>\n</html>\n");
MAC Address: 5A:84:B9:11:A3:E8 (Unknown)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.3 - 5.4
Network Distance: 1 hop
Service Info: Hosts: omega-decky, omega-decky
Host script results:
| smb2-security-mode:
| 2.0.2:
|_ Message signing enabled but not required
|_clock-skew: mean: -77664d04h15m02s, deviation: 109833d17h34m55s, median: -155328d08h30m05s
| smb2-time:
| date: 2026-04-11T08:30:06
|_ start_date: 2026-04-11T08:30:06
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
TRACEROUTE
HOP RTT ADDRESS
1 0.03 ms 192.168.1.200
Nmap scan report for 192.168.1.201
Host is up (0.000037s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: relay-decky, PIPELINING, SIZE 10240000, VRFY, ETRN, AUTH PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
MAC Address: 0E:84:8E:09:6A:47 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=4/11%OT=25%CT=1%CU=38325%PV=Y%DS=1%DC=D%G=Y%M=0E848E%T
OS:M=69DA07BC%P=x86_64-redhat-linux-gnu)SEQ(SP=101%GCD=1%ISR=10F%TI=Z%CI=Z%
OS:TS=A)SEQ(SP=101%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M5B4ST11NWA%O2=
OS:M5B4ST11NWA%O3=M5B4NNT11NWA%O4=M5B4ST11NWA%O5=M5B4ST11NWA%O6=M5B4ST11)WI
OS:N(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FA
OS:F0%O=M5B4NNSNWA%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3
OS:(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%R
OS:IPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: Host: relay-decky
TRACEROUTE
HOP RTT ADDRESS
1 0.04 ms 192.168.1.201
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 11 04:35:08 2026 -- 2 IP addresses (2 hosts up) scanned in 836.75 seconds
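Review bot: This raw scan log is unrelated to the real_ssh → ssh consolidation the commit message describes, and the fidelity problems it records are not tracked anywhere. Port 80 is reported as `Apache httpd 2.4.54` while `http-server-header` returns `Werkzeug/3.1.8 Python/3.11.2`, and the same Werkzeug `Server` header shows up in the responses on 2375 and 6443, so the advertised product and the framework answering disagree. Prefer keeping scan artefacts out of the source tree and turning each mismatch into a test assertion on the service template, for example that the `Server` header matches the banner the decoy advertises.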


@@ -0,0 +1,89 @@
#!/usr/bin/env python3
"""
Shared RFC 5424 syslog helper for DECNET service templates.
Services call syslog_line() to format an RFC 5424 message, then
write_syslog_file() to emit it to stdout — Docker captures it, and the
host-side collector streams it into the log file.
RFC 5424 structure:
<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG
Facility: local0 (16), PEN for SD element ID: decnet@55555
"""
from datetime import datetime, timezone
from typing import Any
# ─── Constants ────────────────────────────────────────────────────────────────
_FACILITY_LOCAL0 = 16
_SD_ID = "decnet@55555"
_NILVALUE = "-"
SEVERITY_EMERG = 0
SEVERITY_ALERT = 1
SEVERITY_CRIT = 2
SEVERITY_ERROR = 3
SEVERITY_WARNING = 4
SEVERITY_NOTICE = 5
SEVERITY_INFO = 6
SEVERITY_DEBUG = 7
_MAX_HOSTNAME = 255
_MAX_APPNAME = 48
_MAX_MSGID = 32
# ─── Formatter ────────────────────────────────────────────────────────────────
def _sd_escape(value: str) -> str:
"""Escape SD-PARAM-VALUE per RFC 5424 §6.3.3."""
return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
def _sd_element(fields: dict[str, Any]) -> str:
if not fields:
return _NILVALUE
params = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in fields.items())
return f"[{_SD_ID} {params}]"
def syslog_line(
service: str,
hostname: str,
event_type: str,
severity: int = SEVERITY_INFO,
timestamp: datetime | None = None,
msg: str | None = None,
**fields: Any,
) -> str:
"""
Return a single RFC 5424-compliant syslog line (no trailing newline).
Args:
service: APP-NAME (e.g. "http", "mysql")
hostname: HOSTNAME (decky node name)
event_type: MSGID (e.g. "request", "login_attempt")
severity: Syslog severity integer (default: INFO=6)
timestamp: UTC datetime; defaults to now
msg: Optional free-text MSG
**fields: Encoded as structured data params
"""
pri = f"<{_FACILITY_LOCAL0 * 8 + severity}>"
ts = (timestamp or datetime.now(timezone.utc)).isoformat()
host = (hostname or _NILVALUE)[:_MAX_HOSTNAME]
appname = (service or _NILVALUE)[:_MAX_APPNAME]
msgid = (event_type or _NILVALUE)[:_MAX_MSGID]
sd = _sd_element(fields)
message = f" {msg}" if msg else ""
return f"{pri}1 {ts} {host} {appname} {_NILVALUE} {msgid} {sd}{message}"
def write_syslog_file(line: str) -> None:
"""Emit a syslog line to stdout for Docker log capture."""
print(line, flush=True)
def forward_syslog(line: str, log_target: str) -> None:
"""No-op stub. TCP forwarding is now handled by rsyslog, not by service containers."""
pass
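Review bot: `_sd_escape` neutralises only `\`, `"` and `]`, and `syslog_line` appends `msg` untouched, so a CR or LF inside a field value or the message reaches `print()` in `write_syslog_file` and splits one event into several stdout lines. If decoy services pass client-supplied strings (usernames, paths, commands) into `**fields` or `msg` — not visible in this hunk, but likely for a honeypot logger — a remote client can forge complete log records for the collector. Extend the chain in `_sd_escape` with `.replace("\r", "\\r").replace("\n", "\\n")` after the backslash replacement, and apply the same replacement to `msg` before it is appended. `severity` is also used unchecked in `_FACILITY_LOCAL0 * 8 + severity`, so a value outside 0–7 silently changes the facility; a range check there would be cheap. The identical copy of this file added in the next section has the same gaps.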


@@ -0,0 +1,89 @@
#!/usr/bin/env python3
"""
Shared RFC 5424 syslog helper for DECNET service templates.
Services call syslog_line() to format an RFC 5424 message, then
write_syslog_file() to emit it to stdout — Docker captures it, and the
host-side collector streams it into the log file.
RFC 5424 structure:
<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT] MSG
Facility: local0 (16), PEN for SD element ID: decnet@55555
"""
from datetime import datetime, timezone
from typing import Any
# ─── Constants ────────────────────────────────────────────────────────────────
_FACILITY_LOCAL0 = 16
_SD_ID = "decnet@55555"
_NILVALUE = "-"
SEVERITY_EMERG = 0
SEVERITY_ALERT = 1
SEVERITY_CRIT = 2
SEVERITY_ERROR = 3
SEVERITY_WARNING = 4
SEVERITY_NOTICE = 5
SEVERITY_INFO = 6
SEVERITY_DEBUG = 7
_MAX_HOSTNAME = 255
_MAX_APPNAME = 48
_MAX_MSGID = 32
# ─── Formatter ────────────────────────────────────────────────────────────────
def _sd_escape(value: str) -> str:
"""Escape SD-PARAM-VALUE per RFC 5424 §6.3.3."""
return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")
def _sd_element(fields: dict[str, Any]) -> str:
if not fields:
return _NILVALUE
params = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in fields.items())
return f"[{_SD_ID} {params}]"
def syslog_line(
service: str,
hostname: str,
event_type: str,
severity: int = SEVERITY_INFO,
timestamp: datetime | None = None,
msg: str | None = None,
**fields: Any,
) -> str:
"""
Return a single RFC 5424-compliant syslog line (no trailing newline).
Args:
service: APP-NAME (e.g. "http", "mysql")
hostname: HOSTNAME (decky node name)
event_type: MSGID (e.g. "request", "login_attempt")
severity: Syslog severity integer (default: INFO=6)
timestamp: UTC datetime; defaults to now
msg: Optional free-text MSG
**fields: Encoded as structured data params
"""
pri = f"<{_FACILITY_LOCAL0 * 8 + severity}>"
ts = (timestamp or datetime.now(timezone.utc)).isoformat()
host = (hostname or _NILVALUE)[:_MAX_HOSTNAME]
appname = (service or _NILVALUE)[:_MAX_APPNAME]
msgid = (event_type or _NILVALUE)[:_MAX_MSGID]
sd = _sd_element(fields)
message = f" {msg}" if msg else ""
return f"{pri}1 {ts} {host} {appname} {_NILVALUE} {msgid} {sd}{message}"
def write_syslog_file(line: str) -> None:
"""Emit a syslog line to stdout for Docker log capture."""
print(line, flush=True)
def forward_syslog(line: str, log_target: str) -> None:
"""No-op stub. TCP forwarding is now handled by rsyslog, not by service containers."""
pass


@@ -0,0 +1,62 @@
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,admin
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:admin
floppy:x:25:
tape:x:26:
sudo:x:27:admin
audio:x:29:
dip:x:30:admin
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:admin
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
crontab:x:104:
messagebus:x:105:
systemd-timesync:x:106:
input:x:107:
sgx:x:108:
kvm:x:109:
render:x:110:
syslog:x:110:
tss:x:111:
uuidd:x:112:
tcpdump:x:113:
ssl-cert:x:114:
landscape:x:115:
fwupd-refresh:x:116:
usbmux:x:46:
lxd:x:117:admin
systemd-coredump:x:999:
mysql:x:119:
netdev:x:120:admin
admin:x:1000:
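Review bot: Two group IDs are assigned twice in this file: `render:x:110:` and `syslog:x:110:` both use 110, and `plugdev:x:46:admin` and `usbmux:x:46:` both use 46. `groupadd` refuses duplicate GIDs unless told otherwise, so a stock install would not look like this, and the collision is an inconsistency anyone reading the file inside the decoy can spot. Since the passwd template in this commit already gives usbmux primary gid 46 and syslog gid 110, drop the `usbmux` group line and give `render` an id that is unused here, e.g. `render:x:118:`.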


@@ -0,0 +1 @@
NODE_NAME


@@ -0,0 +1,5 @@
127.0.0.1 localhost
127.0.1.1 NODE_NAME
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


@@ -0,0 +1,2 @@
Ubuntu 22.04.3 LTS \n \l


@@ -0,0 +1 @@
Ubuntu 22.04.3 LTS


@@ -0,0 +1,26 @@
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Jan 15 09:12:44 UTC 2024
System load: 0.08 Processes: 142
Usage of /: 34.2% of 49.10GB Users logged in: 0
Memory usage: 22% IPv4 address for eth0: 10.0.1.5
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for K8s security.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
Last login: Sun Jan 14 23:45:01 2024 from 10.0.0.1
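Review bot: The banner hard-codes `IPv4 address for eth0: 10.0.1.5`, a fixed `System information as of Mon Jan 15 09:12:44 UTC 2024` stamp and a `Last login: ... from 10.0.0.1` line, whereas the hostname and hosts templates in this commit use the `NODE_NAME` placeholder. Unless something outside this hunk rewrites the file at container start, every decky shows the same address and timestamps regardless of its real interface and clock, which is trivially checked against the live system from inside a session. Consider substituting these values the same way `NODE_NAME` is substituted, or generating the file at start-up.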


@@ -0,0 +1,12 @@
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy


@@ -0,0 +1,36 @@
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
admin:x:1000:1000:Admin User,,,:/home/admin:/bin/bash


@@ -0,0 +1,4 @@
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 8.8.8.8
nameserver 8.8.4.4
search company.internal


@@ -0,0 +1,36 @@
root:$6$rounds=4096$randomsalt$hashed_root_password:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
sys:*:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
games:*:19000:0:99999:7:::
man:*:19000:0:99999:7:::
lp:*:19000:0:99999:7:::
mail:*:19000:0:99999:7:::
news:*:19000:0:99999:7:::
uucp:*:19000:0:99999:7:::
proxy:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
list:*:19000:0:99999:7:::
irc:*:19000:0:99999:7:::
gnats:*:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
systemd-network:*:19000:0:99999:7:::
systemd-resolve:*:19000:0:99999:7:::
messagebus:*:19000:0:99999:7:::
systemd-timesync:*:19000:0:99999:7:::
syslog:*:19000:0:99999:7:::
_apt:*:19000:0:99999:7:::
tss:*:19000:0:99999:7:::
uuidd:*:19000:0:99999:7:::
tcpdump:*:19000:0:99999:7:::
landscape:*:19000:0:99999:7:::
pollinate:*:19000:0:99999:7:::
fwupd-refresh:*:19000:0:99999:7:::
usbmux:*:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
systemd-coredump:!!:19000::::::
lxd:!:19000::::::
mysql:!:19000:0:99999:7:::
admin:$6$rounds=4096$xyz123$hashed_admin_password:19000:0:99999:7:::
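Review bot: The password fields for `root` and `admin` are placeholders rather than crypt(3) output: `hashed_root_password` and `hashed_admin_password` contain `_`, which is outside the crypt base-64 alphabet, and are far shorter than a SHA-512 digest. Whether this file is installed as the live `/etc/shadow` or only served as decoy content is not visible here. In the first case neither account can authenticate against these entries unless the entrypoint rewrites them, and in the second the file stops working as a lure once it is read. I would fill the field at image build time with the hash of a throwaway password (for example from `openssl passwd -6`) that is used nowhere else. The same placeholder problem applies to the key blobs in the authorized_keys file and the `SHA256:xAmPlEkEyHaSh...` fingerprint in the seeded auth log.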


@@ -0,0 +1,14 @@
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
[production]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
region = us-east-1
[backup-role]
aws_access_key_id = AKIAIOSFODNN7BACKUP1
aws_secret_access_key = 9drTJvcXLB89EXAMPLEKEY/bPxRfiCYBACKUPKEY
region = eu-west-2
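Review bot: These decoy credentials carry no detection value as written: `AKIAIOSFODNN7EXAMPLE` / `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` are the sample pair from AWS's own documentation, and the other two profiles follow the same `EXAMPLE`/`BACKUP` pattern, so nothing is recorded if someone copies them out and tries them. If the intent is a lure, I would have the build inject honeytoken keys issued from an account you control, with no permissions attached and an alert on any use, instead of committing literal values to the template. The same goes for the `-pSup3rS3cr3t!` database password in the shell-history file below: it is only useful if a login with that value raises an alert, and it must not match any credential in real use.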


@@ -0,0 +1,33 @@
ls -la
cd /var/www/html
git status
git pull origin main
sudo systemctl restart nginx
sudo systemctl status nginx
df -h
free -m
top
ps aux | grep nginx
aws s3 ls
aws s3 ls s3://company-prod-backups
aws s3 cp /var/www/html/backup.tar.gz s3://company-prod-backups/
aws ec2 describe-instances --region us-east-1
kubectl get pods -n production
kubectl get services -n production
kubectl describe pod api-deployment-7d4b9c5f6-xk2pz -n production
docker ps
docker images
docker-compose up -d
mysql -u admin -pSup3rS3cr3t! -h 10.0.1.5 production
cat /etc/mysql/my.cnf
tail -f /var/log/nginx/access.log
tail -f /var/log/auth.log
ssh root@10.0.1.10
scp admin@10.0.1.20:/home/admin/.aws/credentials /tmp/
cat ~/.aws/credentials
vim ~/.aws/credentials
sudo crontab -l
ls /opt/app/
cd /opt/app && npm run build
git log --oneline -20
history


@@ -0,0 +1,2 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekeyforadminuser+xamplekey admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbackupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline+backupkeyfordeploymentpipeline deploy@ci-runner


@@ -0,0 +1,22 @@
whoami
id
uname -a
cat /etc/passwd
cat /etc/shadow
ls /home
ls /home/admin
cat /home/admin/.bash_history
cat /home/admin/.aws/credentials
find / -name "*.pem" 2>/dev/null
find / -name "id_rsa" 2>/dev/null
find / -name "*.key" 2>/dev/null
netstat -tunlp
ss -tunlp
iptables -L
cat /etc/crontab
crontab -l
ps aux
systemctl list-units
cat /etc/mysql/my.cnf
mysql -u root -p
history -c


@@ -0,0 +1,12 @@
Jan 14 23:31:04 NODE_NAME sshd[1832]: Accepted publickey for admin from 10.0.0.1 port 54321 ssh2: RSA SHA256:xAmPlEkEyHaSh1234567890abcdefghijklmnop
Jan 14 23:31:04 NODE_NAME sshd[1832]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jan 14 23:31:46 NODE_NAME sudo[1901]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 14 23:31:46 NODE_NAME sudo[1901]: pam_unix(sudo:session): session opened for user root by admin(uid=0)
Jan 14 23:31:47 NODE_NAME sudo[1901]: pam_unix(sudo:session): session closed for user root
Jan 14 23:45:01 NODE_NAME sshd[1832]: pam_unix(sshd:session): session closed for user admin
Jan 15 00:02:14 NODE_NAME sshd[2104]: Failed password for invalid user oracle from 185.220.101.47 port 38291 ssh2
Jan 15 00:02:16 NODE_NAME sshd[2106]: Failed password for invalid user postgres from 185.220.101.47 port 38295 ssh2
Jan 15 00:02:19 NODE_NAME sshd[2108]: Failed password for root from 185.220.101.47 port 38301 ssh2
Jan 15 00:02:19 NODE_NAME sshd[2108]: error: maximum authentication attempts exceeded for root from 185.220.101.47 port 38301 ssh2 [preauth]
Jan 15 09:12:44 NODE_NAME sshd[2891]: Accepted password for admin from 10.0.0.5 port 51243 ssh2
Jan 15 09:12:44 NODE_NAME sshd[2891]: pam_unix(sshd:session): session opened for user admin by (uid=0)
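Review bot: The failed-login lines name `185.220.101.47`, a publicly routable address, as the brute-force source. The tests on this page show the container running a real rsyslogd, so if these seeded lines share a file or a stream with live sshd events (not visible here), a fabricated entry can end up in the collected data and be attributed to a third party. I would keep the seed file out of anything the log pipeline reads, or tag the seeded lines so the collector can drop them, and note in the template directory that the address is invented.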


@@ -51,7 +51,6 @@ MODULES = [
"decnet.services.imap", "decnet.services.imap",
"decnet.services.pop3", "decnet.services.pop3",
"decnet.services.conpot", "decnet.services.conpot",
"decnet.services.real_ssh",
"decnet.services.registry", "decnet.services.registry",
] ]


@@ -1,188 +0,0 @@
"""
Tests for the RealSSHService plugin and the deaddeck archetype.
"""
from pathlib import Path
from decnet.services.registry import all_services, get_service
from decnet.archetypes import get_archetype
# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------
def _fragment(service_cfg: dict | None = None, log_target: str | None = None) -> dict:
return get_service("real_ssh").compose_fragment(
"test-decky", log_target=log_target, service_cfg=service_cfg
)
# ---------------------------------------------------------------------------
# Registration
# ---------------------------------------------------------------------------
def test_real_ssh_registered():
assert "real_ssh" in all_services()
def test_real_ssh_ports():
svc = get_service("real_ssh")
assert svc.ports == [22]
def test_real_ssh_is_build_service():
svc = get_service("real_ssh")
assert svc.default_image == "build"
def test_real_ssh_dockerfile_context_exists():
svc = get_service("real_ssh")
ctx = svc.dockerfile_context()
assert ctx is not None
assert ctx.is_dir(), f"Dockerfile context directory missing: {ctx}"
assert (ctx / "Dockerfile").exists(), "Dockerfile missing in real_ssh template dir"
assert (ctx / "entrypoint.sh").exists(), "entrypoint.sh missing in real_ssh template dir"
# ---------------------------------------------------------------------------
# compose_fragment structure
# ---------------------------------------------------------------------------
def test_compose_fragment_has_build():
frag = _fragment()
assert "build" in frag
assert "context" in frag["build"]
def test_compose_fragment_container_name():
frag = _fragment()
assert frag["container_name"] == "test-decky-real-ssh"
def test_compose_fragment_restart_policy():
frag = _fragment()
assert frag["restart"] == "unless-stopped"
def test_compose_fragment_cap_add():
frag = _fragment()
assert "NET_BIND_SERVICE" in frag.get("cap_add", [])
def test_compose_fragment_default_password():
frag = _fragment()
env = frag["environment"]
assert env["SSH_ROOT_PASSWORD"] == "admin"
# ---------------------------------------------------------------------------
# service_cfg overrides
# ---------------------------------------------------------------------------
def test_custom_password():
frag = _fragment(service_cfg={"password": "s3cr3t!"})
assert frag["environment"]["SSH_ROOT_PASSWORD"] == "s3cr3t!"
def test_custom_hostname():
frag = _fragment(service_cfg={"hostname": "srv-prod-01"})
assert frag["environment"]["SSH_HOSTNAME"] == "srv-prod-01"
def test_no_hostname_by_default():
frag = _fragment()
assert "SSH_HOSTNAME" not in frag["environment"]
# ---------------------------------------------------------------------------
# log_target: real_ssh does not forward logs via LOG_TARGET
# (no log aggregation on the entry-point — attacker shouldn't see it)
# ---------------------------------------------------------------------------
def test_no_log_target_env_injected():
frag = _fragment(log_target="10.0.0.1:5140")
assert "LOG_TARGET" not in frag.get("environment", {})
# ---------------------------------------------------------------------------
# Deaddeck archetype
# ---------------------------------------------------------------------------
def test_deaddeck_archetype_exists():
arch = get_archetype("deaddeck")
assert arch.slug == "deaddeck"
def test_deaddeck_uses_real_ssh():
arch = get_archetype("deaddeck")
assert "real_ssh" in arch.services
def test_deaddeck_nmap_os():
arch = get_archetype("deaddeck")
assert arch.nmap_os == "linux"
def test_deaddeck_preferred_distros_not_empty():
arch = get_archetype("deaddeck")
assert len(arch.preferred_distros) >= 1
# ---------------------------------------------------------------------------
# Logging pipeline wiring (Dockerfile + entrypoint)
# ---------------------------------------------------------------------------
def _dockerfile_text() -> str:
svc = get_service("real_ssh")
return (svc.dockerfile_context() / "Dockerfile").read_text()
def _entrypoint_text() -> str:
svc = get_service("real_ssh")
return (svc.dockerfile_context() / "entrypoint.sh").read_text()
def test_dockerfile_has_rsyslog():
assert "rsyslog" in _dockerfile_text()
def test_dockerfile_runs_as_root():
"""sshd requires root — no USER directive should appear after setup."""
lines = [l.strip() for l in _dockerfile_text().splitlines()]
user_lines = [l for l in lines if l.startswith("USER ")]
assert user_lines == [], f"Unexpected USER directive(s): {user_lines}"
def test_dockerfile_rsyslog_conf_created():
df = _dockerfile_text()
assert "99-decnet.conf" in df
assert "RFC5424fmt" in df
def test_dockerfile_sudoers_syslog():
df = _dockerfile_text()
assert "syslog=auth" in df
assert "log_input" in df
assert "log_output" in df
def test_dockerfile_prompt_command_logger():
df = _dockerfile_text()
assert "PROMPT_COMMAND" in df
assert "logger" in df
def test_entrypoint_creates_named_pipe():
assert "mkfifo" in _entrypoint_text()
def test_entrypoint_starts_rsyslogd():
assert "rsyslogd" in _entrypoint_text()
def test_entrypoint_sshd_no_dash_e():
ep = _entrypoint_text()
assert "sshd -D" in ep
# -e flag would bypass syslog; must not be present
assert "sshd -D -e" not in ep


@@ -3,6 +3,7 @@ Tests for the SSHService plugin (real OpenSSH, Cowrie removed).
""" """
from decnet.services.registry import all_services, get_service from decnet.services.registry import all_services, get_service
from decnet.archetypes import get_archetype
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
@@ -15,6 +16,14 @@ def _fragment(service_cfg: dict | None = None, log_target: str | None = None) ->
) )
def _dockerfile_text() -> str:
return (get_service("ssh").dockerfile_context() / "Dockerfile").read_text()
def _entrypoint_text() -> str:
return (get_service("ssh").dockerfile_context() / "entrypoint.sh").read_text()
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
# Registration # Registration
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
@@ -23,6 +32,10 @@ def test_ssh_registered():
assert "ssh" in all_services() assert "ssh" in all_services()
def test_real_ssh_not_registered():
assert "real_ssh" not in all_services()
def test_ssh_ports(): def test_ssh_ports():
assert get_service("ssh").ports == [22] assert get_service("ssh").ports == [22]
@@ -88,3 +101,68 @@ def test_no_hostname_by_default():
def test_no_log_target_in_env(): def test_no_log_target_in_env():
assert "LOG_TARGET" not in _fragment(log_target="10.0.0.1:5140").get("environment", {}) assert "LOG_TARGET" not in _fragment(log_target="10.0.0.1:5140").get("environment", {})
# ---------------------------------------------------------------------------
# Logging pipeline wiring (Dockerfile + entrypoint)
# ---------------------------------------------------------------------------
def test_dockerfile_has_rsyslog():
assert "rsyslog" in _dockerfile_text()
def test_dockerfile_runs_as_root():
lines = [l.strip() for l in _dockerfile_text().splitlines()]
user_lines = [l for l in lines if l.startswith("USER ")]
assert user_lines == [], f"Unexpected USER directive(s): {user_lines}"
def test_dockerfile_rsyslog_conf_created():
df = _dockerfile_text()
assert "99-decnet.conf" in df
assert "RFC5424fmt" in df
def test_dockerfile_sudoers_syslog():
df = _dockerfile_text()
assert "syslog=auth" in df
assert "log_input" in df
assert "log_output" in df
def test_dockerfile_prompt_command_logger():
df = _dockerfile_text()
assert "PROMPT_COMMAND" in df
assert "logger" in df
def test_entrypoint_creates_named_pipe():
assert "mkfifo" in _entrypoint_text()
def test_entrypoint_starts_rsyslogd():
assert "rsyslogd" in _entrypoint_text()
def test_entrypoint_sshd_no_dash_e():
ep = _entrypoint_text()
assert "sshd -D" in ep
assert "sshd -D -e" not in ep
# ---------------------------------------------------------------------------
# Deaddeck archetype
# ---------------------------------------------------------------------------
def test_deaddeck_uses_ssh():
arch = get_archetype("deaddeck")
assert "ssh" in arch.services
assert "real_ssh" not in arch.services
def test_deaddeck_nmap_os():
assert get_archetype("deaddeck").nmap_os == "linux"
def test_deaddeck_preferred_distros_not_empty():
assert len(get_archetype("deaddeck").preferred_distros) >= 1
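Review bot: `test_entrypoint_sshd_no_dash_e` lost the comment that explained it in the deleted file, and the check itself only rejects the literal spelling `sshd -D -e`. An entrypoint that starts `sshd -e -D` or `sshd -De` would pass while sending sshd's log output to stderr instead of syslog, which is the condition the test exists to catch. I would restore the comment as `# -e sends sshd logs to stderr and bypasses syslog; must not be present` and match the flag rather than the string, e.g. `assert not re.search(r"sshd[^\n]*\s-\w*e\b", ep)` with `import re` added at the top of the file. `test_deaddeck_archetype_exists` and the docstring on `test_dockerfile_runs_as_root` were also not carried over from the deleted file.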