nuclei-templates/network/honeypot/dionaea-ftp-honeypot-detect...

31 lines
883 B
YAML
Raw Permalink Normal View History

id: dionaea-ftp-honeypot-detect
info:
2023-11-08 06:13:53 +00:00
name: Dionaea FTP Honeypot - Detect
author: UnaPibaGeek
severity: info
description: |
A Dionaea FTP honeypot has been identified.
The response to the 'PASS' command differs from real installations, signaling a possible deceptive setup.
metadata:
max-request: 1
vendor: dionaea
product: ftp
tags: dionaea,ftp,honeypot,ir,cti,network,tcp
tcp:
2023-11-08 15:12:25 +00:00
- inputs:
- data: "USER root\r\n"
read: 1024
- data: "PASS \r\n"
read: 1024
2023-11-08 15:12:25 +00:00
host:
- "{{Hostname}}"
port: 21
read-size: 2048
2023-11-08 15:12:25 +00:00
matchers:
- type: word
words:
- "500 Syntax error: PASS requires an argument"
# digest: 490a0046304402202c5f8ad39af1fd2351185674757f12369a93299d27d1c675783d8a786a1017c202201a1ab62e8318db26da5d5457bdfc99c0949e2f12d7487b8d50931fd45e33347c:922c64590222798bb761d5b6d8e72950