nuclei-templates/network/honeypot/dionaea-ftp-honeypot-detect.yaml

id: dionaea-ftp-honeypot-detect

info:
  name: Dionaea FTP Honeypot - Detect
  author: UnaPibaGeek
  severity: info
  description: |
    A Dionaea FTP honeypot has been identified.
    The response to the 'PASS' command differs from real installations, signaling a possible deceptive setup.    
  metadata:
    max-request: 1
    product: ftp
    vendor: dionaea
  tags: dionaea,ftp,honeypot,ir,cti,network

tcp:
  - inputs:
      - data: "USER root\r\n"
        read: 1024
      - data: "PASS \r\n"
        read: 1024

    host:
      - "{{Hostname}}"
    port: 21
    read-size: 2048

    matchers:
      - type: word
        words:
          - "500 Syntax error: PASS requires an argument"
# digest: 4a0a00473045022100be0bb8582adcb69d0a589e8b3bb74fb8825d78af640609d2860515e9b2f72778022016f5b38a618ef9825c8699f330f74d0ee4a896fc553f15b16d6ed10ef2a29238:922c64590222798bb761d5b6d8e72950