mushorg / conpot

ICS/SCADA honeypot
GNU General Public License v2.0

Add some new titles #373

Closed omergunal closed 5 years ago

omergunal commented 6 years ago

Hi, when I scan conpot with nmap, I'm getting this output:

[screenshot: selection_060]

I want to add some new values like "Basic Hardware" and change the sequence. For example, "version" will not be the first value. How can I do that? Shodan always knows this is "conpot". What should I do? Thanks

Vingaard commented 6 years ago

Hi there. To change this, please edit the following file located in the conpot template dir, aka /templates/default/template.xml

However, be aware that conpot is a low-interaction honeypot, and hence pretty easy to spot. /Mikael, Honeypot.dk

omergunal commented 6 years ago

@Vingaard I can change values in "/templates/default/template.xml". But I want to add new titles and change the title sequence. Like this:

System name: Omer
Serial number: 123
This is new Title: Example

Yes, it's low interaction; I think there is a way of detecting conpot.

Vingaard commented 6 years ago

Got it, that would -most likely- require that you change 'quite a bit' of the current code.

However, that would not make any significant difference in the profile, and might just throw a red flag into the scanning, that this is not a standard S7 Siemens PLC.

A similar discussion was mentioned in item #343. /Mikael, Honeypot.dk

omergunal commented 6 years ago

They discussed not using the default template file. I think I need more information about my issue.

Vingaard commented 6 years ago

@omergunal - got it. I took a look at the NSE script yesterday evening (https://svn.nmap.org/nmap/scripts/s7-info.nse) and the output structure is actually predefined. The script is set to the values (e.g. Basic Hardware, Serial number etc.) that a real Siemens S7 PLC would be expected to display.

So my initial feeling would be that even when you have changed the ranking of the list of values, the NSE script will always display it as it is now. Adding e.g. somenewfield: Omer-example will not be detected by the S7-Info script and hence not output to the overall NMAP result.

omergunal commented 6 years ago

Yes, you are right. This is the original PLC output:

```
102/tcp open  Siemens S7 PLC
| s7-info:
|   Basic Hardware: 6ES7 315-2AG10-0AB0
|   System Name: SIMATIC 300(1)
|   Copyright: Original Siemens Equipment
|   Version: 2.6.9
|   Module Type: CPU 315-2 DP
|   Module: 6ES7 315-2AG10-0AB0
|_  Serial Number: S C-X4U421302009
```

and this is conpot:

```
| s7-info:
|   Version: 0.0
|   System Name: Technodrome
|   Module Type: Siemens, SIMATIC, S7-200
|   Serial Number: 88111222
|   Plant Identification: Mouser Factory
|_  Copyright: Original Siemens Equipment
```

I want to add the Basic Hardware and Module titles like the original PLC, and also remove Plant Identification. Lastly, I want to put the titles in the same sequence as the original PLC.
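An added example, not from this thread or the conpot project: a small Python check that parses the two s7-info blocks above and reports exactly the differences discussed (the missing Basic Hardware and Module fields, the extra Plant Identification, the field order, and which values are still at conpot's template defaults). An operator can run it against their own scan output before exposing a honeypot; the two sample blocks are constructed from the outputs quoted in this issue.

```python
import re
# Constructed sample input: the two s7-info blocks quoted earlier in this thread
# (a genuine S7-300 first, then conpot's default template).
REAL_PLC = """\
| s7-info:
|   Basic Hardware: 6ES7 315-2AG10-0AB0
|   System Name: SIMATIC 300(1)
|   Copyright: Original Siemens Equipment
|   Version: 2.6.9
|   Module Type: CPU 315-2 DP
|   Module: 6ES7 315-2AG10-0AB0
|_  Serial Number: S C-X4U421302009
"""
CONPOT = """\
| s7-info:
|   Version: 0.0
|   System Name: Technodrome
|   Module Type: Siemens, SIMATIC, S7-200
|   Serial Number: 88111222
|   Plant Identification: Mouser Factory
|_  Copyright: Original Siemens Equipment
"""
# Field order the genuine PLC reported above; used as the reference profile.
REAL_FIELD_ORDER = ["Basic Hardware", "System Name", "Copyright", "Version",
                    "Module Type", "Module", "Serial Number"]
# Values shipped in conpot's default template, as seen in the scan above.
CONPOT_DEFAULTS = {"Version": "0.0", "System Name": "Technodrome",
                   "Serial Number": "88111222", "Plant Identification": "Mouser Factory"}
FIELD_RE = re.compile(r"^\|[_ ]\s+([^:]+?):\s*(.*?)\s*$")

def parse_s7_info(text):
    """Return the s7-info block's (field, value) pairs in reported order."""
    pairs = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:  # the '| s7-info:' header has no indented field and is skipped
            pairs.append((m.group(1), m.group(2)))
    return pairs

def audit(pairs, reference=REAL_FIELD_ORDER, defaults=CONPOT_DEFAULTS):
    """Describe how a scanned device differs from the genuine PLC profile."""
    fields = [f for f, _ in pairs]
    shared = [f for f in reference if f in fields]
    return {
        "missing": [f for f in reference if f not in fields],
        "extra": [f for f in fields if f not in reference],
        "order_matches": [f for f in fields if f in reference] == shared,
        "default_values": [f for f, v in pairs if defaults.get(f) == v],
    }
```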

Vingaard commented 6 years ago

Ok - I see your point clearly now. You might want to deep dive into /default/s7comm/s7comm.xml and play around with the code; however, as mentioned, that might require quite a lot of changes in the code, incl. adding new values.

omergunal commented 6 years ago

Yes, I wanted help for this reason; maybe someone knows where to add code (without s7comm.xml).

xandfury commented 6 years ago

@omergunal As you might be aware, different types of packets trigger different responses. Adding new 'titles'/changing the order could leave you with an invalid PDU.

The SSL/SZL request (a request that nmap sends during a scan, to which conpot responds) has a specific encoding format. If you still want to tweak conpot's responses to such requests, I suggest starting here.

omergunal commented 6 years ago

@xandfury i actually want to do this: https://github.com/mushorg/conpot/issues/373#issuecomment-393105989

xandfury commented 6 years ago

@omergunal For the screenshot you posted, you change those defaults from your template. Consider default/template.xml, locate the values you are looking for, and replace them with your desired values.

For the second part, as I stated previously, we'll need to investigate what exactly NMAP is sending to scan Conpot. Look for the exact PDU (bytes). I'll try to have a look into this in the next couple of weeks. :-)

glaslos commented 5 years ago

Closing this in reference to #343