This may be something I'm just doing wrong. I was playing with impersonating services, nothing specific, but I wanted it to look "real", so I grabbed some banners from /usr/share/nmap/nmap-service-probes. Setting SSH server_id to something expecting a \r\n ending works fine. However, a server_id ending in \n cannot be set:

Working Example

From the service probes file I can find this:

match ssh m|^SSH-([\d.]+)-PSFTPd\. Secure FTP Server ready\r\n| p/PSFTPd/ i/protocol $1/ o/Windows/ cpe:/a:pleis:psftpd/ cpe:/o:microsoft:windows/a

And set my server_id to this:

SSH-2.3-PSFTPd. Secure FTP Server ready

and Nmap correctly identifies the service as:

PORT     STATE SERVICE REASON         VERSION
2222/tcp open  ssh     syn-ack ttl 63 PSFTPd (protocol 2.3)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Non-working example

However, if I try something like this:

match ssh m|^SSH-([\d.]+)-TECHNICOLOR_SW_([\d.]+)\n| p/Technicolor SA sshd/ v/$2/ i/protocol $1/ d/broadband router/

And set my server_id to:

SSH-1.99-TECHNICOLOR_SW_2.0

I get back:

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.91%I=7%D=8/29%Time=612B8DBD%P=x86_64-pc-linux-gnu%r(NU
SF:LL,1D,"SSH-1\.99-TECHNICOLOR_SW_2\.0\r\n");

As near as I can tell that should match except for the ending, I've tried numerous variations though. It seems the problem is Nmap wasn't expecting the carriage return preceding the line feed, e.g the "\r\n" on the last line that wasn't specified by the user.

If I insert a new line between the end of the string (2.0) and the last single tick ('), this seems to get interpreted in Nmap as \x20 (space?). If I look at this in a hex editor though, it appears to be the correct CR character (0A). Trying to manually insert a CR in vim (e.g. CTRL+V 10) seems to insert a 00 (null) character, and result in the error below (no surprise)

bbk@ubuntu:~/medusa$ ./medusa 
thread 'main' panicked at 'error parsing service file: Scan(ScanError { mark: Marker { index: 46, line: 3, col: 11 }, info: "while scanning a quoted scalar, found unexpected end of stream" })', src/main.rs:83:49
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

I might be doing something wrong, I'm going between various escape characters and ascii tables in ocatal/dec/hex but there doesn't appear to be a way to force a CR only at the end of the server_id string, and without being able to do that, it seems some server banners are going to be impossible to impersonate.

In some cases (depending on the setup) it is possible to kill the jail docker container with

kill 1

as the command.

This would kill the init parent process in the container and stop the container. The honeypot would then return errors instead of delegating to the running container for commands that are not already cached.

This could probably be prevented on the docker/host side by having the container always restart or having different users for starting and running the exec.

Maybe a configurable blacklist of commands that wont be sent to the container. I know it's not the core of the project, and need not be changed. :-) I am just mentioning it.

Good morning,

So I have recently been attempting to configure the medusa honeypot for research and fun purposes and I ran into one particulary annoying issue getting the https protocol to function correctly.

It would appear that rustls::pemfile::rsa_private_keys requires the private key to be in PKCS#1 format, however the cert/key generation step in the readme openssl req -newkey rsa:2048 -nodes -keyout medusa-https.key -x509 -days 365 -out medusa-https.crt generates a private key in PKCS#8 format, which causes rust to panic and die when running medusa. Not sure if this is an issue with openssl version difference maybe? I'm using OpenSSL 1.1.1

This was remediated by adding RSA to the header in the key file.

Before: -----BEGIN PRIVATE KEY----- After: -----BEGIN RSA PRIVATE KEY-----

Also I noticed that the certificate path in http/config.rs has the cert file as medusa-https.cert whereas the command in the readme generates medusa-https.crt which tripped me up for longer than I would care to admit ha ha ha.

Kind regards, Kyle.