Publication
False Flavor Honeypot: Deceiving Vulnerability Scanning Tools
Tillmann Angeli; Daniel Reti; Daniel Schneider; Hans Dieter Schotten
In: 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE European Symposium on Security and Privacy Workshops (EuroSPW-2024), 3rd Workshop on Active Defense and Deception (AD&D), July 8-12, Vienna, Austria, IEEE, 7/2024.
Abstract
As reliance on digital services continues to expand, so too does the frequency and severity of cyber attacks, resulting in substantial financial losses. Consequently, there is a pressing demand for enhanced information security measures to safeguard systems. One effective approach to identifying vulnerabilities within systems or networks is through the utilization of vulnerability scanning tools. These sophisticated tools meticulously analyze running services, assess their versions, and pinpoint potential vulnerabilities, offering a range of strategies for mitigation. However, while these tools are intended to bolster security, they are also frequently exploited by malicious actors seeking to identify potential attack vectors. To address this threat, this work introduces the False Flavor Honeypot, a proof of concept honeypot designed to manipulate vulnerability scan results. Unlike traditional counterparts that aim to lure and engage attackers by convincingly mimicking services, the False Flavor Honeypot has a unique focus: deceiving vulnerability scanning tools. Rather than directly engaging with attackers, this honeypot manipulates the behavior of these scanning tools, through the modification or creation of various TCP packets, aiming to mislead potential attackers regarding exploitable vulnerabilities. Its primary objective lies in disrupting the scanning process itself, thereby compromising the accuracy of scanning results. The False Flavor Honeypot successfully replicated \~90\% of the results obtained from a vulnerability scan conducted on an outdated and vulnerable HTTP server, without introducing these or any new vulnerabilities. This emphasizes the efficacy of the honeypot and highlights the possible unreliability of results generated by vulnerability scanning tools.