Description:
Your Canaries ship with split personalities; this drives attackers crazy.
A personality is a "preset" of ports, services and IP stack for various vendors that you'd find on a network.
Each Canary can take on the personality of real systems that you have deployed on your network (and maybe some that you don't).
These help your Canaries present themselves to match the real deal when they show up in network scans.
Note:
Canaries are configured to emulate their personalities at a network level. This means no licenses (e.g. Microsoft License) or OS images are required.
Note:
If there is a device not in the list that you'd like to see included, feel free to reach out to support@canary.tools to let us know!
Personalities: Below is a list of the various personalities your Canaries support.
Windows:
IIS 10
IIS 7
Microsoft AD Domain Controller 2012
Microsoft AD Domain Controller 2016
Microsoft AD Domain Controller 2019
MS Sharepoint 2010
Windows 11 Desktop Fileshare
Windows 10 Desktop Fileshare
Windows 7 Desktop Fileshare
Windows 8 Desktop Fileshare
Windows Server 2000 Office Fileshare
Windows Server 2003 Office Fileshare
Windows Server 2008 Office Fileshare
Windows Server 2012 Office Fileshare
Windows Server 2016 Office Fileshare
Windows Server 2019 Office Fileshare
Windows XP Desktop Fileshare
Linux:
CentOS 7 Server
Linux Database
Linux Proxy
Oracle Enterprise Linux 6
Oracle Enterprise Linux 7
Oracle Enterprise Linux 8
Red Hat Enterprise Linux 9
Standard Linux Server
Apple:
Mac OS X Fileshare
Networking:
Check Point Mobile VPN
Cisco Router
Cisco SSL VPN
Cisco VoIP Phone 7975G
Citrix Gateway
Dell Switch
F5 BIG-IP Edge Gateway
FortiGate
Integrated Dell Remote Access Controller
Juniper SRX 550
Palo Alto Firewall
Pulse VPN
SonicWALL NSA 220 Firewall Appliance
Vendors:
Canon ImageRUNNER 2525
Confluence 9
CUPS Service
GitLab Server
HP iLO Server
IBM z/OS Mainframe
JBoss Login
Jenkins Login
Jira
Joomla Server
Kibana Server
Outlook Web Access
SAP NetWeaver Windows Server
Solarwinds
Sophos User Portal
Sophos Web Console
Splunk Linux Server
Splunk Windows Server
Synology DiskStation 5 NAS
Synology DiskStation 6.2 NAS
Synology DiskStation 7.1 NAS
VMware ESXi 7 Server
VMware ESXi Server
VMware vCenter 7 Server
SCADA:
Hirschmann RS20 Industrial Switch
Rockwell Automation PLC
Siemens Simatic 300 PLC
Services: Below is a full list of available services that any Canary can emulate:
File Transfer (FTP)
File Transfer (TFTP)
GIT Repository
LDAP
Microsoft SQL Server
Modbus
MongoDB Database
MySQL
Portscan Detection
Redis
Remote Desktop Protocol
SSH
Telnet
Time Server
TN3270
VNC
VOIP (SIP)
Web Proxy
Webserver
Windows File Share
Windows Remote Management
Custom TCP Services:
Our custom TCP service allows you to create any number of services on your Canary that we don't support out of the box. For example, you could add TCP/25 to your Canary to have it emulate the SMTP service. Any activity detected on this port will generate an alert. See our guide on setting up custom TCP Services.
Emulation:
Personality emulation goes beyond just an Operating System fingerprint and some port listeners. We do a bunch of tweaking under the hood to make sure your Canaries also talk on the right protocol for each of their services.
If your Canary has been set up as a SCADA device, it will talk on the proper Modbus protocol too!
The scan below shows a port and OS scan performed on a Canary that has been configured as a Cisco router.
We spoof the MAC address (so it looks legit) and the actual OS identifies as a version of IOS running on Cisco kit.
To get this result, we take things like TTL response times, TCP Sequencing, OS fingerprint, and more into account, so all that an attacker sees is a Cisco device, and you get an alert when any of its services are touched.