Decoy-Hunter: Bypassing "All Ports Open" Deception in Offensive Security
#redteam#cybersecurity#webdev#python
KL3FT3Z

KL3FT3Z @toxy4ny

About: 🔭 I’m currently working in Red Team of Hackteam.RED. 🌱 I’m currently learning Red Team's Ops 2025. 👯 I’m looking to collaborate with Cyber Security Enthusiasts and Hackers.

Joined:
Mar 20, 2025

Decoy-Hunter: Bypassing "All Ports Open" Deception in Offensive Security

Publish Date: Sep 26
36 21

The defensive idea belongs to https://t.me/s0i37_channel

🛡️→⚔️ Decoy-Hunter: Bypassing "All Ports Open" Deception in Offensive Security

Defensive deception is powerful — but not invisible.

This tool helps red teams and penetration testers cut through the noise of fake services and find real attack surfaces.

🔥 The Problem: "All Ports Are Open" Deception

In modern defensive architectures, it's becoming common to confuse attackers by making every TCP port appear open. This is often achieved with simple iptables rules:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m conntrack --ctstate NEW -j REDIRECT --to-ports 1234
while sleep 1; do nc -nv -lp 1234; done
Enter fullscreen mode Exit fullscreen mode

Or more advanced tools like portspoof, which return random service banners on every port.

The goal? Waste the attacker’s time, trigger false positives in scanners, and hide real services among thousands of decoys.

But here’s the catch: most deception implementations are flawed.

  • portspoof returns different banners on each scan → easily detectable.
  • Static banner emulators (e.g., using nmap-service-probes responses) lack protocol logic.
  • Fake services often respond to any input with the same static string — real services don’t work that way.

This creates an opportunity for offensive counter-deception.

🕵️‍♂️ Introducing decoy-hunter

decoy-hunter is a stealthy, protocol-aware scanner designed to:

  • Detect fake services behind "all ports open" traps,
  • Identify real, exploitable services hidden in the noise,
  • Operate with traffic obfuscation to avoid detection by the defender.

Unlike nmap -sV, which can be fooled by consistent fake banners, decoy-hunter:

  • Uses real nmap-service-probes to send legitimate client requests,
  • Validates protocol behavior, not just banners,
  • Supports TCP + UDP up to port 10,000 (or full range),
  • Mimics human-like timing and request patterns.

🧠 How It Works

1. Realistic Probing

Instead of sending raw strings, decoy-hunter:

  • Sends valid HTTP requests with real User-Agent,
  • Initiates TLS handshakes on HTTPS ports,
  • Uses SMTP EHLO, FTP USER, Redis PING, etc.,
  • Leverages the official nmap-service-probes database for accuracy.

2. Protocol Validation

A fake SSH service might return SSH-2.0-OpenSSH_8.9, but:

  • It won’t complete a key exchange,
  • It won’t respond correctly to malformed packets,
  • It may reply with an SSH banner on port 8080 — which is suspicious.

decoy-hunter checks:

  • Does the response match the expected protocol state?
  • Is the service consistent across multiple probes?
  • Does it only respond to one probe type, ignoring others?

3. Traffic Obfuscation (Anti-Detection)

To avoid being flagged as a scanner:

  • Random delays between connections (0.2–2.0s),
  • Limited concurrency (default: 15),
  • No aggressive payload spraying,
  • TLS used where expected (e.g., port 443),
  • No repeated identical patterns.

🔒 Goal: Make traffic look like a curious user or misconfigured client — not a pentest tool.

🚀 Quick Start

1. Install dependencies 

pip install tqdm
Enter fullscreen mode Exit fullscreen mode

2. Download nmap-service-probes 

wget https://raw.githubusercontent.com/nmap/nmap/master/nmap-service-probes
Enter fullscreen mode Exit fullscreen mode

3. Run a scan 

# Scan top 10k TCP ports
python3 decoy_hunter.py 192.168.1.10

# Include UDP (slower)
python3 decoy_hunter.py target.com -sU -c 5

# Custom ports
python3 decoy_hunter.py 10.0.0.5 -p 22,80,443,8080,1234
Enter fullscreen mode Exit fullscreen mode

Sample Output 

[REAL] 22/tcp open ssh (via passive/NULL) → SSH-2.0-OpenSSH_8.9p1
[FAKE] 8080/tcp open http (via GetRequest) → SSH-2.0-OpenSSH_8.9p1  ← 🚩 Mismatch!
[REAL] 443/tcp open http (via GetRequest) → HTTP/1.1 200 OK
Enter fullscreen mode Exit fullscreen mode

Notice: SSH banner on port 8080 → clear sign of deception.

🛠️ Technical Highlights

Feature Description
Full nmap-service-probes support Accurate service detection using Nmap’s official database
Async I/O with asyncio Fast, scalable scanning without blocking
UDP + TCP scanning Covers both transport layers
Stealth mode Randomized timing, realistic requests, low concurrency
Progress bar Visual feedback with tqdm
No external dependencies (except tqdm) Pure Python, easy to run anywhere

📚 Why This Matters

Defensive deception is a valid and useful tactic — but it shouldn’t create a false sense of security. As red teamers and ethical hackers, we must:

  • Understand defensive tricks,
  • Develop tools to see through them,
  • Help organizations test the effectiveness of their deception layers.

decoy-hunter is not just a scanner — it’s a counter-deception framework for the modern attack surface.

🤝 Contributing

Found a fake service that decoy-hunter missed?

Have an idea to improve obfuscation or probe coverage?

Pull requests welcome!

→ Issues and feature requests encouraged.

⚠️ Legal & Ethical Note

This tool is for authorized penetration testing and research only.

Never scan systems you don’t own or don’t have explicit permission to test.

📦 Repository Structure 

decoy-hunter/
├── decoy_hunter.py          # Main CLI tool
├── probes.py                # Probe logic & obfuscation
├── service_probes_parser.py # Parses nmap-service-probes
├── nmap-service-probes      # (Download separately)
├── README.md                # This file
└── requirements.txt         # tqdm
Enter fullscreen mode Exit fullscreen mode

💡 Inspired By

🔍 Real security isn’t about hiding — it’s about resilience.

Use decoy-hunter to ensure your defenses are tested, not just decorated.

Author: [KL3FT3Z]

License: MIT

GitHub: github.com/toxy4ny/decoy-hunter

Comments 21 total

  • Yogesh Bamanier
    Yogesh BamanierSep 26, 2025

    impressive

  • Aaron Rose
    Aaron RoseSep 26, 2025

    thanks KL3FT3Z💯

    • KL3FT3Z
      KL3FT3ZSep 27, 2025

      Thank you for your high rating, this is still in concept and idea stage, as soon as there is a possibility to test the software, I will do it. If you get it earlier, let me know.

  • Om Shree
    Om ShreeSep 27, 2025

    Nice

  • Antonio Jose Socorro Marin
    Antonio Jose Socorro MarinSep 28, 2025

    Decoy-Hunter: Technical Enhancement for Verifiable Evidence and Stateful Protocol Probes

    Dear author,

    Excellent analysis and a very valuable contribution to the community. Your exposition on the weaknesses of “all ports open” deception (fake banners, static responses) caught my attention and motivated me to prepare a practical technical contribution to complement the tool. The goal is to provide mechanisms so that findings are verifiable, resilient against banner-based traps, and manageable by evidence management infrastructures.

    Below I present the full technical proposal, including example code, detailed line-by-line notes, and a signed report template that can be integrated into the tool’s pipeline.

    Contribution Summary

    Integrity and non-repudiation of reports: sign every report with ECDSA P-256 managed by a PKCS#11/HSM module; use canonical JSON serialization for deterministic signing.

    Stateful protocol probes: complete handshakes and validate protocol states (TLS handshake + valid HTTP request; SSH banner + KEXINIT detection; valid commands for SMTP/FTP/Redis; UDP probes with payload validation).

    Evidence format: canonical JSON schema for signed reports and clear result codes (real_service, probable_decoy, inconclusive).

    Operational playbook: checklist for authorized tests, HSM usage, trace recording, and secure delivery of evidence.

    1) Report Integrity — Technical Principles

    Use ECDSA with curve P-256 and SHA-256 to sign reports. JSON serialization must be deterministic (sorted keys, compact separators) to ensure reproducibility of the signature.

    Store the private signing key inside an HSM or PKCS#11 module; the key must never leave the hardware. The HSM is responsible for executing the signing operation.

    Each report should include: metadata (target, timestamps in UTC), list of probes with detailed results, executive summary, and Base64 signature together with signer identifier.

    For compatibility with enterprise infrastructures, the report can be encapsulated in a CMS container if required; the signed JSON should preserve a manifest with verified hashes of artifacts (pcap, logs).

    2) Heuristics and Recommended Probes
    2.1 Principle

    Validate protocol behavior: the main criterion is not the banner but whether the entity completes the expected protocol flow.

    2.2 Probes and Checks

    HTTPS/TLS (e.g., port 443):

    Complete TLS handshake (including SNI and ALPN where applicable).

    If handshake succeeds, send GET / with a real User-Agent and parse status code and dynamic headers.

    If handshake fails but a banner exists, mark as inconsistent → probable_decoy.

    SSH (e.g., port 22):

    Read SSH-2.0-... banner.

    Send client identification string according to RFC4253.

    Detect KEXINIT binary bytes (0x14) or non-printable byte ratios to confirm the server progresses in the key exchange.

    If only ASCII banner and no binary progression, mark as probable_decoy.

    UDP (DNS, Redis, etc.):

    Send valid payloads for the service and check consistency across responses (e.g., Redis PING → PONG).

    Repeat probes with slight variations to validate response stability.

    2.3 Result Codes

    real_service: completed handshake + at least 2 consistent probes.

    probable_decoy: inconsistent banner, failed handshake, or response to only one probe.

    inconclusive: timeouts or network issues — repeat the scan.

    3) Example Code — PKCS#11 Signing, HTTPS Probe, SSH Probe, JSON Schema and Report Example

    All scripts include the author’s signature in the file headers.

    A) PKCS#11 Signing Example

    file: sign_report_pkcs11.py

    Author: Antonio José Socorro Marín © 2025

    Usage: python sign_report_pkcs11.py report.json /lib/pkcs11.so token_label key_label PIN

    import json, sys, base64
    from datetime import datetime

    def canonicalize(jsobj):
    return json.dumps(jsobj, sort_keys=True, separators=(',',':'), ensure_ascii=False).encode('utf-8')

    def sign_with_pkcs11(report_obj, pkcs11_lib_path, token_label, key_label, pin):
    from pkcs11 import Lib, Mechanism
    lib = Lib(pkcs11_lib_path)
    with lib.get_token(token_label=token_label).open(user_pin=pin) as session:
    priv = session.get_key(label=key_label, key_type='EC', object_class='PRIVATE_KEY')
    data = canonicalize(report_obj)
    signature = priv.sign(data, mechanism=Mechanism.ECDSA_SHA256)
    return base64.b64encode(signature).decode('ascii')

    def main():
    if len(sys.argv) < 6:
    print("Usage: sign_report_pkcs11.py report.json /lib/pkcs11.so token_label key_label PIN")
    sys.exit(1)
    report_path, libpath, token_label, key_label, pin = sys.argv[1:6]
    report = json.load(open(report_path, "r", encoding="utf-8"))
    sig = sign_with_pkcs11(report, libpath, token_label, key_label, pin)
    out = {"report": report, "signature_b64": sig, "signed_at": datetime.utcnow().isoformat()+"Z", "signer": "CN="+key_label}
    print(json.dumps(out, ensure_ascii=False, indent=2))

    if name == "main":
    main()

    B) HTTPS / TLS Probe

    file: probe_https.py

    Author: Antonio José Socorro Marín © 2025

    import socket, ssl, json, time

    def probe_https(host, port=443, server_name=None, timeout=5.0):
    result = {
    "host": host,
    "port": port,
    "timestamp": time.time(),
    "tls_handshake": False,
    "tls_error": None,
    "http_response_code": None,
    "http_headers": None,
    "notes": []
    }
    server_name = server_name or host
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
    sock.connect((host, port))
    except Exception as e:
    result["tls_error"] = f"tcp_connect_failed: {e}"
    return result
    context = ssl.create_default_context()
    try:
    ssock = context.wrap_socket(sock, server_hostname=server_name)
    result["tls_handshake"] = True
    except Exception as e:
    result["tls_error"] = str(e)
    return result
    try:
    http_req = ("GET / HTTP/1.1\r\n"
    f"Host: {host}\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Connection: close\r\n\r\n")
    ssock.sendall(http_req.encode('utf-8'))
    data = ssock.recv(65536)
    if data:
    header_text = data.decode('iso-8859-1').split("\r\n\r\n",1)[0]
    status_line = header_text.splitlines()[0]
    parts = status_line.split()
    if len(parts) >= 2:
    result["http_response_code"] = int(parts[1])
    except Exception as e:
    result["notes"].append(f"http_request_error: {e}")
    finally:
    ssock.close()
    return result

    C) SSH Stateful Probe

    file: probe_ssh_stateful.py

    Author: Antonio José Socorro Marín © 2025

    import socket, time

    def probe_ssh_stateful(host, port=22, timeout=5.0):
    r = {"host": host, "port": port, "timestamp": time.time(), "banner": None,
    "kex_received": False, "details": []}
    try:
    s = socket.create_connection((host, port), timeout=timeout)
    except Exception as e:
    r["details"].append(f"tcp_connect_failed: {e}")
    return r
    try:
    data = b""
    s.settimeout(2.0)
    while b'\n' not in data:
    piece = s.recv(1024)
    if not piece:
    break
    data += piece
    if len(data) > 4096:
    break
    banner_line = data.splitlines()[0] if data else b""
    r["banner"] = banner_line.decode('ascii', errors='ignore').strip()
    client_id = b"SSH-2.0-OpenSSH_9.0-AntonioProbe\r\n"
    s.sendall(client_id)
    s.settimeout(3.0)
    more = s.recv(4096)
    if more:
    if b'\x14' in more[:64]:
    r["kex_received"] = True
    r["details"].append("kexinit_detected_binary")
    else:
    nonprint_ratio = sum(1 for b in more[:64] if b < 32 or b > 126) / max(1, min(64,len(more)))
    if nonprint_ratio > 0.2:
    r["kex_received"] = True
    r["details"].append(f"binary_noise_ratio={nonprint_ratio:.2f}")
    else:
    r["details"].append("only_ascii_after_banner; likely decoy")
    else:
    r["details"].append("no_response_after_client_id")
    except Exception as e:
    r["details"].append(f"probe_error: {e}")
    finally:
    s.close()
    return r

    D) ECDSA Signing in Memory (testing only)

    file: sign_report_ec.py

    Author: Antonio José Socorro Marín © 2025

    import json, base64
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec

    def sign_report_ec_p256(report_dict, private_key_pem):
    canonical = json.dumps(report_dict, sort_keys=True, separators=(',',':')).encode('utf-8')
    private_key = serialization.load_pem_private_key(private_key_pem, password=None)
    signature = private_key.sign(canonical, ec.ECDSA(hashes.SHA256()))
    sig_b64 = base64.b64encode(signature).decode('ascii')
    return {'report': report_dict, 'signature_b64': sig_b64}

    E) JSON Schema for Signed Reports
    {
    "$schema": "json-schema.org/draft-07/schema#",
    "title": "DecoyHunter Signed Report",
    "type": "object",
    "required": ["report", "signature_b64", "signed_at", "signer"],
    "properties": {
    "report": {
    "type": "object",
    "required": ["target", "scans", "summary"],
    "properties": {
    "target": {"type":"string"},
    "scans": {
    "type":"array",
    "items": {
    "type":"object",
    "required":["port","protocol","timestamp","result_code"],
    "properties":{
    "port":{"type":"integer"},
    "protocol":{"type":"string"},
    "timestamp":{"type":"string","format":"date-time"},
    "result_code":{"type":"string"},
    "details":{"type":"object"}
    }
    }
    },
    "summary":{"type":"object"}
    }
    },
    "signature_b64":{"type":"string"},
    "signed_at":{"type":"string","format":"date-time"},
    "signer":{"type":"string"}
    }
    }

    F) Example Signed Report
    {
    "report": {
    "target": "192.168.1.10",
    "scans": [
    {
    "port": 22,
    "protocol": "ssh",
    "timestamp": "2025-09-28T12:34:56Z",
    "result_code": "real_service",
    "details": {
    "banner": "SSH-2.0-OpenSSH_8.9p1",
    "kex_received": true
    }
    },
    {
    "port": 8080,
    "protocol": "http",
    "timestamp": "2025-09-28T12:35:13Z",
    "result_code": "probable_decoy",
    "details": {
    "banner": "SSH-2.0-OpenSSH_8.9p1",
    "http_response": null,
    "note": "SSH banner on HTTP port; inconsistency detected"
    }
    }
    ],
    "summary": {
    "real_services": 1,
    "probable_decoys": 1
    }
    },
    "signature_b64": "BASE64_SIGNATURE_PLACEHOLDER",
    "signed_at": "2025-09-28T12:36:00Z",
    "signer": "CN=Antonio_Socorro_ScanKey"
    }

    4) Operational Playbook (Checklist)

    Authorization: written authorization and clear scope (targets, windows, allowed IPs).

    Key generation: ECDSA P-256 keys generated inside HSM; publish only the public certificate.

    Initial reconnaissance: map open ports with low concurrency and human-like delays.

    Stateful probes: TLS (handshake + GET), SSH (banner + KEX detection), SMTP/FTP/Redis (EHLO/USER/PING), UDP payload-based probes.

    Recording: store pcap traces, session logs, and canonical JSON report.

    Signing: sign report with HSM/PKCS#11; include signer identifier and UTC timestamp.

    Delivery: provide signed report and hash manifest to authorized recipients.

    Key rotation: documented policy for key rotation and revocation.

    Metrics: in controlled tests, generate ROC metrics (false positives/negatives) to calibrate heuristics.

    5) Legal and Ethical Considerations

    Any probes interacting with real protocols must have explicit authorization.

    Avoid unauthorized authentication attempts, data modification, or exploitation. Probes must be limited to protocol validation.

    Maintain clear evidence custody procedures and retention policies.

    Conclusion

    I greatly appreciate the quality of the original analysis. The proposal included here aims to provide verifiable evidence, reduce ambiguity in interpreting banners, and facilitate integration of results into management infrastructures (PKI/CMS/IDMS).

    The code presented is a starting point: it includes operational examples for signing and validating results, and probes that complete real protocol flows rather than banners alone.

    Incorporating this approach into the tool’s pipeline would make reports audit-ready and significantly reduce the ability of banner-based deception to hide real services.

    • KL3FT3Z
      KL3FT3ZSep 29, 2025

      Thank you for your ideas, I completely agree with them, your contribution to the development of this program is extremely important and interesting for its further development and improvement of both the concept and the code itself. What you propose is most suitable for developing a professional offensive security tool for detecting honeypots and blue team programs. Thanks again for the ideas provided here. Since the license for my program is MIT, you can always rework it and add your innovative ideas, the only thing I ask is to let me know, please, the results of its work with new features or your github to study!

  • Antonio Jose Socorro Marin
    Antonio Jose Socorro MarinSep 29, 2025

    decoy-hunter — Countering the "All Ports Are Open" Deception
    Author: Antonio José Socorro Marín
    Date: September 28, 2025

    Executive Summary

    The approach outlined for decoy-hunter is solid and necessary in environments where all ports open deception techniques attempt to confuse attackers and automated scanners. The original proposal presents the problem clearly and offers a coherent technical design. I endorse this approach and submit this consolidated contribution to reinforce the proposal, clarify the architecture, document operational controls, and provide a reproducible validation mindset for professional adoption.

    1. Motivation

    Defensive deception techniques that make every TCP port appear open—implemented via iptables redirects, portspoof-like tools, or static banner emulators—seek to waste an adversary’s time and to cause false positives in automated scanning. However, many practical deployments are superficial and leave detectable artifacts:

    Banners change between scans without consistent protocol behavior.

    Static banner emulators lack stateful protocol logic.

    Fake services commonly reply identically to any input; real services do not behave that way.

    Mismatched protocols across ports (e.g., SSH banners returned on HTTP ports) betray deception.

    These weaknesses provide a practical opportunity for a counter-deception methodology that validates protocol behavior rather than trusting banners alone.

    1. Technical Objective

    decoy-hunter is conceived as a counter-deception framework with two primary objectives:

    Detect genuine, exploitable services hidden among high-noise deception layers.

    Provide defenders with a pragmatic tool to evaluate the effectiveness of their deception deployment and to identify misconfigurations that create false assurance.

    The tool is designed for authorized security assessments: red teams operating with permission, internal security validation, and joint offense-defense exercises.

    1. Design Principles

    decoy-hunter’s design rests on five core principles:

    Realistic Probing. Use legitimate client-style requests derived from a service probe database (e.g., nmap-service-probes), not ad-hoc strings. Examples: HTTP GET/HEAD with valid User-Agent, TLS ClientHello with SNI and ALPN, SMTP EHLO sequence, FTP USER/STAT, Redis PING, etc.

    Stateful Protocol Validation. Verify protocol state transitions and expected behaviors (e.g., SSH key-exchange sequence, TLS handshake completion and certificate properties, SMTP command sequences and reply codes). Banner matching alone is insufficient.

    Traffic Obfuscation (Anti-Detection). Use randomized delays, low concurrency defaults, varied request patterns and non-repeating sequences so traffic resembles legitimate client activity and reduces detection by simplistic scanner signatures.

    Data Minimization & Auditability. Default to not persisting response bodies. When payload capture is enabled it must be explicitly opted in and recorded under governance controls. Audit logs and exported reports should be signed to preserve integrity.

    Artifact Integrity. Maintain cryptographic integrity of the probes database and released artifacts (for example, sign the nmap-service-probes file). Verify signatures at runtime before using probes.

    1. Components & Architecture

    A modular architecture keeps responsibilities separated and facilitates review and adoption:

    decoy_hunter.py — CLI entrypoint and orchestration: argument parsing, execution policies, and reporting.

    probes.py — Probe implementation: sends requests, enforces jitter and concurrency, handles retries and timeouts. Implements async I/O (asyncio) for scalability.

    service_probes_parser.py — Parses the probe database (nmap-service-probes), performs signature verification, and normalizes probe definitions.

    fingerprints.py — Passive fingerprinting module: JA3/JA3S hashes for TLS, TCP/IP stack attributes (TTL, window sizes) and optional heuristics for OS/stack inference.

    scoring & assessment module — Aggregates probe results and computes a confidence score with an explanation vector (banner match, handshake success, multi-probe consistency, certificate validity, etc.).

    audit/forensics export — Produces signed JSON reports and optional PCAPs for evidence; supports encryption at rest for captured artifacts.

    testbed directory (recommended) — Docker compose setup to reproduce evaluation scenarios (real services, simple decoys, stateful fake services, IDS sensor).

    1. How It Works — Operational Flow

    Initialization & Integrity Check. Verify the signature of the probe database before parsing. Abort if verification fails.

    Targeting & Configuration. Accept host(s), port ranges, TCP/UDP mode, concurrency, and aversion settings (timing, stealth). By default, concurrency and timing are conservative.

    Probing Stage. Execute realistic probes according to the parsed probe definitions. For TLS endpoints, perform ClientHello and examine server responses. For SSH endpoints, attempt controlled handshake progress to validate KEX behavior without authenticating.

    Stateful Validation. Confirm that responses progress through expected protocol states and that malformed or variant inputs elicit protocol-consistent error handling.

    Cross-Probe Correlation. Compare responses across different probe types and ports on the same host for coherence (e.g., identical banners on multiple unrelated ports is suspicious).

    Scoring & Classification. Assign classification labels: REAL, FAKE, AMBIGUOUS. Provide confidence score (0.0–1.0) and the rationale decomposition.

    Reporting & Evidence. Emit console output and optional signed JSON report. If enabled, export PCAP and signed artifacts for audit.

    1. Example CLI & Sample Output

    Example invocations (illustrative):

    Scan top 10k TCP ports

    python3 decoy_hunter.py 192.168.1.10

    Include UDP scanning (slower)

    python3 decoy_hunter.py target.com --udp --concurrency 5

    Custom ports

    python3 decoy_hunter.py 10.0.0.5 --ports 22,80,443,8080,1234

    Sample output:

    [REAL] 22/tcp open ssh → SSH-2.0-OpenSSH_8.9p1 (confidence: 0.92)
    [FAKE] 8080/tcp open http → SSH-2.0-OpenSSH_8.9p1 ← 🚩 protocol mismatch (confidence: 0.12)
    [REAL] 443/tcp open https → HTTP/1.1 200 OK (confidence: 0.88)

    An SSH banner on port 8080 flagged as suspicious is an immediate indicator of deceptive configuration.

    1. Evaluation & Validation Strategy

    A robust validation approach is essential to prove efficacy and to quantify false positives/negatives:

    Testbed: Create a reproducible environment (Docker compose recommended) including:

    Real service containers: OpenSSH, nginx, SMTP server, Redis.

    Simple decoy containers: static banner servers returning a variety of banners on many ports.

    Stateful decoy containers: emulate partial protocol progress for TLS/SSH to challenge stateful checks.

    IDS sensor: Suricata/Zeek to measure detection patterns and to evaluate stealth settings.

    Metrics to collect:

    Precision and Recall for detection of real services.

    Mean time per host and scan duration under stealth settings.

    IDS activation rate: number of triggered alerts per scan configuration.

    False positive / false negative counts per decoy category.

    Test methodology: run systematic experiments varying:

    Decoy sophistication (static → stateful partial → stateful near-complete).

    Timing/concurrency profiles.

    Middlebox presence (load balancer, reverse proxy, NAT).

    1. Security, Privacy & Governance

    decoy-hunter is intended for authorized use only. Operational controls and governance must be enforced:

    Authorization & Evidence. Require documented authorization prior to scans. Record the authorization token reference or signed authorization artifact in audit records.

    Artifact Integrity. Sign probe databases and release artifacts using approved cryptographic primitives (ECDSA P-256 / SHA-256 recommended). Verify signatures at runtime.

    TLS Certificate Validation. Validate certificate chains and, where feasible, check revocation status (OCSP / CRL). Mark endpoints with certificate validation failures as ambiguous and include in the rationale.

    Data Minimization. Do not persist response bodies by default. If payloads are captured, apply encryption at rest and limit retention periods.

    Auditing & Signed Evidence. Export signed JSON reports and optional PCAPs for forensic review. Maintain chain-of-custody metadata where required by policy.

    Operational Safety. Avoid aggressive probing modes by default; do not perform destructive or intrusive actions unless explicitly authorized and documented.

    1. Contribution Statement

    I value the original design and approach of decoy-hunter. After a technical review, I contributed this consolidated document to clarify architecture, operational controls, and validation methodology so that the project can be adopted responsibly by professional teams. My contribution emphasizes integrity of artifacts, protocol-aware validation, evidence capture under governance, and reproducible testing.

    1. Implementation Notes (Operational Defaults)

    The following operational defaults are recommended for a conservative, professional posture:

    Default concurrency: low (e.g., 8).

    Default jitter between probes: randomized within a conservative window (e.g., 0.3–1.5s).

    Default payload persistence: disabled (opt-in via explicit flag).

    Require explicit interactive acknowledgment or an authorization token for production scans.

    Validate probes database signature prior to use.

    These defaults reduce the risk of accidental disruption and increase the likelihood that scans remain within acceptable detection bounds in a controlled authorized engagement.

    1. Final Remarks

    Deception can be an effective defensive tool, but bad deception can create a false sense of security. Practical evaluation requires tools that validate behavior rather than banners alone. decoy-hunter is a pragmatic counter-deception framework that pairs realistic probing with stateful protocol validation, traffic obfuscation, evidence integrity, and a reproducible validation strategy.

    I appreciate the original proposal and endorse this consolidation as a step toward a professional, auditable, and useful counter-deception capability. Real security demands resilience and verifiability — not artifice.

    • KL3FT3Z
      KL3FT3ZSep 29, 2025

      Thank you for your ideas, I completely agree with them, your contribution to the development of this program is extremely important and interesting for its further development and improvement of both the concept and the code itself. What you propose is most suitable for developing a professional offensive security tool for detecting honeypots and blue team programs. Thanks again for the ideas provided here. Since the license for my program is MIT, you can always rework it and add your innovative ideas, the only thing I ask is to let me know, please, the results of its work with new features or your github to study!

    • Samuel Adeduntan
      Samuel Adeduntan Oct 5, 2025

      Impressive consolidation, Antonio. This expanded documentation adds real maturity to the original Decoy-Hunter concept especially your emphasis on stateful validation, artifact integrity, and auditable evidence handling. The structured architecture and validation framework make it much easier for red and blue teams to adopt responsibly.

      Your inclusion of testbed reproducibility (Docker-based validation) and TLS/JA3 fingerprinting is particularly valuable for teams that want to measure deception effectiveness rather than just bypass it. One enhancement worth considering could be a modular reporting API (JSON/CSV export with confidence scoring) that integrates with SIEM or purple-team dashboards.

      Overall, this contribution bridges the gap between a proof-of-concept and a professionally governed offensive validation framework a solid step toward responsible counter-deception tooling. 👏

      • Antonio Jose Socorro Marin
        Antonio Jose Socorro MarinOct 8, 2025

        Thank you, Samuel, for your detailed and technically grounded assessment.
        Your comment reflects a precise understanding of the intent behind this consolidation — to transition Decoy-Hunter from a conceptual framework into a governed, reproducible, and auditable counter-deception system suitable for professional environments.
        I particularly appreciate your emphasis on stateful validation and artifact integrity, as these principles are central to ensuring that validation results can withstand forensic scrutiny and support both red and blue team accountability. Your observation regarding the testbed reproducibility aligns perfectly with the philosophy of controlled experimentation that drives this project.
        Your suggestion to introduce a modular reporting API with JSON/CSV export and confidence scoring is excellent. It would extend the framework toward direct interoperability with SIEM platforms and purple-team dashboards, enabling measurable deception metrics and automated evidence correlation. This integration will be considered in the next iteration under a structured reporting layer, maintaining the same cryptographic signing and auditability standards.
        I sincerely value your contribution — it helps strengthen the bridge between responsible offensive validation and verifiable defensive assurance.
        Thank you once again for engaging with the project in such a constructive and professional manner.

        — Antonio José Socorro Marín
        Author & Contributor, Decoy-Hunter Consolidated Framework

        • Samuel Adeduntan
          Samuel Adeduntan Oct 8, 2025

          Yeah, thanks

          • KL3FT3Z
            KL3FT3ZOct 13, 2025

            thank you, the ideas are really cool, as soon as I have time, I will try to implement them in the new version of the program.

  • Ali Farhat
    Ali FarhatSep 29, 2025

    Great post! 🙌

    • KL3FT3Z
      KL3FT3ZSep 29, 2025

      Thanx for you're assessment)))

  • Melissa ryan
    Melissa ryanOct 1, 2025

    As a victim of a cryptocurrency scam, I understand the frustration and fear that comes with losing significant investments. I was persuaded to invest $188,600 in what turned out to be a bogus platform, and the realization hit hard when I discovered I had been scammed. It felt like I had lost everything, especially since this was my life savings.
    However, after nearly losing hope, a friend recommended a service called RHIANNON RECOVERY LOST, and I decided to give it a try. Thanks to their expertise and dedication, I was able to recover my funds in just 42 hours.
    If you find yourself in a similar situation, I highly recommend reaching out to professionals with proven success in recovering lost crypto assets. With the right help, there is hope, and you can regain what was taken. Contact on via email: RHIANNONRECOVERYLOST@GMAIL.COM Also on Telegram or WhatsApp +1 (213) 783-6645..

  • Samuel Adeduntan
    Samuel Adeduntan Oct 5, 2025

    Great work this is a practical and well-thought-out counter-deception tool that moves beyond banner-matching to validate real protocol behavior. I especially like the use of nmap-service-probes and the traffic-obfuscation features to reduce detection. A few suggestions to increase impact: add TLS handshake/JA3 and certificate validation to better distinguish faux HTTPS; export findings with a confidence score and reproducible “failure signatures” so triage is easier; and include an output mode formatted for SIEM/ELK ingestion to help purple teams measure deception effectiveness. Finally, consider a short lab playbook (safe test plan + example benign targets) in the README so newcomers can evaluate responsibly. Overall excellent and timely tool for red/purple teams.

    • KL3FT3Z
      KL3FT3ZOct 5, 2025

      Thank you for your additions and ideas, they will really expand the program's capabilities and the accuracy of detecting fake ports and honeypots. Thank you for your high praise of my developments!

Add comment