🍯 16 honeypots in a single pypi package (DNS, HTTP Proxy, HTTP, HTTPS, SSH, POP3, IMAP, STMP, VNC, SMB, SOCKS5, Redis, TELNET, Postgres & MySQL)

Any chance you could support native JSON file logging? This would make ingesting into the ELK stack a lot more straight forward.

Currently there already is a JSON message part of the logs ...

[2022-01-21 11:24:16,395] [honeypotslogger_QSSHServer_57d43b72] [INFO] - ['servers', {'status': 'failed', 'ip': '1.2.3.4', 'port': 54161, 'username': 'adm', 'password': 'test'}]
[2022-01-21 11:24:17,055] [honeypotslogger_QSSHServer_57d43b72] [INFO] - ['servers', {'ip': '1.2.3.4', 'port': 44822}]
[2022-01-21 11:24:17,762] [honeypotslogger_QSSHServer_57d43b72] [INFO] - ['servers', {'status': 'failed', 'ip': '1.2.3.4', 'port': 44822, 'username': 'bob', 'password': 'bob'}]

... but having this type of format would be very helpful

{"timestamp": "2022-01-21T11:19:41.948469Z", "protocol": "ssh_server", "action": "connection", "src_ip": "1.2.3.4", "src_port": 30786, "dest_port": 22}
{"timestamp": "2022-01-21T11:19:43.350640Z", "protocol": "ssh_server", "action": "login", "status": "failed", "src_ip": "1.2.3.4", "src_port": 30786, "dest_port": 22, "username": "demo", "password": "password"}
{"timestamp": "2022-01-21T11:19:44.047591Z", "protocol": "ssh_server", "action": "connection", "src_ip": "1.2.3.4", "src_port": 2853, "dest_port": 22}
{"timestamp": "2022-01-21T11:19:46.211620Z", "protocol": "ssh_server", "action": "login", "status": "failed", "src_ip": "1.2.3.4", "src_port": 2853, "dest_port": 22, "username": "root", "password": "administrator"}

In my fork I adjusted all honeypots accordingly as a PoC if you are looking for samples.

Hi o/. I was wondering if it was possible to have a centralized log file, instead of creating new ones for each new event. This way one could monitor a single file instead of the entire folder.

Also, I've tried testing the DNS honeypot using nslookup and dig without luck, although the integrated startup test works just fine. Am i missing something? I've tried testing other ones like LDAP or SMB and they work just fine.

Thanks!

i have some problems with mysql. I'm running the mysql honeypot like this; python3 mysql_server.py --custom --port 3306

then i try to connect with mysql client; mysql -h 0.0.0.0 -p 3306 --user=test

it returns this error code; ERROR 2026 (HY000): SSL connection error: error:00000000:lib(0):func(0):reason(0)

than i try this; mysql -h 0.0.0.0 -p 3306 --user=root --ssl-mode=DISABLED

now current error is; ERROR 2000 (HY000): Unknown MySQL error

When I debug the code's errors it handles the connectionMade function. then connectionLost works. I can't get username and password because dataReceived is not working.

First of all, this is an awesome project and really simple to use. Thanks for it

Is it possible to run this honeypot in background like daemon, could be a real advantage.

As discussed in discussion #953 we need the possibility to forward X-Forwarded-For from origin (attacker) at honeypot, not from our loadbalancer. Please implement it to the sourcecode.

[2021-04-13 15:12:33] [ssh] [connection] -> {"ip": "127.0.0.1", "port": 52429} [2021-04-13 15:12:39] [ssh] [login] -> {"ip": "127.0.0.1", "password": "admin", "port": 52429, "status": "failed", "username": "admin"}

I want to save the output of honeypot to a log or file. How can I get the output of the console?

Hi, Thank you for this great repository!

I Am running some pots as a linux service under systemd. This causes an issue with the application mechanism, specifically I get an

EOFError: EOF when reading a line

which is caused due to this line which makes sense since there is not stdin.

I modified the input('') to a busy loop and it exit on SIGTERM properly.

Would you say it's a valid change?

Hello,

I'm running the build from scratch on fresh Debian Bullseye. And I spotted some small issues:

The chains DOCKER-ISOLATION-STAGE-1 and DOCKER in NAT table were non-existing, and I needed to create them manually: `1) Setup requirements (docker, docker-compose) 2) Test the project (All servers and Sniffer) 7) Run deploy 8) Run dev 9) Run test

2 Creating network "chameleon_backend" with the default driver ERROR: Failed to Setup IP tables: Unable to enable DROP INCOMING rule: (iptables failed: iptables --wait -I DOCKER-ISOL ATION-STAGE-1 -i br-a6a9464b3680 ! -d 172.24.0.0/16 -j DROP: iptables: No chain/target/match by that name. (exit status 1))`

The SMTP honeypot attempted to bind to 0.0.0.0 and it conflicted with my exim listening on 127.0.0.1, despite the fact I specified the interface and IP in the config.json file:

`Creating chameleon_honeypots_1 ... Creating chameleon_honeypots_1 ... error

ERROR: for chameleon_honeypots_1 Cannot start service honeypots: driver failed programming external connectivity on end point chameleon_honeypots_1 (7e0036301eb639a89e86d6b23ae5fb5ddab19936a3a019ffac92c29ee90195ac): Error starting userland proxy: listen tcp4 0.0.0.0:25: bind: address already in use`

Even after disabling my exim temporarily, I got errors in testing: honeypots_1 | honeypotslogger_QSMTPServer_e260509b - postgres connection is good honeypots_1 | Traceback (most recent call last): honeypots_1 | File "/usr/local/lib/python3.8/site-packages/honeypots/smtp_server.py", line 156, in honeypots_1 | qsmtpserver.run_server() honeypots_1 | File "/usr/local/lib/python3.8/site-packages/honeypots/smtp_server.py", line 126, in run_server honeypots_1 | self.smtp_server_main() honeypots_1 | File "/usr/local/lib/python3.8/site-packages/honeypots/smtp_server.py", line 103, in smtp_server_main honeypots_1 | CustomSMTPServer((self.ip, self.port), None) honeypots_1 | File "/usr/local/lib/python3.8/site-packages/honeypots/smtp_server.py", line 94, in init honeypots_1 | SMTPServer.init(self, localaddr, remoteaddr) honeypots_1 | File "/usr/local/lib/python3.8/smtpd.py", line 650, in init honeypots_1 | self.bind(localaddr) honeypots_1 | File "/usr/local/lib/python3.8/asyncore.py", line 326, in bind honeypots_1 | return self.socket.bind(addr) honeypots_1 | OSError: [Errno 99] Cannot assign requested address `

Some errors about SMB2:

Traceback (most recent call last): honeypots_1 | File "/usr/local/lib/python3.8/site-packages/impacket/smbserver.py", line 4270, in processRequest honeypots_1 | respCommands, respPackets, errorCode = self.__smb2Commands[smb2.SMB2_NEGOTIATE]( honeypots_1 | File "/usr/local/lib/python3.8/site-packages/impacket/smbserver.py", line 2696, in smb2Negotiate honeypots_1 | raise Exception('SMB2 not supported, fallbacking') honeypots_1 | Exception: SMB2 not supported, fallbacking honeypots_1 | Traceback (most recent call last): honeypots_1 | File "/usr/local/lib/python3.8/site-packages/impacket/smbserver.py", line 4270, in processRequest honeypots_1 | respCommands, respPackets, errorCode = self.__smb2Commands[smb2.SMB2_NEGOTIATE]( honeypots_1 | File "/usr/local/lib/python3.8/site-packages/impacket/smbserver.py", line 2696, in smb2Negotiate honeypots_1 | raise Exception('SMB2 not supported, fallbacking') honeypots_1 | Exception: SMB2 not supported, fallbacking ` And SSH:

honeypots_1 | honeypotslogger_QSSHServer_321de821 - postgres connection is good honeypots_1 | Exception: Error reading SSH protocol banner honeypots_1 | Traceback (most recent call last): honeypots_1 | File "/usr/local/lib/python3.8/site-packages/paramiko/transport.py", line 2211, in _check_banner honeypots_1 | buf = self.packetizer.readline(timeout) honeypots_1 | File "/usr/local/lib/python3.8/site-packages/paramiko/packet.py", line 380, in readline honeypots_1 | buf += self._read_timeout(timeout) honeypots_1 | File "/usr/local/lib/python3.8/site-packages/paramiko/packet.py", line 609, in _read_timeout honeypots_1 | raise EOFError() honeypots_1 | EOFError honeypots_1 | honeypots_1 | During handling of the above exception, another exception occurred: honeypots_1 | honeypots_1 | Traceback (most recent call last): honeypots_1 | File "/usr/local/lib/python3.8/site-packages/paramiko/transport.py", line 2039, in run honeypots_1 | self._check_banner() honeypots_1 | File "/usr/local/lib/python3.8/site-packages/paramiko/transport.py", line 2215, in _check_banner honeypots_1 | raise SSHException( honeypots_1 | paramiko.ssh_exception.SSHException: Error reading SSH protocol banner honeypots_1 |`

Please let me know if you want to get some additional information about my system, in order to help fixing these small issues.

HI,When I finish the install，i try run it，input python38 -m honeypots --setup ssh but I get back this error message: `Traceback (most recent call last): File "C:\Python37\lib\runpy.py", line 183, in _run_module_as_main mod_name, mod_spec, code = _get_module_details(mod_name, _Error) File "C:\Python37\lib\runpy.py", line 142, in _get_module_details return _get_module_details(pkg_main_name, error) File "C:\Python37\lib\runpy.py", line 109, in get_module_details import(pkg_name) File "C:\Python37\lib\site-packages\honeypots_init.py", line 2, in <module

from .__main__ import main_logic

File "C:\Python37\lib\site-packages\honeypots_main_.py", line 11, in from signal import signal, alarm, SIGALRM, SIG_IGN ImportError: cannot import name 'alarm' from 'signal' (C:\Python37\lib\signal.py )`

Hello,

First of all many thanks for this great work. I'm trying to install honeypots as a service with systemd integration.

My /etc/systemd/system/honeypots.service

[Unit] After=network.target

[Service] ExecStart=/usr/bin/python3 -m honeypots --setup ssh,mysql,http,https,ftp,ntp,postgres,httpproxy,socks5,elastic --config /etc/honeypots/config.json

[Install] WantedBy=default.target

The service start perfectly but end as soon as its started, I suppose this is due to the parent process dying, I'm not sure, I'm not a specialist. I just want to make things clean and standard. Any advice to help me ti achieve this ?

Thanks in advance.

Regards,

This cause a behavior change - Instead of exiting the process using any key, a SIGTERM should be sent (i.e CTRL-C)

Things to think about

• Perhaps fallback to this behavior using a flag?

After installing honeypots via pip3, I'm getting no results for the following commands:

python3 -m honeypots --setup all python3 -m honeypots --list

Nothing happens -- no success, no error, no log Any idea of what could be happening?

Python 3.6.9 Ubuntu 18.04

We have a load Balancer in front and we use the "new" X-Forwarded-For Option for the Traffic. When we count the send requests on the Load Balancer and compare them with the result on the qeeqbox there are requests missing.

The Problem is that the qeeqbox sends a RST back.

After further investigation we found that the URL is the reason for the reset from the qeeqbox .

Example:

> GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1
> Host: X.X.X.X
> User-Agent: curl/7.58.0
> Accept: */*
>
* OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104
* stopped the pause stream!
* Closing connection 0
* TLSv1.3 (OUT), TLS Unknown, Unknown (21):
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 104

What Steps on the qeeqbox will help to get more details of the Reset?

I am trying to make some connection attempt on SIP protocol using the sipp utility, however the utility is sending connections to the port 5060, but the honeypot running on the same is not capturing anything as the sip.log is empty.

the command performed is as follows

sipp 192.168.100.27:5060 -au admin -ap admin

the config.json is as follows ...

"sip":{ "port":5060, "ip":"192.168.100.27", "username":"admin", "password":"admin", "log_file_name":"sip.log", "max_bytes":10000, "backup_count":10, "options":["capture_commands"] }

The following are the logs from the sipp utility.

----------------------------- Statistics Screen ------- [1-9]: Change Screen -- Start Time | 2022-07-30 07:16:22:444 1659179782.444098
Last Reset Time | 2022-07-30 07:16:35:468 1659179795.468695
Current Time | 2022-07-30 07:16:36:450 1659179796.450314
-------------------------+---------------------------+-------------------------- Counter Name | Periodic value | Cumulative value -------------------------+---------------------------+-------------------------- Elapsed Time | 00:00:00:981 | 00:00:14:006
Call Rate | 10.194 cps | 9.996 cps
-------------------------+---------------------------+-------------------------- Incoming call created | 0 | 0
OutGoing call created | 10 | 140
Total Call created | | 140
Current Call | 1 |
-------------------------+---------------------------+-------------------------- Successful call | 9 | 139
Failed call | 0 | 0
-------------------------+---------------------------+-------------------------- Response Time 1 | 00:00:00:007 | 00:00:00:009
Call Length | 00:00:00:015 | 00:00:00:018
------------------------------ Test Terminated --------------------------------

2022-07-30 07:16:36:357 1659179796.357174: Dead call [email protected] (successful), received 'SIP/2.0 200 OK Via: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-12601-139-7;received=192.168.100.36 To: service sip:[email protected]:5060 From: sipp sip:[email protected]:5060;tag=12601SIPpTag00139 Call-ID: [email protected] CSeq: 2 BYE

Sorry I am not that familiar with how SIP protocol works, or am I missing something?

Can you also please let me know if there is any tool I can use to simulate some connections to SIP honeypot.

Can you add a sample config file that has all the options including ability to capture commands for some of the services you mentioned.

currently im using the modified tpot.txt, what else can be added into this

{
   "logs":"file,terminal,json",
   "logs_location":"/honeypots/logs",
   "filter":"",
   "interface":"",
   "honeypots":{
      "ftp":{
         "port":21,
         "ip":"0.0.0.0",
         "username":"ftp",
         "password":"anonymous",
         "log_file_name":"ftp.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "httpproxy":{
         "port":8080,
         "ip":"0.0.0.0",
         "username":"admin",
         "password":"admin",
         "log_file_name":"httpproxy.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "http":{
         "port":80,
         "ip":"0.0.0.0",
         "username":"admin",
         "password":"admin",
         "log_file_name":"http.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "https":{
         "port":443,
         "ip":"0.0.0.0",
         "username":"admin",
         "password":"admin",
         "log_file_name":"https.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "imap":{
         "port":143,
         "ip":"0.0.0.0",
         "username":"root",
         "password":"123456",
         "log_file_name":"imap.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "mysql":{
         "port":3306,
         "ip":"0.0.0.0",
         "username":"root",
         "password":"123456",
         "log_file_name":"mysql.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "pop3":{
         "port":110,
         "ip":"0.0.0.0",
         "username":"root",
         "password":"123456",
         "log_file_name":"pop3.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "postgres":{
         "port":5432,
         "ip":"0.0.0.0",
         "username":"postgres",
         "password":"123456",
         "log_file_name":"postgres.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "redis":{
         "port":6379,
         "ip":"0.0.0.0",
         "username":"root",
         "password":"",
         "log_file_name":"redis.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "smb":{
         "port":445,
         "ip":"0.0.0.0",
         "username":"administrator",
         "password":"123456",
         "folders":"r&dbackup:/backup,secret:/secret,auth:/auth,vault:/vault",
         "log_file_name":"smb.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "smtp":{
         "port":25,
         "ip":"0.0.0.0",
         "username":"root",
         "password":"123456",
         "log_file_name":"smtp.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "socks5":{
         "port":1080,
         "ip":"0.0.0.0",
         "username":"admin",
         "password":"admin",
         "log_file_name":"socks5.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "ssh":{
         "port":22,
         "ip":"0.0.0.0",
         "username":"root",
         "password":"123456",
         "log_file_name":"ssh.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "telnet":{
         "port":23,
         "ip":"0.0.0.0",
         "username":"root",
         "password":"123456",
         "log_file_name":"telnet.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "vnc":{
         "port":5900,
         "ip":"0.0.0.0",
         "username":"administrator",
         "password":"123456",
         "log_file_name":"vnc.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "elastic":{
         "port":9200,
         "ip":"0.0.0.0",
         "username":"elastic",
         "password":"123456",
         "log_file_name":"elastic.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "mssql":{
         "port":1433,
         "ip":"0.0.0.0",
         "username":"sa",
         "password":"",
         "log_file_name":"mssql.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "ldap":{
         "port":389,
         "ip":"0.0.0.0",
         "username":"administrator",
         "password":"123456",
         "log_file_name":"ldap.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "ntp":{
         "port":123,
         "ip":"0.0.0.0",
         "username":"administrator",
         "password":"123456",
         "log_file_name":"ntp.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "memcache":{
         "port":11211,
         "ip":"0.0.0.0",
         "username":"admin",
         "password":"123456",
         "log_file_name":"memcache.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "oracle":{
         "port":1521,
         "ip":"0.0.0.0",
         "username":"bi",
         "password":"123456",
         "log_file_name":"oracle.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "snmp":{
         "port":161,
         "ip":"0.0.0.0",
         "username":"privUser",
         "password":"123456",
         "log_file_name":"snmp.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "irc":{
         "port":6667,
         "ip":"0.0.0.0",
         "username":"ircUser",
         "password":"123456",
         "log_file_name":"irc.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "sip":{
         "port":5060,
         "ip":"0.0.0.0",
         "username":"admin",
         "password":"123456",
         "log_file_name":"sip.log",
         "max_bytes":1000000,
         "backup_count":10
      },
      "sock5":{
         "port":1080,
         "ip":"0.0.0.0",
         "username":"admin",
         "password":"123456",
         "log_file_name":"sock5.log",
         "max_bytes":1000000,
         "backup_count":10
      },
   },
   "custom_filter":{
      "honeypots":{
         "change":{
            "server":"protocol"
         },
         "contains":[
            "protocol",
            "action",
            "src_ip",
            "src_port",
            "dest_ip",
            "dest_port"
         ],
         "remove":[
            
         ],
         "options":[
            "remove_errors",
            "remove_init",
            "remove_word_server"
         ]
      }
   }
}