From 3d53fafdf3d0e0f38fce2a9e8bd030846066d815 Mon Sep 17 00:00:00 2001
From: Stephen Chavez 
Date: Wed, 27 Apr 2016 08:58:45 -0600
Subject: [PATCH 1/8] First edit of readme.

---
 README.md | 136 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 135 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 1a74ae9..e74b1ae 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,139 @@
 # SuperHoneyPot
+The honey pot allows connections to be made to it, and mimics the appropriate protocols without actually allowing access. It gathers information from whoever attempts the connection, and stores the information remotely in a MongoDB database. This application was built around running on a RaspberryPi Zero to make it easy to deploy in any physical environment with a network. We wanted a cost effective solution that could be installed in a matter of minutes.
+
+Navigation
+----------
+[SuperHoneyPot](#superhoneypot) |
+[Requirements](#requirements) |
+[Folder Structure](#folder-structure) |
+[Installation](#installation) |
+[Development](#development) |
+[Deployment](#deployment) |
+[Contributions](#contributions) |
+[Team](#team) |
+[Copyright](#copyright) |
+[Licence](#licence) |
+[Contact](#contact)
+
+
+Requirements
+------------
+This project assumes you have some python know how.
+
+Folder Structure
+----------------
+
+.
+├── blah.txt
+├── honeypot
+│   ├── CHANGELOG.md
+│   ├── data_files
+│   │   ├── __init__.py
+│   │   ├── mail_info.txt
+│   │   ├── mongoClient.txt
+│   │   ├── plugins.txt
+│   │   ├── privateSSHKey.key
+│   │   └── ssl.pem
+│   ├── db_interface
+│   │   ├── honeypot_db_interface.py
+│   │   ├── honeypot_db_interface.pyc
+│   │   ├── __init__.py
+│   │   └── python_mail.py
+│   ├── demo_server.log
+│   ├── honey_loader
+│   │   ├── __init__.py
+│   │   ├── loader.py
+│   │   ├── loader.pyc
+│   │   ├── __main__.py
+│   │   ├── pluginsReader.py
+│   │   └── version.py
+│   ├── __init__.py
+│   ├── LICENSE
+│   ├── MANIFEST.in
+│   ├── plugins
+│   │   ├── http_reader.py
+│   │   ├── http_reader.pyc
+│   │   ├── https_reader.py
+│   │   ├── https_reader.pyc
+│   │   ├── __init__.py
+│   │   ├── ssh_plugin.py
+│   │   ├── ssh_plugin.pyc
+│   │   ├── telnet_reader.py
+│   │   └── telnet_reader.pyc
+│   ├── README.txt
+│   ├── requirements.txt
+│   ├── requires.txt
+│   ├── setup.py
+│   └── tests
+│       ├── http_reader_test.py
+│       ├── https_reader_test.py
+│       ├── loader_test.py
+│       ├── plugin_test.py
+│       ├── ssh_plugin_test.py
+│       └── telnet_reader_test.py
+└── README.md
+
+6 directories, 42 files
+
+
+
+Installation
+------------
+
+
+Development
+-----------------------
+put text here.
+
+Deployment
+----------
+There are a few ways to run the app, but first edit the login details for the database and email (used for adminsterating) under data_files folder. Then run `sudo python honeypot/honey_loader/loader.py` to test your changes. Or you can create a package for your OS.
+
+For Debian: You'll need stdeb then run `python setup.py --command-packages=stdeb.command bdist_deb` in the honeypot folder. Install the .deb file. Then run `sudo honeypot`
+
+For Pip: Run `python setup.py sdist` then run `sudo python setup.py install` To run it `sudo honeypot`
+
+Please note that your config files in data_files will be whatever they are set to when building a package. You may need to change them after installing the package.
+
+Contributions
+-------------
+We would love for other people to contribute to this. All work should be done on feature-specific branches and pull requests will be moderated by admins. :)
+
+#### General workflow
+* `Make a new fork`
+* `git branch `
+* `git checkout `
+* `git push -u origin `
+
+Team
+----
+
+- Chris Benda
+- Stephen Chavez
+- Fred Montoya
+- Mikhail Batkalin
+- Brad Gill
+- William King
+
+Copyright
+---------
+© 2016 Stephen Chavez
+
+Licence
+-------
+AGPL
+
+Contact
+-------
+Email: stephen.chavez12@gmail.com
+
+
 Requirements are here: https://github.com/redragonx/HoneyPotExtras
-[![Build Status](https://travis-ci.org/TheFixers/SuperHoneyPot.svg?branch=master)](https://travis-ci.org/TheFixers/SuperHoneyPot)
\ No newline at end of file
+[![Build Status](https://travis-ci.org/TheFixers/SuperHoneyPot.svg?branch=master)](https://travis-ci.org/TheFixers/SuperHoneyPot)
From a07da4ca3c937c05c840ed9bbfcb8ffe01772ded Mon Sep 17 00:00:00 2001
From: Stephen Chavez 
Date: Wed, 27 Apr 2016 09:01:32 -0600
Subject: [PATCH 2/8] Update setup.py

---
 honeypot/setup.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/honeypot/setup.py b/honeypot/setup.py
index cc25b1f..f44076f 100644
--- a/honeypot/setup.py
+++ b/honeypot/setup.py
@@ -63,7 +63,7 @@
 description='A plugin based honeypot that\'s easy to install and use.',
 long_description=long_description,
 author='Chris Benda, Stephen Chavez, Fred Montoya, Mikhail Batkalin, Brad Gill, William King',
- author_email='stephen.chavez12@gmail.com',
+ author_email='stephen@dicesoft.net',
 url='https://github.com/redragonx/SuperHoneyPot',
 packages=find_packages(),
 package_data={
@@ -92,4 +92,4 @@
 'Topic :: System :: Systems Administration',
 'Topic :: Networking :: Network Sniffer'
 ],
-)
\ No newline at end of file
+)
From b40bba32a6741773cf744a2ef5e0806187edd8dc Mon Sep 17 00:00:00 2001
From: Stephen Chavez 
Date: Wed, 27 Apr 2016 09:02:45 -0600
Subject: [PATCH 3/8] Update README.md

---
 README.md | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index e74b1ae..05c1cc3 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # SuperHoneyPot
-The honey pot allows connections to be made to it, and mimics the appropriate protocols without actually allowing access. It gathers information from whoever attempts the connection, and stores the information remotely in a MongoDB database. This application was built around running on a RaspberryPi Zero to make it easy to deploy in any physical environment with a network. We wanted a cost effective solution that could be installed in a matter of minutes.
+The honey pot allows connections to be made to it, and mimics the appropriate protocols that are defined as plugins without actually allowing access. It gathers information from whoever attempts the connection, and stores the information remotely in a MongoDB database. This application was built around running on a RaspberryPi Zero to make it easy to deploy in any physical environment with a network. We wanted a cost effective solution that could be installed in a matter of minutes.
 Navigation
 ----------
@@ -131,9 +131,4 @@ AGPL
 Contact
 -------
-Email: stephen.chavez12@gmail.com
-
-
-Requirements are here: https://github.com/redragonx/HoneyPotExtras
-
-[![Build Status](https://travis-ci.org/TheFixers/SuperHoneyPot.svg?branch=master)](https://travis-ci.org/TheFixers/SuperHoneyPot)
+Email: stephen.chavez12@gmail.com
From ebf46ac612dcef259729e7d2123e81375617f791 Mon Sep 17 00:00:00 2001
From: Stephen Chavez 
Date: Wed, 27 Apr 2016 09:04:06 -0600
Subject: [PATCH 4/8] Update README.md

---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/README.md b/README.md
index 05c1cc3..4cc120b 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,12 @@
 The honey pot allows connections to be made to it, and mimics the appropriate protocols that are defined as plugins without actually allowing access. It gathers information from whoever attempts the connection, and stores the information remotely in a MongoDB database. This application was built around running on a RaspberryPi Zero to make it easy to deploy in any physical environment with a network. We wanted a cost effective solution that could be installed in a matter of minutes.
+
+Text file Client Requirements are here: https://github.com/redragonx/HoneyPotExtras
+
+[![Build Status](https://travis-ci.org/TheFixers/SuperHoneyPot.svg?branch=master)](https://travis-ci.org/TheFixers/SuperHoneyPot)
+
+
 Navigation
 ----------
 [SuperHoneyPot](#superhoneypot) |
From 5d3a58fcf8cb5620427c5dd5fe11c9863c305180 Mon Sep 17 00:00:00 2001
From: Stephen Chavez 
Date: Wed, 27 Apr 2016 09:05:16 -0600
Subject: [PATCH 5/8] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4cc120b..68eea4b 100644
--- a/README.md
+++ b/README.md
@@ -137,4 +137,4 @@ AGPL
 Contact
 -------
-Email: stephen.chavez12@gmail.com
+Email: stephen@dicesoft.net
From 6af00b0dbbef182282350e861c6bf6147959ed20 Mon Sep 17 00:00:00 2001
From: "Chris Benda \"daemoniclegend" 
Date: Thu, 28 Apr 2016 17:50:48 -0600
Subject: [PATCH 6/8] Update README.md

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 68eea4b..c8d5b98 100644
--- a/README.md
+++ b/README.md
@@ -88,8 +88,8 @@ Installation
 ------------
  • Install Python 2.7.11
  • -
  • You must have a MongoDB server installed somewhere
  • -
  • Install dependencies: go to your root project directory and type pip -r requirements.txt
  • +
  • You will need to have an instance of MongoDB server installed remotely, and add the access details to the mongoClient.txt configuration file.
  • +
  • Install dependencies: go to your project directory and type pip -r requirements.txt
  • Install nose tests if you want to run the tests
From f1b952dd118b458b20276cc984392b8705d4b6e1 Mon Sep 17 00:00:00 2001
From: fred15 
Date: Sat, 30 Apr 2016 10:05:21 -0600
Subject: [PATCH 7/8] changes to pluginreader.py and loader

---
 honeypot/data_files/plugins.txt | 2 +-
 honeypot/honey_loader/loader.py | 7 ++-
 honeypot/honey_loader/pluginsReader.py | 65 +++++++++++++-------------
 3 files changed, 36 insertions(+), 38 deletions(-)

diff --git a/honeypot/data_files/plugins.txt b/honeypot/data_files/plugins.txt
index fe42061..d49534b 100644
--- a/honeypot/data_files/plugins.txt
+++ b/honeypot/data_files/plugins.txt
@@ -2,4 +2,4 @@ http_reader 80 8080 25
 https_reader 443 17603
 ssh_plugin 22 4343 111
-telnet_reader 23 25
+telnet_reader 23 100-110
diff --git a/honeypot/honey_loader/loader.py b/honeypot/honey_loader/loader.py
index 711ad2c..e130d49 100644
--- a/honeypot/honey_loader/loader.py
+++ b/honeypot/honey_loader/loader.py
@@ -54,10 +54,9 @@ def start():
 try:
 # Read through the plugin list and load them with the indicated ports
 lock = threading.Lock()
- for line in lines:
- plug = line.pop(0) #first index is plugin name
- plugin = __import__(plug)
- for port in line:
+ for key in lines: #first index is plugin name
+ plugin = __import__(key)
+ for port in lines[key]:
 try:
 plugins.append(plugin.server_plugin(lock, port))
 except socket.error as msg:
diff --git a/honeypot/honey_loader/pluginsReader.py b/honeypot/honey_loader/pluginsReader.py
index c42d914..d9bf0ce 100644
--- a/honeypot/honey_loader/pluginsReader.py
+++ b/honeypot/honey_loader/pluginsReader.py
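Review bot: The comment kept on the rewritten loop, `#first index is plugin name`, no longer describes the code: `lines` is now a dict keyed by plugin name, so there is no first index — `# lines maps plugin module name -> list of port strings` is what the loop actually walks. A plain dict has no defined iteration order in Python 2 (the series uses `print` statements), so plugins are no longer started in plugins.txt order; if start order matters, build the dict as an OrderedDict in pluginsReader rather than here. The key goes straight into `__import__(key)` and the README in this same series runs the loader with `sudo`, so any importable module name placed in plugins.txt is executed as root — that behaviour predates the patch, but the import site deserves a one-line warning such as `# plugins.txt is trusted config: every name listed here is imported and run`. The `start()` body continues past the hunk.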
@@ -23,11 +23,7 @@
 def lineReader():
 path = os.path.dirname(os.path.realpath(__file__)).replace("honey_loader", "data_files")
 text_file = open(path + os.path.sep + "plugins.txt", "r")
- lines = removeExtraLines(re.split ('\n', text_file.read()))
- lines = lines_to_line_plus_port(lines)
- lines = dashes(lines)
- lines = repeat_check(lines)
- return lines
+ return removeExtraLines(re.split ('\n', text_file.read()))
 """
 removes lines that start with # and blank lines
@@ -37,26 +33,37 @@ def removeExtraLines(lines):
 for line in lines:
 if line != '' and line[:1] != '#' and not line.isspace():
 temp.append(line)
- return temp
+ return lines_to_line_plus_port(temp)
 """
- array example ['http_reader', '80', '1111']
- returns plugin in first lines_to_line_plus_port(position followed by ports to be used by plugin)
+ temp example [['http_reader', '80', '1111'], ...]
+ arr example {'http_reader' : ['80', '1111'], ...}
+ returns plugin in first plines_to_line_plus_port(osition followed by ports to be used by plugin
 """
 def lines_to_line_plus_port(lines):
 temp = []
+ arr = {}
 for line in lines:
 temp.append(line.split())
- return temp
+
+ for line in temp:
+ key = line.pop(0);
+ if key in arr:
+ arr[key] = set(arr[key] + line)
+ else:
+ arr[key] = line
+ return dashes(arr)
 """
 Checks to see if there are dashes in between port numbers, and then creates a range of ports to open
+ lines begining example {'http_reader' : ['80-82', '1111'], ...}
+ lines ending example {'http_reader' : ['80', '81', '82', '1111'], ...}
+
 """
 def dashes(lines):
- temp = []
 lineArray = []
- for line in lines:
- for port in line:
+ for key in lines:
+ for port in lines[key]:
 if '-' in port:
 ranges = port.split('-')
 lowerLimit = int(float(ranges[0]))
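Review bot: The rewritten `return removeExtraLines(re.split ('\n', text_file.read()))` still reads from a handle that is never closed; the `text_file = open(...)` on the context line above has no `with`, so `with open(path + os.path.sep + "plugins.txt", "r") as text_file: return removeExtraLines(re.split('\n', text_file.read()))` would release it on every path. With the four stages now chained by tail-calls inside each other, nothing in lineReader tells the reader what comes back; a docstring along the lines of `Parse plugins.txt into {plugin_module_name: [port, ...]} with dash ranges expanded and duplicate ports dropped.` would restore that.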
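Review bot: `arr[key] = set(arr[key] + line)` in lines_to_line_plus_port only survives a second occurrence of a plugin name: on a third occurrence `arr[key]` is already a `set`, and `set + list` raises TypeError, while even on the second the value silently switches type from list to set, so that plugin's ports come out in arbitrary order. Replacing both branches with `arr.setdefault(key, []).extend(line)` keeps one type and file order, and repeat_check already drops the duplicate ports this merge can produce. The rewritten docstring above the function is garbled — `returns plugin in first plines_to_line_plus_port(osition …` — and should read `returns a dict mapping plugin name to its list of port strings (ranges still unexpanded)`. Because each stage now tail-calls the next (removeExtraLines → lines_to_line_plus_port → dashes → repeat_check), none of these functions can be called or unit-tested on its own any more, which a plain pipeline in lineReader avoided. The `dashes` body continues past the hunk.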
@@ -70,34 +77,26 @@ def dashes(lines):
 lineArray.append(str(upperLimit))
 else:
 lineArray.append(port)
- temp.append(lineArray[:])
+ lines[key] = lineArray[:]
 del lineArray[:]
- return temp
+ return repeat_check(lines)
 """
 Checks the list again for repeats of plugin names or duplicate port numbers.
 """
 def repeat_check(lines):
 ports = []
- plugins = []
- array = []
- temp = []
- for line in lines:
- if not line[0] in plugins:
- plugins.append(line[0])
- array.append(line.pop(0))
- for port in line:
- if not port in ports:
- ports.append(port)
- array.append(port)
- else:
- print 'Error: attempted to open port:' + port + ' twice. This is not allowed. Only running first mention.'
- temp.append(array[:])
- del array[:]
- else:
- print 'Error: attempted to have multiple lines of plugin: ' + line[0] + '. This is not allowed.'
-
- return temp
+ useablePorts = []
+ for key in lines:
+ for port in lines[key]:
+ if not port in ports:
+ ports.append(port)
+ useablePorts.append(port)
+ else:
+ print 'Error: attempted to open port:' + port + ' twice. This is not allowed. Only running first mention.'
+ lines[key] = useablePorts[:]
+ del useablePorts[:]
+ return lines
 if __name__ == '__main__':
From a198d19644badf4c2182ed20816f7aa85047f1b7 Mon Sep 17 00:00:00 2001
From: fred15 
Date: Sat, 30 Apr 2016 10:43:51 -0600
Subject: [PATCH 8/8] fixes to telnet

---
 honeypot/plugins/telnet_reader.py | 133 ++++++++++++++++--------------
 1 file changed, 71 insertions(+), 62 deletions(-)

diff --git a/honeypot/plugins/telnet_reader.py b/honeypot/plugins/telnet_reader.py
index 5a7bd94..9f98478 100644
--- a/honeypot/plugins/telnet_reader.py
+++ b/honeypot/plugins/telnet_reader.py
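Review bot: The "Only running first mention" rule in the rewritten repeat_check now depends on dict iteration order rather than file order — `ports` is shared across every plugin and `for key in lines` walks a plain dict — so when two plugins list the same port (plugins.txt had 25 under both http_reader and telnet_reader until this very patch) which plugin wins is arbitrary in Python 2. Iterating `for key in sorted(lines):` here makes the outcome at least deterministic, or build `arr` as an OrderedDict upstream to keep file order, and state the rule in the docstring. That docstring is stale either way: it still claims to check for repeated plugin names, which this function no longer does — `Drops any port already claimed by another plugin; repeated plugin names are merged before this point.` Nothing checks that a port token is numeric and within 0–65535, so a stray `abc` or `70000` in plugins.txt passes through `dashes` untouched and only blows up when the plugin tries to bind it; an `int(port)` range check in this loop, reported with the same `print 'Error: ...'` style, would reject it at load time. The `dashes` body begins before this hunk.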
@@ -134,75 +134,84 @@ def run(self):
 while True:
 #Receiving from client
- data = self.conn.recv(4096)
- # print repr(data)
- if len(data) == 4096:
- if overFlow:
- if self.data == '':
- self.data = 'OVERFLOW ATTEMPT'
+ try:
+ data = self.conn.recv(4096)
+ # print repr(data)
+ if len(data) == 4096:
+ if overFlow:
+ if self.data == '':
+ self.data = 'OVERFLOW ATTEMPT' + data[0:10]
+ else:
+ self.data = ' || OVERFLOW ATTEMPT'+ data[0:10]
+ break
+ overFlow = True;
+
+ if '\xff\xf3\xff\xfd\x06' in data :
+ datarecieved += 'ctrl+\ was pressed'
+ elif "\r\n" in data or '\r\x00' in data :
+
+ datarecieved = datarecieved + data
+ datarecieved = datarecieved.replace('\r\n','')
+ datarecieved = datarecieved.replace('\r\x00','')
+
+ if i == 0:
+ if len(datarecieved) > 128:
+ self.username = datarecieved[0:127]
+ else:
+ self.username = datarecieved
+ if not linux:
+ self.conn.send(' ')
+ self.conn.send('password: ')
+ i += 1
+ elif i == 1:
+ if len(datarecieved) > 128:
+ self.password = datarecieved[0:127]
+ else:
+ self.password = datarecieved
+ if linux:
+ self.conn.send('>> ')
+ else:
+ self.conn.send(' ')
+ i += 1
 else:
- self.data = ' || OVERFLOW ATTEMPT'
+ overFlow = False
+ if self.data == '':
+ self.data = datarecieved
+ else:
+ self.data = self.data +" || "+ datarecieved
+ if '\r\x00' in data:
+ self.conn.send('\nInvalid command\n')
+ else:
+ self.conn.send('Invalid command\n')
+ if linux:
+ self.conn.send('>> ')
+ i += 1
+ datarecieved = ""
+ # first line on connection with linux is this giant string so just removing that nonsense
+ elif not '\xff\xfd\x03\xff\xfb\x18\xff\xfb\x1f\xff\xfb \xff\xfb!\xff\xfb"\xff\xfb\'\xff\xfd\x05\xff\xfb#' == data :
+ if 0 == i:
+ linux = False
+ datarecieved = datarecieved + data
+
+ # these two are ctrl+c in linux and in windows. Easier way to end program.
+ if i == 12 or '\xff\xf4\xff\xfd\x06' == data or '\x03' == data or not data:
+ self.lock.acquire()
+ print self.ip + ':' + str(self.socket) + ': ' + 'Connection terminated.'
+ self.lock.release()
 break
- overFlow = True;
-
- if '\xff\xf3\xff\xfd\x06' in data :
- data.replace('\xff\xf3\xff\xfd\x06',' ctrl+\\')
- elif "\r\n" in data or '\r\x00' in data :
- datarecieved = datarecieved + data
- datarecieved = datarecieved.replace('\r\n','')
- datarecieved = datarecieved.replace('\r\x00','')
- datarecieved = datarecieved.replace('\xff\xf3\xff\xfd\x06',' ctrl+\\')
+ if len(self.data) > 128 :
+ self.data = self.data[0:127]
+ break
- if i == 0:
- if len(datarecieved) > 128:
- self.username = datarecieved[0:127]
- else:
- self.username = datarecieved
- if not linux:
- self.conn.send(' ')
- self.conn.send('password: ')
- i += 1
- elif i == 1:
- if len(datarecieved) > 128:
- self.password = datarecieved[0:127]
- else:
- self.password = datarecieved
- if linux:
- self.conn.send('>> ')
- else:
- self.conn.send(' ')
- i += 1
+ except SocketError as e:
+ if e.errno != errno.ECONNRESET:
+ raise # Not error we are looking for
 else:
- overFlow = False
 if self.data == '':
- self.data = datarecieved
- else:
- self.data = self.data +" || "+ datarecieved
- if '\r\x00' in data:
- self.conn.send('\nInvalid command\n')
+ self.data = "Connection reset by peer"
 else:
- self.conn.send('Invalid command\n')
- if linux:
- self.conn.send('>> ')
- i += 1
- datarecieved = ""
- # first line on connection with linux is this giant string so just removing that nonsense
- elif not '\xff\xfd\x03\xff\xfb\x18\xff\xfb\x1f\xff\xfb \xff\xfb!\xff\xfb"\xff\xfb\'\xff\xfd\x05\xff\xfb#' == data :
- if 0 == i:
- linux = False
- datarecieved = datarecieved + data
-
- # these two are ctrl+c in linux and in windows. Easier way to end program.
- if i == 12 or '\xff\xf4\xff\xfd\x06' == data or '\x03' == data or not data:
- self.lock.acquire()
- print self.ip + ':' + str(self.socket) + ': ' + 'Connection terminated.'
- self.lock.release()
- break
-
- if len(self.data) > 128 :
- self.data = self.data[0:127]
- break
+ self.data = self.data +"|| Connection reset by peer"
 self.conn.close()
 self.send_output()
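Review bot: The new `except SocketError` branch records "Connection reset by peer" for ECONNRESET but never leaves the `while True:` loop, so control goes straight back into `self.conn.recv(4096)` on a socket the peer has already reset — the message can be appended a second time and the loop only ends if a later recv happens to return empty; add `break` after the assignment in that `else:` branch. The re-raise path (`if e.errno != errno.ECONNRESET: raise`) exits `run()` without ever reaching `self.conn.close()` or `self.send_output()`, leaking the socket and discarding the captured login attempt, so `self.conn.close()` belongs in a `finally:` around the loop. In the overflow handling, `self.data = ' || OVERFLOW ATTEMPT'+ data[0:10]` overwrites everything collected so far instead of appending (compare `self.data = self.data +"|| Connection reset by peer"` at the bottom); it should be `self.data = self.data + ' || OVERFLOW ATTEMPT' + data[0:10]`. `data[0:10]`, `datarecieved`, `self.username` and `self.password` carry raw client bytes — telnet IAC sequences and control characters included — into `self.data`, which is printed here and then handed to `send_output()`; escaping them with `repr()` before storing keeps attacker input from corrupting the log line or whatever send_output writes. `SocketError` and `errno` are used in the new code but neither import is visible in the hunk — confirm both are imported at the top of telnet_reader.py.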