HoneyPy - nmap honeypot
#1
I was clearing out my hard disks and found some old scripts and posts from hacksociety and some disclosures I never got around to putting on the internet. Either way, here's an old HS post.


HoneyPy is a tool (written in the span of an hour) designed to place a passive port on your server that, when scanned for open ports or fingerprinted, will block the IP of a possible attacker. This requires iptables, Python, and Linux.

Let me know if you find any bugs/feature requests.

UPDATE: I have updated HoneyPy to work A LOT smoother.  I found a bug where generic scans (nmap 192.168.1.*) would not trigger a connection due to SYN methods.  Also using sudo nmap would completely bypass the honeypot, this has also been fixed in the newest version.

Code:
#!/usr/bin/env python3
import socket, os, sys, getopt, subprocess
from struct import unpack

print("\033[95m  /\\  /\\/ __\\")
print(" / /_/ / /   Honeypy - A HoneyPot for port scans")
print("/ __  / /")
print("\\/ /_/\\____/ \033[0m")
print("Usage: ./honeypy -p 1337 [-h bind_address] [-l]\n")
# Raw sockets and iptables both need root.
if os.geteuid() != 0:
    sys.exit('\033[91mScript must be run as root\033[0m')
# -p port, -h address to bind, -l log only (detect but do not block).
# -l takes no argument, so it must not have a ':' in the getopt spec.
ops, args = getopt.getopt(sys.argv[1:], "p:h:l")
h, p, noblock = '', 5000, False
for o, a in ops:
    if o == '-h':
        h = a
    elif o == '-p':
        p = int(a)
    elif o == '-l':
        noblock = True
# ls: a real listening socket, so the port shows up as open to a scanner.
# s:  a raw socket that sees every inbound TCP segment, handshake or not,
#     so half-open (SYN) scans are caught as well as full connects.
ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
ls.bind((h, p))
print('\033[92mStarted listening on port \033[0m' + str(p))
ls.listen(5)
blocked = set()  # remember who is already blocked; one DROP rule per source
while True:
    packet = s.recvfrom(500)[0]
    if len(packet) < 20:
        continue
    # IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    iph = unpack('!BBHHHBBH4s4s', packet[0:20])
    ihl = iph[0] & 0xF
    iph_length = ihl * 4  # IP options, if present, push the TCP header out
    if len(packet) < iph_length + 20:
        continue
    s_addr, d_addr = socket.inet_ntoa(iph[8]), socket.inet_ntoa(iph[9])
    # TCP header: src port, dst port, seq, ack, data offset, flags, window, checksum, urgent
    tcph = unpack('!HHLLBBHHH', packet[iph_length:iph_length + 20])
    dest_port = tcph[1]
    if dest_port == p and s_addr not in blocked:
        print('\033[93mINVADER DETECTED:\033[0m ', s_addr)
        if not noblock:
            print('Blocking IP...')
            # argument list, not a shell string, so nothing is re-parsed by sh
            subprocess.call(["iptables", "-A", "INPUT", "-s", s_addr, "-j", "DROP"])
            blocked.add(s_addr)
[Image: SvjfBvQ.png]

Notes:
Iptables will restart if your computer restarts
To flush the iptables rules, run
Code:
sudo iptables -F
To unblock an IP, run
Code:
sudo iptables -D INPUT -s 127.0.0.1 -j DROP
#2
Sweet mother of Jesus, your code is chaotic. However, that being said, this is a very nice script for people running web servers. Usually after spidering and fuzzing the web app, I proceed with a port scan to find any vulnerable services. For defensive-oriented people this could come in handy. Not sure if I've asked you this before, but do you have a GitHub I could follow? You're an excellent programmer, all things considered.

Also, I hope you don't mind me saying so, but doing asterisk imports is bad practice in Python.
#3
(08-11-2016, 04:19 PM)Vector Wrote: Sweet mother of Jesus you code chaotic, however that being said. This is a very nice script for people running web servers. Usually after spidering and fuzzing the web app, i proceed with a portscan to find any vulnerable services. For defensive oriented people this could come in handy. Not sure if i've asked you this before but do you have a github i could follow? You're an excellent programmer all things considered.

Also, I hope you don't mind me saying so, but doing asterisk imports is bad practice in Python.

Yeah, this isn't my best work haha. I typically try to only grab what I need and use it cleanly. I know the best practices, but sometimes on dinky things like this I just spit them out. There are a ton of things I should have done, including using a parser haha, but I've written a lot more Python since and it's gotten naturally cleaner. The idea behind this was a lightweight tool to run while at a place like Defcon or your favorite hacker meetup, just to annoy attackers and make it inconvenient for them to attack you. As for GitHub, I don't have an ultra1337 hax0r one, just the one I use for portfolio and professional work.
#4
(08-12-2016, 03:26 AM)NO-OP Wrote:
(08-11-2016, 04:19 PM)Vector Wrote: Sweet mother of Jesus, your code is chaotic. However, that being said, this is a very nice script for people running web servers. Usually after spidering and fuzzing the web app, I proceed with a port scan to find any vulnerable services. For defensive-oriented people this could come in handy. Not sure if I've asked you this before, but do you have a GitHub I could follow? You're an excellent programmer, all things considered.

Also, I hope you don't mind me saying so, but doing asterisk imports is bad practice in Python.

Yeah, this isn't my best work haha. I typically try to only grab what I need and use it cleanly. I know the best practices, but sometimes on dinky things like this I just spit them out. There are a ton of things I should have done, including using a parser haha, but I've written a lot more Python since and it's gotten naturally cleaner. The idea behind this was a lightweight tool to run while at a place like Defcon or your favorite hacker meetup, just to annoy attackers and make it inconvenient for them to attack you. As for GitHub, I don't have an ultra1337 hax0r one, just the one I use for portfolio and professional work.

Of course a determined adversary would only be slowed down by this. Still, that doesn't make the script useless. Also, I imagine you would be doxing yourself if you gave me the link to your professional GitHub, so I guess that's out of the question; if not, send me the link via PM for a little more privacy, since I'd still be interested in your general portfolio.

Also, you should consider an ultra1337 h4x0r GitHub account. I'd follow that one for sure. As for me, I am trying, but so far the best I've got is a super1226 h4x0r account, so I'm still working on that one :P
#5
(08-11-2016, 01:00 PM)NO-OP Wrote: UPDATE: I have updated HoneyPy to work A LOT smoother. I found a bug where generic scans (nmap 192.168.1.*) would not trigger a connection due to SYN methods. Also using sudo nmap would completely bypass the honeypot, this has also been fixed in the newest version.

Cool man, 2 questions:
I only see the current iteration; how did sudo nmap bypass this?
Also, what is the significance of the unpack lines? Is it converting "BBHHHBBH4s4s" from a byte string to a regular string? Or something like that?
#6
(10-11-2016, 02:07 AM)StickFigure Wrote:
(08-11-2016, 01:00 PM)NO-OP Wrote: UPDATE: I have updated HoneyPy to work A LOT smoother.  I found a bug where generic scans (nmap 192.168.1.*) would not trigger a connection due to SYN methods.  Also using sudo nmap would completely bypass the honeypot, this has also been fixed in the newest version.

Cool man, 2 questions:
I only see the current iteration; how did sudo nmap bypass this?
Also, what is the significance of the unpack lines? Is it converting "BBHHHBBH4s4s" from a byte string to a regular string? Or something like that?

In the previous iteration it was simply a socket waiting for connections, but using root, nmap can craft its own packets and control how it actually implements TCP and UDP, which results in incomplete connections, bypassing the old method. So what I did instead was grab every packet.

This is done with a raw socket. As for the line with the !BHB etc., this is part of unpack. I'm basically just pulling the binary data out of the packet based on the format given in the first argument (somewhat like scanf).

Here are some docs on it if you're interested
https://docs.python.org/3/library/struct...characters

But honestly I pulled the raw packet unpacker from some random project because I was feeling lazy haha.

This whole project was a proof of concept and could be written a lot better now.
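Two points in this thread share one worked example: the UPDATE in post #1 (a plain listening socket never saw a SYN scan, because nmap's half-open probe never completes the handshake) and the raw-socket/unpack explanation in post #6. The block below is an added example, not part of the original HoneyPy script: it builds a few IPv4/TCP segments by hand (constructed test data with zero checksums), decodes them with the same `!BBHHHBBH4s4s` and `!HHLLBBHHH` format strings HoneyPy uses, and runs both the old accept()-based model and the raw-socket model over them. The `trusted` allowlist, the port 5000 and the 10.0.0.x addresses are assumptions of this example; the allowlist is the caveat a practitioner wants, since IP source addresses are unauthenticated and a spoofed SYN would otherwise let an attacker make the honeypot DROP your own gateway or DNS server.

```python
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10


def build_segment(src_ip, dst_ip, sport, dport, flags):
    """Constructed test data: bare IPv4 header (IHL=5, no options) + 20-byte TCP header.
    Checksums are left at zero; the parser below never checks them."""
    tcp = struct.pack('!HHLLBBHHH', sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s',
                     (4 << 4) | 5, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp


def parse_segment(packet):
    """Decode IPv4 + TCP headers with HoneyPy's unpack formats.
    '!' = network byte order; B = 1 byte, H = 2 bytes, L = 4 bytes, 4s = 4 raw bytes.
    Returns None for anything that is not a complete IPv4/TCP segment instead of
    letting unpack raise on a short read."""
    if len(packet) < 20:
        return None
    iph = struct.unpack('!BBHHHBBH4s4s', packet[:20])
    version, ihl = iph[0] >> 4, iph[0] & 0xF
    if version != 4 or iph[6] != socket.IPPROTO_TCP:
        return None
    off = ihl * 4                      # IP options, if any, push the TCP header out
    if len(packet) < off + 20:
        return None
    tcph = struct.unpack('!HHLLBBHHH', packet[off:off + 20])
    return {'src': socket.inet_ntoa(iph[8]), 'dst': socket.inet_ntoa(iph[9]),
            'sport': tcph[0], 'dport': tcph[1], 'flags': tcph[5]}


def accept_would_fire(segments, port):
    """Model of the first HoneyPy version (plain listening socket): accept() only
    returns once a peer's SYN is followed by its ACK completing the handshake.
    nmap -sS answers the kernel's SYN-ACK with RST, so this never triggers."""
    syn_seen = set()
    for seg in filter(None, map(parse_segment, segments)):
        if seg['dport'] != port:
            continue
        if seg['flags'] & SYN and not seg['flags'] & ACK:
            syn_seen.add(seg['src'])
        elif seg['flags'] & RST:
            syn_seen.discard(seg['src'])
        elif seg['flags'] & ACK and seg['src'] in syn_seen:
            return True
    return False


def raw_socket_blocks(segments, port, trusted=()):
    """Model of the current version: any inbound TCP segment to the honeypot port
    marks its source for blocking, handshake or not. `trusted` is an allowlist added
    by this example (assumption, not in the original) so a spoofed source address
    cannot make the honeypot block infrastructure you depend on."""
    blocked = []
    for seg in filter(None, map(parse_segment, segments)):
        if seg['dport'] == port and seg['src'] not in trusted and seg['src'] not in blocked:
            blocked.append(seg['src'])
    return blocked


HONEYPOT, ME, SCANNER, GATEWAY = 5000, '10.0.0.20', '10.0.0.5', '10.0.0.1'  # assumed values

# nmap -sS against the honeypot port: SYN, then RST in reply to the kernel's SYN-ACK.
SYN_SCAN = [build_segment(SCANNER, ME, 40000, HONEYPOT, SYN),
            build_segment(SCANNER, ME, 40000, HONEYPOT, RST)]
# nmap -sT or any real client: SYN, then ACK completing the handshake.
CONNECT_SCAN = [build_segment(SCANNER, ME, 40001, HONEYPOT, SYN),
                build_segment(SCANNER, ME, 40001, HONEYPOT, ACK)]
# A SYN with a forged source address claiming to be the gateway.
SPOOFED = [build_segment(GATEWAY, ME, 40002, HONEYPOT, SYN)]
# Traffic to any other port is ignored by both models.
OTHER_PORT = [build_segment(SCANNER, ME, 40003, 22, SYN)]

if __name__ == '__main__':
    print('SYN scan   accept():', accept_would_fire(SYN_SCAN, HONEYPOT),
          ' raw:', raw_socket_blocks(SYN_SCAN, HONEYPOT))
    print('connect    accept():', accept_would_fire(CONNECT_SCAN, HONEYPOT),
          ' raw:', raw_socket_blocks(CONNECT_SCAN, HONEYPOT))
    print('spoofed    naive:', raw_socket_blocks(SPOOFED, HONEYPOT),
          ' with allowlist:', raw_socket_blocks(SPOOFED, HONEYPOT, trusted={GATEWAY}))
```

The SYN scan case is the bug the UPDATE describes: the SYN reaches the raw socket, but accept() never returns because the third handshake step never arrives. The spoofed case is the reason to keep an allowlist (or at least never auto-block your gateway, resolver or management host) in anything that turns unauthenticated packets into firewall rules.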

