F1TYM1

Honeyscanner – A vulnerability analyzer for Honeypots

Honeyscanner – A vulnerability analyzer for Honeypots

Honeyscanner is a vulnerability analyzer for honeypots designed to automatically attack a given honeypot, in order to determine if the honeypot is vulnerable to specific types of cyber attacks. It uses a variety of attacks, ranging from exploiting vulnerable software libraries to DoS, and fuzzing attacks. The analyzer then provides an evaluation report to the honeypot administrator, offering advice on how to enhance the security of the honeypot. Targeted toward security enthusiasts, open-source communities, and companies, Honeyscanner provides a much-needed safety check for various honeypots.

This project was presented at BlackHat Europe 2023 in London. For more information about Honeyscanner in BlackHat Europe click here.

Architecture

Install

Requirements

  • Python v3.9.12 – Required to run the project
  • Pipenv v2023.7.9 – Required to install Python dependencies
  • Git – Used to download the source code

  1. Download the Honeyscanner source code from GitHub. Open a terminal and introduce the following command.

    git clone https://github.com/honeynet/honeyscanner.git

  2. Navigate to the Honeyscanner’s folder, install the required Python packages, and activate the virtual environment.

    cd Honeyscanner/honeyscanner
    pipenv install
    pipenv shell

NOTE FOR PIPENV: To exit the virtual environment, you just need to enter the command “exit” in the terminal.

Configuration

  • Before you run Honeyscanner, you need to control or own a Honeypot instance. For testing purposes, this guide assumes that the targeted Honeypot runs on a Docker container on the local machine, where Honeyscanner runs.

  • To test Honeyscanner against the latest Cowrie version, you can use the official Docker Image here, pull it locally, and run a Docker container with it.

  • If you prefer to test Honeyscanner against Kippo, you can use the following Docker Image in DockerHub here.

  • For testing Honeyscanner against Dionaea, use the following Docker Image in DockerHub here.

  • For testing Honeyscanner against Conpot, use the following Docker Image in DockerHub here.

  • After running a Honeypot using Docker containers locally, you will be able to specify the following parameters: –target_ip 127.0.0.1 –port 2222 when running the Honeyscanner.

NOTE: NEVER RUN Honeyscanner AGAINST HONEYPOTS YOU DO NOT OWN, OR YOU DO NOT HAVE EXPLICIT PERMISSION TO TEST.

NOTE: Currently Honeyscanner can actively attack the Dionaea and the Conpot honeypots only by using the DoS attack module. The way it works is that initially Honeyscanner uses nmap to find the open ports on the targeted honeypot, then tries to DoS all ports simultaneously. In order to run the nmap scanner, run Honeyscanner with root privileges for scanning Dionaea and Conpot. This provides nmap with deeper view of the services that run behind each port on the honeypot.

NOTE: For Dionaea only version 0.11.0 is supported at this stage of Honeyscanner. For Conpot, all versions up to 0.6.0 are supported.

Use

Use the following examples as a reference for how to runHoneyscanner :

python3 main.py –honeypot cowrie –honeypot_version 2.5.0 –target_ip 127.0.0.1 –port 2222 –username root –password 1234

python3 main.py –honeypot kippo –honeypot_version 0.9 –target_ip 127.0.0.1 –port 2222

sudo python3 main.py –honeypot dionaea –honeypot_version 0.11.0 –target_ip 127.0.0.1 –port 2323

sudo python3 main.py –honeypot conpot –honeypot_version 0.6.0 –target_ip 127.0.0.1 –port 2323

Copyright (c) 2023 Aristofanis Chionis Koufakos

In:

Tags:

, , , , ,
Post
Filter
Apply Filters
Close