
cymmetria / honeycomb_plugins


The plugin repository for Honeycomb, the honeypot framework by Cymmetria

License: MIT License

HTML 98.25% CSS 0.25% Python 0.99% ASP 0.08% Shell 0.01% JavaScript 0.42% Dockerfile 0.01%
honeycomb python security security-tools

honeycomb_plugins's People

Contributors

dekelb, lorg, omercnet, pyup-bot, shay-ir, sleeptime17, yotamleo


honeycomb_plugins's Issues

LDAP honeypot

Medium interaction honeypot serving and responding to LDAP messages

IoT webcam honeypot

Depending on the specific webcam model chosen, any of these could be relevant:

CVE-2017-8224 - Backdoor account
CVE-2017-8222 - RSA key and certificates
CVE-2017-8225 - Pre-Auth Info Leak (credentials) within the custom http server
Authenticated RCE as root
Pre-Auth RCE as root
CVE-2017-8223 - Misc - Streaming without authentication
CVE-2017-8221 - Misc - "Cloud" (Aka Botnet)

You could choose any one model, let's say the Provision PT-737, and see the relevant CVEs for it.
Look at this exploit and its supported devices list to understand how widespread this is:
https://github.com/threat9/routersploit/blob/master/routersploit/modules/exploits/cameras/multi/P2P_wificam_rce.py

simple_http crashes when given URL-encoding in URL

If you try to run simple_http on port 8080 and visit "127.0.0.1:8080/fap=432%424" it's going to crash. This is due to the overridden log_message which thinks the "%424" needs to turn into arguments in the "message % args" part of the log.

The solution can be to .replace("%", "%%") in log_request(), thus escaping the formatting.
(While I'm not versed in Python attacks, in C/C++ this would be a real vulnerability)

detect fileless malware

Could you make modules to detect fileless malware and capture it to a folder? Capturing any script would also be useful.
And at the very least, it would be great to port honeycomb to work on Windows.

Write docs!

We could use some basic documentation with reference to simple_http as an example

Existing security issues

⚠️ Here are the existing security issues we detected on your default branch:

Hard-Coded Secrets (33)

More info on how to fix Hard-Coded Secrets in General.


Insecure Network Communication (1)

More info on how to fix Insecure Network Communication in Python.

Elasticsearch integration

Config file being used


version: 1

services:
  simple_http:
    parameters:
      port: 80
      version: "nginx"
      threading: false

integrations:
  elasticsearch:
    parameters:
      url: "http://xxx.xx.xxx.xxx:9200"   # actual IP address is redacted
      verify: false
      username: ""
      password: ""
      index: "firewall"

Command to run being used

honeycomb -c /home/log/.config/honeycomb/honeycomb.yml -v

Receiving the following error when attempting to use the elasticsearch integration.

DEBUG [2018-10-29 16:46:21,242 base_service] simple_http_service.py:50 log_message: 76.21.103.242 - - [29/Oct/2018 16:46:21] "GET / HTTP/1.1" HTTPStatus.OK -
DEBUG [2018-10-29 16:46:21,243 honeycomb.integrationmanager.tasks] tasks.py:126 send_alert_to_configured_integration: Sending alert {'id': UUID('8cf6f20e-c499-466c-8539-4ced207dafcc'), 'status': 2, 'timestamp': datetime.datetime(2018, 10, 29, 16, 46, 21, 242214), 'event_type': 'simple_http', 'event_description': 'HTTP Server Interaction', 'request': 'GET /', 'originating_ip': '76.21.103.242', 'originating_port': 62051, 'decoy_os': 'Linux'} to elasticsearch
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/log/.local/lib/python3.6/site-packages/honeycomb/integrationmanager/tasks.py", line 101, in create_integration_alert_and_call_send
    send_alert_to_configured_integration(integration_alert)
  File "/home/log/.local/lib/python3.6/site-packages/honeycomb/integrationmanager/tasks.py", line 127, in send_alert_to_configured_integration
    output_data, output_file_content = integration_actions_instance.send_event(alert_fields)
  File "/home/log/.config/honeycomb/integrations/elasticsearch/integration.py", line 26, in send_event
    response = session.post(url=url, auth=auth, json=alert_fields, verify=verify)
  File "/home/log/.local/lib/python3.6/site-packages/requests/sessions.py", line 559, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/home/log/.local/lib/python3.6/site-packages/requests/sessions.py", line 498, in request
    prep = self.prepare_request(req)
  File "/home/log/.local/lib/python3.6/site-packages/requests/sessions.py", line 441, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/home/log/.local/lib/python3.6/site-packages/requests/models.py", line 312, in prepare
    self.prepare_body(data, files, json)
  File "/home/log/.local/lib/python3.6/site-packages/requests/models.py", line 462, in prepare_body
    body = complexjson.dumps(json)
  File "/usr/lib/python3.6/json/__init__.py", line 231, in dumps
    return _default_encoder.encode(obj)
  File "/usr/lib/python3.6/json/encoder.py", line 199, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "/usr/lib/python3.6/json/encoder.py", line 257, in iterencode
    return _iterencode(o, 0)
  File "/usr/lib/python3.6/json/encoder.py", line 180, in default
    o.__class__.__name__)
TypeError: Object of type 'UUID' is not JSON serializable
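requests serialises the json= argument with a plain json.dumps, which has no encoder for uuid.UUID or datetime, so the alert dict has to be encoded before it reaches session.post. The following is an added example, not the elasticsearch integration's actual code: a default hook for the two types, and a pre-encoded body posted with data= plus an explicit Content-Type header, since the json= parameter offers no place to plug in an encoder. The alert dict is constructed from the field types visible in the traceback. Separately, the config above sets verify: false; that only has an effect once the URL is https, where it disables certificate checking, so it should not survive into a production setup.

```python
"""Serialise a Honeycomb-style alert dict so it can be posted as JSON."""
import datetime
import json
import uuid


def json_default(obj):
    """Fallback for json.dumps: render the two non-JSON types in the alert."""
    if isinstance(obj, uuid.UUID):
        return str(obj)
    if isinstance(obj, (datetime.datetime, datetime.date)):
        # Elasticsearch parses ISO-8601 into its date type. A naive datetime
        # is emitted without an offset, exactly as Python produced it.
        return obj.isoformat()
    raise TypeError("Object of type %s is not JSON serializable" % type(obj).__name__)


def encode_alert(alert):
    """UTF-8 JSON body for an alert; raises TypeError for unknown types."""
    return json.dumps(alert, default=json_default).encode("utf-8")


def decode_alert(body):
    """Parse a body produced by encode_alert back into plain JSON types."""
    return json.loads(body.decode("utf-8"))


def post_alert(session, url, alert, auth=None, verify=True):
    """Drop-in for the failing session.post(..., json=alert_fields, ...) call.

    Not exercised offline; 'session' is a requests.Session. Because json=
    has no encoder hook, send a pre-encoded body and set the content type."""
    return session.post(
        url=url,
        auth=auth,
        data=encode_alert(alert),
        headers={"Content-Type": "application/json"},
        verify=verify,
    )


def reproduce_error(alert):
    """Return the TypeError message json.dumps raises without the hook, or None."""
    try:
        json.dumps(alert)
    except TypeError as exc:
        return str(exc)
    return None


# Constructed alert with the same field types as the one in the traceback.
SAMPLE_ALERT = {
    "id": uuid.UUID("8cf6f20e-c499-466c-8539-4ced207dafcc"),
    "status": 2,
    "timestamp": datetime.datetime(2018, 10, 29, 16, 46, 21, 242214),
    "event_type": "simple_http",
    "event_description": "HTTP Server Interaction",
    "request": "GET /",
    "originating_ip": "76.21.103.242",
    "originating_port": 62051,
    "decoy_os": "Linux",
}

if __name__ == "__main__":
    print("without hook:", reproduce_error(SAMPLE_ALERT))
    print("with hook:   ", encode_alert(SAMPLE_ALERT).decode())
```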

Create chaos deception service

  • The machine will look for DNS records that don't respond to ping, and will "take over" that IP (a black/white list is possible instead of ping)
  • That IP will be used by a nested machine / container that will run honeycomb as well.
  • The chaos honeycomb service will try to guess the meaning of the DNS name from the name itself, and will try to deploy on the guest a campaign that is related to the name.
  • Once an hour, the chaos service will take over a different DNS record with a new campaign.

FreePBX honeypot

FreePBX 13.0.x < 13.0.188 should be vulnerable to:

EDB-ID: 40434 (RCE) for FreePBX < 13.0.188
EDB-ID: 40232 (RCE/PE) for FreePBX 13/14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26)
EDB-ID: 40614 (RCE/PE) for FreePBX 13/14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26)

and there's also:
CVE-2014-7235 (RCE) for FreePBX < 2.9.0.9, FreePBX 2.10.x, FreePBX < 2.11.1.5

Add FTP Service

  • Provide banner of a common FTP service
  • Allow basic commands on a mock filesystem (consider keeping it as a dict to avoid actual exploitation)
  • Alerts: Muted alert on basic interaction, Alert on file upload
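Added example (not a plugin from this repository) of the control-channel state machine such a service would need: a configurable banner, a directory tree kept in a dict so that path traversal can only miss a key, a muted alert on login and listing, and a full alert with size and SHA-256 on upload. The banner string and the accept-any-credentials policy are assumptions; a real plugin would wrap this in a socket server and drive the data connection from data_out / receive_data.

```python
"""In-memory FTP honeypot command handler: banner, dict filesystem, alerts."""
import hashlib
import posixpath

DEFAULT_BANNER = "220 (vsFTPd 3.0.3)"   # assumed; imitate whatever you like


class FtpHoneypotSession:
    """Control-channel state for one client. Listings and uploads travel over
    the data connection in real FTP; here they are exposed as data_out and
    receive_data so the logic can be exercised without sockets."""

    def __init__(self, banner=DEFAULT_BANNER):
        self.banner = banner
        # Mock filesystem: directory path -> entry names, file path -> bytes.
        # Nothing maps to a real path, so "../../etc/passwd" only misses a key.
        self.dirs = {"/": ["pub", "incoming"], "/pub": ["README.txt"], "/incoming": []}
        self.files = {"/pub/README.txt": b"Welcome to the file server.\n"}
        self.cwd = "/"
        self.user = None
        self.authenticated = False
        self.pending_store = None
        self.data_out = b""     # what the data connection would carry out
        self.alerts = []

    def greet(self):
        return self.banner

    def _alert(self, level, kind, **fields):
        # 'muted' for basic interaction, 'alert' for uploads, per the issue.
        self.alerts.append(dict(level=level, kind=kind, user=self.user, **fields))

    def _resolve(self, arg):
        # Normalise against the mock tree; traversal yields a missing key.
        return posixpath.normpath(posixpath.join(self.cwd, arg or "."))

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "331 Please specify the password."
        if verb == "PASS":
            # Honeypot policy (assumed): accept any credentials, record them.
            self.authenticated = True
            self._alert("muted", "login", password=arg)
            return "230 Login successful."
        if verb == "QUIT":
            return "221 Goodbye."
        if not self.authenticated:
            return "530 Please login with USER and PASS."
        if verb == "PWD":
            return '257 "%s" is the current directory' % self.cwd
        if verb == "CWD":
            target = self._resolve(arg)
            if target not in self.dirs:
                return "550 Failed to change directory."
            self.cwd = target
            return "250 Directory successfully changed."
        if verb in ("LIST", "NLST"):
            self._alert("muted", "list", path=self.cwd)
            self.data_out = ("\r\n".join(self.dirs[self.cwd]) + "\r\n").encode()
            return "150 Here comes the directory listing."
        if verb == "RETR":
            path = self._resolve(arg)
            if path not in self.files:
                return "550 Failed to open file."
            self._alert("muted", "download", path=path)
            self.data_out = self.files[path]
            return "150 Opening BINARY mode data connection."
        if verb == "STOR":
            path = self._resolve(arg)
            if posixpath.dirname(path) not in self.dirs:
                return "553 Could not create file."
            self.pending_store = path
            return "150 Ok to send data."
        return "500 Unknown command."

    def receive_data(self, payload):
        """Data-channel bytes for an in-flight STOR: kept in memory only."""
        if self.pending_store is None:
            return "425 Use STOR first."
        path, self.pending_store = self.pending_store, None
        parent, name = posixpath.split(path)
        self.files[path] = payload
        if name not in self.dirs[parent]:
            self.dirs[parent].append(name)
        self._alert("alert", "upload", path=path, size=len(payload),
                    sha256=hashlib.sha256(payload).hexdigest())
        return "226 Transfer complete."
```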

config.json parameter type "file" not accepted

"parameters": [
  {
    "type": "text",
    "value": "username",
    "label": "Authentication username",
    "required": true
  },
  {
    "type": "text",
    "value": "password",
    "label": "Authentication password",
    "required": true
  },
  {
    "type": "file",
    "value": "dit",
    "label": "DIT file (database for the LDAP server)"
  }

This works on Mazerunner, but HC reports this as:

"Error: [-] Parameters: 'file' is not a valid type"

Ability to change syslog facility to an arbitrary value

I was looking into the syslog integration and best I can tell a user setting a honeycomb.yml in core cannot override (or at least I haven't figured out how to set) a logging.handlers.SysLogHandler.LOG_USER to be something other than "user". I'd like to be able to set this in honeycomb.yml in the integration config to be able to pick a specific facility.
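As an added example (not honeycomb code), this is how the facility could be driven from a config key instead of being fixed at LOG_USER; the "facility" key and the config shape are assumptions. It also computes the <PRI> number a receiver will see, which is the quickest way to confirm that a facility setting actually took effect.

```python
"""Pick the syslog facility from configuration and show the resulting PRI."""
from logging.handlers import SysLogHandler


def facility_from_config(name):
    """Map a facility name such as 'local0' to SysLogHandler's numeric code."""
    try:
        return SysLogHandler.facility_names[name.lower()]
    except KeyError:
        valid = ", ".join(sorted(SysLogHandler.facility_names))
        raise ValueError("unknown syslog facility %r (valid: %s)" % (name, valid))


def build_syslog_handler(config):
    """Build the handler from an integration config dict.

    Assumed shape: {'address': 'host', 'port': 514, 'facility': 'local0'}.
    Opens a UDP socket, so it is not called by the offline checks."""
    address = (config.get("address", "localhost"), int(config.get("port", 514)))
    facility = facility_from_config(config.get("facility", "user"))
    return SysLogHandler(address=address, facility=facility)


def pri_value(facility_name, levelname):
    """The <PRI> number on the wire: facility * 8 + severity, with Python's
    level name mapped through SysLogHandler.priority_map (unknown -> warning)."""
    facility = facility_from_config(facility_name)
    severity_name = SysLogHandler.priority_map.get(levelname, "warning")
    return facility * 8 + SysLogHandler.priority_names[severity_name]


if __name__ == "__main__":
    for fac in ("user", "local0", "auth"):
        print("%-6s INFO -> <%d>" % (fac, pri_value(fac, "INFO")))
```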

Create a custom banner telnet honeypot

This is different from the existing banner service because this will be a full telnet honeypot (e.g. accepting telnet options, login, etc.)

The parameters should be:

  • User/login for authentication - the users that will be accepted for authentication
  • Banner - the banner that will be sent upon connection
