cymmetria / honeycomb_plugins
The plugin repository for Honeycomb, the honeypot framework by Cymmetria
License: MIT License
Netgear router DGN2200v4 version 10.0.0.50 should theoretically encompass 4 CVEs at the same time:
CVE-2017-5521 (unauthenticated login)
CVE-2017-6334 (authenticated OS command injection)
CVE-2017-6077 (authenticated OS command injection)
CVE-2017-6366 (CSRF, hijack authenticated user session)
It's not clear how to run tests locally on a new service.
Medium interaction honeypot serving and responding to LDAP messages
Depending on the specific webcam model chosen, any of these could be relevant:
CVE-2017-8224 - Backdoor account
CVE-2017-8222 - RSA key and certificates
CVE-2017-8225 - Pre-Auth Info Leak (credentials) within the custom http server
Authenticated RCE as root
Pre-Auth RCE as root
CVE-2017-8223 - Misc - Streaming without authentication
CVE-2017-8221 - Misc - "Cloud" (Aka Botnet)
You could choose any one model and see the relevant CVEs for it, let's say Provision PT-737.
Look at this exploit and its supported devices list to understand how widespread this is:
https://github.com/threat9/routersploit/blob/master/routersploit/modules/exploits/cameras/multi/P2P_wificam_rce.py
D-Link router DIR-850L has many CVEs available (these are all from 2017! https://www.cvedetails.com/vulnerability-list/vendor_id-899/product_id-40187/year-2017/D-link-Dir-850l-Firmware.html)
firmware version FW114WWb07_h2ab_beta1 contains the following CVEs:
CVE-2017-14430 (unauthenticated DoS)
CVE-2017-14429 (unauthenticated RCE)
CVE-2017-14423 (unauthenticated attacker can reconfigure the router's DNS server)
Services already support basic testing, we just need to build simple unit tests for them.
If you try to run simple_http on port 8080 and visit "127.0.0.1:8080/fap=432%424" it's going to crash. This is due to the overridden log_message which thinks the "%424" needs to turn into arguments in the "message % args" part of the log.
The solution can be to .replace("%", "%%") in log_request(), thus escaping the formatting.
(While I'm not versed in Python attacks, in C/C++ this would be a real vulnerability)
Could you make modules to detect fileless malware and capture it to a folder? Also, capturing any script would be useful.
And at least it would be great to port Honeycomb to work on Windows.
We could use some basic documentation with reference to simple_http as an example
More info on how to fix Hard-Coded Secrets in General.
More info on how to fix Insecure Network Communication in Python.
iLO is HP's way to control appliances, equivalent to Intel AMT.
https://en.wikipedia.org/wiki/HP_Integrated_Lights-Out
iDRAC is Dell's way to control appliances, see https://en.wikipedia.org/wiki/Dell_DRAC, equivalent to Intel AMT.
Port https://github.com/Cymmetria/ciscoasa_honeypot to honeycomb format
requires making IKE compatible with py2
Config file being used
version: 1
services:
  simple_http:
    parameters:
      port: 80
      version: "nginx"
      threading: false
integrations:
  elasticsearch:
    parameters:
      url: "http://xxx.xx.xxx.xxx:9200" (actual IP address is redacted)
      verify: false
      username: ""
      password: ""
      index: "firewall"
Command to run being used
honeycomb -c /home/log/.config/honeycomb/honeycomb.yml -v
Receiving the following error when attempting to use the elasticsearch integration.
DEBUG [2018-10-29 16:46:21,242 base_service] simple_http_service.py:50 log_message: 76.21.103.242 - - [29/Oct/2018 16:46:21] "GET / HTTP/1.1" HTTPStatus.OK -
DEBUG [2018-10-29 16:46:21,243 honeycomb.integrationmanager.tasks] tasks.py:126 send_alert_to_configured_integration: Sending alert {'id': UUID('8cf6f20e-c499-466c-8539-4ced207dafcc'), 'status': 2, 'timestamp': datetime.datetime(2018, 10, 29, 16, 46, 21, 242214), 'event_type': 'simple_http', 'event_description': 'HTTP Server Interaction', 'request': 'GET /', 'originating_ip': '76.21.103.242', 'originating_port': 62051, 'decoy_os': 'Linux'} to elasticsearch
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/home/log/.local/lib/python3.6/site-packages/honeycomb/integrationmanager/tasks.py", line 101, in create_integration_alert_and_call_send
    send_alert_to_configured_integration(integration_alert)
  File "/home/log/.local/lib/python3.6/site-packages/honeycomb/integrationmanager/tasks.py", line 127, in send_alert_to_configured_integration
    output_data, output_file_content = integration_actions_instance.send_event(alert_fields)
  File "/home/log/.config/honeycomb/integrations/elasticsearch/integration.py", line 26, in send_event
    response = session.post(url=url, auth=auth, json=alert_fields, verify=verify)
  File "/home/log/.local/lib/python3.6/site-packages/requests/sessions.py", line 559, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/home/log/.local/lib/python3.6/site-packages/requests/sessions.py", line 498, in request
    prep = self.prepare_request(req)
  File "/home/log/.local/lib/python3.6/site-packages/requests/sessions.py", line 441, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/home/log/.local/lib/python3.6/site-packages/requests/models.py", line 312, in prepare
    self.prepare_body(data, files, json)
  File "/home/log/.local/lib/python3.6/site-packages/requests/models.py", line 462, in prepare_body
    body = complexjson.dumps(json)
  File "/usr/lib/python3.6/json/__init__.py", line 231, in dumps
    return _default_encoder.encode(obj)
  File "/usr/lib/python3.6/json/encoder.py", line 199, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "/usr/lib/python3.6/json/encoder.py", line 257, in iterencode
    return _iterencode(o, 0)
  File "/usr/lib/python3.6/json/encoder.py", line 180, in default
    o.__class__.__name__)
TypeError: Object of type 'UUID' is not JSON serializable
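Added example, not the elasticsearch integration's own code: the alert in the traceback carries a uuid.UUID "id" and a datetime "timestamp", neither of which json.dumps (and so requests' json= parameter) can encode. A "default" hook converts both to strings so the alert can be posted; treating a naive timestamp as UTC is an assumption, and the sample alert is reconstructed from the log lines above.

```python
"""Make Honeycomb-style alert dicts JSON-serialisable before posting them."""
import datetime
import json
import uuid


def to_jsonable(value):
    """'default' hook for json.dumps: handle the two offending types, reject the rest."""
    if isinstance(value, uuid.UUID):
        return str(value)
    if isinstance(value, datetime.datetime):
        # Assumption: naive timestamps are UTC; emit ISO 8601 with an explicit offset
        if value.tzinfo is None:
            value = value.replace(tzinfo=datetime.timezone.utc)
        return value.isoformat()
    raise TypeError("Object of type %r is not JSON serializable" % type(value).__name__)


def serialise_alert(alert_fields):
    """JSON body to send; use data=serialise_alert(...) with a JSON Content-Type
    header instead of json=alert_fields in session.post()."""
    return json.dumps(alert_fields, default=to_jsonable)


def alert_as_document(alert_fields):
    """Round-trip helper: the plain-typed document Elasticsearch would index."""
    return json.loads(serialise_alert(alert_fields))


def fails_without_default(alert_fields):
    """True if plain json.dumps rejects the alert, i.e. the crash in the traceback."""
    try:
        json.dumps(alert_fields)
        return False
    except TypeError:
        return True


# Alert reconstructed from the traceback in the issue above
SAMPLE_ALERT = {
    "id": uuid.UUID("8cf6f20e-c499-466c-8539-4ced207dafcc"),
    "status": 2,
    "timestamp": datetime.datetime(2018, 10, 29, 16, 46, 21, 242214),
    "event_type": "simple_http",
    "event_description": "HTTP Server Interaction",
    "request": "GET /",
    "originating_ip": "76.21.103.242",
    "originating_port": 62051,
    "decoy_os": "Linux",
}
```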
FreePBX 13.0.x < 13.0.188 should be vulnerable to:
EDB-ID: 40434 (RCE) for FreePBX < 13.0.188
EDB-ID: 40232 (RCE/PE) for FreePBX 13/14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26)
EDB-ID: 40614 (RCE/PE) for FreePBX 13/14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26)
and there's also:
CVE-2014-7235 (RCE) for FreePBX < 2.9.0.9, FreePBX 2.10.x, FreePBX < 2.11.1.5
https://wiki.wireshark.org/S7comm
Create a honeypot that monitors for the Simatic S7-1200 vulnerabilities mentioned here: https://www.speedguide.net/port.php?port=102
Per Imri's request, a telnet honeypot that responds in a Linux-y manner and has a configurable banner
It's very useful if the honeypot detects x64 shellcode and downloads the payload. I know it's hard but valuable.
"parameters": [
    {
        "type": "text",
        "value": "username",
        "label": "Authentication username",
        "required": true
    },
    {
        "type": "text",
        "value": "password",
        "label": "Authentication password",
        "required": true
    },
    {
        "type": "file",
        "value": "dit",
        "label": "DIT file (database for the LDAP server)"
    }
This works on Mazerunner, but HC reports this as:
"Error: [-] Parameters: 'file' is not a valid type"
I was looking into the syslog integration and best I can tell a user setting a honeycomb.yml in core cannot override (or at least I haven't figured out how to set) a logging.handlers.SysLogHandler.LOG_USER to be something other than "user". I'd like to be able to set this in honeycomb.yml in the integration config to be able to pick a specific facility.
This is different than the existing banner service because this will be a full telnet honeypot (e.g. accepting telnet options, login, etc.)
The parameters should be: