/PortScanHoneypot

This tool helps #blueteams detect bad actors who may be port scanning the network, and allows #redteams to practice honeypot evasion.

Primary LanguagePythonMIT LicenseMIT

Port Scan Honeypot

Reliability Rating Maintainability Rating Security Rating Quality Gate Status

Bugs Vulnerabilities Code Smells

This tool helps blue teams detect bad actors who may be port scanning the network, and allows red teams to practice honeypot evasion.

#blueteam vs #redteam = #FTW

Install

Install using:

git clone https://github.com/DanaEpp/PortScanHoneypot.git 
cd PortScanHoneypot
pip3 install -r requirements.txt

Dependencies will be installed and portscanhoneypot will be added to your path.

If you wish to run this as a daemon, you may want to copy the pshp.conf file to /etc. Otherwise you will need to use the -c switch to point to the config file.

sudo cp pshp.conf /etc/pshp.conf

Usage

python3 portscanhoneypot  
        [-c /path/to/config.conf] [-d] [--daemon]
  • -c, --config [optional] : The location file of the YAML config (default is /etc/pshp.conf)
  • -d, --debug [optional] : Enables debug logging
  • --daemon [optional]: Run port scan detector in daemon mode

NOTE: Due to the fact this tool uses raw sockets you must run this as root. Have concerns with that? Consider putting it into docker a container.

#blueteam TIP : Don't monitor this on a lot of ports. Pick a few that are sensitive and indicators of compromise that you KNOW users shouldn't be scanning inside your network. And for gawds sake, don't hang this on the Internet, or thou shall be shodan spammed. You have been warned. ;-)

#redteam TIP : When considering honeypot evasion, #blueteams might run these types of detection tools in dedicated containers standalone. Watch for DNS and NETBIOS chatter.... consider avoiding scanning hosts that aren't interacting with other hosts... they might just be a honeypot.

#bugbountyhunter TIP : Be loud and proud. You are not trying to evade port scan detectors. If the host is in scope and allows for port scanning, then go to town. Light up #blueteam's logs and see if they contact you. :-)

Webhooks support

To assist in notifying your team when port scans are detected consider using webhook notifications.

You can configure your webhooks in the pshp.conf file:

webhook_url: "https://your.url/to/your/webhook"
webhook_type: 0

You can set webhook_type to any of the following numbers:

  • 0 : NONE
  • 1 : GENERIC
  • 2 : SLACK
  • 3 : MS TEAMS
  • 4 : DISCORD

For more information on setting up webhook notifications for your favorite apps please see:

Working with generic webhooks like Microsoft Logic Apps

If you are wanting to get notifications to a different device or email, consider using the "generic" webhook option and configure it to point to a Microsoft Logic App. When defining the HTTP receive endpoint in Azure use the following Request Body JSON Schema:

{
    "properties": {
        "content": {
            "type": "string"
        },
        "username": {
            "type": "string"
        }
    },
    "type": "object"
}

By defining it in that way, the Logic App will parse out the payload and allow direct dynamic content variables for use in your workflow. From there you can do anything with the payload, from sending it via SMS to your phone or directly to email.

Have fun with it. Generic webhooks and Logic Apps can do some pretty powerful things.