HoneyThing is a honeypot for internet of TR-069 things. It's designed to act as completely a modem/router that has RomPager embedded web server and supports TR-069 (CWMP) protocol.
Project idea was created by Ali Ikinci and offered as Honeynet GSoC project in 2015.
Basic features:
- Emulates some popular vulnerabilities for RomPager as Misfortune Cookie, Rom-0 etc.
- TR-069 protocol support. Implements mostly used TR-069 CPE commands. e.g: GetRPCMethods, Get/Set ParameterValues, Download...
- Modem web interface to increase the interaction with attacker.
- All communication with services (http.log, cwmp.log) and state of honeypot (started/stopped, error etc. to honeything.log) are logged in parsable text format.
Debian and RPM packages will be available soon.
There're 2 ways to install HoneyThing:
For all of them, your system must have Python 2.7 (or above) and PycURL package.
- Setup Script: Using setup script requires python setuptools package installed on the system. After downloading and extracting HoneyThing, you can simply go to extracted directory and run;
python setup.py install
- Pre-Built Packages: HoneyThing can be installed by using pre-built packages for Ubuntu and CentOS. Packages can be downloaded from download section and will be added for any stable release.
For Ubuntu;
dpkg -i honeything_x.y.z.deb
For CentOS;
rpm -i honeything_x.y.z.rpm
After installation, some parameters can be changed optional by using configuration file. There're 4 section in config file:
- http: HTTP listen address/port can be edited in this section.
- cwmp: Some TR-069 parameters as listen address/port, ACS url, download directory for "download" CPE command, connection request path etc. can be edited.
- cpe: In cpe section, there're lots of variables related to modem/router device like manufacturer, serial number, model name etc. They can be edited to provide device variety in ACS communication.
- logging: Log file paths, log level and some protocol specific parameters can be changed in this section.
If you installed HoneyThing with setup script or pre-built packages, honeything can be run by using following commands:
service honeything {start|stop|restart|status}
or
/etc/init.d/honeything {start|stop|restart|status}
A paper about this project is published (in TURKISH) at International Conference on Information Security and Cryptology [ISCTurkey 2015]. It is accessible online from here.
The project:
- Developed by Ömer Erdem
- Idea by Ali Ikinci
- Advisor Dr. Mehmet Kara
and special thanks to Bâkır Emre for taking the first step.
Note: This project is also being developed as Istanbul Sehir University master's thesis.