25 low-high level honeypots in a single PyPI package for monitoring network traffic, bots activities, and username \ password credentials.
The honeypots respond back, non-blocking, can be used as objects, or called directly with the in-built auto-configure scripts! Also, they are easy to set up and customize; it takes 1-2 seconds to spin a honeypot up. You can spin up multiple instances with the same type. For easy integration, the output can be logged to a Postgres database, file[s], terminal, or Syslog.
This honeypots package is the only package that contains all the following: dns, ftp, httpproxy, http, https, imap, mysql, pop3, postgres, redis, smb, smtp, socks5, ssh, telnet, vnc, mssql, elastic, ldap, ntp, memcache, snmp, oracle, sip and irc.
Honeypots is in the awesome telekom security T-Pot project!
- Add
capture_commandsto options for capturing more information about the threat source (Look at the table if it's supported or not)
pip3 install honeypots
# or
sudo apt-get install postgresql
sudo apt-get install python-psycopg2
sudo apt-get install libpq-dev
pip3 install honeypots
Qeeqbox/honeypots customizable honeypots for monitoring network traffic, bots activities, and username\password credentials
Arguments:
--setup target honeypot E.g. ssh or you can have multiple E.g ssh,http,https
--list list all available honeypots
--kill kill all honeypots
--verbose Print error msgs
Honeypots options:
--ip Override the IP
--port Override the Port (Do not use on multiple!)
--username Override the username
--password Override the password
--config Use a config file for honeypots settings
--options Extra options (capture_commands for capturing all threat actor data)
General options:
--termination-strategy {input,signal} Determines the strategy to terminate by
--test Test a honeypot
--auto Setup the honeypot with random porthoneypot, or multiple honeypots separated by comma or word all
sudo -E python3 -m honeypots --setup ssh --options capture_commands
honeypot, or multiple honeypots separated by comma or word all
python3 -m honeypots --setup ssh --auto
Use as honeypot:port or multiple honeypots as honeypot:port,honeypot:port
sudo -E python3 -m honeypots --setup imap:143,mysql:3306,redis:6379
honeypot, or multiple honeypots in a dict
sudo -E python3 -m honeypots --setup ftp --config config.json{
"logs": "file,terminal,json",
"logs_location": "/var/log/honeypots/",
"syslog_address": "",
"syslog_facility": 0,
"postgres": "",
"sqlite_file":"",
"db_options": [],
"sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"ip": "0.0.0.0",
"username": "ftp",
"password": "anonymous",
"log_file_name": "ftp.log",
"max_bytes": 10000,
"backup_count": 10,
"options":["capture_commands"]
}
}
}{
"logs": "syslog",
"logs_location": "",
"syslog_address": "udp://localhost:514",
"syslog_facility": 3,
"postgres": "",
"sqlite_file":"",
"db_options": [],
"sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"ip": "0.0.0.0",
"username": "test",
"password": "test",
"options":["capture_commands"]
}
}
}
{
"logs": "db_postgres",
"logs_location": "",
"syslog_address":"",
"syslog_facility":0,
"postgres":"//username:password@172.19.0.2:9999/honeypots",
"sqlite_file":"",
"db_options":["drop"],
"sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"username": "test",
"password": "test"
}
}
}{
"logs": "db_postgres",
"logs_location": "",
"syslog_address":"",
"syslog_facility":0,
"postgres":"",
"sqlite_file":"/home/test.db",
"db_options":["drop"],
"sniffer_sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"username": "test",
"password": "test",
"options":["capture_commands"]
}
}
}[
{
"id": 1,
"date": "2021-11-18 06:06:42.304338+00",
"data": {
"server": "ftp_server",
"action": "process",
"status": "success",
"ip": "0.0.0.0",
"port": "21",
"username": "test",
"password": "test"
}
}
]from honeypots import QSSHServer
qsshserver = QSSHServer(port=9999)
qsshserver.run_server(process=True)
qsshserver.test_server(port=9999)
INFO:chameleonlogger:['servers', {'status': 'success', 'username': 'test', 'src_ip': '127.0.0.1', 'server': 'ssh_server', 'action': 'login', 'password': 'test', 'src_port': 38696}]
qsshserver.kill_server()#you need higher user permissions for binding\closing some ports
from honeypots import QSSHServer
qsshserver = QSSHServer(port=9999)
qsshserver.run_server(process=True)ssh test@127.0.0.1INFO:chameleonlogger:['servers', {'status': 'success', 'username': 'test', 'src_ip': '127.0.0.1', 'server': 'ssh_server', 'action': 'login', 'password': 'test', 'src_port': 38696}]
qsshserver.kill_server()'error' :'Information about current error'
'server' :'Server name'
'timestamp' :'Time in ISO'
'action' :'Query, login, etc..'
'data' :'More info about the action'
'status' :'The return status of the action (success or fail)'
'dest_ip' :'Server address'
'dest_port' :'Server port'
'src_ip' :'Attacker address'
'src_port' :'Attacker port'
'username' :'Attacker username'
'password' :'Attacker password'- QDNSServer
- Server: DNS
- Port: 53/udp
- Lib: Twisted.dns
- Logs: ip, port
- QFTPServer
- Server: FTP
- Port: 21/tcp
- Lib: Twisted.ftp
- Logs: ip, port, username and password (default)
- Options: Capture all threat actor commands and data (avalible)
- QHTTPProxyServer
- Server: HTTP Proxy
- Port: 8080/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port and data
- Options: Capture all threat actor commands and data (avalible)
- QHTTPServer
- Server: HTTP
- Port: 80/tcp
- Lib: Twisted.http
- Logs: ip, port, username and password
- Options: Capture all threat actor commands and data (avalible)
- QHTTPSServer
- Server: HTTPS
- Port: 443/tcp
- Lib: Twisted.https
- Logs: ip, port, username and password
- QIMAPServer
- Server: IMAP
- Port: 143/tcp
- Lib: Twisted.imap
- Logs: ip, port, username and password (default)
- Options: Capture all threat actor commands and data (avalible)
- QMysqlServer
- Emulator: Mysql
- Port: 3306/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password
- QPOP3Server
- Server: POP3
- Port: 110/tcp
- Lib: Twisted.pop3
- Logs: ip, port, username and password (default)
- Options: Capture all threat actor commands and data (avalible)
- QPostgresServer
- Emulator: Postgres
- Port: 5432/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password
- QRedisServer
- Emulator: Redis
- Port: 6379/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password
- QSMBServer
- Server: Redis
- Port: 445/tcp
- Lib: impacket
- Logs: ip, port and username
- QSMTPServer
- Server: SMTP
- Port: 25/tcp
- Lib: smtpd
- Logs: ip, port, username and password (default)
- Options: Capture all threat actor commands and data (avalible)
- QSOCKS5Server
- Server: SOCK5
- Port: 1080/tcp
- Lib: socketserver
- Logs: ip, port, username and password
- QSSHServer
- Server: SSH
- Port: 22/tcp
- Lib: paramiko
- Logs: ip, port, username and password
- Options: Capture all threat actor commands and data (avalible)
- QTelnetServer
- Server: Telnet
- Port: 23/tcp
- Lib: Twisted
- Logs: ip, port, username and password
- QVNCServer
- Emulator: VNC
- Port: 5900/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password
- QMSSQLServer
- Emulator: MSSQL
- Port: 1433/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password or hash
- QElasticServer
- Emulator: Elastic
- Port: 9200/tcp
- Lib: http.server
- Logs: ip, port and data
- QLDAPServer
- Emulator: LDAP
- Port: 389/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password
- QNTPServer
- Emulator: NTP
- Port: 123/udp
- Lib: Twisted (low level emulation)
- Logs: ip, port and data
- QMemcacheServer
- Emulator: Memcache
- Port: 11211/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port and data
- QOracleServer
- Emulator: Oracle
- Port: 1521/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port and connet data
- QSNMPServer
- Emulator: SNMP
- Port: 161/udp
- Lib: Twisted (low level emulation)
- Logs: ip, port and data
- QSIPServer
- Emulator: SIP
- Port: 5060/udp
- Lib: Twisted.sip
- Logs: ip, port and data
- Options: Capture all threat actor commands and data (avalible)
- QIRCServer
- Emulator: IRC
- Port: 6667/tcp
- Lib: Twisted.irc
- Logs: ip, port, username and password
- Options: Capture all threat actor commands and data (avalible)
- By using this framework, you are accepting the license terms of all these packages:
pipenv twisted psutil psycopg2-binary dnspython requests impacket paramiko redis mysql-connector pycryptodome vncdotool service_identity requests[socks] pygments http.server - Let me know if I missed a reference or resource!
- securityonline
- Almost all servers and emulators are stripped-down - You can adjust that as needed
