23 different honeypots in a single PyPI package for monitoring network traffic, bots activities, and username \ password credentials.
The honeypots respond back, non-blocking, can be used as objects, or called directly with the in-built auto-configure scripts! Also, they are easy to setup and customize, it takes 1-2 seconds to spin a honeypot up. The output can be logged to a postgres database, file[s], terminal or syslog for easy integration.
This honeypots package is the only package that contains all the following: dns, ftp, httpproxy, http, https, imap, mysql, pop3, postgres, redis, smb, smtp, socks5, ssh, telnet, vnc, mssql, elastic, ldap, ntp, memcache, snmp, and oracle.
Honeypots now is in the awesome telekom security T-Pot project!
pip3 install honeypots
honeypot, or multiple honeypots separated by comma or word all
python3 -m honeypots --setup ssh
honeypot, or multiple honeypots separated by comma or word all
sudo -E python3 -m honeypots --setup ssh:22
Use as honeypot:port or multiple honeypots as honeypot:port,honeypot:port
python3 -m honeypots --setup imap:143,mysql:3306,redis:6379
honeypot, or multiple honeypots separated by comma or word all
honeypot, or multiple honeypots in a dict
python3 -m honeypots --setup ftp --config config.json{
"logs": "file,terminal,json",
"logs_location": "/var/log/honeypots/",
"syslog_address": "",
"syslog_facility": 0,
"postgres": "",
"sqlite_file":"",
"db_options": [],
"sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"ip": "0.0.0.0",
"username": "ftp",
"password": "anonymous",
"log_file_name": "ftp.log",
"max_bytes": 10000,
"backup_count": 10
}
}
}{
"logs": "syslog",
"logs_location": "",
"syslog_address": "udp://localhost:514",
"syslog_facility": 3,
"postgres": "",
"sqlite_file":"",
"db_options": [],
"sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"ip": "0.0.0.0",
"username": "test",
"password": "test"
}
}
}
{
"logs": "db_postgres",
"logs_location": "",
"syslog_address":"",
"syslog_facility":0,
"postgres":"//username:[email protected]:9999/honeypots",
"sqlite_file":"",
"db_options":["drop"],
"sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"username": "test",
"password": "test"
}
}
}{
"logs": "db_postgres",
"logs_location": "",
"syslog_address":"",
"syslog_facility":0,
"postgres":"",
"sqlite_file":"/home/test.db",
"db_options":["drop"],
"sniffer_sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"username": "test",
"password": "test"
}
}
}[
{
"id": 1,
"date": "2021-11-18 06:06:42.304338+00",
"data": {
"server": "ftp_server",
"action": "process",
"status": "success",
"ip": "0.0.0.0",
"port": "21",
"username": "test",
"password": "test"
}
}
]#you need higher user permissions for binding\closing some ports
ip= String E.g. 0.0.0.0
port= Int E.g. 9999
username= String E.g. Test
password= String E.g. Test
options= Boolean or String E.g OpenSSH 7.0
logs= String E.g db, terminal or all
always remember to add process=true to run_server() for non-blocking
from honeypots import QSSHServer
qsshserver = QSSHServer(port=9999)
qsshserver.run_server(process=True)
qsshserver.test_server(port=9999)
INFO:chameleonlogger:['servers', {'status': 'success', 'username': 'test', 'src_ip': '127.0.0.1', 'server': 'ssh_server', 'action': 'login', 'password': 'test', 'src_port': 38696}]
qsshserver.kill_server()#you need higher user permissions for binding\closing some ports
from honeypots import QSSHServer
qsshserver = QSSHServer(port=9999)
qsshserver.run_server(process=True)INFO:chameleonlogger:['servers', {'status': 'success', 'username': 'test', 'src_ip': '127.0.0.1', 'server': 'ssh_server', 'action': 'login', 'password': 'test', 'src_port': 38696}]
qsshserver.kill_server()'error' :'Information about current error'
'server' :'Server name'
'timestamp' :'Time in ISO'
'action' :'Query, login, etc..'
'data' :'More info about the action'
'status' :'The return status of the action (success or fail)'
'dest_ip' :'Server address'
'dest_port' :'Server port'
'src_ip' :'Attacker address'
'src_port' :'Attacker port'
'username' :'Attacker username'
'password' :'Attacker password'- QDNSServer
- Server: DNS
- Port: 53/udp
- Lib: Twisted.dns
- Logs: ip, port
- QFTPServer
- Server: FTP
- Port: 21/tcp
- Lib: Twisted.ftp
- Logs: ip, port, username and password (default)
- Options: Capture all threat actor commands and data (avalible)
- QHTTPProxyServer
- Server: HTTP Proxy
- Port: 8080/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port and data
- QHTTPServer
- Server: HTTP
- Port: 80/tcp
- Lib: Twisted.http
- Logs: ip, port, username and password
- QHTTPSServer
- Server: HTTPS
- Port: 443/tcp
- Lib: Twisted.https
- Logs: ip, port, username and password
- QIMAPServer
- Server: IMAP
- Port: 143/tcp
- Lib: Twisted.imap
- Logs: ip, port, username and password (default)
- Options: Capture all threat actor commands and data (avalible)
- QMysqlServer
- Emulator: Mysql
- Port: 3306/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password
- QPOP3Server
- Server: POP3
- Port: 110/tcp
- Lib: Twisted.pop3
- Logs: ip, port, username and password (default)
- Options: Capture all threat actor commands and data (avalible)
- QPostgresServer
- Emulator: Postgres
- Port: 5432/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password
- QRedisServer
- Emulator: Redis
- Port: 6379/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password
- QSMBServer
- Server: Redis
- Port: 445/tcp
- Lib: impacket
- Logs: ip, port and username
- QSMTPServer
- Server: SMTP
- Port: 25/tcp
- Lib: smtpd
- Logs: ip, port, username and password (default)
- Options: Capture all threat actor commands and data (avalible)
- QSOCKS5Server
- Server: SOCK5
- Port: 1080/tcp
- Lib: socketserver
- Logs: ip, port, username and password
- QSSHServer
- Server: SSH
- Port: 22/tcp
- Lib: paramiko
- Logs: ip, port, username and password
- QTelnetServer
- Server: Telnet
- Port: 23/tcp
- Lib: Twisted
- Logs: ip, port, username and password
- QVNCServer
- Emulator: VNC
- Port: 5900/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password
- QMSSQLServer
- Emulator: MSSQL
- Port: 1433/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password or hash
- QElasticServer
- Emulator: Elastic
- Port: 9200/tcp
- Lib: http.server
- Logs: ip, port and data
- QLDAPServer
- Emulator: LDAP
- Port: 389/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port, username and password
- QNTPServer
- Emulator: NTP
- Port: 123/udp
- Lib: Twisted (low level emulation)
- Logs: ip, port and data
- QMemcacheServer
- Emulator: Memcache
- Port: 11211/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port and data
- QOracleServer
- Emulator: Oracle
- Port: 1521/tcp
- Lib: Twisted (low level emulation)
- Logs: ip, port and connet data
- QSNMPServer
- Emulator: SNMP
- Port: 161/udp
- Lib: Twisted (low level emulation)
- Logs: ip, port and data
- By using this framework, you are accepting the license terms of all these packages:
pipenv twisted psutil psycopg2-binary dnspython requests impacket paramiko redis mysql-connector pycryptodome vncdotool service_identity requests[socks] pygments http.server - Let me know if I missed a reference or resource!
- Almost all servers and emulators are stripped-down - You can adjust that as needed
