A Flask application to emulate the Docker API for honeypot purposes. Released as apart of ATT&CKCon 3.0 presentation, ATT&CKing Containers in The Cloud.
Whalehoney mocks some API endpoints detailed within the official Docker
Engine API guide. Incoming requests are logged to whalehoney-YYYY-MM-dd.log
.
No operation is performed on the incoming request other than logging it to a plaintext file.
- Create a virtual environment.
$> python3 -m venv venv
- Use virtual env.
$> source ./venv/bin/activate
- Install Python dependencies.
$> pip3 install -r requirements.txt
- Start whalehoney.
$> python3 wsgi.py --bind=0.0.0.0:2375
- Build the container
docker build . -t whalehoney:latest
- Run the container exposing the Docker port (2375) to the honeypot
docker run -p 2375:2375 --name whalehoney whalehoney:latest -d
Test endpoints to ensure the container is running:
$> curl localhost:2375/version;
$> curl localhost:2375/_ping;
Docker logs available within the conatiner at: ./logs/$DATE/whalehoney-$DATE.log
Reference the dockerapi/dockeroutes.py for more