GSoC 2023 - Honeyscanner: a vulnerability analysis tool for honeypots

GSoC Final Report

Project:          Honeyscanner: a vulnerability analysis tool for honeypots
Contributor:      Aristofanis Chionis Koufakos
Organization:     The Honeynet Project
Mentors:          Emmanouil Vasilomanolakis, Shreyas Srinivasa, Ricardo Maria Yaben Lopezosa

Project Description

A honeypot is a security resource that mimics a vulnerable system and is used to lure and trap cyber-attackers. Over the last decade, many open-source honeypots have been developed by the community as side projects, without funding or a company behind them. This has led to experimental implementations of honeypot ideas that have not been tested thoroughly by security teams. This project addresses exactly that problem. Honeyscanner is an open-source vulnerability scanner for honeypots. It follows a penetration-testing strategy that starts with reconnaissance techniques and progresses to more advanced ones, such as exploiting bugs in the libraries the honeypot uses, fuzzing, and DoS attacks. The tool is implemented in Python.

Github Code URL

https://github.com/honeynet/honeyscanner

Honeyscanner Design

(Figure: Honeyscanner architecture diagram, honeyscanner_architecture)

My Contributions

I designed and developed Honeyscanner from the ground up. I formulated and implemented each attack and module within the Honeyscanner tool.

Current State of Honeyscanner

Honeyscanner is currently capable of automated passive scanning and vulnerability assessment for the following honeypots:

  • Cowrie
  • Kippo
  • Dionaea
  • Conpot

Furthermore, Honeyscanner can actively launch attacks against the aforementioned honeypots. For instance, it can target Cowrie and Kippo using the following active attack techniques:

  • DoS attack
  • Fuzzing attack
  • Software exploitation
  • Tarbomb attack

Against Dionaea and Conpot, Honeyscanner can execute active DoS attacks.

Ultimately, Honeyscanner generates a final report containing the outcomes of both passive and active attacks.
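
The tarbomb attack listed above, as an added example that is not Honeyscanner's own code: the block below builds a small compression-bomb archive in memory and then runs the header-only check that a honeypot's emulated tar command, or any service that unpacks attacker-supplied archives, should perform before extracting anything. The attack shape (members declaring far more data than the archive holds, or member names that escape the extraction directory), the size and ratio thresholds, and the file names are my assumptions.

```python
"""Build a tarbomb in memory and gate extraction on what the archive declares.

Added example for this report, not Honeyscanner's own code. It assumes the
attack shape is an archive whose members declare far more data than the
archive itself holds, or whose member names escape the extraction directory.
Thresholds and file names are assumptions.
"""
import io
import os
import tarfile

BOMB_PAYLOAD_SIZE = 32 * 1024 * 1024  # 32 MiB of zeros; gzip shrinks it ~1000:1


def build_tarbomb(payload_size: int = BOMB_PAYLOAD_SIZE,
                  member_name: str = "payload.bin") -> bytes:
    """Return a gzip-compressed tar holding one highly compressible member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = payload_size
        tar.addfile(info, io.BytesIO(b"\0" * payload_size))
    return buf.getvalue()


def _escapes(path: str) -> bool:
    """True for absolute paths or any '..' component (would write outside cwd)."""
    return os.path.isabs(path) or ".." in path.split("/")


def inspect_archive(data: bytes,
                    max_total_bytes: int = 8 * 1024 * 1024,
                    max_ratio: float = 100.0) -> dict:
    """Walk the tar headers in streaming mode and decide whether extraction is safe.

    Nothing is written to disk; declared sizes and names come from the headers.
    Returns the declared size, the declared:compressed ratio and the reasons
    the archive was rejected (an empty list means it passed).
    """
    reasons = []
    declared = 0
    # "r|gz" is a forward-only stream: member data is skipped, never stored.
    with tarfile.open(fileobj=io.BytesIO(data), mode="r|gz") as tar:
        for member in tar:
            declared += member.size
            if _escapes(member.name):
                reasons.append(f"unsafe member name: {member.name!r}")
            if (member.issym() or member.islnk()) and _escapes(member.linkname):
                reasons.append(f"unsafe link target in {member.name!r}: {member.linkname!r}")
    ratio = declared / max(len(data), 1)
    if declared > max_total_bytes:
        reasons.append(f"declared {declared} bytes exceeds limit of {max_total_bytes}")
    if ratio > max_ratio:
        reasons.append(f"ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    return {"declared_bytes": declared, "ratio": ratio, "reasons": reasons}


if __name__ == "__main__":
    bomb = build_tarbomb()
    print(f"bomb is {len(bomb)} bytes on the wire")
    print(inspect_archive(bomb))
    print(inspect_archive(build_tarbomb(16, "../../etc/cron.d/evil")))
```

Two caveats a practitioner should keep in mind. Walking the headers of a gzip stream still decompresses the whole stream to find the next header, so the inspection itself costs CPU proportional to the declared size; cap the compressed input size before calling inspect_archive. And the ratio check only catches compression bombs; the name and link checks are what stop the classic tarbomb that scatters files over the extraction directory or beyond it.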

Impact and Significance

Honeyscanner underscores the significance of honeypot fingerprinting and shows what an attacker can do once a specific open-source honeypot has been identified behind an IP address. The DoS attack module is particularly noteworthy: it is the simplest yet effective way for an attacker to incapacitate a honeypot, rendering it useless to its owner. The more sophisticated attack methods, such as software exploitation and tarbomb attacks, show that Honeyscanner can pinpoint and exploit specific weaknesses in the targeted honeypots. In conclusion, Honeyscanner emphasizes the need to actively monitor deployed honeypot instances, to change every default honeypot configuration value, and to hide the honeypot's identity as well as possible, in order to avoid honeypot fingerprinting.
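
The fingerprinting point above, as an added example that is not Honeyscanner's own code. The block scores two observations an attacker gets for free from an SSH honeypot (the identification banner and the shell prompt) against the shipped defaults of Kippo and Cowrie, and then runs the same comparison from the defender's side over a configuration file. The default banner and hostname strings, and the cowrie.cfg section and key names, are what I recall from the two projects' sample configs and are assumptions to verify against the shipped files; the weights, the sample observations and the config snippet are constructed.

```python
"""Fingerprint SSH honeypots from free observations, and audit a config for the same leaks.

Added example for this report, not Honeyscanner's own code. The default banner
and hostname values, and the cowrie.cfg section/key names, are what I recall
from kippo.cfg and cowrie.cfg (an assumption: verify against the shipped
files). All observations and the config snippet below are constructed.
"""
import configparser
import re

# Assumed shipped defaults from kippo.cfg and cowrie.cfg.
DEFAULTS = {
    "kippo":  {"banner": "SSH-2.0-OpenSSH_5.1p1 Debian-5", "hostname": "nas3"},
    "cowrie": {"banner": "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2", "hostname": "svr04"},
}
# Weights are an assumption; an unchanged banner is the loudest single tell.
WEIGHTS = {"banner": 0.6, "hostname": 0.4}

BANNER_RE = re.compile(r"^SSH-\d\.\d+-\S+(?: .*)?$")               # RFC 4253 id string
PROMPT_RE = re.compile(r"^[\w.-]+@(?P<host>[\w.-]+):\S*[#$]\s*$")  # user@host:cwd#


def hostname_from_prompt(prompt: str):
    """Pull the hostname out of a bash-style prompt, or None if it is not one."""
    m = PROMPT_RE.match(prompt.strip())
    return m.group("host") if m else None


def fingerprint(banner: str, prompt: str) -> dict:
    """Score how strongly the observed banner and prompt match a honeypot default.

    Returns the suspected honeypot, a confidence in [0, 1], and per-signal notes
    so a report can say which default leaked.
    """
    observed = {
        "banner": banner.strip() if BANNER_RE.match(banner.strip()) else None,
        "hostname": hostname_from_prompt(prompt),
    }
    votes, notes = {}, {}
    for signal, value in observed.items():
        hit = next((hp for hp, d in DEFAULTS.items() if value and d[signal] == value), None)
        notes[signal] = f"default {hit} value" if hit else "non-default"
        if hit:
            votes[hit] = votes.get(hit, 0.0) + WEIGHTS[signal]
    if not votes:
        return {"honeypot": None, "confidence": 0.0, "signals": notes}
    best = max(votes, key=votes.get)
    return {"honeypot": best, "confidence": round(votes[best], 2), "signals": notes}


# Constructed cowrie.cfg fragment; section and key names are assumptions.
SAMPLE_CFG = """
[honeypot]
hostname = svr04

[ssh]
version = SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
"""
CFG_KEYS = {"hostname": ("honeypot", "hostname"), "banner": ("ssh", "version")}


def audit_config(cfg_text: str, honeypot: str = "cowrie") -> list:
    """Return the (section, key) pairs still holding that honeypot's shipped default."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    findings = []
    for signal, (section, key) in CFG_KEYS.items():
        value = cfg.get(section, key, fallback=None)
        if value is not None and value.strip() == DEFAULTS[honeypot][signal]:
            findings.append((section, key))
    return findings


# Constructed observations: untouched install, banner changed but hostname left, real host.
SAMPLES = {
    "untouched-cowrie": ("SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2", "root@svr04:~# "),
    "banner-only-changed": ("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4", "root@svr04:~# "),
    "real-server": ("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4", "admin@web-01:~$ "),
}

if __name__ == "__main__":
    for label, (banner, prompt) in SAMPLES.items():
        print(f"{label:22s} {fingerprint(banner, prompt)}")
    print("config leaks:", audit_config(SAMPLE_CFG))
```

The second sample is the point: an operator who rewrites the banner but leaves the default hostname still scores 0.4 for Cowrie, which is why the recommendation is to change every default, not the obvious one. audit_config applies the same table to the configuration before deployment, so the leak is caught by the owner rather than by the attacker.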

Future Work

In the future, Honeyscanner should support more active attacks against the Dionaea and Conpot honeypots, tailored to the specific services they offer. For instance, since Dionaea provides services such as FTP, HTTP, SMB and TFTP (https://dionaea.readthedocs.io/en/latest/service/), Honeyscanner's attack strategies should target the open ports associated with these protocols, dispatching correspondingly crafted payloads to exploit vulnerabilities within the targeted honeypot.

Furthermore, Honeyscanner should broaden its honeypot support, extending its attacks to other prominent open-source honeypots such as sshesame and Glastopf.

An additional area of improvement lies within Honeyscanner's Report Generation Module. Presently, the module generates a basic report outlining identified defects and vulnerabilities within the targeted honeypot. To enhance the overall security of honeypots, future iterations of Honeyscanner could incorporate remediation recommendations tailored for administrators and developers.

Code Merged Upstream

All code and commits associated with the project were authored by me. You can access them here: https://github.com/honeynet/honeyscanner/commits/main. A full list of commits is also included at the end of this document.

Challenges and Valuable Lessons

My participation in Google Summer of Code 2023 has proven to be an immensely rewarding experience, contributing substantially to both my personal and professional growth. I delved into open-source development, making meaningful contributions to the community. Throughout this journey, I encountered challenges related to effective time management and the dedication required by a project of this scale. Maintaining self-discipline, setting weekly goals, and consistently achieving them demanded considerable effort. Aligning expectations and accurately estimating the time needed for developing specific features posed yet another challenge during GSoC. In summary, my time in GSoC was exceptionally fruitful; I acquired valuable insights and underwent significant personal and professional development. This experience has been enriching, and I wholeheartedly endorse it to my friends and colleagues.

Other PRs on community projects

When I needed to run Honeyscanner against Kippo, I faced the problem that I could not run a Kippo instance on my local machine, so I took the initiative to create my own Dockerfile, which I used to build a Docker image and spawn a Docker container running Kippo locally. After that, I opened an issue in the Kippo project (desaster/kippo#241) suggesting that my Dockerfile be added to the official Kippo honeypot codebase. The creator of the Kippo honeypot opened a PR based on my issue and Dockerfile in order to add it to the official codebase. More details can be found here: desaster/kippo#242. The pull request was merged into the master branch of the Kippo honeypot project on the 26th of August 2023. I am immensely pleased with this contribution, as it signifies how my GSoC work has positively impacted the usability of a honeypot.

Thanks

I want to deeply thank my mentors Manolis, Shreyas and Ricardo for their constant support and guidance throughout GSoC. Our regular meetings played a pivotal role in keeping me on course and enabling me to create a functional and valuable tool - Honeyscanner.

List of all the commits I made

commit 976d95fc69e79ded003bdb90e9cf43d9eb7af85c (HEAD -> main, origin/main)
Author: Aristofanis Chionis <aristofanis.chionis@cern.ch>
Date:   Wed Aug 23 10:43:34 2023 +0200

    ADD: Activating the passive attacks again

commit ef3eb404219d5dfa4ba5fcfa36d8021002f42c8b
Author: Aristofanis Chionis <aristofanis.chionis@cern.ch>
Date:   Sat Aug 19 20:57:06 2023 +0200

    ADD: Expand support for DoS attack against dionaea and conpot

commit 7adf64791d2c9264dfc7d14f018d0d931afb5c6e
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Wed Aug 9 18:33:40 2023 +0200

    14 extend the honeypot portfolio (#24)

    * ADD: Support for passive attacks on Dionaea honeypots

    * ADD: support conpot

    * ADD: extend honeypot support code

commit e96181fc0234905253b29bd7f6e8cdca5fca897e
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Tue Aug 8 17:04:00 2023 +0200

    Update README.md

commit e6ac574dabb09b3742f4706e1130ab2abcc5d079
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Tue Aug 8 17:02:38 2023 +0200

    Update README.md

commit 9b69b7f89d5529a40d3c29794e876341547e668b
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Tue Aug 8 17:01:43 2023 +0200

    Update README.md

commit 1efe41b9158fdb257852a7309a1d8ef3ec52b3b8
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Thu Jul 20 21:04:21 2023 +0200

    ADD: fix for metasploit (#22)

commit 94dd6b85a2b97ef0a5743e498092c1046e76fd16
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Tue Jul 11 20:04:35 2023 +0200

    Update README.md

commit 2b68e67acfc96624900e81f2b9cfd532901037bd
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Tue Jul 11 19:59:03 2023 +0200

    Add files via upload

commit d12bfe2e88d6368b3658c690362d4ecea42a28bb
Author: Aristofanis Chionis <aristofanis.chionis@cern.ch>
Date:   Tue Jul 11 19:57:34 2023 +0200

    ADD: honeyscanner architecture better image

commit 91ea3e3f80d4670114b890fd7f78f7a21ec93fcb
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Tue Jul 11 19:45:29 2023 +0200

    Update README.md

commit 348a556e27156b3e6d005f3994d80792c18555f1
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Tue Jul 11 19:30:25 2023 +0200

    19 add pipenv support (#20)

    * ADD: support for pipenv

    * ADD: support for pipenv

commit bb688178ecbf87fb49328ebaab3b84390acaca8c
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Tue Jul 11 18:39:41 2023 +0200

    ADD: Contributors file (#18)

commit 1cb7ccb27310b346a182667f7ddabd9fca859e88
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Tue Jul 11 16:55:18 2023 +0200

    Develop (#17)

    * WIP: readme improv

    * WIP: fixes in readme, adding contributors removing todo

commit 42c571f407bd80bbd5b8d788777207a1dfba8989
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Tue Jul 11 14:04:24 2023 +0200

    WIP: readme improv (#16)

commit 44903e24fc0577c158189e863cbcf9fe2781e094
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Sun Jul 2 17:08:13 2023 +0200

    Develop (#13)

    * ADD: fix BaseHoneypot class to follow best practises

    * FIX: fix some things regarding kippo and the connection through ssh

    * ADD: reporting capabilities in Honeyscanner, works good for kippo and cowrie and provides report

commit 4964aa9eb6ec4b1c7c89c84a3b16758492475d4a
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Sun Jul 2 13:54:56 2023 +0200

    Develop (#12)

    * ADD: fix BaseHoneypot class to follow best practises

    * FIX: fix some things regarding kippo and the connection through ssh

commit 27de0e80cc946b7831065f2f51291cf03dbf88ce
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Sat Jul 1 23:04:47 2023 +0200

    Update README.md

commit bbce4d2863c67682c081a2e90410fa486adb7986
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Sat Jul 1 23:00:04 2023 +0200

    Develop (#11)

    * ADD: improvements in trivy scanner and vuln_analyzer

    * ADD: static analyzer + vuln_analyzer + trivy scanner all working properly

    * ADD: all_cves results from running all analyzers

    * MOV: move metasploit to active attacks and I have to merge it to software exploit code

    * MOV: move metasploit to active attacks and I have to merge it to software exploit code

    * ADD: software exploit works with metasploit finder, all passive and active attacks should be now in good working condition against cowrie instance

    * ADD: small changes in software exploit function

    * ADD: software exploit and other small fixes

    * ADD: New attack ssh_keep_aliver, still WIP maybe will not keep TBD, software exploit few improvements

    * ADD: code that can read information from text file, connect to multiple machines simultaneously and use them as a botnet. It can control multiple machines through ssh and use them in order to curl a website en masse.

    * ADD: in order to expand the ddos attacker that uses honeypots as botnet, maybe try to perform a slowloris attack.

    * ADD: Honeyscanner can be run from the main.py function and all tests and attacks will run automatically. It supports Cowrie and Kippo for now. There are a few TODOs left in order to be working properly, it is still a bit unstable.

commit 5a90b499eb1e28e7ca0edd0e47e5bc05c31dfae9
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Wed Jun 21 16:36:23 2023 +0200

    Develop (#10)

    * ADD: improvements in trivy scanner and vuln_analyzer

    * ADD: static analyzer + vuln_analyzer + trivy scanner all working properly

    * ADD: all_cves results from running all analyzers

    * MOV: move metasploit to active attacks and I have to merge it to software exploit code

    * MOV: move metasploit to active attacks and I have to merge it to software exploit code

    * ADD: software exploit works with metasploit finder, all passive and active attacks should be now in good working condition against cowrie instance

    * ADD: small changes in software exploit function

    * ADD: software exploit and other small fixes

    * ADD: New attack ssh_keep_aliver, still WIP maybe will not keep TBD, software exploit few improvements

    * ADD: code that can read information from text file, connect to multiple machines simultaneously and use them as a botnet. It can control multiple machines through ssh and use them in
 order to curl a website en masse.

    * ADD: in order to expand the ddos attacker that uses honeypots as botnet, maybe try to perform a slowloris attack.

    ---------

commit 9b7958c514a5fbb8ef0f2dbe934ceb1f4fb1c82e
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Mon Jun 5 17:45:18 2023 +0200

    Develop (#9)

    * ADD: improvements in trivy scanner and vuln_analyzer

    * ADD: static analyzer + vuln_analyzer + trivy scanner all working properly

    * ADD: all_cves results from running all analyzers

    * MOV: move metasploit to active attacks and I have to merge it to software exploit code

    * MOV: move metasploit to active attacks and I have to merge it to software exploit code

    * ADD: software exploit works with metasploit finder, all passive and active attacks should be now in good working condition against cowrie instance

    * ADD: small changes in software exploit function

    * ADD: software exploit and other small fixes

    * ADD: New attack ssh_keep_aliver, still WIP maybe will not keep TBD, software exploit few improvements

    ---------

commit c7d7535d2a835bbf7208f83af389ef4724d7135f
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Sat Jun 3 19:59:53 2023 +0200

    Develop (#8)

    * ADD: improvements in trivy scanner and vuln_analyzer

    * ADD: static analyzer + vuln_analyzer + trivy scanner all working properly

    * ADD: all_cves results from running all analyzers

    * MOV: move metasploit to active attacks and I have to merge it to software exploit code

    * MOV: move metasploit to active attacks and I have to merge it to software exploit code

    * ADD: software exploit works with metasploit finder, all passive and active attacks should be now in good working condition against cowrie instance

    * ADD: small changes in software exploit function

    ---------

commit 7970f26d92019df62f7a6c2dd0492f36ddd4e0cb
Author: Aristofanis Chionis Koufakos <aristofanischionis@gmail.com>
Date:   Thu Jun 1 22:38:39 2023 +0200

    Develop (#7)

    * ADD: improvements in trivy scanner and vuln_analyzer

    * ADD: static analyzer + vuln_analyzer + trivy scanner all working properly

    * ADD: all_cves results from running all analyzers

    ---------

commit 95b95648c6fd3d44987ae5117d1b4ea915feb70f
Author: Aristofanis Chionis <aristofanis.chionis@cern.ch>
Date:   Thu Jun 1 20:55:53 2023 +0200

    Initial commit