This project is a Low-Interaction honeypot designed to attract and analyze unauthorized access attempts. It consists of multiple bots designed to simulate various attack vectors, including brute force login attempts and form spam attacks. The honeypot collects data on these attacks, which can then be analyzed to improve security measures.
Fun Fact : I was actually inspired after 'Mr. Robot' 'eps1.8_m1rr0r1ng.qt' & then i dig deep in internet and explore more about it and found Low_Interaction Honeypots,so i decided to make it Custom in 1-2 nightouts ;0
- DecoyNet : Low-Interaction Honeypots
- Project Overview
- Table of Contents
- File Directory Structure
- Aim of the Honeypots
- Working of the Honeypots
- Honeypot Overview
- Types of Honeypots
- Aim of the Project
- Bots
- Usage
- Installation and Setup
- 1. Clone the Repository
- 2. Update and Upgrade System (for fresh Linux environments)
- 3. Install Python and Pip (if not already installed)
- 4. Install venv Package (if not already installed)
- 5. Create and Activate a Virtual Environment
- 6. Install Project Dependencies
- 7. Run the Honeypot Application
- 8. Run Attack Bots
- 9. Run the Flask Application (if applicable)
- 10. Deactivate the Virtual Environment
- Summary of Commands
- Links and References
DecoyNet
├── Archive
│ ├── bot.py
│ ├── dashboard.py
│ └── README.md
├── breachbot.py
├── data
│ ├── bot_trace.csv
│ ├── login.csv
│ ├── spams.csv
│ └── submissions.csv
├── formhpot.py
├── formspamattack.py
├── loginhpot.py
├── README.md
├── requirements.txt
├── ss
├── static
│ ├── bg.png
│ └── styles.css
└── templates
├── dashboard.html
├── form.html
├── index.html
└── login.html
Aim: The primary aim of the login honeypot is to simulate a vulnerable login endpoint that attracts brute force attack attempts. This honeypot is designed to detect and log unauthorized login attempts, which typically involve systematic trials of different password combinations. By capturing this data, the honeypot helps in understanding common attack patterns, identifying weak passwords, and improving overall security measures. It provides insights into attackers’ strategies and tools used during such attacks.
Aim: The form honeypot aims to simulate a vulnerable form on a web application to attract and detect spam attacks. By including hidden fields that only automated spam bots would fill, it differentiates between legitimate user interactions and spam submissions. This honeypot helps in understanding the nature of spam attacks, the types of data bots are trying to submit, and the frequency of such attacks. It aids in refining anti-spam mechanisms and enhances the robustness of form validation strategies.
-
Simulation: The login honeypot sets up a Flask server with an endpoint that appears to accept login credentials. The endpoint is intentionally vulnerable to attract brute force attacks.
-
Interaction: When an attacker tries to gain unauthorized access, they use automated tools to attempt various username-password combinations. The honeypot logs these attempts, including the IP addresses, timestamps, and the passwords used.
-
Logging: Each login attempt is captured and stored in a CSV file for analysis. This data includes failed login attempts and the patterns used by attackers.
Honeypot triggered! Potential spam detected.
127.0.0.1 - - [23/Jul/2024 15:59:18] "POST /submit HTTP/1.1" 302 -
127.0.0.1 - - [23/Jul/2024 15:59:18] "GET / HTTP/1.1" 200 -
Real ID: None, Real Password: None
Honeypot ID: None, Honeypot Password: aano
- Analysis: The logged data is analyzed to identify common password combinations, attack frequency, and potential vulnerabilities. This analysis helps in understanding attacker behavior and strengthening security protocols.
Timestamp,IP Address,User Agent,hpot ID,hpot Password
2024-07-23 15:59:17,127.0.0.1,python-requests/2.32.3,,aaaa
2024-07-23 15:59:17,127.0.0.1,python-requests/2.32.3,,aaab
2024-07-23 15:59:17,127.0.0.1,python-requests/2.32.3,,aaac
2024-07-23 15:59:17,127.0.0.1,python-requests/2.32.3,,aaad
2024-07-23 15:59:17,127.0.0.1,python-requests/2.32.3,,aaae
2024-07-23 15:59:17,127.0.0.1,python-requests/2.32.3,,aaaf
2024-07-23 15:59:17,127.0.0.1,python-requests/2.32.3,,aaag
2024-07-23 15:59:17,127.0.0.1,python-requests/2.32.3,,aaah
- Simulation: The form honeypot sets up a Flask server with a form containing both visible and hidden fields. The hidden fields are designed to attract spam bots, which typically fill all fields, including those not meant for legitimate users.
(myenv) kintsugi-warrior@kintsugi-machine:~/Documents/Warehouse2.0/Projects/DecoyNet$ python formhpot.py
* Serving Flask app 'formhpot'
* Debug mode: on
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
* Running on http://127.0.0.1:5000
Press CTRL+C to quit
* Restarting with stat
* Debugger is active!
* Debugger PIN: 288-869-580
127.0.0.1 - - [23/Jul/2024 16:08:11] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [23/Jul/2024 16:08:11] "GET /static/styles.css HTTP/1.1" 200 -
127.0.0.1 - - [23/Jul/2024 16:08:51] "GET /form HTTP/1.1" 200 -
127.0.0.1 - - [23/Jul/2024 16:08:51] "GET /static/styles.css HTTP/1.1" 304 -
127.0.0.1 - - [23/Jul/2024 16:10:23] "POST /submit HTTP/1.1" 200 -
- Interaction: Legitimate users fill only the visible fields, leaving the hidden fields empty. In contrast, spam bots automatically fill in both the visible and hidden fields with random or spammy data.
- Detection: Upon form submission, the server checks the hidden fields. If any hidden fields are filled, the submission is identified as spam. The data is discarded, and the spam attempt is logged.
Timestamp,IP Address,User Agent,hpot ID,hpot Name,hpot Option,hpot Phone,hpot Email,hpot Review
2024-07-22 20:40:15,127.0.0.1,python-requests/2.32.3,74848,XBBWL AWRXY,excellent,2095471582,[email protected],"Average service, could be better."
2024-07-22 20:40:15,127.0.0.1,python-requests/2.32.3,72322,NPCTQ BIDVI,poor,0084984062,[email protected],"Great experience, will come back again."
2024-07-22 20:40:15,127.0.0.1,python-requests/2.32.3,80129,PGSBQ OZMXT,excellent,5318343996,[email protected],"Great experience, will come back again."
2024-07-22 20:40:15,127.0.0.1,python-requests/2.32.3,85569,VIBLO YGVYH,average,8186494463,[email protected],"Average service, could be better."
2024-07-22 20:40:15,127.0.0.1,python-requests/2.32.3,31201,BONKT CDODY,good,4407142378,[email protected],"Amazing product, very happy with the purchase!"
2024-07-22 20:40:15,127.0.0.1,python-requests/2.32.3,66029,EMBVN QXDIH,average,4729452213,[email protected],"Average service, could be better."2024-07-23 16:12:48,127.0.0.1,python-requests/2.32.3,35335,EXVWG YQUAX,good,5967818097,[email protected],"Average service, could be better."
- Analysis: The data from spam attempts is collected and analyzed to understand spammer tactics, such as the types of data submitted and the frequency of attacks. This information is used to improve form validation and anti-spam mechanisms.
A honeypot is a security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. It consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored, and which seems to contain information or resources that would be of value to attackers.
The main aim of cybersecurity is to protect systems, networks, and data from cyber attacks. This involves preventing unauthorized access, ensuring data integrity, and maintaining the availability of resources.
- Definition: Simulate only a few aspects of the targeted system.
- Purpose: Capture basic information about attack vectors and techniques.
- Advantages: Easier to deploy and manage, lower risk.
- Disadvantages: Limited information on attackers' behavior and tactics.
- Definition: Fully functional systems that interact with attackers in a more realistic way.
- Purpose: Gather detailed information about attackers' methods and tools.
- Advantages: Comprehensive data collection, deeper insights into attacker strategies.
- Disadvantages: Higher risk, more complex to deploy and maintain.
- Detection: Identify unauthorized access and attacks.
- Deception: Mislead attackers and waste their time and resources.
- Research: Understand new attack techniques and develop countermeasures.
- Forensics: Collect evidence and analyze attack patterns for legal or analytical purposes.
- Planning: Define objectives and choose the type of honeypot.
- Configuration: Set up the honeypot system, ensuring it mimics real systems.
- Isolation: Keep the honeypot isolated from the actual network to prevent accidental breaches.
- Monitoring: Continuously monitor and log all activities within the honeypot.
- Analysis: Regularly analyze the collected data to gain insights into attack patterns and behaviors.
The aim of this project is to create a honeypot that can attract and log various types of cyber attacks. This information can then be analyzed to improve security measures and to better understand attacker behavior.
The honeypot application runs a Flask server that simulates a vulnerable web application. It logs all incoming requests, including attempted logins and form submissions, and stores this data in a CSV file. This data is then used for analysis.
@app.route('/submit', methods=['POST'])
def submit():
real_id = request.form.get('dtx000')
real_password = request.form.get('dtx001')
ip_address = request.remote_addr
user_agent = request.headers.get('User-Agent')
timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
hpot_id = request.form.get('id')
hpot_password = request.form.get('password')
# Debugging
print(f"Real ID: {real_id}, Real Password: {real_password}")
print(f"Honeypot ID: {hpot_id}, Honeypot Password: {hpot_password}")
if hpot_id or hpot_password:
print("Honeypot triggered! Potential spam detected.")
with open(bot_trace, 'a', newline='') as file:
writer = csv.writer(file)
writer.writerow([
timestamp,
ip_address,
user_agent,
hpot_id,
hpot_password
])
return redirect('/')
with open(data_file, 'a', newline='') as file:
writer = csv.writer(file)
writer.writerow([timestamp,
ip_address,
user_agent,
real_id,
real_password])
print("Form submitted successfully!")
return "Logged in successfully!"
- Real Users: Interact with and fill only the visible fields. The honeypot fields remain empty.
- Spam Bots: Fill both the visible and hidden fields, triggering the honeypot detection.
This differentiation allows the server to identify and filter out spam submissions while processing legitimate ones.
.hpot {
opacity: 0;
position: absolute;
top: 0;
left: 0;
height: 0;
width: 0;
z-index: -1;
}
-
Honeypot Flask Application:
- The Flask application runs a web server with endpoints that appear vulnerable to attackers.
- It logs all incoming requests, including IP addresses, timestamps, and payloads.
- Data is stored in .
- Login Honeypot Server: Simulates a decoy brute force attack security mechanism set to detect&deflect,by trying multiple password combinations on the login endpoint.
- Form Honeypot : Simulates a security mechanism set to detect&deflect spam attack by submitting multiple forms with random data.
-
Attack Bots:
- Breach Bot: Simulates a brute force attack by trying multiple password combinations on the login endpoint.
- Form Spam Attack Bot: Simulates a spam attack by submitting multiple forms with random data.
-
Data Analysis:
- The
analysis/analyze_data.pyscript analyzes the collected data and generates visualizations.
- The
-
User Interaction:
- A real user visits the form page and interacts with the visible fields only.
- The user fills in the fields with obfuscated names (
nameksljf,emaillkjkl) and leaves the hidden honeypot fields (name,email) untouched.
-
Form Data Submission:
- Upon form submission, the form data sent to the server includes values only for the obfuscated fields.
- The honeypot fields remain empty.
-
Server-Side Processing:
- The server checks the honeypot fields.
- Since the honeypot fields are empty, the submission is considered legitimate.
- The server then processes the real user data (e.g., saving it to a CSV file).
-
Outcome:
- The user receives a confirmation message indicating that the form submission was successful.
<label for="dtx000">Customer ID:</label>
<input type="text" id="dtx000" name="dtx000" required>
<label for="dtx001">Name:</label>
<input type="text" id="dtx001" name="dtx001" required>
<label for="dtx010">How would you rate our service?</label>
<select id="dtx010" name="dtx010" required>
<option value="">--Please choose an option--</option>
<option value="excellent">Excellent</option>
<option value="good">Good</option>
<option value="average">Average</option>
<option value="poor">Poor</option>
</select>
<label for="dtx011">Phone Number:</label>
<input type="tel" id="dtx011" name="dtx011" required>
<label for="dtx100">Email:</label>
<input type="email" id="dtx100" name="dtx100" required>
<label for="dtx101">Review :</label>
<textarea id="review" name="dtx101" rows="4" required></textarea>
-
Bot Interaction:
- A spam bot visits the form page and attempts to fill all input fields indiscriminately, including hidden fields.
- The bot fills in the visible fields as well as the honeypot fields with generic or spammy data.
-
Form Data Submission:
- Upon form submission, the form data sent to the server includes values for both the visible fields and the hidden honeypot fields.
-
Server-Side Processing:
- The server checks the honeypot fields.
- Since the honeypot fields are filled, the submission is identified as spam.
- The server discards the spam submission and may take additional actions (e.g., logging the spam attempt).
-
Outcome:
- The bot does not receive any confirmation, and the spam data is not processed or saved by the server.
<label class="hpot" for="id"></label>
<input class="hpot" type="text" id="id" name="id" autocomplete="off" placeholder="ID">
<label class="hpot" for="name"></label>
<input class="hpot" type="text" id="name" name="name" autocomplete="off" placeholder="Name">
<label class="hpot" for="option"></label>
<input class="hpot" type="text" id="option" name="option" autocomplete="off" placeholder="Option">
<label class="hpot" for="phone"></label>
<input class="hpot" type="text" id="phone" name="phone" autocomplete="off" placeholder="Phone">
<label class="hpot" for="email"></label>
<input class="hpot" type="email" id="email" name="email" autocomplete="off" placeholder="Email">
<label class="hpot" for="review"></label>
<textarea class="hpot" id="review" name="review" rows="4" placeholder="Review"></textarea>
This bot simulates a brute force attack by trying various password combinations on a login endpoint. It uses the requests library to send POST requests and logs the results.
This bot simulates a form spam attack by submitting multiple forms with random data. It uses the requests library to send POST requests to the form endpoint.
This bot combines various attack methods to simulate a more comprehensive breach attempt.
python loginhpot.pypython formhpot.pyBrute Force Login Bot:
python breachbot.pyForm Spam Attack Bot:
python formspamattack.pyHere's List of Steps which integrates the steps for cloning a repository, setting up a virtual environment, and configuring a Python Flask project:
Clone your project repository from GitHub:
git clone https://github.com/yourusername/honeypot_project.git
cd honeypot_projectUpdate and upgrade your system packages:
sudo apt update
sudo apt upgradeInstall Python and Pip:
sudo apt install python3 python3-pipInstall the venv package for creating virtual environments:
sudo apt install python3-venvCreate and activate a virtual environment named myenv:
python3 -m venv myenv
source myenv/bin/activate # On macOS and Linux
# myenv\Scripts\activate # On WindowsInstall the required packages listed in the requirements.txt file:
pip install -r requirements.txtExecute the honeypot application:
python loginhpot.py
python formhpot.py
Run any attack bots as required for your project:
python bot_scripts/brute_force_login.py
python bot_scripts/form_spam_attack.pyIf your project includes a Flask application, run it:
python loginhpot.py
python formhpot.py
Access the Flask app at http://127.0.0.1:5000 in your browser.
When you're done working, deactivate the virtual environment:
deactivate# Clone repository
git clone https://github.com/yourusername/honeypot_project.git
cd honeypot_project
# System update
sudo apt update
sudo apt upgrade
# Install Python and pip
sudo apt install python3 python3-pip
# Install venv
sudo apt install python3-venv
# Create and activate virtual environment
python3 -m venv myenv
source myenv/bin/activate
# Install dependencies
pip install -r requirements.txt
# Run applications
python loginhpot.py
python formhpot.py
python brute_force_login.py
python form_spam_attack.py
# Or run Flask app if applicable
python loginhpot.py
python formhpot.py
# Deactivate virtual environment
deactivateThis guide should help you set up your project environment efficiently and cover all the necessary steps for a Python-based project on Linux.