
Available Modules

Mrigank Anand edited this page Aug 8, 2021 · 3 revisions

Modules Explained in Detail

Of course, this honeypot framework is not designed to be limited to any particular protocol or module. To exercise the built-in features, however, we developed a few modules as proofs of concept that demonstrate the use of the existing classes and serve as a showcase for future designs. The OWASP Python Honeypot Project currently supports five modules: FTP (File Transfer Protocol), SSH (Secure Shell), HTTPS (Hypertext Transfer Protocol Secure), SMTP (Simple Mail Transfer Protocol) and ICS (Industrial Control Systems).

SSH

When you deploy the OWASP honeypot, it starts two Docker containers, each running an sshd server. The difference between them is the password: one container has a weak password and the other a strong one. The weak-password sshd server is used to monitor attacker activity, i.e. which commands an attacker runs after logging in easily. The strong-password sshd server is used to monitor which username/password combinations attackers try in order to get into the system. Because the strong-password module uses a randomly generated password, logging in to it is not easy. For every SSH login attempt, the username and password that were tried are stored in the database.

FTP

This module comes in two versions, weak password and strong password. The weak-password version is used to monitor what kind of files or malware an attacker uploads once logged in, which is easy because the username and password are trivially guessable (typically the username "root" and the password "123456"). The strong-password version again records the usernames and passwords used to try to log in, and also the type of any file uploaded by the attacker. Each of these activities is logged inside the Docker container and periodically sent to the database to be stored as a record. The database used in this project is MongoDB.

HTTPS

This module also has two versions, weak password and strong password. The weak-password version is used to monitor the requests made to the server; if an attacker attempts a Denial of Service attack, it can easily be detected by this module. The strong-password version again tracks the usernames and passwords used by the attacker in attempts to get into the system.
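The page says that Denial of Service attempts against the weak-password HTTPS server can be detected, but not how. One straightforward check a practitioner could run over that module's request log is a per-client sliding-window request count. The following is an added example and not the project's own detection code: the log line format, the record field names, the window and threshold values are all assumptions made here, and the sample traffic is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example, not OWASP Python Honeypot code: a per-client sliding-window
# rate check over the request log a weak-password HTTPS honeypot would keep.
# Log format and field names are assumptions made for this example.

# One request per line: "<ISO-8601 UTC time> <client ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one request log line into a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"time": ts, "ip": m.group(2), "method": m.group(3),
            "path": m.group(4), "status": int(m.group(5))}


def detect_floods(lines, window_seconds=10, threshold=50):
    """Return {ip: ISO time} for every client that exceeded `threshold` requests
    inside any `window_seconds` interval; the time is the moment the limit was
    first crossed. Lines for a given client must be in chronological order."""
    recent = defaultdict(deque)     # ip -> timestamps of requests inside the current window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # a bad line must not take the detector down
        window = recent[rec["ip"]]
        window.append(rec["time"])
        # drop requests that have aged out of the window
        while (rec["time"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["time"].isoformat()
    return flagged


def build_sample_log():
    """Constructed sample traffic: a slow credential guesser and a flooding client."""
    base = datetime(2021, 8, 8, 10, 0, 0)
    lines = []
    for i in range(6):                       # 198.51.100.7: one attempt every 3 seconds
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.7 GET /admin 401")
    for i in range(120):                     # 203.0.113.9: 120 requests in 6 seconds
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.9 GET / 200")
    lines.append("this line is corrupt and must be skipped")
    return lines


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))   # {'203.0.113.9': '2021-08-08T10:00:02+00:00'}
```

The deque per client only ever holds the requests inside the current window, so memory is bounded by the attacker's request rate rather than by the length of the log. The slow guesser at 198.51.100.7 never trips the threshold, while the flooding client is flagged at the first request that pushes its count above the limit; in a deployment the flagged event would be written to the same MongoDB store as the request records.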

ICS

The Industrial Control Systems honeypot is designed to be easy to deploy, modify and extend. The SCADA Honeynet Project is a framework that allows a single Linux machine to simulate multiple devices in SCADA (supervisory control and data acquisition), DCS (distributed control system) and PLC (programmable logic controller) networks. The ICS honeypot used in our project is GasPot. GasPot is a honeypot designed to simulate a Veeder Root Guardian AST. These tank gauges are common in the oil and gas industry at gas stations, where they help with fuel inventory. GasPot was designed to randomize as much as possible, so that no two instances look exactly the same.

SMTP

SMTP stands for Simple Mail Transfer Protocol. SMTP is the standard protocol that applications use to send email; it is not used for retrieving mail from a mailbox. The SMTP module has a strong-password version, which logs every credential event and always rejects the AUTH request. This tracks the usernames and passwords that attackers try in order to get into the system.
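To make the "log the credentials, then reject AUTH" behaviour concrete, the following Python sketch plays the server side of an SMTP AUTH exchange for both AUTH PLAIN (RFC 4616) and AUTH LOGIN: it walks the client far enough to decode the base64 credentials, records them in a MongoDB-style document, and then always answers 535. This is an added example and not code from the OWASP Python Honeypot project; the record field names and the `AuthHoneypot` class are assumptions made here, and the reply codes are the standard ones from RFC 4954.

```python
import base64
import binascii
from datetime import datetime, timezone

# Added example, not OWASP Python Honeypot code: the AUTH handler of a
# strong-password SMTP honeypot. It plays the server side of AUTH PLAIN
# (RFC 4616) and AUTH LOGIN far enough to decode the credentials, stores a
# record of them, and then rejects every attempt with 535.

USERNAME_PROMPT = "334 VXNlcm5hbWU6"   # base64("Username:")
PASSWORD_PROMPT = "334 UGFzc3dvcmQ6"   # base64("Password:")
EMPTY_CHALLENGE = "334 "               # AUTH PLAIN without initial response: send the blob now
REJECT = "535 5.7.8 Authentication credentials invalid"
BAD_ENCODING = "501 5.5.2 Cannot decode response"


def _b64(text):
    """Strictly decode a base64 SASL blob; None if the client sent garbage or '*' to abort."""
    try:
        return base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


class AuthHoneypot:
    """Tracks one client's SMTP AUTH exchange and records every credential pair it reveals."""

    def __init__(self, peer_ip):
        self.peer_ip = peer_ip
        self.records = []       # credential events in the shape we would insert into MongoDB
        self._state = None      # None | "plain" | "login_user" | "login_pass"
        self._user = None

    def _record(self, mechanism, username, password):
        # Field names are an assumption for this example, not the project's schema.
        self.records.append({
            "ip": self.peer_ip,
            "module": "smtp/strong_password",
            "mechanism": mechanism,
            "username": username,
            "password": password,
            "date": datetime.now(timezone.utc).isoformat(),
        })

    def handle(self, line):
        """Return the reply to one client line, or None if the line is not part of AUTH."""
        if self._state == "plain":
            self._state = None
            return self._finish_plain(line)
        if self._state == "login_user":
            return self._login_user(line)
        if self._state == "login_pass":
            self._state = None
            blob = _b64(line)
            if blob is None:
                return BAD_ENCODING
            self._record("LOGIN", self._user, blob.decode("utf-8", "replace"))
            return REJECT

        parts = line.strip().split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            return None                      # EHLO, MAIL FROM, ... are handled elsewhere
        mechanism = parts[1].upper()
        if mechanism == "PLAIN":
            if len(parts) == 3:              # initial response carried on the AUTH line itself
                return self._finish_plain(parts[2])
            self._state = "plain"
            return EMPTY_CHALLENGE
        if mechanism == "LOGIN":
            if len(parts) == 3:              # some clients send the username inline
                return self._login_user(parts[2])
            self._state = "login_user"
            return USERNAME_PROMPT
        return "504 5.5.4 Unrecognized authentication type"

    def _login_user(self, blob_b64):
        blob = _b64(blob_b64)
        if blob is None:
            self._state = None
            return BAD_ENCODING
        self._user = blob.decode("utf-8", "replace")
        self._state = "login_pass"
        return PASSWORD_PROMPT

    def _finish_plain(self, blob_b64):
        blob = _b64(blob_b64)
        # RFC 4616: [authzid] NUL authcid NUL passwd, i.e. exactly two NUL bytes
        if blob is None or blob.count(b"\0") != 2:
            return BAD_ENCODING
        _authzid, authcid, passwd = blob.split(b"\0")
        self._record("PLAIN", authcid.decode("utf-8", "replace"), passwd.decode("utf-8", "replace"))
        return REJECT
```

The handler deliberately accepts the whole dialogue before refusing: answering 535 on the first `AUTH` line would hide the password, which is the very thing the strong-password module exists to capture. Malformed base64 (or the `*` abort the client may send) gets the standard 501 and resets the state machine, so a fuzzing client cannot wedge the session.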
