• Stars
    star
    267
  • Rank 153,621 (Top 4 %)
  • Language
    Go
  • License
    GNU General Publi...
  • Created over 7 years ago
  • Updated over 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A PoC tool designed to enhance the effectiveness of your traps by spreading breadcrumbs & honeytokens across your systems to lure the attacker toward your honeypots

Honeybits

A simple PoC tool designed to enhance the effectiveness of your traps by spreading breadcrumbs & honeytokens across your production servers and workstations to lure the attacker toward your honeypots.

Author: Adel "0x4D31" Karimi.

The Windows version of this project: honeybits-win

Background

Although honeypots are used by security researchers to study the attackers’ tools, techniques and motives for many years, they still have not been widely accepted and deployed in production environments. One reason is that the traditional implementation of honeypots is static and success is based on an attacker discovering it (which usually requires network scanning)!

Taking a look at the Mitre ATT&CK Matrix, you will see that 'Network Service Scanning' is only one of the many different Post-compromise activities. The more you plant false or misleading information in response to the post-compromise techniques (specially the techniques under ‘credential access’, ‘Discovery’, and ‘Lateral movement’ tactics in ATT&CK matrix), the greater the chance of catching the attackers. Honeybits helps you automate the creation of breadcrumbs/honeytokens on your production Servers and Workstations. These honeytokens or breadcrumbs include:

  • Fake bash_history commands (such as ssh, ftp, rsync, scp, mysql, wget, awscli)
  • Fake AWS credentials and config files (you required to create fake AWS IAM users with no permissions and generate access keys for them)
  • Configuration, backup and connection files such as RDP and VPN
  • Fake entries in hosts, ARP table, etc.
  • Fake browser history, bookmarks and saved passwords
  • Injected fake credentials into LSASS
  • Fake registry keys

Honeybits

Features

  • Creating honeyfiles and monitoring the access to these traps using go-audit or auditd
  • Template based content generator for honeyfiles
  • Insert honeybits into AWS config and credentials file
  • Insert honeybits into /etc/hosts
  • Reading config from a Remote Key/Value Store such as Consul or etcd
  • Insert different honeybits into "bash_history", including the following sample commands:
    • ssh (sshpass -p '123456' ssh -p 2222 [email protected])
    • ftp (ftp ftp://backup:[email protected]:2121)
    • rsync (rsync -avz -e 'ssh -p 2222' [email protected]:/var/db/backup.tar.gz /tmp/backup.tar.gz)
    • scp (scp -P 2222 [email protected]:/var/db/backup.tar.gz /tmp/backup.tar.gz)
    • mysql (mysql -h 192.168.1.66 -P 3306 -u dbadmin -p12345 -e "show databases")
    • wget (wget http://192.168.1.66:8080/backup.zip)
    • any custom commands: (nano /tmp/backup/credentials.txt)
    • aws:
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws ec2 describe-instances --profile devops --region us-east-2

Requirements

  • Go Lang 1.7+
  • Viper (go get github.com/spf13/viper)
  • crypt (go get github.com/xordataexchange/crypt/config)
  • go-audit or auditd (if you want to monitor the honeyfiles)

Usage:

$ go build
$ sudo ./honeybits 

Failed reading remote config. Reading the local config file...
Local config file loaded.

[failed] honeyfile already exists at this path: /tmp/secret.txt
[done] go-audit rule for /home/test/secret.txt is added
[done] honeyfile is created (/home/test/secret.txt)
[done] go-audit rule for /opt/secret.txt is added
[done] sshpass honeybit is inserted
[done] wget honeybit is inserted
[done] ftp honeybit is inserted
[done] rsync honeybit is inserted
[done] scp honeybit is inserted
[done] mysql honeybit is inserted
[failed] aws honeybit already exists
[done] hostsconf honeybit is inserted
[done] awsconf honeybit is inserted
[done] awscred honeybit is inserted
[done] custom honeybit is inserted

TODO:

  • Rewrite the whole code. Current code is crap (just a PoC)!
  • Improve the Content generator
  • More traps, including:
    • Beacon documents
    • KeePass file with entries (.kdbx)
    • Database files/backups: SQLite, MySQL
    • Fake security scan results such as Nmap output
    • Binary files with hardcoded IP / credentials
  • More network traps
    • Fake PCAP / network traffic containing credentials and etc.
    • Fake ARP Table entries
    • Monitoring network traps using go-audit
  • Complete the Windows version (honeybits-win)
  • Documentation

More Repositories

1

awesome-threat-detection

✨ A curated list of awesome threat detection and hunting resources 🕵️‍♂️
3,062
star
2

awesome-oscp

A curated list of awesome OSCP resources
2,159
star
3

fatt

FATT /fingerprintAllTheThings - a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic
Python
625
star
4

honeyLambda

honeyλ - a simple, serverless application designed to create and monitor fake HTTP endpoints (i.e. URL honeytokens) automatically, on top of AWS Lambda and Amazon API Gateway
Python
499
star
5

burpa

Burp-Automator: A Burp Suite Automation Tool with Slack Integration. It can be used with Jenkins and Selenium to automate Dynamic Application Security Testing (DAST).
Python
479
star
6

deception-as-detection

Deception based detection techniques mapped to the MITRE’s ATT&CK framework
273
star
7

salt-scanner

Linux vulnerability scanner based on Salt Open and Vulners audit API, with Slack notifications and JIRA integration
Python
262
star
8

detection-and-response-pipeline

✨ A compilation of suggested tools/services for each component in a detection and response pipeline, along with real-world examples. The purpose is to create a reference hub for designing effective threat detection and response pipelines. 👷 🏗
219
star
9

sqhunter

A simple threat hunting tool based on osquery, Salt Open and Cymon API
Python
65
star
10

honeyku

A Heroku-based web honeypot that can be used to create and monitor fake HTTP endpoints (i.e. honeytokens).
Python
58
star
11

hassh-utils

hassh-utils: Nmap NSE Script and Docker image for HASSH - the SSH client/server fingerprinting method (https://github.com/salesforce/hassh)
Lua
49
star
12

honeybits-win

Windows version of honeybits - a PoC tool to create breadcrumbs and honeytokens, to lead the attackers to your honeypots!
Go
24
star
13

quick

QUICk - a go library based on gopacket for analyzing QUIC CHLO messages
Go
22
star
14

Presentations

Some of the presentations given by me
15
star
15

0x4d31.github.io

HTML
2
star