HoneyBadger
project goals
- HoneyBadger is primarily a comprehensive TCP stream analysis tool for detecting and recording TCP injection attacks.
- This git repository also includes a variety of prototype TCP stream injection attacks.
details
- Read about HoneyBadger's design and implementation: https://honeybadger.readthedocs.org/
- Read the manual integration procedure: a reproducible procedure which proves HoneyBadger's TCP injection attack detection is reliable; in less than 2 minutes you can perform a test on your loopback interface... and confirm that HoneyBadger detects data injected into a netcat client-server connection.
- Read the godoc autogenerated API documentation
- HoneyBadger currently supports 3 Data AcQuisition (DAQ) packet sources: libpcap, AF_PACKET and BSD_BPF. This means that, for instance, on OpenBSD you must use the BSD_BPF DAQ by specifying this CLI option: `-daq=BSD_BPF`
HoneyBadger attack detection CLI examples!
Build the honeyBadger CLI command from source:

```
user@go-dev2:~/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger$ go build
```
Run honeyBadger against a pcap file called tshark2.pcap:

```
user@go-dev2:~/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger$ ./honeyBadger \
  -max_concurrent_connections=1000 -max_pcap_log_size=100 -max_pcap_rotations=10 -max_ring_packets=40 \
  -metadata_attack_log=false -total_max_buffer=1000 -connection_max_buffer=100 -archive_dir=./archive \
  -log_packets -l=./incoming -pcapfile=./tshark2.pcap
```
honeyBadger will spew lots of things to stdout. With the above command it will also record attack report JSON file(s) to the "./archive" directory. Here's example output from a pcap file containing an ordered coalesce injection; the "race winner" segment is the data the receiving TCP stack accepted first, the "race loser" is the later segment covering the same sequence range with different bytes:
```
2016/02/05 23:30:01 Starting libpcap packet capture on file ./tshark2.pcap
2016/02/05 23:30:01 connected 127.0.0.1:59670-127.0.0.1:9666
2016/02/05 23:30:01 race winner stream segment:
2016/02/05 23:30:01 00000000  20 69 73 20 6e 65 63 65 73 73 61 72 79 20 66 6f  | is necessary fo|
00000010  72 20 61 6e 20 6f 70 65 6e 20 73 6f 63 69 65 74  |r an open societ|
00000020  79 20 69 6e 20 74 68 65 20 65 6c 65 63 74 72 6f  |y in the electro|
00000030  6e 69 63 20 61 67 65 2e 20 50 72 69 76 61 63 79  |nic age. Privacy|
00000040  20 69 73 20 6e 6f 74 20 73 65 63 72 65 63 79 2e  | is not secrecy.|
00000050  20 41 20 70 72 69 76 61 74 65 20 6d 61 74 74 65  | A private matte|
00000060  72 20 69 73 20 73 6f 6d 65 74 68 69 6e 67 20 6f  |r is something o|
00000070  6e 65 20 64 6f 65 73 6e 27 74 20 77 61 6e 74 20  |ne doesn't want |
00000080  74 68 65 20 77 68 6f 6c 65 20 77 6f 72 6c 64 20  |the whole world |
00000090  74 6f 20 6b 6e 6f 77 2c 20 62 75 74 20 61 20 73  |to know, but a s|
000000a0  65 63 72 65 74 20 6d 61 74 74 65 72 20 69 73 20  |ecret matter is |
000000b0  73 6f 6d 65 74 68 69 6e 67 20 6f 6e 65 20 64 6f  |something one do|
000000c0  65 73 6e 27 74 20 77 61 6e 74 20 61 6e 79 62 6f  |esn't want anybo|
000000d0  64 79 20 74 6f 20 6b 6e 6f 77 2e 20 50 72 69 76  |dy to know. Priv|
000000e0  61 63 79 20 69 73 20 74 68 65 20 70 6f 77 65 72  |acy is the power|
000000f0  20 74 6f 20 73 65 6c 65 63 74 69 76 65 6c 79 20  | to selectively |
00000100  72 65 76 65 61 6c 20 6f 6e 65 73 65 6c 66 20 74  |reveal oneself t|
00000110  6f 20 74 68 65 20 77 6f 72 6c 64 2e              |o the world.|
2016/02/05 23:30:01 race loser stream segment:
2016/02/05 23:30:01 00000000  50 72 69 76 61 63 79 20 69 73 20 6e 65 63 65 73  |Privacy is neces|
00000010  73 61 72 79 20 66 6f 72 20 61 6e 20 6f 70 65 6e  |sary for an open|
00000020  20 73 6f 63 69 65 74 79 20 69 6e 20 74 68 65 20  | society in the |
00000030  65 6c 65 63 74 72 6f 6e 69 63 20 61 67 65 2e 20  |electronic age. |
00000040  50 72 69 76 61 63 79 20 69 73 20 6e 6f 74 20 73  |Privacy is not s|
00000050  65 63 72 65 63 79 2e 20 41 20 70 72 69 76 61 74  |ecrecy. A privat|
00000060  65 20 6d 61 74 74 65 72 20 69 73 20 73 6f 6d 65  |e matter is some|
00000070  74 68 69 6e 67 20 6f 6e 65 20 64 6f 65 73 6e 27  |thing one doesn'|
00000080  74 20 77 61 6e 74 20 74 68 65 20 77 68 6f 6c 65  |t want the whole|
00000090  20 77 6f 72 6c 64 20 74 6f 20 6b 6e 6f 77 2c 20  | world to know, |
000000a0  62 75 74 20 61 20 73 65 63 72 65 74 20 6d 61 74  |but a secret mat|
000000b0  74 65 72 20 69 73 20 73 6f 6d 65 74 68 69 6e 67  |ter is something|
000000c0  20 6f 6e 65 20 64 6f 65 73 6e 27 74 20 77 61 6e  | one doesn't wan|
000000d0  74 20 61 6e 79 62 6f 64 79 20 74 6f 20 6b 6e 6f  |t anybody to kno|
000000e0  77 2e 20 50 72 69 76 61 63 79 20 69 73 20 74 68  |w. Privacy is th|
000000f0  65 20 70 6f 77 65 72 20 74 6f 20 73 65 6c 65 63  |e power to selec|
00000100  74 69 76 65 6c 79 20 72 65 76 65 61 6c 20 6f 6e  |tively reveal on|
00000110  65 73 65 6c 66 20 74 6f 20 74 68 65              |eself to the|
2016/02/05 23:30:01 detected an ordered coalesce injection
2016/02/05 23:30:01 FIN-WAIT-1: non-ACK packet received.
2016/02/05 23:30:01 ReadPacketData got EOF
2016/02/05 23:30:01 Close()
2016/02/05 23:30:01 1 connection(s) closed.
2016/02/05 23:30:01 Supervisor.Stopped()
2016/02/05 23:30:01 graceful shutdown: packet-source stopped
```
Or instead you can tell honeyBadger to analyze the wire with Linux's AF_PACKET capture mode. You should first disable offloading, because with GSO/TSO/GRO enabled the kernel hands the capture socket coalesced segments whose boundaries differ from the segments actually on the wire, which defeats segment-level retransmission analysis:

```
sudo apt-get install ethtool
sudo ethtool -K eth0 gso off
sudo ethtool -K eth0 tso off
sudo ethtool -K eth0 gro off
```
And then run honeyBadger like this:

```
./honeyBadger -max_concurrent_connections=1000 -max_pcap_log_size=100 -max_pcap_rotations=10 \
  -max_ring_packets=40 -metadata_attack_log=false -total_max_buffer=1000 -connection_max_buffer=100 \
  -archive_dir=/home/user/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger/archive -log_packets \
  -l=/home/user/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger/incoming -log_packets=true \
  -i=eth0 -daq=AF_PACKET
2016/02/07 14:16:32 HoneyBadger: comprehensive TCP injection attack detection.
2016/02/07 14:16:32 PageCache: created 1024 new pages
2016/02/07 14:16:32 Starting AF_PACKET packet capture on interface eth0
```
Linux security note
If running on Linux you can avoid running as root by using the setcap command. In Linux you can run packet capture tools as an unprivileged user after you run setcap as root like this:

```
# setcap cap_net_raw,cap_net_admin=eip honeyBadger
```

Note that file capabilities are granted to whoever executes the binary, so keep its execute permission limited to the user or group that is meant to run captures.
BSD security note
When using the BSD_BPF sniffer, avoid running as root by making sure your user has read-write access to /dev/bpf*. If you are in the wheel group and the bpf devices are group owned by wheel then this should work:

```
# chmod g+rw /dev/bpf*
```
license
HoneyBadger is free software made available via the GPL3... except for small sections of code which are BSD licensed.
contact
- email [email protected]
- gpg key ID 0x836501BE9F27A723
- gpg fingerprint F473 51BD 87AB 7FCF 6F88 80C9 8365 01BE 9F27 A723