Discover david415/HoneyBadger Open Source project

HoneyBadger

project goals

HoneyBadger is primarily a comprehensive TCP stream analysis tool for detecting and recording TCP injection attacks.
This git repository also includes a variety of prototype TCP stream injections attacks.

details

Read about HoneyBadger's design and implementation: https://honeybadger.readthedocs.org/
Read the manual integration procedure - a reproduciable procedure which proves HoneyBadger's TCP injection attack detection is reliable; in less than 2 minutes you can perform a test on your loopback interface... and test that HoneyBadger can detect injected data into a netcat client-server connection.

Read the godoc autogenerated API documentation

HoneyBadger currently support 3 Data AcQuisition packet sources: libpcap, AF_PACKET and BSD_BPF.

This means that for instance on OpenBSD, you must use the BSD_BPF DAQ by specifying this CLI option:

"-daq=BSD_BPF"

HoneyBadger attack detecton CLI examples!

Build honeyBadger CLI command from source:

user@go-dev2:~/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger$ go build

Run honeyBadger against a pcap file called tshark2.pcap:

user@go-dev2:~/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger$ ./honeyBadger \
-max_concurrent_connections=1000 -max_pcap_log_size=100 -max_pcap_rotations=10 -max_ring_packets=40 \
-metadata_attack_log=false -total_max_buffer=1000 -connection_max_buffer=100 -archive_dir=./archive \
-log_packets -l=./incoming -pcapfile=./tshark2.pcap

honeyBadger will spew lots of things to stdout. Using the above command, it will record an attack report JSON file(s) to the "./archive" directory. Here's an example output with a pcap file containing an ordered coalesce injection:

2016/02/05 23:30:01 Starting libpcap packet capture on file ./tshark2.pcap
2016/02/05 23:30:01 connected 127.0.0.1:59670-127.0.0.1:9666
2016/02/05 23:30:01 race winner stream segment:
2016/02/05 23:30:01 00000000  20 69 73 20 6e 65 63 65  73 73 61 72 79 20 66 6f  | is necessary fo|
00000010  72 20 61 6e 20 6f 70 65  6e 20 73 6f 63 69 65 74  |r an open societ|
00000020  79 20 69 6e 20 74 68 65  20 65 6c 65 63 74 72 6f  |y in the electro|
00000030  6e 69 63 20 61 67 65 2e  20 50 72 69 76 61 63 79  |nic age. Privacy|
00000040  20 69 73 20 6e 6f 74 20  73 65 63 72 65 63 79 2e  | is not secrecy.|
00000050  20 41 20 70 72 69 76 61  74 65 20 6d 61 74 74 65  | A private matte|
00000060  72 20 69 73 20 73 6f 6d  65 74 68 69 6e 67 20 6f  |r is something o|
00000070  6e 65 20 64 6f 65 73 6e  27 74 20 77 61 6e 74 20  |ne doesn't want |
00000080  74 68 65 20 77 68 6f 6c  65 20 77 6f 72 6c 64 20  |the whole world |
00000090  74 6f 20 6b 6e 6f 77 2c  20 62 75 74 20 61 20 73  |to know, but a s|
000000a0  65 63 72 65 74 20 6d 61  74 74 65 72 20 69 73 20  |ecret matter is |
000000b0  73 6f 6d 65 74 68 69 6e  67 20 6f 6e 65 20 64 6f  |something one do|
000000c0  65 73 6e 27 74 20 77 61  6e 74 20 61 6e 79 62 6f  |esn't want anybo|
000000d0  64 79 20 74 6f 20 6b 6e  6f 77 2e 20 50 72 69 76  |dy to know. Priv|
000000e0  61 63 79 20 69 73 20 74  68 65 20 70 6f 77 65 72  |acy is the power|
000000f0  20 74 6f 20 73 65 6c 65  63 74 69 76 65 6c 79 20  | to selectively |
00000100  72 65 76 65 61 6c 20 6f  6e 65 73 65 6c 66 20 74  |reveal oneself t|
00000110  6f 20 74 68 65 20 77 6f  72 6c 64 2e              |o the world.|
2016/02/05 23:30:01 race loser stream segment:
2016/02/05 23:30:01 00000000  50 72 69 76 61 63 79 20  69 73 20 6e 65 63 65 73  |Privacy is neces|
00000010  73 61 72 79 20 66 6f 72  20 61 6e 20 6f 70 65 6e  |sary for an open|
00000020  20 73 6f 63 69 65 74 79  20 69 6e 20 74 68 65 20  | society in the |
00000030  65 6c 65 63 74 72 6f 6e  69 63 20 61 67 65 2e 20  |electronic age. |
00000040  50 72 69 76 61 63 79 20  69 73 20 6e 6f 74 20 73  |Privacy is not s|
00000050  65 63 72 65 63 79 2e 20  41 20 70 72 69 76 61 74  |ecrecy. A privat|
00000060  65 20 6d 61 74 74 65 72  20 69 73 20 73 6f 6d 65  |e matter is some|
00000070  74 68 69 6e 67 20 6f 6e  65 20 64 6f 65 73 6e 27  |thing one doesn'|
00000080  74 20 77 61 6e 74 20 74  68 65 20 77 68 6f 6c 65  |t want the whole|
00000090  20 77 6f 72 6c 64 20 74  6f 20 6b 6e 6f 77 2c 20  | world to know, |
000000a0  62 75 74 20 61 20 73 65  63 72 65 74 20 6d 61 74  |but a secret mat|
000000b0  74 65 72 20 69 73 20 73  6f 6d 65 74 68 69 6e 67  |ter is something|
000000c0  20 6f 6e 65 20 64 6f 65  73 6e 27 74 20 77 61 6e  | one doesn't wan|
000000d0  74 20 61 6e 79 62 6f 64  79 20 74 6f 20 6b 6e 6f  |t anybody to kno|
000000e0  77 2e 20 50 72 69 76 61  63 79 20 69 73 20 74 68  |w. Privacy is th|
000000f0  65 20 70 6f 77 65 72 20  74 6f 20 73 65 6c 65 63  |e power to selec|
00000100  74 69 76 65 6c 79 20 72  65 76 65 61 6c 20 6f 6e  |tively reveal on|
00000110  65 73 65 6c 66 20 74 6f  20 74 68 65              |eself to the|
2016/02/05 23:30:01 detected an ordered coalesce injection
2016/02/05 23:30:01 FIN-WAIT-1: non-ACK packet received.
2016/02/05 23:30:01 ReadPacketData got EOF
2016/02/05 23:30:01 Close()
2016/02/05 23:30:01 1 connection(s) closed.
2016/02/05 23:30:01 Supervisor.Stopped()
2016/02/05 23:30:01 graceful shutdown: packet-source stopped

Or instead you can tell honeyBadger to analyze the wire with Linux's AF_PACKET capture mode. You should first disable offloading:

sudo apt-get install ethtool
sudo ethtool -K eth0 gso off
sudo ethtool -K eth0 tso off
sudo ethtool -K eth0 gro off

And then run honeyBadger like this:

./honeyBadger -max_concurrent_connections=1000 -max_pcap_log_size=100 -max_pcap_rotations=10 \
-max_ring_packets=40 -metadata_attack_log=false -total_max_buffer=1000 -connection_max_buffer=100 \
-archive_dir=/home/user/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger/archive -log_packets \
-l=/home/user/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger/incoming -log_packets=true \
-i=eth0 -daq=AF_PACKET

2016/02/07 14:16:32 HoneyBadger: comprehensive TCP injection attack detection.
2016/02/07 14:16:32 PageCache: created 1024 new pages
2016/02/07 14:16:32 Starting AF_PACKET packet capture on interface eth0

Linux security note

If running on Linux you can avoid running as root by using the setcap command. In Linux you can run packet capture tools as an unprivileged user after you run setcap as root like this:

# setcap cap_net_raw,cap_net_admin=eip honeyBadger

BSD security note

When using the BSD_BPF sniffer, avoid running as root by making sure your user has read-write access to /dev/bpf* If you are in the wheel group and the bpf devices are group owned by wheel then this should work:

# chmod g+rw /dev/bpf*

license

HoneyBadger is free software made available via the GPL3... except for small sections of code which are BSD licensed.

contact

email [email protected]
gpg key ID 0x836501BE9F27A723
gpg fingerprint F473 51BD 87AB 7FCF 6F88 80C9 8365 01BE 9F27 A723

david415/HoneyBadger

david415

Reviews

Repository Details