Repository Details

Quantum Insert detector/recorder

HoneyBadger

project goals

  • HoneyBadger is primarily a comprehensive TCP stream analysis tool for detecting and recording TCP injection attacks.
  • This git repository also includes a variety of prototype TCP stream injection attacks.

details

  • Read about HoneyBadger's design and implementation: https://honeybadger.readthedocs.org/
  • Read the manual integration procedure - a reproducible procedure which demonstrates that HoneyBadger's TCP injection attack detection is reliable; in less than 2 minutes you can perform a test on your loopback interface... and confirm that HoneyBadger detects data injected into a netcat client-server connection.
  • HoneyBadger currently supports 3 Data AcQuisition (DAQ) packet sources: libpcap, AF_PACKET and BSD_BPF.

This means that for instance on OpenBSD, you must use the BSD_BPF DAQ by specifying this CLI option:

"-daq=BSD_BPF"

HoneyBadger attack detection CLI examples!

Build the honeyBadger CLI command from source:

user@go-dev2:~/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger$ go build

Run honeyBadger against a pcap file called tshark2.pcap:

user@go-dev2:~/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger$ ./honeyBadger \
-max_concurrent_connections=1000 -max_pcap_log_size=100 -max_pcap_rotations=10 -max_ring_packets=40 \
-metadata_attack_log=false -total_max_buffer=1000 -connection_max_buffer=100 -archive_dir=./archive \
-log_packets -l=./incoming -pcapfile=./tshark2.pcap

honeyBadger will spew lots of things to stdout. Using the above command, it will record attack report JSON file(s) to the "./archive" directory. Here's an example of the output for a pcap file containing an ordered coalesce injection:

2016/02/05 23:30:01 Starting libpcap packet capture on file ./tshark2.pcap
2016/02/05 23:30:01 connected 127.0.0.1:59670-127.0.0.1:9666
2016/02/05 23:30:01 race winner stream segment:
2016/02/05 23:30:01 00000000  20 69 73 20 6e 65 63 65  73 73 61 72 79 20 66 6f  | is necessary fo|
00000010  72 20 61 6e 20 6f 70 65  6e 20 73 6f 63 69 65 74  |r an open societ|
00000020  79 20 69 6e 20 74 68 65  20 65 6c 65 63 74 72 6f  |y in the electro|
00000030  6e 69 63 20 61 67 65 2e  20 50 72 69 76 61 63 79  |nic age. Privacy|
00000040  20 69 73 20 6e 6f 74 20  73 65 63 72 65 63 79 2e  | is not secrecy.|
00000050  20 41 20 70 72 69 76 61  74 65 20 6d 61 74 74 65  | A private matte|
00000060  72 20 69 73 20 73 6f 6d  65 74 68 69 6e 67 20 6f  |r is something o|
00000070  6e 65 20 64 6f 65 73 6e  27 74 20 77 61 6e 74 20  |ne doesn't want |
00000080  74 68 65 20 77 68 6f 6c  65 20 77 6f 72 6c 64 20  |the whole world |
00000090  74 6f 20 6b 6e 6f 77 2c  20 62 75 74 20 61 20 73  |to know, but a s|
000000a0  65 63 72 65 74 20 6d 61  74 74 65 72 20 69 73 20  |ecret matter is |
000000b0  73 6f 6d 65 74 68 69 6e  67 20 6f 6e 65 20 64 6f  |something one do|
000000c0  65 73 6e 27 74 20 77 61  6e 74 20 61 6e 79 62 6f  |esn't want anybo|
000000d0  64 79 20 74 6f 20 6b 6e  6f 77 2e 20 50 72 69 76  |dy to know. Priv|
000000e0  61 63 79 20 69 73 20 74  68 65 20 70 6f 77 65 72  |acy is the power|
000000f0  20 74 6f 20 73 65 6c 65  63 74 69 76 65 6c 79 20  | to selectively |
00000100  72 65 76 65 61 6c 20 6f  6e 65 73 65 6c 66 20 74  |reveal oneself t|
00000110  6f 20 74 68 65 20 77 6f  72 6c 64 2e              |o the world.|
2016/02/05 23:30:01 race loser stream segment:
2016/02/05 23:30:01 00000000  50 72 69 76 61 63 79 20  69 73 20 6e 65 63 65 73  |Privacy is neces|
00000010  73 61 72 79 20 66 6f 72  20 61 6e 20 6f 70 65 6e  |sary for an open|
00000020  20 73 6f 63 69 65 74 79  20 69 6e 20 74 68 65 20  | society in the |
00000030  65 6c 65 63 74 72 6f 6e  69 63 20 61 67 65 2e 20  |electronic age. |
00000040  50 72 69 76 61 63 79 20  69 73 20 6e 6f 74 20 73  |Privacy is not s|
00000050  65 63 72 65 63 79 2e 20  41 20 70 72 69 76 61 74  |ecrecy. A privat|
00000060  65 20 6d 61 74 74 65 72  20 69 73 20 73 6f 6d 65  |e matter is some|
00000070  74 68 69 6e 67 20 6f 6e  65 20 64 6f 65 73 6e 27  |thing one doesn'|
00000080  74 20 77 61 6e 74 20 74  68 65 20 77 68 6f 6c 65  |t want the whole|
00000090  20 77 6f 72 6c 64 20 74  6f 20 6b 6e 6f 77 2c 20  | world to know, |
000000a0  62 75 74 20 61 20 73 65  63 72 65 74 20 6d 61 74  |but a secret mat|
000000b0  74 65 72 20 69 73 20 73  6f 6d 65 74 68 69 6e 67  |ter is something|
000000c0  20 6f 6e 65 20 64 6f 65  73 6e 27 74 20 77 61 6e  | one doesn't wan|
000000d0  74 20 61 6e 79 62 6f 64  79 20 74 6f 20 6b 6e 6f  |t anybody to kno|
000000e0  77 2e 20 50 72 69 76 61  63 79 20 69 73 20 74 68  |w. Privacy is th|
000000f0  65 20 70 6f 77 65 72 20  74 6f 20 73 65 6c 65 63  |e power to selec|
00000100  74 69 76 65 6c 79 20 72  65 76 65 61 6c 20 6f 6e  |tively reveal on|
00000110  65 73 65 6c 66 20 74 6f  20 74 68 65              |eself to the|
2016/02/05 23:30:01 detected an ordered coalesce injection
2016/02/05 23:30:01 FIN-WAIT-1: non-ACK packet received.
2016/02/05 23:30:01 ReadPacketData got EOF
2016/02/05 23:30:01 Close()
2016/02/05 23:30:01 1 connection(s) closed.
2016/02/05 23:30:01 Supervisor.Stopped()
2016/02/05 23:30:01 graceful shutdown: packet-source stopped
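The core of the report above is a comparison of two segments that claim the same TCP sequence range but carry different bytes: the one that arrived first is the "race winner", the later one the "race loser", and a byte-identical overlap is just a retransmission. The following is an added example written for this page, not HoneyBadger's own code; the Segment, Injection and StreamTracker types are assumptions, and the sample payloads are constructed.

```go
package main

import "bytes"

// maxRing bounds the retained segments per flow direction, mirroring the
// -max_ring_packets=40 setting used in the commands above.
const maxRing = 40

// Segment is a TCP payload placed in sequence space; Injection reports the bytes on
// which the segment seen first (race winner) and a later overlapping one (race
// loser) disagree. Both are constructed types for this example, not HoneyBadger's.
type Segment struct {
	Seq     uint32
	Payload []byte
}
type Injection struct {
	Seq           uint32 // first sequence number of the disputed range
	Winner, Loser string // the overlapping bytes as first seen, then as seen later
}

// StreamTracker keeps the most recent segments of one flow direction.
type StreamTracker struct{ ring []Segment }

// Observe records a segment and reports every retained segment whose sequence range
// overlaps it with different bytes. A byte-identical overlap is an ordinary
// retransmission and is not reported. Sequence-number wraparound is ignored here.
func (t *StreamTracker) Observe(s Segment) []Injection {
	var found []Injection
	for _, prev := range t.ring {
		start, end := prev.Seq, prev.Seq+uint32(len(prev.Payload))
		if s.Seq > start {
			start = s.Seq
		}
		if e := s.Seq + uint32(len(s.Payload)); e < end {
			end = e
		}
		if start >= end {
			continue // no overlap in sequence space
		}
		w, l := prev.Payload[start-prev.Seq:end-prev.Seq], s.Payload[start-s.Seq:end-s.Seq]
		if !bytes.Equal(w, l) {
			found = append(found, Injection{Seq: start, Winner: string(w), Loser: string(l)})
		}
	}
	if t.ring = append(t.ring, s); len(t.ring) > maxRing {
		t.ring = t.ring[1:] // evict the oldest segment
	}
	return found
}
```

Feeding the constructed segments "Privacy is not secrecy." at seq 1000 and "hiding. Trust" at seq 1015 reports the disputed range starting at 1015 with "secrecy." as the winner and "hiding. " as the loser.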

Or instead you can tell honeyBadger to analyze the wire with Linux's AF_PACKET capture mode. You should first disable offloading (GSO, TSO and GRO), so that the capture sees the packets as they were actually on the wire rather than segments coalesced by the NIC and kernel:

sudo apt-get install ethtool
sudo ethtool -K eth0 gso off
sudo ethtool -K eth0 tso off
sudo ethtool -K eth0 gro off

And then run honeyBadger like this:

./honeyBadger -max_concurrent_connections=1000 -max_pcap_log_size=100 -max_pcap_rotations=10 \
-max_ring_packets=40 -metadata_attack_log=false -total_max_buffer=1000 -connection_max_buffer=100 \
-archive_dir=/home/user/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger/archive -log_packets \
-l=/home/user/gopath/src/github.com/david415/HoneyBadger/cmd/honeyBadger/incoming \
-i=eth0 -daq=AF_PACKET

2016/02/07 14:16:32 HoneyBadger: comprehensive TCP injection attack detection.
2016/02/07 14:16:32 PageCache: created 1024 new pages
2016/02/07 14:16:32 Starting AF_PACKET packet capture on interface eth0

Linux security note

If running on Linux you can avoid running as root by using the setcap command. Once you have run setcap as root like this, an unprivileged user can run the packet capture tool:

# setcap cap_net_raw,cap_net_admin=eip honeyBadger

BSD security note

When using the BSD_BPF sniffer, avoid running as root by making sure your user has read-write access to /dev/bpf*. If you are in the wheel group and the bpf devices are group-owned by wheel, then this should work:

# chmod g+rw /dev/bpf*

license

HoneyBadger is free software made available via the GPL3... except for small sections of code which are BSD licensed.

contact

  • email [email protected]
  • gpg key ID 0x836501BE9F27A723
  • gpg fingerprint F473 51BD 87AB 7FCF 6F88 80C9 8365 01BE 9F27 A723
