  • Stars: 657
  • Rank: 68,589 (Top 2 %)
  • Language: Dockerfile
  • License: GNU Affero Genera...
  • Created over 4 years ago
  • Updated over 1 year ago


Repository Details

19 customizable honeypots for monitoring network traffic, bot activity, and username/password credentials (DNS, HTTP Proxy, HTTP, HTTPS, SSH, POP3, IMAP, SMTP, RDP, VNC, SMB, SOCKS5, Redis, TELNET, Postgres, MySQL, MSSQL, Elastic and LDAP)

If you want to use the honeypots inside your own project, see the QeeqBox honeypots package

Chameleon is considered very effective. This is an active defense tool. The system simulates open, unprotected ports and takes on attempts to find vulnerabilities - by Dean Chester, Chief Editor of cooltechzone

Put a Honeypot in your life (Pon un Honeypot en tu vida) by Héctor Herrero, bujarra

[Screenshot: Grafana Interface]

[Screenshot: NMAP Scan]

[Screenshot: Credentials Monitoring]

General Features

  • Modular approach (honeypots run as standalone scripts or are imported as objects)
  • Most honeypots are real servers; only a few emulate the application-layer protocol
  • Servers can be configured with a username, password, and banner (the default username and password are both test)
  • ICMP, DNS, TCP, and UDP payloads are parsed and checked against common patterns
  • Grafana dashboards visualize the results (filter by IP; the default is all)
  • Unstructured and structured logs are parsed and inserted into Postgres
  • Every honeypot ships with a client for testing its server
  • All ports are opened and monitored by default
  • Easy to automate and can be deployed on an AWS EC2 instance
  • & more features to explore

Install and run

On Ubuntu 18 or 19 (test)

git clone https://github.com/qeeqbox/chameleon.git
cd chameleon
sudo chmod +x ./run.sh
sudo ./run.sh test

The Grafana interface at http://localhost:3000 opens automatically after initialization (username admin, password admin, which are Grafana's stock defaults; test mode only). If you don't see the Chameleon dashboard, click the search icon in the left bar and add it.

On Ubuntu 18 or 19 (deploy)

git clone https://github.com/qeeqbox/chameleon.git
cd chameleon
sudo chmod +x ./run.sh
sudo ./run.sh deploy

The Grafana interface at http://localhost:3000 opens automatically after initialization (username changeme457f6460cb287, password changemed23b8cc6a20e0). These values are published in this README, so change them before exposing the interface to anyone else. If you don't see the Chameleon dashboard, click the search icon in the left bar and add it.

Wait a few seconds until the honeypot container prints its IP address:

...
honeypot_1  | Your IP: 172.19.0.3
honeypot_1  | Your MAC: 09:45:aa:23:10:03
...

You can interact with the honeypot from your local system, for example:

ping 172.19.0.3

or run any network tool against it, for example:

nmap 172.19.0.3

Nested - Docker

sudo docker run -it --privileged -v /var/run/docker.sock:/var/run/docker.sock ubuntu:latest
git clone https://github.com/qeeqbox/chameleon.git
cd chameleon
sudo chmod +x ./run.sh
sudo ./run.sh test

Note that --privileged together with the bind-mounted /var/run/docker.sock hands the inner container control of the host's Docker daemon, which is effectively root on the host; use this layout only on a disposable machine.

Alternatively, import the non-blocking server you want as an object (for example the SSH server) using the honeypots package.


Raspberry Pi 3B+ (set up zram first to avoid lockups)

Requirements (servers only)

apt-get update -y && apt-get install -y iptables-persistent tcpdump nmap iputils-ping python python-pip python-psycopg2 lsof psmisc dnsutils
pip install scapy==2.4.4 netifaces==0.10.9 pyftpdlib==1.5.6 sqlalchemy==1.3.23 pyyaml==5.4.1 paramiko==2.7.1 impacket==0.9.22 twisted==20.3.0 psutil==5.8.0 requests==2.25.1 redis==3.5.3 mysql-connector-python==8.0.23 pygments==2.5.2
pip install -U requests[socks]
pip install -Iv rsa==4.0
pip install rdpy==1.3.2

Current Servers/Emulators

  • DNS (server using Twisted)
  • HTTP Proxy (server using Twisted)
  • HTTP (server using Twisted)
  • HTTPS (server using Twisted)
  • SSH (server using socket)
  • POP3 (server using Twisted)
  • IMAP (server using Twisted)
  • SMTP (server using smtpd)
  • RDP (server using Twisted)
  • SMB (server using impacket)
  • SOCKS5 (server using socketserver)
  • TELNET (server using Twisted)
  • VNC (emulator using Twisted)
  • Postgres (emulator using Twisted)
  • Redis (emulator using Twisted)
  • MySQL (emulator using Twisted)
  • Elasticsearch (emulator using http.server)
  • MSSQL (emulator using Twisted)
  • Oracle (coming)
  • LDAP (maybe)

Changes

  • 2020.V.01.05 added MySQL
  • 2020.V.01.04 added Redis
  • 2020.V.01.03 switched FTP servers to Twisted
  • 2020.V.01.02 switched HTTP and HTTPS servers to Twisted
  • 2020.V.01.02 fixed changing the IP in the Grafana interface

Resources

Twisted (documentation), Impacket (documentation), Grafana (documentation), Expert, Twisted, robertheaton

Other Licenses

By using this framework, you are accepting the license terms of all these packages: grafana, tcpdump, nmap, psycopg, dnsutils, scapy, netifaces, pyftpdlib, sqlalchemy, pyyaml, paramiko, impacket, rdpy, psutil, requests, FreeRDP, SMBClient, tigervnc

Disclaimer / Notes

  • Do not deploy without proper configuration
  • Set up security group rules and remove the default credentials
  • Almost all servers and emulators are stripped down; adjust them as needed
  • Please let me know if I missed a resource or dependency
