[
  {
    "path": ".gitignore",
    "content": ".DS_Store\n"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2023 Sheila A. Berta\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "# Honeypots Detection\nNuclei templates for honeypot detection.\n\nThis repository contains Nuclei templates to detect several well-known open-source honeypots, such as: ADBHoney, Conpot, Cowrie, Dionaea (multiple services), ElasticPot, Mailoney, Redis Honeypot, Snare, among others.\n\n## Usage\n\n1. Install Nuclei (https://github.com/projectdiscovery/nuclei#install-nuclei).\n2. Clone this repository:  \n   `git clone https://github.com/UnaPibaGeek/honeypots-detection.git`\n3. Move into the templates folder:  \n   `cd honeypots-detection/templates`\n4. Run the desired template as follows:  \n   `sudo nuclei -u {target_IP} -t ./{template_name}.yaml`\n\n## Example\n\n![example](https://github.com/UnaPibaGeek/honeypots-detection/blob/main/examples/example.png)\n\nFor a more detailed output it is possible to use the `-debug-resp` parameter:\n\n![example_debug](https://github.com/UnaPibaGeek/honeypots-detection/blob/main/examples/example_debug.png)\n\nThe requests will be sent to the honeypot's default port if none is specified.\n\nEach template matches on a response string that differs between the honeypot's default configuration and a real service, so a honeypot whose banners or error messages have been customised may not be detected.\n\n## Acknowledgements\n- Thank you [Project Discovery](https://github.com/projectdiscovery/nuclei) for such a great tool and contribution to our community.\n- These templates were developed while researching honeypots at [Dreamlab Technologies](https://www.dreamlab.net) for [CYOBS](https://www.cyobs.com).\n\nMade with ❤️ by [UnaPibaGeek](https://www.twitter.com/UnaPibaGeek).\n"
  },
  {
    "path": "templates/adbhoney-detection-cnxn.yaml",
    "content": "id: adbhoney-honeypot-detection\n\ninfo:\n  name: ADBHoney Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    An ADBHoney honeypot has been identified.\n    The response to the 'adb connect' command differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 4\n    vendor: android\n    product: adb\n  tags: adbhoney,android,adb,honeypot\n\ntcp:\n  - host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:5555\"\n    inputs:\n      - data: \"434e584e0100000100001000ea000000445b0000bcb1a7b1\" # CNXN\n        type: hex\n      - data: \"686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73\" # CLIENT INFO\n        type: hex\n\n    read-size: 1024\n    matchers:\n      - type: word\n        words:\n          - \"device::http://ro.product.name =starltexx;ro.product.model=SM-G960F\"\n"
  },
  {
    "path": "templates/adbhoney-detection-shell.yaml",
    "content": "id: adbhoney-honeypot-detection-shell\n\ninfo:\n  name: ADBHoney Honeypot Detection (shell probe)\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    An ADBHoney honeypot has been identified.\n    The response to the 'adb shell pwd' command differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 4\n    vendor: android\n    product: adb\n  tags: adbhoney,android,adb,honeypot\n\ntcp:\n  - host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:5555\"\n    inputs:\n      - data: \"434e584e0100000100001000ea000000445b0000bcb1a7b1\" # CNXN\n        type: hex\n      - data: \"686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73\" # CLIENT INFO\n        type: hex\n      - data: \"4f50454e6b000000000000000a0000009d030000b0afbab1\" # OPEN\n        type: hex\n      - data: \"7368656c6c3a70776400\" # SHELL: PWD\n        type: hex\n\n    read-size: 1024\n    matchers:\n      - type: binary\n        binary:\n          - \"57525445020000006b0000000000000000000000a8adabba\"\n"
  },
  {
    "path": "templates/cisco-asa-honeypot-detection.yaml",
    "content": "id: cisco-asa-honeypot-detection\n\ninfo:\n  name: Cisco ASA Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Cisco ASA honeypot has been identified.\n    The HTTP response reveals a possible setup of the Cisco ASA web application honeypot.\n  metadata:\n    max-request: 2\n    vendor: cisco\n    product: asa\n  tags: cisco,asa,honeypot\n\nhttp:\n  - method: GET\n    path:\n      - \"{{BaseURL}}/+CSCOE+/logon.html?fcadbadd=1\"\n      - \"{{BaseURL}}:8443/+CSCOE+/logon.html?fcadbadd=1\"\n\n    matchers-condition: and\n    matchers:\n      - type: status\n        status:\n          - 200\n\n      - type: word\n        part: body\n        words:\n          - '<input style=\"font-weight: bold; cursor: pointer;\" type=\"submit\" name=\"Login\" value=\"Logon\" />'\n"
  },
  {
    "path": "templates/citrix-honeypot-detection.yaml",
    "content": "id: citrix-honeypot-detection\n\ninfo:\n  name: Citrix Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Citrix honeypot has been identified.\n    The HTTP response reveals a possible setup of the Citrix web application honeypot.\n  metadata:\n    max-request: 2\n    vendor: citrix\n    product: citrix\n  tags: citrix,honeypot\n\nhttp:\n  - method: GET\n    path:\n      - \"{{BaseURL}}\"\n\n    matchers-condition: and\n    matchers:\n      - type: dsl\n        dsl:\n          - 'len(body)<2000'\n\n      - type: word\n        part: body\n        words:\n          - \"<title>Citrix Login</title>\"\n\n      - type: word\n        part: body\n        words:\n          - \"In order to use our services, you must agree to Citrix's Terms of Service.\"\n        negative: true\n"
  },
  {
    "path": "templates/conpot-siemens-honeypot-detection.yaml",
    "content": "id: conpot-siemens-honeypot-detection\n\ninfo:\n  name: Conpot (Siemens) Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Conpot (Siemens) honeypot has been identified.\n    The response to a first packet of a connection attempt differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 2\n    vendor: conpot\n    product: siemens\n  tags: conpot,siemens,honeypot\n\ntcp:\n  - host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:102\"\n    inputs:\n      - data: \"0300001611e00000000400c1020100c2020102c0010a\"\n        type: hex\n\n    read-size: 1024\n    matchers:\n      - type: binary\n        binary:\n          - \"030000130ed00000000000c1020000c2020000\"\n"
  },
  {
    "path": "templates/cowrie-ssh-honeypot-detection.yaml",
    "content": "id: cowrie-ssh-honeypot-detection\n\ninfo:\n  name: Cowrie SSH Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Cowrie (or Twisted) SSH honeypot has been identified.\n    The response to a wrong SSH version differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 2\n    vendor: cowrie\n    product: ssh\n  tags: cowrie,twisted,ssh,honeypot\n\ntcp:\n  - host:\n      - '{{Hostname}}'\n      - '{{Host}}:22'\n\n    inputs:\n      - data: \"SSH-1337-OpenSSH_9.0\\r\\n\"\n\n    matchers-condition: and\n    matchers:\n      - type: regex\n        part: body\n        regex:\n          - 'SSH\\-([0-9.-A-Za-z_ ]+)'\n\n      - type: word\n        words:\n          - Protocol major versions differ.\n          - bad version 1337\n        condition: or\n"
  },
  {
    "path": "templates/dionaea-ftp-honeypot-detection.yaml",
    "content": "id: dionaea-ftp-honeypot-detection\n\ninfo:\n  name: Dionaea FTP Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Dionaea FTP honeypot has been identified.\n    The response to the 'PASS' command differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 4\n    vendor: dionaea\n    product: ftp\n  tags: dionaea,ftp,honeypot\n\ntcp:\n  - host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:21\"\n    inputs:\n      - data: \"USER root\\r\\n\"\n        read: 1024\n      - data: \"PASS \\r\\n\"\n        read: 1024\n\n    read-size: 2048\n    matchers:\n      - type: word\n        words:\n          - \"500 Syntax error: PASS requires an argument\"\n"
  },
  {
    "path": "templates/dionaea-http-honeypot-detection.yaml",
    "content": "id: dionaea-http-honeypot-detection\n\ninfo:\n  name: Dionaea HTTP Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Dionaea HTTP honeypot has been identified.\n    The response to an incorrect HTTP method reveals a possible setup of the Dionaea web application honeypot.\n  metadata:\n    max-request: 2\n    vendor: dionaea\n    product: http\n  tags: dionaea,http,honeypot\n\nhttp:\n  - raw:\n      - |\n        AAAA / HTTP/1.1\n        Host: {{Hostname}}\n\n    matchers-condition: and\n    matchers:\n      - type: status\n        status:\n          - 501\n\n      - type: word\n        part: header\n        words:\n          - \"nginx\"\n\n      - type: word\n        part: body\n        words:\n          - '<?xml version=\"1.0\" encoding=\"ascii\"?>'\n"
  },
  {
    "path": "templates/dionaea-mongodb-honeypot-detection.yaml",
    "content": "id: dionaea-mongodb-honeypot-detection\n\ninfo:\n  name: Dionaea MongoDB Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Dionaea MongoDB honeypot has been identified.\n    The response to the 'buildinfo' command differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 2\n    vendor: dionaea\n    product: mongodb\n  tags: dionaea,mongodb,honeypot\n\ntcp:\n  - inputs:\n      - data: 3b0000003c300000ffffffffd40700000000000061646d696e2e24636d640000000000ffffffff14000000106275696c64696e666f000100000000\n        type: hex\n\n    host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:27017\"\n    read-size: 2048\n\n    matchers:\n      - type: word\n        part: raw\n        words:\n          - \"version\"\n        negative: true\n\n    extractors:\n      - type: regex\n        regex:\n          - \"([A-Za-z:0-9.]+)\"\n"
  },
  {
    "path": "templates/dionaea-mqtt-honeypot-detection.yaml",
    "content": "id: dionaea-mqtt-honeypot-detection\n\ninfo:\n  name: Dionaea MQTT Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Dionaea MQTT honeypot has been identified.\n    The response to an MQTTv5 packet differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 2\n    vendor: dionaea\n    product: mqtt\n  tags: dionaea,mqtt,honeypot\n\ntcp:\n  - host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:1883\"\n    inputs:\n      - data: \"101000044d5154540502003c032100140000\"\n        type: hex\n\n    read-size: 1024\n    matchers:\n      - type: binary\n        binary:\n          - \"20020000\"\n"
  },
  {
    "path": "templates/dionaea-mysql-honeypot-detect.yaml",
    "content": "id: dionaea-mysql-honeypot-detection\n\ninfo:\n  name: Dionaea MySQL Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A MySQL honeypot has been identified.\n    The response to a connection command differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 2\n    vendor: dionaea\n    product: mysql\n  tags: dionaea,mysql,honeypot\n\ntcp:\n  - inputs:\n      - data: \"\\x4a\\x00\\x00\\x00\\x0a\\x35\\x2e\\x31\\x2e\\x32\\x39\\x00\\x0b\\x00\\x00\\x00\\x21\\x3e\\x34\\x1b\\x51\\x3f\\x34\\x33\\x60\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n    host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:3306\"\n    read-size: 1024\n\n    matchers-condition: and\n    matchers:\n      - type: word\n        words:\n          - \"5.7.16\"\n\n      - type: word\n        words:\n          - \"aaaaaaaa\"\n"
  },
  {
    "path": "templates/dionaea-smb-honeypot-detection.yaml",
    "content": "id: dionaea-smb-honeypot-detection\n\ninfo:\n  name: Dionaea SMB Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Dionaea SMB honeypot has been identified.\n    The response to an SMB connection packet differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 2\n    vendor: dionaea\n    product: smb\n  tags: dionaea,smb,honeypot\n\ntcp:\n  - host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:445\"\n    inputs:\n      - data: \"00000045ff534d4272000000000801c8000000000000000000000000ffff0100ffff0000002200024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00\"\n        type: hex\n\n    read-size: 1024\n    matchers:\n      - type: binary\n        binary:\n          - \"6538547e6c42\"\n"
  },
  {
    "path": "templates/elasticpot-honeypot-detection.yaml",
    "content": "id: elasticpot-honeypot-detection\n\ninfo:\n  name: ElasticPot Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    An ElasticPot (Elasticsearch) honeypot has been identified.\n    The response to a '_cluster/settings' request differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 2\n    vendor: ElasticPot\n    product: Elasticsearch\n  tags: elasticpot,elasticsearch,honeypot\n\nhttp:\n  - method: GET\n    path:\n      - \"{{BaseURL}}:9200/_cluster/settings\"\n\n    matchers:\n      - type: word\n        part: body\n        words:\n          - 'index_not_found_exception'\n"
  },
  {
    "path": "templates/gaspot-honeypot-detection.yaml",
    "content": "id: gaspot-honeypot-detection\n\ninfo:\n  name: GasPot Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A GasPot honeypot has been identified.\n    The response to the '^AI21400' command differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 2\n    vendor: gaspot\n    product: veeder-root\n  tags: gaspot,veeder-root,ics,honeypot\n\ntcp:\n  - host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:10001\"\n    inputs:\n      - data: \"^AI21400\"\n\n    read-size: 1024\n    matchers:\n      - type: word\n        words:\n          - \"9999FF1B\"\n"
  },
  {
    "path": "templates/mailoney-honeypot-detection.yaml",
    "content": "id: mailoney-honeypot-detection\n\ninfo:\n  name: Mailoney Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Mailoney (SMTP) honeypot has been identified.\n    The response to the 'HELP' command differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 2\n    vendor: mailoney\n    product: exim\n  tags: mailoney,exim,smtp,honeypot\n\ntcp:\n  - host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:25\"\n    inputs:\n      - data: \"HELP\\r\\n\"\n        read: 1024\n\n    read-size: 1024\n    matchers:\n      - type: word\n        words:\n          - \"502 Error: command \\\"HELP\\\" not implemented\"\n"
  },
  {
    "path": "templates/redis-honeypot-detection.yaml",
    "content": "id: redis-honeypot-detection\n\ninfo:\n  name: Redis Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Redis honeypot has been identified.\n    The response to the 'QUIT' command differs from real installations, signaling a possible deceptive setup.\n  metadata:\n    max-request: 2\n    vendor: redis\n    product: redis\n  tags: redis,honeypot\n\ntcp:\n  - host:\n      - \"{{Hostname}}\"\n      - \"{{Host}}:6379\"\n    inputs:\n      - data: \"QUIT\"\n\n    read-size: 1024\n    matchers:\n      - type: word\n        words:\n          - \"-ERR unknown command `QUIT`, with args beginning with:\"\n"
  },
  {
    "path": "templates/snare-honeypot-detection.yaml",
    "content": "id: snare-honeypot-detection\n\ninfo:\n  name: Snare Honeypot Detection\n  author: UnaPibaGeek\n  severity: info\n  description: |\n    A Snare honeypot has been identified.\n    The response to an incorrect HTTP version reveals a possible setup of the Snare web application honeypot.\n  metadata:\n    max-request: 2\n    vendor: snare\n    product: http\n  tags: snare,http,honeypot\n\nhttp:\n  - raw:\n      - |\n        GET / HTTP/1337\n        Host: {{Hostname}}\n\n    matchers-condition: or\n    matchers:\n      - type: word\n        part: header\n        words:\n          - \"Python/3.10 aiohttp/3.8.3\"\n\n      - type: word\n        part: body\n        words:\n          - \"Bad status line 'Expected dot'\"\n"
  }
]
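The TCP templates above all follow one pattern: open a socket to the service port, send a fixed payload, read up to `read-size` bytes and apply a word, regex or binary matcher to the reply. As an added example that is not part of this repository, the Python script below re-implements three of those probes (the Redis `QUIT`, Mailoney `HELP` and Cowrie bad-SSH-version templates) without Nuclei, so the matcher logic can be inspected and unit-tested. The `PROBES`, `SAMPLES`, `run_probe`, `detect`, `start_responder` and `demo` names are this example's own; the responders are constructed local stand-ins that replay canned honeypot-like and genuine-looking replies, not real honeypots or real services.

```python
import re
import socket
import threading

# Probe definitions transcribed from the redis, mailoney and cowrie templates:
# the bytes each template sends and the matcher it applies to the reply.
PROBES = {
    "redis-honeypot-detection": {
        "payload": b"QUIT",
        "match": lambda r: b"-ERR unknown command `QUIT`, with args beginning with:" in r,
    },
    "mailoney-honeypot-detection": {
        "payload": b"HELP\r\n",
        "match": lambda r: b'502 Error: command "HELP" not implemented' in r,
    },
    "cowrie-ssh-honeypot-detection": {
        "payload": b"SSH-1337-OpenSSH_9.0\r\n",
        # matchers-condition: and -> a version banner must be present AND one of the two error strings
        "match": lambda r: re.search(rb"SSH-[0-9.A-Za-z_ -]+", r) is not None
        and (b"Protocol major versions differ." in r or b"bad version 1337" in r),
    },
}


def run_probe(host, port, payload, read_size=1024, timeout=3.0):
    """Send one payload and collect up to read_size bytes (the template's read-size)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        buf = b""
        try:
            while len(buf) < read_size:
                chunk = s.recv(read_size - len(buf))
                if not chunk:  # peer closed the socket, e.g. sshd after a bad version line
                    break
                buf += chunk
        except socket.timeout:
            pass  # service kept the socket open; match on what was received so far
        return buf


def detect(host, port, template_id):
    """Return (matched, raw_response) for one template against one host:port."""
    spec = PROBES[template_id]
    resp = run_probe(host, port, spec["payload"])
    return spec["match"](resp), resp


def start_responder(banner, reply):
    """Constructed stand-in for a service: send an optional banner, read one request,
    send a canned reply and close. It only replays bytes; it is not a honeypot or daemon."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            conn.recv(1024)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


# Constructed sample replies: the first pair mimics the string each template matches on,
# the second pair mimics what a genuine service typically answers instead.
SAMPLES = {
    "redis-honeypot-detection": (
        (b"", b"-ERR unknown command `QUIT`, with args beginning with: \r\n"),
        (b"", b"+OK\r\n"),
    ),
    "mailoney-honeypot-detection": (
        (b"220 mail ESMTP Exim\r\n", b'502 Error: command "HELP" not implemented\r\n'),
        (b"220 mail ESMTP Exim\r\n", b"214-Commands supported:\r\n214 AUTH HELO EHLO MAIL RCPT DATA QUIT\r\n"),
    ),
    "cowrie-ssh-honeypot-detection": (
        (b"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2\r\n", b"Protocol major versions differ.\r\n"),
        (b"SSH-2.0-OpenSSH_9.0\r\n", b"Invalid SSH identification string.\r\n"),
    ),
}


def demo():
    """Run every probe against both responders; returns {template_id: (honeypot_hit, genuine_hit)}."""
    results = {}
    for template_id, (honeypot, genuine) in SAMPLES.items():
        hits = []
        for banner, reply in (honeypot, genuine):
            port = start_responder(banner, reply)
            matched, _ = detect("127.0.0.1", port, template_id)
            hits.append(matched)
        results[template_id] = tuple(hits)
    return results


if __name__ == "__main__":
    for template_id, (hp, real) in demo().items():
        print(f"{template_id}: honeypot sample -> {hp}, genuine sample -> {real}")
```

Pointing `detect()` at a real host instead of the stand-in reproduces the template's result for that one probe; the 3-second timeout in `run_probe` is what ends the read when a service (a real Redis, for instance) answers but keeps the connection open, which is the case the templates' `read-size` bound also has to cover.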