Repository: UnaPibaGeek/honeypots-detection
Branch: main
Commit: b2a194f8fccd
Files: 20
Total size: 15.4 KB

Directory structure:
gitextract_juuft8tj/
├── .gitignore
├── LICENSE
├── README.md
└── templates/
    ├── adbhoney-detection-cnxn.yaml
    ├── adbhoney-detection-shell.yaml
    ├── cisco-asa-honeypot-detection.yaml
    ├── citrix-honeypot-detection.yaml
    ├── conpot-siemens-honeypot-detection.yaml
    ├── cowrie-ssh-honeypot-detection.yaml
    ├── dionaea-ftp-honeypot-detection.yaml
    ├── dionaea-http-honeypot-detection.yaml
    ├── dionaea-mongodb-honeypot-detection.yaml
    ├── dionaea-mqtt-honeypot-detection.yaml
    ├── dionaea-mysql-honeypot-detect.yaml
    ├── dionaea-smb-honeypot-detection.yaml
    ├── elasticpot-honeypot-detection.yaml
    ├── gaspot-honeypot-detection.yaml
    ├── mailoney-honeypot-detection.yaml
    ├── redis-honeypot-detection.yaml
    └── snare-honeypot-detection.yaml

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitignore
================================================
.DS_Store

================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2023 Sheila A. Berta

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

================================================
FILE: README.md
================================================
# Honeypots Detection

Nuclei templates for honeypot detection.

This repository contains Nuclei templates to detect several well-known open-source honeypots, such as: ADBHoney, Conpot, Cowrie, Dionaea (multiple services), ElasticPot, Mailoney, Redis Honeypot, Snare, among others.

## Usage

1. Install Nuclei (https://github.com/projectdiscovery/nuclei#install-nuclei).
2. Clone this repository: `git clone https://github.com/UnaPibaGeek/honeypots-detection.git`
3. Move into the templates folder: `cd honeypots-detection/templates`
4. Run the desired template as follows: `sudo nuclei -u {target_IP} -t ./{template_name}.yaml`

## Example

![example](https://github.com/UnaPibaGeek/honeypots-detection/blob/main/examples/example.png)

For more detailed output, use the `-debug-resp` parameter:

![example_debug](https://github.com/UnaPibaGeek/honeypots-detection/blob/main/examples/example_debug.png)

If no port is specified, the requests are sent to the honeypot's default port.

## Acknowledgements

- Thank you [Project Discovery](https://github.com/projectdiscovery/nuclei) for such a great tool and contribution to our community.
- These templates were developed while researching honeypots at [Dreamlab Technologies](www.dreamlab.net) for [CYOBS](www.cyobs.com).

Made with ❤️ by [UnaPibaGeek](https://www.twitter.com/UnaPibaGeek).

================================================
FILE: templates/adbhoney-detection-cnxn.yaml
================================================
id: adbhoney-honeypot-detection

info:
  name: ADBHoney Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    ADBHoney honeypot has been identified.
    The response to the 'adb connect' command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 4
    vendor: android
    product: adb
  tags: adbhoney,android,adb,honeypot

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:5555"

    inputs:
      - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN
        type: hex
      - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO
        type: hex

    read-size: 1024

    matchers:
      - type: word
        words:
          - "device::http://ro.product.name =starltexx;ro.product.model=SM-G960F"

================================================
FILE: templates/adbhoney-detection-shell.yaml
================================================
id: adbhoney-honeypot-detection-shell

info:
  name: ADBHoney Honeypot Detection (shell probe)
  author: UnaPibaGeek
  severity: info
  description: |
    ADBHoney honeypot has been identified.
    The response to the 'adb shell pwd' command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 4
    vendor: android
    product: adb
  tags: adbhoney,android,adb,honeypot

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:5555"

    inputs:
      - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN
        type: hex
      - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO
        type: hex
      - data: "4f50454e6b000000000000000a0000009d030000b0afbab1" # OPEN
        type: hex
      - data: "7368656c6c3a70776400" # SHELL: PWD
        type: hex

    read-size: 1024

    matchers:
      - type: binary
        binary:
          - "57525445020000006b0000000000000000000000a8adabba"

================================================
FILE: templates/cisco-asa-honeypot-detection.yaml
================================================
id: cisco-asa-honeypot-detection

info:
  name: Cisco ASA Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A Cisco ASA honeypot has been identified.
    The HTTP response reveals a possible setup of the Cisco ASA web application honeypot.
  metadata:
    max-request: 2
    vendor: cisco
    product: asa
  tags: cisco,asa,honeypot

http:
  - method: GET
    path:
      - "{{BaseURL}}/+CSCOE+/logon.html?fcadbadd=1"
      - "{{BaseURL}}:8443/+CSCOE+/logon.html?fcadbadd=1"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - ''

================================================
FILE: templates/citrix-honeypot-detection.yaml
================================================
id: citrix-honeypot-detection

info:
  name: Citrix Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A Citrix honeypot has been identified.
    The HTTP response reveals a possible setup of the Citrix web application honeypot.
  metadata:
    max-request: 2
    vendor: citrix
    product: citrix
  tags: citrix,honeypot

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'len(body)<2000'

      - type: word
        part: body
        words:
          - "Citrix Login"

      - type: word
        part: body
        words:
          - "In order to use our services, you must agree to Citrix's Terms of Service."
        negative: true

================================================
FILE: templates/conpot-siemens-honeypot-detection.yaml
================================================
id: conpot-siemens-honeypot-detection

info:
  name: Conpot (Siemens) Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A Conpot (Siemens) honeypot has been identified.
    The response to a first packet of a connection attempt differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
    vendor: conpot
    product: siemens
  tags: conpot,siemens,honeypot

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:102"

    inputs:
      - data: "0300001611e00000000400c1020100c2020102c0010a"
        type: hex

    read-size: 1024

    matchers:
      - type: binary
        binary:
          - "030000130ed00000000000c1020000c2020000"

================================================
FILE: templates/cowrie-ssh-honeypot-detection.yaml
================================================
id: cowrie-ssh-honeypot-detection

info:
  name: Cowrie SSH Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A Cowrie (or Twisted) SSH honeypot has been identified.
    The response to a wrong SSH version differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
    vendor: cowrie
    product: ssh
  tags: cowrie,twisted,ssh,honeypot

tcp:
  - host:
      - '{{Hostname}}'
      - '{{Host}}:22'

    inputs:
      - data: "SSH-1337-OpenSSH_9.0\r\n"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'SSH\-([0-9.-A-Za-z_ ]+)'

      - type: word
        words:
          - Protocol major versions differ.
          - bad version 1337
        condition: or

================================================
FILE: templates/dionaea-ftp-honeypot-detection.yaml
================================================
id: dionaea-ftp-honeypot-detection

info:
  name: Dionaea FTP Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A Dionaea FTP honeypot has been identified.
    The response to the 'PASS' command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 4
    vendor: dionaea
    product: ftp
  tags: dionaea,ftp,honeypot

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:21"

    inputs:
      - data: "USER root\r\n"
        read: 1024
      - data: "PASS \r\n"
        read: 1024

    read-size: 2048

    matchers:
      - type: word
        words:
          - "500 Syntax error: PASS requires an argument"

================================================
FILE: templates/dionaea-http-honeypot-detection.yaml
================================================
id: dionaea-http-honeypot-detection

info:
  name: Dionaea HTTP Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    Dionaea HTTP honeypot has been identified.
    The response to an incorrect HTTP method reveals a possible setup of the Dionaea web application honeypot.
  metadata:
    max-request: 2
    vendor: dionaea
    product: http
  tags: dionaea,http,honeypot

http:
  - raw:
      - |
        AAAA / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 501

      - type: word
        part: header
        words:
          - "nginx"

      - type: word
        part: body
        words:
          - ''

================================================
FILE: templates/dionaea-mongodb-honeypot-detection.yaml
================================================
id: dionaea-mongodb-honeypot-detection

info:
  name: Dionaea MongoDB Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A MongoDB honeypot has been identified.
    The response to the 'buildinfo' command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
    product: dionaea
    vendor: mongodb
  tags: dionaea,mongodb,honeypot

tcp:
  - inputs:
      - data: 3b0000003c300000ffffffffd40700000000000061646d696e2e24636d640000000000ffffffff14000000106275696c64696e666f000100000000
        type: hex

    host:
      - "{{Hostname}}"
      - "{{Host}}:27017"

    read-size: 2048

    matchers:
      - type: word
        part: raw
        words:
          - "version"
        negative: true

    extractors:
      - type: regex
        regex:
          - "([A-Za-z:0-9.]+)"

================================================
FILE: templates/dionaea-mqtt-honeypot-detection.yaml
================================================
id: dionaea-mqtt-honeypot-detection

info:
  name: Dionaea MQTT Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A Dionaea MQTT honeypot has been identified.
    The response to an MQTTv5 packet differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
    vendor: dionaea
    product: mqtt
  tags: dionaea,mqtt,honeypot

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:1883"

    inputs:
      - data: "101000044d5154540502003c032100140000"
        type: hex

    read-size: 1024

    matchers:
      - type: binary
        binary:
          - "20020000"

================================================
FILE: templates/dionaea-mysql-honeypot-detect.yaml
================================================
id: dionaea-mysql-honeypot-detection

info:
  name: Dionaea MySQL Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A MySQL honeypot has been identified.
    The response to a connection command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
    vendor: dionaea
    product: mysql
  tags: dionaea,mysql,honeypot

tcp:
  - inputs:
      - data: "\x4a\x00\x00\x00\x0a\x35\x2e\x31\x2e\x32\x39\x00\x0b\x00\x00\x00\x21\x3e\x34\x1b\x51\x3f\x34\x33\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

    host:
      - "{{Hostname}}"
      - "{{Host}}:3306"

    read-size: 1024

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "5.7.16"

      - type: word
        words:
          - "aaaaaaaa"

================================================
FILE: templates/dionaea-smb-honeypot-detection.yaml
================================================
id: dionaea-smb-honeypot-detection

info:
  name: Dionaea SMB Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A Dionaea SMB honeypot has been identified.
    The response to an SMB connection packet differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
    vendor: dionaea
    product: dionaea
  tags: dionaea,smb,honeypot

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:445"

    inputs:
      - data: "00000045ff534d4272000000000801c8000000000000000000000000ffff0100ffff0000002200024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00"
        type: hex

    read-size: 1024

    matchers:
      - type: binary
        binary:
          - "6538547e6c42"

================================================
FILE: templates/elasticpot-honeypot-detection.yaml
================================================
id: elasticpot-honeypot-detection

info:
  name: ElasticPot Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    An ElasticPot (Elasticsearch) honeypot has been identified.
    The response to a '_cluster/settings' request differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
    vendor: ElasticPot
    product: Elasticsearch
  tags: elasticpot,elasticsearch,honeypot

http:
  - method: GET
    path:
      - "{{BaseURL}}:9200/_cluster/settings"

    matchers:
      - type: word
        part: body
        words:
          - 'index_not_found_exception'

================================================
FILE: templates/gaspot-honeypot-detection.yaml
================================================
id: gaspot-honeypot-detection

info:
  name: GasPot Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A GasPot honeypot has been identified.
    The response to the '^AI21400' command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
    vendor: gaspot
    product: veeder-root
  tags: gaspot,veeder-root,ics,honeypot

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:10001"

    inputs:
      - data: "^AI21400"

    read-size: 1024

    matchers:
      - type: word
        words:
          - "9999FF1B"

================================================
FILE: templates/mailoney-honeypot-detection.yaml
================================================
id: mailoney-honeypot-detection

info:
  name: Mailoney Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A Mailoney (SMTP) honeypot has been identified.
    The response to the 'HELP' command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
    vendor: mailoney
    product: exim
  tags: mailoney,exim,smtp,honeypot

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:25"

    inputs:
      - data: "HELP\r\n"
        read: 1024

    read-size: 1024

    matchers:
      - type: word
        words:
          - "502 Error: command \"HELP\" not implemented"

================================================
FILE: templates/redis-honeypot-detection.yaml
================================================
id: redis-honeypot-detection

info:
  name: Redis Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    A Redis honeypot has been identified.
    The response to the 'QUIT' command differs from real installations, signaling a possible deceptive setup.
  metadata:
    max-request: 2
    vendor: redis
    product: redis
  tags: redis,honeypot

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:6379"

    inputs:
      - data: "QUIT"

    read-size: 1024

    matchers:
      - type: word
        words:
          - "-ERR unknown command `QUIT`, with args beginning with:"

================================================
FILE: templates/snare-honeypot-detection.yaml
================================================
id: snare-honeypot-detection

info:
  name: Snare Honeypot Detection
  author: UnaPibaGeek
  severity: info
  description: |
    Snare honeypot has been identified.
    The response to an incorrect HTTP version reveals a possible setup of the Snare web application honeypot.
  metadata:
    max-request: 2
    vendor: snare
    product: http
  tags: snare,http,honeypot

http:
  - raw:
      - |
        GET / HTTP/1337
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      - type: word
        part: header
        words:
          - "Python/3.10 aiohttp/3.8.3"

      - type: word
        part: body
        words:
          - "Bad status line 'Expected dot'"
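Every template above ends in a `matchers` section, and the interesting decisions (the `and`/`or` between matchers, the `condition: or` inside a word matcher, the `negative: true` on the Citrix terms-of-service string, the `len(body)<2000` DSL check) are what decide whether a response is flagged. The following evaluator is an added example written for this page; it is not part of the repository and not Nuclei's own code. It re-implements only the matcher features these templates use and replays constructed sample responses (not real captures) against the matcher sections of `cowrie-ssh-honeypot-detection.yaml`, `citrix-honeypot-detection.yaml` and `dionaea-mqtt-honeypot-detection.yaml`, so a honeypot operator can see which of their emulated responses would be fingerprinted before exposing a sensor.

```python
"""Offline evaluator for the matcher sections of the Nuclei templates above.
Added example, not part of this repository or of Nuclei itself: it replays a
captured (here: constructed) response against a template's matchers so a
honeypot operator can check whether a deployment would be fingerprinted
without running Nuclei. It covers only what these templates use: word, regex,
binary, status, the dsl expression len(body)<N, per-matcher 'condition' and
'negative', and the template-level matchers-condition."""
import re


def _combine(results, condition):
    """Nuclei joins the values of one matcher with 'or' unless condition: and."""
    return all(results) if condition == "and" else any(results)


def _eval_dsl(expr, body):
    # Only the 'len(body)<N' form used by citrix-honeypot-detection.yaml is supported.
    mo = re.fullmatch(r"len\(body\)<(\d+)", expr.strip())
    if mo is None:
        raise ValueError(f"unsupported dsl expression: {expr!r}")
    return len(body) < int(mo.group(1))


def eval_matcher(m, response):
    """response: dict with 'body' (bytes) and optional 'header' (str) and 'status' (int)."""
    body = response.get("body", b"")
    text = body.decode("latin-1")
    cond = m.get("condition", "or")
    kind = m["type"]
    if kind == "word":
        # part: header looks at the headers; part: body, part: raw and no part all use the body here.
        haystack = response.get("header", "") if m.get("part") == "header" else text
        result = _combine([w in haystack for w in m["words"]], cond)
    elif kind == "regex":
        result = _combine([re.search(r, text) is not None for r in m["regex"]], cond)
    elif kind == "binary":
        result = _combine([bytes.fromhex(h) in body for h in m["binary"]], cond)
    elif kind == "status":
        result = response.get("status") in m["status"]
    elif kind == "dsl":
        result = _combine([_eval_dsl(e, body) for e in m["dsl"]], cond)
    else:
        raise ValueError(f"unsupported matcher type: {kind}")
    return (not result) if m.get("negative") else result


def template_matches(template, response):
    results = [eval_matcher(m, response) for m in template["matchers"]]
    return _combine(results, template.get("matchers-condition", "or"))


# Matcher sections transcribed from three of the templates (requests omitted).
COWRIE_SSH = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "regex", "part": "body", "regex": [r"SSH\-([0-9.-A-Za-z_ ]+)"]},
        {"type": "word", "condition": "or",
         "words": ["Protocol major versions differ.", "bad version 1337"]},
    ],
}
CITRIX = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "dsl", "dsl": ["len(body)<2000"]},
        {"type": "word", "part": "body", "words": ["Citrix Login"]},
        {"type": "word", "part": "body", "negative": True,
         "words": ["In order to use our services, you must agree to Citrix's Terms of Service."]},
    ],
}
DIONAEA_MQTT = {"matchers": [{"type": "binary", "binary": ["20020000"]}]}

TEMPLATES = {"cowrie": COWRIE_SSH, "citrix": CITRIX, "mqtt": DIONAEA_MQTT}

# Constructed sample responses, not captures from real systems.
SAMPLES = {
    "ssh_banner_then_bad_version": {"body": b"SSH-2.0-OpenSSH_6.0p1\r\nbad version 1337\r\n"},
    "ssh_banner_only": {"body": b"SSH-2.0-OpenSSH_9.0\r\n"},
    "small_citrix_login_page": {"status": 200, "body": b"<html><title>Citrix Login</title></html>"},
    "citrix_login_page_with_tos": {"status": 200, "body": (
        b"<html><title>Citrix Login</title><p>In order to use our services, "
        b"you must agree to Citrix's Terms of Service.</p></html>")},
    "mqtt_connack": {"body": bytes.fromhex("20020000")},
}


def run_samples():
    """Map each sample name to {template name: matched?}."""
    return {name: {t: template_matches(tpl, resp) for t, tpl in TEMPLATES.items()}
            for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in run_samples().items():
        flagged = [t for t, hit in verdicts.items() if hit] or ["none"]
        print(f"{name}: fingerprinted by {', '.join(flagged)}")
```

The two Citrix samples show why the `negative: true` matcher matters: the same small page with the "Citrix Login" title is flagged until the terms-of-service sentence appears, at which point the negated matcher fails and the `and` condition drops the detection. An operator who wants to keep a sensor below this signature can use the evaluator to confirm which of the three matchers is the one tripping.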
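The two ADBHoney templates (`adbhoney-detection-cnxn.yaml` and `adbhoney-detection-shell.yaml`) carry their probes and the fingerprinted reply as opaque hex, which hides what is actually being compared. The decoder below is an added example written for this page, not code from the repository: it unpacks the ADB message header (six little-endian uint32 fields: command, arg0, arg1, data_length, data_check, magic, where data_check is the byte sum of the payload and magic is command XOR 0xffffffff) and verifies each field against the hex constants copied from the templates. Running it shows that the CNXN probe is a 234-byte `host::features=...` client banner, the OPEN probe carries `shell:pwd\0` with local-id 0x6b, and the binary matcher in the shell template is a bare WRTE header with data_length 0 whose arg1 echoes that local-id, so an operator can see exactly which 24 bytes of their emulator's reply are the signature.

```python
"""Decoder for the raw ADB messages that adbhoney-detection-cnxn.yaml and
adbhoney-detection-shell.yaml send and match on. Added example, not part of
the repository. The ADB wire format is a 24-byte header of six little-endian
uint32 fields (command, arg0, arg1, data_length, data_check, magic) followed by
data_length payload bytes; data_check is the byte sum of the payload and magic
is command XOR 0xffffffff. The hex constants are copied from the templates."""
import struct

ADB_HEADER = struct.Struct("<6I")

# CNXN probe: header and client-info payload from adbhoney-detection-cnxn.yaml,
# split at token boundaries (decoded ASCII in the comments).
CNXN_HEADER = "434e584e0100000100001000ea000000445b0000bcb1a7b1"
CNXN_PAYLOAD = "".join((
    "686f73743a3a66656174757265733d",                              # host::features=
    "7368656c6c5f76322c",                                          # shell_v2,
    "636d642c",                                                    # cmd,
    "737461745f76322c",                                            # stat_v2,
    "6c735f76322c",                                                # ls_v2,
    "66697865645f707573685f6d6b6469722c",                          # fixed_push_mkdir,
    "617065782c",                                                  # apex,
    "6162622c",                                                    # abb,
    "66697865645f707573685f73796d6c696e6b5f74696d657374616d702c",  # fixed_push_symlink_timestamp,
    "6162625f657865632c",                                          # abb_exec,
    "72656d6f756e745f7368656c6c2c",                                # remount_shell,
    "747261636b5f6170702c",                                        # track_app,
    "73656e64726563765f76322c",                                    # sendrecv_v2,
    "73656e64726563765f76325f62726f746c692c",                      # sendrecv_v2_brotli,
    "73656e64726563765f76325f6c7a342c",                            # sendrecv_v2_lz4,
    "73656e64726563765f76325f7a7374642c",                          # sendrecv_v2_zstd,
    "73656e64726563765f76325f6472795f72756e5f73656e642c",          # sendrecv_v2_dry_run_send,
    "6f70656e73637265656e5f6d646e73",                              # openscreen_mdns
))
# OPEN probe and the WRTE header that the shell template's binary matcher expects.
OPEN_HEADER = "4f50454e6b000000000000000a0000009d030000b0afbab1"
OPEN_PAYLOAD = "7368656c6c3a70776400"  # shell:pwd\0
WRTE_FINGERPRINT = "57525445020000006b0000000000000000000000a8adabba"


def parse_adb_message(header_hex, payload_hex=""):
    """Decode one ADB message and check its length, checksum and magic fields."""
    command, arg0, arg1, data_length, data_check, magic = ADB_HEADER.unpack(bytes.fromhex(header_hex))
    payload = bytes.fromhex(payload_hex)
    return {
        "command": command.to_bytes(4, "little").decode("ascii"),
        "arg0": arg0,
        "arg1": arg1,
        "data_length": data_length,
        "payload": payload,
        "length_ok": data_length == len(payload),
        "checksum_ok": data_check == (sum(payload) & 0xFFFFFFFF),
        "magic_ok": magic == (command ^ 0xFFFFFFFF),
    }


def decode_template_messages():
    """Decode the two probes and the expected reply used by the ADBHoney templates."""
    return {
        "cnxn_probe": parse_adb_message(CNXN_HEADER, CNXN_PAYLOAD),
        "open_probe": parse_adb_message(OPEN_HEADER, OPEN_PAYLOAD),
        "wrte_fingerprint": parse_adb_message(WRTE_FINGERPRINT),
    }


if __name__ == "__main__":
    for name, msg in decode_template_messages().items():
        print(f"{name}: {msg['command']} arg0={msg['arg0']:#x} arg1={msg['arg1']:#x} "
              f"len={msg['data_length']} payload={msg['payload'][:40]!r} "
              f"length_ok={msg['length_ok']} checksum_ok={msg['checksum_ok']} "
              f"magic_ok={msg['magic_ok']}")
```

All three messages decode with consistent length, checksum and magic fields, which is what makes the probes valid ADB traffic rather than random bytes. The WRTE fingerprint has arg0 2, arg1 0x6b and an empty payload; the template matches that header byte-for-byte, so any change in how an emulator assigns stream ids or frames its first write changes the signature.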