HoneyPoke is a Python Go application that shows you what attackers are poking around with. It sets up listeners on certain ports and records whatever is sent to it.
This information can be logged to different places, the currently supported outputs are:
- ElasticSearch 6
- ElasticSearch 7
- ElasticSearch 8
I'm not planning to support it anymore, I had too much trouble with memory leaks. Hopefully, in the long run, the new Go version will handle things better.
You can see the old code here: https://github.com/bocajspear1/honeypoke
A full tutorial on installing HoneyPoke and using it with ElasticSeach and Kibana is available in the wiki.
- Install the libpcap dev libraries (
libpcap-dev). - Change the port your SSH server is listening on so you can place a HoneyPoke listener there instead.
- Have Go >=1.13
- Download the GeoLite IP database from MaxMinds. Requires free account.
- Clone or download this repo
- Build using
make
- Copy
config.json.defaulttoconfig.jsonModify the config file.recrodersenables and disables recorders. This done with theenabledkey under the respective loggers. Some may need extra configuation, which is in theconfigkey.- The
udp_portskey sets the UDP listeners that you will be creating. Its just a list of ports. - The
tcp_portskey sets the TCP listeners that you will be creating. It has theportkey for the port andsslas a boolean to indicate if the listener should use SSL (See SSL Connections below for more details)config.json.samplecontains a sample list of ports. ignore_tcp_portsis used ignore TCP ports. This is useful for things like ElasticSearch and SSH so that these connections are not recorded as missing ports.interfaceis used by the missed port watcher to indicate what interface to listen on.useris the user you want the script to drop privileges to.groupis the group you want the script to drop privileges to.
- Run HoneyPoke with
./honeypoke
Note: Be sure you have nothing listening on the selected ports, or else HoneyPoke will not fully start.
Note: HoneyPoke is run using sudo (aka root). It will drop privileges though, and it will not process any connections until permissions are dropped. The script should report when privileges are dropped.
By setting the ssl key to true, the port will expect SSL connections. This means the socket will ignore non-SSL connections. Invalid SSL connections will produce a blank input, so only enable SSL on ports that are expected to SSL, such as 443.
SSL expects two files, the key in honeypoke_key.pem and the cert in honeypoke_cert.pem. Both should be created by the prepare.sh script.
You can manually create a self-signed cert with the following command:
openssl req -new -x509 -days 365 -nodes -out honeypoke_cert.pem -keyout honeypoke_key.pem
Binary data is converted into the Python/Golang bytes format ('\x00'). This ensures the data is stored safely, but also keeps strings in the binary readable. For small binary data (<4096 bytes), HoneyPoke will send the data as is to the output. If the data is larger than 4096 bytes, HoneyPoke will store the output into a file in the large directory and the location to the file is logged instead of the entire contents.
See here if you want to load the Python bytes format for manipulation or conversion.
Ports that have no listener are recorded by HoneyPoke in the missed.txt file in a special format:
<PORT> TCP| UDP
Use this is to modify your listeners with new ports.
Go at it! Open an issue, make a pull request, fork it, etc.
This project is licensed under the Mozilla Public License Version 2.0 license