czardoz/hornet

Hornet

Overview

Hornet aims to be a medium-interaction SSH honeypot that supports multiple virtual hosts. Each virtual host is configured independently and gets its own sandboxed filesystem. Hornet allows interaction across hosts, meaning that an attacker may log in to one host from another (using the ssh command). A Hornet instance must contain a default host, which serves as a launchpad for logging in to the other hosts. Any configured host can be made the default with a simple configuration change.

At a high level, Hornet works as shown in the following diagram:

                                               +-------------+
                                               | VirtualHost |
                            +----------------> |             |
                            |                  |     One     |
                            |                  +------+------+
                            |                         ^
                            |                         |
                            |                         |
                            v                         v
                   +--------+----+             +------+------+
                   |   Default   |             | VirtualHost |
Attacker+--------> |             | <---------> |             |
                   | VirtualHost |             |     One     |
                   +--------+----+             +------+------+
                            ^                         ^
                            |                         |
                            |                         |
                            |                         v
                            |                  +------+------+
                            |                  | VirtualHost |
                            +----------------> |             |
                                               |     One     |
                                               +-------------+

The double-ended arrows signify possible interaction through commands such as ssh, ping, etc.

Each VirtualHost has the following configurable attributes:

  • Hostname
  • IP Address
  • Sandboxed Filesystem
  • User Pool
  • DNS server (common across all VirtualHosts)
  • Shell environment parameters (such as $PATH)

Supported Commands

Hornet currently supports the following commands:

  • cd
  • ls
  • echo
  • ssh
  • logout
  • pwd
  • ifconfig
  • ping
  • uname

Installation

Installation is simple.

Install MySQL client libraries

$ sudo apt-get install libmysqlclient-dev

Then install hornet using pip

$ pip install git+https://github.com/czardoz/hornet.git

And since the latest version of telnetsrvlib on GitHub is super cool, upgrade to it:

$ pip install --upgrade git+https://github.com/ianepperson/telnetsrvlib.git#egg=telnetsrv-0.4.1

Usage

Create a directory anywhere

$ mkdir ~/honeypot

Initialize Hornet

$ cd ~/honeypot
$ hornet -v

You should see something like this (ignore the errors):

2015-01-31 19:34:19,624 [INFO] (root) Starting Hornet, version: 0.0.1
2015-01-31 19:34:19,624 [INFO] (hornet.main) Config file /tmp/honeypot/config.json not found, copying default
2015-01-31 19:34:19,625 [DEBUG] (hornet.common.config) Default host set to: test02
2015-01-31 19:34:19,625 [INFO] (hornet.main) Creating directory /tmp/honeypot/vhosts for virtual host filesystems
2015-01-31 19:34:19,628 [ERROR] (hornet.core.host) IP address for test01 is not specified in the config file (or is "null")
2015-01-31 19:34:19,628 [INFO] (hornet.core.host) Assigned random IP 192.168.0.103 to host test01
2015-01-31 19:34:19,633 [ERROR] (hornet.core.host) IP Address 192.168.0.443 for test03 is not valid for the specified network
2015-01-31 19:34:19,633 [INFO] (hornet.core.host) Assigned random IP 192.168.0.27 to host test03
2015-01-31 19:34:19,640 [INFO] (hornet.main) SSH server listening on 127.0.0.1:59866

Once you get it working, you can set about configuring it. Hit Ctrl+C to stop the honeypot.

...
2015-01-31 19:34:19,640 [INFO] (hornet.main) SSH server listening on 127.0.0.1:59866
^CKeyboardInterrupt
2015-01-31 19:40:58,419 [INFO] (root) Quitting
2015-01-31 19:40:58,419 [DEBUG] (root) Stopping the server

Now, you'll see a config.json created in the current directory.

$ cat config.json
{
    "port": 0,
    "host": "127.0.0.1",
    "key_file": "test_server.key",
    "network": {
        "network_ip": "192.168.0.0/24",
        "dns_server": "192.168.0.2",
        "gateway": "192.168.0.1"
    },
    "virtual_hosts": [
        {
            "hostname": "test02",
            "valid_logins": {
                "mango": "apple",
                "vstfpd": "1q2w3e4r",
                "testuser": "testpassword"
            },
            "env": {
                "BROWSER": "firefox",
                "EDITOR": "gedit",
                "SHELL": "/bin/bash",
                "PAGER": "less"
            },
            "default": true,
            "ip_address": "192.168.0.232"
        },
        {
            "hostname": "test03",
            ...
            "ip_address": "192.168.0.443"
        }
    ]
}

Edit it as you wish. You'll also see a vhosts/ directory. Inside it are the sandbox filesystems for each VirtualHost (as defined in the config file). These filesystems can be populated with any files you wish.
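A pre-start check for the config.json shown above, as an added example (not Hornet's own code): it reports the missing and invalid ip_address values that Hornet would otherwise replace with random addresses, as seen in the startup log. The gateway/DNS collision, duplicate-address and exactly-one-default checks, and the name lint_config, are assumptions of this example.

```python
import ipaddress

# Constructed sample that mirrors the keys shown in config.json above.
SAMPLE_CONFIG = {
    "network": {"network_ip": "192.168.0.0/24", "dns_server": "192.168.0.2",
                "gateway": "192.168.0.1"},
    "virtual_hosts": [
        {"hostname": "test01", "ip_address": None},
        {"hostname": "test02", "default": True, "ip_address": "192.168.0.232"},
        {"hostname": "test03", "ip_address": "192.168.0.443"},
    ],
}

def lint_config(config):
    """Return a list of (hostname, problem) tuples; an empty list means clean."""
    problems = []
    net_cfg = config["network"]
    network = ipaddress.ip_network(net_cfg["network_ip"])
    # Addresses a virtual host should not reuse (assumed check, not Hornet's).
    reserved = {net_cfg["gateway"]: "gateway", net_cfg["dns_server"]: "dns_server"}
    seen, defaults = {}, []
    for vhost in config["virtual_hosts"]:
        name = vhost["hostname"]
        if vhost.get("default"):
            defaults.append(name)
        raw = vhost.get("ip_address")
        if raw is None:
            problems.append((name, "ip_address missing or null"))
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            problems.append((name, "ip_address %s is not a valid address" % raw))
            continue
        if addr not in network:
            problems.append((name, "ip_address %s is outside %s" % (raw, network)))
        elif str(addr) in reserved:
            problems.append((name, "ip_address collides with %s" % reserved[str(addr)]))
        elif str(addr) in seen:
            problems.append((name, "ip_address duplicates %s" % seen[str(addr)]))
        else:
            seen[str(addr)] = name
    if len(defaults) != 1:
        problems.append(("*", "expected exactly one default host, found %d" % len(defaults)))
    return problems

if __name__ == "__main__":
    for host, problem in lint_config(SAMPLE_CONFIG):
        print(host, problem)
```

To check a real deployment, pass the result of json.load() on your own config.json to lint_config instead of the sample.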

You can now restart the honeypot:

$ hornet -v

Careful!

Hornet is under development and should not be used for production purposes yet. There are a fair number of bugs, and perhaps security risks. Know what you're doing!
