lurker is a network-based honeypot that captures payloads sent to any TCP port. lurker replies with a spoofed TCP SYN-ACK packet to the TCP SYN packets of attackers and scanners. They then send their TCP data payload after the 3-way handshake, and lurker captures the data, sends a notification, and saves it for security research. Many existing honeypots have a separate capture mechanism for each specific protocol. lurker has no such mechanism; however, lurker can capture data on all TCP ports because it simply replies with a TCP SYN-ACK packet.

lurker should monitor unpublished IP addresses or networks that are not expected to receive normal TCP connections, e.g. addresses not associated with any domain name or service. Attackers scan IP addresses for open TCP ports every day and find unpublished IP addresses anyway. lurker just silently waits for a TCP packet from an attacker.
Below is an example of a captured bad TCP payload sent to port 8545 by an attacker. It seems like an exploit for CVE-2016-6277.
- Replies with a spoofed TCP SYN-ACK packet to get the attacker to send the TCP payload
- Can monitor network(s), e.g. a CIDR block, with one host and one process by ARP spoofing
- Sends captured data to Slack for preview and to BigQuery for analytics
Install with the go command:
% go install github.com/m-mizutani/lurker@latest
% lurker -i eth0
Or use the Docker image:
% docker run --network host ghcr.io/m-mizutani/lurker:latest -i eth0
NOTE: Root privilege or read/write permission on the network device is required to capture and spoof raw packets. In general, run lurker with the sudo command.
% lurker -i eth0
% lurker -i eth0 -n 192.168.0.0/24 -a
The -n (--network) option can be given multiple times. The -a option enables ARP packet spoofing so that lurker answers as multiple IP addresses.
The following example excludes port 22 from monitoring, so lurker does not reply with a SYN-ACK packet for port 22.
% lurker -i eth0 -e 22
The -e option can be given multiple times.
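The mechanism described above (answer every SYN with a spoofed SYN-ACK, then capture the data that follows the attacker's completed handshake), together with the -n network filter and -e port exclusion, as an added Go example that is not lurker's own code. It works on an in-memory Segment struct instead of raw packets, and the fixed initial sequence number ISN is an assumption for the demo.

```go
package main

import (
	"fmt"
	"net"
)

// Segment holds the TCP/IP header fields the handshake needs (constructed for this example).
type Segment struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	Seq, Ack         uint32
	SYN, ACK         bool
	Payload          []byte
}

// Responder models the mechanism above: a SYN to a monitored network (-n) on a
// non-excluded port (-e) gets a spoofed SYN-ACK; data ACKing that SYN-ACK is recorded.
type Responder struct {
	Networks []*net.IPNet
	Exclude  map[uint16]bool
	ISN      uint32            // our initial sequence number (fixed for the demo)
	pending  map[string]uint32 // flow key -> ACK number a real client must send
	Captured []Segment
}

// Handle consumes one inbound segment and returns the spoofed reply, if any.
func (r *Responder) Handle(s Segment) *Segment {
	if r.pending == nil {
		r.pending = map[string]uint32{}
	}
	monitored := false
	for _, n := range r.Networks {
		monitored = monitored || n.Contains(s.DstIP)
	}
	if !monitored || r.Exclude[s.DstPort] {
		return nil // not our address, or an excluded port such as 22
	}
	key := fmt.Sprintf("%s:%d>%s:%d", s.SrcIP, s.SrcPort, s.DstIP, s.DstPort)
	if s.SYN && !s.ACK {
		r.pending[key] = r.ISN + 1 // the peer completes the handshake by ACKing ISN+1
		return &Segment{SrcIP: s.DstIP, DstIP: s.SrcIP, SrcPort: s.DstPort, DstPort: s.SrcPort,
			Seq: r.ISN, Ack: s.Seq + 1, SYN: true, ACK: true}
	}
	if want, ok := r.pending[key]; ok && s.ACK && s.Ack == want && len(s.Payload) > 0 {
		r.Captured = append(r.Captured, s) // payload that followed the fake handshake
		delete(r.pending, key)
	}
	return nil
}
```

A data segment whose ACK number does not match the SYN-ACK is ignored, which is how the responder tells a completed handshake from a stray or spoofed packet.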
You can send captured payloads to Slack via an Incoming Webhook. See the Slack documentation on creating an Incoming Webhook, and pass its URL to lurker as an option.
% lurker -i eth0 --slack-webhook-url https://hooks.slack.com/services/XXXXX/YYYYYYYY/zzzzzzzzzz
- The environment variable LURKER_SLACK_WEBHOOK can be used instead of the --slack-webhook-url option.
You can store captured payloads and sender information in BigQuery. Replace the placeholder values with your own project ID and dataset name:
% lurker -i eth0 --bigquery-project-id YOUR_PROJECT_ID --bigquery-dataset YOUR_DATASET
Environment variables can also be used to configure BigQuery:
- LURKER_BIGQUERY_PROJECT_ID: instead of --bigquery-project-id
- LURKER_BIGQUERY_DATASET: instead of --bigquery-dataset
If you use a Service Account to save records to BigQuery, set GOOGLE_APPLICATION_CREDENTIALS to the path of the Google Cloud service account credential. See the Google Cloud authentication documentation for more detail.
The BigQuery table schema is below.
- Source code: BSD 2-Clause license
- Image: CC-BY-SA from Carbot Animation http://carbotanimations.wikia.com/wiki/Lurker