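def detectionmethod4(ip):
    """Score 0/1 for an MHN (Modern Honey Network) dashboard served on *ip*:80.

    The page counts as an MHN dashboard only when all three marker strings
    appear in the response body. The score is printed and logged; nothing is
    returned.

    Unlike the previous version, the HTTP fetch has a timeout and any fetch
    failure (connection refused, HTTP error, unreadable body) scores 0 instead
    of raising and aborting the whole scan.
    """
    logging.info("Start check mhn dashboard")
    mhndashboard = 0
    # check if port 80 is open
    if isPortOpen.is_open(ip, 80):
        content_web_page = ""
        try:
            # Bounded read so an unresponsive host cannot stall the scan.
            with urllib.request.urlopen("http://" + ip, timeout=10) as resp:
                # errors="replace": the page is not guaranteed to be valid UTF-8
                content_web_page = resp.read().decode("utf-8", errors="replace")
        except (OSError, ValueError) as e:  # URLError/HTTPError are OSError subclasses
            logging.warning(
                "The following error raise when trying to read the webpage: " + str(e))
        markers = ("Modern Honeypot Network", "Modern Honeynet Framework",
                   "threatstream.com")
        # all markers must be present, as in the original conjunction
        if all(marker in content_web_page for marker in markers):
            logging.info("This webpage is a dashboard from a mhn honeypot")
            mhndashboard = 1
        else:
            logging.info("This webpage is not a dashboard from a mhn honeypot")
    else:
        logging.info("There is probably no mhn dashboard on this port")
    print(
        "\n#4: The possibility that this ip runs a mhn honeynetwork with a dashboard:\n"
        + str(mhndashboard) + "/1")
    logging.info("Result mhn dashboard: " + str(mhndashboard) + "/1")
    logging.info("End check mhn daschboard")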
def detectionmethod3(ip):
    """Score 0/1 for a T-Pot dashboard on *ip*:64297.

    The only evidence used is whether the port is open. The score is printed
    and logged; nothing is returned.
    """
    logging.info("Start check T-Pot daschboard")
    port_open = isPortOpen.is_open(ip, 64297)
    if port_open:
        logging.info("There is probably an T-pot dashboard on this port")
    else:
        logging.info("There is probably no T-pot dashboard on this port")
    tpotdashboard = 1 if port_open else 0
    score_text = str(tpotdashboard) + "/1"
    print(
        "\n#3: The possibility that this ip runs a T-pot honeynetwork with a dashboard:"
        "\n" + score_text)
    logging.info("Result T-pot dashboard: " + score_text)
    logging.info("End check T-Pot dashboard")
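def check_kippo(ip, port):
    """Probe *ip*:*port* for a Kippo SSH honeypot; return 1 if it looks like one, else 0.

    The probe reads the server banner, sends it back followed by the
    module-level ``spacer`` (assumed to be bytes — confirm), and checks the
    reply for 'Protocol mismatch' or 'bad packet length'.

    Fixes versus the previous version: a dedicated socket is created per call
    (the module-level socket could only ever be connected once, so a second
    call failed), it carries a timeout, it is always closed, and connection
    errors score 0 instead of raising.
    """
    import socket

    # check if the port is open on ip-address
    if not isPortOpen.is_open(ip, port):
        return 0
    try:
        with socket.create_connection((ip, port), timeout=10) as sock:
            banner = sock.recv(1024)
            # sendall guarantees the whole probe is written, unlike send
            sock.sendall(banner + spacer)
            response = sock.recv(1024)
    except OSError as e:  # includes socket.timeout and ConnectionRefusedError
        logging.warning("Kippo probe on %s:%s failed: %s", ip, port, e)
        return 0
    # test if the machine on ip-address is a kippo honeypot
    if b'Protocol mismatch' in response or b'bad packet length' in response:
        logging.info(
            "Got 'Protocol mismatch' or 'bad packet length' in response of probe. This might be a kippo honeypot!"
        )
        return 1
    logging.info(
        "Got no 'Protocol mismatch' or 'bad packet length' in response of probe. "
        "This might not be a kippo honeypot.")
    return 0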
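def detectionmethod7(ip):
    """Score 0/1 for a dionaea honeypot on *ip*:443.

    Runs ``openssl s_client -connect ip:443`` and scores 1 when the string
    "dionaea" appears anywhere in its combined stdout/stderr (the certificate
    details it prints). The score is printed and logged; nothing is returned.

    Fixes versus the previous version: ``s_client`` keeps the session open
    reading stdin, so ``Popen(...).stdout.read()`` could block indefinitely;
    the call now gets an empty stdin and a timeout, and the output is decoded
    leniently because certificate fields need not be valid UTF-8.
    """
    logging.info("Start dionaeaDetect")
    # set variables
    content = ""
    dionaeadetect = 0
    # check if port 443 is open
    if isPortOpen.is_open(ip, 443):
        # try to connect to the ssl port of the machine and read the output
        try:
            logging.info("Try connection to the ssl port of the machine")
            # execute command to get ssl certificate info
            result = subprocess.run(
                ["openssl", "s_client", "-connect", ip + ":443"],
                input=b"",  # EOF on stdin so s_client exits after the handshake
                stdout=subprocess.PIPE,
                stderr=subprocess.STDOUT,
                timeout=15,
                check=False,  # a non-zero exit still yields usable output
            )
            content = result.stdout.decode("utf-8", errors="replace")
            logging.info("Ssl connection established")
        except (OSError, subprocess.SubprocessError) as e:
            # OSError: openssl missing; SubprocessError: includes TimeoutExpired
            logging.warning(
                "The following error raise when trying connect to ssl port:" + str(e))
        # if the string dionaea is in the content of the output dionaeadetect = 1
        if "dionaea" in content:
            dionaeadetect = 1
    print("\n#7: The possibility that this ip runs a dionaea honeypot:\n"
          + str(dionaeadetect) + "/1")
    logging.info("Result dionaeaDetect: " + str(dionaeadetect) + "/1")
    logging.info("End dionaeaDetect")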
def check_kippo_cowrie(ip, port):
    """Return detect_kippo_cowrie's verdict for *ip*:*port*, or 0 when the port is closed."""
    if not isPortOpen.is_open(ip, port):
        return 0
    return detect_kippo_cowrie(ip, port)
def detectionmethod6(ip):
    """Score 0/1 for a honeypot SSH server on *ip*:22, plus a 0/1 sshesame hostname check.

    Flow: connect with paramiko using a fixed credential pair; on success try
    ``ifconfig`` and treat "no output / failure" as honeypot-like (1).
    An authentication failure scores 0, a BadHostKeyException scores 1 and any
    other exception scores 0. ``check_sshesame()`` is consulted on every
    outcome of the connection attempt. Both scores are printed and logged;
    nothing is returned.

    NOTE(review): ``client`` is never closed on any path, and ``connect`` is
    called without a timeout, so an unresponsive host can stall the scan.
    """
    # check if ssh is running correctly
    logging.info("Start check ssh server")
    sshesame = False
    if isPortOpen.is_open(ip, 22):
        # set up ssh
        client = paramiko.SSHClient()
        client.load_system_host_keys()
        # WarningPolicy: unknown host keys are logged, not rejected
        client.set_missing_host_key_policy(paramiko.WarningPolicy())
        logging.info("Try to connect ssh server on " + str(ip))
        # try to connect to ip:22
        try:
            client.connect(ip, 22, 'root', '123456')
            # check_sshesame() takes no arguments here; presumably it inspects
            # state recorded during the connection attempt — confirm
            sshesame = check_sshesame()
            logging.info("Authentication root, 123456: accepted")
            # try to execute command
            try:
                # NOTE(review): exec_command returns a 3-tuple of channel
                # files, so .decode() raises AttributeError here and control
                # always falls into the bare except below; the "supported"
                # branch is effectively unreachable as written.
                stdin, stdout, stderr = client.exec_command('ifconfig').decode(
                    "utf-8")
                # if there is no output, commands cannot be executed on the ssh-server
                if stdout == "" and stdin == "" and stderr == "":
                    logging.info(
                        'Commands execution not supported by this ssh server')
                    sshserver = 1
                else:
                    logging.info(
                        'Commands execution is supported by this ssh server')
                    sshserver = 0
            # if command execution failed (bare except: catches everything,
            # including the AttributeError noted above)
            except:
                logging.info(
                    'Commands execution not supported by this ssh server')
                sshserver = 1
        # authentication error: the fixed credentials were rejected
        except paramiko.ssh_exception.AuthenticationException:
            sshesame = check_sshesame()
            logging.info("Authentication root, 123456: failure")
            sshserver = 0
        # BadHostKeyException: presented key differs from the known host key
        except paramiko.ssh_exception.BadHostKeyException:
            sshesame = check_sshesame()
            logging.info(
                "This server is probably a ssh honeypot witch does a man-in-the-middle attack"
            )
            sshserver = 1
        # other exceptions: best-effort, logged and scored 0
        except Exception as e:
            sshesame = check_sshesame()
            logging.warning(
                "The following error raise when trying connect to ssh server:" + str(e))
            sshserver = 0
    else:
        logging.info("This is not a running ssh server")
        sshserver = 0
    print("\n#6: The possibility that this ip runs a honeypot ssh server:"
          "\n" + str(sshserver) + "/1")
    logging.info("Result check ssh server: " + str(sshserver) + "/1")
    # check if the hostname of the machine is sshesame
    if sshesame:
        print(
            "\n#6.1: The hostname of the ssh server is sshesame (a known honeypot):\n1/1"
        )
        logging.info(
            "Result of hostname ssh server is sshesame (a known honeypot): 1/1"
        )
    else:
        print(
            "\n#6.1: The hostname of the ssh server is sshesame (a known honeypot):\n0/1"
        )
        logging.info(
            "Result of hostname ssh server is sshesame (a known honeypot): 0/1"
        )
    logging.info("End check ssh server")