Honeyroute is a honeypot written in Python, and it's configured for routing (in a concealed manner) various attacks to a dedicated honeypot machine, without being detected by the attacker. In other words, the attacker will believe his attack worked, but in reality he got fake information.
Honeyroute can detect and defend against the following attacks:
- SYN Flood - Blocks attackers and convinces them that the attack has succeeded, while still communicating with legit clients.
- SQL Injection - Routes the request to the honeypot, and returns data from a fake database.
- Anonymous FTP Session - Routes FTP commands & data to the honeypot so fake and dangerous files/folders don't appear on the asset
To run the main application:
$ python -m Honeypot.main
Honeyroute also includes a PowerShell script to automatically install the Windows feature for IIS Management, and start an FTP server configured to accept
anonymous users. To run the script, simply run the run_ftp.bat file.
- The GUI was written with PyQt5 and QML
Honeyroute uses PyDivert to catch packets before they reach their destination. The diverted packets are then handeled according to the protocol (FTP/HTTP)
Honeyroute uses a dictionary to store the number of SYN packets sent from a specific address. Once the number of packets exceeds the allowed amount,
Honeyroute defends against it - a new pydivert handle is started with higher priority than the main handle, and it catches the packets from the attacking address
for ~30 seconds.
The web server on the honeypot machine is intentionally vulnerable to SQL injection - when a user wants to log into an account, the server takes the first user that matches the following query:
'SELECT * FROM User WHERE email = "' + form.email.data + '" AND password = "' + form.password.data + '"'Therefore, by entering the expression " or ""=" the query will always be true, and the attacker will be logged into the first fake user in the database.
Honeyroute searches for the " and ' characters in the HTTP payload used to login.
If those characters appear, it routes the request to the honeypot and returns the fake user data to the attacker.
The IIS FTP server on the honeypot intentionally allows sessions from anonymous users. While this behavior can work in certain circumstances, it can result in many attacks targeting the file system.
To allow attacks on the honeypot, as well as normal usage of the asset FTP server, Honeyroute "whitelists" some passwords of legit users. Honeyroute then examines every login attempt to the asset, and if an attacker enters a non-whitelisted password, the session is routed to the honeypot. Even though FTP uses 2 TCP sessions (a command channel and a data channel) Honeyroute supports the main FTP functionalities: file/folder upload & download, file/folder deletion etc.
- Itay Margolin - Nisitay