Example #1
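def detectionmethod4(ip):
    """Score whether ``ip`` serves a Modern Honey Network (MHN) dashboard on port 80.

    The page at ``http://<ip>`` is fetched and scored 1 only when it contains
    all three marker strings of the MHN dashboard; otherwise the score is 0.
    The result is printed and logged; nothing is returned.

    The remote host is untrusted, so the fetch is bounded in time and size and
    any fetch error is logged and treated as "no dashboard" instead of
    aborting the whole scan.

    NOTE(review): ``urlopen`` follows HTTP redirects, so the inspected body may
    come from a different host than ``ip``. A score of 0 only means the stock
    markers were not seen; it does not prove that no MHN instance is present.
    """
    logging.info("Start check mhn dashboard")

    fetch_timeout_s = 10          # upper bound on how long the peer may stall us
    max_body_bytes = 1024 * 1024  # the markers sit in a small HTML page
    markers = ("Modern Honeypot Network", "Modern Honeynet Framework",
               "threatstream.com")

    mhndashboard = 0

    # check if port 80 is open
    if isPortOpen.is_open(ip, 80):
        content_web_page = ""
        try:
            # The context manager closes the connection even if read() fails.
            with urllib.request.urlopen("http://" + ip,
                                        timeout=fetch_timeout_s) as response:
                raw_body = response.read(max_body_bytes)
            # Decode instead of str(bytes): str() yields the escaped repr
            # "b'...'" rather than the page text.
            content_web_page = raw_body.decode("utf-8", errors="replace")
        except Exception as e:
            # Broad on purpose (same style as the other checks in this file):
            # an open port 80 may answer with an HTTP error status, close
            # early, or not speak HTTP at all, and none of that should end
            # the scan.
            logging.warning(
                "The following error was raised when trying to read the webpage: "
                + str(e))

        # check if strings are in the content of the webpage
        if all(marker in content_web_page for marker in markers):
            logging.info("This webpage is a dashboard from a mhn honeypot")
            mhndashboard = 1
        else:
            logging.info("This webpage is not a dashboard from a mhn honeypot")
    else:
        logging.info("There is probably no mhn dashboard on this port")

    print(
        "\n#4: The possibility that this ip runs a mhn honeynetwork with a dashboard:\n"
        + str(mhndashboard) + "/1")
    logging.info("Result mhn dashboard: " + str(mhndashboard) + "/1")

    logging.info("End check mhn daschboard")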
Example #2
def detectionmethod3(ip):
    """Score whether ``ip`` exposes a T-Pot dashboard, judged by port 64297 only.

    The score is 1 when ``isPortOpen.is_open`` reports TCP port 64297 as open
    and 0 otherwise. The result is printed and logged; nothing is returned.

    NOTE(review): no content is fetched or inspected, so a score of 1 only
    means that something listens on port 64297. Treat it as a weak indicator
    and correlate it with the other checks before drawing a conclusion.
    """
    logging.info("Start check T-Pot daschboard")

    # A single port probe decides both the log line and the score.
    port_is_open = isPortOpen.is_open(ip, 64297)
    if port_is_open:
        verdict = "There is probably an T-pot dashboard on this port"
    else:
        verdict = "There is probably no T-pot dashboard on this port"
    logging.info(verdict)
    tpotdashboard = 1 if port_is_open else 0

    score_text = str(tpotdashboard) + "/1"
    print(
        "\n#3: The possibility that this ip runs a T-pot honeynetwork with a dashboard:"
        "\n" + score_text)
    logging.info("Result T-pot dashboard: " + score_text)

    logging.info("End check T-Pot dashboard")
Example #3
def check_kippo(ip, port):
    """Return 1 if the service at ``ip:port`` answers a probe like Kippo, else 0.

    The server's first 1024 bytes are read, sent back with ``spacer``
    appended, and the reply is searched for the byte strings
    ``Protocol mismatch`` and ``bad packet length``. A closed port gives 0.

    ``s`` and ``spacer`` are module-level names defined outside this listing.

    NOTE(review): presumably ``s`` is a socket created once at import time and
    ``spacer`` is a bytes payload; confirm against the module header. If so, a
    second call on the same socket, a refused connection or a stalled peer
    raises or blocks here, because nothing in this function sets a timeout,
    handles errors or closes the socket.
    """
    # Nothing to probe when the port is closed.
    if not isPortOpen.is_open(ip, port):
        return 0

    # Read the server banner and send it back with the spacer appended.
    s.connect((ip, port))
    banner = s.recv(1024)
    s.send(banner + spacer)
    response = s.recv(1024)

    # Either error string in the reply counts as a Kippo indicator.
    kippo_markers = (b'Protocol mismatch', b'bad packet length')
    if any(marker in response for marker in kippo_markers):
        logging.info(
            "Got 'Protocol mismatch' or 'bad packet length' in response of probe. This might be a kippo honeypot!"
        )
        return 1

    logging.info(
        "Got no 'Protocol mismatch' or 'bad packet length' in response of probe. "
        "This might not be a kippo honeypot.")
    return 0
Example #4
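def detectionmethod7(ip):
    """Score whether ``ip`` looks like a dionaea honeypot from its TLS output.

    When port 443 is open, ``openssl s_client`` is run against it and the
    combined stdout/stderr is searched for the string ``dionaea``. The score
    (1 if found, else 0) is printed and logged; nothing is returned.

    NOTE(review): the check depends on whatever text the server's certificate
    carries, so a score of 0 does not rule out a dionaea instance whose
    certificate was replaced.
    """
    logging.info("Start dionaeaDetect")

    # set variables
    content = ""
    dionaeadetect = 0
    probe_timeout_s = 15  # backstop in case the peer never finishes the handshake

    # check if port 443 is open
    if isPortOpen.is_open(ip, 443):
        # try to connect to the ssl port of the machine and read the output
        try:
            logging.info("Try connection to the ssl port of the machine")

            try:
                # stdin is /dev/null so s_client sees EOF and exits after the
                # handshake instead of waiting on the scanner's own stdin.
                # run() also reaps the child, so no zombie process is left.
                completed = subprocess.run(
                    ["openssl", "s_client", "-connect", ip + ":443"],
                    stdin=subprocess.DEVNULL,
                    stdout=subprocess.PIPE,
                    stderr=subprocess.STDOUT,
                    timeout=probe_timeout_s)
                output = completed.stdout
            except subprocess.TimeoutExpired as expired:
                # Keep whatever was printed before the child was killed.
                logging.warning("openssl s_client did not finish within "
                                + str(probe_timeout_s) + " seconds")
                output = expired.output or b""

            # Certificate fields are attacker-controlled bytes; replace
            # undecodable ones rather than losing the whole output.
            content = output.decode("utf-8", errors="replace")

            logging.info("Ssl connection established")
        except Exception as e:
            logging.warning(
                "The following error raise when trying connect to ssl port:" +
                str(e))

        # if the string dionaea is in the content of the output dionaeadetect = 1
        if "dionaea" in content:
            dionaeadetect = 1

    print("\n#7: The possibility that this ip runs a dionaea honeypot:\n" +
          str(dionaeadetect) + "/1")
    logging.info("Result dionaeaDetect: " + str(dionaeadetect) + "/1")

    logging.info("End dionaeaDetect")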
Example #5
def check_kippo_cowrie(ip, port):
    """Run the Kippo/Cowrie detection against ``ip:port`` if the port is open.

    Returns the result of ``detect_kippo_cowrie(ip, port)`` when
    ``isPortOpen.is_open`` reports the port as open, and 0 otherwise.
    ``detect_kippo_cowrie`` is defined outside this listing.
    """
    # A closed port cannot host the service, so skip the probe.
    if not isPortOpen.is_open(ip, port):
        return 0
    return detect_kippo_cowrie(ip, port)
Example #6
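def detectionmethod6(ip):
    """Score whether the SSH server on ``ip:22`` behaves like a honeypot.

    The check logs in with the fixed credentials used throughout this file
    and, if they are accepted, runs ``ifconfig``. The score is 1 when the
    server accepts the login but produces no command output (or the command
    fails), or when the host key conflicts with a known one; it is 0 in every
    other case. A second result (#6.1) reports what ``check_sshesame()``
    returned. Both results are printed and logged; nothing is returned.

    ``check_sshesame`` is defined outside this listing.

    Fixes compared with the previous version:
    * ``exec_command`` returns three channel files, not bytes. Calling
      ``.decode`` on that tuple always raised, so every accepted login was
      scored 1 without the command output ever being looked at.
    * The bare ``except:`` also caught ``KeyboardInterrupt``/``SystemExit``.
    * The client is now closed on every path, and connect/exec have timeouts.
    * ``allow_agent``/``look_for_keys`` are disabled so the "accepted" result
      reflects the password only and no local key is offered to the untrusted
      host.
    """
    # check if ssh is running correctly
    logging.info("Start check ssh server")

    sshesame = False
    ssh_timeout_s = 10  # the peer is untrusted; never wait on it indefinitely

    if isPortOpen.is_open(ip, 22):
        # set up ssh
        client = paramiko.SSHClient()
        client.load_system_host_keys()
        client.set_missing_host_key_policy(paramiko.WarningPolicy())
        logging.info("Try to connect ssh server on " + str(ip))
        # try to connect to ip:22
        try:
            client.connect(ip, 22, 'root', '123456',
                           timeout=ssh_timeout_s,
                           allow_agent=False,
                           look_for_keys=False)
            # check hostname of ssh-server
            sshesame = check_sshesame()
            logging.info("Authentication root, 123456: accepted")
            # try to execute command
            try:
                _stdin, stdout, stderr = client.exec_command(
                    'ifconfig', timeout=ssh_timeout_s)
                command_output = stdout.read()
                command_errors = stderr.read()
                # if there is no output, commands cannot be execute on the ssh-server
                if not command_output and not command_errors:
                    logging.info(
                        'Commands execution not supported by this ssh server')
                    sshserver = 1
                else:
                    logging.info(
                        'Commands execution is supported by this ssh server')
                    sshserver = 0
            # if command execution failed (including a read timeout)
            except Exception:
                logging.info(
                    'Commands execution not supported by this ssh server')
                sshserver = 1
        # authentication error
        except paramiko.ssh_exception.AuthenticationException:
            sshesame = check_sshesame()
            logging.info("Authentication root, 123456: failure")
            sshserver = 0
        # BadHostKeyException
        except paramiko.ssh_exception.BadHostKeyException:
            sshesame = check_sshesame()
            logging.info(
                "This server is probably a ssh honeypot witch does a man-in-the-middle attack"
            )
            sshserver = 1
        # other exceptions
        except Exception as e:
            sshesame = check_sshesame()
            logging.warning(
                "The following error raise when trying connect to ssh server:"
                + str(e))
            sshserver = 0
        finally:
            # Release the transport whether or not the login succeeded.
            client.close()
    else:
        logging.info("This is not a running ssh server")
        sshserver = 0

    print("\n#6: The possibility that this ip runs a honeypot ssh server:"
          "\n" + str(sshserver) + "/1")
    logging.info("Result check ssh server: " + str(sshserver) + "/1")

    # check if the hostname of the machine is sshesame
    sshesame_score = "1/1" if sshesame else "0/1"
    print(
        "\n#6.1: The hostname of the ssh server is sshesame (a known honeypot):\n"
        + sshesame_score)
    logging.info(
        "Result of hostname ssh server is sshesame (a known honeypot): "
        + sshesame_score)

    logging.info("End check ssh server")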