In a previous post we introduced what honeypots and honeynets are, the different types of honeypots, and the different deployment phases. In this post we'll look at the open honeynet solutions available.
Open Honeynet solutions
A list of open honeynet solutions is discussed next:
Modern Honey Network (MHN)
This is a tool for easily creating honeynets in a visual way. It allows the creation of both high- and low-interaction deployments, and it exposes a REST API for sending information to external services. One of the drawbacks of this tool is the number of false positives it shows.
URL: https://github.com/threatstream/mhn
Dockpot
Dockpot is an SSH-based honeypot system. Essentially it is a NAT device with the capacity to act as an SSH proxy between the attacker and the honeypot itself, monitoring and logging the network activity directed at the honeypot. One of the characteristics of this tool is that Dockpot starts the honeypot system (as a Docker container) when it detects a new connection, and destroys the container when it detects that no connections against the system remain. This makes it possible to build a high-interaction network without having to worry about maintaining the machines.
URL: https://github.com/docker/global-hack-day-3/tree/master/dockpot
Conpot
Conpot is a low-interaction honeypot server focused on industrial control. It can operate as a honeypot of both types, low and high interaction. It is designed to be easy to deploy, modify and extend. By providing a range of common OT protocols, it has the basis to emulate complex infrastructures, capable of convincing an adversary that they have a large industrial complex in their hands. To improve its ability to mislead, it can also provide an HMI server to increase the honeypot's attack surface.
This is fine for a first pilot. It is also one of the tools with the most active community at present.
As a low-interaction honeypot, Conpot by default simulates an S7-200 device, although its configuration parameters allow it to simulate practically any device. As a high-interaction honeypot, Conpot can be used as a gateway to a physical device, so that the attacker actually reaches that device, which makes the honeypot itself harder to detect.
URL: https://github.com/mushorg/conpot
Honeytokens
Honeytokens are artificial elements that emulate data and are deliberately placed in a real resource or system in order to detect unauthorized attempts to use that information. Honeytokens are characterized by properties that make them look like genuine data. These elements must be accessible to potential attackers who intend to breach an organization's security in an attempt to extract information. One of the main challenges in honeytoken generation is creating data that simulate real values and are difficult to distinguish from genuine data. At this point it is recommended to follow guidelines for building an automatic value-generation system. As an initial phase in the creation of a honeynet, we can use OpenCanary to perform a series of tests, provided they do not involve OT protocols.
URL: https://github.com/thinkst/opencanary
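As an added illustration of the honeytoken idea (example code written for this post, not OpenCanary's own), the following mints fake credentials carrying an HMAC tag, records where each one was planted, and scans log lines for authentic hits so that a look-alike string cannot raise a false alert. The key, the token format and the log lines are all constructed.

```python
"""Honeytoken generation and log-side detection (added example, not OpenCanary's code)."""
import hashlib
import hmac
import re
import secrets

# Constructed demo key; a real deployment keeps it on the detection side, never with the token.
SECRET_KEY = b"constructed-demo-key"
TOKEN_RE = re.compile(r"HT-([0-9a-f]{8})-([0-9a-f]{16})")

def _tag(nonce: str) -> str:
    """Authentication tag over the nonce, so strings that merely look like tokens do not alert."""
    return hmac.new(SECRET_KEY, nonce.encode(), hashlib.sha256).hexdigest()[:16]

def make_honeytoken(placement: str, registry: dict, nonce=None) -> str:
    """Mint a fake credential and record where it was planted (nonce may be fixed for tests)."""
    nonce = nonce or secrets.token_hex(4)
    registry[nonce] = placement
    return f"HT-{nonce}-{_tag(nonce)}"

def scan_logs(lines, registry):
    """Return (placement, log line) for every authentic honeytoken found in the log lines."""
    alerts = []
    for line in lines:
        for nonce, tag in TOKEN_RE.findall(line):
            if hmac.compare_digest(_tag(nonce), tag):
                alerts.append((registry.get(nonce, "unregistered"), line.rstrip()))
    return alerts

def demo():
    """Plant one token and scan constructed web-server log lines for its use."""
    registry = {}
    token = make_honeytoken("config backup on fileserver01:/backups/app.env", registry, nonce="5f3c9a1e")
    # Constructed log lines: one real use of the token, one look-alike with a bad tag, one benign.
    logs = [
        f'10.0.0.7 - - [01/Jan/2024:10:00:00] "GET /api/v1/export HTTP/1.1" 401 "Bearer {token}"',
        '10.0.0.9 - - [01/Jan/2024:10:00:05] "GET /api/v1/export HTTP/1.1" 401 "Bearer HT-5f3c9a1e-0000000000000000"',
        '10.0.0.3 - - [01/Jan/2024:10:00:09] "GET /healthz HTTP/1.1" 200 "-"',
    ]
    return scan_logs(logs, registry)
```

Only the line that presents the genuine token is reported, together with the placement it was minted for, which is what makes the hit attributable.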
GNS3
GNS3 is a graphical network simulator that allows designing complex network topologies and running simulations on them. Tools of this type are very useful for deploying and modifying the different topologies of the honeynet. GNS3 should be combined with the following applications in order to obtain the expected performance in the project at hand:
- Dynamips, an IOS emulator that lets users run Cisco Systems binary images.
- Dynagen, a text front-end for Dynamips.
- Qemu and VirtualBox, which allow virtual machines to be used, for example as a PIX firewall.
- VPCS, a PC emulator with basic networking functions.
- IOU (IOS on Unix), special builds of IOS provided by Cisco that run directly on UNIX systems.
GNS3 is an excellent complement to real labs for Cisco network administrators or for people preparing for their CCNA, CCNP, CCIE, DAC or other certifications.
Gridpot
A honeypot for the electrical sector. It uses Conpot for its deployment, adding the specification needed to communicate using the IEC 61850 protocol.
URL: https://github.com/sk4ld/gridpot
ScadaHoneynet
It is a software-based framework for simulating a variety of industrial networks, such as SCADA, DCS and PLC architectures. With this tool a single Linux host can simulate multiple industrial devices and complex network topologies. Given the variety of deployments and the lack of standard, well-defined architectures for industrial networks, it aims to provide the building blocks so that users can simulate their own networks.
URL: scadahoneynet.sourceforge.net
GasPot
GasPot is a honeypot designed to simulate a Veeder-Root Guardian AST tank gauge.
These tank gauges are common in the oil and gas industry, installed on gas station tanks to assist with fuel inventory. GasPot generates a different series of values on each run, which makes it less conspicuous to an experienced attacker by simulating a real system more precisely.
URL: https://github.com/sjhilt/GasPot
HoneyComb
A system that automatically generates signatures for NIDS. It applies protocol analysis and pattern detection to traffic captured in trap systems. Using the traffic seen inside the honeypot has the advantage of concentrating traffic that, in our opinion, is malicious by definition. The idea would be to do something similar in the part exposed to subcontracted services, such as an intelligence system.
The system is an extension of the honeyd trap system and is specialized in inspecting the traffic inside the honeypot. Currently it works by examining protocol headers as well as payload data. Integrating it with honeyd has several advantages over an external probe placed directly at the network level: it avoids duplication of effort, since honeyd already uses libpcap to capture the relevant packets; it avoids the cold-start problems common to NIDSs, because honeyd does not merely listen passively to traffic but emulates consistent responses to incoming requests (not for OT protocols, or so I think); and with this mechanism we can determine exactly when a new connection starts or ends.
URL: http://www.icir.org/christian/honeycomb/
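As an added example (not Honeycomb's own code), this is a simplified reconstruction of the pattern-detection step described above: the longest run of bytes shared by payloads captured on the same honeypot port becomes the content match of a Snort-style rule. The payloads, the sid and the rule message are constructed.

```python
"""Honeycomb-style signature generation from honeypot payloads (added, simplified example)."""
from itertools import combinations

# Constructed sample payloads, as if captured by a honeypot listening on TCP/80.
PAYLOADS = [
    b"GET /index.html HTTP/1.0\r\nUser-Agent: probe-bot/2.1 (constructed)\r\n\r\n",
    b"GET /admin/ HTTP/1.0\r\nUser-Agent: probe-bot/2.1 (constructed)\r\n\r\n",
    b"HEAD / HTTP/1.1\r\nHost: honeypot\r\n\r\n",
]

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming LCS over bytes; returns the longest run shared by a and b."""
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def snort_content(data: bytes) -> str:
    """Render bytes as a Snort content string: printable ASCII as-is, everything else as |hex|."""
    out, hexrun = [], []
    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{c:02X}" for c in hexrun) + "|")
            hexrun.clear()
    for c in data:
        if 0x20 <= c < 0x7F and chr(c) not in ';"|\\':
            flush()
            out.append(chr(c))
        else:
            hexrun.append(c)
    flush()
    return "".join(out)

def make_signature(payloads, port, min_len=12, sid=1000001):
    """Longest run (>= min_len bytes) shared by any two payloads on this port becomes the rule."""
    best = b""
    for a, b in combinations(payloads, 2):
        lcs = longest_common_substring(a, b)
        if len(lcs) >= min_len and len(lcs) > len(best):
            best = lcs
    if not best:
        return None
    return (f'alert tcp any any -> any {port} (msg:"auto-generated from honeypot traffic"; '
            f'content:"{snort_content(best)}"; sid:{sid}; rev:1;)')
```

The threshold matters: the two probe requests share their User-Agent block and yield a rule, while the lone HEAD request shares only short fragments with the others and produces nothing.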
IOThoneypot
A Python Telnet server that acts as a honeypot for IoT malware, which spreads through horribly insecure default passwords on Telnet servers exposed to the internet.
URL: https://www.usenix.org/system/files/conference/woot15/woot15-paper-pa.pdf
PlanetLab
A set of servers distributed across the academic networks of the world, forming a planetary-scale computational laboratory that allows applications to be developed, installed and run in a test environment deployed over the network under real-world conditions.
It provides a platform for researchers to experiment with network services on a global scale with real workloads, supporting both short- and long-running experiments that can execute at the same time in isolation without affecting each other. The aim is to catalyze the evolution of the Internet towards a service-oriented architecture.