It would be nice to have a log explorer in webui with search and export features.

when I run `python ohp.py -m ssh/strong_password, honeypot is working without any output, tested on python3.7 osx. not even ohp logo is printing.

In the bottom of the page of the API server, where top 10 username and passwords are shown of the various modules, the IP of the docker gateway(eg 172.18.0.1) is printed instead of IP of source. Please let me know if this is an intended behavior or else I can work on it.

We can add smtp module by creating a smtp server with https://pypi.org/project/aiosmtpd/ and creating event logs. Suggestions @dhirensr @Ali-Razmjoo

something seems off. can someone investigate?

$ ls tmp
paramiko.log           thread_888888888888888 thread_KKKKKKKKKKKKKKK thread_ZZZZZZZZZZZZZZZ thread_ttttttttttttttt
readme.md              thread_999999999999999 thread_NNNNNNNNNNNNNNN thread_ccccccccccccccc thread_uuuuuuuuuuuuuuu
thread_000000000000000 thread_AAAAAAAAAAAAAAA thread_PPPPPPPPPPPPPPP thread_ddddddddddddddd thread_vvvvvvvvvvvvvvv
thread_111111111111111 thread_BBBBBBBBBBBBBBB thread_QQQQQQQQQQQQQQQ thread_eeeeeeeeeeeeeee thread_xxxxxxxxxxxxxxx
thread_222222222222222 thread_FFFFFFFFFFFFFFF thread_RRRRRRRRRRRRRRR thread_iiiiiiiiiiiiiii
thread_444444444444444 thread_GGGGGGGGGGGGGGG thread_SSSSSSSSSSSSSSS thread_lllllllllllllll
thread_555555555555555 thread_HHHHHHHHHHHHHHH thread_WWWWWWWWWWWWWWW thread_mmmmmmmmmmmmmmm
thread_777777777777777 thread_JJJJJJJJJJJJJJJ thread_YYYYYYYYYYYYYYY thread_ooooooooooooooo

issue:

https://github.com/zdresearch/OWASP-Honeypot/blob/b0298144bbbafa81a3772c2b1c630d5e1541e55c/core/load.py#L362-L364

[+] [2020-07-22 19:13:06] all selected modules started: ssh/weak_password
[X] [2020-07-22 19:13:09] tshark couldn't capture network, maybe run as root!
[X] [2020-07-22 19:13:09] Interrupting the application because network                                capturing thread is not alive!
[+] [2020-07-22 19:13:09] killing new_network_events_thread

fix suggestion:

            if not new_network_events_thread.is_alive():
                return error(
                    "Interrupting the application because network capturing thread is not alive!"
                )

Hi,

after adding the enhancement #1, if the user sets "virtual_machine_internet_access": False in module category configurations, the IP and Port is not accessible for the host, so port forwarding is not working, for now, I force internet access for all of the virtual machines and must fix later!

        # connect to owasp nettacker networks!
        if configuration[selected_module]["virtual_machine_internet_access"]:
            os.popen("docker network connect ohp_internet {0}".format(container_name)).read()
        else:
            # Bug! details: https://github.com/zdresearch/OWASP-Honeypot/issues/2
            # os.popen("docker network connect ohp_no_internet {0}".format(container_name)).read()
            os.popen("docker network connect ohp_internet {0}".format(container_name)).read()

the network creation process:

    if "ohp_internet" not in all_existing_networks():
        info("creating ohp_internet network")
        os.popen("docker network create ohp_internet  --opt com.docker.network.bridge.enable_icc=true "
                 "--opt com.docker.network.bridge.enable_ip_masquerade=true "
                 "--opt com.docker.network.bridge.host_binding_ipv4=0.0.0.0 --opt "
                 "com.docker.network.driver.mtu=1500").read()
        network_json = json.loads(os.popen("docker network inspect ohp_internet").read())[0]["IPAM"]["Config"][0]
        info("ohp_internet network created subnet:{0} gateway:{1}".format(network_json["Subnet"],
                                                                          network_json["Gateway"]))
    if "ohp_no_internet" not in all_existing_networks():
        info("creating ohp_no_internet network")
        os.popen("docker network create --internal ohp_no_internet  --opt com.docker.network.bridge.enable_icc=true "
                 "--opt com.docker.network.bridge.enable_ip_masquerade=true "
                 "--opt com.docker.network.bridge.host_binding_ipv4=0.0.0.0 --opt "
                 "com.docker.network.driver.mtu=1500").read()
        network_json = json.loads(os.popen("docker network inspect ohp_no_internet").read())[0]["IPAM"]["Config"][0]
        info("ohp_no_internet network created subnet:{0} gateway:{1}".format(network_json["Subnet"],
                                                                             network_json["Gateway"]))

something I did wrong with ohp_no_internet section?

a simple solution

we can create a virtual machine and connect both internet and internal network into it, then use the port forwarding with iptables to access the internal network!

• 1- sshserver = 172.0.0.2:22 (internal)
• 2- machine = 172.0.0.3, 173.0.0.2 (internal, internet)
• 3- host = 173.0.0.1:22->173.0.0.2:22->173.0.0.3:22->172.0.0.2:22(internet, internet, internal, internal)

this solution is odd, maybe someone with more docker knowledge could help?

Regards.

@Ali-Razmjoo : i think we can go for bulk insert instead of creating a write call for each record ,maybe that would be faster implementation than what we have now.
We need to think on the strategy of bulk insert meaning on timely basis or on record basis(every 100 records?)

it's good idea to check all modules dockerfiles if we can speed them up a little bit by not installing unnecessary packages. some of them take much time to be created.

[+] [2020-08-09 12:05:50] creating image ohp_ftpserver_weak_password
[+] [2020-08-09 12:06:10] image ohp_ftpserver_weak_password created
[+] [2020-08-09 12:06:10] creating image ohp_ftpserver_strong_password
[+] [2020-08-09 12:06:48] image ohp_ftpserver_strong_password created
[+] [2020-08-09 12:06:48] creating image ohp_sshserver_weak_password
[+] [2020-08-09 12:07:00] image ohp_sshserver_weak_password created
[+] [2020-08-09 12:07:00] creating image ohp_sshserver_strong_password
[+] [2020-08-09 12:07:52] image ohp_sshserver_strong_password created
[+] [2020-08-09 12:07:52] creating image ohp_httpserver_basic_auth_weak_password
[+] [2020-08-09 12:08:10] image ohp_httpserver_basic_auth_weak_password created
[+] [2020-08-09 12:08:10] creating image ohp_httpserver_basic_auth_strong_password
[+] [2020-08-09 12:08:11] image ohp_httpserver_basic_auth_strong_password created
[+] [2020-08-09 12:08:11] creating image ohp_icsserver_veeder_root_guardian_ast
[+] [2020-08-09 12:08:20] image ohp_icsserver_veeder_root_guardian_ast created

the files in /api are not clean at all and it's very hard to understand what are they doing... need a good refactor and a better in code docs, specially database_queries.py, server.py

The sort and search options stopped working after switching to server side pagination option. Need to fix this.

@Ali-Razmjoo : i saw that this project needs this api ,and if no one is working i would like to work on it.
The idea is group by country and then for all distinct countries return 1 ip right?
or should it take country as parameter and then calculate top 10 ips of that country?
Waiting for the reply.

@Ali-Razmjoo : just creating this ticket so that we document everything on wiki ,like the new routes we added and merged.
this ticket would act as a reminder to update the wiki.

Hello @Ali-Razmjoo ,
I just saw that there is a flag in network configuration store_network_captured_files and it's set default to False,but I didn't see it being used anywhere in the codebase.
I don't know whether it's bug or the feature doesn't exists in the codebase.
Just wanted to know if it's a feature,what should it do ? so I can take up this task.

The tshark command given here captures destination IP and source Port. Doesn't displaying IP of source and port of destination make more sense? I tried changing the command to tshark -Y "ip.dst != xyz.xyz.xyz.xyz" -T fields -e ip.src -e tcp.dstport but there's no difference in output. Probably because everything is running locally and there's no external IP trying to connect to it.

this would be a script in the container to log all malware,passwords,etc

Hello @Ali-Razmjoo ,
I noticed that the program title for command line is Nettacker which I believe is another project where it is taken from,
https://github.com/zdresearch/OWASP-Honeypot/blob/5935ba5356cad95a4e580d4c04901d83789de532/core/load.py#L470

shouldn't you change it to Honeypot?

I would like to add the media/tutorials gifs for the framework in this issue.

@Ali-Razmjoo
I saw that OWASP is accepted as organisation and would like to apply for this repo.(https://www.owasp.org/index.php/GSoC2019_Ideas#OHP_.28OWASP_Honeypot.29)
but on the link expected results and roadmap section is not given .
could you mention it here like what all features are expected in this project to develop,it would help me to make my proposal
Thank you.

We can create scope for using API endpoints https://github.com/zdresearch/OWASP-Honeypot/wiki/API on the separate views on front end Web UI. Suggestions please @Ali-Razmjoo @dhirensr

I've noticed when I run api server, it use to check for mongodb if it's up, otherwise return error, but now it just exit!!

batman@Batmans-MacBook-Pro:~/D/G/OWASP-Honeypot:master$ python3 ohp.py --start-api-server

      ______          __      _____ _____
     / __ \ \        / /\    / ____|  __     | |  | \ \  /\  / /  \  | (___ | |__) |
    | |  | |\ \/  \/ / /\ \  \___ \|  ___/
    | |__| | \  /\  / ____ \ ____) | |
     \____/   \/  \/_/    \_\_____/|_|
                      _    _                        _____      _
                     | |  | |                      |  __ \    | |
                     | |__| | ___  _ __   ___ _   _| |__) |__ | |_
                     |  __  |/ _ \| "_ \ / _ \ | | |  ___/ _ \| __|
                     | |  | | (_) | | | |  __/ |_| | |  | (_) | |_
                     |_|  |_|\___/|_| |_|\___|\__, |_|   \___/ \__|
                                               __/ |
                                              |___/   

batman@Batmans-MacBook-Pro:~/D/G/OWASP-Honeypot:master$ 

also what happened to logo? 😆

@ChakshuGupta @dhirensr please have a look and send a PR if you can.

this would be a script in the container to log all passwords in http module

Error

while using a module named ssh/strong_password i got an error paramiko return non-zero code and docker image not found (mentioned in image).

p.s: All other modules are working properly.

cmd: python ohp.py -m ssh/strong_password (as root user)

Hi,

Having access to the internet could be dangerous, so based user configuration in modules category (e.g. ssh config, ftp config, http config) we must apply the rule and create a docker network and add the adaptor to the container. (the key is "virtual_machine_internet_access": False)

useful information:

• create an adaptor with internet docker network create --subnet=172.19.0.0/16 internet
• create an adaptor without internet docker network create --internal --subnet 10.1.1.0/24 no-internet
• connect a container to adaptor (no internet) docker network connect no-internet container-name
• connect a container to adaptor (with internet) docker network connect internet container-name

keep in mind, since the images need to download the requirements (with apt-get or etc..), they must use an adaptor with the internet at the first and then based on user configuration, change the adaptor for containers.

Regards.

• add developers guideline
• add database/connection.py documents credential_events, honeypot_events_data, honeypot_events, network_events
• add module specific document (ics, http, etc)
  ....

module which are not storing credentials

• http/basic_auth_weak_password/
• ssh/weak_password

While using module http/basic_auth_strong_password/ which works completely fine and storing credential events while above mentioned modules credential events are not stored.

maybe show packets real-time submitting to database and more information in terminal...

Hi,
When I tried to deploy the Honeypot with the following command python3 ohp.py (default configuration), I got this error message:

Traceback (most recent call last):
  File "ohp.py", line 5, in <module>
    from core.load import load_honeypot_engine
  File "/home/aleix/Documentos/OWASP-Honeypot/core/load.py", line 11, in <module>
    from terminable_thread import Thread, threading
ModuleNotFoundError: No module named 'terminable_thread'

Is there anything I'm missing?

so we recently added the feature to store .pcap files in the tmp directory. time to organize them maybe?

• add --store-pcap to CLI and merge it with the config.py
• add github action test with --store-pcap flag
• store files to somewhere like files or similar
• submit the filename to database as stored_network_files or something similar
• ability to explorerpcap through AP
• ability to download pcap files through API
• ability to set timeout (integer) (seconds) from CLI and add it to config.py (it must be bigger than >=1s )and default 3600 is good.

any other ideas? feel free to add.

thanks.

As discussed with Ali,
the logic of the route is
**
honeypot->country->date->top_ips
network->country->date->top_ips
**
just creating this ticket to commit my code against this ticket.

Hello @Ali-Razmjoo again,
I saw that we also want 2 routes stating top network machine_name and top honeypot machine_name,and the logic would be
honeypot/network_event -> count -> sortby count
but my question is when the machine name is getting inserted in database it is taking from
https://github.com/zdresearch/OWASP-Honeypot/blob/6e3b71cac9869c0b4c1a56e238210d0f951d1a0f/config.py#L49
and it is never changing in the code ,so basically wouldn't it be just find :
machine_name: real_identifier_machine_name
and you wont get more than 1 record in top machine names ?
i just want clarification on this and then would work on it.

The logic of the route is

honeypot_events-> country-> top ports
network_events-> country-> top ports

Dependabot can't evaluate your Python dependency files.

As a result, Dependabot couldn't check whether any of your dependencies are out-of-date.

The error Dependabot encountered was:

Illformed requirement ["==0.10."]

View the update logs.

it would be nice to add other types of events here.

Hello,
i would like to test all the modules ftp,ssh,ics,etc thoroughly to understand what they do and fix them if they have bugs.

On Usage page there is a typo in the very beginning, it's says Nettacker instead it should read OWASP Honeypot

Hello @Ali-Razmjoo, I came across todo in the core/network.py regarding the replacement of tshark with python port sniffing (e.g. https://www.binarytides.com/python-packet-sniffer-code-linux), I would like to work on it. Please let me know if I can work on it.

@Ali-Razmjoo : hello again,
I saw that most of the api work is done from todo and also just 2 of them is left.
I would like to work on it ,what does combine api calls with date mean? could you clarify the logic of both ,combin api calls with data and rename api calls.
Also is rename api calls someway related to REST conventions? I have also created a ticket for that.

Waiting for your reply.

in the wiki docs I saw nowhere in the installation tab about mongodb installation,and when you locally install the other packages and run "python ohp.py" it gives you an error after the logo saying that cannot connect to mongodb.
If Mongodb is required it should be mentioned in the installation ! I would like to change the docs once @Ali-Razmjoo replies for further clarification!

Please review the 2 tickets i have created! @Ali-Razmjoo

Dependabot couldn't authenticate with https://pypi.python.org/simple/.

You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.

View the update logs.

OS : Ubuntu 18.04
Type : Virtual Machine
Steps to reproduce: python3 ohp.py --verbose

It shows :

Successfully tagged ohp_httpserver:latest
docker: Error response from daemon: driver failed programming external connectivity on endpoint ohp_sshserver_strong_password (8ca84e650f147501953a159707c9c0386af8971ae82292e753fd0dd52c14b5da): Error starting userland proxy: listen tcp 0.0.0.0:22: bind: address already in use.


[+] [2019-02-13 18:52:37] creating image ohp_httpserver
[+] [2019-02-13 18:53:00] image ohp_httpserver created
[+] [2019-02-13 18:53:01] container ohp_ftpserver_strong_password started, forwarding 0.0.0.0:21 to 172.18.0.2:21
[+] [2019-02-13 18:53:01] container ohp_sshserver_strong_password started, forwarding 0.0.0.0:22 to CANNOT_FIND_IP_ADDRESS:22
[+] [2019-02-13 18:53:03] container ohp_httpserver_basic_auth_strong_password started, forwarding 0.0.0.0:80 to 172.18.0.3:80

@Ali-Razmjoo : please reply about this ,because i am not able to configure honeypot on my local machine due to this ,no events are getting registered in db.

Hello @Ali-Razmjoo ,
I was thinking that all of our api does not follow the REST conventions which are like the standard guidelines to be followed when designing the Web api's
for eg : in all of the api's we have shell methods=["GET", "POST"] but they should be just get ,as they are just reading the databases and giving the values
if they modify the database,for example store the username or some attribute then it should be POST.

and also the names of the URI does not follow REST conventions
for example
like it should be segregated into /network and /honeypot and then the URI names should also be shortened

top_ten_ips_in_network_events_by_date should be something like /network/top_ips_by_date

I followed these links for reference : https://restfulapi.net/resource-naming/ and https://blog.miguelgrinberg.com/post/designing-a-restful-api-with-python-and-flask
What do you think @Ali-Razmjoo ? based on the feedback i would work on it.

seems it sometimes not working on py2.7 and it messes up the CI https://github.com/zdresearch/OWASP-Honeypot/blob/master/core/exit_helper.py#L31-L60

Hello,
for installation wiki I would like to improve the docs saying that for ubuntu : "sudo apt-get install tshark
" and other instructions instead of just specifying install tshark .
I would like to improve docs and would send a pull requests once you reply,because i dont know if someone is already working on it.

@Ali-Razmjoo :
During refactoring we noticed that there are references to the file core.log which is currently not present. (for eg: https://github.com/zdresearch/OWASP-Honeypot/blob/ae1156c524c3b6d23cfd1ecedf4e8736f9935bfe/core/alert.py#L139)
so I would need more details on it? is the file moved or should it be created and functions need to be written?

The problem is in this line :

https://github.com/zdresearch/OWASP-Honeypot/blob/cca5081bc828fed0ca195e36a07a97b127125e84/core/network.py#L105

the ip is getting splitted but the type(ip) is bytes and then shell netaddr.valid_ipv4(ip) always fails because of that ,so in my local computer i just converted it by ip=ip.decode('utf-8') .
shell netaddr.valid_ipv4(ip) does not work when ip is a type 'byte',it needs a string.
Because even if the ip is valid it is not getting registered in db because of the if condition failure
@Ali-Razmjoo : you could add the changes for this bug or i can send a PR of this change .

when running python3 oh.py --test I got a package error for oschmod which is imported here (https://github.com/zdresearch/OWASP-Honeypot/blob/master/core/file_monitor.py#L5)
but I'm wondering is this my local machine problem because the same command is not failing in github actions , hence creating an issue for confirmation of the same.

Hi,

I've granted access to github code scanning tools, it's still beta version but worth to try. https://github.com/zdresearch/OWASP-Honeypot/security/code-scanning

I will set it up later, maybe a good thing to check before release.

Regards.