diff --git a/http/honeypot/citrix-honeypot-detect.yaml b/http/honeypot/citrix-honeypot-detect.yaml new file mode 100644 index 0000000000..e1e82eb2bb --- /dev/null +++ b/http/honeypot/citrix-honeypot-detect.yaml @@ -0,0 +1,38 @@ +id: citrix-honeypot-detect + +info: + name: Citrix Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A Citrix honeypot has been identified. + The HTTP response reveals a possible setup of the Citrix web application honeypot. + metadata: + max-request: 2 + verified: true + shodan-query: http.title:“Citrix Login” + vendor: citrix + product: citrix + tags: citrix,honeypot,ir,cti + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'len(body)<2000' + + - type: word + part: body + words: + - "Citrix Login" + + - type: word + part: body + words: + - "In order to use our services, you must agree to Citrix's Terms of Service." + negative: true \ No newline at end of file diff --git a/http/honeypot/dionaea-http-honeypot-detect.yaml b/http/honeypot/dionaea-http-honeypot-detect.yaml new file mode 100644 index 0000000000..c3a781a0a6 --- /dev/null +++ b/http/honeypot/dionaea-http-honeypot-detect.yaml @@ -0,0 +1,37 @@ +id: dionaea-http-honeypot-detect + +info: + name: Dionaea HTTP Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + Dionaea HTTP honeypot has been identified. + The response to an incorrect HTTP method reveals a possible setup of the Dioanea web application honeypot. + metadata: + max-request: 1 + vendor: dionaea + product: http + tags: dionaea,honeypot,ir,cti + +http: + - raw: + - | + AAAA / HTTP/1.1 + Host: {{Hostname}} + + unsafe: true + matchers-condition: and + matchers: + - type: status + status: + - 501 + + - type: word + part: header + words: + - "nginx" + + - type: word + part: body + words: + - '' 
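Review bot: The `shodan-query` value in the citrix template uses typographic quotes (`“Citrix Login”`) rather than ASCII `"`, so the query fails or returns nothing when pasted into Shodan and leaves a non-ASCII bare scalar in the YAML; it should read `shodan-query: 'http.title:"Citrix Login"'`. None of the three ANDed matchers pins a status code or content type, so any short page that mentions "Citrix Login" without the Terms-of-Service sentence (a proxy stub, an unrelated login form) is reported as a honeypot. If the negative ToS match is the real discriminator because genuine Citrix pages carry that sentence and the honeypot's static page does not, say so in a comment above that matcher rather than leaving it implicit. `max-request: 2` also overstates the single GET the template sends.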
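Review bot: The last matcher in the dionaea-http template, `words: - ''`, is an empty-string match that every response satisfies, so it contributes nothing to the `and` condition and suggests a body check that does not exist; drop it or replace it with a body string Dionaea actually returns for the 501. What remains (`status: 501` plus `nginx` somewhere in a header) would flag any nginx-fronted service that answers an unknown method with 501, so a distinguishing detail of Dionaea's reply — for instance a `negative: true` match on nginx's stock error-page markup, if Dionaea's body differs from it — is worth adding; confirm against Dionaea's http module. The description's "Dioanea" is also a typo for "Dionaea".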
diff --git a/http/honeypot/elasticpot-honeypot-detect.yaml b/http/honeypot/elasticpot-honeypot-detect.yaml new file mode 100644 index 0000000000..a8705cc274 --- /dev/null +++ b/http/honeypot/elasticpot-honeypot-detect.yaml @@ -0,0 +1,26 @@ +id: elasticpot-honeypot-detect + +info: + name: ElasticPot Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A ElasticPot (ElasticSearch) honeypot has been identified. + The response to a '_cluster/settings' request differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 1 + vendor: elasticpot + product: elasticsearch + fofa-query: "index_not_found_exception" + tags: elasticpot,elasticsearch,honeypot,ir,cti + +http: + - method: GET + path: + - "{{BaseURL}}/_cluster/settings" + + matchers: + - type: word + part: body + words: + - 'index_not_found_exception' \ No newline at end of file diff --git a/http/honeypot/snare-honeypot-detect.yaml b/http/honeypot/snare-honeypot-detect.yaml new file mode 100644 index 0000000000..ec87e9aec4 --- /dev/null +++ b/http/honeypot/snare-honeypot-detect.yaml @@ -0,0 +1,35 @@ +id: snare-honeypot-detect + +info: + name: Snare Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + Snare honeypot has been identified. + The response to an incorrect HTTP version reveals a possible setup of the Snare web application honeypot. + metadata: + max-request: 1 + verified: true + shodan-query: '"Python/3.10 aiohttp/3.8.3" && Bad status' + vendor: snare + product: http + tags: snare,honeypot,ir,cti + +http: + - raw: + - | + GET / HTTP/1337 + Host: {{Hostname}} + + unsafe: true + matchers-condition: and + matchers: + - type: word + part: header + words: + - "Python/3.10 aiohttp/3.8.3" + + - type: word + part: body + words: + - "Bad status line 'Expected dot'" \ No newline at end of file 
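Review bot: The single matcher in the elasticpot template fires on any body containing `index_not_found_exception`, with no status, header or `matchers-condition`, so anything that routes `/_cluster/settings` to an Elasticsearch index lookup, or another Elasticsearch emulator, is reported as ElasticPot. A real Elasticsearch answers `/_cluster/settings` with a JSON object whose top-level keys are `persistent` and `transient` (or a 401/403 when security is enabled), so the discriminator should be explicit: keep the positive match, add `- type: word` / `words: ["persistent"]` / `negative: true` under `matchers-condition: and`, and state in the description that ElasticPot appears to treat `_cluster` as an index name — confirm that against the ElasticPot source before wording it as fact.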
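Review bot: The header matcher in the snare template pins the exact string `Python/3.10 aiohttp/3.8.3`, while the body string `Bad status line 'Expected dot'` is aiohttp's generic HTTP-parser error, so a Snare instance running under any other Python or aiohttp release is missed and any plain aiohttp application answering `GET / HTTP/1337` is reported as Snare. Loosen the version pin with a regex matcher, `regex: - 'Python/3\.\d+ aiohttp/3\.\d+(\.\d+)?'`, and reword the description to say the template identifies an aiohttp server whose malformed-version handling matches Snare's, since nothing in the two strings is Snare-specific. A comment on the raw request, `# HTTP/1337 is rejected by aiohttp's version parser before routing`, would also make the probe's intent clear to the next reader.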
diff --git a/network/honeypot/adbhoney-honeypot-cnxn-detect.yaml b/network/honeypot/adbhoney-honeypot-cnxn-detect.yaml new file mode 100644 index 0000000000..372637f83e --- /dev/null +++ b/network/honeypot/adbhoney-honeypot-cnxn-detect.yaml @@ -0,0 +1,33 @@ +id: adbhoney-honeypot-cnxn-detect + +info: + name: ADBHoney Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + ADBHoney honeypot has been identified. + The response to the 'adb connect' command differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 4 + verified: true + shodan-query: product:Android Debug Bridge (ADB) && SM-G960F + vendor: android + product: adb + tags: adbhoney,android,adb,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN + type: hex + - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO + type: hex + + host: + - "{{Hostname}}" + port: 5555 + read-size: 1024 + + matchers: + - type: word + words: + - "device::http://ro.product.name =starltexx;ro.product.model=SM-G960F" \ No newline at end of file diff --git a/network/honeypot/adbhoney-honeypot-shell-detect.yaml b/network/honeypot/adbhoney-honeypot-shell-detect.yaml new file mode 100644 index 0000000000..3bbac3fd51 --- /dev/null +++ b/network/honeypot/adbhoney-honeypot-shell-detect.yaml 
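Review bot: The word matcher in the adbhoney-cnxn template keys on the full banner `device::http://ro.product.name =starltexx;ro.product.model=SM-G960F`, which looks like ADBHoney's default device string (confirm against its configuration), so an operator who changes the `ro.product.*` values evades the check. A genuine `adbd` CNXN banner, in my experience, starts `device::ro.product.name=` with no URL scheme and no space before `=`; the `device::http://` prefix is the anomalous part, so matching on it alone, or adding it as a second ORed word, would survive a customised model string. A comment over the second input, `# host::features=... — the client-side CNXN banner, written before the reply is read`, would spare readers decoding 230 bytes of hex, and `max-request: 4` overstates the two writes sent.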
@@ -0,0 +1,36 @@ +id: adbhoney-honeypot-shell-detect + +info: + name: ADBHoney Honeypot (shell probe) - Detect + author: UnaPibaGeek + severity: info + description: | + ADBHoney honeypot has been identified. + The response to the 'adb shell pwd' command differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 4 + verified: true + shodan-query: product:Android Debug Bridge (ADB) && SM-G960F + vendor: android + product: adb + tags: adbhoney,android,adb,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1" # CNXN + type: hex + - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73" # CLIENT INFO + type: hex + - data: "4f50454e6b000000000000000a0000009d030000b0afbab1" # OPEN + type: hex + - data: "7368656c6c3a70776400" # SHELL: PWD + type: hex + host: + - "{{Hostname}}" + port: 5555 + read-size: 1024 + + matchers: + - type: binary + binary: + - "57525445020000006b0000000000000000000000a8adabba" \ No newline at end of file diff --git a/network/honeypot/conpot-siemens-honeypot-detect.yaml b/network/honeypot/conpot-siemens-honeypot-detect.yaml new file mode 100644 index 0000000000..b827ba77dd --- /dev/null +++ b/network/honeypot/conpot-siemens-honeypot-detect.yaml 
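Review bot: The shell-probe template is not passive: the `OPEN` and `shell:pwd` inputs ask the remote `adbd` to execute a command, and on a real device or emulator that exposes ADB over TCP without authentication that command runs, so the template should carry an `intrusive` tag and a description sentence saying a shell command is sent instead of the copied cnxn wording. The binary matcher expects a `WRTE` header whose data-length and checksum fields are both zero (`00000000 00000000` after the local id `6b000000`), i.e. an empty write, which a real `adbd` would not send for `pwd` since it returns the path plus a newline; a comment such as `# ADBHoney answers the shell with an empty WRTE; real adbd sends the pwd output` would record why this is a fingerprint — please confirm the empty-write behaviour against ADBHoney's source.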
@@ -0,0 +1,31 @@ +id: conpot-siemens-honeypot-detect + +info: + name: Conpot (Siemens) Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A Conpot (Siemens) honeypot has been identified. + The response to a first packet of a connection attempt differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 1 + verified: true + vendor: conpot + product: siemens + shodan-query: html:"Overview - Siemens, SIMATIC" + tags: conpot,siemens,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "0300001611e00000000400c1020100c2020102c0010a" + type: hex + + host: + - "{{Hostname}}" + port: 102 + read-size: 1024 + + matchers: + - type: binary + binary: + - "030000130ed00000000000c1020000c2020000" \ No newline at end of file diff --git a/network/honeypot/cowrie-ssh-honeypot-detect.yaml b/network/honeypot/cowrie-ssh-honeypot-detect.yaml new file mode 100644 index 0000000000..dbd87ad24b --- /dev/null +++ b/network/honeypot/cowrie-ssh-honeypot-detect.yaml @@ -0,0 +1,35 @@ +id: cowrie-ssh-honeypot-detect + +info: + name: Cowrie SSH Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A Cowrie (or Twisted) SSH honeypot has been identified. + The response to a wrong SSH version differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 2 + vendor: cowrie + product: ssh + tags: cowrie,twisted,ssh,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "SSH-1337-OpenSSH_9.0\r\n" + + host: + - '{{Hostname}}' + port: 22 + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - 'SSH\-([0-9.-A-Za-z_ ]+)' + + - type: word + words: + - Protocol major versions differ. + - bad version 1337 + condition: or \ No newline at end of file diff --git a/network/honeypot/dionaea-ftp-honeypot-detect.yaml b/network/honeypot/dionaea-ftp-honeypot-detect.yaml new file mode 100644 index 0000000000..e6a35772d3 --- /dev/null 
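Review bot: The `shodan-query` in the conpot template, `html:"Overview - Siemens, SIMATIC"`, searches Conpot's HTTP page while the probe talks COTP on port 102, so the pivot and the check describe different services; either note that with `# HTTP pivot; the check below fingerprints the S7/COTP side` or use a port-102 query. The description's "response to a first packet of a connection attempt" hides what is compared: the CR TPDU sent carries src-ref `0000` and TSAP parameters `01 00`/`01 02`, and the expected CC TPDU has every reference and TSAP byte zeroed (`c1020000c2020000`), whereas a real SIMATIC CPU is expected to echo the requested TSAPs — state that in the description, hedged as the behaviour observed from Conpot's S7 stack.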
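Review bot: In the cowrie template the ORed word `Protocol major versions differ.` is a false-positive risk: older OpenSSH `sshd` wrote exactly `Protocol major versions differ.\n` to the socket before closing when the client's major version was unsupported, so a real OpenSSH host answering `SSH-1337-OpenSSH_9.0` can satisfy both the banner regex and that word and be reported as a honeypot. `bad version 1337` is the Twisted conch disconnect text the description actually targets, so either drop the OpenSSH string or make it a `negative: true` matcher, after confirming what a current sshd emits. `max-request: 2` overstates the single write.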
+++ b/network/honeypot/dionaea-ftp-honeypot-detect.yaml @@ -0,0 +1,31 @@ +id: dionaea-ftp-honeypot-detect + +info: + name: Dionaea FTP Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A Dionaea FTP honeypot has been identified. + The response to the 'PASS' command differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 4 + vendor: dionaea + product: ftp + tags: dionaea,ftp,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "USER root\r\n" + read: 1024 + - data: "PASS \r\n" + read: 1024 + + host: + - "{{Hostname}}" + port: 21 + read-size: 2048 + + matchers: + - type: word + words: + - "500 Syntax error: PASS requires an argument" \ No newline at end of file diff --git a/network/honeypot/dionaea-mqtt-honeypot-detect.yaml b/network/honeypot/dionaea-mqtt-honeypot-detect.yaml new file mode 100644 index 0000000000..c97064e4eb --- /dev/null +++ b/network/honeypot/dionaea-mqtt-honeypot-detect.yaml @@ -0,0 +1,31 @@ +id: dionaea-mqtt-honeypot-detect + +info: + name: Dionaea MQTT Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A Dionaea MQTT honeypot has been identified. + The response to a MQTTv5 packet differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 2 + verified: true + shodan-query: product:"MQTT" + vendor: dionaea + product: mqtt + tags: dionaea,mqtt,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "101000044d5154540502003c032100140000" + type: hex + + host: + - "{{Hostname}}" + port: 1883 + read-size: 1024 + + matchers: + - type: binary + binary: + - "20020000" \ No newline at end of file diff --git a/network/honeypot/dionaea-mysql-honeypot-detect.yaml b/network/honeypot/dionaea-mysql-honeypot-detect.yaml new file mode 100644 index 0000000000..35b80df36c --- /dev/null +++ b/network/honeypot/dionaea-mysql-honeypot-detect.yaml 
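Review bot: The ftp template logs in as `USER root` with an empty `PASS`, which a real FTP server records as a failed root login and brute-force protection such as fail2ban may act on; since the check only needs the server's reaction to an argument-less `PASS`, `USER anonymous` gives the same probe without raising an alarm on production hosts. The matcher string is only Dionaea-specific if no mainstream server uses the exact wording `500 Syntax error: PASS requires an argument`; confirm that against Dionaea's ftp module and record it in a comment above the matcher. Note also that the first `read: 1024` consumes the 220 banner together with the `USER` reply.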
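Review bot: The mqtt template's description should state the actual discriminator rather than "differs from real installations": the CONNECT sent is protocol level 5 (`4d515454 05`, clean start, keepalive 60, a properties block, empty client id), a compliant v5 broker's CONNACK includes a properties length and so has remaining length of at least 3 (`20 03 00 00 00`), and a v3-only broker rejects level 5 with `20 02 00 01`; `20020000` — a v3-style success to a v5 CONNECT — is what the template attributes to Dionaea. Without that, `binary: - "20020000"` reads as a generic "connection accepted" match. A comment on the input, `# MQTT v5 CONNECT: clean start, keepalive 60, receive-maximum 20, empty client id`, would help too; `max-request: 2` overstates the single write.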
@@ -0,0 +1,33 @@ +id: dionaea-mysql-honeypot-detect + +info: + name: Dionaea MySQL Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A MySQL honeypot has been identified. + The response to a connection command differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 2 + vendor: dionaea + product: mysql + tags: dionaea,mysql,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "\x4a\x00\x00\x00\x0a\x35\x2e\x31\x2e\x32\x39\x00\x0b\x00\x00\x00\x21\x3e\x34\x1b\x51\x3f\x34\x33\x60\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + + host: + - "{{Hostname}}" + port: 3306 + read-size: 1024 + + matchers-condition: and + matchers: + - type: word + words: + - "5.7.16" + + - type: word + words: + - "aaaaaaaa" \ No newline at end of file diff --git a/network/honeypot/dionaea-smb-honeypot-detect.yaml b/network/honeypot/dionaea-smb-honeypot-detect.yaml new file mode 100644 index 0000000000..175e1e22de --- /dev/null +++ b/network/honeypot/dionaea-smb-honeypot-detect.yaml @@ -0,0 +1,30 @@ +id: dionaea-smb-honeypot-detect + +info: + name: Dionaea SMB Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A Dionaea SMB honeypot has been identified. + The response to an SMB connection packet differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 1 + shodan-query: port:445 + vendor: dionaea + product: dionaea + tags: dionaea,smb,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "00000045ff534d4272000000000801c8000000000000000000000000ffff0100ffff0000002200024e54204c4d20302e31320002534d4220322e3030320002534d4220322e3f3f3f00" + type: hex + + host: + - "{{Hostname}}" + port: 445 + read-size: 1024 + + matchers: + - type: binary + binary: + - "6538547e6c42" \ No newline at end of file diff --git a/network/honeypot/gaspot-honeypot-detect.yaml b/network/honeypot/gaspot-honeypot-detect.yaml new file mode 100644 index 0000000000..64aba77c7c 
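Review bot: The mysql template's input is a YAML double-quoted string of `\x` escapes instead of the `type: hex` form every sibling template uses; YAML decodes those escapes to code points, so any byte at or above 0x80 would be emitted UTF-8-encoded as two bytes — all bytes here are below 0x80, so it works today, but the form is fragile and should be `type: hex`. The payload is also itself a HandshakeV10 *server* greeting (protocol byte `0x0a`, version `5.1.29`), not a client reply, and the greeting the matchers inspect is sent by the peer unsolicited, so "response to a connection command" misstates what is compared: the fixed version `5.7.16` together with auth-plugin data of `aaaaaaaa` where a real server sends random bytes (confirm against Dionaea's mysql module). Say that in the description and mark the input as `# ignored by the server; the greeting arrives before anything is sent`.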
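Review bot: The smb template's binary matcher `6538547e6c42` is six opaque bytes with no comment on which field of the NegotiateProtocol response they are; they look like a fixed challenge or key fragment, which would be a fingerprint only because real servers randomise it — confirm against Dionaea's smb module and add `# fixed bytes Dionaea places in its NegotiateProtocol reply (real servers randomise this field)` or the actual field name. `shodan-query: port:445` matches every SMB host and is not a pivot for this product; drop it or replace it with something Dionaea-specific. A comment on the input, `# SMB1 NegotiateProtocol offering NT LM 0.12, SMB 2.002 and SMB 2.???`, would also save readers decoding the hex.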
--- /dev/null +++ b/network/honeypot/gaspot-honeypot-detect.yaml @@ -0,0 +1,29 @@ +id: gaspot-honeypot-detect + +info: + name: GasPot Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A GasPot honeypot has been identified. + The response to the '^AI21400' command differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 2 + shodan-query: port:10001 + vendor: gaspot + product: veeder-root + tags: gaspot,veeder-root,ics,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "^AI21400" + + host: + - "{{Hostname}}" + port: 10001 + read-size: 1024 + + matchers: + - type: word + words: + - "9999FF1B" \ No newline at end of file diff --git a/network/honeypot/mailoney-honeypot-detect.yaml b/network/honeypot/mailoney-honeypot-detect.yaml new file mode 100644 index 0000000000..aa7bd399f4 --- /dev/null +++ b/network/honeypot/mailoney-honeypot-detect.yaml @@ -0,0 +1,29 @@ +id: mailoney-honeypot-detect + +info: + name: Mailoney Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A Mailoney (SMTP) honeypot has been identified. + The response to the 'HELP' command differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 2 + vendor: mailoney + product: exim + tags: mailoney,exim,smtp,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "HELP\r\n" + read: 1024 + + host: + - "{{Hostname}}" + port: 25 + read-size: 1024 + + matchers: + - type: word + words: + - "502 Error: command \"HELP\" not implemented" \ No newline at end of file diff --git a/network/honeypot/redis-honeypot-detect.yaml b/network/honeypot/redis-honeypot-detect.yaml new file mode 100644 index 0000000000..baba74b66b --- /dev/null +++ b/network/honeypot/redis-honeypot-detect.yaml 
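Review bot: The gaspot template sends the two ASCII characters `^` and `A` followed by `I21400`, not the SOH control byte (0x01) that TLS-350 commands begin with, so a real Veeder-Root gauge should ignore the request while a lenient substring-matching emulator may still answer; if that is the intended discriminator, say so in a comment above the input, otherwise send `data: "\x01I21400"` or use `type: hex` like the sibling templates. The matcher `9999FF1B` likewise needs a comment naming which part of GasPot's canned reply it is (confirm against the source), and `shodan-query: port:10001` is not a pivot for this product. Given the target is an ATG on an ICS port, the description should also state that the command is a read-only inventory query.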
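Review bot: The matched text in the mailoney template, `502 Error: command "HELP" not implemented`, is the wording Python's standard-library `smtpd.SMTPChannel` returns for any unimplemented verb, so every smtpd-based SMTP service, including throwaway development servers, answers identically and is reported as Mailoney. The description should say the template identifies a Python-smtpd-style server, and if Mailoney's greeting is distinctive (the `product: exim` metadata suggests it mimics an Exim banner — confirm) a second word matcher on that 220 line under `matchers-condition: and` would narrow the hit. `max-request: 2` overstates the single write.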
@@ -0,0 +1,29 @@ +id: redis-honeypot-detect + +info: + name: Redis Honeypot - Detect + author: UnaPibaGeek + severity: info + description: | + A Redis honeypot has been identified. + The response to the 'QUIT' command differs from real installations, signaling a possible deceptive setup. + metadata: + max-request: 2 + shodan-query: redis + vendor: redis + product: redis + tags: redis,honeypot,ir,cti,network + +tcp: + - inputs: + - data: "QUIT" + + host: + - "{{Hostname}}" + port: 6379 + read-size: 1024 + + matchers: + - type: word + words: + - "-ERR unknown command `QUIT`, with args beginning with:" \ No newline at end of file
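Review bot: `data: "QUIT"` in the redis template has no terminating `\r\n`, and Redis's inline protocol only executes a command once it sees the line ending, so a real Redis never answers, the read simply waits for the timeout, and an emulator that also waits for the newline is missed; send `QUIT\r\n`. The matched error is version-bound as well: I believe Redis 7 changed the unknown-command message to quote the name with `'...'` instead of backticks, and real Redis implements QUIT in any case, so the description should name which honeypot emits this backtick form rather than the generic "A Redis honeypot". `max-request: 2` overstates the single write.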