2017-03-21 15:15:12 +00:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'Shodan Honeyscore Client',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module uses the shodan API to check
|
|
|
|
|
if a server is a honeypot or not. The api
|
|
|
|
|
returns a score from 0.0 to 1.0. 1.0 being a honeypot.
|
|
|
|
|
A shodan API key is needed for this module to work properly.
|
|
|
|
|
|
|
|
|
|
If you don't have an account, go here to register:
|
|
|
|
|
https://account.shodan.io/register
|
2017-03-21 17:23:06 +00:00
|
|
|
For more info on how their honeyscore system works, go here:
|
|
|
|
|
https://honeyscore.shodan.io/
|
2017-03-21 15:15:12 +00:00
|
|
|
},
|
2017-03-22 23:39:45 +00:00
|
|
|
'Author' =>
|
|
|
|
|
[ 'thecarterb' ],
|
2017-03-21 15:15:12 +00:00
|
|
|
'License' => MSF_LICENSE
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
|
2017-03-22 23:39:45 +00:00
|
|
|
deregister_options('RHOST', 'SSL', 'DOMAIN', 'DigestAuthIIS', 'NTLM::SendLM',
|
2017-03-21 15:15:12 +00:00
|
|
|
'NTLM::SendNTLM', 'VHOST', 'RPORT', 'NTLM::SendSPN', 'NTLM::UseLMKey',
|
|
|
|
|
'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
2017-03-22 23:39:45 +00:00
|
|
|
OptString.new('TARGET', [true, 'The target to get the score of']),
|
2017-03-21 15:15:12 +00:00
|
|
|
OptString.new('SHODAN_APIKEY', [true, 'The SHODAN API key'])
|
|
|
|
|
], self.class)
|
|
|
|
|
end
|
|
|
|
|
|
2017-03-21 17:23:06 +00:00
|
|
|
def print_score(score)
|
2017-03-22 23:39:45 +00:00
|
|
|
tgt = datastore['TARGET']
|
|
|
|
|
print_status("#{tgt} honeyscore: #{score}")
|
2017-03-21 17:23:06 +00:00
|
|
|
end
|
|
|
|
|
|
2017-03-22 23:39:45 +00:00
|
|
|
def run
|
|
|
|
|
key = datastore['SHODAN_APIKEY']
|
|
|
|
|
tgt = datastore['TARGET']
|
|
|
|
|
print_status("Scanning #{tgt}")
|
|
|
|
|
cli = Rex::Proto::Http::Client.new('api.shodan.io', 443, {}, true)
|
|
|
|
|
cli.connect
|
|
|
|
|
req = cli.request_cgi({
|
|
|
|
|
'uri' => "/labs/honeyscore/#{tgt}?key=#{key}",
|
|
|
|
|
'method' => 'GET'
|
|
|
|
|
})
|
|
|
|
|
res = cli.send_recv(req)
|
|
|
|
|
cli.close
|
|
|
|
|
if res.nil?
|
|
|
|
|
fail_with(Failure::Unknown, 'Unable to connect to shodan')
|
|
|
|
|
end
|
2017-03-21 15:15:12 +00:00
|
|
|
|
2017-03-22 23:39:45 +00:00
|
|
|
if res.code != 200
|
2017-03-21 17:23:06 +00:00
|
|
|
print_error('Shodan did not respond in an expected way. Check your api key')
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
2017-03-22 23:39:45 +00:00
|
|
|
score = res.to_s.to_f # Change the score to a float to be able to determine value in the checks
|
|
|
|
|
|
|
|
|
|
if score == 0
|
|
|
|
|
print_error("#{tgt} is not a honeypot")
|
|
|
|
|
print_score(score)
|
|
|
|
|
elsif score < 0.4 && score != 0.0
|
|
|
|
|
print_error("#{tgt} is probably not a honeypot")
|
2017-03-21 17:23:06 +00:00
|
|
|
print_score(score)
|
2017-03-21 23:17:20 +00:00
|
|
|
elsif score > 0.4 && score < 0.6
|
2017-03-22 23:39:45 +00:00
|
|
|
print_status("#{tgt} might be a honeypot")
|
2017-03-21 17:23:06 +00:00
|
|
|
print_score(score)
|
2017-03-21 23:17:20 +00:00
|
|
|
elsif score > 0.6 && score < 1.0
|
2017-03-22 23:39:45 +00:00
|
|
|
print_good("#{tgt} is probably a honeypot")
|
2017-03-21 17:23:06 +00:00
|
|
|
print_score(score)
|
2017-03-21 15:15:12 +00:00
|
|
|
elsif score == 1.0
|
2017-03-22 23:39:45 +00:00
|
|
|
print_good("#{tgt} is definitely a honeypot")
|
2017-03-21 17:23:06 +00:00
|
|
|
print_score(score)
|
|
|
|
|
else # We shouldn't ever get here as the previous check should catch an unexpected response
|
|
|
|
|
print_error('An unexpected error occured.')
|
2017-03-21 15:15:12 +00:00
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
