Honeypot Checker
Checkpot is a honeypot checker: a tool meant to detect mistakes in the configuration of honeypots. It is aimed at security researchers who wish to check that their honeypots are properly set up, so they can be as hard to detect as possible and attract high-quality traffic. According to recent studies, honeypots using default or incorrect settings are surprisingly widespread all over the internet, so we consider Checkpot to be very relevant.
“Many researchers fail deploying honeypots that are easily detectable. There are trivial mistakes people can make when deploying a honeypot like leaving the default settings or templates. On the other hand there are some non-direct indicators of a honeypot including but not limited to running both Windows and Linux services on the same box or having two different ssh servers listening on the same IP. The goal of this project would be to create a simple and open source honeypot detection tool that would scan an IP looking for any traces of a honeypot and create a report with findings and their severity. Using this tool a researcher can scan their system before putting it online or in production and based on the report perform the necessary tuning.” - Honeynet GSoC 2018 project proposal
We don't want under any circumstances to make things easier for the bad guys. On the contrary, we wish to give them a hard time staying hidden by helping all researchers set up their honeypots properly.
All our tests are based on default settings or bugs that can be changed/avoided easily by security researchers. We NEVER publish tests that could expose honeypots when an easy fix for them is not available!
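The indirect indicators named in the proposal quoted above (Windows and Linux services on the same box, two different SSH servers on one IP) can be checked against a service inventory of your own honeypot before it goes online. The following is an added example, not Checkpot's code; the function names, OS hint words, severity numbers and sample banners are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed OS hint words (illustrative only, not Checkpot's rule set).
OS_HINTS = {"windows": ("microsoft", "windows"),
            "linux": ("ubuntu", "debian", "centos", "linux")}

def os_family(banner):
    """Return the OS family a banner hints at, or None if absent or contradictory."""
    text = banner.lower()
    hits = {fam for fam, words in OS_HINTS.items() if any(w in text for w in words)}
    return hits.pop() if len(hits) == 1 else None

def ssh_software(banner):
    """'SSH-2.0-OpenSSH_7.4p1 Debian' -> 'openssh'; falls back to the whole banner."""
    m = re.match(r"SSH-[\d.]+-([A-Za-z]+)", banner.strip())
    return m.group(1).lower() if m else banner.strip().lower()

def audit(services):
    """services: (port, service_name, banner) tuples observed on ONE IP.
    Returns (severity, message) findings, highest severity first (assumed scale)."""
    by_family, ssh_servers = defaultdict(list), defaultdict(list)
    for port, name, banner in services:
        family = os_family(banner)
        if family:
            by_family[family].append(port)
        if name == "ssh":
            ssh_servers[ssh_software(banner)].append(port)
    findings = []
    if len(by_family) > 1:   # Windows and Linux services on the same box
        detail = ", ".join(f"{f} on ports {sorted(p)}" for f, p in sorted(by_family.items()))
        findings.append((3, f"mixed OS fingerprints on one host: {detail}"))
    if len(ssh_servers) > 1:  # two different SSH implementations on one IP
        detail = ", ".join(f"{s} on ports {sorted(p)}" for s, p in sorted(ssh_servers.items()))
        findings.append((2, f"different SSH servers on the same IP: {detail}"))
    return sorted(findings, reverse=True)

# Constructed sample inventory (not real scan output).
SAMPLE = [
    (22, "ssh", "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3"),
    (2222, "ssh", "SSH-2.0-dropbear_2016.74"),
    (80, "http", "Microsoft-IIS/7.5"),
    (21, "ftp", "220 FTP server ready"),
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[severity {severity}] {message}")
```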
Keep in mind that this tool is based on port scanning and interacts with services on the target system in most cases. Even a simple port scan can be illegal in some jurisdictions. Please consult all laws that apply to your use case and make sure you understand exactly how the app works before you use it.
Our recommendation to make sure you stay out of trouble is to only scan systems that you own or systems whose owner has legally authorized you to scan (you can find an example here).
This tool is still in very early stages of development. Please keep this in mind when using it and contact the authors if you notice any problems (you can find all contact info at the bottom of this page).
- Read the Disclaimer above very carefully. Remember: USE CHECKPOT AT YOUR OWN RISK!
- If you do not understand the disclaimer stop now!
- Clone this repository locally:
  git clone https://www.github.com/honeynet/checkpot.git
- Install python3 (recommended version 3.5 or greater) and pip (pip3) using apt-get or tools like virtualenv or conda
- Install nmap using apt-get (or your distribution's default package manager) or build it from source using archives provided on their site
- Install mercurial using apt-get (or your distribution's default package manager). Mercurial is required for the download of a modified version of python-nmap (that displays progress bars while scanning) during the next step. Alternatively you can pip install python-nmap from the official channels but you will not see any progress bars.
- Install all required packages from requirements.txt:
  pip install -r requirements.txt
- Optional: If you wish to run the automated tests or use the containers framework for development purposes install docker.io:
  sudo apt-get install docker.io
Run python checkpot.py without any arguments to see all available commands.
A typical usage example would be: python checkpot.py -t <IP> -l 3
You can read the documentation here.
We welcome bug reports, suggestions for new features, new tests or improvements for existing tests.
We always strive to make Checkpot as modular and easy to understand as possible so everyone can contribute.
If you are a honeypot developer you can help your users set it up properly by adding tests for your honeypot.
A guide for contributors can be found here.
If you still have doubts about how something works, are facing any issues, or have any suggestions, you can contact us anytime on the official Honeynet Slack channel or open an issue here on GitHub. We are here to help!
Proudly developed during Google Summer of Code 2018 for The Honeynet Project.