Hey Hey Everyone,
I realize this is not a true honeypot, so before you purists attack me: it will be by the time this tutorial series is done. This is simply an introduction to set things up.
It's been a while since I've done any tutorials, so it's time to take it to the next level. I've decided to relate this to AO a little bit more. So today we're going to develop a simple honeypot. I've chosen the IIS 5.1 SMTP Server as our banner. This tutorial assumes you have read my previous tutorials, and previously mentioned commands will not be reiterated. For those of you that have not read the tutorials, they can be viewed here:
Python Introduction 1
Python Introduction 2
Python Introduction 3
1. Open your favourite editor (Vi, Pico, Notepad, Wordpad, Textpad, DOS Edit).
2. Type in the following script:
Code:
# Demonstrates various methods of importing modules (Python 2 syntax, as used throughout this series).
from socket import *
import string
import time

# create a socket of the basic type (IPv4, TCP).
s = socket(AF_INET, SOCK_STREAM)
# let the port be re-bound straight after a restart instead of waiting for TIME_WAIT to expire.
s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)

# define our banner. Note the space before the date and the CRLF at the end: SMTP replies are CRLF-terminated lines.
senddata1 = "220 desktop Microsoft ESMTP MAIL Service, Version 6.0.2600.1106 ready at " + time.strftime("%a, %d %b %Y %H:%M:%S %Z") + "\r\n"

# Query the user for their IP Address and set that and the port
HOST = raw_input("Enter IP Address to bind socket to: ")
PORT = 25
s.bind((HOST, PORT))                     # Bind the socket to an IP Address and Port
s.listen(1)                              # Have the socket listen for a connection
(incomingsocket, address) = s.accept()   # Accept an incoming connection
incomingsocket.send(senddata1)           # Send our banner

straddress = str(address)                     # Convert the incoming address tuple to a string, e.g. "('127.0.0.1', 1234)"
testlist = string.split(straddress, ",")      # Split the string into a list: ["('127.0.0.1'", " 1234)"]
gethost = string.split(testlist[0], "'")      # Split the host portion of the list: ["(", "127.0.0.1", ""]
getaddr = string.split(testlist[1], ")")      # Split the port portion of the list: [" 1234", ""]
host = gethost[1]                             # Remove just the address from the list
incomingport = int(getaddr[0])                # Remove just the port from the list (int() ignores the leading space)

# define our Warning
senddata2 = "Illegal Access of this server, your IP [" + host + "] has been logged.\r\n"

# Print connection information to the stdout
print "Connection attempt on port", PORT, "from", host, ":", incomingport

# Listen for incoming data (recv blocks until the client sends its first command)
data = incomingsocket.recv(1024)

# Send the Warning
incomingsocket.send(senddata2)

# Close the sockets. The parentheses matter: "incomingsocket.close" on its own only looks the method up and never calls it.
incomingsocket.close()
s.close()
3. Save the script as honeypot.py
4. Open the command prompt and type python honeypot.py. (If you get an error, port 25 is probably already in use by a mail server, or you are on a Unix system where binding a port below 1024 requires root; either run it with the needed privileges or edit the file to change the port number.)
5. You will be prompted with Enter IP Address to bind socket to: Enter the IP address you wish to have the honeypot listen on. This could be 127.0.0.1 if you simply wish to test it, or the address of your outward-facing interface if you wish to actually listen for connection attempts. Nothing further is printed until someone connects, but you can telnet or nc to the IP you entered on port 25. Your session will display the defined banner 220 desktop Microsoft ESMTP MAIL Service, Version 6.0.2600.1106 ready at followed by the current time (built from the %<character> format flags; a list of all values can be found at the end of this tutorial). The honeypot's own console prints the IP address of the connection and the port used to connect. As soon as you send anything, the warning is displayed in your telnet/nc session, you are disconnected and the socket closes.
This is only a single-connection server and very basic, with no support for SMTP commands. As time goes on I will post another tutorial on this same honeypot, expanded to actually convince the user they are connected to a mail server.
The new commands in this tutorial include various socket commands, the time.strftime command and a few string commands.
time.strftime("format") - This command returns a string containing the current local time and date in the specified format (the format flags are listed at the end of this tutorial).
str(non-string) - Converts a non-string to a string (there are also int() and tuple() commands).
string.split(string, delimiter) - Splits a string into a list at every occurrence of the delimiter. The list is then referenced by listname[index] (numbering begins at 0), so the host part of "('127.0.0.1', 1234)" split on "," is element 0 and the port part is element 1.
This script contains the same starting socket commands as my first Python Tutorial, with a few extras. After accepting the connection, the script sends the banner using incomingsocket.send. This uses the socket object we received from s.accept (the socket accept command), which represents the connection back to the client, and tells the computer to send data to it. It then waits for data (incomingsocket.recv) with a maximum buffer size of 1024 bytes; recv blocks until the client sends something, so the warning only goes out after the client's first command arrives. Upon receiving this data it transmits the warning to the connecting PC and closes the connection with incomingsocket.close() (with parentheses, or the method is never actually called).
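As an added example, not code from the original tutorial or its promised follow-up, here is the same accept/banner/recv/warn/close flow written in Python 3 the way a practitioner would deploy it: the listener loops over many connections instead of exiting after one, a silent client is dropped after a timeout rather than holding the socket forever, each connection produces a log record with the client's first line, and the address comes straight from the (host, port) tuple that accept() returns, so no str()/split() round trip is needed. The host name "desktop" and the version string are taken from the tutorial's banner; the 550 reply code on the warning, the timeout, the record layout and the probe() client used to exercise it over loopback are this example's own choices.

```python
import socket
import threading
import time

# Banner wording from the tutorial; "desktop" and the version string are the tutorial's choices.
# The 550 code on the warning, the timeout and the record layout are assumptions of this example.
BANNER_PREFIX = "220 desktop Microsoft ESMTP MAIL Service, Version 6.0.2600.1106 ready at "
WARNING = "550 Illegal Access of this server, your IP [{host}] has been logged.\r\n"
CLIENT_TIMEOUT = 10.0   # seconds a connected client may stay silent before being dropped


def build_banner(when=None):
    """Return the 220 greeting as bytes; SMTP lines are CRLF-terminated."""
    stamp = time.strftime("%a, %d %b %Y %H:%M:%S %Z", when or time.localtime())
    return (BANNER_PREFIX + stamp + "\r\n").encode("ascii")


def recv_line(sock, limit=1024):
    """Read one CRLF-terminated line (or whatever arrives before the peer closes)."""
    buf = b""
    while not buf.endswith(b"\r\n") and len(buf) < limit:
        chunk = sock.recv(limit - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def handle_client(conn, address):
    """Greet one client, capture its first line, send the warning, close.

    accept() already returns (host, port), so the address needs no string parsing.
    Returns a log record instead of printing so the caller decides where it goes.
    """
    host, port = address
    record = {"time": time.strftime("%Y-%m-%d %H:%M:%S"), "host": host,
              "port": port, "data": b"", "error": None}
    conn.settimeout(CLIENT_TIMEOUT)
    try:
        conn.sendall(build_banner())
        record["data"] = recv_line(conn)              # usually EHLO/HELO, or a scanner's probe
        conn.sendall(WARNING.format(host=host).encode("ascii"))
    except OSError as exc:                            # timeouts and resets must not kill the listener
        record["error"] = repr(exc)
    finally:
        conn.close()
    return record


def make_listener(bind_host, bind_port=25, backlog=5):
    """Bind and listen. Port 25 needs root/Administrator; port 0 picks any free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_host, bind_port))
    listener.listen(backlog)
    return listener


def serve(listener, max_connections=None, log=print):
    """Accept connections one after another; max_connections=None runs until interrupted."""
    records = []
    try:
        while max_connections is None or len(records) < max_connections:
            conn, address = listener.accept()
            record = handle_client(conn, address)
            log(record)
            records.append(record)
    finally:
        listener.close()
    return records


def probe(host, port, command=b"EHLO probe.example\r\n"):
    """Act as the client (what telnet/nc would do): read the banner, send one command, read the reply."""
    with socket.create_connection((host, port), timeout=5) as client:
        banner = recv_line(client)
        client.sendall(command)
        reply = recv_line(client)
    return banner, reply


def run_demo():
    """Serve one connection on a loopback port and probe it from this same process."""
    listener = make_listener("127.0.0.1", 0)
    port = listener.getsockname()[1]
    records = []
    worker = threading.Thread(target=serve, args=(listener, 1, records.append))
    worker.start()
    banner, reply = probe("127.0.0.1", port)
    worker.join(timeout=15)
    return records, banner, reply


if __name__ == "__main__":
    for rec in run_demo()[0]:
        print(rec)
```

To run it for real, replace run_demo() with serve(make_listener("0.0.0.0", 25)) and point log at a file or syslog; the loop then records every connection until you interrupt it. The timeout is the important operational detail: without it, one scanner that opens a connection and never speaks blocks the single-threaded accept loop for everyone else.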
That's all for now people, hopefully you'll enjoy the few new commands and the honeypot concept. I'll expand the code and try to post a completed honeypot in the next week or two with instructions on its creation and modification.
time.strftime format flags
%a Locale's abbreviated weekday name.
%A Locale's full weekday name.
%b Locale's abbreviated month name.
%B Locale's full month name.
%c Locale's appropriate date and time representation.
%d Day of the month as a decimal number [01,31].
%H Hour (24-hour clock) as a decimal number [00,23].
%I Hour (12-hour clock) as a decimal number [01,12].
%j Day of the year as a decimal number [001,366].
%m Month as a decimal number [01,12].
%M Minute as a decimal number [00,59].
%p Locale's equivalent of either AM or PM.
%S Second as a decimal number [00,61].
%U Week number of the year (Sunday as the first day of the week) as a decimal number [00,53]. All days in a new year preceding the first Sunday are considered to be in week 0.
%w Weekday as a decimal number [0(Sunday),6].
%W Week number of the year (Monday as the first day of the week) as a decimal number [00,53]. All days in a new year preceding the first Monday are considered to be in week 0.
%x Locale's appropriate date representation.
%X Locale's appropriate time representation.
%y Year without century as a decimal number [00,99].
%Y Year with century as a decimal number.
%Z Time zone name (no characters if no time zone exists).
%% A literal "%" character.