A PoC tool designed to enhance the effectiveness of your traps by spreading breadcrumbs & honeytokens across your systems to lure the attacker toward your honeypots
A simple PoC tool designed to enhance the effectiveness of your traps by spreading breadcrumbs & honeytokens across your production servers and workstations to lure the attacker toward your honeypots.
Author: Adel "0x4D31" Karimi.
The Windows version of this project: honeybits-win
Although honeypots are used by security researchers to study the attackers’ tools, techniques and motives for many years, they still have not been widely accepted and deployed in production environments. One reason is that the traditional implementation of honeypots is static and success is based on an attacker discovering it (which usually requires network scanning)!
Taking a look at the Mitre ATT&CK Matrix, you will see that 'Network Service Scanning' is only one of the many different Post-compromise activities. The more you plant false or misleading information in response to the post-compromise techniques (specially the techniques under ‘credential access’, ‘Discovery’, and ‘Lateral movement’ tactics in ATT&CK matrix), the greater the chance of catching the attackers. Honeybits helps you automate the creation of breadcrumbs/honeytokens on your production Servers and Workstations. These honeytokens or breadcrumbs include: * Fake bash_history commands (such as ssh, ftp, rsync, scp, mysql, wget, awscli) * Fake AWS credentials and config files (you required to create fake AWS IAM users with no permissions and generate access keys for them) * Configuration, backup and connection files such as RDP and VPN * Fake entries in hosts, ARP table, etc. * Fake browser history, bookmarks and saved passwords * Injected fake credentials into LSASS * Fake registry keys
(sshpass -p '123456' ssh -p 2222 [email protected])
(ftp ftp://backup:[email protected]:2121)
(rsync -avz -e 'ssh -p 2222' [email protected]:/var/db/backup.tar.gz /tmp/backup.tar.gz)
(scp -P 2222 [email protected]:/var/db/backup.tar.gz /tmp/backup.tar.gz)
(mysql -h 192.168.1.66 -P 3306 -u dbadmin -p12345 -e "show databases")
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY aws ec2 describe-instances --profile devops --region us-east-2
go get github.com/spf13/viper)
go get github.com/xordataexchange/crypt/config)
$ go build $ sudo ./honeybits
Failed reading remote config. Reading the local config file... Local config file loaded.
[failed] honeyfile already exists at this path: /tmp/secret.txt [done] go-audit rule for /home/test/secret.txt is added [done] honeyfile is created (/home/test/secret.txt) [done] go-audit rule for /opt/secret.txt is added [done] sshpass honeybit is inserted [done] wget honeybit is inserted [done] ftp honeybit is inserted [done] rsync honeybit is inserted [done] scp honeybit is inserted [done] mysql honeybit is inserted [failed] aws honeybit already exists [done] hostsconf honeybit is inserted [done] awsconf honeybit is inserted [done] awscred honeybit is inserted [done] custom honeybit is inserted