Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-10-16 21:39:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge 85d23150b8 into 144bdb8315

Browse source
This commit is contained in:
Raymond Frangie 2018-05-12 05:54:05 +00:00 committed by GitHub
commit 310cde7117
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
32 changed files with 1173 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
docker/conpot/docker-compose.yml
View file

@ -1,19 +0,0 @@
version: '2.1'
networks:
conpot_local:
services:
# Conpot service
conpot:
container_name: conpot
restart: always
networks:
- conpot_local
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:1710"
volumes:
- /data/conpot/log:/var/log/conpot

59
docker/conpot_default/Dockerfile Normal file
View file

@ -0,0 +1,59 @@
FROM alpine
MAINTAINER MO
# Include dist
ADD dist/ /root/dist/
# Define Environment Variables
ENV CONPOT_TEMPLATE="default" CONPOT_LOG="/var/log/conpot/conpot_default.log" CONPOT_CONFIG="/etc/conpot/conpot_default.cfg"
# Setup apt
RUN apk -U add bash \
build-base \
file \
git \
libev \
libtool \
libxslt \
libxslt-dev \
mariadb-dev \
mariadb-client-libs \
pkgconfig \
python \
python-dev \
py-gevent \
py-snmp \
py-cffi && \
# Setup ConPot
git clone https://github.com/mushorg/conpot /opt/conpot_default/ && \
cd /opt/conpot_default/ && \
git checkout d97a68a054e4fe42ff90293188a5702ce8ab09a3 && \
cp /root/dist/requirements.txt /opt/conpot_default/ && \
python setup.py install && \
cd / && \
rm -rf /opt/conpot_default /tmp/* /var/tmp/* && \
# Setup user, groups and configs
addgroup -g 2000 conpot_default && \
adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot_default && \
mkdir -p /etc/conpot /var/log/conpot && \
mv /root/dist/conpot.cfg /etc/conpot/conpot_default.cfg && \
mv /root/dist/default/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot/templates/default/ && \
# Clean up
apk del build-base \
file \
git \
libev \
libtool \
libxslt-dev \
mariadb-dev \
pkgconfig \
python-dev \
py-cffi && \
rm -rf /root/* && \
rm -rf /var/cache/apk/*
# Run supervisor upon container start
CMD /usr/bin/conpot --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG

0
docker/conpot/README.md → docker/conpot_default/README.md
View file

14
docker/conpot/dist/conpot.cfg → docker/conpot_default/dist/conpot.cfg vendored
View file

@ -1,16 +1,16 @@
[common]
sensorid = conpot
sensorid = conpot_default
[session]
timeout = 30
[daemon]
user = conpot
group = conpot
user = conpot_default
group = conpot_default
[json]
enabled = True
filename = /var/log/conpot/conpot.json
filename = /var/log/conpot/conpot_default.json
[sqlite]
enabled = False
@ -20,9 +20,9 @@ enabled = False
device = /tmp/mysql.sock
host = localhost
port = 3306
db = conpot
username = conpot
passphrase = conpot
db = conpot_default
username = conpot_default
passphrase = conpot_default
socket = tcp ; tcp (sends to host:port), dev (sends to mysql device/socket file)
[syslog]

324
docker/conpot_default/dist/default/IEC104/IEC104.xml vendored Normal file
View file

@ -0,0 +1,324 @@
<!-- Copyright (C) 2017 Patrick Reichenberger (University of Passau) <patrick.reichenberger@t-online.de>
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-->
<IEC104 enabled="True" host="0.0.0.0" port="2404">
<device_info>
<vendor_name>Siemens</vendor_name>
<product_code>SIMATIC</product_code>
</device_info>
<!-- names are in structured 16_8 Bit format of the Information Object Address -->
<categories>
<category name="SinglePoint" id="1">
<register name="13_20">
<value>13_20</value>
</register>
<register name="13_21">
<value>13_21</value>
</register>
<register name="13_22">
<value>13_22</value>
</register>
<register name="13_24">
<value>13_24</value>
</register>
<register name="13_25">
<value>13_25</value>
</register>
<register name="13_32">
<value>13_32</value>
</register>
<register name="13_33">
<value>13_33</value>
</register>
<register name="13_34">
<value>13_34</value>
</register>
<register name="13_35">
<value>13_35</value>
</register>
<register name="13_36">
<value>13_36</value>
</register>
<register name="13_37">
<value>13_37</value>
</register>
<register name="13_38">
<value>13_38</value>
</register>
<register name="13_39">
<value>13_39</value>
</register>
<register name="13_40">
<value>13_40</value>
</register>
<register name="13_41">
<value>13_41</value>
</register>
<register name="13_42">
<value>13_42</value>
</register>
</category>
<category name="SingleCommand" id="45">
<register name="22_19">
<value>22_19</value>
</register>
<register name="22_20" rel="13_20">
<value>22_20</value>
</register>
<register name="22_21" rel="13_21">
<value>22_21</value>
</register>
<register name="22_22" rel="13_22">
<value>22_22</value>
</register>
<register name="22_24" rel="13_24">
<value>22_24</value>
</register>
<register name="22_25" rel="13_25">
<value>22_25</value>
</register>
<register name="22_42">
<value>22_42</value>
</register>
<register name="22_43">
<value>22_43</value>
</register>
<register name="22_54">
<value>22_54</value>
</register>
</category>
<category name="DoublePoint" id="3">
<register name="33_2">
<value>33_2</value>
</register>
<register name="33_3">
<value>33_3</value>
</register>
<register name="33_4">
<value>33_4</value>
</register>
<register name="33_5">
<value>33_5</value>
</register>
<register name="33_6">
<value>33_6</value>
</register>
<register name="33_7">
<value>33_7</value>
</register>
<register name="33_8">
<value>33_8</value>
</register>
<register name="33_9">
<value>33_9</value>
</register>
<register name="33_10">
<value>33_10</value>
</register>
<register name="33_11">
<value>33_11</value>
</register>
</category>
<category name="DoubleCommand" id="46">
<register name="60_6" rel="33_6">
<value>60_6</value>
</register>
<register name="60_7" rel="33_7">
<value>60_7</value>
</register>
<register name="60_8" rel="33_8">
<value>60_8</value>
</register>
<register name="60_9" rel="33_9">
<value>60_9</value>
</register>
<register name="60_20" rel="33_10">
<value>60_20</value>
</register>
<register name="60_21" rel="33_11">
<value>60_21</value>
</register>
<register name="60_32">
<value>60_32</value>
</register>
<register name="60_34">
<value>60_34</value>
</register>
<register name="60_35">
<value>60_35</value>
</register>
<register name="60_36">
<value>60_36</value>
</register>
</category>
<category name="MeasuredValueScaled" id="11">
<register name="100_12">
<value>100_12</value>
</register>
<register name="100_13">
<value>100_13</value>
</register>
<register name="100_51">
<value>100_51</value>
</register>
<register name="100_108">
<value>100_108</value>
</register>
<register name="100_109">
<value>100_109</value>
</register>
<register name="100_178">
<value>100_178</value>
</register>
<register name="100_179">
<value>100_179</value>
</register>
<register name="100_190">
<value>100_190</value>
</register>
<register name="100_191">
<value>100_191</value>
</register>
<register name="100_192">
<value>100_192</value>
</register>
<register name="100_193">
<value>100_193</value>
</register>
</category>
<category name="SetpointCommandScaled" id="49">
<register name="101_63" rel="100_12">
<value>101_63</value>
</register>
<register name="101_205" rel="100_13">
<value>101_205</value>
</register>
<register name="101_100">
<value>101_100</value>
</register>
<register name="101_101" rel="100_51">
<value>101_101</value>
</register>
<register name="101_102" rel="100_178">
<value>101_102</value>
</register>
<register name="101_105">
<value>101_105</value>
</register>
<register name="101_106">
<value>101_106</value>
</register>
</category>
<category name="MeasuredValueFloatingPoint" id="13">
<register name="107_3">
<value>107_3</value>
</register>
<register name="107_77">
<value>107_77</value>
</register>
<register name="107_78">
<value>107_78</value>
</register>
<register name="107_79">
<value>107_79</value>
</register>
<register name="107_90">
<value>107_90</value>
</register>
<register name="107_130">
<value>107_130</value>
</register>
<register name="107_131">
<value>107_131</value>
</register>
<register name="107_132">
<value>107_132</value>
</register>
<register name="107_141">
<value>107_141</value>
</register>
<register name="107_200">
<value>107_200</value>
</register>
<register name="107_201">
<value>107_201</value>
</register>
<register name="107_202">
<value>107_202</value>
</register>
<register name="107_203">
<value>107_203</value>
</register>
<register name="107_204">
<value>107_204</value>
</register>
<register name="107_205">
<value>107_205</value>
</register>
<register name="107_206">
<value>107_206</value>
</register>
<register name="107_207">
<value>107_207</value>
</register>
<register name="107_208">
<value>107_208</value>
</register>
<register name="107_209">
<value>107_209</value>
</register>
<register name="107_210">
<value>107_210</value>
</register>
<register name="107_211">
<value>107_211</value>
</register>
<register name="107_212">
<value>107_212</value>
</register>
</category>
<category name="SetpointCommandFloatingPoint" id="50">
<register name="109_3" rel="107_3">
<value>109_3</value>
</register>
<register name="109_7" rel="107_77">
<value>109_7</value>
</register>
<register name="109_8">
<value>109_8</value>
</register>
<register name="109_10" rel="107_90">
<value>109_10</value>
</register>
<register name="109_40" rel="107_132">
<value>109_40</value>
</register>
<register name="109_41" rel="107_141">
<value>109_41</value>
</register>
</category>
</categories>
</IEC104>

39
docker/conpot_default/dist/default/bacnet/bacnet.xml vendored Normal file
View file

@ -0,0 +1,39 @@
<bacnet enabled="True" host="0.0.0.0" port="47808">
<device_info>
<device_name>SystemName</device_name>
<device_identifier>36113</device_identifier>
<vendor_name>Alerton Technologies, Inc.</vendor_name>
<vendor_identifier>15</vendor_identifier>
<max_apdu_length_accepted>1024</max_apdu_length_accepted>
<segmentation_supported>segmentedBoth</segmentation_supported>
<model_name>VAV-DD Controller</model_name>
<protocol_version>1</protocol_version>
</device_info>
<object_list>
<object name="objectBinary">
<properties>
<object_identifier>12</object_identifier>
<object_name>BI 01</object_name>
<object_type>Binary Input</object_type>
</properties>
</object>
<object name="objectAnalog">
<properties>
<object_identifier>14</object_identifier>
<object_name>AI 01</object_name>
<object_type>Analog Input</object_type>
<present_value>68.0</present_value>
</properties>
</object>
<object name="objectDoor">
<properties>
<object_identifier>16</object_identifier>
<object_name>Door 01</object_name>
<object_type>Access Door</object_type>
<present_value>0</present_value>
<out_of_service>True</out_of_service>
<maintenance_required>2</maintenance_required>
</properties>
</object>
</object_list>
</bacnet>

91
docker/conpot_default/dist/default/modbus/modbus.xml vendored Normal file
View file

@ -0,0 +1,91 @@
<modbus enabled="True" host="0.0.0.0" port="502">
<device_info>
<VendorName>Siemens</VendorName>
<ProductCode>SIMATIC</ProductCode>
<MajorMinorRevision>S7-200</MajorMinorRevision>
</device_info>
<mode>serial</mode>
<delay>100</delay>
<slaves>
<slave id="0">
<blocks>
<block name="memoryModbusSlave0BlockA">
<!-- COILS/DISCRETE_OUTPUTS aka. binary output, power on/power off
Here we map modbus addresses 1 to 127 to S7-200 PLC Addresses Q0.0 to Q15.7 -->
<type>COILS</type>
<starting_address>1</starting_address>
<size>128</size>
<content>memoryModbusSlave0BlockA</content>
</block>
<block name="memoryModbusSlave0BlockB">
<!-- CONTACTS/DISCRETE_INPUTS aka. binary input.
Map modbus addresses 10001-10032 to S7-200 PLC inputs starting from I0.0 -->
<type>DISCRETE_INPUTS</type>
<starting_address>10001</starting_address>
<size>32</size>
<content>memoryModbusSlave0BlockB</content>
</block>
</blocks>
</slave>
<slave id="255">
<blocks>
<block name="memoryModbusSlave255BlockA">
<!-- COILS/DISCRETE_OUTPUTS aka. binary output, power on/power off
Here we map modbus addresses 1 to 127 to S7-200 PLC Addresses Q0.0 to Q15.7 -->
<type>COILS</type>
<starting_address>1</starting_address>
<size>128</size>
<content>memoryModbusSlave255BlockA</content>
</block>
<block name="memoryModbusSlave255BlockB">
<!-- CONTACTS/DISCRETE_INPUTS aka. binary input.
Map modbus addresses 10001-10032 to S7-200 PLC inputs starting from I0.0 -->
<type>DISCRETE_INPUTS</type>
<starting_address>10001</starting_address>
<size>32</size>
<content>memoryModbusSlave255BlockB</content>
</block>
</blocks>
</slave>
<slave id="1">
<blocks>
<block name="memoryModbusSlave1BlockA">
<!-- COILS/DISCRETE_OUTPUTS aka. binary output, power on/power off
Here we map modbus addresses 1 to 127 to S7-200 PLC Addresses Q0.0 to Q15.7 -->
<type>COILS</type>
<starting_address>1</starting_address>
<size>128</size>
<content>memoryModbusSlave1BlockA</content>
</block>
<block name="memoryModbusSlave1BlockB">
<!-- CONTACTS/DISCRETE_INPUTS aka. binary input.
Map modbus addresses 10001-10032 to S7-200 PLC inputs starting from I0.0 -->
<type>DISCRETE_INPUTS</type>
<starting_address>10001</starting_address>
<size>32</size>
<content>memoryModbusSlave1BlockB</content>
</block>
</blocks>
</slave>
<slave id="2">
<!-- This slave does some measuring. (analog inputs).
Map modbus addresses 30001-30009 to S7 PLC analog input bits AIW0-AIW8 -->
<blocks>
<block name="memoryModbusSlave2BlockC">
<!-- Will be parsed with eval() -->
<type>ANALOG_INPUTS</type>
<starting_address>30001</starting_address>
<size>8</size>
<content>memoryModbusSlave2BlockC</content>
</block>
<block name="memoryModbusSlave2BlockD">
<!-- Maps to S7-200 PLC addresses HoldStart+8 -->
<type>HOLDING_REGISTERS</type>
<starting_address>40001</starting_address>
<size>8</size>
<content>memoryModbusSlave2BlockD</content>
</block>
</blocks>
</slave>
</slaves>
</modbus>

20
docker/conpot_default/dist/default/s7comm/s7comm.xml vendored Normal file
View file

@ -0,0 +1,20 @@
<s7comm enabled="True" host="0.0.0.0" port="102">
<system_status_lists>
<ssl id="W#16#xy1C" name="Component Identification">
<system_name id="W#16#0001">SystemName</system_name>
<module_name id="W#16#0002">SystemDescription</module_name>
<plant_ident id="W#16#0003">FacilityName</plant_ident>
<copyright id="W#16#0004">Copyright</copyright>
<serial id="W#16#0005">s7_id</serial>
<module_type_name id="W#16#0007">s7_module_type</module_type_name>
<oem_id id="W#16#000A">empty</oem_id>
<location id="W#16#000B">empty</location>
</ssl>
<ssl id="W#16#xy11" name="Module Identification">
<!-- Not really sure what these are supposed to contain -->
<module_identification id="W#16#0001">empty</module_identification>
<hardware_identification id="W#16#0006">empty</hardware_identification>
<firmware_identification id="W#16#0006">empty</firmware_identification>
</ssl>
</system_status_lists>
</s7comm>

38
docker/conpot_default/dist/default/snmp/snmp.xml vendored Normal file
View file

@ -0,0 +1,38 @@
<snmp enabled="True" host="0.0.0.0" port="161">
<config>
<!-- Configure individual delays for SNMP commands -->
<entity name="tarpit" command="get">0.1;0.2</entity>
<entity name="tarpit" command="set">0.1;0.2</entity>
<entity name="tarpit" command="next">0.0;0.1</entity>
<entity name="tarpit" command="bulk">0.2;0.4</entity>
<!-- Configure DoS evasion thresholds (req_per_ip/minute;req_overall/minute) -->
<entity name="evasion" command="get">120;240</entity>
<entity name="evasion" command="set">120;240</entity>
<entity name="evasion" command="next">240;600</entity>
<entity name="evasion" command="bulk">120;240</entity>
</config>
<mibs>
<mib name="SNMPv2-MIB">
<symbol name="sysDescr">
<!-- Value is key in databus -->
<value>SystemDescription</value>
</symbol>
<symbol name="sysUpTime">
<value>Uptime</value>
</symbol>
<symbol name="sysContact">
<value>sysContact</value>
</symbol>
<symbol name="sysName">
<value>sysName</value>
</symbol>
<symbol name="sysLocation">
<value>sysLocation</value>
</symbol>
<symbol name="sysServices">
<value>sysServices</value>
</symbol>
</mib>
</mibs>
</snmp>

78
docker/conpot_default/dist/default/template.xml vendored Normal file
View file

@ -0,0 +1,78 @@
<core>
<template>
<!-- General information about the template -->
<entity name="unit">S7-200</entity>
<entity name="vendor">Siemens</entity>
<entity name="description">Rough simulation of a basic Siemens S7-200 CPU with 2 slaves</entity>
<entity name="protocols">MODBUS, s7comm, SNMP, Bacnet, IEC104</entity>
<entity name="creator">the conpot team</entity>
</template>
<databus>
<!-- Core value that can be retrieved from the databus by key -->
<key_value_mappings>
<key name="FacilityName">
<value type="value">"Mouser Factory"</value>
</key>
<key name="SystemName">
<value type="value">"Technodrome"</value>
</key>
<key name="SystemDescription">
<value type="value">"Siemens, SIMATIC, S7-200"</value>
</key>
<key name="Uptime">
<value type="function">conpot.emulators.misc.uptime.Uptime</value>
</key>
<key name="sysObjectID">
<value type="value">"0.0"</value>
</key>
<key name="sysContact">
<value type="value">"Siemens AG"</value>
</key>
<key name="sysName">
<value type="value">"CP 443-1 EX40"</value>
</key>
<key name="sysLocation">
<value type="value">"Venus"</value>
</key>
<key name="sysServices">
<value type="value">"72"</value>
</key>
<key name="memoryModbusSlave0BlockA">
<value type="value">[random.randint(0,1) for b in range(0,128)]</value>
</key>
<key name="memoryModbusSlave0BlockB">
<value type="value">[random.randint(0,1) for b in range(0,32)]</value>
</key>
<key name="memoryModbusSlave255BlockA">
<value type="value">[random.randint(0,1) for b in range(0,128)]</value>
</key>
<key name="memoryModbusSlave255BlockB">
<value type="value">[random.randint(0,1) for b in range(0,32)]</value>
</key>
<key name="memoryModbusSlave1BlockA">
<value type="value">[random.randint(0,1) for b in range(0,128)]</value>
</key>
<key name="memoryModbusSlave1BlockB">
<value type="value">[random.randint(0,1) for b in range(0,32)]</value>
</key>
<key name="memoryModbusSlave2BlockC">
<value type="value">[random.randint(0,1) for b in range(0,8)]</value>
</key>
<key name="memoryModbusSlave2BlockD">
<value type="value">[0 for b in range(0,32)]</value>
</key>
<key name="Copyright">
<value type="value">"Original Siemens Equipment"</value>
</key>
<key name="s7_id">
<value type="value">"88111222"</value>
</key>
<key name="s7_module_type">
<value type="value">"IM151-8 PN/DP CPU"</value>
</key>
<key name="empty">
<value type="value">""</value>
</key>
</key_value_mappings>
</databus>
</core>

4
docker/conpot/dist/requirements.txt → docker/conpot_default/dist/requirements.txt vendored
View file

@ -1,6 +1,6 @@
gevent>=1.0
pysnmp==4.3.5
pysmi==0.1.3
pysnmp==4.4.4
pysmi==0.2.2
lxml
bottle
jinja2

0
docker/conpot/doc/dashboard.png → docker/conpot_default/doc/dashboard.png
View file

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 284 KiB

After

Width:  |  Height:  |  Size: 284 KiB

23
docker/conpot_default/docker-compose.yml Normal file
View file

@ -0,0 +1,23 @@
version: '2.0'
networks:
conpot_default_local:
services:
# Conpot service using Default Siemens S7-200 Template
conpot_default:
container_name: conpot_default
restart: always
networks:
- conpot_default_local
ports:
- "102:102"
- "502:502"
- "623:623/udp"
- "47808:47808/udp"
- "161:161/udp"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_default:1710"
volumes:
- /data/conpot/log:/var/log/conpot

59
docker/conpot_guardianast/Dockerfile Normal file
View file

@ -0,0 +1,59 @@
FROM alpine
MAINTAINER MO
# Include dist
ADD dist/ /root/dist/
# Define Environment Variables
ENV CONPOT_TEMPLATE="guardian_ast" CONPOT_LOG="/var/log/conpot/conpot_guardian_ast.log" CONPOT_CONFIG="/etc/conpot/conpot_guardian_ast.cfg"
# Setup apt
RUN apk -U add bash \
build-base \
file \
git \
libev \
libtool \
libxslt \
libxslt-dev \
mariadb-dev \
mariadb-client-libs \
pkgconfig \
python \
python-dev \
py-gevent \
py-snmp \
py-cffi && \
# Setup ConPot
git clone https://github.com/mushorg/conpot /opt/conpot_guardian_ast/ && \
cd /opt/conpot_guardian_ast/ && \
git checkout d97a68a054e4fe42ff90293188a5702ce8ab09a3 && \
cp /root/dist/requirements.txt /opt/conpot_guardian_ast/ && \
python setup.py install && \
cd / && \
rm -rf /opt/conpot_guardian_ast /tmp/* /var/tmp/* && \
# Setup user, groups and configs
addgroup -g 2000 conpot_guardian_ast && \
adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot_guardian_ast && \
mkdir -p /etc/conpot /var/log/conpot && \
mv /root/dist/conpot.cfg /etc/conpot/conpot_guardian_ast.cfg && \
mv /root/dist/guardian_ast/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot/templates/guardian_ast/ && \
# Clean up
apk del build-base \
file \
git \
libev \
libtool \
libxslt-dev \
mariadb-dev \
pkgconfig \
python-dev \
py-cffi && \
rm -rf /root/* && \
rm -rf /var/cache/apk/*
# Run supervisor upon container start
CMD /usr/bin/conpot --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG

15
docker/conpot_guardianast/README.md Normal file
View file

@ -0,0 +1,15 @@
[![](https://images.microbadger.com/badges/version/dtagdevsec/conpot:1710.svg)](https://microbadger.com/images/dtagdevsec/conpot:1710 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/conpot:1710.svg)](https://microbadger.com/images/dtagdevsec/conpot:1710 "Get your own image badge on microbadger.com")
# conpot
[ConPot](http://conpot.org/) is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols we created the basics to build your own system, capable to emulate complex infrastructures to convince an adversary that he just found a huge industrial complex. To improve the deceptive capabilities, we also provided the possibility to server a custom human machine interface to increase the honeypots attack surface. The response times of the services can be artificially delayed to mimic the behavior of a system under constant load. Because we are providing complete stacks of the protocols, Conpot can be accessed with productive HMI's or extended with real hardware. Conpot is developed under the umbrella of the [Honeynet Project](https://www.honeynet.org/) and on the shoulders of a couple of very big giants.
This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG.
The `Dockerfile` contains the blueprint for the dockerized conpot and will be used to setup the docker image.
The `docker-compose.yml` contains the necessary settings to test conpot using `docker-compose`. This will ensure to start the docker container with the appropriate permissions and port mappings.
# ConPot Dashboard
![ConPot Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/docker/conpot/doc/dashboard.png)

58
docker/conpot_guardianast/dist/conpot.cfg vendored Normal file
View file

@ -0,0 +1,58 @@
[common]
sensorid = conpot_guardian_ast
[session]
timeout = 30
[daemon]
user = conpot_guardian_ast
group = conpot_guardian_ast
[json]
enabled = True
filename = /var/log/conpot/conpot_guardian_ast.json
[sqlite]
enabled = False
[mysql]
enabled = False
device = /tmp/mysql.sock
host = localhost
port = 3306
db = conpot_guardian_ast
username = conpot_guardian_ast
passphrase = conpot_guardian_ast
socket = tcp ; tcp (sends to host:port), dev (sends to mysql device/socket file)
[syslog]
enabled = False
device = /dev/log
host = localhost
port = 514
facility = local0
socket = dev ; udp (sends to host:port), dev (sends to device)
[hpfriends]
enabled = False
host = hpfriends.honeycloud.net
port = 20000
ident = 3Ykf9Znv
secret = 4nFRhpm44QkG9cvD
channels = ["conpot.events", ]
[taxii]
enabled = False
host = taxiitest.mitre.org
port = 80
inbox_path = /services/inbox/default/
use_https = False
[fetch_public_ip]
enabled = True
urls = ["http://whatismyip.akamai.com/", "http://wgetip.com/"]
[change_mac_addr]
enabled = False
iface = eth0
addr = 00:de:ad:be:ef:00

6
docker/conpot_guardianast/dist/guardian_ast/guardian_ast/guardian_ast.xml vendored Normal file
View file

@ -0,0 +1,6 @@
<guardian_ast enabled="True" host="0.0.0.0" port="10001">
<device_info>
<vendor_name>Guardian</vendor_name>
<product_code>Guardian AST</product_code>
</device_info>
</guardian_ast>

93
docker/conpot_guardianast/dist/guardian_ast/template.xml vendored Normal file
View file

@ -0,0 +1,93 @@
<core>
<template>
<!-- General information about the template -->
<entity name="unit">Guardian AST tank-monitoring system</entity>
<entity name="vendor">Guardian</entity>
<entity name="description">Guardian AST tank-monitoring system</entity>
<entity name="protocols">guardian_ast</entity>
<entity name="creator">the conpot team</entity>
</template>
<databus>
<!-- Core value that can be retrieved from the databus by key -->
<key_value_mappings>
<key name="product1">
<value type="value">"SUPER"</value>
</key>
<key name="product2">
<value type="value">"UNLEAD"</value>
</key>
<key name="product3">
<value type="value">"DIESEL"</value>
</key>
<key name="product4">
<value type="value">"PREMIUM"</value>
</key>
<key name="station_name">
<value type="value">"STATOIL STATION"</value>
</key>
<key name="vol1">
<value type="value">random.randint(1000, 9050)</value>
</key>
<key name="vol2">
<value type="value">random.randint(1000, 9050)</value>
</key>
<key name="vol3">
<value type="value">random.randint(1000, 9050)</value>
</key>
<key name="vol4">
<value type="value">random.randint(1000, 9050)</value>
</key>
<key name="ullage1">
<value type="value">random.randint(3000, 9999)</value>
</key>
<key name="ullage2">
<value type="value">random.randint(3000, 9999)</value>
</key>
<key name="ullage3">
<value type="value">random.randint(3000, 9999)</value>
</key>
<key name="ullage4">
<value type="value">random.randint(3000, 9999)</value>
</key>
<key name="height1">
<value type="value">round(random.uniform(25.00, 75.99), 2)</value>
</key>
<key name="height2">
<value type="value">round(random.uniform(25.00, 75.99), 2)</value>
</key>
<key name="height3">
<value type="value">round(random.uniform(25.00, 75.99), 2)</value>
</key>
<key name="height4">
<value type="value">round(random.uniform(25.00, 75.99), 2)</value>
</key>
<key name="h2o1">
<value type="value">round(random.uniform(0.0, 9.99), 2)</value>
</key>
<key name="h2o2">
<value type="value">round(random.uniform(0.0, 9.99), 2)</value>
</key>
<key name="h2o3">
<value type="value">round(random.uniform(0.0, 9.99), 2)</value>
</key>
<key name="h2o4">
<value type="value">round(random.uniform(0.0, 9.99), 2)</value>
</key>
<key name="temp1">
<value type="value">round(random.uniform(50.0, 59.99), 2)</value>
</key>
<key name="temp2">
<value type="value">round(random.uniform(50.0, 59.99), 2)</value>
</key>
<key name="temp3">
<value type="value">round(random.uniform(50.0, 59.99), 2)</value>
</key>
<key name="temp4">
<value type="value">round(random.uniform(50.0, 59.99), 2)</value>
</key>
<key name="empty">
<value type="value">""</value>
</key>
</key_value_mappings>
</databus>
</core>

23
docker/conpot_guardianast/dist/requirements.txt vendored Normal file
View file

@ -0,0 +1,23 @@
gevent>=1.0
pysnmp==4.4.4
pysmi==0.2.2
lxml
bottle
jinja2
beautifulsoup4
requests
sphinx==1.5.5
libtaxii>=1.1.0
MySQL-python
xlrd
crc16
enum
hpfeeds
modbus-tk
stix-validator
stix
cybox
bacpypes==0.13.8
pyghmi
mixbox
modbus-tk

BIN
docker/conpot_guardianast/doc/dashboard.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 284 KiB

19
docker/conpot_guardianast/docker-compose.yml Normal file
View file

@ -0,0 +1,19 @@
version: '2.0'
networks:
conpot_guardianast_local:
services:
# Conpot service using the Guardian AST Tank Monitoring System Template
conpot_guardianast:
container_name: conpot_guardianast
restart: always
networks:
- conpot_guardianast_local
ports:
- "10001:10001"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymodo/conpot_guardianast:1710"
volumes:
- /data/conpot/log:/var/log/conpot

23
docker/conpot/Dockerfile → docker/conpot_kamstrup/Dockerfile
View file

@ -4,6 +4,9 @@ MAINTAINER MO
# Include dist
ADD dist/ /root/dist/
# Define Environment Variables
ENV CONPOT_TEMPLATE="kamstrup_382" CONPOT_LOG="/var/log/conpot/conpot_kamstrup.log" CONPOT_CONFIG="/etc/conpot/conpot_kamstrup.cfg"
# Setup apt
RUN apk -U add bash \
build-base \
@ -18,22 +21,24 @@ RUN apk -U add bash \
pkgconfig \
python \
python-dev \
py-gevent \
py-snmp \
py-cffi && \
# Setup ConPot
git clone https://github.com/mushorg/conpot /opt/conpot/ && \
cd /opt/conpot/ && \
git clone https://github.com/mushorg/conpot /opt/conpot_kamstrup/ && \
cd /opt/conpot_kamstrup/ && \
git checkout d97a68a054e4fe42ff90293188a5702ce8ab09a3 && \
cp /root/dist/requirements.txt /opt/conpot/ && \
cp /root/dist/requirements.txt /opt/conpot_kamstrup/ && \
python setup.py install && \
cd / && \
rm -rf /opt/conpot /tmp/* /var/tmp/* && \
rm -rf /opt/conpot_kamstrup /tmp/* /var/tmp/* && \
# Setup user, groups and configs
addgroup -g 2000 conpot && \
adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot && \
addgroup -g 2000 conpot_kamstrup && \
adduser -S -s /bin/bash -u 2000 -D -g 2000 conpot_kamstrup && \
mkdir -p /etc/conpot /var/log/conpot && \
mv /root/dist/conpot.cfg /etc/conpot/conpot.cfg && \
mv /root/dist/conpot.cfg /etc/conpot/conpot_kamstrup.cfg && \
mv /root/dist/kamstrup_382/template.xml /usr/lib/python2.7/site-packages/Conpot-0.5.1-py2.7.egg/conpot/templates/kamstrup_382/ && \
# Clean up
@ -45,10 +50,10 @@ RUN apk -U add bash \
libxslt-dev \
mariadb-dev \
pkgconfig \
python-dev \
python-dev \
py-cffi && \
rm -rf /root/* && \
rm -rf /var/cache/apk/*
# Run supervisor upon container start
CMD ["/usr/bin/conpot", "--template", "kamstrup_382", "--logfile", "/var/log/conpot/conpot.log", "--config", "/etc/conpot/conpot.cfg"]
CMD /usr/bin/conpot --template $CONPOT_TEMPLATE --logfile $CONPOT_LOG --config $CONPOT_CONFIG

15
docker/conpot_kamstrup/README.md Normal file
View file

@ -0,0 +1,15 @@
[![](https://images.microbadger.com/badges/version/dtagdevsec/conpot:1710.svg)](https://microbadger.com/images/dtagdevsec/conpot:1710 "Get your own version badge on microbadger.com") [![](https://images.microbadger.com/badges/image/dtagdevsec/conpot:1710.svg)](https://microbadger.com/images/dtagdevsec/conpot:1710 "Get your own image badge on microbadger.com")
# conpot
[ConPot](http://conpot.org/) is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols we created the basics to build your own system, capable to emulate complex infrastructures to convince an adversary that he just found a huge industrial complex. To improve the deceptive capabilities, we also provided the possibility to server a custom human machine interface to increase the honeypots attack surface. The response times of the services can be artificially delayed to mimic the behavior of a system under constant load. Because we are providing complete stacks of the protocols, Conpot can be accessed with productive HMI's or extended with real hardware. Conpot is developed under the umbrella of the [Honeynet Project](https://www.honeynet.org/) and on the shoulders of a couple of very big giants.
This dockerized version is part of the **[T-Pot community honeypot](http://dtag-dev-sec.github.io/)** of Deutsche Telekom AG.
The `Dockerfile` contains the blueprint for the dockerized conpot and will be used to setup the docker image.
The `docker-compose.yml` contains the necessary settings to test conpot using `docker-compose`. This will ensure to start the docker container with the appropriate permissions and port mappings.
# ConPot Dashboard
![ConPot Dashboard](https://raw.githubusercontent.com/dtag-dev-sec/tpotce/master/docker/conpot/doc/dashboard.png)

58
docker/conpot_kamstrup/dist/conpot.cfg vendored Normal file
View file

@ -0,0 +1,58 @@
[common]
sensorid = conpot_kamstrup
[session]
timeout = 30
[daemon]
user = conpot_kamstrup
group = conpot_kamstrup
[json]
enabled = True
filename = /var/log/conpot/conpot_kamstrup.json
[sqlite]
enabled = False
[mysql]
enabled = False
device = /tmp/mysql.sock
host = localhost
port = 3306
db = conpot_kamstrup
username = conpot_kamstrup
passphrase = conpot_kamstrup
socket = tcp ; tcp (sends to host:port), dev (sends to mysql device/socket file)
[syslog]
enabled = False
device = /dev/log
host = localhost
port = 514
facility = local0
socket = dev ; udp (sends to host:port), dev (sends to device)
[hpfriends]
enabled = False
host = hpfriends.honeycloud.net
port = 20000
ident = 3Ykf9Znv
secret = 4nFRhpm44QkG9cvD
channels = ["conpot.events", ]
[taxii]
enabled = False
host = taxiitest.mitre.org
port = 80
inbox_path = /services/inbox/default/
use_https = False
[fetch_public_ip]
enabled = True
urls = ["http://whatismyip.akamai.com/", "http://wgetip.com/"]
[change_mac_addr]
enabled = False
iface = eth0
addr = 00:de:ad:be:ef:00

0
docker/conpot/dist/kamstrup_382/template.xml → docker/conpot_kamstrup/dist/kamstrup_382/template.xml vendored
View file

23
docker/conpot_kamstrup/dist/requirements.txt vendored Normal file
View file

@ -0,0 +1,23 @@
gevent>=1.0
pysnmp==4.4.4
pysmi==0.2.2
lxml
bottle
jinja2
beautifulsoup4
requests
sphinx==1.5.5
libtaxii>=1.1.0
MySQL-python
xlrd
crc16
enum
hpfeeds
modbus-tk
stix-validator
stix
cybox
bacpypes==0.13.8
pyghmi
mixbox
modbus-tk

BIN
docker/conpot_kamstrup/doc/dashboard.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 284 KiB

20
docker/conpot_kamstrup/docker-compose.yml Normal file
View file

@ -0,0 +1,20 @@
version: '2.0'
networks:
conpot_kamstrup_local:
services:
# Conpot service using Kamstrup Template
conpot_kamstrup:
container_name: conpot_kamstrup
restart: always
networks:
- conpot_kamstrup_local
ports:
- "1025:1025"
- "50100:50100"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_kamstrup:1710"
volumes:
- /data/conpot/log:/var/log/conpot

45
etc/compose/all.yml
View file

@ -3,7 +3,9 @@
version: '2.2'
networks:
conpot_local:
conpot_kamstrup_local:
conpot_default_local:
conpot_guardian_ast_local:
cowrie_local:
dionaea_local:
elasticpot_local:
@ -18,19 +20,50 @@ networks:
services:
# Conpot service
conpot:
container_name: conpot
# Conpot service - Kamstrup Template
conpot_kamstrup:
container_name: conpot_kamstrup
restart: always
networks:
- conpot_local
- conpot_kamstrup_local
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_kamstrup:1710"
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot service - Default Template
conpot_default:
container_name: conpot_default
restart: always
networks:
- conpot_default_local
ports:
- "102:102"
- "502:502"
- "623:623/udp"
- "47808:47808/udp"
- "161:161/udp"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_default:1710"
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot service - Guardian AST Template
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
networks:
- conpot_guardian_ast_local
ports:
- "10001:10001"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_guardianast:1710"
volumes:
- /data/conpot/log:/var/log/conpot
# Cowrie service
cowrie:
container_name: cowrie

45
etc/compose/industrial.yml
View file

@ -3,7 +3,9 @@
version: '2.2'
networks:
conpot_local:
conpot_kamstrup_local:
conpot_default_local:
conpot_guardian_ast_local:
emobility_local:
ewsposter_local:
spiderfoot_local:
@ -11,16 +13,47 @@ networks:
services:
# Conpot service
conpot:
container_name: conpot
# Conpot service - Kamstrup Template
conpot_kamstrup:
container_name: conpot_kamstrup
restart: always
networks:
- conpot_local
- conpot_kamstrup_local
ports:
- "1025:1025"
- "50100:50100"
image: "dtagdevsec/conpot:1710"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_kamstrup:1710"
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot service - Default Template
conpot_default:
container_name: conpot_default
restart: always
networks:
- conpot_default_local
ports:
- "102:102"
- "502:502"
- "623:623/udp"
- "47808:47808/udp"
- "161:161/udp"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_default:1710"
volumes:
- /data/conpot/log:/var/log/conpot
# Conpot service - Guardian AST Template
conpot_guardian_ast:
container_name: conpot_guardian_ast
restart: always
networks:
- conpot_guardian_ast_local
ports:
- "10001:10001"
# image: "dtagdevsec/conpot:1710"
image: "uncleraymondo/conpot_guardianast:1710"
volumes:
- /data/conpot/log:/var/log/conpot

4
etc/logrotate/logrotate.conf
View file

@ -1,5 +1,5 @@
/data/conpot/log/conpot.json
/data/conpot/log/conpot.log
/data/conpot/log/conpot_*.json
/data/conpot/log/conpot_*.log
/data/cowrie/log/cowrie.json
/data/cowrie/log/cowrie-textlog.log
/data/cowrie/log/lastlog.txt

14
host/etc/systemd/tpot.service
View file

@ -37,6 +37,8 @@ ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 64295:64303
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 102,502,10001 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p udp -m multiport --dports 69,161,623,5060,47808 -j ACCEPT
ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
# Compose T-Pot up
@ -46,12 +48,14 @@ ExecStart=/usr/local/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
ExecStop=/usr/local/bin/docker-compose -f /opt/tpot/etc/tpot.yml down -v
# Remove only previously set iptables rules
ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p udp -m multiport --dports 69,161,623,5060,47808 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 102,502,10001 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
[Install]