Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-12-01 12:03:03 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'master' into master

Browse source
This commit is contained in:
ppatrik 2021-12-09 11:03:14 +01:00 committed by GitHub
commit 71575c216c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 560 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
README.md
View file

@ -19,6 +19,7 @@ and includes dockerized versions of the following honeypots
* [glutton](https://github.com/mushorg/glutton),
* [heralding](https://github.com/johnnykv/heralding),
* [hellpot](https://github.com/yunginnanet/HellPot),
* [honeypots](https://github.com/qeeqbox/honeypots),
* [honeypy](https://github.com/foospidy/HoneyPy),
* [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
* [honeytrap](https://github.com/armedpot/honeytrap/),
@ -104,6 +105,7 @@ In T-Pot we combine the dockerized honeypots ...
* [glutton](https://github.com/mushorg/glutton),
* [heralding](https://github.com/johnnykv/heralding),
* [hellpot](https://github.com/yunginnanet/HellPot),
* [honeypots](https://github.com/qeeqbox/honeypots),
* [honeypy](https://github.com/foospidy/HoneyPy),
* [honeysap](https://github.com/SecureAuthCorp/HoneySAP),
* [honeytrap](https://github.com/armedpot/honeytrap/),
@ -502,6 +504,8 @@ The software that T-Pot is built on uses the following licenses.
<br>MIT license: [ciscoasa](https://github.com/Cymmetria/ciscoasa_honeypot/blob/master/LICENSE), [ddospot](https://github.com/aelth/ddospot/blob/master/LICENSE), [glutton](https://github.com/mushorg/glutton/blob/master/LICENSE), [hellpot](https://github.com/yunginnanet/HellPot/blob/master/LICENSE)
<br> Unlicense: [endlessh](https://github.com/skeeto/endlessh/blob/master/UNLICENSE)
<br> Other: [citrixhoneypot](https://github.com/MalwareTech/CitrixHoneypot#licencing-agreement-malwaretech-public-licence), [cowrie](https://github.com/micheloosterhof/cowrie/blob/master/LICENSE.md), [mailoney](https://github.com/awhitehatter/mailoney), [Debian licensing](https://www.debian.org/legal/licenses/), [Elastic License](https://www.elastic.co/licensing/elastic-license)
<br> AGPL-3.0: [honeypots](https://github.com/qeeqbox/honeypots/blob/main/LICENSE)
<a name="credits"></a>
# Credits
@ -530,6 +534,7 @@ Without open source and the fruitful development community (we are proud to be a
* [glutton](https://github.com/mushorg/glutton/graphs/contributors)
* [hellpot](https://github.com/yunginnanet/HellPot/graphs/contributors)
* [heralding](https://github.com/johnnykv/heralding/graphs/contributors)
* [honeypots](https://github.com/qeeqbox/honeypots/graphs/contributors)
* [honeypy](https://github.com/foospidy/HoneyPy/graphs/contributors)
* [honeysap](https://github.com/SecureAuthCorp/HoneySAP/graphs/contributors)
* [honeytrap](https://github.com/armedpot/honeytrap/graphs/contributors)

9
bin/clean.sh
View file

@ -197,6 +197,14 @@ fuHERALDING () {
chown tpot:tpot /data/heralding -R
}
# Let's create a function to clean up and prepare honeypots data
fuHONEYPOTS () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
mkdir -p /data/honeypots/log
chmod 770 /data/honeypots -R
chown tpot:tpot /data/honeypots -R
}
# Let's create a function to clean up and prepare honeypy data
fuHONEYPY () {
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
@ -339,6 +347,7 @@ if [ "$myPERSISTENCE" = "on" ];
fuHERALDING
fuHELLPOT
fuHONEYSAP
fuHONEYPOTS
fuHONEYPY
fuHONEYTRAP
fuIPPHONEY

2
bin/tped.sh
View file

@ -29,7 +29,7 @@ for i in $myYMLS;
do
myITEMS+="$i $(echo $i | cut -d "." -f1 | tr [:lower:] [:upper:]) "
done
myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 12 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
myEDITION=$(dialog --backtitle "$myBACKTITLE" --menu "Select T-Pot Edition" 14 50 5 $myITEMS 3>&1 1>&2 2>&3 3>&-)
if [ "$myEDITION" == "" ];
then
echo "Have a nice day!"

7
docker/elk/logstash/Dockerfile
View file

@ -31,7 +31,9 @@ RUN apk -U --no-cache add \
# For some reason Alpine 3.14 does not report the -x flag correctly and thus elasticsearch does not find java
sed -i 's/! -x/! -e/g' /usr/share/logstash/bin/logstash.lib.sh && \
/usr/share/logstash/bin/logstash-plugin install logstash-filter-translate && \
/usr/share/logstash/bin/logstash-plugin install logstash-input-http && \
/usr/share/logstash/bin/logstash-plugin install logstash-output-gelf && \
/usr/share/logstash/bin/logstash-plugin install logstash-output-http && \
/usr/share/logstash/bin/logstash-plugin install logstash-output-syslog && \
#
# Add and move files
@ -40,6 +42,8 @@ RUN apk -U --no-cache add \
chmod u+x /usr/bin/update.sh && \
mkdir -p /etc/logstash/conf.d && \
cp logstash.conf /etc/logstash/conf.d/ && \
cp http.conf /etc/logstash/conf.d/ && \
cp pipelines.yml /usr/share/logstash/config/pipelines.yml && \
cp tpot_es_template.json /etc/logstash/ && \
#
# Setup user, groups and configs
@ -60,4 +64,5 @@ HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:9600'
# Start logstash
#USER logstash:logstash
#CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution --log.level debug
CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution
#CMD update.sh && exec /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf --config.reload.automatic --java-execution
CMD update.sh && exec /usr/share/logstash/bin/logstash --config.reload.automatic --java-execution

19
docker/elk/logstash/dist/http.conf vendored Normal file
View file

@ -0,0 +1,19 @@
# Input section
input {
http {
id => "tpot"
host => "0.0.0.0"
port => "80"
}
}
# Output section
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
# With templates now being legacy and ILM in place we need to set the daily index with its template manually. Otherwise a new index might be created with differents settings configured through Kibana.
index => "logstash-%{+YYYY.MM.dd}"
template => "/etc/logstash/tpot_es_template.json"
}
}

14
docker/elk/logstash/dist/logstash.conf vendored
View file

@ -112,6 +112,13 @@ input {
type => "Heralding"
}
# Honeypots
file {
path => ["/data/honeypots/log/*.log"]
codec => json
type => "Honeypots"
}
# Honeypy
file {
path => ["/data/honeypy/log/json.log"]
@ -491,6 +498,13 @@ filter {
}
}
# Honeypots
if [type] == "Honeypots" {
date {
match => [ "timestamp", "ISO8601" ]
}
}
# Honeysap
if [type] == "Honeysap" {
date {

4
docker/elk/logstash/dist/pipelines.yml vendored Normal file
View file

@ -0,0 +1,4 @@
- pipeline.id: logstash
path.config: "/etc/logstash/conf.d/logstash.conf"
- pipeline.id: http
path.config: "/etc/logstash/conf.d/http.conf"

3
docker/elk/logstash/docker-compose.yml
View file

@ -15,7 +15,10 @@ services:
env_file:
- /opt/tpot/etc/compose/elk_environment
- /opt/tpot/etc/compose/elk_collector
ports:
- "127.0.0.1:64305:80"
image: "dtagdevsec/logstash:2006"
volumes:
- /data:/data
# - /root/tpotce/docker/elk/logstash/dist/logstash.conf:/etc/logstash/conf.d/logstash.conf
# - /root/tpotce/docker/elk/logstash/dist/http.conf:/etc/logstash/conf.d/http.conf

4
docker/ews/Dockerfile
View file

@ -25,8 +25,8 @@ RUN apk -U --no-cache add \
# Setup ewsposter
git clone https://github.com/telekom-security/ewsposter /opt/ewsposter && \
cd /opt/ewsposter && \
# git checkout 0502c39941bab10643502c27f7bd7eee301b21c0 && \
git checkout 11ab4c8a0a1b63d4bca8c52c07f2eab520d0b257 && \
# git checkout 11ab4c8a0a1b63d4bca8c52c07f2eab520d0b257 && \
git checkout 17c08f3ae500d838c1528c9700e4430d5f6ad214 && \
mkdir -p /opt/ewsposter/spool /opt/ewsposter/log && \
#
# Setup user and groups

2
docker/ews/dist/ews.cfg vendored
View file

@ -134,7 +134,7 @@ nodeid = adbhoney-community-01
logfile = /data/adbhoney/log/adbhoney.json
[FATT]
fatt = true
fatt = false
nodeid = fatt-community-01
logfile = /data/fatt/log/fatt.log

4
docker/heralding/Dockerfile
View file

@ -10,7 +10,7 @@ RUN apk -U --no-cache add \
libcap \
libffi-dev \
openssl-dev \
libzmq \
py3-pyzmq \
postgresql-dev \
py3-pip \
python3 \
@ -21,7 +21,7 @@ RUN apk -U --no-cache add \
cd /opt/ && \
git clone https://github.com/johnnykv/heralding && \
cd heralding && \
git checkout 3f38976a2ab4d884d755b6324f2c71923ddadbdb && \
git checkout c31f99c55c7318c09272d8d9998e560c3d4de9aa && \
pip3 install --upgrade pip && \
pip3 install --no-cache-dir -r requirements.txt && \
pip3 install --no-cache-dir . && \

65
docker/honeypots/Dockerfile Normal file
View file

@ -0,0 +1,65 @@
FROM alpine:3.14
#
# Include dist
ADD dist/ /root/dist/
#
# Install packages
RUN apk -U add \
build-base \
freetds \
freetds-dev \
gcc \
git \
hiredis \
jpeg-dev \
libcap \
libffi-dev \
libpq \
musl-dev \
openssl \
openssl-dev \
postgresql-dev \
py3-pip \
python3 \
python3-dev \
zlib-dev && \
#
# Install honeypots from GitHub and setup
mkdir -p /opt \
/var/log/honeypots && \
cd /opt/ && \
#git clone https://github.com/qeeqbox/honeypots && \
git clone https://github.com/t3chn0m4g3/honeypots && \
cd honeypots && \
#git checkout 7c654a3ef2c564ae6f1247bf302d652037080163 && \
pip3 install --upgrade pip && \
pip3 install hiredis && \
pip3 install . && \
setcap cap_net_bind_service=+ep /usr/bin/python3.9 && \
#
# Setup user, groups and configs
addgroup -g 2000 honeypots && \
adduser -S -H -s /bin/ash -u 2000 -D -g 2000 honeypots && \
chown honeypots:honeypots -R /opt/honeypots && \
chown honeypots:honeypots -R /var/log/honeypots && \
mv /root/dist/config.json /opt/honeypots/ && \
#
# Clean up
apk del --purge build-base \
freetds-dev \
git \
jpeg-dev \
libffi-dev \
openssl-dev \
postgresql-dev \
python3-dev \
zlib-dev && \
rm -rf /root/* && \
rm -rf /var/cache/apk/*
#
# Start honeypots
STOPSIGNAL SIGINT
USER honeypots:honeypots
WORKDIR /opt/honeypots/
CMD python3 -m honeypots --setup all --config config.json
#CMD python3 -m honeypots --setup telnet --config config.json

120
docker/honeypots/dist/config.json vendored Normal file
View file

@ -0,0 +1,120 @@
{
"logs":"file,terminal",
"logs_location":"/var/log/honeypots/",
"honeypots": {
"dns": {
"port": 53,
"ip": "0.0.0.0",
"username": "administrator",
"password": "123456"
},
"ftp": {
"port": 21,
"ip": "0.0.0.0",
"username": "ftp",
"password": "anonymous"
},
"httpproxy": {
"port": 8080,
"ip": "0.0.0.0",
"username": "admin",
"password": "admin"
},
"http": {
"port": 80,
"ip": "0.0.0.0",
"username": "admin",
"password": "admin"
},
"https": {
"port": 443,
"ip": "0.0.0.0",
"username": "admin",
"password": "admin"
},
"imap": {
"port": 143,
"ip": "0.0.0.0",
"username": "root",
"password": "123456"
},
"mysql": {
"port": 3306,
"ip": "0.0.0.0",
"username": "root",
"password": "123456"
},
"pop3": {
"port": 110,
"ip": "0.0.0.0",
"username": "root",
"password": "123456"
},
"postgres": {
"port": 5432,
"ip": "0.0.0.0",
"username": "postgres",
"password": "123456"
},
"redis": {
"port": 6379,
"ip": "0.0.0.0",
"username": "root",
"password": ""
},
"smb": {
"port": 445,
"ip": "0.0.0.0",
"username": "administrator",
"password": "123456"
},
"smtp": {
"port": 25,
"ip": "0.0.0.0",
"username": "root",
"password": "123456"
},
"socks5": {
"port": 1080,
"ip": "0.0.0.0",
"username": "admin",
"password": "admin"
},
"ssh": {
"port": 22,
"ip": "0.0.0.0",
"username": "root",
"password": "123456"
},
"telnet": {
"port": 23,
"ip": "0.0.0.0",
"username": "root",
"password": "123456"
},
"vnc": {
"port": 5900,
"ip": "0.0.0.0",
"username": "administrator",
"password": "123456"
},
"elastic": {
"port": 9200,
"ip": "0.0.0.0",
"username": "elastic",
"password": "123456"
},
"mssql": {
"port": 1433,
"ip": "0.0.0.0",
"username": "sa",
"password": ""
},
"ldap": {
"port": 389,
"ip": "0.0.0.0",
"username": "administrator",
"password": "123456"
}
}
}

42
docker/honeypots/docker-compose.yml Normal file
View file

@ -0,0 +1,42 @@
version: '2.3'
networks:
honeypots_local:
services:
# Honeypots service
honeypots:
build: .
container_name: honeypots
stdin_open: true
tty: true
restart: always
tmpfs:
- /tmp:uid=2000,gid=2000
networks:
- honeypots_local
ports:
- "21:21"
- "22:22"
- "23:23"
- "25:25"
- "53:53/udp"
- "80:80"
- "110:110"
- "143:143"
- "389:389"
- "443:443"
- "445:445"
- "1080:1080"
- "1433:1433"
- "3306:3306"
- "5432:5432"
- "5900:5900"
- "6379:6379"
- "8080:8080"
- "9200:9200"
image: "dtagdevsec/honeypots:2006"
read_only: true
volumes:
- /data/honeypots/log:/var/log/honeypots

1
docker/tanner/redis/dist/redis.conf vendored
View file

@ -1,2 +1,3 @@
bind 0.0.0.0
protected-mode no
save ""

1
docker/tanner/tanner/Dockerfile
View file

@ -23,6 +23,7 @@ RUN apk -U --no-cache add \
# git checkout test && \
git checkout 20dabcbccc50f8878525677b925a4c9abcaf9f54 && \
sed -i 's/aioredis/aioredis==1.3.1/g' requirements.txt && \
sed -i 's/^aiohttp$/aiohttp==3.7.4/g' requirements.txt && \
cp /root/dist/config.yaml /opt/tanner/tanner/data && \
pip3 install --no-cache-dir setuptools && \
pip3 install --no-cache-dir -r requirements.txt && \

256
etc/compose/mini.yml Normal file
View file

@ -0,0 +1,256 @@
# T-Pot (Mini)
# Do not erase ports sections, these are used by /opt/tpot/bin/rules.sh to setup iptables ACCEPT rules for NFQ (honeytrap / glutton)
version: '2.3'
networks:
cyberchef_local:
honeypots_local:
ewsposter_local:
spiderfoot_local:
services:
##################
#### Honeypots
##################
# Honeypots service
honeypots:
container_name: honeypots
stdin_open: true
tty: true
restart: always
tmpfs:
- /tmp:uid=2000,gid=2000
networks:
- honeypots_local
ports:
- "21:21"
- "22:22"
- "23:23"
- "25:25"
- "53:53/udp"
- "80:80"
- "110:110"
- "143:143"
- "389:389"
- "443:443"
- "445:445"
- "1080:1080"
- "1433:1433"
- "3306:3306"
- "5432:5432"
- "5900:5900"
- "6379:6379"
- "8080:8080"
- "9200:9200"
image: "dtagdevsec/honeypots:2006"
read_only: true
volumes:
- /data/honeypots/log:/var/log/honeypots
# Honeytrap service
honeytrap:
container_name: honeytrap
restart: always
tmpfs:
- /tmp/honeytrap:uid=2000,gid=2000
network_mode: "host"
cap_add:
- NET_ADMIN
image: "dtagdevsec/honeytrap:2006"
read_only: true
volumes:
- /data/honeytrap/attacks:/opt/honeytrap/var/attacks
- /data/honeytrap/downloads:/opt/honeytrap/var/downloads
- /data/honeytrap/log:/opt/honeytrap/var/log
##################
#### NSM
##################
# Fatt service
fatt:
container_name: fatt
restart: always
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/fatt:2006"
volumes:
- /data/fatt/log:/opt/fatt/log
# P0f service
p0f:
container_name: p0f
restart: always
network_mode: "host"
image: "dtagdevsec/p0f:2006"
read_only: true
volumes:
- /data/p0f/log:/var/log/p0f
# Suricata service
suricata:
container_name: suricata
restart: always
environment:
# For ET Pro ruleset replace "OPEN" with your OINKCODE
- OINKCODE=OPEN
network_mode: "host"
cap_add:
- NET_ADMIN
- SYS_NICE
- NET_RAW
image: "dtagdevsec/suricata:2006"
volumes:
- /data/suricata/log:/var/log/suricata
##################
#### Tools
##################
# Cyberchef service
cyberchef:
container_name: cyberchef
restart: always
networks:
- cyberchef_local
ports:
- "127.0.0.1:64299:8000"
image: "dtagdevsec/cyberchef:2006"
read_only: true
#### ELK
## Elasticsearch service
elasticsearch:
container_name: elasticsearch
restart: always
environment:
- bootstrap.memory_lock=true
# - ES_JAVA_OPTS=-Xms2048m -Xmx2048m
- ES_TMPDIR=/tmp
cap_add:
- IPC_LOCK
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
# mem_limit: 4g
ports:
- "127.0.0.1:64298:9200"
image: "dtagdevsec/elasticsearch:2006"
volumes:
- /data:/data
## Kibana service
kibana:
container_name: kibana
restart: always
depends_on:
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64296:5601"
image: "dtagdevsec/kibana:2006"
## Logstash service
logstash:
container_name: logstash
restart: always
# environment:
# - LS_JAVA_OPTS=-Xms2048m -Xmx2048m
depends_on:
elasticsearch:
condition: service_healthy
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/logstash:2006"
volumes:
- /data:/data
## Elasticsearch-head service
head:
container_name: head
restart: always
depends_on:
elasticsearch:
condition: service_healthy
ports:
- "127.0.0.1:64302:9100"
image: "dtagdevsec/head:2006"
read_only: true
# Ewsposter service
ewsposter:
container_name: ewsposter
restart: always
networks:
- ewsposter_local
environment:
- EWS_HPFEEDS_ENABLE=false
- EWS_HPFEEDS_HOST=host
- EWS_HPFEEDS_PORT=port
- EWS_HPFEEDS_CHANNELS=channels
- EWS_HPFEEDS_IDENT=user
- EWS_HPFEEDS_SECRET=secret
- EWS_HPFEEDS_TLSCERT=false
- EWS_HPFEEDS_FORMAT=json
env_file:
- /opt/tpot/etc/compose/elk_environment
image: "dtagdevsec/ewsposter:2006"
volumes:
- /data:/data
- /data/ews/conf/ews.ip:/opt/ewsposter/ews.ip
# Nginx service
nginx:
container_name: nginx
restart: always
environment:
### If set to YES all changes within Heimdall will remain for the next start
### Make sure to uncomment the corresponding volume statements below, or the setting will prevent a successful start of T-Pot.
- HEIMDALL_PERSIST=NO
tmpfs:
- /var/tmp/nginx/client_body
- /var/tmp/nginx/proxy
- /var/tmp/nginx/fastcgi
- /var/tmp/nginx/uwsgi
- /var/tmp/nginx/scgi
- /run
- /var/log/php7/
- /var/lib/nginx/tmp:uid=100,gid=82
- /var/lib/nginx/html/storage/logs:uid=100,gid=82
- /var/lib/nginx/html/storage/framework/views:uid=100,gid=82
network_mode: "host"
ports:
- "64297:64297"
- "127.0.0.1:64304:64304"
image: "dtagdevsec/nginx:2006"
read_only: true
volumes:
- /data/nginx/cert/:/etc/nginx/cert/:ro
- /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
- /data/nginx/log/:/var/log/nginx/
### Enable the following volumes if you set HEIMDALL_PERSIST=YES
# - /data/nginx/heimdall/database:/var/lib/nginx/html/database
# - /data/nginx/heimdall/storage:/var/lib/nginx/html/storage
# Spiderfoot service
spiderfoot:
container_name: spiderfoot
restart: always
networks:
- spiderfoot_local
ports:
- "127.0.0.1:64303:8080"
image: "dtagdevsec/spiderfoot:2006"
volumes:
- /data/spiderfoot/spiderfoot.db:/home/spiderfoot/spiderfoot.db

1
etc/logrotate/logrotate.conf
View file

@ -23,6 +23,7 @@
/data/heralding/log/*.log
/data/heralding/log/*.csv
/data/heralding/log/*.json
/data/honeypots/log/*.log
/data/honeypy/log/*.log
/data/honeysap/log/*.log
/data/honeytrap/log/*.log

13
iso/installer/install.sh
View file

@ -802,27 +802,28 @@ mkdir -vp /data/adbhoney/{downloads,log} \
/data/conpot/log \
/data/citrixhoneypot/logs \
/data/cowrie/{downloads,keys,misc,log,log/tty} \
/data/ddospot/{bl,db,log} \
/data/dicompot/{images,log} \
/data/ddospot/{bl,db,log} \
/data/dicompot/{images,log} \
/data/dionaea/{log,bistreams,binaries,rtp,roots,roots/ftp,roots/tftp,roots/www,roots/upnp} \
/data/elasticpot/log \
/data/elk/{data,log} \
/data/endlessh/log \
/data/endlessh/log \
/data/fatt/log \
/data/honeytrap/{log,attacks,downloads} \
/data/glutton/log \
/data/hellpot/log \
/data/hellpot/log \
/data/heralding/log \
/data/honeypots/log \
/data/honeypy/log \
/data/honeysap/log \
/data/ipphoney/log \
/data/ipphoney/log \
/data/mailoney/log \
/data/medpot/log \
/data/nginx/{log,heimdall} \
/data/emobility/log \
/data/ews/conf \
/data/rdpy/log \
/data/redishoneypot/log \
/data/redishoneypot/log \
/data/spiderfoot \
/data/suricata/log \
/data/tanner/{log,files} \

1
update.sh
View file

@ -239,6 +239,7 @@ mkdir -vp /data/adbhoney/{downloads,log} \
/data/glutton/log \
/data/hellpot/log \
/data/heralding/log \
/data/honeypots/log \
/data/honeypy/log \
/data/honeysap/log \
/data/ipphoney/log \