tweaking

multi stage build for dicompot
rebuild fatt, glutton, hellpot, honeypots for alpine 3.19
bump glutton, hellpot, honeypots to latest master

compose/tpot_services.yml

@@ -460,16 +460,19 @@ services:
      - "389:389"
      - "443:443"
      - "445:445"
+     - "631:631"
      - "1080:1080"
      - "1433:1433"
      - "1521:1521"
      - "3306:3306"
+     - "3389:3389"
      - "5060:5060"
      - "5432:5432"
      - "5900:5900"
      - "6379:6379"
      - "6667:6667"
      - "8080:8080"
+     - "9100:9100"
      - "9200:9200"
      - "11211:11211"
     image: ${TPOT_REPO}/honeypots:${TPOT_VERSION}

docker/dicompot/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.19
+FROM golang:1.21-alpine as builder
 #
 # Include dist
 COPY dist/ /root/dist/
@@ -8,7 +8,6 @@ RUN apk -U add --no-cache \
 		build-base \
 		git \
 		g++ && \
-    apk -U add --no-cache go --repository http://dl-3.alpinelinux.org/alpine/edge/community && \
 #
 # Setup go, build dicompot 
     mkdir -p /opt/go && \
@@ -18,26 +17,20 @@ RUN apk -U add --no-cache \
     cd dicompot && \
     git checkout 41331194156bbb17078bcc1594f4952ac06a731e && \
     go mod download && \
-    go install -a -x github.com/nsmfoo/dicompot/server && \
+    go install -a -x github.com/nsmfoo/dicompot/server
+#
+FROM alpine:3.19
 #
 # Setup dicompot
-    mkdir -p /opt/dicompot/images && \
+#
-    cp /opt/go/bin/server /opt/dicompot && \
+COPY --from=builder /opt/go/bin/server /opt/dicompot/server
-    cp -R /root/dist/dcm_pts/P1/ /opt/dicompot/images && \
+COPY --from=builder /root/dist/dcm_pts/images /opt/dicompot/images
 #
 # Setup user, groups and configs
-    addgroup -g 2000 dicompot && \
-    adduser -S -s /bin/ash -u 2000 -D -g 2000 dicompot && \
-    chown -R dicompot:dicompot /opt/dicompot && \
 #
-# Clean up
+RUN addgroup -g 2000 dicompot && \
-    apk del --purge build-base \
+    adduser -S -s /bin/ash -u 2000 -D -g 2000 dicompot && \
-                    git \
+    chown -R dicompot:dicompot /opt/dicompot
-                    go \
-                    g++ && \
-    rm -rf /var/cache/apk/* \
-           /opt/go \
-           /root/dist
 #
 # Start dicompot
 WORKDIR /opt/dicompot

docker/fatt/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM alpine:3.19
 #
 # Get and install dependencies & packages
 RUN apk -U --no-cache add \
@@ -25,7 +25,7 @@ RUN apk -U --no-cache add \
     #git checkout 314cd1ff7873b5a145a51ec4e85f6107828a2c79 && \
     mkdir -p log && \
     # pyshark >= 0.4.3 breaks fatt
-    pip3 install pyshark==0.4.2.11 && \
+    pip3 install --break-system-packages pyshark==0.4.2.11 && \
 #
 # Setup configs
     chgrp fatt /usr/bin/dumpcap && \

docker/fatt/docker-compose.yml

@@ -16,4 +16,4 @@ services:
      - NET_RAW
     image: "dtagdevsec/fatt:alpha"
     volumes:
-     - /data/fatt/log:/opt/fatt/log
+     - $HOME/tpotce/data/fatt/log:/opt/fatt/log

docker/glutton/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.15 as builder
+FROM golang:1.21-alpine as builder
 #
 # Include dist
 COPY dist/ /root/dist/
@@ -7,39 +7,37 @@ COPY dist/ /root/dist/
 RUN apk -U --no-cache add \
 		build-base \
 		git \
-                   go \
         g++ \
 		iptables-dev \
-                   libnetfilter_queue-dev \
 		libpcap-dev && \
 #
 # Setup go, glutton
-    export GOPATH=/opt/go/ && \
     export GO111MODULE=on && \
-    mkdir -p /opt/go && \
+    mkdir -p /opt/ && \
-    cd /opt/go/ && \
+    cd /opt/ && \
     git clone https://github.com/mushorg/glutton && \
-    cd /opt/go/glutton/ && \
+    cd /opt/glutton/ && \
-    git checkout c25045b95b43ed9bfee89b2d14a50f5794a9cf2b && \
+    git checkout c1204c65ce32bfdc0e08fb2a9abe89b3b8eeed62 && \
-    mv /root/dist/system.go /opt/go/glutton/ && \
+    # git checkout c25045b95b43ed9bfee89b2d14a50f5794a9cf2b && \
+    cp /root/dist/system.go . && \
     go mod download && \
     make build && \
-    mv /root/dist/rules.yaml /opt/go/glutton/rules/
+	mv /root/dist/config.yaml /opt/glutton/config/
 #
-FROM alpine:3.17
+FROM alpine:3.19
 #
-COPY --from=builder /opt/go/glutton/bin /opt/glutton/bin
+COPY --from=builder /opt/glutton/bin /opt/glutton/bin
-COPY --from=builder /opt/go/glutton/config /opt/glutton/config
+COPY --from=builder /opt/glutton/config /opt/glutton/config
-COPY --from=builder /opt/go/glutton/rules /opt/glutton/rules
+COPY --from=builder /opt/glutton/rules /opt/glutton/rules
 #
 RUN apk -U --no-cache add \
+		iptables \
 		iptables-dev \
 		libnetfilter_queue-dev \
 		libcap \
 		libpcap-dev && \
-    ln -s /sbin/xtables-legacy-multi /sbin/xtables-multi && \
     setcap cap_net_admin,cap_net_raw=+ep /opt/glutton/bin/server && \
-    setcap cap_net_admin,cap_net_raw=+ep /sbin/xtables-legacy-multi && \
+    setcap cap_net_admin,cap_net_raw=+ep /sbin/xtables-nft-multi && \
 #
 # Setup user, groups and configs
     addgroup -g 2000 glutton && \
@@ -52,5 +50,5 @@ RUN apk -U --no-cache add \
 #
 # Start glutton 
 WORKDIR /opt/glutton
-USER glutton:glutton
+#USER glutton:glutton
-CMD exec bin/server -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }') -l /var/log/glutton/glutton.log > /dev/null 2>&1
+CMD exec bin/server -d true -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }') -l /var/log/glutton/glutton.log > /dev/null 2>&1

docker/glutton/dist/config.yaml

@@ -0,0 +1,23 @@
+ports:
+  tcp: 5000
+#  udp: 5001
+
+rules_path: config/rules.yaml
+
+addresses: ["1.2.3.4", "5.4.3.2"]
+
+producers:
+  enabled: false
+  http:
+    enabled: false
+    remote: https://localhost:9000
+  hpfeeds:
+    enabled: false
+    host: 172.26.0.2
+    port: 20000
+    ident: ident
+    auth: auth
+    channel: test
+
+conn_timeout: 45
+max_tcp_payload: 4096

docker/glutton/dist/rules.yaml

@@ -1,33 +0,0 @@
-# Put passthrough rules on top, drop rules on bottom, rules are applied in order (top down)
-rules:
-  - match: udp dst port 53
-    type: passthrough
-  - match: tcp dst port 21
-    type: conn_handler
-    target: ftp
-  - match: tcp dst port 23 or port 2323 or port 23231
-    type: conn_handler
-    target: telnet
-  - match: tcp dst port 25
-    type: conn_handler
-    target: smtp
-  - match: tcp dst port 445
-    type: conn_handler
-    target: smb
-  - match: tcp dst port 1883
-    type: conn_handler
-    target: mqtt
-  - match: tcp dst port 3389
-    type: conn_handler
-    target: rdp
-  - match: tcp dst port 5060
-    type: conn_handler
-    target: sip
-  - match: tcp dst port 5222 or port 5223
-    type: conn_handler
-    target: jabber
-  - match: tcp
-    type: conn_handler
-    target: default
-  - match: 
-    type: drop

docker/glutton/dist/system.go

@@ -3,31 +3,22 @@ package glutton
 import (
 	"errors"
 	"fmt"
-	"log"
+	"net"
 	"os"
-	"os/exec"
 	"runtime"
 	"strings"
 	"time"
+
+	"github.com/glaslos/lsof"
+	"github.com/google/gopacket/pcap"
 )
 
 func countOpenFiles() (int, error) {
 	if runtime.GOOS == "linux" {
-		if isCommandAvailable("lsof") {
+		lines, err := lsof.ReadPID(os.Getpid())
-			out, err := exec.Command("/bin/sh", "-c", fmt.Sprintf("lsof -p %d", os.Getpid())).Output()
+		return len(lines) - 1, err
-			if err != nil {
-				log.Fatal(err)
 	}
-			lines := strings.Split(string(out), "\n")
+	return 0, errors.New("operating system type not supported for this command")
-			return len(lines) - 1, nil
-		}
-		return 0, errors.New("lsof command does not exist. Kindly run sudo apt install lsof")
-	}
-	return 0, errors.New("Operating system type not supported for this command")
-}
-
-func countRunningRoutines() int {
-	return runtime.NumGoroutine()
 }
 
 func (g *Glutton) startMonitor(quit chan struct{}) {
@@ -35,8 +26,15 @@ func (g *Glutton) startMonitor(quit chan struct{}) {
 	go func() {
 		for {
 			select {
+			// case <-ticker.C:
+				// openFiles, err := countOpenFiles()
+				// if err != nil {
+					// fmt.Printf("Failed :%s", err)
+				// }
+				// runningRoutines := runtime.NumGoroutine()
+				// g.Logger.Info(fmt.Sprintf("running Go routines: %d, open files: %d", openFiles, runningRoutines))
 			case <-quit:
-				g.logger.Info("[system  ] Monitoring stopped..")
+				g.Logger.Info("monitoring stopped...")
 				ticker.Stop()
 				return
 			}
@@ -44,10 +42,27 @@ func (g *Glutton) startMonitor(quit chan struct{}) {
 	}()
 }
 
-func isCommandAvailable(name string) bool {
+func getNonLoopbackIPs(ifaceName string) ([]net.IP, error) {
-	cmd := exec.Command("/bin/sh", "-c", "command -v "+name)
+	nonLoopback := []net.IP{}
-	if err := cmd.Run(); err != nil {
+
-		return false
+	ifs, err := pcap.FindAllDevs()
+	if err != nil {
+		return nonLoopback, err
 	}
-	return true
+
+	for _, iface := range ifs {
+		if strings.EqualFold(iface.Name, ifaceName) {
+			for _, addr := range iface.Addresses {
+				if !addr.IP.IsLoopback() && addr.IP.To4() != nil {
+					nonLoopback = append(nonLoopback, addr.IP)
+				}
+			}
+		}
+	}
+
+	if len(nonLoopback) == 0 {
+		return nonLoopback, fmt.Errorf("unable to find any non-loopback addresses for: %s", ifaceName)
+	}
+
+	return nonLoopback, nil
 }

docker/glutton/docker-compose.yml

@@ -16,7 +16,8 @@ services:
     cap_add:
      - NET_ADMIN
     image: "dtagdevsec/glutton:alpha"
-    read_only: true
+#    read_only: true
     volumes:
-     - /data/glutton/log:/var/log/glutton
+     - $HOME/tpotce/data/glutton/log:/var/log/glutton
-     - /root/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml
+#     - $HOME/tpotce/data/glutton/payloads:/opt/glutton/payloads
+#     - $HOME/tpotce/docker/glutton/dist/rules.yaml:/opt/glutton/rules/rules.yaml

docker/hellpot/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM golang:1.21-alpine as builder
 #
 # Include dist
 COPY dist/ /root/dist/
@@ -7,40 +7,35 @@ COPY dist/ /root/dist/
 RUN apk -U --no-cache add \
 		build-base \
 		git \
-                   go \
 		g++ && \
 #
 # Setup go, hellpot
     cd /root && \
-    export GOPATH=/opt/go/ && \
-    mkdir -p /opt/hellpot && \
-    mkdir -p /opt/go && \ 
     git clone https://github.com/yunginnanet/HellPot && \
     cd HellPot && \
-    git checkout 49433bf499b6af314786cbbc3cb8566cdb18c40c && \
+    git checkout 3673ab0228664fb3acd33102be5c7a5867137eb5 && \
+    # git checkout 49433bf499b6af314786cbbc3cb8566cdb18c40c && \
     sed -i 's#logFileName := "HellPot"#logFileName := "hellpot"#g' internal/config/logger.go && \
-    go build cmd/HellPot/HellPot.go && \
+    go mod download && \
-    mv /root/HellPot/HellPot /opt/hellpot/ && \
+    go vet -v ./... && \
+    go test -v ./... && \
+    export CGO_ENABLED=0 && \
+    export VERSION=`git tag --sort=-version:refname | head -n 1` && \
+    go build -trimpath \
+		-ldflags "-s -w -X main.version=$VERSION" \
+		cmd/HellPot/HellPot.go
+#
+FROM alpine:3.19
+#
+COPY --from=builder /root/HellPot/HellPot /opt/hellpot/
+COPY --from=builder /root/dist/config.toml /opt/hellpot/config/
 #
 # Setup user, groups and configs
-    addgroup -g 2000 hellpot && \
+RUN addgroup -g 2000 hellpot && \
     adduser -S -s /bin/ash -u 2000 -D -g 2000 hellpot && \
-    mkdir -p /var/log/hellpot && \
+    mkdir -p /var/log/hellpot
-  # Hellpot wants to create .config folder always in user's home
-    mkdir -p /home/hellpot/.config/HellPot/logs && \
-    mv /root/dist/config.toml /home/hellpot/.config/HellPot/ && \
-    chown hellpot:hellpot -R /home/hellpot && \
-#
-# Clean up
-    apk del --purge build-base \
-                    git \
-                    go \
-                    g++ && \
-    rm -rf /var/cache/apk/* \
-           /opt/go \
-           /root/*
 #
 # Start hellpot
 WORKDIR /opt/hellpot
 USER hellpot:hellpot
-CMD ["./HellPot"]
+CMD ["./HellPot", "-c","config/config.toml"]

docker/hellpot/dist/config.toml

@@ -7,6 +7,9 @@
   bind_addr = "0.0.0.0"
   bind_port = "8080"
 
+  # header name containing clients real IP, for reverse proxy deployments
+  real_ip_header = 'X-Real-IP'
+
   # this contains a list of blacklisted useragent strings. (case sensitive)
   # clients with useragents containing any of these strings will receive "Not found" for any requests.
   uagent_string_blacklist = ["Cloudflare-Traffic-Manager", "curl"]
@@ -22,14 +25,73 @@
     # Toggling this to false will prevent creation of robots.txt handler.
     makerobots = true
     # Handlers will be created for these paths, as well as robots.txt entries. Only valid if catchall = false.
-    paths = ["wp-json/omapp/v1/support", "wp-login.php", "wp-login"]
+    paths = [
+      "wp-json/omapp/v1/support", 
+      "wp-login.php", 
+      "wp-login",
+      "admin",
+      "admin.php",
+      "admin/login.php",
+      "admin/login",
+      "admin.asp",
+      "admin.aspx",
+      "wp-admin",
+      "login",
+      "xmlrpc.php",
+      ".env",
+      "config.php",
+      "config.yaml",
+      "config.json",
+      "db.php",
+      "db.yaml",
+      "db.json",
+      "admin.yaml",
+      "admin.json",
+      "user.yaml",
+      "user.json",
+      "site.yaml",
+      "site.json",
+      "mysql.php",
+      "mysql.yaml",
+      "mysql.json",
+      "mongodb.php",
+      "mongodb.yaml",
+      "mongodb.json",
+      "sql.php",
+      "sql.yaml",
+      "sql.json",
+      "install.php",
+      "setup.php",
+      "main.php",
+      "test.php",
+      "README.md",
+      "LICENSE",
+      ".git",
+      ".htaccess",
+      ".htpasswd",
+      "server-status",
+      "phpinfo.php",
+      "info.php",
+      "env",
+      "config/",
+      "admin/config/",
+      "admin.php/config/",
+      "admin.asp/config/",
+      "admin.aspx/config/",
+      "phpmyadmin",
+      "pma",
+      "dbadmin",
+      "mysql",
+      "myadmin",
+      "phpmyadmin2"
+    ]
     
 [logger]
   # verbose (-v)
   debug = true
   # extra verbose (-vv)
   trace = false
-  # JSON log files will be storn in the below directory. 
+  # JSON log files will be stored in the below directory.
   directory = "/var/log/hellpot/"
   # disable all color in console output. when using Windows this will default to true.
   nocolor = true 

docker/hellpot/docker-compose.yml

@@ -19,4 +19,4 @@ services:
     image: "dtagdevsec/hellpot:alpha"
     read_only: true
     volumes:
-     - /data/hellpot/log:/var/log/hellpot
+     - $HOME/tpotce/data/hellpot/log:/var/log/hellpot

docker/honeypots/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM alpine:3.19
 #
 # Include dist
 COPY dist/ /root/dist/
@@ -36,7 +36,7 @@ RUN apk -U --no-cache add \
 		py3-packaging \
 		py3-paramiko \
 		py3-pip \
-	     py3-psutil \
+		# py3-psutil \
 		py3-psycopg2 \
 		py3-pycryptodomex \
 		py3-requests \
@@ -54,12 +54,12 @@ RUN apk -U --no-cache add \
     cd /opt/ && \
     git clone https://github.com/qeeqbox/honeypots && \
     cd honeypots && \
-#    git checkout bee3147cf81837ba7639f1e27fe34d717ecccf29 && \
+    # git checkout bee3147cf81837ba7639f1e27fe34d717ecccf29 && \
-    git checkout 1ad37d7e07838e9ad18c5244d87b9e49d90c9bc3 && \
+    git checkout 5b3bfbecbf85c1f5235b320b333bdeff2d312372 && \
-    cp /root/dist/setup.py . && \
+    # cp /root/dist/pyproject.toml . && \
-    pip3 install --upgrade pip && \
+    pip3 install --break-system-packages --upgrade pip && \
-    pip3 install . && \
+    pip3 install --break-system-packages . && \
-    setcap cap_net_bind_service=+ep /usr/bin/python3.10 && \
+    setcap cap_net_bind_service=+ep $(readlink -f $(type -P python3)) && \
 #
 # Setup user, groups and configs
     addgroup -g 2000 honeypots && \

docker/honeypots/dist/config.json

@@ -253,7 +253,37 @@
          "username":"",
          "password":"",
          "log_file_name":"irc.log",
-         "max_bytes":10000,
+         "max_bytes":0,
+         "backup_count":10,
+         "options":["capture_commands"]
+      },
+      "pjl":{
+         "port":9100,
+         "ip":"0.0.0.0",
+         "username":"",
+         "password":"",
+         "log_file_name":"pjl.log",
+         "max_bytes":0,
+         "backup_count":10,
+         "options":["capture_commands"]
+      },
+      "ipp":{
+         "port":631,
+         "ip":"0.0.0.0",
+         "username":"",
+         "password":"",
+         "log_file_name":"ipp.log",
+         "max_bytes":0,
+         "backup_count":10,
+         "options":["capture_commands"]
+      },
+      "rdp":{
+         "port":3389,
+         "ip":"0.0.0.0",
+         "username":"",
+         "password":"",
+         "log_file_name":"rdp.log",
+         "max_bytes":0,
          "backup_count":10,
          "options":["capture_commands"]
       }
@@ -282,4 +312,3 @@
       }
    }
 }
-

docker/honeypots/dist/pyproject.toml

@@ -0,0 +1,150 @@
+[build-system]
+requires = [
+    "setuptools>=61.2",
+]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "honeypots"
+version = "0.65"
+authors = [
+    { name = "QeeqBox", email = "gigaqeeq@gmail.com" },
+]
+description = "30 different honeypots in one package! (dhcp, dns, elastic, ftp, http proxy, https proxy, http, https, imap, ipp, irc, ldap, memcache, mssql, mysql, ntp, oracle, pjl, pop3, postgres, rdp, redis, sip, smb, smtp, snmp, socks5, ssh, telnet, vnc)"
+readme = "README.rst"
+requires-python = ">=3.8"
+dependencies = [
+    "twisted",
+    "psutil",
+    "psycopg2-binary",
+    "pycryptodome",
+    "requests",
+    "requests[socks]",
+    "impacket",
+    "paramiko",
+    "scapy",
+    "service_identity",
+    "netifaces",
+]
+license = {text = "AGPL-3.0"}
+
+[project.urls]
+Homepage = "https://github.com/qeeqbox/honeypots"
+
+[project.optional-dependencies]
+dev = [
+    "dnspython==2.4.2",
+    "elasticsearch",
+    "ldap3",
+    "mysql-connector",
+    "pre-commit",
+    "pymssql",
+    "pysnmplib",
+    "pytest",
+    "redis",
+    "redis",
+    "vncdotool",
+]
+
+[project.scripts]
+honeypots = "honeypots.__main__:main_logic"
+
+[tool.setuptools]
+packages = [
+    "honeypots",
+    "honeypots.data",
+]
+include-package-data = true
+
+[tool.setuptools.package-data]
+"honeypots.data" = [
+    "*.html",
+]
+
+[tool.ruff]
+select = [
+    "F",
+    "E",
+    "W",
+    "C90",
+    "N",
+    "UP",
+    "B",
+    "A",
+    "C4",
+    "EXE",
+    "FA",
+    "ISC",
+    "PIE",
+    "T20",
+    "PT",
+    "Q",
+    "RET",
+    "SIM",
+    "TCH",
+    "ARG",
+    "PTH",
+    "ERA",
+    "PL",
+    "PLR",
+    "PLW",
+    "PERF",
+    "RUF",
+]
+ignore = [
+    "A003",
+    "PERF203",
+    "PERF401",
+    "RUF001",
+    "RUF002",
+    "RUF003",
+    "RUF015",
+    # pydantic only supports these from python>=3.9
+    "UP006",
+    "UP007",
+    # rules may cause conflicts when used with the formatter
+    "ISC001",
+    "Q001",
+]
+fixable = [
+    "F",
+    "E",
+    "W",
+    "C90",
+    "N",
+    "UP",
+    "B",
+    "A",
+    "C4",
+    "EXE",
+    "FA",
+    "ISC",
+    "PIE",
+    "T20",
+    "PT",
+    "Q",
+    "RET",
+    "SIM",
+    "TCH",
+    "ARG",
+    "PTH",
+    "ERA",
+    "PL",
+    "PLR",
+    "PLW",
+    "PERF",
+    "RUF",
+]
+exclude = [
+    ".git",
+    ".ruff_cache",
+    ".venv",
+    "venv",
+    "data",
+]
+line-length = 99
+target-version = "py38"
+
+[tool.ruff.lint.per-file-ignores]
+# don't check for "magic value" in tests
+"tests/*" = ["PLR2004"]

docker/honeypots/docker-compose.yml

@@ -32,19 +32,22 @@ services:
      - "389:389"
      - "443:443"
      - "445:445"
+     - "631:631"
      - "1080:1080"
      - "1433:1433"
      - "1521:1521"
      - "3306:3306"
+     - "3389:3389"
      - "5060:5060"
      - "5432:5432"
      - "5900:5900"
      - "6379:6379"
      - "6667:6667"
      - "8080:8080"
+     - "9100:9100"
      - "9200:9200"
      - "11211:11211"
     image: "dtagdevsec/honeypots:alpha"
     read_only: true
     volumes:
-     - /data/honeypots/log:/var/log/honeypots
+     - $HOME/tpotce/data/honeypots/log:/var/log/honeypots