Sometimes you just want a simple honeypot that collects credentials, nothing more. Heralding is that honeypot! Currently, the following protocols are supported: ftp, telnet, ssh, http, https, pop3, pop3s, imap, imaps, smtp, vnc, postgresql, and socks5.
You need Python 3.5.0 or higher.
Changelog v1.0.7
– Added custom POP3 banner (#143)
– Disabled RDP until we have a stable implementation.
– Various minor fixes and improvements
Installing
For step by step instructions on how to install and run heralding in a Python virtual environment using Ubuntu, see this guide. Otherwise, the basic installation instructions are below.
To install the latest stable (well, semi-stable) version, use pip:
pip install heralding
Make sure that requirements and pip are installed. A simple way to do this on a Debian-based OS is:
$ sudo heralding
2017-05-14 21:55:55,948 (root) Initializing Heralding version 0.2.0
2017-05-14 21:55:55,968 (root) Using default config file: "/home/kajoj/heralding/bin/heralding/heralding.yml", if you want to customize values please copy this file to the current working directory
2017-05-14 21:55:55,998 (heralding.reporting.file_logger) File logger started, using file: heralding_activity.log
2017-05-14 21:55:55,999 (heralding.honeypot) Started Telnet capability listening on port 23
2017-05-14 21:55:55,999 (heralding.honeypot) Started Http capability listening on port 80
2017-05-14 21:55:55,999 (heralding.honeypot) Started Pop3 capability listening on port 110
2017-05-14 21:55:56,000 (heralding.honeypot) Started https capability listening on port 443
2017-05-14 21:55:56,000 (heralding.honeypot) Started Imap capability listening on port 143
2017-05-14 21:55:56,000 (heralding.honeypot) Started ftp capability listening on port 21
2017-05-14 21:55:56,000 (heralding.honeypot) Started Imaps capability listening on port 993
2017-05-14 21:55:56,001 (heralding.honeypot) Started Pop3S capability listening on port 995
2017-05-14 21:55:56,116 (heralding.honeypot) Started SSH capability listening on port 22
2017-05-14 21:55:56,117 (heralding.honeypot) Started smtp capability listening on port 25
2017-05-14 21:55:56,118 (root) Privileges dropped, running as nobody/nogroup.
Viewing the collected data
Heralding logs relevant data in three files: log_session.json, log_session.csv, and log_auth.csv.
log_session.json
This log file contains all available information for a given activity on the honeypot. This includes a timestamp, authentication attempts, and protocol-specific information (auxiliary data), along with a bunch of other information. Be aware that the log entry for a specific session will appear in the log file only after the session has ended. The format is jsonlines.
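A minimal way to turn log_session.json into a per-source summary, added here as an example and not part of Heralding itself. The field names (source_ip, protocol, auth_attempts, username, password) are assumptions to verify against your own log, and the sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample in jsonlines form. Field names are assumptions; check
# them against your own log_session.json. The last line is cut off on purpose.
SAMPLE_LOG = """\
{"timestamp": "2017-05-14 22:01:10.100000", "session_id": "s-1", "source_ip": "198.51.100.7", "protocol": "ssh", "num_auth_attempts": 2, "auth_attempts": [{"username": "root", "password": "123456"}, {"username": "root", "password": "admin"}]}
{"timestamp": "2017-05-14 22:03:42.500000", "session_id": "s-2", "source_ip": "203.0.113.9", "protocol": "ftp", "num_auth_attempts": 1, "auth_attempts": [{"username": "anonymous", "password": "guest"}]}
{"timestamp": "2017-05-14 22:04:01.000000", "session_id": "s-3", "source_ip": "198.51.100.7", "protocol": "telnet", "num_auth_attempts": 1, "auth_attempts": [{"username": "root", "password": "123456"}]}
{"timestamp": "2017-05-14 22:05:
"""

def parse_sessions(text):
    """Return (sessions, skipped): parsed records and the count of bad lines."""
    sessions, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # e.g. a line that is still being written
            continue
        if isinstance(record, dict):
            sessions.append(record)
        else:
            skipped += 1
    return sessions, skipped

def summarize(sessions):
    """Count attempts per source IP and per credential pair, protocols per IP."""
    per_ip, per_cred, protocols = Counter(), Counter(), {}
    for s in sessions:
        ip = s.get("source_ip", "unknown")
        protocols.setdefault(ip, set()).add(s.get("protocol", "unknown"))
        for attempt in s.get("auth_attempts") or []:
            per_ip[ip] += 1
            per_cred[(attempt.get("username"), attempt.get("password"))] += 1
    return per_ip, per_cred, protocols

if __name__ == "__main__":
    sessions, skipped = parse_sessions(SAMPLE_LOG)
    per_ip, per_cred, protocols = summarize(sessions)
    print("sessions parsed:", len(sessions), "lines skipped:", skipped)
    for ip, n in per_ip.most_common():
        print(ip, n, "attempts via", sorted(protocols[ip]))
    print("most tried pair:", per_cred.most_common(1))
```

Because a session is written only once it has ended, a summary built from this file lags behind live activity.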
log_session.csv
This log file contains entries for all connections to the honeypot. The data includes timestamp, duration, IP information and the number of authentication attempts. Be aware that the log entry for a specific session will appear in the log file only after the session has ended.
log_auth.csv
This log file contains information for all authentication attempts where it was possible to log username and plaintext password. Log entries will appear in this file as soon as the password has been transmitted.