Conversation

@spoiicy spoiicy commented Aug 31, 2025

closes #2708

Description

As part of this PR, a new analyzer, HoneyScanner, has been added to IntelOwl to detect vulnerabilities in honeypots.

Significant effort has gone into leveraging concurrency to optimise the honeyscanner pypi package, so that it can scan ports on external networks quickly using Python's asyncio, and into optimizing the active attacks to suit the needs of analysing a honeypot over an external network.

For the curious, I've created a PR at honeynet/honeyscanner#51 for the honeyscanner optimization.

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue).
  • New feature (non-breaking change which adds functionality).
  • Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklist

  • I have read and understood the rules about how to Contribute to this project
  • The pull request is for the branch develop
  • A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
    • I strictly followed the documentation "How to create a Plugin"
    • Usage file was updated. A link to the PR to the docs repo has been added as a comment here.
    • Advanced-Usage was updated (in case the plugin provides additional optional configuration). A link to the PR to the docs repo has been added as a comment here.
    • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
    • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
    • If you created a new analyzer and it is free (does not require any API key), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
    • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
    • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
    • If the plugin interacts with an external service, I have created an attribute called precisely url that contains this information. This is required for Health Checks (HEAD HTTP requests).
    • If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
    • I have added that raw JSON sample to the MockUpResponse of the _monkeypatch() method. This serves us to provide a valid sample for testing.
    • I have created the corresponding DataModel for the new analyzer following the documentation
  • I have inserted the copyright banner at the start of the file: # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl # See the file 'LICENSE' for copying permission.
  • Please avoid adding new libraries as requirements whenever it is possible. Use new libraries only if strictly needed to solve the issue you are working for. In case of doubt, ask a maintainer permission to use a specific library.
  • If external libraries/packages with restrictive licenses were added, they were added in the Legal Notice section.
  • Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
  • I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
  • If the GUI has been modified:
    • I have provided a screenshot of the result in the PR.
    • I have created new frontend tests for the new component or updated existing ones.
  • After you had submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

Important Rules

  • If you fail to complete the Checklist properly, your PR won't be reviewed by the maintainers.
  • Every time you make changes to the PR and you think the work is done, you should explicitly ask for a review by using GitHub's reviewing system detailed here.

spoiicy commented Aug 31, 2025

JSON result after a successful scan of an externally hosted honeypot running on EC2:

{
  "report": {
    "results": {
      "cves": 124,
      "active": {
        "attacks": [
          {
            "message": "Banner fuzzing completed - Terminal fuzzing completed - 96 test cases executed in 28.43s (external network, quick test + smart fuzzing)",
            "attack_name": "Fuzzing",
            "additional_metrics": {
              "test_cases_executed": 96
            },
            "vulnerability_found": false,
            "execution_time_seconds": 28
          },
          {
            "message": "Tar bomb attack executed (30/30 successful), but honeypot is still alive",
            "attack_name": "TarBomb",
            "additional_metrics": {
              "bombs_used": 30
            },
            "vulnerability_found": false,
            "execution_time_seconds": 90
          },
          {
            "message": "Vulnerability found: DoS attack made the honeypot reject connections",
            "attack_name": "DoS",
            "additional_metrics": {
              "threads_used": 40
            },
            "vulnerability_found": true,
            "execution_time_seconds": 1
          }
        ],
        "summary": {
          "success_rate": 33.33,
          "total_attacks": 3,
          "successful_attacks": 1
        },
        "target_ip": "18.234.151.206",
        "report_title": "Honeypot Active Attack Report"
      },
      "passive": {
        "summary": {
          "attack_types": [
            "ContainerSecurityScanner",
            "VulnerableLibrariesAnalyzer",
            "StaticAnalyzer"
          ],
          "recommendations_count": 3,
          "total_attacks_performed": 3
        },
        "target_ip": "18.234.151.206",
        "report_title": "Honeypot Passive Attack Report",
        "attack_results": {
          "StaticAnalyzer": {
            "attack_type": "Static Code Analysis",
            "description": "Static analysis of honeypot codebase and configuration",
            "report_content": {
              "version": "v2.6.1",
              "high_severity_count": 13,
              "high_severity_issues": [
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/ftpget.py",
                  "issue_text": "A FTP-related module is being imported.  FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
                  "line_number": 5
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/ftpget.py",
                  "issue_text": "FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
                  "line_number": 167
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/ping.py",
                  "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False",
                  "line_number": 83
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/ssh.py",
                  "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False",
                  "line_number": 96
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/yum.py",
                  "issue_text": "Use of weak SHA1 hash for security. Consider usedforsecurity=False",
                  "line_number": 73
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/yum.py",
                  "issue_text": "Use of weak SHA1 hash for security. Consider usedforsecurity=False",
                  "line_number": 74
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/cuckoo.py",
                  "issue_text": "Call to requests with verify=False disabling SSL certificate checks, security issue.",
                  "line_number": 107
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/cuckoo.py",
                  "issue_text": "Call to requests with verify=False disabling SSL certificate checks, security issue.",
                  "line_number": 134
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/cuckoo.py",
                  "issue_text": "Call to requests with verify=False disabling SSL certificate checks, security issue.",
                  "line_number": 157
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/dshield.py",
                  "issue_text": "Use of weak SHA1 hash for security. Consider usedforsecurity=False",
                  "line_number": 132
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/dshield.py",
                  "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False",
                  "line_number": 147
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/ssh/transport.py",
                  "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False",
                  "line_number": 198
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/ssh_proxy/server_transport.py",
                  "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False",
                  "line_number": 308
                }
              ],
              "medium_severity_count": 31,
              "medium_severity_issues": [
                {
                  "filename": "cowrie-2.6.1/src/backend_pool/nat.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 106
                },
                {
                  "filename": "cowrie-2.6.1/src/backend_pool/nat.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 109
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/nc.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 108
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/netstat.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 74
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/netstat.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 76
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/core/auth.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 71
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/core/utils.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 116
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/abuseipdb.py",
                  "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.",
                  "line_number": 81
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/cuckoo.py",
                  "issue_text": "Requests call without timeout",
                  "line_number": 130
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/cuckoo.py",
                  "issue_text": "Requests call without timeout",
                  "line_number": 153
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/malshare.py",
                  "issue_text": "Requests call without timeout",
                  "line_number": 90
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/mysql.py",
                  "issue_text": "Possible SQL injection vector through string-based query construction.",
                  "line_number": 114
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/mysql.py",
                  "issue_text": "Possible SQL injection vector through string-based query construction.",
                  "line_number": 125
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/scripts/fsctl.py",
                  "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.",
                  "line_number": 122
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/shell/fs.py",
                  "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.",
                  "line_number": 111
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/shell/fs.py",
                  "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.",
                  "line_number": 114
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/ssh/keys.py",
                  "issue_text": "DSA key sizes below 2048 bits are considered breakable. ",
                  "line_number": 61
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/fake_transport.py",
                  "issue_text": "Use of exec detected.",
                  "line_number": 82
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_awk.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_base64.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_base_commands.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 264
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_base_commands.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 282
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_base_commands.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 303
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_cat.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_chmod.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_echo.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_ftpget.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 14
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_ls.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_tee.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_tftp.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_uniq.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                }
              ],
              "actionable_recommendation": "Bandit found vulnerabilities that can be exploited. Please refer to the StaticHoney's output for more details."
            }
          },
          "ContainerSecurityScanner": {
            "attack_type": "Container Security Scan",
            "description": "Security analysis of container configuration and vulnerabilities",
            "report_content": {
              "targets": [
                {
                  "target": "cowrie/cowrie (debian 12.11)",
                  "secrets": {
                    "counts": {
                      "HIGH": 0,
                      "MEDIUM": 0,
                      "CRITICAL": 0
                    }
                  },
                  "vulnerabilities": {
                    "counts": {
                      "HIGH": 6,
                      "MEDIUM": 15,
                      "CRITICAL": 3
                    }
                  }
                },
                {
                  "target": "Python",
                  "secrets": {
                    "counts": {
                      "HIGH": 0,
                      "MEDIUM": 0,
                      "CRITICAL": 0
                    }
                  },
                  "vulnerabilities": {
                    "counts": {
                      "HIGH": 0,
                      "MEDIUM": 0,
                      "CRITICAL": 0
                    }
                  }
                }
              ],
              "actionable_recommendation": "Trivy found vulnerabilities in the source code repository. Check the TrivyScanner section for more info and inform the developer(s) of the security issue."
            }
          },
          "VulnerableLibrariesAnalyzer": {
            "attack_type": "Vulnerable Libraries Analysis",
            "description": "Analysis of vulnerable libraries and dependencies",
            "report_content": {
              "libraries": {
                "urllib3": {
                  "library_name": "urllib3",
                  "vulnerabilities": [
                    {
                      "cve": "CVE-2025-50181",
                      "cvss_score": 5.3,
                      "vulnerability_id": "pyup.io-77744",
                      "affected_versions": "<2.5.0",
                      "severity_category": "medium"
                    },
                    {
                      "cve": "CVE-2025-50182",
                      "cvss_score": 5.3,
                      "vulnerability_id": "pyup.io-77745",
                      "affected_versions": "<2.5.0",
                      "severity_category": "medium"
                    }
                  ],
                  "vulnerability_count": 2
                },
                "requests": {
                  "library_name": "requests",
                  "vulnerabilities": [
                    {
                      "cve": "CVE-2024-47081",
                      "cvss_score": 5.3,
                      "vulnerability_id": "pyup.io-77680",
                      "affected_versions": "<2.32.4",
                      "severity_category": "medium"
                    }
                  ],
                  "vulnerability_count": 1
                },
                "cryptography": {
                  "library_name": "cryptography",
                  "vulnerabilities": [
                    {
                      "cve": "CVE-2024-12797",
                      "cvss_score": 6.3,
                      "vulnerability_id": "pyup.io-76170",
                      "affected_versions": ">=42.0.0,<44.0.1",
                      "severity_category": "medium"
                    }
                  ],
                  "vulnerability_count": 1
                }
              },
              "actions_text": "All of these modules need to be updated:\ncryptography, requests, urllib3",
              "action_required": "All of these modules need to be updated: cryptography, requests, urllib3",
              "modules_to_update": [
                "cryptography",
                "requests",
                "urllib3"
              ],
              "severity_breakdown": {
                "low": 0,
                "high": 0,
                "medium": 4,
                "critical": 0,
                "no_score": 0
              },
              "total_vulnerabilities": 4,
              "total_vulnerable_libraries": 3
            }
          }
        },
        "attacks_performed": [
          "VulnerableLibrariesAnalyzer",
          "StaticAnalyzer",
          "ContainerSecurityScanner"
        ]
      }
    },
    "metadata": {
      "filename": "report_2025-08-31_08-36-14.txt",
      "honeypot": {
        "ip": "18.234.151.206",
        "name": "cowrie",
        "ports": [
          2222,
          22
        ],
        "version": "v2.6.1"
      },
      "report_date": "2025-08-31 08:36:14"
    },
    "recommendations": [
      "All of these modules need to be updated: cryptography, requests, urllib3",
      "Bandit found vulnerabilities that can be exploited. Please refer to the StaticHoney's output for more details.",
      "Trivy found vulnerabilities in the source code repository. Check the TrivyScanner section for more info and inform the developer(s) of the security issue."
    ]
  },
  "data_model": null,
  "errors": [],
  "parameters": {}
}
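The report above as a practitioner would consume it: an added example (not IntelOwl's or honeyscanner's own code) that parses the analyzer JSON into a triage summary and a single severity label. SAMPLE_REPORT, the 192.0.2.10 address and the severity thresholds in severity_level are constructed assumptions, not values from the project.

```python
# Added example, not IntelOwl's or honeyscanner's own code: reduce a HoneyScanner
# report of the shape posted above to the fields a triage view needs first.
import json
from typing import Any

# Constructed sample trimmed to the report structure above (IP is a placeholder).
SAMPLE_REPORT = json.dumps({
    "report": {
        "results": {
            "active": {"attacks": [
                {"attack_name": "Fuzzing", "vulnerability_found": False},
                {"attack_name": "TarBomb", "vulnerability_found": False},
                {"attack_name": "DoS", "vulnerability_found": True},
            ]},
            "passive": {"attack_results": {
                "StaticAnalyzer": {"report_content": {
                    "high_severity_count": 13, "medium_severity_count": 31}},
                "ContainerSecurityScanner": {"report_content": {"targets": [
                    {"target": "cowrie/cowrie (debian 12.11)",
                     "vulnerabilities": {"counts": {"HIGH": 6, "MEDIUM": 15, "CRITICAL": 3}}},
                    {"target": "Python",
                     "vulnerabilities": {"counts": {"HIGH": 0, "MEDIUM": 0, "CRITICAL": 0}}},
                ]}},
                "VulnerableLibrariesAnalyzer": {"report_content": {
                    "modules_to_update": ["cryptography", "requests", "urllib3"]}},
            }},
        },
        "metadata": {"honeypot": {"ip": "192.0.2.10", "name": "cowrie",
                                  "ports": [2222, 22], "version": "v2.6.1"}},
    },
    "errors": [],
})

def summarise_report(raw: str) -> dict[str, Any]:
    """Parse the raw analyzer JSON and pull out what a reviewer looks at first."""
    doc = json.loads(raw)
    report = doc.get("report") or {}
    results = report.get("results") or {}
    passive = (results.get("passive") or {}).get("attack_results") or {}

    # Active phase: only attacks the scanner marked as successful need follow-up.
    successful = [a["attack_name"] for a in (results.get("active") or {}).get("attacks", [])
                  if a.get("vulnerability_found")]

    static = passive.get("StaticAnalyzer", {}).get("report_content", {})
    container = passive.get("ContainerSecurityScanner", {}).get("report_content", {})
    libs = passive.get("VulnerableLibrariesAnalyzer", {}).get("report_content", {})

    # Container findings are per target (OS image, language packages): sum them.
    container_counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0}
    for target in container.get("targets", []):
        for sev, n in target.get("vulnerabilities", {}).get("counts", {}).items():
            container_counts[sev] = container_counts.get(sev, 0) + int(n)

    honeypot = (report.get("metadata") or {}).get("honeypot") or {}
    return {
        "honeypot": f"{honeypot.get('name')} {honeypot.get('version')} at {honeypot.get('ip')}",
        "ports": list(honeypot.get("ports", [])),
        "successful_active_attacks": successful,
        "static_high": int(static.get("high_severity_count", 0)),
        "static_medium": int(static.get("medium_severity_count", 0)),
        "container_counts": container_counts,
        "modules_to_update": list(libs.get("modules_to_update", [])),
        "scanner_errors": list(doc.get("errors", [])),
    }

def severity_level(summary: dict[str, Any]) -> str:
    """Collapse a summary to one label; a honeypot knocked offline is the worst case."""
    if summary["successful_active_attacks"] or summary["container_counts"]["CRITICAL"]:
        return "critical"
    if summary["static_high"] or summary["container_counts"]["HIGH"] or summary["modules_to_update"]:
        return "high"
    if summary["static_medium"] or summary["container_counts"]["MEDIUM"]:
        return "medium"
    return "clean"
```

Every lookup tolerates a missing section, so a report with an empty `results` (for instance when the scanner errored out early) still yields a summary rather than a KeyError.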

@spoiicy spoiicy requested review from fgibertoni and mlodic August 31, 2025 10:36
@spoiicy spoiicy marked this pull request as ready for review August 31, 2025 10:36
spoiicy commented Aug 31, 2025

Once the PR passes the review, I'll push the honeyscanner package to the official PyPI repository and change the corresponding entry in requirements.txt.

@fgibertoni fgibertoni left a comment

Some small improvements. Great work overall!

else:
ip_address = self.observable_name

logger.info(f"Running HoneyScanner for ip_address {ip_address}")
Suggested change
logger.info(f"Running HoneyScanner for ip_address {ip_address}")
logger.info(f"Running HoneyScanner for {ip_address=}")

password=self._honeypot_password,
)

logger.info(f"Successfully executed honeyscanner for ip_address {ip_address}")
Suggested change
logger.info(f"Successfully executed honeyscanner for ip_address {ip_address}")
logger.info(f"Successfully executed honeyscanner for {ip_address=}")

Resolves a given hostname to its corresponding IP address.
"""
try:
ip_address = socket.gethostbyname(hostname)
What do you think about adding a parameter to specify a custom DNS resolver? The default would still be socket.gethostbyname() if nothing is specified.
I'd also log the resolution of the hostname.

Member

yes that would be cool
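One way to implement the custom-resolver parameter the review suggests, as an added example that is not the PR's code: the resolver is any callable from hostname to address, defaulting to socket.gethostbyname(), the resolution is logged, and the returned value is validated before use. make_static_resolver and the honeypot.example / 192.0.2.10 values are constructed so the example runs offline.

```python
# Added example, not the PR's own code: hostname resolution with an injectable
# resolver (defaults to socket.gethostbyname) and logging of the result.
import ipaddress
import logging
import socket
from typing import Callable, Optional

logger = logging.getLogger(__name__)

Resolver = Callable[[str], str]


def resolve_hostname(hostname: str, resolver: Optional[Resolver] = None) -> str:
    """Return the IP address for hostname.

    resolver: any callable mapping a hostname to an address string (for instance
    a wrapper around a dedicated DNS server); defaults to socket.gethostbyname.
    Raises ValueError if the name cannot be resolved or the result is not an IP.
    """
    hostname = hostname.strip().rstrip(".")
    if not hostname:
        raise ValueError("empty hostname")
    # Already an IP literal: nothing to resolve, but normalise and validate it.
    try:
        return str(ipaddress.ip_address(hostname))
    except ValueError:
        pass
    resolve = resolver or socket.gethostbyname
    try:
        ip_address = resolve(hostname)
    except (socket.gaierror, OSError) as exc:
        logger.warning("Resolution of %s failed: %s", hostname, exc)
        raise ValueError(f"cannot resolve {hostname!r}") from exc
    # Do not trust the resolver's return blindly: it must parse as an address,
    # otherwise a misbehaving resolver would feed junk into the scan target.
    try:
        ipaddress.ip_address(ip_address)
    except ValueError as exc:
        raise ValueError(f"resolver returned {ip_address!r} for {hostname!r}") from exc
    logger.info("Resolved %s -> %s", hostname, ip_address)
    return ip_address


def make_static_resolver(table: dict[str, str]) -> Resolver:
    """Resolver backed by a fixed table (constructed helper for offline use/tests)."""
    def _resolve(name: str) -> str:
        try:
            return table[name.lower()]
        except KeyError:
            raise socket.gaierror(f"no record for {name}")
    return _resolve
```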

die-python==0.4.0
guarddog==2.1.0 # version greater than 2.1.0 raises dependency conflicts

https://test-files.pythonhosted.org/packages/c3/cc/98e132fd77e2d21ed24197287431fb2b14e2e74a29471ea0652bff74d66d/honeyscanner-0.0.1-py3-none-any.whl
Member

we should wait to have an official package from honeynet. Otherwise, before merging this, we should fork @spoiicy's changes in our own fork and make our own pypi release: https://github.com/intelowlproject/honeyscanner

This allows better maintainability and avoids potential future issues.

Member Author

@spoiicy spoiicy commented Sep 1, 2025

This seems good. I concur.

@mlodic mlodic left a comment

Code is good and fine, but we must have the package officially deployed on pip before merging this.

@github-actions
This pull request has been marked as stale because it has had no activity for 10 days. If you are still working on this, please provide some updates or it will be closed in 5 days.

@github-actions github-actions bot added the stale label Sep 12, 2025
@github-actions
This pull request has been closed because it had no updates in 15 days. If you're still working on this, feel free to reopen.

@github-actions github-actions bot closed this Sep 18, 2025
@fgibertoni fgibertoni added keep-open To avoid workflow closing PRs and removed stale labels Sep 18, 2025
@fgibertoni fgibertoni reopened this Sep 18, 2025
mlodic commented Oct 27, 2025

I am still having problems contacting the maintainers for this. I'll give them the last chance for this week then I think we can just bring the changes to our fork here https://github.com/intelowlproject/honeyscanner and release our own pypi release.
