FirmPot is a framework for the automatic generation of Intelligent-Interaction honeypots using OpenWrt-based firmware. We presented FirmPot at CANDAR WICS 2021.
- OS: Ubuntu 20.04.2 LTS
- Kernel: Linux 5.8.0-48-generic x86_64
- CPU: Intel Core i7-10700K CPU@3.80GHz
- GPU: GeForce RTX 3060
FirmPot/
├── auto.py : Automatically generate a honeypot.
├── booter.py : Boot an embedded application from a firmware image
├── scanner.py : Scan the web application
├── learner.py : Learn the web interaction
├── manager.py : Create and manage the honeypot instance
├── honeypot.py : Program of honeypot server
├── analyzer.py : Analyze access logs observed honeypots
├── setup.sh : Install required tools
├── honeypot_setup.sh : Install required tools for operation of honeypots
├── qemu-binfmt-conf.sh : Script to register configuration of binfmt_misc
├── README.md
├── utils/ : Modules required by each program
├── images/ : Location of firmware images
├── tools/ : Tools required by each program
├── assets/ : Files used for visualization of log analysis
├── static/ : Files used for visualization of log analysis
├── templates/ : Files used for visualization of log analysis
└── demo/ : Demonstrations of honeypot generation by FirmPot
- Clone this repository
$ git clone https://github.com/SaitoLab-Nitech/FirmPot.git
- Run
./setup.sh
script (requiresudo
password) :::info
- Please comment out any tools that are already installed on your host
- If you get a comment,
[-] Linux kernel may not specify support for binfmt_misc.
, your kernel is not compatible with our programs :::
- Download a firmware image from a vendor's website
- Put the firmware image into
./images
directory :::info Our framework supports OpenWrt based firmware images. Please check your images before using our framework. :::
There are two patterns:
- Generate a honeypot automatically
- Generate a honeypot while checking each process
- Run
auto.py
$ python3 auto.py <firmware image>
A honeypot instance (default: ./honeypot_instance/
) will be created.
- Put the directory (
./honeypot_instance/
) on a public server - Go to the created directory of honeypot instance and launch the honeypot server
$ cd ./honeypot_instance/
$ sudo python3 honeypot.py or python3 honeypot.py -m
- Run
booter.py
$ python3 booter.py <firmware images>
Multiple containers can be prepared by adding the -c <number>
option.
However, it may overload the host machine.
booter.py
will prompt you for the sudo password during execution.
- Run
scanner.py
$ python3 scanner.py -i <container's IPaddress>
- Run
learner.py
$ python3 learner.py
- Run
manager.py
$ python3 manager.py --create
- Go to the created directory of honeypot instance (default:
./honeypot_instance/
) and launch the honeypot server
$ cd ./honeypot_instance/
$ python3 honeypot.py (or python3 honeypot.py -m)
Deployed honeypots will log access to them in the file (default: ./logs/access.log
).
The access log are visualized by running analyzer.py
.
- Run
analyzer.py
$ python3 analyzer.py access1.log access2.log access3.log ...
- Access to http://localhost:8050
Follow the checklist below to determine the cause.
- The firmware may have been compressed in several layers. Try using the "unzip" or "untar" command to uncompress the file.
- Try running booter.py with the
-m
option to recursively retrieve the file system. - Please check the version of binwalk. Make sure that binwalk is 2.2.* or earlier.
- Please check that the firmware name does not contain any single-byte spaces. If the firmware name contains spaces, the program will not recognize it.
The following checklist may help you solve this problem.
$ sudo su -
# cat /proc/sys/fs/binfmt_misc/qemu-(arch)
In additions, binfmt_misc can be used even after rebooting the host with the following configuration.
- Move the
qemu-binfmt-conf.sh
in this repository to/usr/local/bin/
$ sudo chmod +x qemu-binfmt-conf.sh
$ sudo mv qemu-binfmt-conf.sh /usr/local/bin/qemu-binfmt-conf.sh
- Create
/usr/local/bin/register.sh
and write the following
#!/bin/sh
QEMU_BIN_DIR=${QEMU_BIN_DIR:-/usr/bin}
if [ ! -d /proc/sys/fs/binfmt_misc ]; then
echo "No binfmt support in the kernel."
echo " Try: '/sbin/modprobe binfmt_misc' from the host"
exit 1
fi
if [ ! -f /proc/sys/fs/binfmt_misc/register ]; then
mount binfmt_misc -t binfmt_misc /proc/sys/fs/binfmt_misc
fi
if [ "${1}" = "--reset" ]; then
shift
find /proc/sys/fs/binfmt_misc -type f -name 'qemu-*' -exec sh -c 'echo -1 > {}' \;
fi
exec /usr/local/bin/qemu-binfmt-conf.sh --qemu-suffix "-static" --qemu-path "${QEMU_BIN_DIR}" $@
- Change the permission
$ sudo chmod +x /usr/local/bin/register.sh
- Create
/etc/systemd/system/register.service
and write the following
[Unit]
Description= register cpu emulator
[Service]
ExecStart = /usr/local/bin/register.sh
Restart = no
Type = simple
RemainAfterExit=yes
[Install]
WantedBy = multi-user.target
- Start the daemon
$ sudo systemctl daemon-reload
$ sudo systemctl enable register.service
$ sudo systemctl start register.service
$ sudo systemctl status register.service
:::info The openwrt MIPS firmware has a special magic number. If it fails to execute, please execute the following command.
$ sudo su -
## ↓ This is MIPS little endian
# echo ':qemu-xmmipsel:M::\x7f\x45\x4c\x46\x01\x01\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel-static:' > /proc/sys/fs/binfmt_misc/register
## ↓ This is MIPS big endian
# echo ':qemu-xmmips:M::\x7f\x45\x4c\x46\x01\x02\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips-static:' > /proc/sys/fs/binfmt_misc/register
:::
$ sudo chmod -R 777 ./extracted_fs
or
$ sudo chmod -R 755 ./extracted_fs/bin ./extracted_fs/lib
$ sudo chroot extracted_fs/ /bin/busybox
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Illegal instruction
I'm sorry, our current framework does not support this.
I'm sorry, our current framework does not support this.
- Some web applications may output a dialog before you enter your password. In this case, you have to turn off the dialog manually.
- Normally, you will be asked to set a default password to login to the web. You can manually set a password in advance. Set the same password as the one written in the params file.
- Two types of crawlers are available. Please use the flag to switch between them.
# line 119 in `scanner.py`
atag_list, url_list, crawled_list = crawling(driver, ip, atag_list, url_list, crawled_list, flag=False) # <= If the crawling fails, try setting the flag to True
- Adjust the training parameters for both Seq2Seq and Word2Vec in
utils/params.py
. - The Word2Vec model can be created in advance using
utils/word2vec.py
. Please specify the word2vec model tolearner.py
.
$ python3 utils/word2vec.py -l honeypot/learning.db
# Generate word2vec.bin in ./honeypot/
$ python3 learner.py -w honeypot/word2vec.bin