Skip to content
RDP honeypot
Branch: master
Clone or download
Jamie Hankins
Latest commit 7cc0907 Jun 6, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
disks Initial commit Jun 6, 2019
output Initial commit Jun 6, 2019
pcaps Initial commit Jun 6, 2019
LICENCE.md Initial commit Jun 6, 2019
README.md Add warning about running as root Jun 6, 2019
balancer.py Initial commit Jun 6, 2019
balancer_test.py Initial commit Jun 6, 2019
main.py Initial commit Jun 6, 2019
net.py Initial commit Jun 6, 2019
requirements.txt Initial commit Jun 6, 2019
utils.py Initial commit Jun 6, 2019
vm.py Initial commit Jun 6, 2019

README.md

rdppot

RDP based Honeypot

What does this actually do

Listens on 3389, on a new connection it'll create a session & assign a virtual machine from a pool to that session. After 300 seconds (default) of the session being opened or 30 second (default) of no activity the connection will be closed and the session will be terminated. We'll store a copy of the disk & a full pcap, additionally we'll run Suricata against the pcap and will save the output with the disk image and the pcap.

Requirements

  • qemu
  • libvirt
  • qemu
  • Python3.7
  • Suricata
  • tcpdump

Suricata installation

wget https://www.openinfosecfoundation.org/download/suricata-4.1.4.tar.gz
tar -xvf suricata-4.1.4.tar.gz
cd suricata-4.1.4
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config cargo liblz4-dev
cargo install cargo-vendor
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
PATH=$PATH:/root/.cargo/bin ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install-full

How to use this

  • Grab a Windows XP image and create a new VM called winxp_template
  • Setup RDP on that VM
  • Make sure it's accessible
  • Run main.py (Probably don't run this as root though, add your user to the libvirtd group & give yourself the permissions for pcaping)

Support

We're unable to provide support for this repository but will do our best to work with anyone who wishes to contribute to the codebase. The code isn't perfect and probably should not be used in production, it was quickly hacked together to get telemetry about CVE-2019-0708 (Bluekeep) in the wild.

Potential ideas:

Some things that we thought might be useful but didn't get round to implementing:

  • YARA on the disk image
  • Snort as well as Suricata?
  • TLS decryption
  • Testing Context's RDP replay tool
  • Making disk images smaller (I don't think this is fully optimized atm & there's probably a method to make them smaller)
You can’t perform that action at this time.