HoneyBadger is a framework for targeted geolocation. While honeypots are traditionally used to passively detect malicious actors, HoneyBadger is an Active Defense tool to determine who the malicious actor is and where they are located. HoneyBadger leverages "agents" built in various technologies that harvest the requisite information from the target host in order to geolocate them. These agents report back to the HoneyBadger API, where the data is stored and made available in the HoneyBadger user interface.
An early prototype of HoneyBadger (v1) can be seen in the presentation "Hide and Seek: Post-Exploitation Style" from ShmooCon 2013. The associated Metasploit Framework modules mentioned in the above presentation can be found here. Note: These modules have not been updated to work with v2 of the API.
- Python 3.x
Installation (Ubuntu and OS X)
Clone the HoneyBadger repository.
$ git clone https://github.com/lanmaster53/honeybadger.git
Install the dependencies.
$ cd honeybadger/server
$ pip install -r requirements.txt
Initialize the database. The provided username and password will become the administrator account.
$ python
>>> import honeybadger
>>> honeybadger.initdb(<username>, <password>)
Start the HoneyBadger server. API keys are required to use maps and geolocation services.
$ python ./honeybadger.py -gk <GOOGLE_API_KEY> -ik <IPSTACK_API_KEY>
HoneyBadger will still run without the API keys, but mapping and geolocation functionality will be limited.
View usage information with either of the following:
$ python ./honeybadger.py -h
$ python ./honeybadger.py --help
Visit the application and authenticate.
Add users and targets as needed using their respective pages.
Deploy agents for the desired target.
Clicking the "demo" button next to any of the targets will launch a demo web page containing an Applet agent for that target.
Make a mess and want to start over fresh? Do this.
$ python
>>> import honeybadger
>>> honeybadger.dropdb()
>>> honeybadger.initdb(<username>, <password>)
This method geolocates the target based on the source IP of the request and assigns the resolved location to the given target and agent.
This method accepts previously resolved location data for the given target and agent.
This method accepts wireless survey data and parses the information on the server-side, extracting what is needed to make a Google API geolocation call. The resolved geolocation data is then assigned to the given target. Parsers currently exist for survey data from Windows, Linux and OS X using the following commands:
cmd.exe /c netsh wlan show networks mode=bssid | findstr "SSID Signal Channel"
The util directory contains a PowerShell script that can be used to automatically send test data to the server:
powershell .\wireless_survey.ps1 -uri <URI>
/bin/sh -c iwlist scan | egrep 'Address|ESSID|Signal'
The util directory contains a shell script that can be used to automatically send test data to the server:
bash ./wireless_survey.sh <URL>
The os parameter must match one of the following regular expressions:
re.search('^mac os x', os.lower())
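The server-side parsing step described above, sketched for the Linux survey command as an added example (this is not HoneyBadger's own parser). The function names parse_iwlist_survey and build_geolocation_request and the sample survey are constructed for illustration; the request fields (considerIp, wifiAccessPoints, macAddress, signalStrength) are those of the Google Geolocation API.

```python
import json
import re

# Constructed sample of `iwlist scan | egrep 'Address|ESSID|Signal'` output.
# The third cell is deliberately malformed: survey data is agent-supplied input.
SAMPLE_SURVEY = """\
          Cell 01 - Address: 00:11:22:33:44:55
                    Quality=62/70  Signal level=-48 dBm
                    ESSID:"lab-ap"
          Cell 02 - Address: 66:77:88:99:aa:bb
                    Quality=30/70  Signal level=-80 dBm
                    ESSID:"guest"
          Cell 03 - Address: not-a-mac
                    Quality=40/70  Signal level=-60 dBm
"""

MAC_RE = re.compile(r"Address:\s*((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*$")
SIGNAL_RE = re.compile(r"Signal level=(-?\d{1,3}) dBm")


def parse_iwlist_survey(text):
    """Return one access-point dict per cell that has a well-formed BSSID."""
    aps, current = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("Cell "):
            # A new cell starts here; a malformed BSSID drops the whole cell.
            match = MAC_RE.search(line)
            current = {"macAddress": match.group(1).upper()} if match else None
            if current is not None:
                aps.append(current)
        elif current is not None:
            match = SIGNAL_RE.search(line)
            if match:
                current["signalStrength"] = int(match.group(1))
        # ESSID lines are ignored: the geolocation request does not use them.
    return aps


def build_geolocation_request(aps):
    """Serialize the request body; two or more access points are required."""
    if len(aps) < 2:
        raise ValueError("need at least two access points to geolocate")
    return json.dumps({"considerIp": False, "wifiAccessPoints": aps})


if __name__ == "__main__":
    print(build_geolocation_request(parse_iwlist_survey(SAMPLE_SURVEY)))
```

Setting considerIp to False keeps the result tied to the surveyed access points instead of silently falling back to the requesting server's IP address.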
All requests can include an optional comment parameter. This parameter is sanitized and displayed within the UI as miscellaneous information about the target or agent.
Example Web Agents
img = new Image();
img.src = "http://<path:honeybadger>/api/beacon/<guid:target>/HTML";
<img src="http://<path:honeybadger>/api/beacon/<guid:target>/HTML" width=1 height=1 />
Content Security Policy
response.headers['X-XSS-Protection'] = '0'
response.headers['Content-Security-Policy-Report-Only'] = '<string:policy>; report-uri http://<path:honeybadger>/api/beacon/<guid:target>/Content-Security-Policy'
response.headers['X-XSS-Protection'] = '1; report=http://<path:honeybadger>/api/beacon/<guid:target>/XSS-Protection'