honeydet is a signature-based, multi-step, high-interaction, multi-threaded honeypot detection tool written in Golang. It detects honeypots on the premise that, given a set of specifically crafted requests, they will generate a unique and identifying response. It can be run as a web server, a command line tool, or a web API. Signatures support multi-step, hex, string and regex detection on TCP and UDP. A SQL backend provides persistent scans, which can be managed through the web interface. Shodan API integration automatically adds Shodan host information for non-private IPs when the flag is set (currently CLI only).
The signature list is growing as I run through different methods of fuzzing, reverse engineering and comparing real protocols and servers to their emulated counterparts. I continue to add features to the signature format as required, and will extend the application's support of protocols using additional libraries as needed for things like DICOM and Modbus.
- Multi-threaded, and now super fast. /24 single port scan in around 1 second
- Supports single and multiple targets with csv, range, and CIDR
- Supports single and multiple ports with range and csv list
- Adjust execution options: ignore signature port mapping, ping-test the host before testing, threads, timeout and delay
- Pagination, table search and export
- Remove individual scans and clear database functionality
- Docker image and docker-compose file for simple installation
- SSL
- JA4+, HASSH, and other fingerprinting support
- Add shodan flag to frontend
- PDF Reports
- Active port detection (without requiring root), and passive port detection using Shodan API in place of specific ports or ranges
git clone https://github.com/referefref/honeydet.git
cd honeydet
go get honeydet
go build
# Note that scans.db will persist in the docker-compose file directory; if you need to map this somewhere else, edit the docker compose file
git clone https://github.com/referefref/honeydet.git
cd honeydet
docker compose up
-H string
Short form of -hostfile
-P string
Short form of -proto (default "tcp")
-T int
Short form of -timeout (default 5)
-b Short form of -bypassPortCheck
-bypassPortCheck
Bypass port match checking and run all signatures against all ports
-c Short form of -checkPing
-checkPing
Check if the host responds to ping before scanning
-d int
Short form of -delay
-debug
Enable extra verbose (debug) output
-delay int
Delay in milliseconds between requests to a single host
-h string
Short form of -host
-host string
Single host or range of hosts to scan (i.e. 1.1.1.1, 10.1.1.1/24, 1.2.37.10.20-1.2.37.10.30)
-hostfile string
File containing a list of hosts to scan
-o string
Short form of -output
-output string
Output file for the report (default is stdout)
-p string
Short form of -port (default "22")
-password string
Password for authentication
-port string
Target port(s) to scan, single (22), range (22-80), or list (22,80,443) (default "22")
-proto string
Protocol (tcp or udp) (default "tcp")
-pw string
Short form of -password
-r string
Short form of -report (default "none")
-report string
Type of report to generate (none, json, csv) (default "none")
-s string
Short form of -signatures (default "signatures.yaml")
-shodan
Enable Shodan API enrichment
-signatures string
File with signatures (default "signatures.yaml")
-t int
Short form of -threads (default 1)
-threads int
Number of concurrent threads (default 1)
-timeout int
Connection timeout in seconds (default 5)
-u string
Short form of -username
-username string
Username for authentication
-v Short form of -verbose
-verbose
Enable verbose output
-vv
Enable extra verbose (debug) output
-w Short form of -webserver
-webserver
Run as a web server on port 8080
- Scan a single host on port 2822 in verbose mode:
./honeydet -host 192.168.1.1 -port 2822 -verbose
- Scan a range of hosts in debug (extra verbose) mode:
./honeydet -host 192.168.1.1-192.168.1.30 -vv
- Scan hosts from a file with 100 threads, checking for a ping before scanning, with a 5 second timeout, append Shodan API information, and create a JSON report as report.json:
./honeydet -hostfile hosts.txt -t 100 -T 5 -c -r json -o report.json -shodan
- Run in verbose webserver mode to expose an API endpoint:
./honeydet -webserver -verbose
curl 'http://localhost:8080/scan?targets=10.1.1.1/24&report=json&port=3389'
Any contributions to the signatures and detection logic are welcome and will be integrated with proof; just submit the YAML as a PR. Unique signature IDs will be allocated upon collation of submitted signatures. If there's enough interest, I'll add author and reference URL fields to the signature.
Add a new section to signatures.yaml or create a new signature YAML file with the following format:
signatures:
  - name: "signature name"
    id: 1337
    port: port number
    proto: udp/tcp
    steps:
      - input_type: string/hex
        input: "input string or hex value"
        output_match_type: string/hex/regex
        output: "output match string, hex value or regex expression"
        invert_match: false
      - input_type: string/hex
        input: "second step input"
        output_match_type: string/hex/regex
        output: "output match string for step 2"
        invert_match: false
    confidence: "High/Medium/Low"
    comment: "Comment explaining the signature and its detection mechanism"
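How the output side of a multi-step signature can be evaluated offline against recorded responses, for example by a honeypot operator checking whether a deployment would be fingerprinted. This is an added example, not honeydet's own code. The names `Step`, `MatchStep` and `MatchAll` are hypothetical, and it assumes `string` and `hex` outputs match when the response contains those bytes anywhere.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
	"regexp"
)

type Step struct { // response side of one "steps" entry in the format above
	MatchType, Output string // output_match_type, output
	Invert            bool   // invert_match
}

// MatchStep tests one recorded response. Assumed: string/hex mean "contains".
func MatchStep(s Step, resp []byte) (hit bool, err error) {
	switch s.MatchType {
	case "string":
		hit = bytes.Contains(resp, []byte(s.Output))
	case "hex":
		var want []byte
		if want, err = hex.DecodeString(s.Output); err == nil {
			hit = bytes.Contains(resp, want)
		}
	case "regex":
		var re *regexp.Regexp
		if re, err = regexp.Compile(s.Output); err == nil {
			hit = re.Match(resp)
		}
	default:
		err = fmt.Errorf("unknown output_match_type %q", s.MatchType)
	}
	// invert_match flips the verdict; a malformed step never counts as a match.
	return err == nil && hit != s.Invert, err
}

// MatchAll is true only if every step matches its own response, in order.
func MatchAll(steps []Step, resps [][]byte) (bool, error) {
	if len(steps) != len(resps) {
		return false, fmt.Errorf("%d steps, %d responses", len(steps), len(resps))
	}
	for i, s := range steps {
		if ok, err := MatchStep(s, resps[i]); err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}
func main() { // constructed sample: one banner regex step and a made-up reply
	fmt.Println(MatchStep(Step{"regex", `^SSH-2\.0-\S+`, false}, []byte("SSH-2.0-Example\r\n")))
}
```

A step with malformed hex or regex returns an error rather than a match, even when `invert_match` is true, so a broken signature cannot silently flag every host.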