An ADB Honeypot

Project description

ADBHoneypot: an Android Debug Bridge Honeypot

ADBHoneypot is a honeypot simulating an Android device accessible via the Android Debug Bridge (ADB) protocol over TCP. It is a complete rewrite of the original ADBHoney project, built on the Twisted event-driven networking framework.

The honeypot records all incoming ADB connections, captures shell commands issued by attackers, and saves any files they attempt to push to the fake device. It supports a rich set of output plugins for storing and forwarding events to a variety of backends.

ADB (Android Debug Bridge)

ADB (Android Debug Bridge) and its protocol are what a computer uses to communicate with Android devices (such as phones and TVs). The protocol is an application-layer protocol that can run on top of TCP or USB. ADB implements various control commands (e.g. "adb shell", "adb pull") for the benefit of clients (such as command-line users). These commands are called 'services' in ADB. ADB usually communicates with the device over USB, but it is also possible to use ADB over Wi-Fi after some initial setup over USB. The device can be set to listen for a TCP/IP connection on port 5555 by issuing the command adb tcpip 5555. Devices that do not support authentication can be accessed and attacked remotely, allowing the attacker to take full control of the device by using a combination of the following commands.

For now the honeypot accepts:

  • adb connect host[:port] - Connect to a device over TCP/IP. If you do not specify a port, 5555 is used by default.

  • adb disconnect [host | host:port] - Disconnect from the specified TCP/IP device running on the specified port. If you do not specify a host or a port, then all devices are disconnected from all TCP/IP ports. If you specify a host, but not a port, the default port 5555 is used.

  • adb shell command - Issue a shell command in the target device and then exit the remote shell.

  • adb push local_filepath remote_filepath - Copy files and directories from the local device (computer) to a remote location on the device.
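
To show what a connect followed by a shell command looks like on the wire, here is an added example (not ADBHoneypot's own code) that parses the 24-byte ADB message header and extracts the service string from OPEN messages. The function names, MAX_PAYLOAD and the sample bytes are assumptions made for illustration; the checksum is the legacy byte sum, which newer protocol versions leave as zero, so it is reported rather than enforced.

```python
import struct

HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic
COMMANDS = {b"SYNC", b"CNXN", b"AUTH", b"OPEN", b"OKAY", b"CLSE", b"WRTE"}
MAX_PAYLOAD = 1024 * 1024  # assumed cap so a hostile length field cannot exhaust memory


def pack_message(command, arg0, arg1, data=b""):
    """Build one ADB message (used here only to construct sample input)."""
    cmd = struct.unpack("<I", command)[0]
    return HEADER.pack(cmd, arg0, arg1, len(data), sum(bytearray(data)) & 0xFFFFFFFF,
                       cmd ^ 0xFFFFFFFF) + data


def parse_stream(buf):
    """Return (messages, leftover bytes); raise ValueError on a malformed header."""
    messages, offset = [], 0
    while len(buf) - offset >= HEADER.size:
        cmd, arg0, arg1, length, check, magic = HEADER.unpack_from(buf, offset)
        name = struct.pack("<I", cmd)
        # magic must be the bitwise complement of the command word
        if name not in COMMANDS or magic != cmd ^ 0xFFFFFFFF:
            raise ValueError("not an ADB message at offset %d" % offset)
        if length > MAX_PAYLOAD:
            raise ValueError("oversized payload: %d" % length)
        end = offset + HEADER.size + length
        if end > len(buf):
            break  # payload not fully received yet; keep the bytes for the next read
        data = bytes(buf[offset + HEADER.size:end])
        messages.append({"command": name.decode("ascii"), "arg0": arg0, "arg1": arg1,
                         "data": data,
                         "checksum_ok": check == sum(bytearray(data)) & 0xFFFFFFFF})
        offset = end
    return messages, buf[offset:]


def requested_services(messages):
    """Service strings carried by OPEN messages, e.g. 'shell:uname -a'."""
    return [m["data"].rstrip(b"\x00").decode("utf-8", "replace")
            for m in messages if m["command"] == "OPEN"]


# Constructed sample modelled on the CNXN and OPEN messages a client sends
# for a connect followed by a shell command (legacy version and max-data values).
SAMPLE = (pack_message(b"CNXN", 0x01000000, 4096, b"host::\x00")
          + pack_message(b"OPEN", 1, 0, b"shell:uname -a\x00"))

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE)
    print([m["command"] for m in msgs], requested_services(msgs), len(rest))
```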

Features

  • Full Twisted-based async I/O, scales to many simultaneous connections.
  • Captures shell commands, file pushes, and wget/curl download attempts.
  • Saves uploaded files to disk, named by their SHA-256 hash.
  • Optionally downloads files referenced in wget/curl commands.
  • Configurable fake device identity string (model, features, etc.).
  • Works on Linux and Windows, with Python 2.7 and Python 3.6+.
  • Rich set of output plugins.
  • adbhoneypot CLI command for init/run/start/stop/restart/status.
  • Installable from PyPI.

Prerequisites

  • Python 2.7 or Python 3.6+
  • A working database server (only if you use a database output plugin)

Usage

Check the Linux installation guide or the Windows installation guide for complete instructions on how to install, configure, and run the honeypot.

Links

Android Open Source Project - ADB Overview

Android Developer - ADB Documentation

Reverse-engineered documentation - ADB Protocol

Geir Sporsheim - protocol.py

Download files

Source Distribution

adbhoneypot-3.0.1.tar.gz (85.8 kB view details)

Uploaded Source

Built Distribution

adbhoneypot-3.0.1-py2.py3-none-any.whl (109.8 kB view details)

Uploaded Python 2, Python 3

File details

Details for the file adbhoneypot-3.0.1.tar.gz.

File metadata

  • Download URL: adbhoneypot-3.0.1.tar.gz
  • Upload date:
  • Size: 85.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.4

File hashes

Hashes for adbhoneypot-3.0.1.tar.gz
Algorithm Hash digest
SHA256 0f0816159da8c21645bc1ebc0f927156126d2f45104b8644e1ea8639c9c10c7c
MD5 43e853f68bcb1f9aabd529c8b27a6835
BLAKE2b-256 aaebfdf25e4bee74befa7fcfcbbf75c4497972341145158a79621634846fd795

File details

Details for the file adbhoneypot-3.0.1-py2.py3-none-any.whl.

File metadata

  • Download URL: adbhoneypot-3.0.1-py2.py3-none-any.whl
  • Upload date:
  • Size: 109.8 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.4

File hashes

Hashes for adbhoneypot-3.0.1-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 e5e8d5e9ac02dc5ecf237a80ce8ca9bd5a4bdf4280ff1b6ecf8a0b8c69014ce7
MD5 6e3a737e9ef671bc0e0c8127d0f207a3
BLAKE2b-256 63859ca44b5a5530636c1072c5566115c8304b7d588f220cc765a0ad02e1c731
