blacknet 2.0.4

Multi-head SSH honeypot system

What

Blacknet is a low interaction SSH multi-head honeypot system with logging capabilities.

You can use it to gather all SSH attempts performed on multiple IPv4 address you own on the internet and draw and export statistics out of it. A dedicated web interface allows live tracking of what happens on your honeypots, which IP addresses are targeting you and from where.

Requirements

• Python dependencies:

  • CPython >= 2.7 or >= 3.4

  • MsgPack

  • PyMySQL

  • Paramiko

• MySQL Server:

  • MySQL (tested with only 5.2+)

  • MariaDB

Installation

Blacknet provides two components, a SSH Server (sensor) and a master server. The master server (blacknet-master) is where the database is located. The SSH server (blacknet-sensor) is just a honeypot instance communicating with the master server. Please read –help from both commands and read blacknet.cfg.example carefully.

You need to generate SSL certificates in order to make blacknet work correctly over network stacks (please see next section).

• Installation using pip: $ pip install blacknet

• Take a copy of blacknet.cfg.example and make your own configuration in /etc/blacknet/ or ${HOME}/.blacknet/

• Run blacknet-install.sql in your MySQL database.

• You can update (and fill) the database with geolocation updates using the command blacknet-updater.

• You can also scrub your data to generate reports or perform metadata checks using blacknet-scrubber (please consult –help for details)

• Command blacknet-scrubber might be best run in a crontab (with –quiet)

• You might want to filter out some specific users for some or all honeypots. Please see blacklist.cfg.example and put it in an appropriate directory.

Create your SSL certificates

Please use EasyRSA or equivalent to generate your own PKI and deliver certificates between your server and your honeypots.

# First clone the easyrsa repository
cd /tmp/
git clone https://github.com/OpenVPN/easy-rsa.git

# Then create a new Authority
cd /tmp/easy-rsa/easyrsa3
./easyrsa init-pki

# When asked provide a Common Name for your CA (eg: Blacknet CA)
./easyrsa build-ca nopass

# Generate and sign a certificate for master server (here called maestro)
./easyrsa gen-req maestro nopass
./easyrsa sign server maestro

# Same for sensors
./easyrsa gen-req honeypot_00 nopass
./easyrsa sign client honeypot_00

PEM file format used by Blacknet starts with the private key and then concatenates with the certificate (example bellow).

cat pki/private/maestro.key pki/issued/maestro.crt > maestro.pem

History

The initial project featured a modified VirtualBox environment as a high interaction honeypot, gathering commands and events such as password changes. We then moved to supporting Kippo, a medium interaction SSH honeypot written in Python. Today’s version uses a lightweight paramiko server as a low-interaction honeypot since there are no more plans (and no more time) to handle commands and events automatically (there are many security concerns around doing high interaction automatically). The underlying MySQL schemes still refers to commands or events but they are mostly kept for backward compatibility reasons.

Integration with Cowrie should not be hard to extend Blacknet features and make it highly interactive again.

This project was initially conducted during our engineering studies in 2010. It was rewritten in 2017 to lower maintenance and installation efforts and to fit with modern python programming standards.

Credits

• Romain Bezut (2010, 2017)

• Vivien Bernet-Rollande (2010)

Thanks

• We would like to thank the UTC (Université de Technologie de Compiègne). Our school brought us support and have made this project possible during class. Special thanks go to our teacher who supervised this project.

• We would like to thank all our friends who helped finding issues and review this project in its early versions.

• The hackers and bots who contributed in spite of themselves to this project.