cmsecurity / cameraobscura Goto Github PK

The honeypot needs an UDP based camera stream or an image source.

The camera stream should be useing common protocols, like RTSP, maybe also use a 'fake shitty ActiveX plugin'.

If the vulnerable camera vendor uses and TCP based method (e. g. to serve an image, it can be used via the routes config. See #2).

Such a great project, why dont update anymore?

To mitigate 500 / FileNotFound errors, it might be a wise decision to include a quick folder check and creation in the startup routine of main.py.
Something along the lines of

from pathlib import Path
Path(workdir).mkdir(parents=True, exist_ok=True)
Path(upload_folder).mkdir(parents=True, exist_ok=True)

Replace usage of global keyword with pydantic.

Currently, we're using a fixed upload_folder with the value ./dl/.
To improve automation capabilities and ease setup overhead, we should also include this path in the configuration.

Implement configuration of routes that the honeypot can fake several manufacturers to simulate a vulnerable environment.

The routing has three parts: The route itself, it's headers and requests fields (POST, GET etc.), possibly returned variables (like session tokens) and actions. Actions define what the route should to.

The actions are predefined Python based methods which can be enhanced. If the honeypot maintainer needs more complex actions, it can be accomplished.

Variables

• $session a simulated session token e. g. returned by an authorization route, created by the authorize Action. Will be valid until a route calls the deauthorize action.
• $hostname the configured hostname
• $serialnumber a fake serial number

You can also use variables from the honeypot configuration file. E. g. you configured MY_VARIABLE, you can use that value by prefixing it wiith a "$": $MY_VARIABLE.

Actions

Actions are predefined operations a route should do.

• authorize: Tries to login a user with the given credentials (will be searched in POST or GET or also out of an Authorization-Header). Will set '$session' to a new token
• deauthorize: Revokes a token. The token will be searched in any text containing header field, so it can be used from POST or GET or also out of an Authorization-Header.
• tokencheck: Tries to find an token in POST, GET or in a header field. If nothing was found, the route causes an 403 Forbidden response
• catchfile: Will store any file uploaded in HTTP file-Fields
• servefile: Will use a given file as response source. It will take the arguments file. If the file is application/json, text/plain or text/xml, the variables can be used. You can also use the property mime to control the mimetype-header.
• log: Causes an log entry for the request data. The log will be choosed from the honeypot's main settings (e. g. into JSON)
• camera returns an image as a response. Which image you want to use can be mappend in the config. Attention This will overwrite settings of response. If you name the folder like the route name, you can control which image will be served.

Action arguments

If an action needs one or more arguments, the route object itself will be extended by an sub object named by the action name. That means, you can use only one element of an action type per route.

Responses

The response field will only be used if the actions were successfully. If not, one or more actions may cause an 403 forbidden, for example.

Example

{
  '/authorize/': {
      'header': {
         'Server': 'lighthttpd 0.1'
      },
     'response: {
       status: 200,
       statusText: 'Ok',
       response: '$session'
     },
     'action: [
       'authorize',
       'log'
     ]
  },
  '/cam01/': {
     action: [
       'log',
       'camera'
     ]
  },
 '/file/': {
    'action': [
       'log',
       'servefile'
    ],
    servefile: {
       file: '/srv/foo.txt',
       mime: 'text/plain'
    }
 }
 '/update/': {
      'file': [
         'firmware'
      ],
      'header': {
         'Server': 'Apache2'
      },
     'response: {
       status: 200,
       statusText: 'Ok',
      response: 'Firmware upgraded successfully'
     },
     'action: [
       'authorize',
       'catchfile',
       'log'
     ]
  }
}

Implement JSON logging

Orientation could be the JSON output of cowrie.

{
"eventid": "eventname", 
"timestamp": "2018-01-30T06:45:27.548949Z", 
"message": "Human readable message", 
"system": "Subsystem", 
"isError": 0, 
"src_ip": "127.0.0.1", 
"duration": 3.4600610733032227, 
"session": "b6978d744603", 
"sensor": "name"
}