Hi,

I made a novel honeypot for worms called Youpot.

Normally a honeypot will try to implement whatever service it thinks the attacker would like. For a high interaction or pure honeypot this is often impossible, because of the thousands of possibilities. Even a simple telnet server will have thousands of variants: different banners, different shells, different default passwords, on different IoT devices etc.

Youpot works around this by listening on all TCP ports, connecting back to the attacker's IP on the same port he connected to us, and proxying the traffic back to him. No need to implement any service emulation, and yet the worm gets exactly the service it wants. And it is on a real system (the attacker's system, but he doesn't know it), so this is a pure honeypot.

We can just sit back and enjoy the show as the attacker attacks himself.


TLS and SSH protocols are detected and a further MiTM is executed against them. Otherwise youpot is just a simple TCP proxy.

Also, for people with a weird sense of humor, there is some support for replacing parts of traffic with our own data :)

More info here:
https://github.com/sq5bpf/youpot
https://lipkowski.com/youpot/


This project will be presented today at the Confidence 2025 conference in Cracow/Poland.

Have fun :)

Jacek

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
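The reflecting-proxy idea from the announcement, as an added illustration; this is not Youpot's own code and makes no claim about how the project is implemented. It shows the core rule (send the peer back to its own IP on the port it knocked on), a bidirectional relay, the optional traffic-rewriting hook, and a capture log a defender would keep. Listening on every TCP port (and the TLS/SSH MiTM) is left out; the example binds one port. For the self-test, a local echo server stands in for "the service on the attacker's host" and the target rule is overridden, because a true reflection on localhost would loop back into the proxy itself.

```python
"""Youpot-style reflecting TCP proxy (added example, not the project's code)."""
import asyncio
from typing import Callable, List, Optional, Tuple

Target = Tuple[str, int]
TargetSelector = Callable[[str, int], Target]
Rewrite = Callable[[bytes], bytes]
LogEntry = Tuple[str, bytes]


def reflect_target(peer_ip: str, local_port: int) -> Target:
    """The rule described in the post: connect the peer to itself, same port."""
    return (peer_ip, local_port)


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter,
                rewrite: Optional[Rewrite], log: Optional[List[LogEntry]], tag: str) -> None:
    """Relay bytes one way, recording the original traffic and optionally rewriting it."""
    try:
        while True:
            data = await reader.read(65536)
            if not data:  # EOF from this side: tear down the other side too
                break
            if log is not None:
                log.append((tag, data))
            if rewrite is not None:
                data = rewrite(data)
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def handle_connection(reader: asyncio.StreamReader, writer: asyncio.StreamWriter,
                            select_target: TargetSelector = reflect_target,
                            rewrite_c2s: Optional[Rewrite] = None,
                            rewrite_s2c: Optional[Rewrite] = None,
                            log: Optional[List[LogEntry]] = None) -> None:
    """Accept one inbound connection and splice it to the selected target."""
    peer_ip = writer.get_extra_info("peername")[0]
    local_port = writer.get_extra_info("sockname")[1]
    host, port = select_target(peer_ip, local_port)
    try:
        up_reader, up_writer = await asyncio.open_connection(host, port)
    except OSError:
        writer.close()  # the peer has nothing listening there; drop it
        return
    await asyncio.gather(
        _pump(reader, up_writer, rewrite_c2s, log, "c2s"),   # client -> its own service
        _pump(up_reader, writer, rewrite_s2c, log, "s2c"),   # its own service -> client
    )


async def start_proxy(host: str, port: int, **kw) -> asyncio.base_events.Server:
    async def _handler(r: asyncio.StreamReader, w: asyncio.StreamWriter) -> None:
        await handle_connection(r, w, **kw)
    return await asyncio.start_server(_handler, host, port)


async def _echo(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Constructed stand-in for the service on the peer's own host."""
    writer.write(await reader.read(65536))
    await writer.drain()
    writer.close()


async def _selftest() -> Tuple[bytes, List[LogEntry]]:
    echo = await asyncio.start_server(_echo, "127.0.0.1", 0)
    echo_port = echo.sockets[0].getsockname()[1]
    log: List[LogEntry] = []
    proxy = await start_proxy(
        "127.0.0.1", 0,
        select_target=lambda ip, p: (ip, echo_port),          # test override of reflect_target
        rewrite_s2c=lambda b: b.replace(b"root", b"nobody"),  # the "replace parts of traffic" hook
        log=log,
    )
    proxy_port = proxy.sockets[0].getsockname()[1]
    r, w = await asyncio.open_connection("127.0.0.1", proxy_port)
    w.write(b"login root\n")            # constructed sample of what a scanner might send
    await w.drain()
    reply = await r.read()              # proxy closes our side once the echo side hangs up
    w.close()
    proxy.close()
    echo.close()
    return reply, log


def run_selftest() -> Tuple[bytes, List[LogEntry]]:
    return asyncio.run(_selftest())


if __name__ == "__main__":
    print(run_selftest())
```

`reflect_target` is the only Youpot-specific piece; everything else is a plain TCP splice, which is the point the post makes: no service emulation is needed because the peer supplies its own service. The log keeps the unmodified bytes in both directions, so the rewrite hook never hides what was actually exchanged.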