beelzebub/README.md

# Beelzebub ![CI](https://github.com/mariocandela/beelzebub/actions/workflows/ci.yml/badge.svg) ![Docker](https://github.com/mariocandela/beelzebub/actions/workflows/docker-image.yml/badge.svg)

A secure multi protocol low interaction event-driven honeypot, extremely easy to configure by yaml 🚀

## Quick Start

Using [`docker-compose`](https://docs.docker.com/compose/)

```bash
$ docker-compose build
$ docker-compose up -d
 ```

Using [`go compiler`](https://go.dev/doc/install)

```bash
$ go mod download
$ go build 
$ ./beelzebub
 ```

## Example configuration service 

The configurations are inside the /configurations/services directory, just add a new file for each service/port.

### Example HTTP Honeypot on 80 port

###### http-80.yaml

```yaml
apiVersion: "v1"
protocol: "http"
address: ":80"
description: "Wordpress 6.0"
commands:
  - regex: "index.php"
    handler: "<!DOCTYPE html><html lang=\"en-US\"><head><meta charset=\"UTF-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name='robots' content='max-image-preview:large' /><title>test – Just another WordPress site</title><link rel='dns-prefetch' href='//s.w.org' /><link rel=\"alternate\" type=\"application/rss+xml\" title=\"test » Feed\" href=\"https://wordpress.com/?feed=rss2\" /><link rel=\"alternate\" type=\"application/rss+xml\" title=\"test » Comments Feed\" href=\"https://wordpress.com/?feed=comments-rss2\" /><script>;window._wpemojiSettings={'baseUrl':'https:\\/\\/s.w.org\\/images\\/core\\/emoji\\/14.0.0\\/72x72\\/','ext':'.png','svgUrl':'https:\\/\\/s.w.org\\/images\\/core\\/emoji\\/14.0.0\\/svg\\/','svgExt':'.svg','source':{'concatemoji':'http:\\/\\/X\\/wp-includes\\/js\\/wp-emoji-release.min.js?ver=6.0'}};/*! This file is auto-generated */!function(t,a,e){var s,r,i,n=a.createElement('canvas'),o=n.getContext&&n.getContext('2d');function p(e,t){var a=String.fromCharCode,e=(o.clearRect(0,0,n.width,n.height),o.fillText(a.apply(this,e),0,0),n.toDataURL());return o.clearRect(0,0,n.width,n.height),o.fillText(a.apply(this,t),0,0),e===n.toDataURL()};function c(e){var t=a.createElement('script');t.src=e,t.defer=t.type='text/javascript',a.getElementsByTagName('head')[0].appendChild(t)};for(i=Array('flag','emoji'),e.supports={everything:!0,everythingExceptFlag:!0},r=0;r<i.length;r++)e.supports[i[r]]=function(e){if(!o||!o.fillText)return!1;switch(o.textBaseline='top',o.font='600 32px Arial',e){case'flag':return p([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!p([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!p([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case'emoji':return!p([129777,127995,8205,129778,127999],[129777,127995,8203,129778,127999])};return!1}(i[r]),e.supports.everything=e.supports.everything&&e.supports[i[r]],'flag'!==i[r]&&(e.supports.everythingExceptFlag=e.supports.everythingExceptFlag&&e.supports[i[r]]);e.supports.everythingExceptFlag=e.supports.everythingExceptFlag&&!e.supports.flag,e.DOMReady=!1,e.readyCallback=function(){e.DOMReady=!0},e.supports.everything||(s=function(){e.readyCallback()},a.addEventListener?(a.addEventListener('DOMContentLoaded',s,!1),t.addEventListener('load',s,!1)):(t.attachEvent('onload',s),a.attachEvent('onreadystatechange',function(){'complete'===a.readyState&&e.readyCallback()})),(t=e.source||{}).concatemoji?c(t.concatemoji):t.wpemoji&&t.twemoji&&(c(t.twemoji),c(t.wpemoji)))}(window,document,window._wpemojiSettings);</script><style>img.wp-smiley,img.emoji{display:inline !important;border:none !important;box-shadow:none !important;height:1em !important;width:1em !important;margin:0 0.07em !important;vertical-align:-0.1em !important;background:none !important;padding:0 !important}</style><style id='wp-block-site-logo-inline-css'>.wp-block-site-logo{line-height:0}.wp-block-site-logo a{display:inline-block}.wp-block-site-logo.is-default-size img{width:120px;height:auto}.wp-block-site-logo a,.wp-block-site-logo img{border-radius:inherit}.wp-block-site-logo.aligncenter{margin-left:auto;margin-right:auto;text-align:center}.wp-block-site-logo.is-style-rounded{border-radius:9999px}</style><style id='wp-block-group-inline-css'>.wp-block-group{box-sizing:border-box}:where(.wp-block-group.has-background){padding:1.25em 2.375em}</style><style id='wp-block-page-list-inline-css'>.wp-block-navigation .wp-block-page-list{display:flex;background-color:inherit}.wp-block-navigation .wp-block-navigation-item{background-color:inherit}</style><link rel='stylesheet' id='wp-block-navigation-css' href='https://wordpress.com/wp-includes/blocks/navigation/style.min.css?ver=6.0' media='all' /><style id='wp-block-template-part-inline-css'>.wp-block-template-part.has-background{padding:1.25em 2.375em;margin-top:0;margin-bottom:0}</style><style id='wp-block-image-inline-css'>.wp-bl
    headers:
      - "Content-Type: text/html"
      - "Server: Apache/2.4.53 (Debian)"
      - "X-Powered-By: PHP/7.4.29"
    statusCode: 200
  - regex: "^(wp-login.php|/wp-admin)$"
    handler: "<!DOCTYPE html><html lang=\"en-US\"><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" /><title>Log In ‹ test — WordPress</title><meta name='robots' content='max-image-preview:large, noindex, noarchive' /><link rel='dns-prefetch' href='//s.w.org' /><link rel='stylesheet' id='dashicons-css' href='https://wordpress.com/wp-includes/css/dashicons.min.css?ver=6.0' media='all' /><link rel='stylesheet' id='buttons-css' href='https://wordpress.com/wp-includes/css/buttons.min.css?ver=6.0' media='all' /><link rel='stylesheet' id='forms-css' href='https://wordpress.com/wp-admin/css/forms.min.css?ver=6.0' media='all' /><link rel='stylesheet' id='l10n-css' href='https://wordpress.com/wp-admin/css/l10n.min.css?ver=6.0' media='all' /><link rel='stylesheet' id='login-css' href='https://wordpress.com/wp-admin/css/login.min.css?ver=6.0' media='all' /><meta name='referrer' content='strict-origin-when-cross-origin' /><meta name=\"viewport\" content=\"width=device-width\" /></head><body class=\"login no-js login-action-login wp-core-ui locale-en-us\"><script type=\"text/javascript\">;document.body.className=document.body.className.replace('no-js','js');</script><div id=\"login\"><h1><a href=\"https://wordpress.org/\">Powered by WordPress</a></h1><form action=\"\" method=\"post\"><p><label for=\"user_login\">Username or Email Address</label><input type=\"text\" name=\"log\" id=\"user_login\" class=\"input\" value=\"\" size=\"20\" autocapitalize=\"off\" autocomplete=\"username\" /></p><div class=\"user-pass-wrap\"><label for=\"user_pass\">Password</label><div class=\"wp-pwd\"><input type=\"password\" name=\"pwd\" id=\"user_pass\" class=\"input password-input\" value=\"\" size=\"20\" autocomplete=\"current-password\" /><button type=\"button\" class=\"button button-secondary wp-hide-pw hide-if-no-js\" data-toggle=\"0\" aria-label=\"Show password\"><span class=\"dashicons dashicons-visibility\" aria-hidden=\"true\"></span></button></div></div><p class=\"forgetmenot\"><input name=\"rememberme\" type=\"checkbox\" id=\"rememberme\" value=\"forever\" /><label for=\"rememberme\">Remember Me</label></p><p class=\"submit\"><input type=\"submit\" name=\"wp-submit\" id=\"wp-submit\" class=\"button button-primary button-large\" value=\"Log In\" /><input type=\"hidden\" name=\"redirect_to\" value=\"https://wordpress.com/wp-admin/\" /><input type=\"hidden\" name=\"testcookie\" value=\"1\" /></p></form><p id=\"nav\"><a href=\"https://wordpress.com/wp-login.php?action=lostpassword\">Lost your password?</a></p><script type=\"text/javascript\">;function wp_attempt_focus(){setTimeout(function(){try{d=document.getElementById('user_login');d.focus();d.select()}catch(t){}},200)};wp_attempt_focus();if(typeof wpOnload==='function'){wpOnload()};</script><p id=\"backtoblog\"><a href=\"https://wordpress.com/\">← Go to test</a></p></div><script src='https://wordpress.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script><script src='https://wordpress.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script><script id='zxcvbn-async-js-extra'> var _zxcvbnSettings = {\"src\":\"http:\\/\\/X\\/wp-includes\\/js\\/zxcvbn.min.js\"}; </script><script src='https://wordpress.com/wp-includes/js/zxcvbn-async.min.js?ver=1.0' id='zxcvbn-async-js'></script><script src='https://wordpress.com/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9' id='regenerator-runtime-js'></script><script src='https://wordpress.com/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0' id='wp-polyfill-js'></script><script src='https://wordpress.com/wp-includes/js/dist/hooks.min.js?ver=c6d64f2cb8f5c6bb49caca37f8828ce3' id='wp-hooks-js'></script><script src='https://wordpress.com/wp-includes/js/dist/i18n.min.js?ver=ebee46757c6a411e38fd079a7ac71d94' id='wp-i18n-js'></script><script id='wp-i18n-js-after'> wp.i18n.setLocaleData( { 'text direction\\u0004ltr': [ 'ltr' ] } ); </script><script id='password-strength-meter-js-extra'> var pwsL10n = {\"unknown\":\"Password strength unknown\",\"shor
    headers:
      - "Content-Type: text/html"
      - "Server: Apache/2.4.53 (Debian)"
      - "X-Powered-By: PHP/7.4.29"
    statusCode: 200
 ```

![alt text](https://i.postimg.cc/529V6jYz/Schermata-2022-06-02-alle-12-42-46.png)


### Example HTTP Honeypot on 8080 port

###### http-8080.yaml

```yaml
apiVersion: "v1"
protocol: "http"
address: ":8080"
description: "Apache 401"
commands:
  - regex: ".*"
    handler: "Unauthorized"
    headers:
      - "www-Authenticate: Basic"
      - "server: Apache"
    statusCode: 401
 ```

![alt text](https://i.postimg.cc/T1cs6qc4/Schermata-2022-06-02-alle-12-43-55.png)

### Example SSH Honeypot

###### ssh-22.yaml

```yaml
apiVersion: "v1"
protocol: "ssh"
address: ":22"
description: "SSH interactive"
commands:
  - regex: "^ls$"
    handler: "Documents Images  Desktop Downloads .m2 .kube .ssh  .docker"
  - regex: "^pwd$"
    handler: "/home/"
  - regex: "^uname -m$"
    handler: "x86_64"
  - regex: "^docker ps$"
    handler: "CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES"
  - regex: "^docker .*$"
    handler: "Error response from daemon: dial unix docker.raw.sock: connect: connection refused"
  - regex: "^uname$"
    handler: "Linux"
  - regex: "^ps$"
    handler: "  PID TTY           TIME CMD\n21642 ttys000    0:00.07 /bin/dockerd"
  - regex: "^(.+)$"
    handler: "command not found"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666)$"
deadlineTimeoutSeconds: 60
 ```

![alt text](https://i.postimg.cc/jdpfT0LB/Schermata-2022-06-02-alle-12-46-50.png)

## Features

- SSH Honeypot
- HTTP Honeypot
- Easy to create a new strategy
- Easy to extend event tracking logic
- Strong code quality
- Docker
- RabbitMQ integration

## TODO

- telnet
- tcp

## Documentation

- [API Docs](https://) #TODO

## Contributing

The beelzebub team enthusiastically welcomes contributions and project participation! There's a bunch of things you can do if you want to contribute! The [Contributor Guide](CONTRIBUTING.md) has all the information you need for everything from reporting bugs to contributing entire new features. Please don't hesitate to jump in if you'd like to, or even ask us questions if something isn't clear.

All participants and maintainers in this project are expected to follow [Code of Conduct](CODE_OF_CONDUCT.md), and just generally be excellent to each other.

Happy hacking!

## License

This project is licensed under [GNU GPL 3 License](LICENSE).