beelzebub/README.md
2022-05-14 19:04:44 +02:00
# Beelzebub ![CI](https://github.com/mariocandela/beelzebub/actions/workflows/ci.yml/badge.svg)
A secure, multi-protocol, low-interaction honeypot that is extremely easy to configure via YAML 🚀
## Quick Start
Using [`docker-compose`](https://docs.docker.com/compose/)
```bash
$ docker-compose build
$ docker-compose up -d
```
Using the [Go compiler](https://go.dev/doc/install)
```bash
$ go mod download
$ go build
$ ./beelzebub
```
## Example service configuration
The configurations live in the `/configurations/services` directory; add one new file for each service/port you want the honeypot to expose.
### Example HTTP Honeypot on port 80
###### http-80.yaml
```yaml
apiVersion: "v1"
protocol: "http"
address: ":80"
commands:
  - regex: "microtick"
    handler: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\r\n<link rel=\"icon\" href=\"/favicon.png\"/>\r\n<title>RouterOS router configuration page</title>\r\n<style type=\"text/css\">\r\nbody {\r\nfont-family: Verdana, Geneva, sans-serif;\r\nfont-size: 11px;\r\n}\r\nimg {border: none}\r\nimg:hover {opacity: 0.8;}\r\nh1 {\r\nfont-size: 1.7em;\r\ndisplay: inline;\r\nmargin-bottom: 10px;\r\n}\r\nfieldset {\r\nmargin-top: 20px;\r\nbackground: #fff;\r\npadding: 20px;\r\nborder: 1px solid #c1c1c1; \r\n}\r\n#container {\r\nwidth: 70%;\r\nmargin: 10% auto;\r\n}\r\n#box {\r\nbackground-color: #fff; \r\n-moz-border-radius: 7px; \r\n-webkit-border-radius: 7px; \r\nborder: 1px solid #c1c1c1; \r\npadding: 30px;\r\nfilter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffff', endColorstr='#f3f3f3'); /* for IE */\r\nbackground: -webkit-gradient(linear, left top, left bottom, from(#fff), to(#f3f3f3)); /* for webkit browsers */\r\nbackground: -moz-linear-gradient(top, #fff, #f3f3f3); /* for firefox 3.6+ */\r\n}\r\n.floater {float: left; margin-right: 10px;}\r\n.floater label {display: block; text-align: center;}\r\n\r\n#login {\r\n margin: 2em 0 4em 0;\r\n}\r\n#login h2 {\r\n font-weight: normal;\r\n font-size: 14px;\r\n margin: 0 0 0.5em 1em;\r\n}\r\n#login td {\r\n padding: 0 4px 0 0;\r\n}\r\n#login td.label {\r\n text-align: right;\r\n}\r\n#login td.toolbar {\r\n padding: 0 0 0 1em;\r\n vertical-align: top;\r\n}\r\n#login ul.toolbar {\r\n margin: 0;\r\n}\r\n#login input {\r\n margin: 2px;\r\n padding: 2px;\r\n border: 1px solid #888;\r\n box-shadow: 1px 1px 3px rgba(0,0,0,0.3);\r\n -webkit-box-shadow: 1px 1px 3px rgba(0,0,0,0.3);\r\n -moz-box-shadow: 1px 1px 3px rgba(0,0,0,0.3);\r\n}\r\n#error {\r\n display:none;\r\n color:red;\r\n padding: 1em 0 0 0;\r\n}\r\nul.toolbar {\r\n font-size: 11px;\r\n text-align: left;\r\n list-style-type: none;\r\n padding: 0;\r\n margin: 2px 0 4px 2px;\r\n}\r\nul.toolbar li {\r\n float: left;\r\n vertical-align: middle;\r\n}\r\nul.toolbar a {\r\n float: none;\r\n display: block;\r\n margin: 2px 4px 2px 0;\r\n padding: 5px;\r\n\r\n background: #ddd;\r\n border: 1px solid #888;\r\n border-radius: 3px;\r\n -moz-border-radius: 3px;\r\n box-shadow:\r\n 1px 1px 2px rgba(255,255,255,0.8) inset,\r\n\t0 10px 10px -5px rgba(255,255,255,0.5) inset, /* top gradient */\r\n\t1px 1px 2px rgba(0,0,0,0.2); /* shadow */\r\n -webkit-box-shadow:\r\n 1px 1px 2px rgba(255,255,255,0.8) inset,\r\n\t0 10px 10px -5px rgba(255,255,255,0.5) inset,\r\n\t1px 1px 2px rgba(0,0,0,0.2);\r\n -moz-box-shadow:\r\n 1px 1px 2px rgba(255,255,255,0.8) inset,\r\n\t0 10px 10px -5px rgba(255,255,255,0.5) inset,\r\n\t1px 1px 2px rgba(0,0,0,0.2);\r\n color: #000;\r\n\r\n text-decoration: none;\r\n text-align: center;\r\n white-space: nowrap;\r\n cursor: inherit;\r\n min-width: 4em;\r\n\r\n -webkit-transition: background 0.2s linear, box-shadow 0.2s ease-out;\r\n -moz-transition: background 0.2s linear, box-shadow 0.2s ease-out;\r\n}\r\nul.toolbar a:hover {\r\n background: #eee;\r\n}\r\nul.toolbar a:active {\r\n background: #aaa;\r\n box-shadow: 1px 1px 2px #999 inset;\r\n -webkit-box-shadow: 1px 1px 2px #999 inset;\r\n -moz-box-shadow: 1px 1px 2px #999 inset;\r\n}\r\n</style>\r\n<script>\r\nfunction get(id) {\r\n return document.getElementById(id);\r\n}\r\nfunction trim(str) {\r\n return str.replace(/^\\s+|\\s+$/g, '');\r\n}\r\nfunction login(user, pwd, autologin) {\r\n var expires = new Date();\r\n expires.setTime(expires.getTime() + (30 * 24 * 60 * 60 * 1000));\r\n document.cookie = 'username=' + user +\r\n '; expires=' + expires.toGMTString() + '; path=/';\r\n\r\n window.name = (autologin ? 'autologin=' : 'login=') + user +
    headers:
      - "Content-Type: text/html"
      - "Expires: 0"
      - "Version: 6.42.12"
    statusCode: 200
  - regex: "hello"
    handler: "world!"
    headers:
      - "Content-Type: text/html"
    statusCode: 500
```
### Example HTTP Honeypot on port 8080
###### http-8080.yaml
```yaml
apiVersion: "v1"
protocol: "http"
address: ":8080"
commands:
  - regex: "wp-admin"
    handler: "Unauthorized"
    headers:
      - "Content-Type: text/html"
    statusCode: 401
```
### Example SSH Honeypot
###### ssh-22.yaml
```yaml
apiVersion: "v1"
protocol: "ssh"
address: ":22"
commands:
  - regex: "^ls$"
    handler: "Documents Images Desktop Downloads .m2 .kube .ssh .docker"
  - regex: "^pwd$"
    handler: "/home/"
  - regex: "^uname -m$"
    handler: "x86_64"
  - regex: "^docker ps$"
    handler: "CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES"
  - regex: "^docker .*$"
    handler: "Error response from daemon: dial unix docker.raw.sock: connect: connection refused"
  - regex: "^uname$"
    handler: "Linux"
  - regex: "^ps$"
    handler: " PID TTY TIME CMD\n21642 ttys000 0:00.07 /bin/dockerd"
  - regex: "^(.+)$"
    handler: "command not found"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty)$"
deadlineTimeoutSeconds: 60
```
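The following Go program is an added example, not part of the Beelzebub code base, that shows what the `commands` tables in the HTTP and SSH files above mean in practice: every regex is compiled once at start-up, rules are tried in file order, and the first match decides the reply. That is why `^docker ps$` sits before `^docker .*$` and why the catch-all `^(.+)$` must stay last. It also checks a login password against `passwordRegex` and serves an HTTP table the way `http-8080.yaml` implies. The struct and function names, the first-match-in-order rule, and matching HTTP rules against the request path are assumptions of this example; the two sample tables are constructed here, abridged from the YAML above.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Command mirrors one entry of a service file's `commands:` list (names chosen for this example).
type Command struct {
	Regex      string
	Handler    string
	Headers    []string // HTTP only, "Name: value" as written in the YAML
	StatusCode int      // HTTP only
}

// Service mirrors the top-level keys used by the examples above.
type Service struct {
	Commands      []Command
	PasswordRegex string // SSH only
}

// Matcher keeps the compiled regexes in file order, parallel to the commands.
type Matcher struct {
	res      []*regexp.Regexp
	cmds     []Command
	password *regexp.Regexp
}

// NewMatcher compiles every regex up front, so a typo in a config fails at start-up, not on the first connection.
func NewMatcher(s Service) (*Matcher, error) {
	m := &Matcher{cmds: s.Commands}
	for _, c := range s.Commands {
		re, err := regexp.Compile(c.Regex)
		if err != nil {
			return nil, fmt.Errorf("command %q: %w", c.Regex, err)
		}
		m.res = append(m.res, re)
	}
	if s.PasswordRegex != "" {
		re, err := regexp.Compile(s.PasswordRegex)
		if err != nil {
			return nil, fmt.Errorf("passwordRegex: %w", err)
		}
		m.password = re
	}
	return m, nil
}

// Match returns the first command whose regex matches, in file order (assumed first-match semantics).
func (m *Matcher) Match(input string) (Command, bool) {
	for i, re := range m.res {
		if re.MatchString(input) {
			return m.cmds[i], true
		}
	}
	return Command{}, false
}

// AcceptPassword reports whether a login password satisfies passwordRegex; no regex means no login succeeds.
func (m *Matcher) AcceptPassword(pw string) bool {
	return m.password != nil && m.password.MatchString(pw)
}

// ServeHTTP answers from the command table (assumption: rules are matched against the request path).
func (m *Matcher) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	cmd, ok := m.Match(r.URL.Path)
	if !ok {
		http.NotFound(w, r)
		return
	}
	for _, h := range cmd.Headers {
		if kv := strings.SplitN(h, ":", 2); len(kv) == 2 {
			w.Header().Set(strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1]))
		}
	}
	w.WriteHeader(cmd.StatusCode)
	fmt.Fprint(w, cmd.Handler)
}

// Constructed sample tables, abridged from http-8080.yaml and ssh-22.yaml above.
var HTTP8080 = Service{Commands: []Command{
	{Regex: "wp-admin", Handler: "Unauthorized", Headers: []string{"Content-Type: text/html"}, StatusCode: 401},
}}

var SSH22 = Service{PasswordRegex: "^(root|qwerty)$", Commands: []Command{
	{Regex: "^docker ps$", Handler: "CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES"},
	{Regex: "^docker .*$", Handler: "Error response from daemon: dial unix docker.raw.sock: connect: connection refused"},
	{Regex: "^uname$", Handler: "Linux"},
	{Regex: "^(.+)$", Handler: "command not found"},
}}

func main() {
	ssh, _ := NewMatcher(SSH22)
	cmd, _ := ssh.Match("uname -m") // ^uname$ is anchored, so the catch-all answers
	fmt.Println(cmd.Handler)
}
```

Two things the tables rely on are visible here. `regexp.MatchString` is unanchored, so the SSH rules pin themselves with `^...$` (otherwise `^(.+)$`-style rules would never be needed and `docker` would match `mydocker`), while the HTTP rules `microtick` and `wp-admin` deliberately match anywhere in the path. And because the first matching rule wins, moving `^docker .*$` above `^docker ps$` would silently turn every `docker ps` into the "connection refused" reply; keep the most specific regex first and compile the whole file at start-up so a malformed pattern is reported before the service is exposed.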
## Features
- SSH Honeypot
- HTTP Honeypot
- Easy to create a new strategy
- Easy to extend event tracking logic
- Strong code quality
- Docker
## TODO
- telnet
- tcp
## Documentation
- [API Docs](https://) #TODO
## Contributing
The beelzebub team enthusiastically welcomes contributions and project participation! There's a bunch of things you can do if you want to contribute! The [Contributor Guide](CONTRIBUTING.md) has all the information you need for everything from reporting bugs to contributing entire new features. Please don't hesitate to jump in if you'd like to, or even ask us questions if something isn't clear.
All participants and maintainers in this project are expected to follow [Code of Conduct](CODE_OF_CONDUCT.md), and just generally be excellent to each other.
Happy hacking!
## License
This project is licensed under [GNU GPL 3 License](LICENSE).