mushorg / conpot
ICS/SCADA honeypot
License: GNU General Public License v2.0
They are in the setup.py but don't get properly picked up by pip (or distribute?)
The egg would allow us to install modbus-tk using distribute.
Any opinions on forking modbus-tk to github?
IMO we should also have the start time in the session_data object, as we are queueing the data and the events only hold the elapsed time.
What do you think?
session_data = {'session_id': session_id, 'remote': address, 'data_type': 'modbus', 'start_time': start_time, 'data': {}}
The values shouldn't all be static. For the generated profiles one should be able to define ranges and rates of change. For the cloned real ICS profiles, we want to auto-generate this from a diff.
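As an added illustration of the two ideas above (bounded values with a rate of change for generated profiles, and ranges derived from a diff of successive readings of a real device), here is example code that is not part of Conpot; the class and function names, and the sample snapshots, are constructed for this example:

```python
import random


class DynamicRegister:
    """Simulated process value for a honeypot profile (hypothetical helper).

    Instead of a static register value, the value drifts inside [low, high]
    by at most `max_step` units per read, so repeated polls by a scanner look
    like a live process rather than a constant. max_step=0 keeps it static.
    """

    def __init__(self, low, high, start=None, max_step=1, seed=None):
        if low > high:
            raise ValueError("low must not exceed high")
        self.low, self.high, self.max_step = low, high, max_step
        self.value = low if start is None else start
        self._rng = random.Random(seed)   # seeded so a profile is reproducible

    def tick(self):
        """Advance one step and return the new, clamped value."""
        delta = self._rng.randint(-self.max_step, self.max_step)
        self.value = max(self.low, min(self.high, self.value + delta))
        return self.value


def sample_series(register, n):
    """Read the register n times, as a polling client would."""
    return [register.tick() for _ in range(n)]


def ranges_from_snapshots(snapshots):
    """Derive (low, high, max_step) per register address from snapshots of a
    real device taken in time order, e.g. {address: value} dicts from a scraper.
    low/high are the observed extremes, max_step the largest change between
    two consecutive snapshots (the observed rate of change per poll)."""
    ranges = {}
    for snap in snapshots:
        for addr, val in snap.items():
            low, high, step = ranges.get(addr, (val, val, 0))
            ranges[addr] = (min(low, val), max(high, val), step)
    for prev, cur in zip(snapshots, snapshots[1:]):
        for addr, val in cur.items():
            if addr in prev:
                low, high, step = ranges[addr]
                ranges[addr] = (low, high, max(step, abs(val - prev[addr])))
    return ranges


def build_profile(ranges, seed=None):
    """Turn derived ranges into live registers, starting each at its midpoint."""
    return {addr: DynamicRegister(low, high, start=(low + high) // 2,
                                  max_step=step, seed=seed)
            for addr, (low, high, step) in ranges.items()}


if __name__ == "__main__":
    # Constructed example: a tank level in 0..1000 moving at most 5 units per read.
    level = DynamicRegister(0, 1000, start=500, max_step=5, seed=42)
    print(sample_series(level, 10))
    # Constructed snapshots of two holding registers polled three times.
    snaps = [{1: 100, 2: 7}, {1: 104, 2: 7}, {1: 99, 2: 8}]
    print(ranges_from_snapshots(snaps))
```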
and how to import it and start the SNMP server...
Describe how to create a custom profile for modbus and SNMP.
A client and instructions on how to use it.
The basic documentation should cover installation, usage, customization and how to create profiles for modbus and snmp.
Create HMI using HTML.
Siemens has made an iPhone application which can be used to control S7-1200 PLCs.
It would be interesting to find out which protocol it uses - and possibly implement this protocol in Conpot.
There are various tools available to identify ICS. We should run them against conpot and create a recon tool profile for better handling in the future.
This could also be integrated as a test to verify if we are responding according to the modbus specification.
Infracritical NMAP scripts: http://www.infracritical.com/?p=4909
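An added example, not part of Conpot, of the kind of check the "responding according to the modbus specification" test above would run: it builds a Read Holding Registers (FC 3) request, then verifies a captured reply frame against the Modbus/TCP framing rules (transaction id and unit id echoed, protocol id 0, length field matching the frame, byte count matching the requested register count, or a well-formed exception response). The sample frames are constructed for this example and could be replaced by bytes recorded from a real scanner session:

```python
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id


def build_read_holding_registers(tid, unit, start, count):
    """Build a Modbus/TCP Read Holding Registers (FC 3) request frame."""
    pdu = struct.pack(">BHH", 3, start, count)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu   # length counts unit id + PDU


def parse_frame(frame):
    """Split a Modbus/TCP frame into its MBAP fields and PDU."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    pdu = frame[MBAP.size:]
    return {"tid": tid, "proto": proto, "length": length, "unit": unit,
            "fc": pdu[0], "pdu": pdu}


def check_response(request, response):
    """Return the list of spec deviations found in `response` to an FC 3
    `request`. An empty list means the reply is well-formed."""
    req, resp = parse_frame(request), parse_frame(response)
    problems = []
    if resp["tid"] != req["tid"]:
        problems.append("transaction id not echoed")
    if resp["proto"] != 0:
        problems.append("protocol id must be 0")
    if resp["length"] != len(resp["pdu"]) + 1:
        problems.append("length field does not match frame size")
    if resp["unit"] != req["unit"]:
        problems.append("unit id not echoed")
    if resp["fc"] == req["fc"] | 0x80:          # exception response: FC + 0x80, one code byte
        if len(resp["pdu"]) != 2:
            problems.append("exception response must be function code + exception code")
        return problems
    if resp["fc"] != req["fc"]:
        problems.append("function code not echoed")
        return problems
    _, _, count = struct.unpack(">BHH", req["pdu"])
    byte_count = resp["pdu"][1] if len(resp["pdu"]) > 1 else -1
    if byte_count != 2 * count or len(resp["pdu"]) != 2 + byte_count:
        problems.append("byte count does not match requested register count")
    return problems


def registers(response):
    """Decode the 16-bit register values carried by an FC 3 response."""
    pdu = parse_frame(response)["pdu"]
    n = pdu[1] // 2
    return list(struct.unpack(">%dH" % n, pdu[2:2 + 2 * n]))


# Constructed sample frames (tid 1, unit 1, registers 0..1), not captured traffic.
SAMPLE_REQUEST = build_read_holding_registers(1, 1, 0, 2)
SAMPLE_OK_RESPONSE = b"\x00\x01\x00\x00\x00\x07\x01\x03\x04\x00\x0a\x00\x14"
SAMPLE_EXCEPTION = b"\x00\x01\x00\x00\x00\x03\x01\x83\x02"   # illegal data address
SAMPLE_BAD = b"\x00\x02\x00\x00\x00\x09\x01\x03\x04\x00\x0a\x00\x14"   # wrong tid, wrong length

if __name__ == "__main__":
    for name, resp in [("ok", SAMPLE_OK_RESPONSE), ("exception", SAMPLE_EXCEPTION), ("bad", SAMPLE_BAD)]:
        print(name, check_response(SAMPLE_REQUEST, resp))
    print(registers(SAMPLE_OK_RESPONSE))
```

To use it against a running honeypot, send SAMPLE_REQUEST over TCP/502 and pass the bytes received to check_response; a non-empty list is a framing deviation a recon tool might also notice.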
Seems like we are not logging set commands.
Cover the logging capabilities.
As discussed in #14 move into a different task.
I did not fully sort out what goes wrong,
but I encountered the following problem:
Trying to set a snmp value that has been previously registered via
XML template, produces the following error:
creo$ snmpset -c public -v 1 10.203.96.128 1.3.6.1.2.1.2.2.1.3 i 2
Error in packet.
Reason: (noSuchName) There is no such variable name in this MIB.
Failed object: IF-MIB::ifType
Curiously, while this implies that this OID could not be found,
it is indeed aware of the parameters associated to this object
when I try to set a wrong object type ( string instead of integer ):
creo$ snmpset -c public -v 1 10.203.96.128 1.3.6.1.2.1.2.2.1.3 s test
IF-MIB::ifType: Bad variable type (Type of attribute is INTEGER, not OCTET STRING)
It would be useful if we could get the IP of the honeypot when reporting with hpfeeds. Some folks might object to this (which would be understandable), so an alternative could be to only transmit the geolocation.
It might look like this in conpot.cfg:
[hpfriends]
#ip: log honeypot IP
#geoloc: log only the geolocation of the IP
#none (or commented out): log no location info
location_mode = ip
We should provide a package on pypi for easy installation.
Tool to clone an ICS with modbus interface to mimic real systems.
If we can extract values from STEP7 projects, we can create realistic modbus profiles without scraping actual hardware.
(I am looking into this at the moment)
Not quite sure if we should use ports in "userspace" for the tests so we don't have to run as root. On the other hand we should run the tests as they are run by the user. What do you think? https://travis-ci.org/glastopf/conpot/builds/6569494
Skills required: Python, basic C++, dissecting network traffic.
*Time estimation:* We assume this to be a three months project.
Short Description: Improve Conpot’s current very minimal support for the DNP3 protocol. Goal is to provide a server capable of basic DNP3 communication.
Description:
Conpot provides a variety of common protocols: Modbus, S7Comm, SNMP, HTTP and Kamstrup. We are always working on getting additional protocols supported. This is a rather complicated task as many protocols don't have an open source implementation, documentation is rather complex or simply not available. One of the protocols we are interested in is DNP3 (Distributed Network Protocol) which is similar to IEC 60870-5 and often used for communication between control centers, RTUs (Remote Terminal Units) and IEDs (Intelligent Electronic Devices). Conpot has a feature which we call the Proxy Module. This allows us to proxy incoming requests through Conpot to a service and back to the client. When we implement a new protocol in Conpot, we set up an instance with this proxy module and tunnel all requests from the client to e.g. a real device or a service with that protocol running on another host. Then, piece by piece, we are decoding the message in Conpot while it passes through so we get insight into the intention of the request. Right now we have a very basic decoder for the DNP3 protocol which we would like to extend.
More information:
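An added example (not Conpot's DNP3 decoder) of the "decode the message piece by piece while it passes through the proxy" approach described above: it parses and validates the DNP3 link-layer header (start bytes 0x05 0x64, length, control byte, destination and source addresses, CRC-16/DNP) and then strips the per-16-byte-block CRCs from the user data, which is the first thing a proxied frame has to be taken apart into before the transport and application layers can be looked at. The frame it operates on is constructed with the builder in the same block rather than captured from a device:

```python
import struct

DNP3_START = b"\x05\x64"
LINK_FUNCTIONS = {  # function codes for primary (PRM=1) frames
    0: "RESET_LINK_STATES", 2: "TEST_LINK_STATES", 3: "CONFIRMED_USER_DATA",
    4: "UNCONFIRMED_USER_DATA", 9: "REQUEST_LINK_STATUS",
}


def crc_dnp(data):
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_link_frame(ctrl, dest, src, user_data=b""):
    """Assemble a link-layer frame: 8-byte header + CRC, then user data in
    16-byte blocks, each followed by its own CRC (all CRCs little-endian)."""
    length = 5 + len(user_data)          # LEN counts CTRL, DEST, SRC and user data, not CRCs
    header = DNP3_START + struct.pack("<BBHH", length, ctrl, dest, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def parse_link_header(frame):
    """Decode and validate the first 10 bytes of a DNP3 link-layer frame."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 link-layer frame")
    length, ctrl, dest, src, crc = struct.unpack("<BBHHH", frame[2:10])
    if crc != crc_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    return {
        "length": length,
        "dir": bool(ctrl & 0x80),      # 1 = sent by the master
        "prm": bool(ctrl & 0x40),      # 1 = primary (initiating) message
        "fcb": bool(ctrl & 0x20),      # frame count bit
        "fcv": bool(ctrl & 0x10),      # frame count bit valid
        "function": ctrl & 0x0F,
        "function_name": LINK_FUNCTIONS.get(ctrl & 0x0F, "unknown"),
        "dest": dest,
        "src": src,
        "user_data_len": length - 5,
    }


def extract_user_data(frame):
    """Verify every data-block CRC and return the user data without them."""
    remaining = parse_link_header(frame)["user_data_len"]
    out, pos = b"", 10
    while remaining > 0:
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2 or struct.unpack("<H", crc)[0] != crc_dnp(block):
            raise ValueError("user data block CRC mismatch")
        out += block
        pos += n + 2
        remaining -= n
    return out


# Constructed sample: master (src 3) -> outstation (dest 4), unconfirmed user data,
# control byte 0xC4 = DIR|PRM|function 4, with 20 bytes of placeholder payload.
SAMPLE_FRAME = build_link_frame(0xC4, dest=4, src=3, user_data=bytes(range(20)))

if __name__ == "__main__":
    print(parse_link_header(SAMPLE_FRAME))
    print(extract_user_data(SAMPLE_FRAME).hex())
```

Because every block is CRC-protected, a proxy that passes frames through untouched can still reject corrupted or truncated ones before logging them, and the DIR/PRM bits immediately tell which side of the tunnelled conversation a frame belongs to.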
I introduced a walk command in 30eff43 which obviously is not simply working. Not sure if it's me not using it properly, bad implementation or issues in pySNMP.
The instructions are a bit outdated.
SNMP is a protocol used to get device/service health/statistics; it runs on udp/161. http://pysnmp.sourceforge.net/ seems to be a reasonable choice. http://snmpsim.sourceforge.net/intro.html explains how to create an SNMP agent.
Currently users have to pre-compile MIB files with build-pysnmp-mib to .py files usable by pysnmp (see #46).
Enable hpfriends by default. Required for #25
In case a config is defined using an argument (--config) we are not loading it.
Currently SNMP request/reply pairs are transmitted in separate log messages. This needs to be fixed so that they are logged together.
Code reference:
https://github.com/glastopf/conpot/blob/master/conpot/snmp/snmp_command_responder.py#L74
The section was introduced in #23 but needs extension and proof reading.
For some reason I could not get SNMP v1 working. See
https://github.com/glastopf/conpot/blob/master/modules/snmp_command_responder.py#L84-L85
Provide support for various system profiles. The scraper #2 should export results as a profile.
Converting this to Python should do the trick: https://github.com/vlet/iec104/blob/master/lib/Net/IEC104.pm
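As an added example of what the Python side of such a port has to handle (this is not a translation of the linked Perl module and not Conpot code): the IEC 60870-5-104 APCI is a fixed 6-byte header (start byte 0x68, APDU length, four control octets) that comes in three formats, and an outstation, which is the role a honeypot plays, must at minimum answer STARTDT/STOPDT/TESTFR activations with the matching confirmation and acknowledge I-frames. The sample ASDU bytes and the outstation_reply helper are constructed for this example:

```python
import struct

U_FUNCTIONS = {   # U-format function bits in control octet 1 (low two bits are 11)
    0x04: "STARTDT act", 0x08: "STARTDT con",
    0x10: "STOPDT act", 0x20: "STOPDT con",
    0x40: "TESTFR act", 0x80: "TESTFR con",
}


def parse_apdu(data):
    """Decode the 6-byte APCI of an IEC 104 APDU and return its fields plus
    the ASDU payload (if any). Raises ValueError on a malformed APDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("missing IEC 104 start byte 0x68")
    length = data[1]                       # counts everything after this byte
    if length < 4 or length > 253 or len(data) != length + 2:
        raise ValueError("APDU length field inconsistent with frame")
    c1, c2, c3, c4 = data[2:6]
    asdu = data[6:]
    if c1 & 0x01 == 0:                     # I-format: numbered information transfer
        return {"format": "I",
                "send_seq": (c1 >> 1) | (c2 << 7),   # N(S), 15 bits, LSB of octet 1 is the type bit
                "recv_seq": (c3 >> 1) | (c4 << 7),   # N(R)
                "asdu": asdu}
    if c1 == 0x01:                         # S-format: supervisory acknowledgement
        if asdu:
            raise ValueError("S-format APDU must not carry an ASDU")
        return {"format": "S", "recv_seq": (c3 >> 1) | (c4 << 7)}
    func = c1 & 0xFC                       # U-format: unnumbered control function
    if c1 & 0x03 != 0x03 or func not in U_FUNCTIONS or asdu:
        raise ValueError("invalid U-format control field")
    return {"format": "U", "function": U_FUNCTIONS[func]}


def build_u_frame(function_bits):
    return b"\x68\x04" + bytes([function_bits | 0x03, 0, 0, 0])


def build_s_frame(recv_seq):
    return b"\x68\x04\x01\x00" + struct.pack("<H", recv_seq << 1)


def build_i_frame(send_seq, recv_seq, asdu):
    return (b"\x68" + bytes([4 + len(asdu)])
            + struct.pack("<HH", send_seq << 1, recv_seq << 1) + asdu)


def outstation_reply(apdu):
    """Reply an outstation (the honeypot side) would send: act -> con for
    U-frames, an S-frame acknowledging the next expected N(S) for I-frames,
    nothing for S-frames. Hypothetical helper, not Conpot's logic."""
    parsed = parse_apdu(apdu)
    if parsed["format"] == "U":
        acts = {"STARTDT act": 0x08, "STOPDT act": 0x20, "TESTFR act": 0x80}
        bits = acts.get(parsed["function"])
        return build_u_frame(bits) if bits else None
    if parsed["format"] == "I":
        return build_s_frame(parsed["send_seq"] + 1)
    return None


# Constructed sample: an I-frame carrying a station interrogation ASDU
# (type 100, one object, COT 6 activation, common address 1, IOA 0, QOI 20).
SAMPLE_INTERROGATION = build_i_frame(5, 3, b"\x64\x01\x06\x00\x01\x00\x00\x00\x00\x14")

if __name__ == "__main__":
    print(parse_apdu(b"\x68\x04\x07\x00\x00\x00"))          # STARTDT act
    print(outstation_reply(b"\x68\x04\x07\x00\x00\x00").hex())
    print(parse_apdu(SAMPLE_INTERROGATION))
    print(outstation_reply(SAMPLE_INTERROGATION).hex())
```

A scanner typically opens the TCP/2404 session with STARTDT act and keeps it alive with TESTFR act; answering both correctly is what makes the honeypot look like a live outstation before any ASDU handling exists.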
Based on some rough settings the ICS server should be able to create a profile. Probably should investigate what a generic ICS looks like...
2013-05-08 19:05:11,080 New connection from YOUR-MOM:12101. (6bbf1903-ad52-456f-995b-39d78a910ab5)
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/gevent/greenlet.py", line 390, in run
result = self._run(*self.args, **self.kwargs)
File "conpot_ics_server.py", line 84, in handle
response, logdata = self._databank.handle_request(query, request)
File "/opt/conpot/modules/slave_db.py", line 48, in handle_request
slave = self.get_slave(slave_id)
File "/usr/local/lib/python2.7/dist-packages/modbus_tk-0.4-py2.7.egg/modbus_tk/modbus.py", line 750, in get_slave
raise MissingKeyError, "Slave %d doesn't exist" % (slave_id)
MissingKeyError: Slave 77 doesn't exist
<Greenlet at 0xb72185ccL: <bound method ModbusServer.handle of <__main__.ModbusServer instance at 0xb7077f2c>>(<socket at 0xb7026c8cL fileno=8 sock=YOUR-MOM:, ('YOUR-MOM', 12101))> failed with MissingKeyError
If SIGINT is thrown it does not get handled properly.
Traceback (most recent call last):
File "/Users/jkv/virtualenvs/conpot/bin/conpot", line 7, in <module>
execfile(__file__)
File "/Users/jkv/repos/conpot/bin/conpot", line 122, in <module>
main()
File "/Users/jkv/repos/conpot/bin/conpot", line 107, in main
servers.append(gevent.spawn(snmp_server.start()))
File "/Users/jkv/repos/conpot/conpot/snmp_server.py", line 47, in start
self.snmp_server.serve_forever()
File "/Users/jkv/repos/conpot/conpot/modules/snmp_command_responder.py", line 170, in serve_forever
self.snmpEngine.transportDispatcher.serve_forever()
File "/Users/jkv/virtualenvs/conpot/lib/python2.7/site-packages/gevent/baseserver.py", line 190, in serve_forever
self._stopped_event.wait()
File "/Users/jkv/virtualenvs/conpot/lib/python2.7/site-packages/gevent/event.py", line 74, in wait
result = get_hub().switch()
File "/Users/jkv/virtualenvs/conpot/lib/python2.7/site-packages/gevent/hub.py", line 164, in switch
return greenlet.switch(self)
KeyboardInterrupt
BACnet should be an interesting protocol to add:
http://bacpypes.sourceforge.net/index.html
https://bacpypes.svn.sourceforge.net/svnroot/bacpypes/trunk/
Add support for travis.
We should be able to act as a ship: https://community.rapid7.com/community/infosec/blog/2013/04/29/spying-on-the-seven-seas-with-ais
cd docs/
make html
Should return at least an index.html
in docs/build/html
The doc version should be the same as the current version. This could be integrated into https://github.com/glastopf/conpot/blob/master/docs/update-site.sh
A short FAQ. Starting with data sharing.
Apparently there are issues running Conpot on the Raspberry Pi (Debian GNU/Linux 7.0).
@nsmfoo could you please provide the output of pip freeze
and your libevent version?
Console output:
2013-05-30 21:44:32,036 Registered OID (1, 3, 6, 1, 2, 1, 1, 6) (sysLocation, SNMPv2-MIB) :
2013-05-30 21:44:32,046 Registered OID (1, 3, 6, 1, 2, 1, 1, 7) (sysServices, SNMPv2-MIB) : 72
2013-05-30 21:44:32,050 SNMP server started on: ('0.0.0.0', 161)
Segmentation fault
Strace:
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6054000
_llseek(4, 0, [0], SEEK_CUR) = 0
read(4, "\3\363\r\n\357\301\247Qc\0\0\0\0\0\0\0\0t\0\0\0@\0\0\0sq\31\0\0e\0"..., 20480) = 20480
read(4, "or an SNMP entity supporting\ncom"..., 4096) = 2171
read(4, "", 4096) = 0
close(4) = 0
munmap(0xb6054000, 4096) = 0
stat64("/usr/local/lib/python2.7/dist-packages/pysnmp/smi/mibs/SNMPv2-MIB.py", {st_mode=S_IFREG|0644, st_size=28780, ...}) = 0
gettimeofday({1369949760, 709892}, NULL) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=118, ...}) = 0
write(2, "2013-05-30 21:36:00,709 Register"..., 95) = 95
gettimeofday({1369949760, 716357}, NULL) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=118, ...}) = 0
write(2, "2013-05-30 21:36:00,716 SNMP ser"..., 65) = 65
epoll_ctl(0x5, 0x1, 0x3, 0xbea5a420) = 0
rt_sigaction(SIGINT, {0xb6a48c84, ~[RTMIN RT_1], SA_RESTART|0x4000000}, {0xd3f28, [], 0x4000000 /* SA_??? */}, 8) = 0
epoll_ctl(0x5, 0x1, 0x7, 0xbea59db8) = 0
clock_gettime(CLOCK_MONOTONIC, {1337, 453045042}) = 0
gettimeofday({1369949760, 723796}, NULL) = 0
epoll_wait(0x5, 0x738550, 0x20, 0) = 0
clock_gettime(CLOCK_MONOTONIC, {1337, 454075113}) = 0
gettimeofday({1369949760, 724741}, NULL) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Tests should cover basic modbus and snmp communication.