Thanks to visit codestin.com
Credit goes to github.com

Skip to content
/ honeybear Public

Dropbear 0.66, hacked to act as a poor man's honeypot

License

View license
1 star 1 fork Branches Tags Activity
Star

dimkr/honeybear

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
debian
debian
 
 
libtomcrypt
libtomcrypt
 
 
libtommath
libtommath
 
 
.travis.yml
.travis.yml
 
 
CHANGES
CHANGES
 
 
INSTALL
INSTALL
 
 
LICENSE
LICENSE
 
 
MULTI
MULTI
 
 
Makefile.in
Makefile.in
 
 
README
README
 
 
README.md
README.md
 
 
SMALL
SMALL
 
 
TODO
TODO
 
 
agentfwd.h
agentfwd.h
 
 
algo.h
algo.h
 
 
atomicio.c
atomicio.c
 
 
atomicio.h
atomicio.h
 
 
auth.h
auth.h
 
 
bignum.c
bignum.c
 
 
bignum.h
bignum.h
 
 
buffer.c
buffer.c
 
 
buffer.h
buffer.h
 
 
channel.h
channel.h
 
 
chansession.h
chansession.h
 
 
circbuffer.c
circbuffer.c
 
 
circbuffer.h
circbuffer.h
 
 
cli-agentfwd.c
cli-agentfwd.c
 
 
cli-auth.c
cli-auth.c
 
 
cli-authinteract.c
cli-authinteract.c
 
 
cli-authpasswd.c
cli-authpasswd.c
 
 
cli-authpubkey.c
cli-authpubkey.c
 
 
cli-channel.c
cli-channel.c
 
 
cli-chansession.c
cli-chansession.c
 
 
cli-kex.c
cli-kex.c
 
 
cli-main.c
cli-main.c
 
 
cli-runopts.c
cli-runopts.c
 
 
cli-session.c
cli-session.c
 
 
cli-tcpfwd.c
cli-tcpfwd.c
 
 
common-algo.c
common-algo.c
 
 
common-channel.c
common-channel.c
 
 
common-chansession.c
common-chansession.c
 
 
common-kex.c
common-kex.c
 
 
common-runopts.c
common-runopts.c
 
 
common-session.c
common-session.c
 
 
compat.c
compat.c
 
 
compat.h
compat.h
 
 
config.guess
config.guess
 
 
config.h
config.h
 
 
config.h.in
config.h.in
 
 
config.sub
config.sub
 
 
configure
configure
 
 
configure.ac
configure.ac
 
 
crypto_desc.c
crypto_desc.c
 
 
crypto_desc.h
crypto_desc.h
 
 
curve25519-donna.c
curve25519-donna.c
 
 
dbclient.1
dbclient.1
 
 
dbmulti.c
dbmulti.c
 
 
dbrandom.c
dbrandom.c
 
 
dbrandom.h
dbrandom.h
 
 
dbutil.c
dbutil.c
 
 
dbutil.h
dbutil.h
 
 
debug.h
debug.h
 
 
dropbear.8
dropbear.8
 
 
dropbearconvert.1
dropbearconvert.1
 
 
dropbearconvert.c
dropbearconvert.c
 
 
dropbearkey.1
dropbearkey.1
 
 
dropbearkey.c
dropbearkey.c
 
 
dss.c
dss.c
 
 
dss.h
dss.h
 
 
ecc.c
ecc.c
 
 
ecc.h
ecc.h
 
 
ecdsa.c
ecdsa.c
 
 
ecdsa.h
ecdsa.h
 
 
fake-rfc2553.c
fake-rfc2553.c
 
 
fake-rfc2553.h
fake-rfc2553.h
 
 
filelist.txt
filelist.txt
 
 
gendss.c
gendss.c
 
 
gendss.h
gendss.h
 
 
genrsa.c
genrsa.c
 
 
genrsa.h
genrsa.h
 
 
gensignkey.c
gensignkey.c
 
 
gensignkey.h
gensignkey.h
 
 
includes.h
includes.h
 
 
install-sh
install-sh
 
 
kex.h
kex.h
 
 
keyimport.c
keyimport.c
 
 
keyimport.h
keyimport.h
 
 
list.c
list.c
 
 
list.h
list.h
 
 
listener.c
listener.c
 
 
listener.h
listener.h
 
 
loginrec.c
loginrec.c
 
 
loginrec.h
loginrec.h
 
 
ltc_prng.c
ltc_prng.c
 
 
ltc_prng.h
ltc_prng.h
 
 
options.h
options.h
 
 
packet.c
packet.c
 
 
packet.h
packet.h
 
 
process-packet.c
process-packet.c
 
 
progressmeter.c
progressmeter.c
 
 

Repository files navigation

honeybear

Some History

Some time ago, I found a Chinese botnet that consists of SSH servers which run brute-force malware.

The operator's server connects to each node via SSH and uploads two files:

  • A list of IPv4 addresses to attack
  • A simple, script-kiddie grade brute-force tool compiled many years ago

Then, it starts the attack and saves the results to a file. The output is sent to the operator using a HTTP POST request. I was able to map the botnet and locate its operator.

The Concept

I assume:

  • There's a large-scale botnet of SSH servers that expands using simple brute-force attacks.
  • I assume the malware that performs the brute-force attack spreads like a worm and runs on all nodes, no just the first one.
  • The credentials used by the brute-force malware do not change over time.
  • My server is the next victim.

Theoretically, if I mirror the attack, by using the same credentials used to attack my server to attack the client, one user/password combination must work (because that's how the brute-force malware got there in first place). I tried this in small scale (with my own servers) and it worked perfectly.

Implementation

This is Dropbear 0.66, hacked so:

  • Password authentication fails, always.
  • Plain-text credentials are written to the system log.
  • dbclient is wrapped with torify and executed after each authentication attempt, to try the same credentials against the client.

Legal Information

The changes to Dropbear are provided under the same license as the unmodified code.

Bear in mind that using honeybear is probably illegal in your country, just like plain SSH brute-force attacks. It is provided for the benefit of white hat hackers and system administrators.

About

Dropbear 0.66, hacked to act as a poor man's honeypot

Resources

Readme

License

View license
Activity

Stars

1 star

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages