Conversation

@spoiicy

@spoiicy spoiicy commented Aug 31, 2025

Description

This PR aims to optimise core parts of honeyscanner in order to scan honeypots over external networks.

Changes

  • Optimised open ports detection using the asyncio library to cut down the time of scanning for open ports on an externally hosted honeypot from ~54 hours to ~11 minutes
  • Implemented selective fuzzing for externally and locally hosted honeypots to optimise the fuzzing that suits each case best. Based on the supplied IP address, the program intelligently decides which type of fuzzing needs to be run. For externally hosted honeypots, smart fuzzing is leveraged, which runs ~90 test cases, and for locally hosted honeypots, the legacy boofuzz fuzzer is executed.
  • Optimised the tar_bomb attack to achieve concurrent operations, with the help of asyncio
  • Made some changes to programmatically access the honeyscanner from a Python script alongside the pre-existing CLI route.
  • Packaged the pyproject.toml to easily distribute the honeyscanner as an artifact.
  • General maintenance
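The two design points in the description, an asyncio-based open-port check with bounded concurrency and a local-versus-external decision derived from the target IP, are illustrated below with an added example. This is not honeyscanner's code and the names (`scan_ports`, `choose_fuzzing_mode`, `self_check`) are hypothetical. It assumes that "locally hosted" means a loopback, private or link-local address as classified by the standard `ipaddress` module, and it uses a constructed loopback listener as its fixture so it runs offline against a host you control.

```python
import asyncio
import ipaddress
from typing import Iterable, List, Tuple


def is_local_target(host: str) -> bool:
    """Classify the target as locally hosted (loopback/private/link-local).

    Assumption: a hostname that is not an IP literal is treated as external.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def choose_fuzzing_mode(host: str) -> str:
    """Mirror the selective-fuzzing decision described in the PR (hypothetical names)."""
    return "legacy_boofuzz" if is_local_target(host) else "smart"


async def _probe_port(host: str, port: int, timeout: float,
                      sem: asyncio.Semaphore) -> Tuple[int, bool]:
    """TCP connect probe for one port; the semaphore bounds concurrent sockets."""
    async with sem:
        try:
            _, writer = await asyncio.wait_for(
                asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):
            return port, False
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
        return port, True


async def scan_ports(host: str, ports: Iterable[int],
                     concurrency: int = 200, timeout: float = 2.0) -> List[int]:
    """Probe all ports concurrently and return the sorted list of open ones.

    The per-probe timeout is what turns a many-hour sequential scan into a
    short one: slow or filtered ports no longer block the rest.
    """
    sem = asyncio.Semaphore(concurrency)
    results = await asyncio.gather(
        *(_probe_port(host, p, timeout, sem) for p in ports))
    return sorted(p for p, is_open in results if is_open)


async def _self_check() -> bool:
    """Constructed fixture: one listening loopback port and one known-closed port."""

    async def handle(reader, writer):
        writer.close()

    listener = await asyncio.start_server(handle, "127.0.0.1", 0)
    open_port = listener.sockets[0].getsockname()[1]

    # Reserve a second ephemeral port, then release it so it is closed.
    spare = await asyncio.start_server(handle, "127.0.0.1", 0)
    closed_port = spare.sockets[0].getsockname()[1]
    spare.close()
    await spare.wait_closed()

    try:
        found = await scan_ports("127.0.0.1", [open_port, closed_port],
                                 concurrency=8, timeout=1.0)
    finally:
        listener.close()
        await listener.wait_closed()
    return found == [open_port]


def self_check() -> bool:
    """Synchronous entry point so the example can be run or imported directly."""
    return asyncio.run(_self_check())


if __name__ == "__main__":
    for target in ("127.0.0.1", "10.0.0.5", "18.234.151.206"):
        print(target, "->", choose_fuzzing_mode(target))
    print("loopback self-check:", self_check())
```

The `concurrency` bound matters in practice: an unbounded `gather` over 65535 ports exhausts file descriptors on the scanning host, and against a honeypot it produces the same connection burst the honeypot's own logging will record, so keep the limit and timeout tuned to the network you are measuring.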

@spoiicy
Author

spoiicy commented Aug 31, 2025

Results from a Successful Scan of Cowrie Honeypot

{
    "results": {
      "cves": 124,
      "active": {
        "attacks": [
          {
            "message": "Banner fuzzing completed - Terminal fuzzing completed - 96 test cases executed in 28.43s (external network, quick test + smart fuzzing)",
            "attack_name": "Fuzzing",
            "additional_metrics": {
              "test_cases_executed": 96
            },
            "vulnerability_found": false,
            "execution_time_seconds": 28
          },
          {
            "message": "Tar bomb attack executed (30/30 successful), but honeypot is still alive",
            "attack_name": "TarBomb",
            "additional_metrics": {
              "bombs_used": 30
            },
            "vulnerability_found": false,
            "execution_time_seconds": 90
          },
          {
            "message": "Vulnerability found: DoS attack made the honeypot reject connections",
            "attack_name": "DoS",
            "additional_metrics": {
              "threads_used": 40
            },
            "vulnerability_found": true,
            "execution_time_seconds": 1
          }
        ],
        "summary": {
          "success_rate": 33.33,
          "total_attacks": 3,
          "successful_attacks": 1
        },
        "target_ip": "18.234.151.206",
        "report_title": "Honeypot Active Attack Report"
      },
      "passive": {
        "summary": {
          "attack_types": [
            "ContainerSecurityScanner",
            "VulnerableLibrariesAnalyzer",
            "StaticAnalyzer"
          ],
          "recommendations_count": 3,
          "total_attacks_performed": 3
        },
        "target_ip": "18.234.151.206",
        "report_title": "Honeypot Passive Attack Report",
        "attack_results": {
          "StaticAnalyzer": {
            "attack_type": "Static Code Analysis",
            "description": "Static analysis of honeypot codebase and configuration",
            "report_content": {
              "version": "v2.6.1",
              "high_severity_count": 13,
              "high_severity_issues": [
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/ftpget.py",
                  "issue_text": "A FTP-related module is being imported.  FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
                  "line_number": 5
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/ftpget.py",
                  "issue_text": "FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
                  "line_number": 167
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/ping.py",
                  "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False",
                  "line_number": 83
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/ssh.py",
                  "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False",
                  "line_number": 96
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/yum.py",
                  "issue_text": "Use of weak SHA1 hash for security. Consider usedforsecurity=False",
                  "line_number": 73
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/yum.py",
                  "issue_text": "Use of weak SHA1 hash for security. Consider usedforsecurity=False",
                  "line_number": 74
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/cuckoo.py",
                  "issue_text": "Call to requests with verify=False disabling SSL certificate checks, security issue.",
                  "line_number": 107
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/cuckoo.py",
                  "issue_text": "Call to requests with verify=False disabling SSL certificate checks, security issue.",
                  "line_number": 134
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/cuckoo.py",
                  "issue_text": "Call to requests with verify=False disabling SSL certificate checks, security issue.",
                  "line_number": 157
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/dshield.py",
                  "issue_text": "Use of weak SHA1 hash for security. Consider usedforsecurity=False",
                  "line_number": 132
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/dshield.py",
                  "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False",
                  "line_number": 147
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/ssh/transport.py",
                  "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False",
                  "line_number": 198
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/ssh_proxy/server_transport.py",
                  "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False",
                  "line_number": 308
                }
              ],
              "medium_severity_count": 31,
              "medium_severity_issues": [
                {
                  "filename": "cowrie-2.6.1/src/backend_pool/nat.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 106
                },
                {
                  "filename": "cowrie-2.6.1/src/backend_pool/nat.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 109
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/nc.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 108
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/netstat.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 74
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/commands/netstat.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 76
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/core/auth.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 71
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/core/utils.py",
                  "issue_text": "Possible binding to all interfaces.",
                  "line_number": 116
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/abuseipdb.py",
                  "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.",
                  "line_number": 81
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/cuckoo.py",
                  "issue_text": "Requests call without timeout",
                  "line_number": 130
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/cuckoo.py",
                  "issue_text": "Requests call without timeout",
                  "line_number": 153
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/malshare.py",
                  "issue_text": "Requests call without timeout",
                  "line_number": 90
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/mysql.py",
                  "issue_text": "Possible SQL injection vector through string-based query construction.",
                  "line_number": 114
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/output/mysql.py",
                  "issue_text": "Possible SQL injection vector through string-based query construction.",
                  "line_number": 125
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/scripts/fsctl.py",
                  "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.",
                  "line_number": 122
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/shell/fs.py",
                  "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.",
                  "line_number": 111
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/shell/fs.py",
                  "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.",
                  "line_number": 114
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/ssh/keys.py",
                  "issue_text": "DSA key sizes below 2048 bits are considered breakable. ",
                  "line_number": 61
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/fake_transport.py",
                  "issue_text": "Use of exec detected.",
                  "line_number": 82
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_awk.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_base64.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_base_commands.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 264
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_base_commands.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 282
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_base_commands.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 303
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_cat.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_chmod.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_echo.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_ftpget.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 14
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_ls.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_tee.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_tftp.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                },
                {
                  "filename": "cowrie-2.6.1/src/cowrie/test/test_uniq.py",
                  "issue_text": "Probable insecure usage of temp file/directory.",
                  "line_number": 13
                }
              ],
              "actionable_recommendation": "Bandit found vulnerabilities that can be exploited. Please refer to the StaticHoney's output for more details."
            }
          },
          "ContainerSecurityScanner": {
            "attack_type": "Container Security Scan",
            "description": "Security analysis of container configuration and vulnerabilities",
            "report_content": {
              "targets": [
                {
                  "target": "cowrie/cowrie (debian 12.11)",
                  "secrets": {
                    "counts": {
                      "HIGH": 0,
                      "MEDIUM": 0,
                      "CRITICAL": 0
                    }
                  },
                  "vulnerabilities": {
                    "counts": {
                      "HIGH": 6,
                      "MEDIUM": 15,
                      "CRITICAL": 3
                    }
                  }
                },
                {
                  "target": "Python",
                  "secrets": {
                    "counts": {
                      "HIGH": 0,
                      "MEDIUM": 0,
                      "CRITICAL": 0
                    }
                  },
                  "vulnerabilities": {
                    "counts": {
                      "HIGH": 0,
                      "MEDIUM": 0,
                      "CRITICAL": 0
                    }
                  }
                }
              ],
              "actionable_recommendation": "Trivy found vulnerabilities in the source code repository. Check the TrivyScanner section for more info and inform the developer(s) of the security issue."
            }
          },
          "VulnerableLibrariesAnalyzer": {
            "attack_type": "Vulnerable Libraries Analysis",
            "description": "Analysis of vulnerable libraries and dependencies",
            "report_content": {
              "libraries": {
                "urllib3": {
                  "library_name": "urllib3",
                  "vulnerabilities": [
                    {
                      "cve": "CVE-2025-50181",
                      "cvss_score": 5.3,
                      "vulnerability_id": "pyup.io-77744",
                      "affected_versions": "<2.5.0",
                      "severity_category": "medium"
                    },
                    {
                      "cve": "CVE-2025-50182",
                      "cvss_score": 5.3,
                      "vulnerability_id": "pyup.io-77745",
                      "affected_versions": "<2.5.0",
                      "severity_category": "medium"
                    }
                  ],
                  "vulnerability_count": 2
                },
                "requests": {
                  "library_name": "requests",
                  "vulnerabilities": [
                    {
                      "cve": "CVE-2024-47081",
                      "cvss_score": 5.3,
                      "vulnerability_id": "pyup.io-77680",
                      "affected_versions": "<2.32.4",
                      "severity_category": "medium"
                    }
                  ],
                  "vulnerability_count": 1
                },
                "cryptography": {
                  "library_name": "cryptography",
                  "vulnerabilities": [
                    {
                      "cve": "CVE-2024-12797",
                      "cvss_score": 6.3,
                      "vulnerability_id": "pyup.io-76170",
                      "affected_versions": ">=42.0.0,<44.0.1",
                      "severity_category": "medium"
                    }
                  ],
                  "vulnerability_count": 1
                }
              },
              "actions_text": "All of these modules need to be updated:\ncryptography, requests, urllib3",
              "action_required": "All of these modules need to be updated: cryptography, requests, urllib3",
              "modules_to_update": [
                "cryptography",
                "requests",
                "urllib3"
              ],
              "severity_breakdown": {
                "low": 0,
                "high": 0,
                "medium": 4,
                "critical": 0,
                "no_score": 0
              },
              "total_vulnerabilities": 4,
              "total_vulnerable_libraries": 3
            }
          }
        },
        "attacks_performed": [
          "VulnerableLibrariesAnalyzer",
          "StaticAnalyzer",
          "ContainerSecurityScanner"
        ]
      }
    },
    "metadata": {
      "filename": "report_2025-08-31_08-36-14.txt",
      "honeypot": {
        "ip": "18.234.151.206",
        "name": "cowrie",
        "ports": [
          2222,
          22
        ],
        "version": "v2.6.1"
      },
      "report_date": "2025-08-31 08:36:14"
    },
    "recommendations": [
      "All of these modules need to be updated: cryptography, requests, urllib3",
      "Bandit found vulnerabilities that can be exploited. Please refer to the StaticHoney's output for more details.",
      "Trivy found vulnerabilities in the source code repository. Check the TrivyScanner section for more info and inform the developer(s) of the security issue."
    ]
  }

@spoiicy
Author

spoiicy commented Aug 31, 2025

Hi @aristofanischionis eagerly waiting for your review comments. Thanks :)

@mlodic
Member

mlodic commented Sep 1, 2025

@aristofanischionis this was a work performed during the Google Summer of Code with the intent to integrate Honeyscanner and its capabilities into the IntelOwl project

@mariocandela
Member

@aristofanischionis If you need a hand with the review, just give a sign, it’s an exceptional contribution and deserves to be merged 🙂
