Message-ID: <e7ceeedc-da55-cb79-9f57-5c542e588da5@lipkowski.org>
Date: Mon, 2 Jun 2025 01:08:33 +0200 (CEST)
From: Jacek Lipkowski via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Youpot honeypot

Hi,

I made a novel honeypot for worms called Youpot.

Normally a honeypot will try to implement whatever service it thinks the 
attacker would like. For a high interaction or pure honeypot this is often 
impossible, because of the thousands of possibilities. Even a simple 
telnet server will have thousands of variants: different banners, 
different shells, different default passwords, on different IoT devices 
etc.

Youpot works around this by listening on all TCP ports, and connects to 
the attacker IP on the same port he connected to us, and proxies the 
traffic back to him. No need to implement any service emulation, and yet 
the worm gets exactly the service it wants.  And it is on a real system 
(attacker's system, but he doesn't know it), so this is a pure honeypot.

We can just sit back and enjoy the show as the attacker attacks himself.


TLS and SSH protocols are detected and further MiTM is executed against 
them. Otherwise youpot is just a simple TCP proxy.

Also for people with a weird sense of humor there is some support for 
replacing parts of traffic with our own data :)
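The reflection mechanism and the traffic-substitution hook described above, as an added example that is not Youpot's own code: a minimal asyncio proxy that dials the peer back on the port it arrived on, relays bytes both ways, applies configurable byte replacements, and refuses to dial into loopback or private address space (so a reflected connection never loops back into the honeypot host or its LAN). It listens on an explicit port list, which is an assumption; covering every TCP port as Youpot does needs a kernel-level redirect that this example leaves out.

```python
import asyncio
import ipaddress
from typing import Optional

Rules = dict[bytes, bytes]


def reflect_target(peer_ip: str, local_port: int) -> tuple[str, int]:
    """Connect-back target: the peer's own IP on the very port it dialled."""
    return peer_ip, local_port


def should_reflect(peer_ip: str) -> bool:
    """Only dial back to globally routable unicast peers; loopback, private and
    link-local sources would loop into ourselves or hit hosts on our own LAN."""
    ip = ipaddress.ip_address(peer_ip)
    return ip.is_global and not ip.is_multicast


def rewrite_chunk(chunk: bytes, rules: Rules) -> bytes:
    """Substitute configured byte patterns in one chunk of relayed traffic."""
    for old, new in rules.items():
        chunk = chunk.replace(old, new)
    return chunk


async def _pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter, rules: Rules) -> None:
    """Copy src -> dst until EOF, rewriting each chunk; closing dst ends the other direction."""
    try:
        while data := await src.read(4096):
            dst.write(rewrite_chunk(data, rules))
            await dst.drain()
    finally:
        dst.close()


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter,
                 rules: Optional[Rules] = None) -> None:
    peer_ip = writer.get_extra_info("peername")[0]
    local_port = writer.get_extra_info("sockname")[1]   # port the peer dialled on us
    host, port = reflect_target(peer_ip, local_port)
    if not should_reflect(peer_ip):
        writer.close()
        return
    try:
        r_back, w_back = await asyncio.wait_for(asyncio.open_connection(host, port), 10)
    except (OSError, asyncio.TimeoutError):
        writer.close()   # peer does not expose that port itself; nothing to reflect
        return
    print(f"reflecting {peer_ip}:{local_port} -> {host}:{port}")
    await asyncio.gather(_pump(reader, w_back, rules or {}), _pump(r_back, writer, rules or {}))


async def serve(ports: list[int]) -> None:
    servers = [await asyncio.start_server(handle, "0.0.0.0", p) for p in ports]
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    asyncio.run(serve([23, 2323, 8080]))   # sample ports (constructed); Youpot covers all of them
```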

More info here:
https://github.com/sq5bpf/youpot
https://lipkowski.com/youpot/


This project will be presented today at the Confidence 2025 conference in 
Cracow/Poland.

Have fun :)

Jacek

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
