Open Source and information security mailing list archives
Message-ID: <e7ceeedc-da55-cb79-9f57-5c542e588da5@lipkowski.org>
Date: Mon, 2 Jun 2025 01:08:33 +0200 (CEST)
From: Jacek Lipkowski via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Youpot honeypot

Hi,

I made a novel honeypot for worms called Youpot.

Normally a honeypot will try to implement whatever service it thinks the attacker would like. For a high interaction or pure honeypot this is often impossible, because of the thousands of possibilities. Even a simple telnet server will have thousands of variants: different banners, different shells, different default passwords, on different IoT devices etc.

Youpot works around this by listening on all TCP ports, and connects to the attacker IP on the same port he connected to us, and proxies the traffic back to him. No need to implement any service emulation, and yet the worm gets exactly the service it wants. And it is on a real system (attacker's system, but he doesn't know it), so this is a pure honeypot. We can just sit back and enjoy the show as the attacker attacks himself.

TLS and SSH protocols are detected and further MiTM is executed against it. Otherwise youpot is just a simple TCP proxy. Also for people with a weird sense of humor there is some support for replacing parts of traffic with our own data :)

More info here:
https://github.com/sq5bpf/youpot
https://lipkowski.com/youpot/

This project will be presented today at the Confidence 2025 conference in Cracow/Poland.

Have fun :)

Jacek

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
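
Added example (not part of the original message and not Youpot's code): one way a proxy like the one described could tell TLS and SSH apart from other traffic by inspecting the first bytes of a connection, including the case where too little data has arrived to decide. The function name, return values and sample bytes are assumptions made for illustration; the message does not say how Youpot itself detects these protocols.

```python
# Added example, not Youpot's code: classify the first bytes of a proxied TCP
# stream so a proxy can choose between TLS handling, SSH handling or plain relay.
import struct

TLS_HANDSHAKE = 0x16       # TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01    # handshake message type
MAX_SSH_IDENT = 255        # RFC 4253: identification string is at most 255 bytes

# Constructed sample inputs (not captured traffic); the TLS one is truncated.
SAMPLES = {
    "tls": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    "ssh": b"SSH-2.0-ExampleClient_1.0\r\n",
    "raw": b"GET / HTTP/1.1\r\n",
}


def classify_stream(first_bytes: bytes):
    """Return (protocol, detail); protocol is 'tls', 'ssh', 'raw' or 'need_more'."""
    if not first_bytes:
        return ("need_more", None)
    # SSH: identification line "SSH-protoversion-softwareversion[ comments]\r\n"
    if first_bytes.startswith(b"SSH-"):
        end = first_bytes.find(b"\n")
        if end == -1:
            # No line terminator yet: wait, unless the line is already too long.
            if len(first_bytes) > MAX_SSH_IDENT:
                return ("raw", None)
            return ("need_more", None)
        ident = first_bytes[:end].rstrip(b"\r").decode("ascii", "replace")
        parts = ident.split("-", 2)
        if len(parts) == 3 and parts[1] in ("2.0", "1.99", "1.5"):
            return ("ssh", ident)
        return ("raw", None)
    if b"SSH-".startswith(first_bytes):
        return ("need_more", None)   # only part of the "SSH-" prefix so far
    # TLS: 5-byte record header (type, version, length), then handshake type
    if first_bytes[0] == TLS_HANDSHAKE:
        if len(first_bytes) < 6:
            return ("need_more", None)
        major, minor, rec_len = struct.unpack("!BBH", first_bytes[1:5])
        if (major == 3 and minor <= 4 and 0 < rec_len <= 16384
                and first_bytes[5] == TLS_CLIENT_HELLO):
            return ("tls", f"record version 3.{minor}")
        return ("raw", None)
    return ("raw", None)
```

A 'need_more' result means the caller should keep buffering before relaying or intercepting; anything classified as 'raw' would simply be proxied unchanged.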