⚠ ⚠ ⚠ ADAPTED VERSION FOR CTF - Contains a private key! ⚠ ⚠ ⚠
Kukulkan
A containerized full system high interaction honeypot with shell monitoring.
Kukulkan is a Mayan god to whom ancient civilizations offered human sacrifices. We do the same with attackers who touch our honeypot.
Initialization
⚠ ⚠ ⚠
⚠ Beware that this will change critical parts and settings of the host.
⚠ This will break things if there are any other services on the host!
⚠ Use a dedicated machine (virtual or bare metal) for this.
⚠ ⚠ ⚠
Most settings are in kukulkan.conf,
but the init/install scripts will sometimes ask questions interactively.
Installation and initialization are split into these steps:
- Download install script (manual copy/paste to your root cmd!)
  - set hostname `CHANGEME`:
    ```shell
    kukulkanHostname=CHANGEME
    domain=kukulkanctf.de
    ```
  - copy deployment key from working station to the machine (in ubuntu to user-home):
    ```shell
    scp -p ~/.ssh/deployment $kukulkanHostname.$domain:.ssh/deployment
    scp -p ~/.ssh/deployment.pub $kukulkanHostname.$domain:.ssh/deployment.pub
    ssh $kukulkanHostname.$domain
    ```
  - On host switch from user to root:
    ```shell
    sudo rsync -a ~/.ssh/deployment /root/.ssh/deployment
    sudo rsync -a ~/.ssh/deployment.pub /root/.ssh/deployment.pub
    sudo -i
    ```
  - Prepare host and enable git:
    ```shell
    printf "\nHost git.haw-hamburg.de\n User git\n Hostname git.haw-hamburg.de\n IdentityFile /root/.ssh/deployment\n StrictHostKeyChecking no\n\n" >> "/root/.ssh/config"
    apt-get update && apt-get upgrade -y && apt-get install -y git
    git clone git@git.haw-hamburg.de:uwe-ba/kukulkanctf.git ./kukulkan
    cd kukulkan
    ./initHost.sh
    ```
- reconnect to the host with the new port
  - DISCONNECT! Then on your workstation (if the variable is not available??):
    ```shell
    kukulkanHostname=CHANGEME
    printf "\nHost $kukulkanHostname\n Hostname $kukulkanHostname.$domain\n User uwe\n Port 22222\n IdentityFile /home/uwe/.ssh/google_compute_engine\n\n" >> "/home/uwe/.ssh/config"
    ssh $kukulkanHostname
    ```
Usage after installation
sudo -i
cd kukulkan
./kukulkan.sh
- creates and configures a container
- ⚠ changes the iptables of the host to forward every port to this container, except the host's ssh port, which is set in kukulkan.conf
- installs and configures services inside the container
- starts logging of all shell interaction inside the container
After initialization, the host is supposed to log every shell interaction that happens inside the container.
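As an added example (not the project's own kukulkan.sh or forwardPorts.sh), the iptables rule set that the port-forwarding step above amounts to, with the container address, host SSH port and external interface as assumed placeholders; it prints the rules by default so they can be reviewed before anything is applied:

```shell
#!/bin/sh
# Added example, not code from the Kukulkan project. It builds the iptables
# rule set that kukulkan.sh is described as applying: every inbound port is
# DNATed to the container except the host's own SSH port. The container
# address, host SSH port and interface below are assumed placeholders.
CONTAINER_IP="${CONTAINER_IP:-10.0.3.10}"   # assumed LXC guest address
HOST_SSH_PORT="${HOST_SSH_PORT:-22222}"     # assumed host admin port (kukulkan.conf)
WAN_IF="${WAN_IF:-eth0}"                    # assumed external interface

# A port must be an integer in 1..65535; reject anything else.
validate_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the commands instead of running them, so the set can be reviewed
# and tested before it touches a live host. Order matters: the ACCEPT for
# the host SSH port must precede the catch-all DNAT rules in nat/PREROUTING.
gen_forward_rules() {
  ip="$1"; keep="$2"; dev="$3"
  echo "sysctl -w net.ipv4.ip_forward=1"
  # keep the admin SSH port on the host itself
  echo "iptables -t nat -A PREROUTING -i $dev -p tcp --dport $keep -j ACCEPT"
  # everything else, TCP and UDP, goes into the container
  echo "iptables -t nat -A PREROUTING -i $dev -p tcp -j DNAT --to-destination $ip"
  echo "iptables -t nat -A PREROUTING -i $dev -p udp -j DNAT --to-destination $ip"
  # let the forwarded flows and their replies through
  echo "iptables -A FORWARD -d $ip -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # outbound traffic from the guest leaves with the host's address
  echo "iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE"
}

# Dry run by default; APPLY=1 executes the rules, root only.
if [ "${APPLY:-0}" = "1" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  validate_port "$HOST_SSH_PORT" || { echo "bad HOST_SSH_PORT" >&2; exit 1; }
  gen_forward_rules "$CONTAINER_IP" "$HOST_SSH_PORT" "$WAN_IF" | sh -ex
else
  gen_forward_rules "$CONTAINER_IP" "$HOST_SSH_PORT" "$WAN_IF"
fi
```

If HOST_SSH_PORT is mistyped or the ACCEPT rule is placed after the DNAT rules, the admin SSH port is swallowed by the honeypot and you lose access to the host, which is why the rules are generated and checked before they are applied.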
Further usage
When the container was initialized but the host had a restart, use
./afterRestart.sh
When surveillance was initialized but logging needs a restart, use
./startSurveilance.sh
When the website inside the container was initialized but its content needs
an update, use
./populateGuestApacheWebsite.sh
When a container was running but it should be replaced by a new one, use
./kukulkan.sh
Scripts
All scripts prefixed "init" are supposed to be executed exactly once
at system installation.
(See "Initialization")
All scripts prefixed with "start" are supposed to be used manually.
All scripts prefixed "populate" are supposed to be used manually for population
or update of guest services.
(For example downloading html files and pushing them into the container.)
Customization
- If you need more ports forwarded from the internet to the host, change the code in forwardPorts.sh
Risks
(as far as known)
Part of this game is to expect that potential attackers are smarter than me.
Therefore DO NOT use this in a production environment.
This is a research-only honeypot and not intended to be used as production
honeypot, IDS or anything else.
The guest will get compromised.
The guest root account will get compromised.
Even if unprivileged LXC containers are expected to be "root-safe",
expect the host to get compromised.
Don't keep secrets on it and always keep a reliable way
for full system recovery/destruction.
⚠ ⚠ ⚠ Beware that Kukulkan will change critical parts and settings
of the host.
This will break things if there are any other services on the host!
Use a dedicated machine (virtual or bare metal) for this.