lurker

command module

v0.2.0 Latest Latest Go to latest Published: May 14, 2022 License: Apache-2.0 Imports: 2 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/m-mizutani/lurker

Links

Open Source Insights

README ¶

Lurker

lurker is network based honeypot for capturing payload for all TCP ports. lurker sends spoofing TCP SYN-ACK packet against attacker and scanner's TCP SYN packet. Then they will send TCP data payload after 3-way handshake and lurker captures the data and notify and save it for security research. A lot of existing honeypot has each capture mechanism for specific protocol. lurker does not have such mechanism. However lurker can capture data to all TCP ports because it just simply replies a TCP ACK packet.

overview

lurker should monitor unpublished IP address or network that are not expected to reach normal TCP connection, e.g. not associated to any domain name and services. However attackers are scanning IP address that has open TCP port everyday and finds unpublished IP address. lurker is just waiting a TCP packet from attacker silently.

Below is an example of captured bad TCP payload to port 8545 from an attacker. It seems like an exploit with CVE-2016-6277.

captured message

Features

Reply spoofing TCP SYN-ACK packet to get the attacker to send TCP payload
Can monitor network(s) e.g. CIDR block with one host and one process by ARP spoofing
Send captured data to Slack for preview and to BigQuery for analytics

Setup

Install with go command

% go install github.com/m-mizutani/lurker@latest
% lurker -i eth0

Use docker image

% docker run --network host ghcr.io/m-mizutani/lurker:latest -i eth0

Usage

NOTE: Root privilege OR permissions of read/write to network device are required to capture and spoof raw packet. In general, use sudo command for lurker.

Monitoring traffic to IP address of `eth0` device

% lurker -i eth0

Monitoring traffic to specified network

% lurker -i eth0 -n 192.168.0.0/24 -a

-n (--network) option can be used multiply.
-a option enables ARP packet spoofing to reply as multiple IP addresses

Exclude specified TCP port

Following example excludes port 22 to monitor and not reply SYN-ACK packet for port 22.

% lurker -i eth0 -e 22

-e option can be used multiply.

Notify captured payload to Slack

You can send captured payload to Slack via Incoming Webhook. Please see slack document to create Incoming Webhook and set URL as lurker's option.

% lurker -i eth0 --slack-webhook-url https://hooks.slack.com/services/XXXXX/YYYYYYYY/zzzzzzzzzz

Environment variable LURKER_SLACK_WEBHOOK is also available instead of --slack-webhook-url option.

Store captured payload to BigQuery

You can store captured payload and sender information to BigQuery.

% lurker -i eth0 --slack-webhook-url https://hooks.slack.com/services/XXXXX/YYYYYYYY/zzzzzzzzzz

Environment variables also can be used to configure BigQUery.

LURKER_BIGQUERY_PROJECT_ID: instead of --bigquery-project-id
LURKER_BIGQUERY_DATASET: instead of --bigquery-dataset

If you use Service Account to save record to BigQuery, use GOOGLE_APPLICATION_CREDENTIALS to specify service account credential of Google Cloud. See doc for more detail of Google Cloud authentication.

Table schema of BigQuery is below.

schema