Merge pull request #8 from Zeerg/develop

v0.2

.github/workflows/docker-image.yml

@@ -3,8 +3,6 @@ name: Docker Image CI
 on:
   push:
     branches: [ main ]
-  pull_request:
-    branches: [ main ]
 
 jobs:
 

Dockerfile

@@ -6,11 +6,12 @@ WORKDIR /app
 COPY . ./
 RUN go mod download && go build -o /helix-honeypot
 
+#Final Stage
 FROM alpine:latest
 WORKDIR /
-
-# Until Go Embed stuff
 COPY --from=build /helix-honeypot /helix-honeypot
+RUN addgroup -S helix && adduser -S helix -G helix
+USER helix
 
 EXPOSE 8000
 

docker-compose.yaml

@@ -5,4 +5,5 @@ services:
  helix-honeypot:
     build: ./
     ports:
-        - "8000:8000"
+        - "8000:8000"
+    entrypoint: [/helix-honeypot, -mode=ad]

go.mod

@@ -3,8 +3,8 @@ module github.com/zeerg/helix-honeypot
 go 1.16
 
 require (
-	github.com/golang/protobuf v1.5.2
 	github.com/googleapis/gnostic v0.5.5
 	github.com/labstack/echo/v4 v4.5.0
 	github.com/labstack/gommon v0.3.0
+	google.golang.org/protobuf v1.26.0
 )

handler/activeDefenseHandlers.go

@@ -0,0 +1,11 @@
+package handler
+
+import (
+	"github.com/labstack/echo/v4"
+	"os"
+)
+// Literally streams /dev/random to the response since Kubectl has no input validation or timeouts lol
+func ActiveDefenseHandler(c echo.Context) error {
+	devRandom, _ := os.Open("/dev/random")
+	return c.Stream(201, "application/json", devRandom)
+}

handler/apiModeHandlers.go

@@ -0,0 +1,86 @@
+package handler
+
+import (
+	"github.com/labstack/echo/v4"
+	"net/http"
+	"encoding/json"
+	"fmt"
+)
+// ApiHandler returns the api.json embedded file
+func ApiHandler(c echo.Context) error {
+	var data map[string]interface{}
+	err := json.Unmarshal(embedGet("api.json"), &data)
+	if err != nil {
+		c.Logger().Print(err)
+	}
+	return c.JSON(http.StatusOK, data)
+}
+// ApiResourceList returns the api_resourcelist.json embedded file
+func ApiResourceList(c echo.Context) error {
+	var data map[string]interface{}
+	err := json.Unmarshal(embedGet("api_resourcelist.json"), &data)
+	if err != nil {
+		c.Logger().Print(err)
+	}
+	return c.JSON(http.StatusOK, data)
+}
+// ApiGroupList returns the api_grouplist.json embedded file
+func ApiGroupList(c echo.Context) error {
+	var data map[string]interface{}
+	err := json.Unmarshal(embedGet("api_grouplist.json"), &data)
+	if err != nil {
+		c.Logger().Print(err)
+	}
+	return c.JSON(http.StatusOK, data)
+}
+// Root Route Handler
+func RootHandler(c echo.Context) error {
+	var data map[string]interface{}
+	err := json.Unmarshal(embedGet("root.json"), &data)
+	if err != nil {
+		c.Logger().Print(err)
+	}
+	return c.JSON(http.StatusOK, data)
+}
+// Pods Handler for default routes etc..Just returns blank
+func PodsHandler(c echo.Context) error {
+	var data map[string]interface{}
+	err := json.Unmarshal(embedGet("empty_list.json"), &data)
+	if err != nil {
+		c.Logger().Print(err)
+	}
+	return c.JSON(http.StatusOK, data)
+}
+// Handler for any k8s resource like deployments etc.
+func ResourceHandler(c echo.Context) error {
+	json_map := make(map[string]interface{})
+	err := json.NewDecoder(c.Request().Body).Decode(&json_map)
+	if err != nil {
+		c.Logger().Print(err)
+	}
+	return c.JSON(404, json_map)
+}
+//Pods Handler just returns a 201 and echo's back the post request
+func PostHandler(c echo.Context) error {
+	json_map := make(map[string]interface{})
+	err := json.NewDecoder(c.Request().Body).Decode(&json_map)
+	c.Logger().Print(json_map)
+	if err != nil {
+		c.Logger().Print(err)
+	}
+	return c.JSON(201, json_map)
+}
+//Pods Handler
+func ServiceHandler(c echo.Context) error {
+	servicePathBase := "resource_dump/"
+	service := c.Param("service")
+	version := c.Param("version")
+	fileName := "serverresources.json"
+	filePath := fmt.Sprintf("%s%s/%s/%s", servicePathBase, service, version, fileName)
+	var data map[string]interface{}
+	err := json.Unmarshal(embedGet(filePath), &data)
+	if err != nil {
+		c.Logger().Print(err)
+	}
+	return c.JSON(http.StatusOK, data)
+}

handler/openapiHandler.go

@@ -8,7 +8,7 @@ import (
 	"crypto/sha512"
 
 	"github.com/labstack/echo/v4"
-	"github.com/golang/protobuf/proto"
+	"google.golang.org/protobuf/proto"
 	openapi_v2 "github.com/googleapis/gnostic/openapiv2"
 )
 

main.go

@@ -4,32 +4,53 @@ import (
   "github.com/labstack/echo/v4/middleware"
   "github.com/zeerg/helix-honeypot/router"
   "github.com/zeerg/helix-honeypot/handler"
+  "flag"
+  "fmt"
+  "os"
 )
 
 func main() {
+  // Get the run mode
+  var runMode string
+  flag.StringVar(&runMode, "mode", "api", "The run mode for the honeypot [api, ad]")
+  flag.Parse()
+
+  if len(runMode) == 0 {
+    fmt.Println("Usage:")
+    flag.PrintDefaults()
+    os.Exit(1)
+}
+
+
   // Echo instance
   e := router.New()
 
   // Middleware
   e.Use(middleware.Logger())
   e.Use(middleware.Recover())
 
-  // Routes for basic k8s operations
-  e.GET("/", handler.RootHandler)
-  e.GET("/openapi/v2", handler.OpenApiHandler)
-  e.GET("/api/v1", handler.ApiResourceList)
-  e.GET("/api", handler.ApiHandler)
-  e.GET("/apis", handler.ApiGroupList)
-  e.GET("/apis/apps/v1/namespaces/:namespace/:workload", handler.PodsHandler)
-  e.GET("/apis/apps/v1/namespaces/:namespace/:workload/:app", handler.ResourceHandler)
-  e.GET("/apis/:service/:version", handler.ServiceHandler)
-  e.GET("/api/v1/namespaces/:namespace/:resource", handler.PodsHandler)
-  e.GET("/apis/extensions/v1beta1/namespaces/:namespace/:resource", handler.PodsHandler)
-  e.GET("/api/v1/:service", handler.PodsHandler)
-  e.POST("/api*", handler.PostHandler)
-
+  // Routes for Typical API Mode for honeypot logging
+  if runMode == "api" {
+    e.GET("/", handler.RootHandler)
+    e.GET("/openapi/v2", handler.OpenApiHandler)
+    e.GET("/api/v1", handler.ApiResourceList)
+    e.GET("/api", handler.ApiHandler)
+    e.GET("/apis", handler.ApiGroupList)
+    e.GET("/apis/:service/:version", handler.ServiceHandler)
+    e.GET("/apis/apps/v1/namespaces/:namespace/:workload/:app", handler.ResourceHandler)
+    e.GET("/apis/apps/v1/namespaces/:namespace/:workload", handler.PodsHandler)
+    e.GET("/api/v1/namespaces/:namespace/:resource", handler.PodsHandler)
+    e.GET("/apis/extensions/v1beta1/namespaces/:namespace/:resource", handler.PodsHandler)
+    e.GET("/api/v1/:service", handler.PodsHandler)
+    e.POST("/api*", handler.PostHandler)
+
+  }
+  // Routes for Active Defense Mode
+  if runMode == "ad" {
+    e.GET("/*", handler.ActiveDefenseHandler)
+    e.POST("/*", handler.ActiveDefenseHandler)
+  }
 
-
   // Start server
   e.Logger.Fatal(e.Start(":8000"))
 }

makefile

@@ -3,9 +3,6 @@
 help:
 	    @echo "Makefile commands:"
 	    @echo ""
-	    @echo "build - Build the docker file"
-	    @echo "push - Push to a repo"
-		@echo "up - Bring up docker compose file"
 		@echo "run - Go Run main"
 		@echo "tidy - Go Mody Tidy"
 		@echo "windows - Build windows binary"
@@ -17,22 +14,16 @@ help:
 
 .DEFAULT_GOAL := build-docker
 
-build-docker:
-	    @docker build . --file Dockerfile --tag helixhoneypot/helixhoneypot:latest
-
-push:
-	    @docker push helixhoneypot/helixhoneypot:latest
-
-up:
-		@docker-compose up -d
-
 run:
 		@go run main.go
 
+download:
+		@go mod download
+
 tidy:
 		@go mod tidy
 
-bins: windows linux darwin
+bins: download windows linux darwin
 
 windows: 
 		@env GOOS=windows GOARCH=amd64 go build -v -o bin/windows-helix -ldflags="-s -w"  main.go

readme.md

@@ -6,7 +6,14 @@
 [![Docker Image CI](https://github.com/Zeerg/helix-honeypot/actions/workflows/docker-image.yml/badge.svg)](https://github.com/Zeerg/helix-honeypot/actions/workflows/docker-image.yml)
 
 # Introduction
-Helix is a honeypot that fakes the K8s API server. All events are logged to stdout 
+Helix is a honeypot that serves two primary purposes. When running in K8s mode it listens and responds as a typical K8s api server(most endpoints). When running in active defense mode the api responses become massive and are meant to disrupt typical internet scanners.
+
+# Usage
+```
+Usage:
+  -mode string
+    	The run mode for the honeypot [api, ad] (default "api")
+```
 
 # Local Testing
 Clone this repo