sq5bpf/youpot
Youpot summary

Youpot is a novel proxy-back pure honeypot for worms (and other adversaries). While other honeypots will put a lot of effort into emulating some service, we will just proxy the TCP connection back to the original host on the same destination port.

Author: Jacek Lipkowski SQ5BPF youpot@lipkowski.org

For citation please use CITATION.cff

Confidence 2025 slide deck: https://github.com/sq5bpf/misc/blob/master/confidence2025.pdf

Reasoning

Building a high interaction honeypot requires either writing a lot of code to emulate a service, or modifying some server to work as a honeypot. Both are a lot of work, and leave a big attack surface to take care of.

Building a pure honeypot requires one to set up a whole system/systems that can be attacked, then set up cleanup procedures, instrumentation to get the data from the honeypot etc.

There is absolutely no way I will be able to emulate all services that a worm might crave for its replication. So let's just not do it. A worm will come looking for a similar type of system to the one it came from. So let's just give it exactly what it wants: proxy the TCP connection back to the originating host.

The attacker is the honeypot :)

Installing

Installing the software needs some basic Linux admin/networking/development skills.

  • Make sure you can run this service: you have the necessary expertise, you have permission from all involved parties etc.

  • Create a Linux host. I used Debian bare-bones GNU/Linux 12.x, but other distros should do too.

  • Install the usual C developer tools, openssl dev library (apt install libssl-dev in Debian)

  • Configure some way to access the host via something other than TCP from the internet. For example I set up OpenVPN listening on UDP, and set up a dummy interface for sshd to listen on. But any other method will do (WireGuard, tunneling sshd via Tor etc.).

  • Turn off all TCP services running on the external interface

  • Set up the firewall to redirect all TCP connections to 65534/tcp; look at firewall.sh as an example.

  • Reboot, make sure you can access this host over whatever admin interface you configured (for example ssh over openvpn).

  • Create a youpot user

  • As the youpot user do: cd ; git clone https://github.com/sq5bpf/youpot; cd youpot; make all

  • Run ~/youpot/youpot as the youpot user. Connect to youpot from some external host and see if it proxies connections back to you (for example, if you have 80/tcp running locally, then connecting to 80/tcp on the youpot host should connect you back to the IP you connected from, on the same port).

  • If all is fine, then run ~/youpot/youpot in some persistent way you like. For example I like to run it under screen; others will prefer tmux or a systemd service.

  • Remember to watch the amount of free space and the number of free inodes in the /home/youpot/youpot directory.

Testing:

  • Start youpot as the youpot user: /home/youpot/youpot/youpot
  • Connect to the honeypot using telnet from a host running unfirewalled telnetd, login, perform some commands.
  • Check the /home/youpot/log/192.168.122.1/23/SOME_TIMESTAMP (where 192.168.122.1 is the connecting host, SOME_TIMESTAMP is the epoch seconds and microseconds) for files textdump.log, hexdump.log and connection.json
  • Connect to the honeypot using ssh from a host running unfirewalled sshd, accept the key, login, perform some commands.
  • Check the /home/youpot/log/192.168.122.1/22/SOME_TIMESTAMP (where 192.168.122.1 is the connecting host, SOME_TIMESTAMP is the epoch seconds and microseconds) for the file ssh_mitm.log, and a subdirectory with the session contents.
  • Connect to the honeypot using curl -k https://192.168.122.57/some_file.txt (where 192.168.122.57 is the youpot IP) from a host running an unfirewalled HTTP server with TLS on port 443.
  • Check the /home/youpot/log/192.168.122.1/443/SOME_TIMESTAMP (where 192.168.122.1 is the connecting host, SOME_TIMESTAMP is the epoch seconds and microseconds) for files textdump.log, hexdump.log and connection.json

Example Debian-specific instructions

Youpot can be installed on any Linux distribution. I've included an example Debian 12.x install:

  • Install Debian 12 (I used the Debian 12.6 installer). I used KVM with 2 CPUs and 2GB RAM, guided/entire disk.

  • In the Debian installer "Choose software to install" deselect all options

  • apt install net-tools tcpdump build-essential vim-nox aptitude openssh-server git libssl-dev python3 python3-pip python3-venv

  • adduser youpot

  • Change /etc/network/interfaces to add a dummy interface:

source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
# this is the script that configures the firewall:
pre-up /etc/network/firewall.sh

# outside interface
#auto ens192
#iface ens192 inet static
#address 1.2.3.4/24
#gateway 1.2.3.1
#dns-nameservers 8.8.8.8

# dummy interface for sshd to listen on
auto dummy0
iface dummy0 inet static
address 192.168.100.1
netmask 255.255.255.252
pre-up /sbin/modprobe dummy numdummies=4

  • Change the sshd config to listen on 192.168.100.1. Add this to /etc/ssh/sshd_config: ListenAddress 192.168.100.1

  • Install and configure openvpn, add a route to 192.168.100.1

  • Reboot, check if you can connect via openvpn and login to ssh to 192.168.100.1

  • As the youpot user do: cd /home/youpot ; git clone https://github.com/sq5bpf/youpot; cd youpot; make all

  • Start youpot: /home/youpot/youpot/youpot

  • Perform testing as described above

Care and feeding

Youpot is currently hardcoded to run in /home/youpot/youpot. I will change this in the future.

The logs are in /home/youpot/youpot/log:

  • youpot.log - a generic log which shows what youpot is doing
  • directories named IP/PORT/SECONDS_MICROSECONDS, for example 1.2.3.4/23/1111_2222. Each of these contains hexdump.log (a hexdump of the traffic), textdump.log (a raw dump of the traffic, nicer to look at than the hexdump), connection.json (a JSON file with the traffic, easier to parse but harder for a human to read), and optionally files/directories created by a protocol proxy (currently only ssh-mitm).

Traffic modification

There is a simple facility to search/replace patterns in the traffic.

Place files like (where NNN is a number 0-99):

  • pattern_NNN (pattern to search)
  • replace_NNN (what to replace it with)
  • descr_NNN (description of the replacement)

In directories like:

  • /home/youpot/youpot/patterns_fromclient - replacing traffic from the client to the server
  • /home/youpot/youpot/patterns_fromserver - replacing traffic from the server to the client

Youpot will re-read the pattern files when it gets a SIGHUP, so after changing them you can do: kill -HUP $(pidof youpot)

NOTE: there is no port match currently, no regexps etc. This is on the TODO list somewhere.

Examples:

Break STARTTLS in SMTP:

echo -n 'STARTTLS' > /home/youpot/youpot/patterns_fromserver/pattern_1
echo -n 'STARTWTF' > /home/youpot/youpot/patterns_fromserver/replace_1
echo 'break STARTTLS from server' > /home/youpot/youpot/patterns_fromserver/descr_1
echo -n 'STARTTLS' > /home/youpot/youpot/patterns_fromclient/pattern_1
echo -n 'HELP WTF' > /home/youpot/youpot/patterns_fromclient/replace_1
echo 'break STARTTLS from client' > /home/youpot/youpot/patterns_fromclient/descr_1

Mess with HTTP headers:

echo -n 'Accept-Encoding: gzip, deflate' > /home/youpot/youpot/patterns_fromclient/pattern_10
echo -n 'Accept-Encoding: wtf' > /home/youpot/youpot/patterns_fromclient/replace_10
echo 'turn off compression1' > /home/youpot/youpot/patterns_fromclient/descr_10

echo -n 'Accept-Encoding: gzip' > /home/youpot/youpot/patterns_fromclient/pattern_11
echo -n 'Accept-Encoding: wtf' > /home/youpot/youpot/patterns_fromclient/replace_11
echo 'turn off compression2' > /home/youpot/youpot/patterns_fromclient/descr_11
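As an added illustration (not youpot's own C code), here is a small Python re-implementation of the pattern directory semantics described above: pattern_NNN/replace_NNN/descr_NNN files are loaded in numeric order and applied as plain byte substitutions. It recreates the README's STARTTLS and Accept-Encoding rules in a temporary directory and runs them over constructed SMTP and HTTP traffic, which also shows why rule order matters when one pattern is a prefix of another; load_patterns, apply_patterns, _write_rule and demo are assumed names.

```python
import re
import tempfile
from pathlib import Path

# Illustrative re-implementation of youpot's pattern_NNN / replace_NNN / descr_NNN files (not the project's C code).
_PATTERN_FILE = re.compile(r"^pattern_(\d{1,2})$")

def load_patterns(directory):
    """Return [(number, pattern, replacement, description)] sorted by number."""
    rules = []
    for entry in Path(directory).iterdir():
        m = _PATTERN_FILE.match(entry.name)
        if not m:
            continue
        num, pattern = m.group(1), entry.read_bytes()
        replacement = entry.with_name(f"replace_{num}")
        if not pattern or not replacement.is_file():
            continue  # empty pattern would match everywhere; no replace_NNN means nothing to do
        descr_file = entry.with_name(f"descr_{num}")
        descr = descr_file.read_text().strip() if descr_file.is_file() else ""
        rules.append((int(num), pattern, replacement.read_bytes(), descr))
    return sorted(rules, key=lambda r: r[0])

def apply_patterns(data, rules):
    """Plain byte substitution in rule order: no regex, no port match (as the README says)."""
    hits = []
    for num, pattern, replacement, descr in rules:
        count = data.count(pattern)
        if count:
            data = data.replace(pattern, replacement)
            hits.append((num, descr, count))
    return data, hits

def _write_rule(directory, num, pattern, replacement, descr):
    (directory / f"pattern_{num}").write_bytes(pattern)
    (directory / f"replace_{num}").write_bytes(replacement)
    (directory / f"descr_{num}").write_text(descr + "\n")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        srv, cli = Path(tmp, "patterns_fromserver"), Path(tmp, "patterns_fromclient")
        for d in (srv, cli): d.mkdir()
        _write_rule(srv, 1, b"STARTTLS", b"STARTWTF", "break STARTTLS from server")
        _write_rule(cli, 10, b"Accept-Encoding: gzip, deflate", b"Accept-Encoding: wtf", "turn off compression1")
        _write_rule(cli, 11, b"Accept-Encoding: gzip", b"Accept-Encoding: wtf", "turn off compression2")
        banner = b"250-mail.example.test\r\n250-STARTTLS\r\n250 OK\r\n"  # constructed EHLO reply
        request = b"GET / HTTP/1.1\r\nAccept-Encoding: gzip, deflate\r\n\r\n"  # constructed request
        srv_out, srv_hits = apply_patterns(banner, load_patterns(srv))
        cli_out, cli_hits = apply_patterns(request, load_patterns(cli))
        return srv_out, srv_hits, cli_out, cli_hits
```

Rule 11 never fires in the demo because rule 10 already rewrote the header, so keeping the longer pattern at the lower number is what makes the pair behave as intended.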

Reporting

There are no reporting tools included with this software. Just parse the files yourself.

Some hints:

Look at unique ports we caught:

cd ~/youpot/log
ls -1d */* | cut -d / -f 2 | sort -u

Look at the raw dump of traffic for each port (press q for the next port):

cd ~/youpot/log
ls -1d */* | cut -d / -f 2 | sort -u |while read port; do (echo "#######  $port   #######"; cat */$port/*/textdump.log ) |less ; done
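The shell one-liners above list ports; as an added example (not part of youpot), the following Python summarises the same log tree per destination port from the IP/PORT/SECONDS_MICROSECONDS directory names: session counts, unique source IPs, first/last seen and which artefact files exist. It builds a constructed log tree in a temporary directory; parse_session, summarize, _fake_session and demo are assumed names.

```python
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import Path

def parse_session(root, session_dir):
    """Map log/IP/PORT/SEC_USEC to (ip, port, UTC datetime); None otherwise. Illustrative code, not youpot's own."""
    parts = session_dir.relative_to(root).parts
    if len(parts) != 3 or not session_dir.is_dir():
        return None
    ip, port, stamp = parts
    try:
        sec, usec = stamp.split("_")
        when = datetime.fromtimestamp(int(sec), tz=timezone.utc) + timedelta(microseconds=int(usec))
        return ip, int(port), when
    except ValueError:
        return None  # directory name is not SECONDS_MICROSECONDS

def summarize(log_root):
    """Per destination port: session count, sorted unique source IPs, first/last seen, artefact file names."""
    root = Path(log_root)
    per_port = defaultdict(lambda: {"sessions": 0, "sources": set(), "first": None, "last": None, "files": set()})
    for sess in root.glob("*/*/*"):
        parsed = parse_session(root, sess)
        if parsed is None:
            continue
        ip, port, when = parsed
        entry = per_port[port]
        entry["sessions"] += 1
        entry["sources"].add(ip)
        entry["files"].update(f.name for f in sess.iterdir() if f.is_file())
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
    for entry in per_port.values():
        entry["sources"], entry["files"] = sorted(entry["sources"]), sorted(entry["files"])
    return dict(per_port)

def _fake_session(root, rel, files):
    d = root / rel
    d.mkdir(parents=True)
    for name in files:
        (d / name).write_text("constructed\n")  # youpot writes the captured traffic here

def demo():
    # Constructed tree mirroring the README's testing section: telnet, ssh, and a second telnet source.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _fake_session(root, "192.168.122.1/23/1700000000_000123", ["textdump.log", "hexdump.log", "connection.json"])
        _fake_session(root, "10.0.0.5/23/1700000200_000000", ["textdump.log", "hexdump.log", "connection.json"])
        _fake_session(root, "192.168.122.1/22/1700000100_500000", ["ssh_mitm.log"])
        return summarize(root)
```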

TODO

This is my hobby research project, and is a very early release, so there is much room for improvement.

Some stuff to do:

  • De-uglify source: split the project into separate files, use command line parameters instead of hardcoded values etc.
  • Implement MiTM proxies for other protocols (similar to how the ssh-mitm proxy support was implemented)
  • Write documentation
  • Better logging and some reporting.
  • Pcap file support
  • This was written in C, should probably be rewritten in some more modern language
