
Trigat

queenbee.py Honeypot

12-18-2018

A simple file share honeypot written in Python. It checks if a file has been modified. Once triggered, the script can send an e-mail alert through Office 365 and disable the NIC on the server.

Language or Platform: Python

LICENSE

Code:

import smtplib
import subprocess
import os.path
import time, stat
import errno
import sys

##################################################
#
#           (Python 3)
# Run at Command Prompt(as Administrator):
# python queenbee.py
#
# Author: trigat[at]protonmail.com
#
##################################################

###### USER VARIABLES #########

# Name of the network interface that is disabled when the honeypot trips.
# It is passed to netsh by name, so it has to match the adapter's name.
nic_name = 'LocalConnection'

# Directory that is shared out as bait and then watched.
source_dir = r'C:/QueenBee'

# Bait files that live directly in source_dir.
f1 = f'{source_dir}/bee1.txt'
f2 = f'{source_dir}/bee2.jpg'
file_list = [f1, f2]

# NOTE: source_file is rebound on every pass, so once the loop ends it names
# only the last entry of file_list (f2). Code that reads source_file therefore
# looks at a single bait file, not at every file listed above.
for f in file_list:
    source_file = f

# Email settings
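def send_email():
    """Send the fixed alert text through the SMTP relay configured below.

    Relay address, port, sender and recipients are hard-coded in this
    function. Delivery problems are reported on stdout and never raised, so
    a failed alert does not stop the caller from continuing its response.
    """
    port = 25
    smtp_server = "192.168.0.30"
    sender = 'user@domain.com'
    receivers = ['user@domain.com']

    # The leading newline closes an empty header section: the alert text is
    # the body and the mail carries no Subject/From/To headers.
    message = "\nQUEEN BEE ALERT TRIGGERED"

    # NOTE(review): this is plain SMTP on port 25 with no STARTTLS and no
    # login, so the relay must accept unauthenticated mail from this host and
    # the alert travels in clear text - confirm that fits the deployment.
    try:
        # The timeout bounds connect/send so an unreachable relay cannot hold
        # up whatever the caller does after alerting; the context manager
        # closes the connection, which the bare SMTP object never did.
        with smtplib.SMTP(smtp_server, port, timeout=10) as smtpObj:
            smtpObj.sendmail(sender, receivers, message)
        print("Successfully sent email")
    except (smtplib.SMTPException, OSError):
        # Narrowed from a bare except so Ctrl-C and SystemExit still propagate.
        print("Error: Unable to send email.  NIC may be disabled.")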

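def create_share():
    """Create the bait directory and files, then publish it as share QueenBee.

    Uses the module-level source_dir, file_list and source_file settings.
    Existing files are left untouched. Failures of ``net share`` are printed,
    not raised.
    """
    if not os.path.exists(source_dir):
        os.makedirs(source_dir)

    # Write every configured bait file. source_file alone names only the last
    # entry of file_list, which left the other listed files uncreated.
    # NOTE: files written here carry a fresh modification time; check_dir()
    # treats anything modified in the last 30 seconds as an attack, so
    # starting the monitor right after this step trips the alert.
    for bait_path in dict.fromkeys(file_list + [source_file]):
        if not os.path.exists(bait_path):
            with open(bait_path, 'w') as bait:
                bait.write('Welcome to the beehive.')

    # The share is deliberately open (Everyone, FULL) because it is the lure;
    # the directory should hold decoy content only.
    share_cmd = ('net share QueenBee="' + source_dir.replace('/', '\\') +
                 '" /GRANT:Everyone,FULL')
    try:
        subprocess.check_output(share_cmd)
    except subprocess.CalledProcessError as err:
        os.system('cls' if os.name == 'nt' else 'clear')
        print('\nThat share name already exists.\n')
        # Any non-zero exit lands here (a prompt without administrator rights
        # is one possible cause), so show the status instead of hiding it.
        print(' (net share exit status: ' + str(err.returncode) + ')\n')
    except OSError as err:
        # The command could not be started at all, e.g. not a Windows host.
        print('\nUnable to run "net share": ' + str(err) + '\n')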
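def _trigger_response():
    """Send the alert, disable the configured NIC, then end the process."""
    # Mail goes first: once the interface is down the alert cannot leave.
    send_email()
    time.sleep(2)
    # Only the adapter named in nic_name is disabled, not every adapter.
    print("Disabling NIC")
    try:
        subprocess.check_output('netsh interface set interface "' +
                                nic_name + '" admin=disable')
        print("NIC disabled")
    except (subprocess.CalledProcessError, OSError) as e:
        # The failure used to be discarded silently; a host that is still on
        # the network after an alert is something the operator must see.
        print("Error: Unable to disable NIC:", e)
    # sys.exit instead of the site-provided exit(), which is not guaranteed
    # to exist outside an interactive interpreter.
    sys.exit(0)


def check_dir():
    """Poll the bait directory every two seconds and respond to tampering.

    Responds (alert e-mail, NIC disable, process exit) when source_dir or a
    watched bait file is missing, or when any file or sub-directory under
    source_dir has a modification time within the last 30 seconds.

    NOTE: detection relies on modification times only. Reading or copying a
    bait file does not change its mtime, and mtime is metadata a writer can
    set, so this catches recent writes, creations and deletions, not access.
    """
    # source_file is always watched (original behaviour). Other configured
    # bait files are watched too when they exist at start-up, so deleting any
    # of them is noticed rather than only the last one in file_list.
    watched = [source_file] + [
        p for p in file_list if p != source_file and os.path.isfile(p)
    ]

    while True:
        # Needed to detect removal of the share root or of top level files.
        if not os.path.isdir(source_dir) or any(
                not os.path.isfile(p) for p in watched):
            print("Found Deletion")
            _trigger_response()

        for currentdir, dirs, files in os.walk(source_dir):
            for file in files:
                currentfile = os.path.join(currentdir, file)
                try:
                    ftime = os.path.getmtime(currentfile)
                except OSError:
                    # The file vanished between the directory listing and the
                    # stat call. Previously this crashed the monitor without
                    # raising any alert.
                    print("Found Deletion")
                    _trigger_response()
                if time.time() - ftime <= 30:
                    print("Found modification in last 30 seconds for file =>", currentfile, time.ctime(ftime))
                    _trigger_response()
                else:
                    print('No recent modifications.' + currentfile)
            for folder in dirs:
                currentfolder = os.path.join(currentdir, folder)
                try:
                    dtime = os.stat(currentfolder)[stat.ST_MTIME]
                except OSError:
                    # Same race as above, for a removed sub-directory.
                    print("Found Deletion")
                    _trigger_response()
                if time.time() - dtime <= 30:
                    print("Found modification in last 30 seconds for folder =>", currentfolder, time.ctime(dtime))
                    _trigger_response()
                else:
                    print('No recent modifications: ' + currentfolder)
        time.sleep(2)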

def get_input():
    """Run the interactive menu until the operator chooses to exit.

    Option 1 creates the bait share after a y/n confirmation, option 2
    starts monitoring, option 3 leaves the loop. Anything else prints an
    error and shows the menu again.
    """
    menu_text = '\n'.join([
        " 1. Create File Share",
        " 2. Monitor File Share",
        " 3. Exit",
    ])

    while True:
        print('\n Select number:\n\n')
        print(menu_text)
        choice = input(' :')
        print(" ")

        if choice == '1':
            os.system('cls' if os.name == 'nt' else 'clear')
            print('\nA new share will be created under\n\n "' + source_dir + '"\n')
            answer = input("Are you sure want to create the share? (y/n): \n\n")
            # Only an answer starting with "y" (any case) goes ahead.
            if answer.lower().strip()[:1] == "y":
                create_share()
            continue

        if choice == '2':
            check_dir()
            continue

        if choice == '3':
            print('\n Goodbye.')
            break

        print('\n\n\n That is not a valid option.\n')

# Entry point: show the interactive menu only when run as a script.
if __name__ == '__main__':
    get_input()
