anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
3dc5b509f65659740714bfb6c0ac6d4b2827f7cb
DECNET/development/DEVELOPMENT.md
anti 3dc5b509f6 feat: Phase 1 — JA3/JA3S sniffer, Attacker model, profile worker 
Add passive TLS fingerprinting via a sniffer container on the MACVLAN
interface, plus the Attacker table and periodic rebuild worker that
correlates per-IP profiles from Log + Bounty + CorrelationEngine.

- templates/sniffer/: Scapy sniffer with pure-Python TLS parser;
  emits tls_client_hello / tls_session RFC 5424 lines with ja3, ja3s,
  sni, alpn, raw_ciphers, raw_extensions; GREASE filtered per RFC 8701
- decnet/services/sniffer.py: service plugin (no ports, NET_RAW/NET_ADMIN)
- decnet/web/db/models.py: Attacker SQLModel table + AttackersResponse
- decnet/web/db/repository.py: 5 new abstract methods
- decnet/web/db/sqlite/repository.py: implement all 5 (upsert, pagination,
  sort by recent/active/traversals, bounty grouping)
- decnet/web/attacker_worker.py: 30s periodic rebuild via CorrelationEngine;
  extracts commands from log fields, merges fingerprint bounties
- decnet/web/api.py: wire attacker_profile_worker into lifespan
- decnet/web/ingester.py: extract JA3 bounty (fingerprint_type=ja3)
- development/DEVELOPMENT.md: full attacker intelligence collection roadmap
- pyproject.toml: scapy>=2.6.1 added to dev deps
- tests: test_sniffer_ja3.py (40+ vectors), test_attacker_worker.py,
  test_base_repo.py / test_web_api.py updated for new surface
2026-04-13 20:22:08 -04:00

8.0 KiB
Raw Blame History

DECNET Development Roadmap

🛠️ Service Realism & Interaction (First Release Path)

Goal: Ensure every service is interactive enough to feel real during manual exploration.

Remote Access & Shells

  • SSH (Cowrie) — Custom filesystem, realistic user database, and command execution.
  • Telnet (Cowrie) — Realistic banner and command emulation.
  • RDP — Realistic NLA authentication and screen capture (where possible).
  • VNC — Realistic RFB protocol handshake and authentication.
  • Real SSH — High-interaction sshd with shell logging.

Databases

  • MySQL — Support for common SQL queries and realistic schema.
  • Postgres — Realistic version strings and basic query support.
  • MSSQL — Realistic TDS protocol handshake.
  • MongoDB — Support for common Mongo wire protocol commands.
  • Redis — Support for basic GET/SET/INFO commands.
  • Elasticsearch — Realistic REST API responses for /_cluster/health etc.

Web & APIs

  • HTTP — Flexible templates (WordPress, phpMyAdmin, etc.) with logging.
  • Docker API — Realistic responses for docker version and docker ps.
  • Kubernetes (K8s) — Mocked kubectl responses and basic API exploration.
  • LLMNR — Realistic local name resolution responses via responder-style emulation.

File Transfer & Storage

  • SMB — Realistic share discovery and basic file browsing.
  • FTP — Support for common FTP commands and directory listing.
  • TFTP — Basic block-based file transfer emulation.

Directory & Mail

  • LDAP — Basic directory search and authentication responses.
  • SMTP — Mail server banners and basic EHLO/MAIL FROM support.
  • IMAP — Realistic mail folder structure and auth.
  • POP3 — Basic mail retrieval protocol emulation.

Industrial & IoT (ICS)

  • MQTT — Basic topic subscription and publishing support.
  • SNMP — Realistic MIB responses for common OIDs.
  • SIP — Basic VoIP protocol handshake and registration.
  • Conpot — SCADA/ICS protocol emulation (Modbus, etc.).

Core / Hardening

  • [~] Attacker fingerprinting — HTTP User-Agent, VNC client version stored as fingerprint bounties. JA3/JA3S in progress (sniffer container). HASSH, JA4+, TCP stack, JARM planned (see Attacker Intelligence section).
  • Canary tokens — Embed fake AWS keys and honeydocs into decky filesystems.
  • Tarpit mode — Slow down attackers by drip-feeding bytes or delaying responses.
  • Dynamic decky mutation — Rotate exposed services or OS fingerprints over time.
  • Credential harvesting DB — Centralized database for all username/password attempts.
  • Session recording — Full capture for SSH/Telnet sessions.
  • Payload capture — Store and hash files uploaded by attackers.

Detection & Intelligence

  • Real-time alerting — Webhook/Slack/Telegram notifications for first-hits.
  • Threat intel enrichment — Auto-lookup IPs against AbuseIPDB, Shodan, and GreyNoise.
  • Attack campaign clustering — Group sessions by signatures and timing patterns.
  • GeoIP mapping — Visualize attacker origin and ASN data on a map.
  • TTPs tagging — Map observed behaviors to MITRE ATT&CK techniques.

Dashboard & Visibility

  • Web dashboard — Real-time React SPA + FastAPI backend for logs and fleet status.
  • Decky Inventory — Dedicated "Decoy Fleet" page showing all deployed assets.
  • Pre-built Kibana/Grafana dashboards — Ship JSON exports for ELK/Grafana.
  • [~] CLI live feeddecnet watch — WON'T IMPLEMENT: redundant with tail -f on the existing log file; adds bloat without meaningful value.
  • Traversal graph export — Export attacker movement as JSON (via CLI).

Deployment & Infrastructure

  • SWARM / multihost mode — Ansible-based orchestration for multi-node deployments.
  • Terraform/Pulumi provider — Cloud-hosted decky deployment.
  • Kubernetes deployment mode — Run deckies as K8s pods.
  • Lifecycle Management — Automatic API process termination on teardown.
  • Health monitoring — Active vs. Deployed decky tracking in the dashboard.

Services & Realism

  • HTTPS/TLS support — Honeypots with SSL certificates.
  • Fake Active Directory — Convincing AD/LDAP emulation.
  • Realistic web apps — Fake WordPress, Grafana, and phpMyAdmin templates.
  • OT/ICS profiles — Expanded Modbus, DNP3, and BACnet support.

Attacker Intelligence Collection

Goal: Build the richest possible attacker profile from passive observation across all 26 services.

TLS/SSL Fingerprinting (via sniffer container)

  • JA3/JA3S — TLS ClientHello/ServerHello fingerprint hashes
  • JA4+ family — JA4, JA4S, JA4H, JA4L (latency/geo estimation via RTT)
  • JARM — Active server fingerprint; identifies C2 framework from TLS server behavior
  • CYU — Citrix-specific TLS fingerprint
  • TLS session resumption behavior — Identifies tooling by how it handles session tickets
  • Certificate details — CN, SANs, issuer, validity period, self-signed flag (attacker-run servers)

Timing & Behavioral

  • Inter-packet arrival times — OS TCP stack fingerprint + beaconing interval detection
  • TTL values — Rough OS / hop-distance inference
  • TCP window size & scaling — p0f-style OS fingerprinting
  • Retransmission patterns — Identify lossy paths / throttled connections
  • Beacon jitter variance — Attribute tooling: Cobalt Strike vs. Sliver vs. Havoc have distinct profiles
  • C2 check-in cadence — Detect beaconing vs. interactive sessions
  • Data exfil timing — Behavioral sequencing relative to recon phase

Protocol Fingerprinting

  • TCP/IP stack — ISN patterns, DF bit, ToS/DSCP, IP ID sequence (random/incremental/zero)
  • HASSH / HASSHServer — SSH KEX algo, cipher, MAC order → tool fingerprint
  • HTTP/2 fingerprint — GREASE values, settings frame order, header pseudo-field ordering
  • QUIC fingerprint — Connection ID length, transport parameters order
  • DNS behavior — Query patterns, recursion flags, EDNS0 options, resolver fingerprint
  • HTTP header ordering — Tool-specific capitalization and ordering quirks

Network Topology Leakage

  • X-Forwarded-For mismatches — Detect VPN/proxy slip vs. actual source IP
  • ICMP error messages — Internal IP leakage from misconfigured attacker infra
  • IPv6 link-local leakage — IPv6 addrs leaked even over IPv4 VPN (common opsec fail)
  • mDNS/LLMNR leakage — Attacker hostname/device info from misconfigured systems

Geolocation & Infrastructure

  • ASN lookup — Source IP autonomous system number and org name
  • BGP prefix / RPKI validity — Route origin legitimacy
  • PTR records — rDNS for attacker IPs (catches infra with forgotten reverse DNS)
  • Latency triangulation — JA4L RTT estimates for rough geolocation

Service-Level Behavioral Profiling

  • Commands executed — Full command log per session (SSH, Telnet, FTP, Redis, DB services)
  • Services actively interacted with — Distinguish port scans from live exploitation attempts
  • Tooling attribution — Byte-sequence signatures from known C2 frameworks in handshakes
  • Credential reuse patterns — Same username/password tried across multiple deckies/services
  • Payload signatures — Hash and classify uploaded files, shellcode, exploit payloads

Developer Experience

  • API Fuzzing — Property-based testing for all web endpoints.
  • CI/CD pipeline — Automated testing and linting via Gitea Actions.
  • Strict Typing — Project-wide enforcement of PEP 484 type hints.
  • Plugin SDK docs — Documentation for adding custom services.
  • Config generator wizarddecnet wizard for interactive setup.
Reference in New Issue View Git Blame Copy Permalink