anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
57d395d6d7b5cfd00de1aa465c2f08466895c5fb
DECNET/development/DEVELOPMENT.md
anti 435c004760
Some checks failed
CI / Lint (ruff) (push) Successful in 11s
Details
CI / SAST (bandit) (push) Successful in 14s
Details
CI / Dependency audit (pip-audit) (push) Successful in 24s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m2s
Details
CI / Test (Standard) (3.12) (push) Successful in 2m5s
Details
CI / Test (Live) (3.11) (push) Successful in 56s
Details
CI / Test (Fuzz) (3.11) (push) Failing after 6m25s
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
feat: extract HTTP User-Agent and VNC client version as fingerprint bounties
2026-04-13 08:14:38 -04:00

5.0 KiB
Raw Blame History

DECNET Development Roadmap

🛠️ Service Realism & Interaction (First Release Path)

Goal: Ensure every service is interactive enough to feel real during manual exploration.

Remote Access & Shells

  • SSH (Cowrie) — Custom filesystem, realistic user database, and command execution.
  • Telnet (Cowrie) — Realistic banner and command emulation.
  • RDP — Realistic NLA authentication and screen capture (where possible).
  • VNC — Realistic RFB protocol handshake and authentication.
  • Real SSH — High-interaction sshd with shell logging.

Databases

  • MySQL — Support for common SQL queries and realistic schema.
  • Postgres — Realistic version strings and basic query support.
  • MSSQL — Realistic TDS protocol handshake.
  • MongoDB — Support for common Mongo wire protocol commands.
  • Redis — Support for basic GET/SET/INFO commands.
  • Elasticsearch — Realistic REST API responses for /_cluster/health etc.

Web & APIs

  • HTTP — Flexible templates (WordPress, phpMyAdmin, etc.) with logging.
  • Docker API — Realistic responses for docker version and docker ps.
  • Kubernetes (K8s) — Mocked kubectl responses and basic API exploration.
  • LLMNR — Realistic local name resolution responses via responder-style emulation.

File Transfer & Storage

  • SMB — Realistic share discovery and basic file browsing.
  • FTP — Support for common FTP commands and directory listing.
  • TFTP — Basic block-based file transfer emulation.

Directory & Mail

  • LDAP — Basic directory search and authentication responses.
  • SMTP — Mail server banners and basic EHLO/MAIL FROM support.
  • IMAP — Realistic mail folder structure and auth.
  • POP3 — Basic mail retrieval protocol emulation.

Industrial & IoT (ICS)

  • MQTT — Basic topic subscription and publishing support.
  • SNMP — Realistic MIB responses for common OIDs.
  • SIP — Basic VoIP protocol handshake and registration.
  • Conpot — SCADA/ICS protocol emulation (Modbus, etc.).

Core / Hardening

  • Attacker fingerprinting — HTTP User-Agent and VNC client version stored as fingerprint bounties. TLS JA3/JA4 and TCP window sizes require pcap (out of scope). SSH client banner deferred pending asyncssh server.
  • Canary tokens — Embed fake AWS keys and honeydocs into decky filesystems.
  • Tarpit mode — Slow down attackers by drip-feeding bytes or delaying responses.
  • Dynamic decky mutation — Rotate exposed services or OS fingerprints over time.
  • Credential harvesting DB — Centralized database for all username/password attempts.
  • Session recording — Full capture for SSH/Telnet sessions.
  • Payload capture — Store and hash files uploaded by attackers.

Detection & Intelligence

  • Real-time alerting — Webhook/Slack/Telegram notifications for first-hits.
  • Threat intel enrichment — Auto-lookup IPs against AbuseIPDB, Shodan, and GreyNoise.
  • Attack campaign clustering — Group sessions by signatures and timing patterns.
  • GeoIP mapping — Visualize attacker origin and ASN data on a map.
  • TTPs tagging — Map observed behaviors to MITRE ATT&CK techniques.

Dashboard & Visibility

  • Web dashboard — Real-time React SPA + FastAPI backend for logs and fleet status.
  • Decky Inventory — Dedicated "Decoy Fleet" page showing all deployed assets.
  • Pre-built Kibana/Grafana dashboards — Ship JSON exports for ELK/Grafana.
  • [~] CLI live feeddecnet watch — WON'T IMPLEMENT: redundant with tail -f on the existing log file; adds bloat without meaningful value.
  • Traversal graph export — Export attacker movement as JSON (via CLI).

Deployment & Infrastructure

  • SWARM / multihost mode — Ansible-based orchestration for multi-node deployments.
  • Terraform/Pulumi provider — Cloud-hosted decky deployment.
  • Kubernetes deployment mode — Run deckies as K8s pods.
  • Lifecycle Management — Automatic API process termination on teardown.
  • Health monitoring — Active vs. Deployed decky tracking in the dashboard.

Services & Realism

  • HTTPS/TLS support — Honeypots with SSL certificates.
  • Fake Active Directory — Convincing AD/LDAP emulation.
  • Realistic web apps — Fake WordPress, Grafana, and phpMyAdmin templates.
  • OT/ICS profiles — Expanded Modbus, DNP3, and BACnet support.

Developer Experience

  • API Fuzzing — Property-based testing for all web endpoints.
  • CI/CD pipeline — Automated testing and linting via Gitea Actions.
  • Strict Typing — Project-wide enforcement of PEP 484 type hints.
  • Plugin SDK docs — Documentation for adding custom services.
  • Config generator wizarddecnet wizard for interactive setup.
Reference in New Issue View Git Blame Copy Permalink