HoneyThing is a honeypot for Internet of TR-069 things. It's designed to act as completely a modem/router that has RomPager embedded web server and supports TR-069 (CWMP) protocol.

Project idea was created by Ali Ikinci and offered as Honeynet GSoC project in 2015.

Basic features:

• Emulates some popular vulnerabilities for RomPager as Misfortune Cookie, Rom-0 etc.
• TR-069 protocol support. Implements mostly used TR-069 CPE commands. e.g: GetRPCMethods, Get/Set ParameterValues, Download...
• Modem web interface to increase the interaction with attacker.
• All communication with services (http.log, cwmp.log) and state of honeypot (started/stopped, error etc. to honeything.log) are logged in parsable text format.

Debian and RPM packages will be available soon.

There're 2 ways to install HoneyThing:

For all of them, your system must have Python 2.7 (or above) and PycURL package.

• Setup Script: Using setup script requires python setuptools package installed on the system. After downloading and extracting HoneyThing, you can simply go to extracted directory and run;

python setup.py install

• Pre-Built Packages: HoneyThing can be installed by using pre-built packages for Ubuntu and CentOS. Packages can be downloaded from download section and will be added for any stable release.

For Ubuntu;

dpkg -i honeything_x.y.z.deb

For CentOS;

rpm -i honeything_x.y.z.rpm

After installation, some parameters can be changed optional by using configuration file. There're 4 section in config file:

• http: HTTP listen address/port can be edited in this section.
• cwmp: Some TR-069 parameters as listen address/port, ACS url, download directory for "download" CPE command, connection request path etc. can be edited.
• cpe: In cpe section, there're lots of variables related to modem/router device like manufacturer, serial number, model name etc. They can be edited to provide device variety in ACS communication.
• logging: Log file paths, log level and some protocol specific parameters can be changed in this section.

If you installed HoneyThing with setup script or pre-built packages, honeything can be run by using following commands:

service honeything {start|stop|restart|status}

or

/etc/init.d/honeything {start|stop|restart|status}

A paper about this project is published (in TURKISH) at International Conference on Information Security and Cryptology [ISCTurkey 2015]. It is accessible online from here.

The project:

• Developed by Ömer Erdem
• Idea by Ali Ikinci
• Advisor Dr. Mehmet Kara

and special thanks to Bâkır Emre for taking the first step.

Note: This project is also being developed as Istanbul Sehir University master's thesis.