Skip to content
This repository has been archived by the owner on Jul 9, 2021. It is now read-only.

0xThiebaut/dnsbeat-poc

Repository files navigation

Dnsbeat Proof-of-Concept

Set-Up

This proof-of-concept relies on Docker Compose.

git clone https://github.com/0xThiebaut/dnsbeat-poc
cd dnsbeat-poc
docker-compose up -d

Usage

As soon as the environment is up and spinning, have a look around the Kibana dashboards at localhost:5601.

The Elastic statistical analysis tool ee-outliers is included in this proof-of-concept. As we need some baseline for such an analysis, go have a coffee and take 20 minutes to enjoy life...

Outlier Generation

This proof-of-concept honeypot is vulnerable to malicious dynamic updates. Go ahead and use nsupdate to inject a malicious entry.

nsupdate

Once you are running the dynamic DNS update utility, inject your malicious entries into the server. To do so, you will need to select our vulnerable DNS server after which you can use the update command to add an entry.

server 127.0.0.1 5053
update add malicious.honeypot.local 800 CNAME c2.example.com.
send
quit

Outlier Detection

After ee-outliers has run, which can take up to a minute, you may now find the malicious entry by searching for events tagged as "outlier".

Kibana results for "tags: outlier"

Tear-Down

docker-compose down -v

About

A proof-of-concept for 0xThiebaut/dnsbeat.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published