HB Honeypot
Heartbleed honeypot script that listens on TCP port 443 and responds with bogus SSL heartbeat responses. Detects and logs IPs attempting Heartbleed scans while rickrolling scanners.
Description
HB-Honeypot is a Perl script that emulates an SSL service vulnerable to Heartbleed (CVE-2014-0160). It listens on the privileged TCP port 443, typically used for HTTPS, and provides deceptive responses to incoming connections. The tool serves as a honeypot to attract and identify attackers scanning for Heartbleed flaws.
Use cases include network defense, threat intelligence gathering, and research into Heartbleed exploitation attempts. By running it as root, security researchers and defenders can monitor for scanners mimicking the byte pattern from Jared Stafford's Heartbleed demo. Suspected scanner IPs are output to the console for further analysis.
The honeypot distinguishes Heartbleed probes from other traffic by detecting specific byte patterns associated with those probes. Non-matching connections receive completely bogus SSL heartbeat responses, while matches trigger logging and a humorous 'rickroll' in the hex dump output.
How It Works
The Perl script binds to TCP port 443 and handles incoming SSL heartbeat requests. It inspects the initial byte pattern of connections against the signature used in Jared Stafford's Heartbleed (CVE-2014-0160) demo. Bogus heartbeat responses are sent to non-matching traffic to simulate a vulnerable service. Matching patterns trigger console logging of the source IP and embed a rickroll payload in the hex dump. Requires root privileges for port 443 binding.
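The Python sketch below is an added example, not part of HB-Honeypot or its Perl source. Rather than matching one fixed byte signature, it applies the more general RFC 6520 length check that identifies a Heartbleed-style request (claimed payload length larger than the record can hold) and collects the source IPs to log. The function names, sample records and documentation-range IPs are constructed for illustration.

```python
import struct

HEARTBEAT_RECORD = 24   # TLS record content type "heartbeat" (RFC 6520)
HEARTBEAT_REQUEST = 1   # HeartbeatMessageType heartbeat_request
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding

def classify_record(data: bytes) -> str:
    """Return 'truncated', 'other', 'malformed', 'heartbeat-ok' or 'heartbleed-probe'."""
    if len(data) < 5:
        return "truncated"              # not even a full 5-byte record header
    content_type, major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != HEARTBEAT_RECORD or major != 3:
        return "other"                  # handshake, alert, plain HTTP, ...
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated"              # header promises more than was received
    if rec_len < 3:
        return "malformed"              # no room for type + payload_length
    msg_type, claimed = struct.unpack("!BH", body[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return "other"
    # type (1) + payload_length (2) + payload + padding must fit in the record.
    if 3 + claimed + MIN_PADDING > rec_len:
        return "heartbleed-probe"
    return "heartbeat-ok"

def suspect_sources(events):
    """events: iterable of (source_ip, received_bytes). Flagged IPs, deduplicated, in order."""
    flagged = []
    for ip, data in events:
        if classify_record(data) == "heartbleed-probe" and ip not in flagged:
            flagged.append(ip)
    return flagged

# Constructed sample input (hypothetical connections, documentation IP ranges).
SAMPLE_EVENTS = [
    ("192.0.2.10", bytes.fromhex("16030100020100")),       # handshake record
    ("198.51.100.7", bytes.fromhex("1803020003014000")),   # claims 16384 bytes, carries 0
    ("203.0.113.5", bytes.fromhex("1803020017010004") + b"ping" + bytes(16)),  # well-formed
    ("198.51.100.7", bytes.fromhex("1803020003014000")),   # repeat from the same source
    ("192.0.2.44", bytes.fromhex("1803")),                 # connection cut short
]

if __name__ == "__main__":
    for ip in suspect_sources(SAMPLE_EVENTS):
        print("suspected Heartbleed scanner:", ip)
```

A length check of this kind also flags scanners that do not reuse the demo's exact bytes, at the cost of requiring a complete record before a verdict.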
Installation
sudo apt install hb-honeypot
Examples
sudo hb-honeypot
sudo ./hb_honeypot.pl
sudo hb-honeypot &
sudo hb-honeypot | tee honeypot.log
sudo nohup hb-honeypot > honeypot.out 2>&1 &
sudo hb-honeypot && echo 'Honeypot started successfully'