Any documentation?

Open sereysethy opened this issue 6 years ago • 1 comments

Hi, I am using your system. But I am not able to find any documents on how to use your system. There are many options like --http-handler, so the TEXT here means that it is either nginx or apache?

Does DemonHunter have any agents? Or do I need to run an agent? How do they communicate?

Options:
  --dh-type TEXT         master|honeypot **default:master
  --host TEXT            master/honeypot address **default:0.0.0.0
  --port INTEGER         master port **default:8000
  --db-type TEXT         sqlite|postgres **default:sqlite
  --sqlite TEXT          address for sqlite db **default:test.db
  --pg-user TEXT         postgres db user **default:demonhunter
  --pg-pass TEXT         postgres db password **default:demonhunter
  --pg-host TEXT         postgres db host **default:localhost
  --pg-database TEXT     postgres db name **default:demonhunter
  --hp-protocol TEXT     vnc|http|telnet **default:http
  --www-folder TEXT      static folder of http server **default:/var/fakewww
  --http-handler TEXT    nginx|apache **default:apache
  --telnet-handler TEXT  microsoft|debian **default:microsoft
  --agent / --no-agent   use this option if you want an agent **default:--no-

sereysethy, May 16 '18 14:05

> But I am not able to find any documents on how to use your system.

Actually no one asked me for one :laughing:. But I will do it soon.

> There are many options like --http-handler, so the TEXT here means that it is either nginx or apache?

Yes.

> There are many options like --http-handler, so the TEXT here means that it is either nginx or apache?

Those ending with -handler are for honeypot nodes and meant to represent a fake but real service to.

> Does DemonHunter have any agents?

Yes, but it needs a little configuration. First you need to create a master node that catches all honeypot logs. By running dh_run with no arguments you can have a master node running on 0.0.0.0:8000 over the HTTP protocol. Open a browser and go to the address. Then you will be force-redirected to the login page. By default the master web interface creates a user with this login information: username: admin, password: admin. You can log in with admin/admin and enter the interface.

In the Agents section (navbar) you can add a honeypot agent that takes the honeypot IP as an argument. After creation it gives you a token. You need the token when you are running the honeypot node.

How to run a honeypot node with an agent?

Simply run:

$ dh_run --dh-type honeypot [+more options] --agent --master-addr {MasterIP} --agent-token {TheToken}

After each interaction with the honeypot the agent sends all the data to the master, and the master logs it inside its database (sqlite/postgres). It also shows it in the master web interface in real time using a web-socket.

I hope it helps you.

(And sure... I will create documentation soon on readthedocs.io)

Edit:

> How do they communicate?

They communicate over the HTTP protocol (HTTPS can be used but is not implemented yet) using the token. The URL is: /agents/call/TheToken/

RevengeComing, May 16 '18 18:05
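Because the agent token travels in the URL path (/agents/call/TheToken/) over plain HTTP, it ends up in any access log between honeypot and master. The following is an added example, not part of the thread or of DemonHunter's code: it redacts tokens from such a log and flags agent calls whose source IP differs from the honeypot IP the token was registered with. The log format (a reverse proxy writing common log format), the POST method, the token values and the hand-maintained token-to-IP table are all assumptions constructed for illustration.

```python
import hashlib
import re

# Constructed sample data: agent table as entered in the master's Agents page
# (token -> honeypot IP). Tokens and addresses are made up.
REGISTERED = {
    "tok-aaaa1111": "203.0.113.10",
    "tok-bbbb2222": "203.0.113.20",
}

# Constructed access-log lines in common log format, as a reverse proxy in
# front of the master might write them (format and POST method are assumed).
SAMPLE_LOG = """\
203.0.113.10 - - [16/May/2018:18:05:01 +0000] "POST /agents/call/tok-aaaa1111/ HTTP/1.1" 200 2
198.51.100.7 - - [16/May/2018:18:06:40 +0000] "POST /agents/call/tok-aaaa1111/ HTTP/1.1" 200 2
203.0.113.20 - - [16/May/2018:18:07:12 +0000] "POST /agents/call/tok-cccc3333/ HTTP/1.1" 404 9
203.0.113.20 - - [16/May/2018:18:08:30 +0000] "GET /login HTTP/1.1" 200 512
"""

LINE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ /agents/call/(?P<token>[^/\s"]+)/? ')


def token_id(token):
    """Short stable fingerprint so reports never repeat the secret itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:8]


def audit(log_text, registered):
    """Return (redacted_lines, findings) for agent calls in an access log."""
    redacted, findings = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            redacted.append(line)  # not an agent call, nothing to hide
            continue
        ip, token = m["ip"], m["token"]
        tid = token_id(token)
        redacted.append(line.replace(token, f"<token:{tid}>"))
        expected = registered.get(token)
        if expected is None:
            findings.append((ip, tid, "unknown token"))
        elif ip != expected:
            findings.append((ip, tid, f"token registered to {expected}"))
    return redacted, findings


if __name__ == "__main__":
    lines, findings = audit(SAMPLE_LOG, REGISTERED)
    print("\n".join(lines), *findings, sep="\n")
```

A finding for a known token arriving from an unregistered address is a reason to delete that agent in the master and issue a new token.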