Mrigank Anand edited this page Sep 10, 2022 · 48 revisions

API Actions

By using this switch, you will start the API server without any authentication required! To enable authentication, set api_access_without_key as True in config.py. The authentication key must be sent as the parameter key in every request (it can be set as a Cookie, GET or POST parameter). After you run the API server, a simple WebUI is also available (index.html). It shows a few graphs built on the API with jQuery, etc.

  • All parameters can be sent in a GET call, as described in the documentation below.
  • The limit parameter defaults to 10; set it to 0 for unlimited results.
  • The skip parameter defaults to 0.

API Endpoints

Method: Get events count.

  GET /api/events/count/<event_type>

URL Params

| Attribute | Type | Required | Description |
|---|---|---|---|
| event_type | string | yes | Type of event. Valid event types: [honeypot, all, network, credential, file, data, pcap] |
| date | string | no | Used for filtering events by date |

Success Response:

  • Code: 200 Content:
{
  "count": 16161952,
  "date": null
}

Error Response:

  • Code: 404 Not found Content:
{
  "msg": "file/path not found!",
  "status": "error"
}

Method: Get top ten repeated elements in honeypot events

  GET /api/events/count/groupby/<event_type>/<element>

URL Params

| Attribute | Type | Required | Description |
|---|---|---|---|
| event_type | string | yes | Type of event. Valid event types: [honeypot, network, credential, file, data, pcap] |
| element | string | yes | Used for filtering the events based on the type. Valid elements: [ip, country, port, module_name, username, password, machine_name] |
| date | string | no | Used for filtering events by date |
| country | string | no | Used for filtering events by country |

Success Response:

  • Code: 200 Content:
[
  {
    "count": 1703,
    "country": "DE"
  }
]

Error Response:

  • Code: 404 Not found Content:
{
  "msg": "file/path not found!",
  "status": "error"
}

Method: Get events data

  GET /api/events/explore/<event_type>

URL Params

| Attribute | Type | Required | Description |
|---|---|---|---|
| event_type | string | yes | Type of event. Valid event types: [honeypot, network, credential, file, data, pcap] |
| date | string | no | Used for filtering events by date |
| module_name | string | no | One of the module names supported by the framework, e.g. ssh/weak_password |
| filter | string (url-encoded) | no | Server-side filter by query (regex), e.g. ip_dest=192.16.1.1&ip_src=192.168.0.* |

Success Response:

  • Code: 200 Content:
{
  "data": [
    {
      "country_ip_dest": "-",
      "country_ip_src": "US",
      "date": "2020-09-08 20:22:19",
      "ip_dest": "192.168.0.100",
      "ip_src": "54.183.140.32",
      "machine_name": "stockholm_server_1",
      "port_dest": 52107,
      "port_src": 443,
      "protocol": "TCP"
    },
    {
      "country_ip_dest": "-",
      "country_ip_src": "US",
      "date": "2020-09-08 20:22:19",
      "ip_dest": "192.168.0.100",
      "ip_src": "54.183.140.32",
      "machine_name": "stockholm_server_1",
      "port_dest": 52107,
      "port_src": 443,
      "protocol": "TCP"
    }
  ],
  "total": 519720
}

Error Response:

  • Code: 404 Not found Content:
{
  "msg": "file/path not found!",
  "status": "error"
}

Method: Download PCAP files

  GET /api/pcap/download

URL Params

| Attribute | Type | Required | Description |
|---|---|---|---|
| md5 | string | yes | md5 value of the PCAP file to download |

Success Response:

  • Code: 200 Content:
curl http://localhost:5000/api/pcap/download?md5=282e14c5b89ff2af63f4146fbd0a6c68 > f.pcap
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  280k    0  280k    0     0  8484k      0 --:--:-- --:--:-- --:--:-- 8484k


Error Response:

  • Code: 404 Not found Content:
{
  "msg": "file/path not found!",
  "status": "error"
}

Method: Get modules list

  GET /api/core/list/modules

Success Response:

  • Code: 200 Content:
[
  "ftp/weak_password",
  "ftp/strong_password",
  "ics/veeder_root_guardian_ast",
  "ssh/weak_password",
  "ssh/strong_password",
  "http/basic_auth_strong_password",
  "http/basic_auth_weak_password",
  "smtps/strong_password",
  "smtp/strong_password"
]

A few examples of the API

GET Count All Events

http://127.0.0.1:5000/api/events/count/all
{
  "count": 95191, "date": null
}

GET Count All Events By Date

http://127.0.0.1:5000/api/events/count/all?date=2021-06-07
{
  "count": 10279, "date": "2021-06-07"
}

GET Count All Honeypot Events

http://127.0.0.1:5000/api/events/count/honeypot
{
  "count": 55, "date": null
}

GET Count All Honeypot Events by Date

http://127.0.0.1:5000/api/events/count/honeypot?date=2021-06-07
{
  "count": 55, "date": "2021-06-07"
}

GET Count All Network Events

http://127.0.0.1:5000/api/events/count/network
{
  "count": 95134, "date": null
}

GET Count All Network Events by Date

http://127.0.0.1:5000/api/events/count/network?date=2021-06-07
{
  "count": 10224, "date": "2021-06-07"
}

Date Types

Type 1

http://127.0.0.1:5000/api/events/count/network?date=2021-06-07
{
  "count": 10224, "date": "2021-06-07"
}

Type 2

http://127.0.0.1:5000/api/events/count/network?date=2019-04-07|2022-05-07
{
  "count": 95134, "date": "2019-04-07|2022-05-07"
}

Type 3

http://127.0.0.1:5000/api/events/count/network?date=2021-06-05%2010:00:00
{
  "count": 3963, "date": "2021-06-05 10:00:00"
}

Type 4

http://127.0.0.1:5000/api/events/count/network?date=2021-06-01%2010:00:00|2021-06-10%2012:00:00
{
  "count": 14187, "date": "2021-06-01 10:00:00|2021-06-10 12:00:00"
}

GET Top IPs Repeated in Honeypot Events

http://127.0.0.1:5000/api/events/count/groupby/honeypot/ip_dest
{
  "17.253.85.207": 5, "34.107.221.82": 50
}

http://127.0.0.1:5000/api/events/count/groupby/honeypot/ip_dest?date=2019-05-07
{
  "17.253.85.207": 5, "34.107.221.82": 50
}

http://127.0.0.1:5000/api/events/count/groupby/honeypot/ip_dest?date=2019-05-07&country=DE
{
  "17.253.85.207": 5, "34.107.221.82": 50
}

http://127.0.0.1:5000/api/events/count/groupby/honeypot/ip_dest?country=DE
{
  "17.253.85.207": 5, "34.107.221.82": 50
}

You can also change limit (default: 10) and/or skip (default: 0) in all actions that return array-based results.

http://127.0.0.1:5000/api/events/explore/network?limit=1
{
  "data":[{"country_ip_dest": "CZ", "country_ip_src": "-", "date": "2021-06-05 20:23:26", "ip_dest": "13.107.42.14", "ip_src": "192.168.0.104", "machine_name": "stockholm_server_1", "port_dest": 443, "port_src": 53751, "protocol": "TCP"}], "total": 95134
}

http://127.0.0.1:5000/api/events/explore/network?limit=1&skip=1
{
  "data":[{"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-05 20:23:26", "ip_dest": "172.217.167.163", "ip_src": "192.168.0.104", "machine_name": "stockholm_server_1", "port_dest": 443, "port_src": 55376, "protocol": "UDP"}], "total": 95134
}
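
A client-side sketch of the date types and the limit/skip paging shown above, added here as an example (not code from the project). The helper names are hypothetical; the key is sent as a Cookie, which the page lists as an accepted location, so it does not end up in URLs that servers and proxies log.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime

BASE = "http://127.0.0.1:5000"  # address used in the page's examples


def date_filter(start, end=None):
    """Render the date parameter: one value (Types 1 and 3) or 'start|end' (Types 2 and 4)."""
    def fmt(value):
        # A datetime carries a time of day; a plain date renders as YYYY-MM-DD
        if isinstance(value, datetime):
            return value.strftime("%Y-%m-%d %H:%M:%S")
        return value.isoformat()
    return fmt(start) if end is None else f"{fmt(start)}|{fmt(end)}"


def explore_url(event_type, limit=10, skip=0, **filters):
    """Build /api/events/explore/<event_type> with percent-encoded parameters."""
    query = {k: v for k, v in filters.items() if v is not None}
    query.update(limit=limit, skip=skip)
    path = "/api/events/explore/" + urllib.parse.quote(event_type, safe="")
    return BASE + path + "?" + urllib.parse.urlencode(query, quote_via=urllib.parse.quote)


def http_get_json(url, api_key=None):
    """GET a URL; the key travels as a Cookie so it stays out of the URL."""
    request = urllib.request.Request(url)
    if api_key:
        request.add_header("Cookie", f"key={api_key}")
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)


def iter_events(event_type, page_size=100, api_key=None, fetch=http_get_json, **filters):
    """Yield every matching event, advancing skip until 'total' is reached."""
    skip = 0
    while True:
        page = fetch(explore_url(event_type, page_size, skip, **filters), api_key)
        yield from page["data"]
        skip += len(page["data"])
        if not page["data"] or skip >= page["total"]:
            return
```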

GET Honeypot Events

http://127.0.0.1:5000/api/events/explore/honeypot
{
  "data":[{"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:13", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60212, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:23", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60213, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:23", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60212, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:33", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60213, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:33", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60212, "protocol": "TCP"},{"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:42", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60213, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:42", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60213, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", 
"date": "2021-06-07 12:37:42", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60212, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:42", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60212, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:52", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60213, "protocol": "TCP"}], "total": 55
}

GET Honeypot Events for specific date

http://127.0.0.1:5000/api/events/explore/honeypot?date=2021-06-07
{
  "data":[{"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:13", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60212, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:23", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60213, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:23", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60212, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:33", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60213, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:33", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60212, "protocol": "TCP"},{"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:42", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60213, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:42", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60213, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", 
"date": "2021-06-07 12:37:42", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60212, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:42", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60212, "protocol": "TCP"}, {"country_ip_dest": "US", "country_ip_src": "-", "date": "2021-06-07 12:37:52", "ip_dest": "34.107.221.82", "ip_src": "192.168.0.107", "machine_name": "stockholm_server_1", "module_name": "http/basic_auth_weak_password", "port_dest": 80, "port_src": 60213, "protocol": "TCP"}], "total": 55
}

GET Explore PCAP File

http://localhost:5000/api/events/explore/pcap
{
   "data":[
      {
         "content":"Cg0Nx98dNX6Aa1ag8bSEp6/zlBARJ8Nbx98dNX6Aa1ag8bSEp6/zlBARJ8NbXeAXeA ",
         "date":"2021-06-23 01:10:26",
         "filename":"captured-traffic-1624390826.pcap",
         "machine_name":"stockholm_server_1",
         "md5":"97d7228b35e217505a3cd358cefc2d63",
         "splitTimeout":3600
      }
   ],
   "total":1
}

GET Download PCAP File


curl http://localhost:5000/api/pcap/download?md5=282e14c5b89ff2af63f4146fbd0a6c68 > f.pcap
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  280k    0  280k    0     0  8484k      0 --:--:-- --:--:-- --:--:-- 8484k
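
An added example (not project code) that downloads a PCAP by md5 and writes it to disk only after the body hashes to the requested value and starts with a pcap or pcapng magic number. It assumes the md5 parameter is the MD5 of the file's bytes; the function names are hypothetical.

```python
import hashlib
import re
import urllib.parse
import urllib.request

BASE = "http://localhost:5000"  # address used in the page's curl example
# First four bytes of pcap (both byte orders, micro/nanosecond) and pcapng files
CAPTURE_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
                  b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1", b"\x0a\x0d\x0d\x0a"}


def fetch_pcap(md5_hex, api_key=None):
    """GET /api/pcap/download; a 404 error response raises HTTPError."""
    query = urllib.parse.urlencode({"md5": md5_hex})
    request = urllib.request.Request(f"{BASE}/api/pcap/download?{query}")
    if api_key:
        request.add_header("Cookie", f"key={api_key}")
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.read()


def save_verified_pcap(md5_hex, dest, api_key=None, fetch=fetch_pcap):
    """Download a capture and write it to dest only if it passes both checks."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", md5_hex):
        raise ValueError("md5 must be 32 hexadecimal characters")
    body = fetch(md5_hex, api_key)
    # Assumption: the md5 parameter is the MD5 of the served file's bytes
    if hashlib.md5(body).hexdigest() != md5_hex.lower():
        raise ValueError("downloaded bytes do not match the requested md5")
    if body[:4] not in CAPTURE_MAGICS:
        raise ValueError("body is not a pcap/pcapng capture")
    with open(dest, "wb") as handle:
        handle.write(body)
    return len(body)
```

The MD5 comparison catches truncated or mismatched transfers; MD5 is not collision-resistant, so it is not proof of origin.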

GET Running Modules Details API

http://127.0.0.1:5000/api/core/running/modules
[
    {
        "Command": "\"/bin/sh -c 'service…\"",
        "CreatedAt": "2022-07-27 21:49:43 +0530 IST",
        "ID": "b5760a5cc113",
        "Image": "ohp_ftpserver_weak_password",
        "Labels": "desktop.docker.io/binds/0/SourceKind=hostFile,desktop.docker.io/binds/0/Target=/root,desktop.docker.io/binds/0/Source=/Users/mrigankanand/PycharmProjects/Python-Honeypot/tmp/ohp_ftp_weak_container/",
        "LocalVolumes": "0",
        "Mounts": "/host_mnt/User…",
        "Names": "ohp_ftpserver_weak_password",
        "Networks": "ohp_internet",
        "Ports": "0.0.0.0:21->21/tcp",
        "RunningFor": "2 hours ago",
        "Size": "3B (virtual 293MB)",
        "State": "running",
        "Status": "Up 2 hours"
    }
]