{"id":13546148,"url":"https://github.com/evilsocket/medusa","last_synced_at":"2025-04-07T12:08:24.298Z","repository":{"id":47500109,"uuid":"400657606","full_name":"evilsocket/medusa","owner":"evilsocket","description":"A fast and secure multi protocol honeypot.","archived":false,"fork":false,"pushed_at":"2022-09-09T00:40:03.000Z","size":194,"stargazers_count":316,"open_issues_count":2,"forks_count":37,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-03-31T11:02:47.211Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/evilsocket.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-08-27T23:27:59.000Z","updated_at":"2025-03-24T14:54:44.000Z","dependencies_parsed_at":"2023-01-18T01:45:45.973Z","dependency_job_id":null,"html_url":"https://github.com/evilsocket/medusa","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evilsocket%2Fmedusa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evilsocket%2Fmedusa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evilsocket%2Fmedusa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/evilsocket%2Fmedusa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/evilsocket","download_url":"https://codeload.github.com/evilsocket/medusa/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247648978,"o
wners_count":20972945,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T12:00:32.553Z","updated_at":"2025-04-07T12:08:24.275Z","avatar_url":"https://github.com/evilsocket.png","language":"Rust","readme":"# Medusa\n\nA fast and secure multi protocol honeypot that can mimic realistic devices running `ssh`, `telnet`, `http`, `https` or any other `tcp` and `udp` servers. \n\n## Building\n\nUsing Docker (recommended):\n\n```sh\ndocker build -t medusa .\ndocker run \\\n  -v /path/to/services.d:/etc/medusa/services.d \\\n  -v /path/to/records:/var/lib/medusa/records \\\n  --network host \\\n  medusa\n```\n\nLastly, you can build from sources if you have Rust installed in your system (it requires `openssl` and `libpcap-dev`):\n\n```sh\ncargo build \n```\n\n## Shodan Host Clone\n\nYou can use `medusa` to create a (best-effort) clone of a device that's indexed on shodan.io. \n\nIn order to do this you'll need an API key:\n\n```sh\nexport SHODAN_API_KEY=your_api_key_here\n```\n\nThen you can clone a host (`38.18.235.213` in this example) with:\n\n```sh\ndocker run -v $(pwd)/mikrotik:/mikrotik medusa \\\n  --shodan-api-key $SHODAN_API_KEY \\\n  --shodan-clone 38.18.235.213 \\\n  --output /mikrotik\n```\n\nThis will create the YAML service files inside the `mikrotik` folder. This folder can then be used with:\n\n```sh\ndocker run \\\n  -v $(pwd)/mikrotik:/etc/medusa/services.d \\\n  -v $(pwd)/records:/var/lib/medusa/records \\\n  --network host \\\n  medusa\n```\n\n## Usage\n\nFirst you need to create at least one service file. 
Let's begin by defining a simple SSH honeypot that accepts any combination of user and password:\n\n```sh\nmkdir -p /path/to/services.d/\ntouch /path/to/services.d/example-ssh.yml\n```\n\nOpen `/path/to/services.d/example-ssh.yml` with your favorite editor and paste these contents:\n\n```yaml\nproto: ssh\naddress: '127.0.0.1:2222'\nserver_id: 'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10'\nbanner: 'Last login: Mon Sep  5 14:12:09 2022 from 127.0.0.1'\nprompt: '# '\ntimeout: 15\ncommands:\n  - parser: '^exit(\\s.+)?$'\n    handler: '@exit'\n```\n\nIn some cases, custom SSH servers do not respect the RFC standard for server id termination characters `\\r\\n`, but rather use only `\\n`. In this case it is possible to use the `server_id_raw` directive and include custom terminators in the string, while if `server_id` is used, the default `\\r\\n` terminator is appended. \n\n```yaml\nproto: ssh\naddress: '127.0.0.1:2222'\nserver_id_raw: \"SSH-1.99-TECHNICOLOR_SW_2.0\\n\"\nbanner: 'Last login: Mon Sep  5 14:12:09 2022 from 127.0.0.1'\nprompt: '# '\ntimeout: 15\ncommands:\n  - parser: '^exit(\\s.+)?$'\n    handler: '@exit'\n```\n\nNow run:\n\n```sh\nmedusa --services \"/path/to/services.d/\" --records \"/path/to/output/records\" --capture-device \"\u003cyour network interface name\u003e\"\n```\n\nThis will start a single honeypot on port 2222, and all the resulting events will be saved as JSON files in the folder indicated by `--records`. Additionally, a pcap of the entire traffic will be saved as `capture.pcap`.\n\n## Commands\n\nThe previous example won't do much if somebody tries to execute actual commands. It only captures the `exit` command in order to terminate the session (via the `@exit` special handler). 
Let's add another command, for instance to parse simple `echo` inputs:\n\n```yaml\nproto: ssh\naddress: '127.0.0.1:2222'\nserver_id: 'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10'\nprompt: '# '\ntimeout: 15\ncommands:\n  - parser: '^exit(\\s.+)?$'\n    handler: '@exit'\n  - parser: '^echo(\\s\"?([^\"]*)\"?)?$'\n    handler: '{$2}'\n```\n\nThe `parser` expression will now capture the `echo` command and its argument (captured as `$2`), that will be echoed back via the handler (`{$2}` is replaced with the value of `$2`).\n\nIn other cases, the handler can contain the entire output as a raw string, like for the case of an `http` service honeypot:\n\n```yaml\nproto: http \naddress: '127.0.0.1:8080'\ncommands:\n  - parser: '.*'\n    handler: \"\u003chtml\u003e\u003cbody\u003ehello world\u003c/body\u003e\u003c/html\u003e\"\n```\n\n### Docker Jail\n\nAnother useful handler is `@docker`. As the name suggests it executes any shell command it receives as an argument inside a docker container, therefore we could create a \"jailed\" `ssh` honeypot by doing:\n\n```yaml\nproto: ssh\naddress: '127.0.0.1:2222'\nserver_id: 'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10'\nprompt: '# '\ntimeout: 15\ncommands:\n  - parser: '^exit(\\s.+)?$'\n    handler: '@exit'\n  - parser: '^(.+)$'\n    handler: '@docker jail {$1}'\n```\n\nYou can create and start a `jail` container with:\n\n```sh\ndocker container create --name jail busybox tail -f /dev/null # feel free to pick any image\ndocker start jail\n```\n\nThis will execute any command that the client is sending on the `jail` container and it will transparently pass the output to the client.\n\nConfiguring a realistic docker container is beyond the purpose of this document, you can find useful images [here](https://github.com/plajjan/vrnetlab).\n\n## Protocols\n\nSSH server emulation (with docker jail):\n\n```yaml\nproto: ssh\naddress: '127.0.0.1:2222'\nserver_id: 'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10'\nprompt: '# '\ntimeout: 15\ncommands:\n  - 
parser: '^exit(\\s.+)?$'\n    handler: '@exit'\n  - parser: '^(.+)$'\n    handler: '@docker medusajail {$1}'\n```\n\nTelnet server emulation (with docker jail):\n\n```yaml\nproto: telnet\naddress: '127.0.0.1:2323'\nbanner: 'TNAS v1.0'\nlogin_prompt: 'TNAS login: '\npassword_prompt: 'Password: '\nprompt: '[admin@TNAS ~]$ '\ntimeout: 15\ncommands:\n  - parser: '^exit(\\s.+)?$'\n    handler: '@exit'\n  - parser: '^(.+)$'\n    handler: '@docker medusajail {$1}'\n```\t\n\nHTTP server emulation with custom headers:\n\n```yaml\nproto: http \naddress: '127.0.0.1:8181'\nheaders:\n  - 'Content-Type: text/html; charset=UTF-8'\n  - 'X-Powered-By: TerraMaster'\n  - 'Server: TOS/1.16.1'\n  \ncommands:\n  - parser: '.*'\n    handler: |\n      \u003c!--user login--\u003e\n      \u003c!DOCTYPE HTML\u003e\n      \u003chtml\u003e\n      \u003chead\u003e\n          \u003ctitle\u003eTOS\u003c/title\u003e\n      \u003c/head\u003e\n      \u003cdiv\u003e\n          Hello World\n      \u003c/div\u003e\n      \u003c/html\u003e\n```\n\nHTTPS is also supported, you'll need to generate a new RSA key and certificate first:\n\n```sh\n openssl req -newkey rsa:2048 -nodes -keyout medusa-https.key -x509 -days 365 -out medusa-https.crt\n```\n\nThen just enable `tls` in your `http` service configuration:\n\n```yaml\nproto: http \naddress: '127.0.0.1:8181'\ntls: true\nkey: medusa-https.key\ncertificate: medusa-https.crt\nheaders:\n  - 'Content-Type: text/html; charset=UTF-8'\n  - 'X-Powered-By: TerraMaster'\n  - 'Server: TOS/1.16.1'\n  \ncommands:\n  - parser: '.*'\n    handler: |\n      \u003c!--user login--\u003e\n      \u003c!DOCTYPE HTML\u003e\n      \u003chtml\u003e\n      \u003chead\u003e\n          \u003ctitle\u003eTOS\u003c/title\u003e\n      \u003c/head\u003e\n      \u003cdiv\u003e\n          Hello World\n      \u003c/div\u003e\n      \u003c/html\u003e\n```\n\nOther TCP servers can be simulated by exposing a banner:\n\n```yaml\nproto: tcp\naddress: '127.0.0.1:1723'\nbanner: |\n  Firmware: 1\n 
 Hostname: ASBN-BB-RT01\n  Vendor: MikroTik\n```\n\nAnd UDP servers as well:\n\n```yaml\nproto: udp\naddress: '0.0.0.0:5353'\nbanner: |\n  dnsmasq-2.73\n  Recursion: enabled\n  Resolver name: X4200\n```\n\n## Other options\n\nRun `medusa --help` for the complete list of options. \n\n## License\n\nMedusa was made with ♥  by [Simone Margaritelli](https://www.evilsocket.net/) and it's released under the GPL 3 license.","funding_links":[],"categories":["Threat Detection and Forensics"],"sub_categories":["Packing, Obfuscation, Encryption, Anti-analysis"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevilsocket%2Fmedusa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fevilsocket%2Fmedusa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevilsocket%2Fmedusa/lists"}