{"id":19561370,"url":"https://github.com/m-mizutani/lurker","last_synced_at":"2025-07-01T18:04:14.312Z","repository":{"id":61523929,"uuid":"121073623","full_name":"m-mizutani/lurker","owner":"m-mizutani","description":"Scalable security network sensor as low interaction honeypot","archived":false,"fork":false,"pushed_at":"2023-10-25T22:10:17.000Z","size":348,"stargazers_count":16,"open_issues_count":2,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-06-28T16:07:37.366Z","etag":null,"topics":["go","honeypot","monitoring","packets","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/m-mizutani.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-11T02:03:47.000Z","updated_at":"2024-06-30T09:36:54.000Z","dependencies_parsed_at":"2024-06-20T04:43:41.641Z","dependency_job_id":"c35bfdf4-3790-43a2-a3d8-b37924be6f3b","html_url":"https://github.com/m-mizutani/lurker","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/m-mizutani/lurker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Flurker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Flurker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Flurker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Flurker/manifests","owner_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/owners/m-mizutani","download_url":"https://codeload.github.com/m-mizutani/lurker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Flurker/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263013703,"owners_count":23399812,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","honeypot","monitoring","packets","security"],"created_at":"2024-11-11T05:11:13.619Z","updated_at":"2025-07-01T18:04:14.269Z","avatar_url":"https://github.com/m-mizutani.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"Lurker [![gosec](https://github.com/m-mizutani/lurker/actions/workflows/gosec.yml/badge.svg)](https://github.com/m-mizutani/lurker/actions/workflows/gosec.yml) [![test](https://github.com/m-mizutani/lurker/actions/workflows/test.yml/badge.svg)](https://github.com/m-mizutani/lurker/actions/workflows/test.yml) [![pkg-scan](https://github.com/m-mizutani/lurker/actions/workflows/trivy.yml/badge.svg)](https://github.com/m-mizutani/lurker/actions/workflows/trivy.yml)\n===============\n\n![The image under CC-BY-SA from Carbot Animation http://carbotanimations.wikia.com/wiki/Lurker](https://user-images.githubusercontent.com/605953/36069674-c55edbee-0f31-11e8-902e-c0793a80668b.png)\n\n`lurker` is a network-based honeypot that captures payloads sent to any TCP port. `lurker` answers the TCP SYN packets of attackers and scanners with a spoofed TCP SYN-ACK packet. After the 3-way handshake completes they send their TCP data payload, which `lurker` captures, reports and stores for security research. Many existing honeypots implement a separate capture mechanism for each specific protocol. `lurker` has no such protocol-specific logic, but it can capture data sent to all TCP ports because it simply replies to every SYN with a spoofed SYN-ACK.\n\n![overview](https://user-images.githubusercontent.com/605953/167090568-3e98ebc3-0200-4cc0-839a-c0a940e35ef9.jpg)\n\n`lurker` should monitor an unpublished IP address or network that is not expected to receive normal TCP connections, e.g. one not associated with any domain name or service. Attackers nevertheless scan for IP addresses with open TCP ports every day and will find unpublished addresses too. `lurker` simply waits silently for TCP packets from them.\n\nBelow is an example of a malicious TCP payload to port 8545 captured from an attacker. It appears to be an exploit attempt for [CVE-2016-6277](https://nvd.nist.gov/vuln/detail/CVE-2016-6277).\n\n![captured message](https://user-images.githubusercontent.com/605953/167092642-b6245d43-c7c1-4e85-9052-08b081d54e11.png)\n\nFeatures\n--------\n\n- Replies with a spoofed TCP SYN-ACK packet to get the attacker to send its TCP payload\n- Can monitor one or more networks (e.g. a CIDR block) with a single host and process by ARP spoofing\n- Sends captured data to Slack for preview and to BigQuery for analytics\n\nSetup\n--------\n\nInstall with the go command\n\n```bash\n% go install github.com/m-mizutani/lurker@latest\n% lurker -i eth0\n```\n\nOr use the Docker image\n\n```bash\n% docker run --network host ghcr.io/m-mizutani/lurker:latest -i eth0\n```\n\nUsage\n---------\n\n_NOTE: Root privilege or read/write permission on the network device is required to capture and spoof raw packets. 
In general, run `lurker` with `sudo`._\n\n### Monitoring traffic to the IP address of the `eth0` device\n\n```\n% lurker -i eth0\n```\n\n### Monitoring traffic to a specified network\n\n```\n% lurker -i eth0 -n 192.168.0.0/24 -a\n```\n\n- The `-n (--network)` option can be given multiple times.\n- The `-a` option enables ARP packet spoofing so that `lurker` replies as multiple IP addresses.\n\n### Exclude a specified TCP port\n\nThe following example excludes port 22 from monitoring, so no SYN-ACK packet is sent in reply for port 22.\n\n```\n% lurker -i eth0 -e 22\n```\n\n- The `-e` option can be given multiple times.\n\n### Notify captured payload to Slack\n\nYou can send captured payloads to [Slack](https://slack.com/) via an Incoming Webhook. See the [Slack documentation](https://slack.com/help/articles/115005265063-Incoming-webhooks-for-Slack) to create an Incoming Webhook, then pass its URL as a lurker option.\n\n```\n% lurker -i eth0 --slack-webhook-url https://hooks.slack.com/services/XXXXX/YYYYYYYY/zzzzzzzzzz\n```\n\n- The environment variable `LURKER_SLACK_WEBHOOK` can be used instead of the `--slack-webhook-url` option.\n\n### Store captured payload to BigQuery\n\nYou can store captured payloads and sender information in [BigQuery](https://cloud.google.com/bigquery).\n\n```\n% lurker -i eth0 --bigquery-project-id YOUR_PROJECT_ID --bigquery-dataset YOUR_DATASET\n```\n\nEnvironment variables can also be used to configure BigQuery.\n\n- `LURKER_BIGQUERY_PROJECT_ID`: instead of `--bigquery-project-id`\n- `LURKER_BIGQUERY_DATASET`: instead of `--bigquery-dataset`\n\nIf you use a [Service Account](https://cloud.google.com/iam/docs/service-accounts) to save records to BigQuery, set `GOOGLE_APPLICATION_CREDENTIALS` to the path of the service account credential file for Google Cloud. 
See the [Google Cloud authentication documentation](https://cloud.google.com/docs/authentication/getting-started) for more details.\n\nThe BigQuery table schema is shown below.\n\n![schema](https://user-images.githubusercontent.com/605953/168420514-ee2a1acf-c7f2-4d6f-be95-0103159730d2.png)\n\nLicense\n--------\n\n- Source code: [BSD 2-Clause license](./LICENSE)\n- [Image](https://user-images.githubusercontent.com/605953/36069674-c55edbee-0f31-11e8-902e-c0793a80668b.png): CC-BY-SA from Carbot Animation http://carbotanimations.wikia.com/wiki/Lurker\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm-mizutani%2Flurker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm-mizutani%2Flurker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm-mizutani%2Flurker/lists"}