first commit

Author: tbiens

.gitignore

@@ -0,0 +1,112 @@
+temp.txt
+temp.py
+downloads/
+logs/
+*.config
+*.log
+
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/

README.md

@@ -0,0 +1,59 @@
+# Icarus
+**Goal:**
+
+SMTP honeypot for collecting malware and automatically uploading to virustotal.
+
+There are many awesome SMTP honeypots but they are for spam. https://github.com/paralax/awesome-honeypots
+
+**Future Features:**
+
+1. Log to ELK or Splunk
+2. Log IP addresses.
+3. Log email addresses To and From
+3. Report IP addresses to an antispam api service.
+4. Improve my skills significantly in Git and Python. 
+5. More than 1 attachment at a time.
+6. Database statistics
+  6.1. Seen Count
+  6.2. Timestamps for longevity / lifetime tracking
+7. Cleanup process for logs and downloads.
+8. Cuckoo API?
+9. Config file the IP choice.
+10. Chroot or nobody:nobody.
+
+**Raspbian from scratch:**
+Raspbian 9 has Python 3.5.3 by default. Which should work.
+
+git clone https://github.com/tbiens/icarus.git
+
+cd icarus
+
+pip3 install --upgrade pip
+
+pip3 install requests aiosmtpd
+
+python3 setup.py
+
+
+**Setup:**
+
+Minimum Python seems to be 3.5. I made this in 3.7. 
+
+apt-get install python3-requests python3-aiosmtpd
+
+or
+>#Python3 requests module is for uploading to virus total; aiosmtpd for the smtp protocol.
+
+pip3 install requests aiosmtpd 
+
+>#Enter your virustotal API Key in.
+
+nano icarus.config  
+
+**To run it:**
+
+python3 setup.py
+
+A copy of the attachments are kept in the ./downloads/ folder.
+
+The virustotal links are stored in ./logs/virustotal.log

__init__.py

@@ -0,0 +1,104 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/

downloads/.gitignore

@@ -0,0 +1,2 @@
+[APIKEY]
+APIKEY = PUT API KEY HERE

icarus.config

@@ -0,0 +1 @@
+IP Address:, From:, To:, Date

logs/logging.csv

@@ -0,0 +1,47 @@
+import io #https://docs.python.org/3/library/allos.html
+#import shutil
+import os #for os.path.isfile
+import hashlib #https://docs.python.org/3/library/hashlib.html
+#import sqlite3 #https://docs.python.org/3/library/sqlite3.html
+from virustotal import virustotalfile #Check out virustotal.py
+from datetime import datetime
+
+
+def inmemoryfile(filecontents):
+    memoryfile = io.StringIO()
+    memoryfile.write(filecontents)
+    #This stores the file in memory. We limit email size to 30MB or so.
+    email = memoryfile.getvalue()
+    if 'Content-Disposition: attachment;' in filecontents: #Checking if there's an attachment
+        beforeboundary = email.split('Content-Disposition: attachment;')[1]
+
+        #emails have a bunch of stuff in it, I'm splitting the attachment off.
+        attachment = beforeboundary.split('--boundary')[0]
+   
+    #there was a tiny bit of text after the attachment that was screwing up the sha256
+        shahash = hashlib.sha256(attachment.encode()).hexdigest() # read() the file, then you need to convert it to bytes with encode, then hexdigest cleans up
+        if os.path.isfile("./downloads/" + shahash):
+            print("Already have this attachment") #checking if I have already received that file
+        else:
+            filename = open("downloads/" + shahash,"w+") # open sha256 named file
+            filename.write(attachment) #Reading the memoryfile into the actual file being written to disk.
+            filename.close() #closing is important.
+    #        shutil.move(shahash, "downloads/" + shahash) #moving the file from . to ./downloads/
+            virustotalfile(shahash) #Send the file to my virustotal script
+            memoryfile.close() #closing is important.
+    
+    else:
+        print("No attachment?")
+  
+
+def loggingaddresses(sessionpeer, mailfrom, mailto): #Logging connections to a csv file
+    
+    nowdate = datetime.now(tz=None) #What date and time.
+
+    loggingfile = open("logs/logging.csv","a+")
+    #Opening logs/logging.csv in append mode. 
+    loggingfile.write(sessionpeer + "," + mailfrom + "," + mailto + "," + nowdate + "\n")
+    #Logging, IP, From, To, and the Date
+    loggingfile.close()
+
+    

memoryfile.py

@@ -0,0 +1,46 @@
+
+#import asyncio # https://aiosmtpd.readthedocs.io/en/latest/aiosmtpd/docs/controller.html
+#import aiosmtpd # the smtp library
+import socket #To get your IP address for the server to run on.
+#from sha256 import sha256temp #My sha256.py file.
+from aiosmtpd.controller import Controller #the controller that handles async smtp?
+from memoryfile import inmemoryfile
+from memoryfile import loggingaddresses
+
+def get_ip_address():
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    s.connect(("8.8.8.8", 80))
+    return s.getsockname()[0]
+
+IP = get_ip_address()
+print (IP)
+#Found socket at https://docs.python.org/3/library/socket.html mostly just their code.
+
+class smtphoney:
+    async def handle_RCPT(self, server, session, envelope, address, rcpt_options):
+        loggingaddresses(session.peer[0], envelope.mail_from, address)
+        envelope.rcpt_tos.append(address)
+        return '250 OK'
+#straight out of documentation
+
+    async def handle_DATA(self, server, session, envelope):
+
+        print ('New Email \n')
+       # loggingaddresses(envelope.content.decode('utf8', errors='replace'))
+        inmemoryfile(envelope.content.decode('utf8', errors='replace')) #A function I made in memoryfile.py
+     
+        print('End of message')
+
+        return '250 Message accepted for delivery'
+    
+
+controller = Controller(smtphoney(), hostname = IP,port=25)
+#It calls the class above as my handler, the hostname sets the ip, I set the SMTP port to 25 obviously 
+
+controller.start()
+input("Server started. Press Return to quit.")
+controller.stop()
+
+
+
+