SentryPeer – A Distributed Peer To Peer List Of Bad Actor IP Addresses And Phone Numbers Collected Via A SIP Honeypot

February 6, 2022

A distributed list of bad actor IP addresses and phone numbers collected via a SIP Honeypot.

Introduction

This is basically a fraud detection tool. It lets bad actors try to make phone calls and saves the IP address they came from and the number they tried to call. Those details are then used to block them at the service provider's network, and the next time a user/customer tries to call a collected number, it's blocked.

Traditionally this data is shipped to a central place, so you don’t own the data you’ve collected. This project is all about Peer to Peer sharing of that data. The user owning the data and various Service Provider / Network Provider related feeds of the data is the key bit for me. I’m sick of all the services out there that keep it and sell it. If you’ve collected it, you should have the choice to keep it and/or opt in to share it with other SentryPeer community members via p2p methods.

The sharing part: you only get other users' data if you share yours. That's the key. The sharing of data logic/feature could be used in many other projects too if I get it right :)

Screenshots

Here’s a mockup of the web UI which is subject to change.

Goals

  • All code Free/Libre and Open Source Software
  • FAST
  • User owns their data
  • User can submit their own data if they want to – opt out (default is to submit data)
  • User gets other users’ data (Tit for tat?) ONLY IF they opt in to submit their data to the pool (DHT? – need to do a PoC)
  • Peer to Peer sharing of data – Zyre (Zeromq)
  • UDP transport
  • TCP transport
  • TLS transport
  • Data is max 7(?) days old as useless otherwise
  • SIP responsive mode can be enabled to collect data – cli / env flag
  • Local data copy for fast access – cli / env db location flag
  • Local API for fast access – cli / env flag
  • Local Web GUI for fast access – cli / env flag
  • Fail2Ban support via syslog as per feature request
  • Peer to Peer data replication – feature / cli flag
  • Local sqlite/lmdb database – feature / cli flag
  • Analytics – opt in
  • SDKs/libs for external access – CGRateS to start with or our own firewall with nftables
  • Small binary size for IoT usage
  • Cross-platform
  • Firewall options to use distributed data in real time – DHT?
  • Container on Docker Hub for latest build
  • BGP agent to peer with for blackholing collected IP addresses (similar to Team Cymru Bogon Router Server Project)
  • SIP agent to return 404 or default destination for SIP redirects

Design

TBD :)

I started this because I wanted to do C network programming, as all the projects I use daily are in C, like PostgreSQL, OpenLDAP, FreeSWITCH, OpenSIPS, Asterisk etc. See Episode 414: Jens Gustedt on Modern C for why C is a good choice. For those interested, see my full podcast show list (https://www.se-radio.net/team/gavin-henry/) for Software Engineering Radio.

Talks

  • TADSummit 2021 – https://blog.tadsummit.com/2021/11/17/sentrypeer/
  • CommCon 2021 – https://2021.commcon.xyz/talks/sentrypeer-a-distributed-peer-to-peer-list-of-bad-ip-addresses-and-phone-numbers-collected-via-a-sip-honeypot

Docker

You can run the latest version of SentryPeer with Docker. The latest version is available from Docker Hub. Or build yourself:

sudo docker build -t sentrypeer .
sudo docker run -d -p 5060:5060 -p 8082:8082 sentrypeer:latest

Then you can check at http://localhost:8082/ip-addresses and http://localhost:5060/health-check to see if it’s running.

Environment Variables

ENV SENTRYPEER_DB_FILE=/my/location/sentrypeer.db
ENV SENTRYPEER_API=1
ENV SENTRYPEER_WEB_GUI=1
ENV SENTRYPEER_SIP_RESPONSIVE=1
ENV SENTRYPEER_SYSLOG=1
ENV SENTRYPEER_VERBOSE=1
ENV SENTRYPEER_DEBUG=1

Either set these in the Dockerfile or in your Dockerfile.env file or docker run command.

Installation

Debian or Fedora packages are always available from the release page for the current version of SentryPeer:

https://github.com/SentryPeer/SentryPeer/releases

Building from source

You have two options for installation from source: CMake or autotools. Autotools is recommended at the moment, and a release is an autotools build.

If you are a Fedora user, you can install this via Fedora copr:

https://copr.fedorainfracloud.org/coprs/ghenry/SentryPeer/

If you are going to build from this repository, you will need to have the following installed:

  • git, autoconf, automake and autoconf-archive (Debian/Ubuntu)
  • libosip2-dev (Debian/Ubuntu) or libosip2-devel (Fedora)
  • libsqlite3-dev (Debian/Ubuntu) or sqlite-devel (Fedora)
  • uuid-dev (Debian/Ubuntu) or libuuid-devel (Fedora)
  • libmicrohttpd-dev (Debian/Ubuntu) or libmicrohttpd-devel (Fedora)
  • libjansson-dev (Debian/Ubuntu) or jansson-devel (Fedora)
  • libpcre2-dev (Debian/Ubuntu) or pcre2-devel (Fedora)
  • libcurl-dev (Debian/Ubuntu) or libcurl-devel (Fedora)
  • libcmocka-dev (Debian/Ubuntu) or libcmocka-devel (Fedora) – for unit tests

Debian/Ubuntu:

sudo apt-get install git build-essential autoconf-archive autoconf automake libosip2-dev libsqlite3-dev libcmocka-dev uuid-dev libcurl-dev libpcre2-dev libjansson-dev libmicrohttpd-dev

Fedora:

sudo dnf install git autoconf automake autoconf-archive libosip2-devel sqlite-devel libcmocka-devel libuuid-devel libmicrohttpd-devel jansson-devel libcurl-devel pcre2-devel

macOS:

brew install git autoconf automake autoconf-archive libosip cmocka libmicrohttpd jansson libcurl libpcre2

then (make check is highly recommended):

./bootstrap.sh
./configure
make
make check
make install

Homebrew (macOS or Linux):

We have a Homebrew Tap for this project (until we get more popular):

brew tap sentrypeer/sentrypeer
brew install sentrypeer

Running SentryPeer

Once built, you can run like so to start in debug mode, respond to SIP probes, enable the RESTful API, enable the Web GUI SPA and enable syslog logging (use a package if you want systemd):

./sentrypeer -adrsw
Starting sentrypeer...
API mode enabled, starting http daemon...
Web GUI mode enabled...
Configuring local address...
Creating socket...
Binding socket to local address...
Listening for incoming connections...
SIP responsive mode enabled. Will reply to SIP probes...

When you get a probe request, you will see something like the following in the terminal:

Received (411 bytes): OPTIONS sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 91.223.3.152:5173;branch=z9hG4bK-515761064;rport
Content-Length: 0
From: "sipvicious"<sip:10[email protected]>;tag=6434396633623535313363340131363131333837383137
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:[email protected]>
Contact: sip:[email protected]:5173
CSeq: 1 OPTIONS
Call-ID: 679894155883566215079442
Max-Forwards: 70


read_packet_buf size is: 1024:
read_packet_buf length is: 468:
bytes_received size is: 411:

Bad Actor is:
Event Timestamp: 2021-11-23 20:13:36.427515810
Event UUID: fac3fa20-8c2c-445b-8661-50a70fa9e873
SIP Message: OPTIONS sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 91.223.3.152:5173;branch=z9hG4bK-515761064;rport
From: "sipvicious" <sip:[email protected]>;tag=643439663362353531336334013136313 1333837383137
To: "sipvicious" <sip:[email protected]>
Call-ID: 679894155883566215079442
CSeq: 1 OPTIONS
Contact: <sip:[email protected]:5173>
Accept: application/sdp
User-agent: friendly-scanner
Max-forwards: 70
Content-Length: 0


Source IP: 193.107.216.27
Called Number: 100
SIP Method: OPTIONS
Transport Type: UDP
User Agent: friendly-scanner
Collected Method: passive
Created by Node Id: fac3fa20-8c2c-445b-8661-50a70fa9e873
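The core honeypot step, turning a received probe into the bad-actor record printed above, as an added Python illustration that is not SentryPeer's own (C) code; SAMPLE_PROBE, BadActor and parse_probe are constructed for this example and the addresses in the sample are documentation-range placeholders.

```python
import re
from dataclasses import dataclass

# Constructed probe modelled on the friendly-scanner OPTIONS request shown
# above; the addresses are documentation-range placeholders.
SAMPLE_PROBE = (
    "OPTIONS sip:100@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 91.223.3.152:5173;branch=z9hG4bK-515761064;rport\r\n"
    "Content-Length: 0\r\n"
    'From: "sipvicious"<sip:100@198.51.100.1>;tag=6434396633623535\r\n'
    'To: "sipvicious"<sip:100@198.51.100.1>\r\n'
    "Contact: sip:100@91.223.3.152:5173\r\n"
    "User-Agent: friendly-scanner\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Call-ID: 679894155883566215079442\r\n\r\n"
)

# Method, optional user part (the called number) and host of the Request-URI.
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+sips?:(?:([^@\s]+)@)?([^\s;]+)\s+SIP/2\.0$")


@dataclass
class BadActor:
    source_ip: str
    called_number: str
    sip_method: str
    transport_type: str
    user_agent: str
    collected_method: str = "passive"


def parse_probe(raw: str, peer_ip: str, transport: str = "UDP") -> BadActor:
    """Build the record SentryPeer logs from a raw SIP request.
    peer_ip must come from the socket, never from Via or Contact: the sender
    writes those, which is why the Via above differs from the Source IP.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        raise ValueError("not a SIP request line: %r" % lines[0])
    method, user, _host = m.groups()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive in SIP
            headers[name.strip().lower()] = value.strip()
    return BadActor(peer_ip, user or "", method, transport, headers.get("user-agent", ""))
```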

You can see the data in the sqlite3 database called sentrypeer.db using sqlitebrowser or sqlite3 command line tool.

Here’s a screenshot of the database opened using sqlitebrowser (it’s big, so I’ll just link to the image):

sqlitebrowser exploring the sentrypeer.db

RESTful API

The RESTful API is almost complete and the web UI is coming soon. Please click the Watch button to be notified when they are ready and hit Like to follow the development :)

Right now you can call /health-check, like so:

curl -v -H "Content-Type: application/json" http://localhost:8082/health-check

* Connected to localhost (127.0.0.1) port 8082 (#0)
> GET /health-check HTTP/1.1
> Host: localhost:8082
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Type: application/json
>
< HTTP/1.1 200 OK
< Connection: Keep-Alive
< Content-Length: 81
< X-SentryPeer-Version: 0.0.3
< X-Powered-By: SentryPeer
< Content-Type: application/json
< Date: Tue, 21 Dec 2021 18:27:15 GMT
<
{
"status": "OK",
"message": "Hello from SentryPeer!",
"version": "0.0.3"
}

and /ip-addresses:

curl -v -H "Content-Type: application/json" http://localhost:8082/ip-addresses

* Connected to localhost (127.0.0.1) port 8082 (#0)
> GET /ip-addresses HTTP/1.1
> Host: localhost:8082
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Type: application/json
>
< HTTP/1.1 200 OK
< Connection: Keep-Alive
< Content-Length: 6495
< X-SentryPeer-Version: 0.0.3
< X-Powered-By: SentryPeer
< Content-Type: application/json
< Date: Tue, 21 Dec 2021 18:29:13 GMT
<
{
"ip_addresses_total": 2,
"ip_addresses": [
{
"ip_address": "193.107.216.27"
},
{
"ip_address": "193.46.255.152"
}
...
]
}

and lastly /ip-address/{ip-address}:

curl -v -H "Content-Type: application/json" http://localhost:8082/ip-address/8.8.8.8

* Connected to localhost (127.0.0.1) port 8082 (#0)
> GET /ip-addresses/8.8.8.8 HTTP/1.1
> Host: localhost:8082
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Type: application/json
>
< HTTP/1.1 404 Not Found
< Connection: Keep-Alive
< Content-Length: 37
< X-SentryPeer-Version: 0.0.3
< X-Powered-By: SentryPeer
< Content-Type: application/json
< Date: Tue, 21 Dec 2021 18:33:51 GMT
<
{
"message": "No bad actor found"
}

Syslog and Fail2ban

With sentrypeer -s, events are written to syslog, which Fail2Ban can parse to block the IP address of the bad actor:

Nov 30 21:32:16 localhost.localdomain sentrypeer[303741]: Source IP: 144.21.55.36, Method: OPTIONS, Agent: sipsak 0.9.7
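An added example (not part of the SentryPeer project) of a Fail2Ban filter for that syslog line, with its failregex exercised in Python against a constructed log sample; the filter file name and the stand-in used for Fail2Ban's <HOST> tag are assumptions.

```python
import re
from typing import List, Optional

# Constructed syslog lines: the first is the event shown above, the second is
# SentryPeer start-up chatter that must not trigger a ban.
LOG_LINES = [
    "Nov 30 21:32:16 localhost.localdomain sentrypeer[303741]: "
    "Source IP: 144.21.55.36, Method: OPTIONS, Agent: sipsak 0.9.7",
    "Nov 30 21:32:16 localhost.localdomain sentrypeer[303741]: Starting sentrypeer...",
]

# Candidate contents of /etc/fail2ban/filter.d/sentrypeer.conf (assumed name).
# Fail2Ban substitutes its own host/IP pattern for <HOST>; only the Source IP
# is captured, the attacker-controlled Agent text is never used for anything.
FILTER_CONF = r"""[Definition]
failregex = ^.*sentrypeer\[\d+\]: Source IP: <HOST>, Method: \S+, Agent: .*$
ignoreregex =
"""

# Rough stand-in for Fail2Ban's <HOST> expansion: an IPv4 or IPv6 literal.
HOST_PATTERN = r"(?P<host>[0-9A-Fa-f.:]+)"


def load_failregex(conf: str) -> "re.Pattern":
    """Pull failregex out of the [Definition] section and expand <HOST>."""
    m = re.search(r"^failregex\s*=\s*(.+)$", conf, re.MULTILINE)
    if m is None:
        raise ValueError("no failregex in filter")
    return re.compile(m.group(1).replace("<HOST>", HOST_PATTERN))


def match_bad_actor(line: str, regex: "re.Pattern") -> Optional[str]:
    """Return the Source IP if the line is a SentryPeer bad-actor event."""
    m = regex.search(line)
    return m.group("host") if m else None


def hosts_to_ban(lines: List[str], conf: str = FILTER_CONF) -> List[str]:
    """IPs Fail2Ban would count towards maxretry for the given lines."""
    regex = load_failregex(conf)
    return [h for h in (match_bad_actor(l, regex) for l in lines) if h]
```

To check the same filter with Fail2Ban's own tooling once the file is in place, run fail2ban-regex against your syslog file and the filter path.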

License

Great reading – How to choose a license for your own work

This work is dual-licensed under GPL 2.0 and GPL 3.0.

SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only

Contributing

See CONTRIBUTING

Project Website

https://sentrypeer.org

Trademark

SENTRYPEER is a registered trademark of Gavin Henry

Questions, Bug reports, Feature Requests

New issues can be raised at:

https://github.com/ghenry/SentryPeer/issues

It’s okay to raise an issue to ask a question.

Special Thanks

Special thanks to:

  • David Miller for the design of the SentryPeer Web GUI theme and logo. Very kind of you!
  • @garymiller for the feature request of syslog and Fail2ban as per Fail2ban Integration via syslog #6