Purkki
Purkki (or BPF-Purkki) is a honeypot system based on eBPF tracing. The system sets up a VM with a deliberately weak SSH configuration, allowing connections to it with common username and password combinations. The connections are tracked, and activity in the VM is traced through system calls and function calls.
This information is then sent to the controller (on the host machine), which gathers logs of the activity in the target VM.
To set things up, the main directory contains the install.sh script. This changes some network configuration files and adds a toggle to allow/disallow connections to the target VM (for example while you are changing something inside its configuration).
The install script also copies the user's SSH key, which is used for the monitoring. Therefore the controller must have a generated keypair.
The network configuration also disables password login to the host, so you need to copy your public key to the machine before running the installation script.
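Because install.sh turns off password login on the host, it is worth confirming beforehand that the controller's keypair exists and that its public key is already authorized there. The preflight check below is an added example, not part of Purkki's own scripts; the id_ed25519 key path, the authorized_keys location and the sshd_config path are assumptions you may need to adjust.

```shell
#!/bin/sh
# Preflight check before running install.sh (added example, not Purkki's code).
# Goal: make sure we do not lock ourselves out of the host once the install
# script disables password login.

# key_is_authorized PUBKEY_FILE AUTHORIZED_KEYS
# Returns 0 if the key in PUBKEY_FILE appears in AUTHORIZED_KEYS. Only the key
# type and base64 blob are compared; the trailing comment is ignored.
key_is_authorized() {
    pubkey_file="$1"; auth_keys="$2"
    [ -r "$pubkey_file" ] && [ -r "$auth_keys" ] || return 1
    key=$(awk '{print $1" "$2}' "$pubkey_file")
    awk '{print $1" "$2}' "$auth_keys" | grep -qxF "$key"
}

# password_auth_enabled SSHD_CONFIG
# Returns 0 if password authentication is still effective, i.e. the first
# uncommented PasswordAuthentication directive is not "no" (sshd defaults to
# "yes" when the directive is absent). Match blocks are not evaluated here.
password_auth_enabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    val=$(sed -n 's/^[[:space:]]*PasswordAuthentication[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$cfg" | head -n 1)
    [ "$val" != "no" ]
}

# preflight [HOME_DIR] [SSHD_CONFIG]
# Prints a verdict for each check and returns 0 only if a key is authorized.
preflight() {
    home="${1:-$HOME}"                       # assumed: key lives under ~/.ssh
    cfg="${2:-/etc/ssh/sshd_config}"          # assumed: standard sshd config path
    rc=0
    if key_is_authorized "$home/.ssh/id_ed25519.pub" "$home/.ssh/authorized_keys"; then
        echo "ok: controller public key is authorized on this host"
    else
        echo "FAIL: add your public key to $home/.ssh/authorized_keys before install.sh"
        rc=1
    fi
    if password_auth_enabled "$cfg"; then
        echo "note: password login is currently enabled; install.sh will disable it"
    else
        echo "note: password login is already disabled in $cfg"
    fi
    return $rc
}
```

Source the file and run `preflight` (optionally with a home directory and sshd_config path) on the host before starting install.sh.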
After the initial installation, the user must run two scripts to set up the honeypot itself; these are in the controller subdirectory.
./controller/build.sh rebuilds the nested VM from scratch with cloud-init.
The script will prompt you to choose a username and password. These are used for the nested honeypot VM.
./controller/update-nested-honeypot-snapshot.sh updates this snapshot. Running it with the -i option pauses the script before finishing, allowing you to connect to the honeypot via SSH (at 192.168.100.10), for example to install a package you want to include in the snapshot.
After these steps, the honeypot can be started by running the ./runtmux.sh script. This starts a tmux session with 4 terminals, each running a separate runner script.
You can move between the windows by pressing CTRL+B, followed by an arrow key in the direction you want to switch to. To leave the honeypot running while you do something else, CTRL+B followed by D detaches from the session but leaves it running. From the VM terminal, you can connect back to the session by running tmux attach.
To stop the honeypot, press CTRL+B followed by typing :kill-session, which ends the session.