Hi @mkgvt_gitlab ! Thanks for the interest in the project!
This is one that often gives folks pause; cowrie’s default behavior is to let attackers “log in” and then record the commands that are attempted by the attacker. If cowrie recognizes an attempt to pull down a file (such as “wget badsite.com/malware”), cowrie will go fetch the file, hash it, and store the file in the local filesystem (in this case, inside the container).
docker-compose exec chnserver grep DEPLOY_KEY /opt/config.py
@d90 : One (underused) option that may help in this case (unsure since I’m not sure what Nmap is keying on; chodonne’s answer may be what’s needed) is to use the personalities option for the honeypot:
Routing 10.0.10.0/24 to an anyip host with a “real/management” interface on 10.0.20.5 is just dandy.
But if you try to send a default route of 10.0.0.0/16 at the anyip interface, your management interface traffic will end up sucked into the honeypot as well, which is of course not ideal. :-/
Hi @zapsoda ! Great question!
MHN is where CHN came from; we forked that project about 1.5 years ago and have been working to maintain it since then. In terms of project comparisons, I think the biggest difference is that CHN is based on Docker images for the server and individual honeypots, while MHN used custom scripts to install the software onto the local OS in a traditional manner.