What is it?
Artillery is a comprehensive security tool that combines the functionalities of a honeypot and an intrusion detection system to enhance network security. It monitors and detects unauthorized access attempts, actively deceiving attackers by simulating vulnerabilities and thereby diverting them from real network assets. When an attack is detected, Artillery can block the offending IP addresses and alert administrators, effectively helping to prevent potential breaches before they escalate. This proactive security measure is designed to engage with attackers, gather intelligence about their tactics, and strengthen the overall defense of the network.
Let's get started.
❯ artilleria
Cloning into 'artillery'...
....
Installing....
Written by: Dave Kennedy (ReL1K)
Do you want to install Artillery and have it automatically run when you restart [y/n]:
The Artillery script installs everything we need. Afterwards, I added the basic configuration of what it needs to function, but it's advisable to customize the file according to specific requirements.
FTP_BRUTE_MONITOR="ON"
HONEYPOT_BAN="ON"
SSH_BRUTE_ATTEMPTS="2"
LOG_MESSAGE_BAN="MinneSec has blocked (and blacklisted) an attack from %ip% for a connection to a honeypot restricted port %port%"
LOG_MESSAGE_ALERT="MinneSec has detected an attack from %ip% for a connection on a honeypot port %port%"
On Kali, before installing Artillery:

❯ nmap 10.0.8.10
Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for 10.0.8.10
Host is up (0.00036s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh

After the script runs, the honeypot ports show up as open:

❯ nmap 10.0.8.10
Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for 10.0.8.10
Host is up (0.00032s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
110/tcp   open  pop3
1433/tcp  open  ms-sql-s
1723/tcp  open  pptp
5060/tcp  open  sip
5061/tcp  open  sip-tls
5800/tcp  open  vnc-http
5900/tcp  open  vnc
8080/tcp  open  http-proxy
10000/tcp open  snet-sensor-mgmt
16993/tcp open  amt-soap-https
44443/tcp open  coldfusion-auth
Artillery status
To quickly check the status of Artillery without using systemctl, we can use another script from our tools called ctl.
❯ ctl artillery

What would you like to do with artillery?

 a - start
 r - restart
 t - stop
 s - status
 e - enable
 d - disable
 c - cancel
 m - mask
 q - exit

Select an option: s
● artillery.service - LSB: Artillery - Advanced threat intelligence
Loaded: loaded (/etc/init.d/artillery; generated)
Active: active (running)
Docs: man:systemd-sysv-generator(8)
Process: 12924 ExecStart=/etc/init.d/artillery start (code=exited, status=0/SUCCESS)
Tasks: 3 (limit: 9247)
That's all.
With the "ctl" script, we can start, stop, or enable Artillery. Below are the two scripts, one for Artillery and the other for "ctl".
-
Artillery
#!/bin/bash
echo ""

# List of packages to install
paquetes=("iptables")

# Check whether a package is installed (Debian/Ubuntu/Kali)
paquete_instalado_apt() {
    dpkg -l "$1" 2>/dev/null | grep -q '^ii'
}

# Check whether a package is installed (CentOS/RHEL)
paquete_instalado_yum() {
    yum list installed "$1" &> /dev/null
}

# Check whether a package is installed (Fedora)
paquete_instalado_dnf() {
    dnf list installed "$1" &> /dev/null
}

# Check whether a package is installed (Arch Linux)
paquete_instalado_pacman() {
    pacman -Qi "$1" &> /dev/null
}

# Detect the operating system
OS=""
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=$ID
fi

# Install the packages according to the operating system
for paquete in "${paquetes[@]}"; do
    case "$OS" in
        "debian"|"ubuntu"|"kali")
            if ! paquete_instalado_apt "$paquete"; then
                echo "Instalando el paquete $paquete..."
                sudo apt-get install -y "$paquete"
            fi
            ;;
        "centos"|"rhel")
            if ! paquete_instalado_yum "$paquete"; then
                echo "Instalando el paquete $paquete..."
                sudo yum install -y "$paquete"
            fi
            ;;
        "fedora")
            if ! paquete_instalado_dnf "$paquete"; then
                echo "Instalando el paquete $paquete..."
                sudo dnf install -y "$paquete"
            fi
            ;;
        "arch")
            if ! paquete_instalado_pacman "$paquete"; then
                echo "Instalando el paquete $paquete..."
                sudo pacman -S --noconfirm "$paquete"
            fi
            ;;
        *)
            ;;
    esac
done

# Clone the Artillery repository
git clone https://github.com/BinaryDefense/artillery.git
# Download from my repo
#git clone https://github.com/4rji/4rji.git
#unzip artillery.zip

# Change to the artillery directory
#cd artillery/
cd artillery || exit 1

# Run the setup script
sudo python3 setup.py
cd ..
sudo rm -rf artillery

# Path to the configuration file
CONFIG_FILE="/var/artillery/config"

# Comment out the existing default lines
sudo sed -i 's/^HONEYPOT_BAN="OFF"/#HONEYPOT_BAN="OFF"/' "$CONFIG_FILE"
sudo sed -i 's/^SSH_BRUTE_ATTEMPTS="4"/#SSH_BRUTE_ATTEMPTS="4"/' "$CONFIG_FILE"
sudo sed -i 's/^FTP_BRUTE_MONITOR="OFF"/#FTP_BRUTE_MONITOR="OFF"/' "$CONFIG_FILE"
sudo sed -i 's/^LOG_MESSAGE_ALERT="Artillery has detected an attack from %ip% for a connection on a honeypot port %port%"/#LOG_MESSAGE_ALERT="Artillery has detected an attack from %ip% for a connection on a honeypot port %port%"/' "$CONFIG_FILE"
sudo sed -i 's/^LOG_MESSAGE_BAN="Artillery has blocked (and blacklisted) an attack from %ip% for a connection to a honeypot restricted port %port%"/#LOG_MESSAGE_BAN="Artillery has blocked (and blacklisted) an attack from %ip% for a connection to a honeypot restricted port %port%"/' "$CONFIG_FILE"

# Add the new lines at the top of the file (GNU sed expands \n in the inserted text)
sudo sed -i '1iHONEYPOT_BAN="ON"\nSSH_BRUTE_ATTEMPTS="2"\nLOG_MESSAGE_BAN="MinneSec has blocked (and blacklisted) an attack from %ip% for a connection to a honeypot restricted port %port%"\nLOG_MESSAGE_ALERT="MinneSec has detected an attack from %ip% for a connection on a honeypot port %port%"' "$CONFIG_FILE"
sudo sed -i '1iFTP_BRUTE_MONITOR="ON"' "$CONFIG_FILE"

echo " *************** INSTRUCCIONES **************"
echo "modificar el archivo"
echo "/var/artillery/config"
echo "unbanar para banlist"
echo "sudo nano /var/artillery/banlist.txt"
echo "artires para reiniciar el servicio"
echo ""
echo "Se iniciara nano config en 2 segundos"
echo ""
echo "Modificar manualmente los puertos !!!! IMPORTANTE !!! lo demas ya se modifico"
sleep 2
sudo nano /var/artillery/config
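The sed approach in the install script above has two practical limits: the substitutions only match the exact default lines, so a config that was already edited is silently left alone, and the `1i` inserts prepend a fresh copy on every run, so running the script twice produces duplicate keys. The helper below is an added example (it is not part of the original post or of Artillery) that sets a `KEY="VALUE"` line idempotently: the first active line is rewritten, extra active copies are dropped, a commented-out default is re-activated in place, and the line is appended only when the key is absent. It assumes POSIX awk and write access to the file (so run it under sudo for `/var/artillery/config`); the sample config in `demo` is constructed to mimic the defaults the install script comments out.

```shell
#!/bin/bash
# Added example, not part of the original post or of Artillery itself.
# Idempotent KEY="VALUE" editing for an Artillery-style config file.
# Rules applied per key:
#   - the first active KEY= line gets the new value, later active copies are dropped
#   - with no active line but a commented '#KEY=' default, that line is re-activated in place
#   - if the key is absent altogether, the line is appended
# Assumes POSIX awk and write access to the file (sudo for /var/artillery/config).
set -eu

# set_config_key FILE KEY VALUE
set_config_key() {
    local file="$1" key="$2" value="$3"
    local tmp
    tmp=$(mktemp)
    # Key and line go through the environment rather than awk -v, so backslashes
    # in the value are not reinterpreted as escape sequences.
    CFG_KEY="$key" CFG_LINE="${key}=\"${value}\"" awk '
        BEGIN { key = ENVIRON["CFG_KEY"]; line = ENVIRON["CFG_LINE"]; done = 0 }
        index($0, key "=") == 1              { if (!done) { print line; done = 1 }; next }
        index($0, "#" key "=") == 1 && !done { print line; done = 1; next }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write back in place so ownership and mode are preserved
    rm -f "$tmp"
}

# get_config_value FILE KEY: prints the value of the active KEY="..." line without quotes
get_config_value() {
    sed -n 's/^'"$2"'="\(.*\)"$/\1/p' "$1"
}

# count_active FILE KEY: number of active definitions; exactly 1 after set_config_key
count_active() {
    grep -c "^$2=" "$1" || true
}

# Demo on a constructed config that mimics the defaults the install script comments out.
demo() {
    local cfg
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
HONEYPOT_BAN="OFF"
SSH_BRUTE_ATTEMPTS="4"
#FTP_BRUTE_MONITOR="OFF"
LOG_MESSAGE_ALERT="Artillery has detected an attack from %ip% for a connection on a honeypot port %port%"
EOF
    set_config_key "$cfg" HONEYPOT_BAN ON
    set_config_key "$cfg" HONEYPOT_BAN ON   # second run: still a single HONEYPOT_BAN line
    set_config_key "$cfg" SSH_BRUTE_ATTEMPTS 2
    set_config_key "$cfg" FTP_BRUTE_MONITOR ON
    set_config_key "$cfg" LOG_MESSAGE_BAN "MinneSec has blocked (and blacklisted) an attack from %ip% for a connection to a honeypot restricted port %port%"
    cat "$cfg"
    rm -f "$cfg"
}

demo
```

Because matching is done with `index()` on the literal `KEY=` prefix rather than a regex, values containing `(`, `)`, `%`, `/` or `&` need no escaping, which is exactly where the sed one-liners get fragile.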
-
ctl service
#!/bin/bash

# Function to control the service
control_service() {
    while true; do
        echo ""
        echo "What would you like to do with $service?"
        echo ""
        echo " a - start"
        echo " r - restart"
        echo " t - stop"
        echo " s - status"
        echo " e - enable"
        echo " d - disable"
        echo " c - cancel"
        echo " m - mask"
        echo " q - exit"
        echo ""
        echo -n "Select an option: "
        read -n 1 action
        echo ""
        case "$action" in
            r)
                sudo systemctl restart "$service"
                echo ""
                echo "Checking status after restarting..."
                sleep 1
                echo ""
                sudo systemctl status "$service"
                ;;
            e)
                sudo systemctl enable "$service"
                ;;
            d)
                sudo systemctl disable "$service"
                ;;
            s)
                sudo systemctl status "$service"
                ;;
            t)
                sudo systemctl stop "$service"
                echo ""
                echo "Checking status after stopping..."
                sleep 1
                echo ""
                sudo systemctl status "$service"
                ;;
            m)
                sudo systemctl --now mask "$service"
                echo ""
                echo "Checking status after masking..."
                sleep 1
                echo ""
                sudo systemctl status "$service"
                ;;
            a)
                sudo systemctl start "$service"
                echo ""
                echo "Checking status after starting..."
                sleep .5
                echo ""
                sudo systemctl status "$service"
                ;;
            c)
                echo "Canceling..."
                break
                ;;
            q)
                echo "Exiting..."
                exit 0
                ;;
            *)
                echo "Invalid option."
                ;;
        esac
    done
}

echo ""

# Check that a service name was provided
if [ $# -eq 0 ]; then
    echo "Usage: ctl <service>"
    exit 1
fi

service=$1
control_service