0xIta3hi/ghostgate

GhostGate 🍯

Multi-Protocol Low-Interaction Honeypot

GhostGate is a high-performance, low-interaction honeypot designed to capture early-stage threat intelligence. By simulating common, vulnerable services (FTP, SSH, Telnet, HTTP), it tricks automated scanners and brute-force bots into revealing their credentials, payloads, and intent without exposing the host system to any actual risk.

🎯 Threat Intel Objectives

GhostGate isn't just a trap; it's a sensor. It is designed to answer three critical questions during a scan:

  1. Who is attacking? (Source IP and geographical mapping).

  2. What are they using? (Toolsets, user-agents, and credential dictionaries).

  3. What is the payload? (Malware drops via FTP STOR or HTTP POST).

🍯 Deception Capabilities

  • Protocol Emulation: Mimics real software banners (e.g., OpenSSH_7.6p1) to trick Nmap and other service-version scanners.

  • Interactive Fake Shells: Provides a sandbox environment for SSH/Telnet where attackers can type ls, pwd, and whoami to simulate a successful breach.

  • Multi-Stage FTP Trap: Supports the full FTP command lifecycle (USER -> PASS -> PASV -> STOR), allowing for the capture of uploaded binary malware.

  • HTTP Basic Auth Harvesting: Traps bots attempting to brute-force web panels by logging base64-encoded headers.

🛠️ Technical Implementation (C++)

  • Networking: Built using the WinSock2 (ws2_32) library for high-performance socket management on Windows.

  • Multi-Threading: Utilizes C++17 threading to handle simultaneous connections across multiple ports (21, 23, 2222, 8080) without blocking.

  • Session State Management: Tracks the state of each connection to ensure protocol compliance (e.g., ensuring USER is sent before PASS in FTP).
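The session-state tracking described above can be sketched as a small per-connection state machine. This is an added example, not GhostGate's own code: the names FtpSession, ftp_handle and kMaxLine, the 512-byte line cap, the reply texts and the PASV address are all assumptions, and the socket layer is left out so the logic runs on any platform.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical names throughout; illustrative only, not the project's code.
enum class FtpState { AwaitUser, AwaitPass, LoggedIn, Passive };

struct FtpSession {
    FtpState state = FtpState::AwaitUser;
    std::string user;                  // held until PASS arrives
    std::vector<std::string> events;   // stand-in for the JSON logger
};

constexpr std::size_t kMaxLine = 512;  // assumed cap on one command line

// Feed one command line (CRLF already stripped) and get the canned reply.
// Every reply is a fixed string; nothing is passed to the host OS.
std::string ftp_handle(FtpSession& s, const std::string& line) {
    if (line.size() > kMaxLine) return "500 Line too long.\r\n";
    const auto sp = line.find(' ');
    std::string verb = line.substr(0, sp);
    const std::string arg = (sp == std::string::npos) ? "" : line.substr(sp + 1);
    std::transform(verb.begin(), verb.end(), verb.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });

    if (verb == "USER") {              // allowed in any state; restarts the login
        s.user = arg;
        s.state = FtpState::AwaitPass;
        return "331 Password required.\r\n";
    }
    if (verb == "PASS") {
        if (s.state != FtpState::AwaitPass) return "503 Login with USER first.\r\n";
        // A real logger must escape these attacker-controlled strings.
        s.events.push_back("CREDENTIAL_HARVEST user=" + s.user + " pass=" + arg);
        s.state = FtpState::LoggedIn;  // every login "succeeds" so the client continues
        return "230 Login successful.\r\n";
    }
    if (s.state == FtpState::AwaitUser || s.state == FtpState::AwaitPass)
        return "530 Please login with USER and PASS.\r\n";
    if (verb == "PASV") {
        s.state = FtpState::Passive;
        return "227 Entering Passive Mode (127,0,0,1,195,80).\r\n";  // constructed
    }
    if (verb == "STOR") {
        if (s.state != FtpState::Passive) return "425 Use PASV first.\r\n";
        s.events.push_back("FILE_UPLOAD_ATTEMPT filename=" + arg);
        s.state = FtpState::LoggedIn;  // one transfer per PASV
        return "150 Ok to send data.\r\n";
    }
    return "502 Command not implemented.\r\n";
}
```

Keeping the handler free of socket calls also makes the protocol logic easy to unit-test with out-of-order and oversized input before it is ever exposed on a port.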

📊 Sample Log Output

{
  "timestamp": "2025-05-20T14:22:10Z",
  "src_ip": "192.168.1.45",
  "protocol": "FTP",
  "action": "CREDENTIAL_HARVEST",
  "data": { "user": "admin", "pass": "password123" }
}
{
  "timestamp": "2025-05-20T14:23:05Z",
  "src_ip": "192.168.1.45",
  "protocol": "HTTP",
  "action": "FILE_UPLOAD_ATTEMPT",
  "filename": "payload.exe",
  "size_bytes": 4096
}

🛡️ Security Design (The "Gate" in GhostGate)

  • Isolation: The "shell" commands are hardcoded strings. There is no connection to the actual host OS terminal (cmd.exe or bash).

  • Memory Safety: Strict buffer management in C++ to prevent the honeypot itself from being exploited via a buffer overflow.

  • Non-Privileged Execution: Designed to run in a restricted user context, minimizing the potential impact if the honeypot process were compromised.

🚀 Setup & Compilation

Requirements: MinGW-w64 (GCC)

g++ honeypot.cpp -o GhostGate.exe -lws2_32 -std=c++17 -O3
./GhostGate.exe

Disclaimer: This tool is for research purposes only. Always deploy honeypots in a DMZ or isolated segment.
