DICOMHawk – A Honeypot For Secure DICOM Server Monitoring

DICOMHawk is a powerful and efficient honeypot for DICOM servers, designed to attract and log unauthorized access attempts and interactions.

Built using Flask and pynetdicom, DICOMHawk offers a streamlined web interface for monitoring and managing DICOM interactions in real-time.

Features

• DICOM Server Simulation: Supports C-ECHO, C-FIND, and C-STORE operations to simulate a realistic DICOM server environment.
• Logging: Detailed logging of DICOM associations, DIMSE messages, and event-specific data to track and analyze potential attacks.
• Web Interface: A user-friendly web interface to view server status, active associations, and logs.
• Custom Handlers: Easily extendable to support additional DICOM services and custom logging or handling requirements.

Getting Started

Prerequisites

• Docker and Docker Compose installed on your machine
• DCMTK tools installed on your local machine for testing

Installation

Clone the repository:

git clone https://github.com/gtheodoridis/DICOMHawk.git
cd dicomhawk

Start the services with Docker Compose:

docker-compose up -d

1. This command starts the Flask application and a log server in detached mode. The web interface is accessible on port 5000, and the DICOM server listens on port 11112. Alternatively, port 104 is also applicable for DICOM (ACR-NEMA).

Usage

Access the Web Interface:

Open a web browser and go to http://127.0.0.1:5000 to access the DICOMHawk web interface. Here, you can monitor server status, view active associations, and check the logs.

Test the DICOM Server:

Use DCMTK tools to interact with the DICOM server.

• C-ECHO (DICOM Echo Test):

echoscu 127.0.0.1 11112

For more information click here.