DICOMHawk – A Honeypot For Secure DICOM Server Monitoring

DICOMHawk is a powerful and efficient honeypot for DICOM servers, designed to attract and log unauthorized access attempts and interactions.

Built using Flask and pynetdicom, DICOMHawk offers a streamlined web interface for monitoring and managing DICOM interactions in real-time.

Features

DICOM Server Simulation: Supports C-ECHO, C-FIND, and C-STORE operations to simulate a realistic DICOM server environment.
Logging: Detailed logging of DICOM associations, DIMSE messages, and event-specific data to track and analyze potential attacks.
Web Interface: A user-friendly web interface to view server status, active associations, and logs.
Custom Handlers: Easily extendable to support additional DICOM services and custom logging or handling requirements.

Getting Started

Prerequisites

Docker and Docker Compose installed on your machine
DCMTK tools installed on your local machine for testing

Installation

Clone the repository:

git clone https://github.com/gtheodoridis/DICOMHawk.git
cd dicomhawk

Start the services with Docker Compose:

docker-compose up -d

This command starts the Flask application and a log server in detached mode. The web interface is accessible on port 5000, and the DICOM server listens on port 11112. Alternatively, port 104 is also applicable for DICOM (ACR-NEMA).

Usage

Access the Web Interface:

Open a web browser and go to http://127.0.0.1:5000 to access the DICOMHawk web interface. Here, you can monitor server status, view active associations, and check the logs.

Test the DICOM Server:

Use DCMTK tools to interact with the DICOM server.

C-ECHO (DICOM Echo Test):

echoscu 127.0.0.1 11112

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.