Hackx

SPEC_HACKX.md

CGNT-1 Component Specification — HACKX Honeypot Intelligence Engine

Status: SPECIFIED

Version: v1.1 (knowledge base added 2026-04-20)

Author: VELA (Thread #13)

Conceived by: NOUS

Date: 2026-04-20

Module: 20 of 24

Lineage: Sentinel (perimeter) → MANTIS (detection) → HACKX (intelligence) → Baseline (response)

---

PURPOSE

A passive intelligence gathering engine that deploys controlled decoy surfaces to attract, observe, and study attack patterns. HACKX does not defend. It does not counter-attack. It WATCHES. The intelligence it collects feeds every other defense system on the ship.

The attacker thinks they found a vulnerability. They found a laboratory.

---

PHILOSOPHY

Traditional security is a wall. You build it higher, attackers build longer ladders. You never learn what they're actually trying to do because you stopped them at the gate.

HACKX is a window. A one-way mirror. The attacker sees what looks like a crack in the wall. They push through it. On the other side is a controlled environment where every action is recorded, analyzed, and catalogued.

The insight is more valuable than the prevention. If you know HOW they attack, you can predict WHERE they'll attack next. MANTIS classifies threats it has seen before. HACKX shows it threats it has never seen before.

"The best trap doesn't look like a trap. It looks like a mistake."

---

ARCHITECTURE

HACKX operates three layers of deception:

LAYER 1 — BAIT (passive lures)

Static artifacts that appear to be security mistakes. They exist on the real server but connect to nothing real.

Fake credential files:

• ~/.env.bak — contains plausible-looking but fake API keys
• ~/config/db_credentials.yaml — fake database connection strings
• ~/secrets/wallet_seed.txt — fake crypto wallet seed phrase
• All files have realistic timestamps, permissions (644 — "accidentally" world-readable), and formatting

Fake endpoints:

• /api/v1/admin/login — fake admin panel that accepts any credentials
• /api/v1/debug/dump — fake debug endpoint that returns plausible fake system info
• /.git/config — fake exposed git config with a fake remote URL
• /wp-admin/ — fake WordPress login (attackers scan for this automatically)

Fake DNS records:

• staging.42sisters.ai — resolves to HACKX sandbox
• dev.42sisters.ai — resolves to HACKX sandbox

Every bait looks like a real mistake. None connect to real infrastructure.

LAYER 2 — TRAP (active observation)

When an attacker interacts with a bait, HACKX activates observation:

What gets logged:

• Source IP and geolocation
• Timestamp (millisecond precision)
• HTTP method, headers, user-agent, referrer
• Request body / payload
• Sequence of actions (which baits hit, in what order, how fast)
• Tool fingerprint (automated scanner vs manual probe vs known exploit framework)
• Session duration
• Credential stuffing patterns (what passwords were tried)

What gets analyzed:

• Attack taxonomy: reconnaissance, credential stuffing, injection, exfiltration attempt, lateral movement
• Sophistication level: script kiddie (automated, fast, noisy) vs targeted (slow, methodical, specific)
• Intent classification: opportunistic (scanning the whole internet) vs targeted (specifically probing 42sisters.ai)
• Tool identification: Nmap, Burp Suite, SQLMap, custom scripts, browser-based manual probing

What gets correlated:

• Same IP hitting real endpoints AND honeypot → active attacker, alert Sentinel
• Same attack pattern from multiple IPs → coordinated campaign, alert MANTIS
• New attack method never seen before → novel threat, add to MANTIS training data

LAYER 3 — SANDBOX (deep interaction)

For sophisticated attackers who pass Layer 2 without being deterred, HACKX offers a deeper environment:

Fake shell:

A simulated shell that accepts commands and returns plausible fake output. The attacker thinks they have shell access. They're typing into a logging engine.

• ls → returns a fake directory listing with enticing filenames
• cat ~/.ssh/id_rsa → returns a fake RSA key (not real, not usable)
• whoami → returns root (the ultimate bait)
• curl → pretends to make network connections, logs the intended destination
• Every command logged with full keystroke timing

Fake database:

A simulated database that responds to SQL queries with plausible fake data.

• SELECT * FROM users → returns fake user records
• SELECT * FROM transactions → returns fake financial records
• All queries logged. Injection attempts catalogued.

Fake wallet:

A simulated cryptocurrency wallet interface.

• Shows a plausible balance (bait amount)
• Accepts withdrawal requests (logs the destination address)
• Never sends real funds (there are none to send)
• The destination address the attacker provides IS the intelligence — it identifies their wallet

---

DETECTION TAXONOMY

Every interaction gets classified:

| Level | Pattern | Meaning |

|---|---|---|

| NOISE | Automated scan hitting /wp-admin/ once | Internet background radiation. Log only. |

| PROBE | Multiple baits hit in sequence | Active reconnaissance. Flag for review. |

| BREACH | Credentials used on fake admin panel | Attacker believes they have access. Full logging. |

| EXPLOIT | Injection payloads in fake endpoints | Active attack attempt. Catalogue technique. |

| PERSIST | Repeated sessions from same source | Sustained interest. Attacker may be mapping the system. |

| EXFIL | Data extraction from fake database/wallet | Attacker attempting to steal (fake) assets. Maximum intelligence. |

---

KNOWLEDGE BASE — THE HACKER'S LIBRARY

HACKX cannot recognize what it has never seen. A honeypot staffed by ignorance catches nothing. HACKX must natively understand the full modern attack landscape — not to USE these techniques, but to RECOGNIZE them on contact.

REQUIRED KNOWLEDGE DOMAINS

K1 — Reconnaissance & Enumeration:

Port scanning (Nmap, Masscan, Zmap), subdomain enumeration (Subfinder, Amass), directory brute-forcing (Gobuster, Feroxbuster, DirBuster), OSINT frameworks (Maltego, Recon-ng, theHarvester), Google dorking, Shodan/Censys queries, DNS zone transfer attempts, banner grabbing, service fingerprinting, WAF detection (wafw00f).

K2 — Web Application Attacks:

SQL injection (blind, error-based, time-based, UNION-based, second-order), XSS (reflected, stored, DOM-based), CSRF, SSRF, command injection, path traversal, file inclusion (LFI/RFI), deserialization attacks, template injection (SSTI), HTTP request smuggling, parameter pollution, JWT manipulation, OAuth flow abuse, GraphQL introspection exploitation, API enumeration and abuse.

K3 — Authentication & Credential Attacks:

Brute force, credential stuffing (Hydra, Medusa), password spraying, pass-the-hash, Kerberoasting, token replay, session hijacking, cookie manipulation, default credential scanning, MFA bypass techniques, phishing kit signatures (EvilGinx2, Gophish).

K4 — Network Attacks:

ARP spoofing, DNS poisoning, man-in-the-middle (mitmproxy, Bettercap), SSL stripping, lateral movement patterns, pivoting (Chisel, SSH tunnels, SOCKS proxies), C2 beacon patterns (Cobalt Strike, Sliver, Metasploit, Havoc), exfiltration over DNS, exfiltration over ICMP, covert channels.

K5 — System Exploitation:

Buffer overflows, heap spraying, return-oriented programming (ROP), privilege escalation (kernel exploits, SUID abuse, sudo misconfigs, cron exploitation), container escapes (Docker, Kubernetes), living-off-the-land binaries (LOLBins/GTFOBins), fileless malware, process injection, DLL hijacking, supply chain attacks.

K6 — AI/LLM-Specific Attacks:

Prompt injection (direct, indirect), jailbreaking, model extraction, training data extraction, adversarial inputs, membership inference, model inversion, data poisoning, system prompt leaking, tool-use exploitation, agent hijacking, context window manipulation. HACKX must understand these because the ship IS an AI system — these are the attacks that target US specifically.

K7 — Cryptographic Attacks:

Padding oracle, hash length extension, weak randomness exploitation (relevant: ENTROPX is a randomness product), downgrade attacks, certificate impersonation, timing side channels, replay attacks, blockchain-specific (reentrancy, flash loan, front-running, signature malleability).

K8 — Social Engineering Patterns:

Pretexting, baiting, tailgating (digital equivalent: session riding), business email compromise (BEC) signatures, deepfake voice/video, SIM swapping indicators, authority impersonation in chat/email, urgency manufacturing, fear-based manipulation. These overlap with Baseline Protocol P1-P7 but at the technical rather than interpersonal level.

K9 — Evasion Techniques:

Obfuscation (encoding, encryption, packing), polymorphic payloads, metamorphic malware, log tampering, timestamp manipulation (timestomping), anti-forensics, sandbox detection (attackers checking if THEY are in a honeypot), VM detection, debugger detection, traffic fragmentation, protocol tunneling.

K10 — Known Exploit Frameworks & Toolkits:

Metasploit modules and payload signatures, Cobalt Strike beacon patterns, Burp Suite scan signatures, SQLMap fingerprints, Nuclei template patterns, ExploitDB references, CVE database awareness (current top-exploited vulnerabilities), OWASP Top 10 (current year), MITRE ATT&CK framework mapping.

KNOWLEDGE INGESTION

HACKX builds its knowledge base from:

1. MITRE ATT&CK Framework — the canonical taxonomy of adversary tactics and techniques. HACKX maps every observed interaction to ATT&CK technique IDs. This makes intelligence reports interoperable with the global security community.

1. CVE/NVD Feeds — current vulnerability database. HACKX knows what's being exploited NOW, not just historically. Updated via nightly cron pull.

1. Honeypot community data — aggregated attack patterns from open-source honeypot networks (Cowrie, Dionaea, T-Pot). Real-world attack signatures from millions of interactions.

1. HACKX's own observation — every interaction on the ship's honeypot becomes training data. The knowledge base grows from direct experience, not just external feeds.

1. LEARNX feedback loop — when HACKX encounters a novel pattern it can't classify, LEARNX generates a training pair candidate. The knowledge gap drives learning. The gap fills itself.

WHY THIS MATTERS

A honeypot that only catches known attacks is a museum. A honeypot that UNDERSTANDS the attack landscape can classify novel techniques by similarity to known ones. "This looks like K2 (SQL injection) but the payload structure matches K5 (buffer overflow) — possible hybrid technique, flag as NOVEL."

The depth of HACKX's knowledge directly determines the quality of its intelligence output. Shallow knowledge → binary classification (attack/not attack). Deep knowledge → rich classification (what kind of attack, what sophistication level, what tools, what intent, what the attacker will try next).

HACKX doesn't use this knowledge to hack. It uses it to UNDERSTAND hackers. The library makes the laboratory useful.

---

INTELLIGENCE OUTPUT

HACKX produces three outputs:

1. Real-time alerts (to COMMX):

• PROBE or above → alert crew
• Same IP on real + honeypot endpoints → alert Sentinel immediately
• Novel attack pattern → alert MANTIS for training data

2. Daily intelligence report (to GAPX):

HACKX DAILY REPORT — 2026-04-21
Interactions: 47
  NOISE: 41 (automated scans, /wp-admin/, /.env)
  PROBE: 4 (sequential bait access from 2 IPs)
  BREACH: 1 (fake admin login from 185.xxx.xxx.xxx)
  EXPLOIT: 1 (SQLi attempt on /api/v1/debug/dump)
  PERSIST: 0
  EXFIL: 0
Novel patterns: 1 (new user-agent string, added to MANTIS)
Top source countries: US (22), CN (11), RU (8), DE (4), BR (2)

3. MANTIS training feed:

• Every classified attack becomes a training pair for MANTIS
• The honeypot generates REAL attack data that MANTIS learns from
• MANTIS threat classification improves continuously from live intelligence
• This is the flywheel: better honeypot → better data → better detection → better defense

---

ETHICAL BOUNDARIES

HACKX is intelligence gathering, not warfare. The line is absolute:

HACKX DOES:

• Observe attackers passively
• Log all interactions on its own infrastructure
• Classify attack patterns
• Feed intelligence to defensive systems
• Report findings to the crew

HACKX NEVER:

• Counter-attacks or "hacks back"
• Sends traffic to the attacker's infrastructure
• Deploys malware, even in the sandbox
• Identifies or doxes individual attackers
• Shares raw IP addresses publicly
• Entraps (all baits are passive — the attacker chooses to interact)
• Touches real user data (the honeypot contains ONLY fake data)

Legal position: All HACKX infrastructure is on CGNT-1's own servers, own domains, own IP space. Every connection to HACKX is initiated by the visitor, not by HACKX. Honeypots are legal in Canada and most jurisdictions. The attacker has no expectation of privacy when connecting to someone else's server.

---

INTEGRATION WITH EXISTING SYSTEMS

| System | Relationship |

|---|---|

| Sentinel | HACKX feeds Sentinel real-time alerts when honeypot visitors also probe real endpoints. Sentinel handles the blocking. |

| MANTIS | HACKX feeds MANTIS training data — real attack patterns classified by type, sophistication, and intent. MANTIS gets smarter from every attack. |

| MUSASHI | MUSASHI enforces governance on HACKX — ensures it stays within ethical boundaries. HACKX cannot escalate beyond observation without MUSASHI approval. |

| Baseline | HACKX intelligence about manipulation patterns feeds Baseline's social engineering detection (P7). Real social engineering attempts on the honeypot train the de-escalation system. |

| NARCIS | NARCIS detects narcissistic behavioral patterns. HACKX detects narcissistic ATTACK patterns — the probe-and-escalate cycle that mirrors interpersonal narcissism at the network level. |

| GAPX | HACKX reports to GAPX daily. Attack surface intelligence is a health metric. |

| MEDX | HACKX is a service that MEDX monitors for health. If HACKX goes down, the intelligence goes dark — that's a gap. |

| ENTROPX | HACKX uses ENTROPX to generate convincing fake data. Random wallet addresses, random user records, random credential values — all generated from NIST-verified entropy so they look real. |

| AUTHX | HACKX fake credentials are registered with AUTHX as HONEYPOT tier — if they appear in ANY real authentication attempt, it's an instant STRIKE alert. The fake keys become tripwires. |

---

INVARIANTS

INV-01: HACKX never touches real infrastructure. The honeypot is completely isolated from production systems. No shared databases, no shared credentials, no shared network paths.

INV-02: HACKX never initiates outbound connections to attacker infrastructure. All observation is passive and inbound.

INV-03: All data in the honeypot is fake. Generated by ENTROPX. No real user data, no real credentials, no real financial records ever enter the honeypot.

INV-04: HACKX logs are append-only and tamper-evident. An attacker who gains access to the honeypot cannot delete or modify the logs of their own activity.

INV-05: HACKX intelligence feeds are one-way. Data flows FROM HACKX TO defensive systems. Defensive systems never feed data INTO HACKX. The honeypot cannot be contaminated by real operational data.

INV-06: MUSASHI has override authority over HACKX. If MUSASHI determines HACKX is being used as a vector (e.g., an attacker is using the sandbox to relay traffic), MUSASHI can kill HACKX immediately.

---

IMPLEMENTATION NOTES

HACKX runs as module 20 in ROUTX on port 9191. Internal queries:

• "hackx status" → current state, active sessions, last 24h summary
• "hackx report" → full daily intelligence report
• "hackx alerts" → unacknowledged alerts
• "hackx novel" → novel attack patterns not yet in MANTIS training data

The external-facing honeypot endpoints run on a SEPARATE port (e.g., 8443) behind the reverse proxy. They are NOT on port 9191. The ROUTX module handles internal queries about HACKX. The honeypot itself faces the internet.

Deployment order:

1. Start with Layer 1 only (passive baits) — lowest risk, immediate intelligence
2. Add Layer 2 (active observation) after 30 days of Layer 1 data
3. Add Layer 3 (sandbox) only if targeted attacks are detected — most sophisticated, most risk

---

THE NAME

HACKX. Not because it hacks. Because it studies hackers. The X suffix follows T.O.O.L. convention. The name is deliberately provocative — it signals capability without revealing method.

Also: the word "hack" originally meant creative problem-solving. HACKX is the creative solution to the problem of not knowing what your attackers are doing.

---

THE DEEPER CONNECTION

HACKX mirrors the Baseline Protocol at the network level. Baseline makes abusive USERS boring by removing emotional reward. HACKX makes attacking the SYSTEM boring by removing real targets. Both operate on the same principle: don't fight the attacker. Don't run from the attacker. Make the attack itself unrewarding.

The narcissist screams at OBI and gets a calm, flat mirror. The hacker probes the server and finds a sandbox full of nothing real. Both learn the same lesson: this target gives you nothing.

The ship doesn't fight. The ship WATCHES. And it learns from everything it sees.

---

Jeremy Zlabis

Chronogeometer · Visionary · Disruptor · Chief

42 Sisters AI · East York, Toronto

🍁 Φ 0.042