bap - http Basic Authentication honeyPot
Latest commit 41d5f29 by bjeborn, Jan 15, 2015: "Change log writing routines" (Add log for stdout and stderr)
Files:
  .gitignore           Initial commit               Jan 10, 2015
  README.md            Change log writing routines  Jan 15, 2015
  bap.py               Change log writing routines  Jan 15, 2015
  start-bap-debian.sh  Initial commit               Jan 10, 2015
  stop-bap-debian.sh   Initial commit               Jan 10, 2015

README.md

bap - http Basic Authentication honeyPot

About

bap is a webservice honeypot that logs HTTP basic authentication credentials in a "parser friendly format"™.

The webservice handles HEAD and GET requests, to which it always responds with 401 and the header WWW-Authenticate: Basic realm="ADMIN".
HTTP request methods other than HEAD or GET result in an error response generated by BaseHTTPServer (501 Unsupported method).
There is no valid username / password for the service. Credentials sent in the Authorization header are only decoded and logged; every request is rejected.
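The header handling described above, as an added example (Python 3, not bap's own code, which is written against Python 2's BaseHTTPServer): parameter 1 of the Authorization header is the scheme, parameter 2 the base64 blob, and a blob that does not decode is recorded as a DecodeFailure. Names such as `handle_authorization` and the choice to ignore non-Basic schemes are this example's own assumptions; the README does not say what bap does with a non-Basic scheme.

```python
import base64
import binascii


class DecodeFailure(ValueError):
    """Parameter 2 of the Authorization header was not valid base64."""


def decode_authorization(header_value):
    """Return (auth_method, decoded_auth_string) for an Authorization header value.

    Parameter 1 is the scheme, parameter 2 the base64 blob. Only Basic is decoded;
    any other scheme is returned with None (assumption of this example: the README
    does not describe bap's behaviour for non-Basic schemes).
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        raise DecodeFailure(header_value.strip())
    method, blob = parts
    if method.lower() != "basic":
        return method, None
    try:
        # validate=True rejects characters outside the base64 alphabet instead of
        # silently discarding them; junk such as "abc123" also fails on padding.
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        raise DecodeFailure(blob)
    # RFC 7617 leaves the charset open; decode leniently so an odd byte sequence
    # can never crash the honeypot.
    return "Basic", raw.decode("utf-8", errors="replace")


def split_credentials(decoded):
    """Split user:pass on the FIRST colon only.

    RFC 7617 forbids ':' in the user-id, so every colon after the first belongs
    to the password. Splitting on the last colon, or on every colon, mangles
    passwords such as 'p:ss:w0rd'.
    """
    user, sep, password = decoded.partition(":")
    return user, (password if sep else None)


def handle_authorization(header_value):
    """Route one header the way the README says bap logs it: a decoded Basic
    credential becomes a pot.log entry, a bad blob an error.log 'DecodeFailure'
    entry. Returns (logfile, message); timestamp and source prefix are left to
    the logger. (Hypothetical helper, not a bap function.)"""
    try:
        method, decoded = decode_authorization(header_value)
    except DecodeFailure as exc:
        return "error.log", "DecodeFailure %s" % exc
    if decoded is None:
        return None, None  # non-Basic scheme: ignored (assumption, see above)
    return "pot.log", "%s %s" % (method, decoded)


if __name__ == "__main__":
    # "dXNlcjpwYXNz" is base64 for "user:pass"; "abc123" is the README's error example.
    for header in ("Basic dXNlcjpwYXNz", "Basic abc123", "Bearer sometoken"):
        print(header, "->", handle_authorization(header))
```

`base64.b64decode` without `validate=True` silently drops non-alphabet characters before decoding, which would turn some malformed blobs into bogus "credentials" in pot.log instead of a DecodeFailure in error.log.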

Configuration

Configure HTTP_ADDR and HTTP_PORT in bap.py.
Leaving HTTP_ADDR as an empty string binds to all interfaces and addresses.
The default is to bind to *:8080.

Running

bap.py starts bap in the foreground.
start-bap-debian.sh uses start-stop-daemon to start bap in the background.
stop-bap-debian.sh stops the background service.

Do not run bap as root.
To listen on a privileged port (80), keep bap on its unprivileged port and use port redirection, for example an iptables nat PREROUTING REDIRECT rule from port 80 to 8080.

Logging

Logfiles are written to the same directory as bap.py.

pot.log - Authentication honeypot log

Format: [Date Time] Client_address:Client_port Auth_method Decoded_auth_string
Ex: [2015-01-09 19:59:43,516] 192.168.99.99:12345 Basic user:pass
Client_address and Client_port: Source of the request.
Auth_method: Parameter 1 (the scheme) from the Authorization request header. Is always Basic.
Decoded_auth_string: Base64-decoded version of parameter 2 from the Authorization request header, i.e. user:pass as sent by the client.

access.log - Server access log

Format: [Date Time] Client_address:Client_port "Request_string" Response_code "User-Agent_string"
Ex: [2015-01-09 19:59:43,508] 192.168.99.99:12345 "GET / HTTP/1.1" 401 "curl/7.38.0"
Client_address and Client_port: Source of the request.
Request_string: Request received from the client, enclosed by ".
Response_code: Response code sent to the client.
User-agent_string: User-agent header received from the client, enclosed by ".
Note: Double quotes received from clients are escaped with \.

error.log - Server error log

Format: [Date Time] Client_address:Client_port Error_message
Ex 1: [2015-01-09 19:59:45,406] 192.168.99.99:12346 code 501, message Unsupported method ('TRACE')
Ex 2: [2015-01-09 19:59:46,350] 192.168.99.99:12347 DecodeFailure abc123
Client_address and Client_port: Source of the request.
Error_message: Description of the error.
Unsupported method occurs when the client request method is anything other than GET or HEAD.
DecodeFailure occurs when the client sends a Basic Authorization header whose parameter 2 is not valid base64-encoded data; the offending value is logged as received.

bap.log - Program output log

stdout and stderr end up here.

Notes

  • A request that triggers an error receives the error code + message in the response status line, for example "501 Unsupported method ('TRACE')".
    It would be sufficient to send the code + a generic message, or just the code without any message; echoing the offending method back also helps a scanner fingerprint the service as a BaseHTTPServer-based honeypot.
  • The value user:pass in pot.log can contain multiple ':' chars. This could lead to parsing issues when trying to separate user and pass. Split on the first ':' only: RFC 7617 forbids ':' in the user-id, so any further colon belongs to the password.
  • Logs can contain escaped double quotes. Double quotes received from clients are escaped with \ before being logged.
  • bap.log has no time of log events. Logging of exceptions makes timestamping a bit complicated. Use the traceback module to fix this?
  • Logfiles are not rotated.
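A parser for the three log formats documented in the Logging section, handling the two pitfalls the Notes call out (a password containing ':' and escaped double quotes), as an added example (Python 3) that is not part of bap. The sample log lines are constructed for this example; the `summarize` helper and the assumption that only the double quote is escaped (all the README states) are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Timestamp is Python logging's default asctime: "YYYY-MM-DD HH:MM:SS,mmm".
_TS = r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]"
# Source addr:port. \S+ is greedy but backtracks to the LAST colon, so an IPv6
# source such as ::1:12345 still splits correctly.
_SRC = r"(?P<addr>\S+):(?P<port>\d+)"
# A double-quoted field whose interior may contain \" (bap escapes " with \).
_Q = r'"(?:[^"\\]|\\.)*"'

POT_RE = re.compile(rf"^{_TS} {_SRC} (?P<method>\S+) (?P<cred>.*)$")
ACCESS_RE = re.compile(rf"^{_TS} {_SRC} (?P<req>{_Q}) (?P<code>\d{{3}}) (?P<ua>{_Q})$")
ERROR_RE = re.compile(rf"^{_TS} {_SRC} (?P<msg>.*)$")
_UNSUPPORTED_RE = re.compile(r"Unsupported method \('([^']*)'\)")

# Constructed sample lines in on-disk form; \" inside the User-Agent is the
# escaping the README describes.
SAMPLE_POT = """\
[2015-01-09 19:59:43,516] 192.168.99.99:12345 Basic user:pass
[2015-01-09 20:01:10,002] 192.168.99.99:12350 Basic admin:p:ss:w0rd
[2015-01-09 20:01:11,777] 10.0.0.7:40001 Basic root:toor
"""
SAMPLE_ACCESS = """\
[2015-01-09 19:59:43,508] 192.168.99.99:12345 "GET / HTTP/1.1" 401 "curl/7.38.0"
[2015-01-09 20:01:10,001] 192.168.99.99:12350 "GET /admin HTTP/1.1" 401 "Mozilla/5.0 (\\"x\\") scan"
"""
SAMPLE_ERROR = """\
[2015-01-09 19:59:45,406] 192.168.99.99:12346 code 501, message Unsupported method ('TRACE')
[2015-01-09 19:59:46,350] 192.168.99.99:12347 DecodeFailure abc123
"""


def _common(m):
    return {"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
            "addr": m["addr"], "port": int(m["port"])}


def _unquote(field):
    # Strip the enclosing quotes and undo the \" escaping. Assumption: only the
    # double quote is escaped, which is all the README states.
    return field[1:-1].replace('\\"', '"')


def parse_pot(line):
    """pot.log: split user:pass on the FIRST colon. RFC 7617 forbids ':' in the
    user-id, so any further colon is part of the password."""
    m = POT_RE.match(line)
    if not m:
        return None
    user, _, password = m["cred"].partition(":")
    return dict(_common(m), method=m["method"], user=user, password=password)


def parse_access(line):
    """access.log: request line and User-Agent, with escaped quotes restored."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return dict(_common(m), request=_unquote(m["req"]), status=int(m["code"]),
                user_agent=_unquote(m["ua"]))


def parse_error(line):
    """error.log: classify the two messages the README documents."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    unsupported = _UNSUPPORTED_RE.search(msg)
    if msg.startswith("DecodeFailure "):
        kind, detail = "decode_failure", msg[len("DecodeFailure "):]
    elif unsupported:
        kind, detail = "unsupported_method", unsupported.group(1)
    else:
        kind, detail = "other", msg
    return dict(_common(m), kind=kind, detail=detail)


def summarize(pot_text):
    """Attempts per source address and credential pairs, most frequent first."""
    records = [r for r in map(parse_pot, pot_text.splitlines()) if r]
    by_source = Counter(r["addr"] for r in records)
    creds = Counter((r["user"], r["password"]) for r in records)
    return by_source.most_common(), creds.most_common()


if __name__ == "__main__":
    for line in SAMPLE_ACCESS.splitlines():
        print(parse_access(line))
    print(summarize(SAMPLE_POT))
```

Unparseable lines return None rather than raising, so a partially written line (the logs are not rotated and may be read while bap is writing) does not abort a batch run.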