bjeborn/basic-auth-pot

bap - http Basic Authentication honeyPot

About

bap is a webservice honeypot that logs HTTP basic authentication credentials in a "parser friendly format"™.

The webservice handles HEAD and GET requests, to which it always responds with 401 WWW-Authenticate: Basic realm="ADMIN".
HTTP request methods other than HEAD or GET will result in an error response generated by BaseHTTPServer.
There is no valid username / password for the service. Credentials are only decoded and logged.

Configuration

Configure HTTP_ADDR and HTTP_PORT in bap.py.
Leaving HTTP_ADDR as an empty string binds to all interfaces and addresses.
The default is to bind to *:8080.

Running

bap.py starts bap in the foreground.
start-bap-debian.sh uses start-stop-daemon to start bap in the background.
stop-bap-debian.sh stops the background service.

Do not run bap as root.
To listen on a privileged port (80), use port redirection.

Logging

Logfiles are written to the same directory as bap.py.

pot.log - Authentication honeypot log

Format: [Date Time] Client_address:Client_port Auth_method Decoded_auth_string
Ex: [2015-01-09 19:59:43,516] 192.168.99.99:12345 Basic user:pass
Client_address and Client_port: Source of the request.
Auth_method: Parameter 1 from the authenticate request header. Is always Basic.
Decoded_auth_string: Base64 decoded version of parameter 2 from the authenticate request header.

access.log - Server access log

Format: [Date Time] Client_address:Client_port "Request_string" Response_code "User-Agent_string"
Ex: [2015-01-09 19:59:43,508] 192.168.99.99:12345 "GET / HTTP/1.1" 401 "curl/7.38.0"
Client_address and Client_port: Source of the request.
Request_string: Request received from the client, enclosed by ".
Response_code: Response code sent to the client.
User-Agent_string: User-Agent header received from the client, enclosed by ".
Note: Double quotes received from clients are escaped with \.

error.log - Server error log

Format: [Date Time] Client_address:Client_port Error_message
Ex 1: [2015-01-09 19:59:45,406] 192.168.99.99:12346 code 501, message Unsupported method ('TRACE')
Ex 2: [2015-01-09 19:59:46,350] 192.168.99.99:12347 DecodeFailure abc123
Client_address and Client_port: Source of the request.
Error_message: Description of the error.
Unsupported method occurs when the client request method is anything other than GET or HEAD.
DecodeFailure occurs when the client sends Basic authentication and parameter 2 is not valid base64-encoded data.

bap.log - Program output log

stdout and stderr end up here.

Notes

  • A request that triggers an error will receive the error code + message in the response header, for example "501 Unsupported method ('TRACE')".
    It would be sufficient to send the code + a generic message, or just the code without any message.
  • The value user:pass in pot.log can contain multiple ':' chars. This could lead to parsing issues when trying to separate user and pass.
  • Logs can contain escaped double quotes. Double quotes received from clients are escaped with \ before being logged.
  • bap.log has no timestamps for log events. Logging of exceptions makes timestamping a bit complicated. Use traceback class to fix this?
  • Logfiles are not rotated.
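
A parser for the pot.log format described above that handles the multiple ':' case from the notes. This is an added example, not part of bap itself: the names parse_pot_line and summarize are hypothetical, the sample lines are constructed, and it assumes the client address contains no spaces.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the pot.log format documented above.
SAMPLE_POT_LOG = """\
[2015-01-09 19:59:43,516] 192.168.99.99:12345 Basic user:pass
[2015-01-09 19:59:44,020] 192.168.99.99:12346 Basic admin:pa:ss:word
[2015-01-09 19:59:44,731] 192.168.99.100:40022 Basic root:two words
[2015-01-09 19:59:45,102] 192.168.99.100:40023 Basic nocolon
this line is not in pot.log format
"""

# [Date Time] Client_address:Client_port Auth_method Decoded_auth_string
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\] "
    r"(?P<addr>\S+):(?P<port>\d+) (?P<method>\S+) (?P<auth>.*)$"
)

def parse_pot_line(line):
    """Return a dict for one pot.log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # RFC 7617: a user-id cannot contain ':', so only the FIRST colon
    # separates user and password; later colons belong to the password.
    user, sep, password = m.group("auth").partition(":")
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
        "addr": m.group("addr"),
        "port": int(m.group("port")),
        "method": m.group("method"),
        "user": user,
        "password": password if sep else None,  # None: client sent no colon
    }

def summarize(text):
    """Return (records, attempts per source address, unparsed lines)."""
    records, skipped = [], []
    for line in filter(str.strip, text.splitlines()):  # ignore blank lines
        rec = parse_pot_line(line)
        if rec is None:
            skipped.append(line)  # keep for review instead of dropping silently
        else:
            records.append(rec)
    return records, Counter(r["addr"] for r in records), skipped

if __name__ == "__main__":
    print(summarize(SAMPLE_POT_LOG)[1:])
```

Unparsed lines are returned rather than discarded because the decoded string is client-controlled, so lines that do not fit the format are worth reviewing.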
