https://github.com/bjeborn/basic-auth-pot
bap - http Basic Authentication honeyPot
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/bjeborn/basic-auth-pot
- Owner: bjeborn
- Created: 2015-01-10T00:05:44.000Z (almost 10 years ago)
- Default Branch: master
- Last Pushed: 2015-01-15T05:45:18.000Z (almost 10 years ago)
- Last Synced: 2024-08-01T17:30:35.611Z (4 months ago)
- Language: Python
- Homepage:
- Size: 141 KB
- Stars: 45
- Watchers: 1
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-honeypots - basic-auth-pot (bap) - HTTP Basic Authentication honeypot. (Honeypots)
- fucking-awesome-honeypots - basic-auth-pot (bap) - HTTP Basic Authentication honeypot. (Honeypots)
- awesome-honeypot - **14** stars - http Basic Authentication honeyPot (Uncategorized)
README
# bap - http Basic Authentication honeyPot
## About
bap is a webservice honeypot that logs HTTP basic authentication credentials in a "parser friendly format"™.
The webservice handles HEAD and GET requests, to which it always responds with 401 WWW-Authenticate: Basic realm="ADMIN".
HTTP request methods other than HEAD or GET will result in an error response generated by BaseHTTPServer.
There is no valid username / password for the service. Credentials are only decoded and logged.
## Configuration
Configure HTTP_ADDR and HTTP_PORT in bap.py.
Leaving HTTP_ADDR as empty string binds to all interfaces and addresses.
Default is to bind to *:8080
## Running
`bap.py` starts bap in the foreground.
`start-bap-debian.sh` uses `start-stop-daemon` to start bap in the background.
`stop-bap-debian.sh` stops the background service.
Do not run bap as root.
To listen on a privileged port (80), use port redirection.
## Logging
Logfiles are written to the same directory as bap.py.
### pot.log - Authentication honeypot log
`Format: [Date Time] Client_address:Client_port Auth_method Decoded_auth_string`
`Ex: [2015-01-09 19:59:43,516] 192.168.99.99:12345 Basic user:pass`
Client_address and Client_port: Source of the request.
Auth_method: Parameter 1 from the authenticate request header. Is always Basic.
Decoded_auth_string: Base64 decoded version of parameter 2 from the authenticate request header.
### access.log - Server access log
`Format: [Date Time] Client_address:Client_port "Request_string" Response_code "User-Agent_string"`
`Ex: [2015-01-09 19:59:43,508] 192.168.99.99:12345 "GET / HTTP/1.1" 401 "curl/7.38.0"`
Client_address and Client_port: Source of the request.
Request_string: Request received from the client, enclosed by `"`.
Response_code: Response code sent to the client.
User-agent_string: User-agent header received from the client, enclosed by `"`.
*Note: Double quotes received from clients are escaped with `\`.*
### error.log - Server error log
`Format: [Date Time] Client_address:Client_port Error_message`
`Ex 1: [2015-01-09 19:59:45,406] 192.168.99.99:12346 code 501, message Unsupported method ('TRACE')`
`Ex 2: [2015-01-09 19:59:46,350] 192.168.99.99:12347 DecodeFailure abc123`
Client_address and Client_port: Source of the request.
Error_message: Description of the error.
Unsupported method occurs when the client request method is anything other than GET or HEAD.
DecodeFailure occurs when the client sends basic authenticate and parameter 2 is not valid base64 encoded data.
### bap.log - Program output log
stdout and stderr end up here.
## Notes
- A request that triggers an error will receive the error code + message in the response header, for example "501 Unsupported method ('TRACE')".
It would be sufficient to send the code + a generic message, or just the code without any message.
- The value user:pass in pot.log can contain multiple ':' chars. This could lead to parsing issues when trying to separate user and pass.
- Logs can contain escaped double quotes. Double quotes received from clients are escaped with `\` before being logged.
- bap.log has no timestamps for log events. Logging of exceptions makes timestamping a bit complicated. Use traceback class to fix this?
- Logfiles are not rotated.
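One way to parse pot.log despite the multiple-':' issue noted above, as an added example that is not part of bap: it splits the decoded string on the first ':' only, which matches RFC 7617's rule that the user-id cannot contain a colon. The names `PotEntry`, `parse_pot_line` and `parse_pot_log` are hypothetical, and all sample lines except the README's own example are constructed.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# pot.log: [Date Time] Client_address:Client_port Auth_method Decoded_auth_string
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<addr>\S+):(?P<port>\d+) (?P<method>\S+) (?P<auth>.*)$"
)

class PotEntry(NamedTuple):
    timestamp: str
    client_addr: str
    client_port: int
    auth_method: str
    username: str
    password: Optional[str]  # None when the decoded string had no ':' at all

def parse_pot_line(line: str) -> Optional[PotEntry]:
    """Parse one pot.log line; return None if it does not match the format."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # Split on the FIRST ':' only, so later ':' chars stay in the password.
    user, sep, password = m["auth"].partition(":")
    return PotEntry(m["ts"], m["addr"], int(m["port"]), m["method"],
                    user, password if sep else None)

def parse_pot_log(text: str):
    """Return (entries, rejected_lines) for the contents of a pot.log."""
    entries, rejected = [], []
    for line in text.split("\n"):
        if not line:
            continue
        entry = parse_pot_line(line)
        if entry is None:
            rejected.append(line)  # keep for manual review, never drop silently
        else:
            entries.append(entry)
    return entries, rejected

# Constructed sample: the first line is the README's example, the rest are made up.
SAMPLE = """\
[2015-01-09 19:59:43,516] 192.168.99.99:12345 Basic user:pass
[2015-01-09 19:59:44,101] 192.168.99.99:12346 Basic admin:p:ss:w0rd
[2015-01-09 19:59:44,350] 192.168.99.98:40000 Basic root:
[2015-01-09 19:59:44,900] 192.168.99.98:40001 Basic nocolon
[2015-01-09 19:59:45,000] 192.168.99.98:40002 Basic admin:pass with space
not a pot.log line
"""

if __name__ == "__main__":
    entries, rejected = parse_pot_log(SAMPLE)
    print(Counter(e.username for e in entries).most_common(3), rejected)
```

An empty password (`root:`) is reported as `""`, while a decoded string with no ':' at all is reported as `None`, so the two cases stay distinguishable.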