Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
express honeypot
- Host: GitHub
- URL: https://github.com/christophe77/express-honeypot
- Owner: christophe77
- License: mit
- Created: 2022-01-10T04:30:24.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2024-02-23T12:16:55.000Z (11 months ago)
- Last Synced: 2024-04-26T04:04:01.063Z (9 months ago)
- Topics: express, honeypot, nodejs
- Language: JavaScript
- Homepage: https://github.com/christophe77/express-honeypot
- Size: 851 KB
- Stars: 12
- Watchers: 3
- Forks: 4
- Open Issues: 1
Metadata Files:
- Readme: readme.md
- License: LICENSE
Awesome Lists containing this project
- awesome-honeypots - Express honeypot - RFI & LFI honeypot using nodeJS and express. (Honeypots)
- fucking-awesome-honeypots - Express honeypot - RFI & LFI honeypot using nodeJS and express. (Honeypots)
README
# express-honeypot
Express honeypot is a honeypot for remote file inclusion (RFI) and local file inclusion (LFI).
The aim of this project is to catch bots and malware that scan websites and try to upload remote files.
Those RFI / LFI bots use a list of Google dorks to search the web for vulnerable websites.
Express honeypot uses 310 fake URLs based on RFI / LFI dorks and serves them dynamically.
Every request to any of the honeypot URLs is logged, and the remote file is downloaded and safely stored.
This honeypot is written in JavaScript and uses Express as its web server.
A light log viewer page is available at /beekeeper, but I think it needs to have more commands.
Development is still in progress, but the core architecture won't change, so you are safe to start using it.

## How to use
Clone the project and install the dependencies:

```sh
git clone https://github.com/christophe77/express-honeypot
cd express-honeypot
yarn install
```

Edit the _/express/config.js_ file:

- _port_ is the port for the web server.
- _beekeeperCredentials_ is the username and password used to access the /beekeeper URL.
- _remoteFileSave_ chooses whether to save the remote file on your local drive, on dpaste, or on both.
- _googleVerification_ is the key given by Google Search Console to validate your website.

Once installed you can start the app with:

```sh
yarn start
```
## How it works when deployed
The app starts a web server and generates a sitemap with known vulnerable paths from phpBB, Joomla, and others.
When a visitor opens a URL and tries to include a remote file, the information about the request is stored in a JSON file in the _/express/hive_ directory.
The remote file used for the inclusion is downloaded into the hive folder with a .bee extension: _/express/hive/files/YYYY-MM-DD/filename.ext.bee_
When a URL is opened, a fake page is displayed with some basic HTML tags, random text, and some SEO for Google bots.
If the page is opened with a remote file inside the URL, then the content of the file is added to the response body as if the injection worked.
It is displayed as text, and no real injection is possible.
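As an added example (not the express-honeypot project's own code), the decision path described above for a single request: classify the query value as RFI or LFI, build the JSON record that would go into the hive directory (including the dated `.bee` file name a fetched remote file would get), and echo the payload into the fake page only as HTML-escaped text. Function names are hypothetical, and the remote fetch itself is left out so the snippet runs offline.

```javascript
// Added example, not project code. `req` mimics the Express request fields used: ip, path, headers, query.

// Classify the first query value that looks like an inclusion attempt.
// RFI: an absolute http(s) URL. LFI: directory traversal, a system path, or a null byte.
function classifyInclusion(query) {
  for (const [param, raw] of Object.entries(query || {})) {
    const value = String(raw);
    if (/^https?:\/\//i.test(value)) return { kind: 'rfi', param, value };
    if (/(^|[\\/])\.\.([\\/]|$)/.test(value) || /^\/(etc|proc)\//i.test(value) || /%00|\0/.test(value)) {
      return { kind: 'lfi', param, value };
    }
  }
  return null;
}

// HTML-escape so the payload is shown as literal text and never interpreted by the browser.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Name under which a fetched remote file would be stored: hive/files/YYYY-MM-DD/name.ext.bee
function beeFileName(remoteUrl, now) {
  const name = new URL(remoteUrl).pathname.split('/').filter(Boolean).pop() || 'index';
  return `hive/files/${now.toISOString().slice(0, 10)}/${name}.bee`;
}

// Build the hive JSON record and the fake page body for one request.
function handleRequest(req, now = new Date()) {
  const hit = classifyInclusion(req.query);
  const record = hit && {
    time: now.toISOString(),
    ip: req.ip,
    path: req.path,
    userAgent: (req.headers && req.headers['user-agent']) || '',
    kind: hit.kind,
    param: hit.param,
    payload: hit.value,
    savedAs: hit.kind === 'rfi' ? beeFileName(hit.value, now) : null,
  };
  // The "injected" content only ever appears as escaped text inside <pre>, so nothing executes.
  const injected = hit ? `<pre>${escapeHtml(hit.value)}</pre>` : '';
  const html = `<html><body><h1>Welcome</h1><p>Lorem ipsum dolor sit amet.</p>${injected}</body></html>`;
  return { record, html };
}
```

A real handler would write `record` to a dated file under the hive directory and, for RFI hits, fetch the remote file into `savedAs` as an opaque `.bee` blob.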
If you want your honeypot to be effective you need to spread it over search engines.
Google search console is the best option to start.
When you want to check the logs, go to _your-website.com/beekeeper_.

## How to add more fake URLs
If you want to add URLs, open _/express/pages.js_ and add new entries.