https://github.com/cymmetria/strutshoneypot

Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers

# StrutsHoneypot
Cymmetria Research, 2017.

https://www.cymmetria.com/

Written by: Nir Krakowski (@nirkrakowksi), Imri Goldberg (@lorgandon)

Contact: [email protected] Contact: [email protected]

StrutsHoneypot is an Apache 2 based honeypot that includes a separate detection module (an Apache mod) for Apache 2 servers that detects and/or blocks the Struts CVE-2017-5638
exploit. It is released under the MIT license for the use of the community.

Please consider trying out the MazeRunner Community Edition, the free version of our cyber deception platform.
https://community.cymmetria.com/

# Honeypot Installation, Running and Monitoring
- Now with added support (honeypot only) for the Content-Disposition filename parsing vulnerability.

Installation (Ubuntu)
----------------
- apt-get update
- apt-get install docker.io
- docker build -t struts_honeypot strutspot_docker/

Running the Honeypot
--------------------
docker run -p 80:80 --name "mystrutspot_docker" -d struts_honeypot

Accessing the logs
------------------
Run 'docker ps' to confirm the container name: "mystrutspot_docker"

Then run 'docker exec -t -i mystrutspot_docker cat /var/log/apache2/error.log'

# Testing
Prerequisites
-------------
- apt-get install python2.7 python-pip
- pip install requests

Rebuilding the Honeypot
-----------------------
- docker kill mystrutspot_docker
- docker rm mystrutspot_docker
- docker build -t struts_honeypot strutspot_docker/

Then use test-struts2.py like below:

Usage:

./test-struts2.py

e.g: ./test-struts2.py http://localhost/

- This will test for both vulnerabilities. You should be able to see

Detailed Info
------------
The honeypot uses the mod_rewrite RewriteRule directive (see strutspot_docker/src/.htaccess) to redirect all requests to the same URL.
A separate rule exempts cover.css, apache.png, and struts.svg from that redirection.

The honeypot uses error_log() to send a JSON comment containing the connection info and other data to the default Apache error log file.

mod_headers is used to keep PHP from applying its default parsing to multipart/form-data: the content type is rewritten to mmultipart/form-data before the request reaches the PHP parser.
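
An added example (not part of the StrutsHoneypot project): a Python 3 parser that pulls the JSON records described above out of Apache error-log lines and tallies them. The sample log and its JSON keys (`src_ip`, `method`, `event`) are constructed for illustration; the honeypot's actual field names may differ.

```python
import json
import re
from collections import Counter

# Constructed sample in the Apache 2.4 error-log layout. The JSON keys are
# assumptions made for this example; the honeypot's real keys may differ.
SAMPLE_LOG = """\
[Wed Mar 15 10:02:11.120934 2017] [mpm_prefork:notice] [pid 1] AH00163: resuming normal operations
[Wed Mar 15 10:05:42.531877 2017] [:error] [pid 17] [client 172.17.0.1:51844] {"src_ip": "203.0.113.7", "method": "POST", "event": "content-type"}
[Wed Mar 15 10:05:43.004512 2017] [:error] [pid 18] [client 172.17.0.1:51850] PHP Notice:  Undefined index: foo
[Wed Mar 15 10:06:01.900001 2017] [:error] [pid 17] [client 172.17.0.1:51861] {"src_ip": "198.51.100.23", "method": "GET", "event": "content-disposition"}, referer: http://localhost/
[Wed Mar 15 10:06:02.100000 2017] [:error] [pid 17] [client 172.17.0.1:51862] {"src_ip": "198.51.100.23", "trunc
"""

# [time] [module:level] [pid N(:tid M)] [client ip:port] message
PREFIX = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[[^\]]*\] \[pid \d+[^\]]*\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
DECODER = json.JSONDecoder()


def parse_events(log_text):
    """Return one dict per log line whose message begins with a JSON object."""
    events = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m or not m.group("msg").startswith("{"):
            continue  # Apache notices, PHP warnings, other non-JSON messages
        try:
            # raw_decode stops at the end of the object, so a trailing
            # ", referer: ..." appended by Apache does not break parsing.
            obj, _ = DECODER.raw_decode(m.group("msg"))
        except json.JSONDecodeError:
            continue  # message is not valid JSON as logged (e.g. truncated)
        obj["_log_time"] = m.group("time")
        obj["_peer"] = m.group("client")  # TCP peer that Apache saw
        events.append(obj)
    return events


def count_by(events, key):
    """Tally events by one JSON field, e.g. the (assumed) source address."""
    return dict(Counter(e.get(key, "unknown") for e in events))


if __name__ == "__main__":
    for event in parse_events(SAMPLE_LOG):
        print(json.dumps(event, sort_keys=True))
```

To run it on real data, pass the text produced by the 'docker exec ... cat /var/log/apache2/error.log' command above to `parse_events` in place of `SAMPLE_LOG`.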

Editing the Honeypot Website
----------------------------
Edit strutspot_docker/src/index.php and related ehtml files to add your own flavor to the honeypot itself.
Inside the index.php as