Skip to content

Latest commit

 

History

History
42 lines (31 loc) · 2.53 KB

readme.md

File metadata and controls

42 lines (31 loc) · 2.53 KB

express-honeypot

Express honeypot is a honeypot for remote file inclusion (RFI) and local file inclusion (LFI).
The aim of this project is to catch bots and malwares that are scanning websites and try to upload remote files.
Those RFI / LFI bots use a list of google dorks in order to search the web for vulnerable website.
Express honeypot uses 310 fake urls based on RFI LFI dorks and serves them dynamicaly.
Every request to any of the honeypot urls is logged and the remote file is downloaded and safely stored.
This honeypot is written in javascript and uses express as web server.
A light logs viewer page is available at /beekeeper but I think it needs to have more commands.
Developement is still in progress but the core architecture won't change so you are safe to start using it.

How to use

Clone the project and install the dependencies :

git clone https://github.com/christophe77/express-honeypot
cd express-honeypot
yarn install

Edit /express/config.js file.
port is the port for the web server.
beekeeperCredentials username and password to access /beekeeper url.
remoteFileSave choose to save the remote file on your local drive, on dpaste or on both of them.
googleVerification is the key given in google search console to validate your website.

Once installed you can start the app with :

yarn start

How it works when deployed

The app starts a web server, generate a sitemap with known vulnerables paths from phpBB, joomla,....
When a visitor opens an url and tries to include a remote file, the informations about the request are stored inside a json file in the /express/hive directory.
The remote file used for the inclusion is downloaded inside the hive folder with a .bee extension /express/hive/files/YYYY-MM-DD/filename.ext.bee
When an url is opened, a fake page is display with some basic html tags, random text and some SEO for google bots.
If the page is opened with a remote file inside the url then the content of the file is added to the response body as if the injection worked.
It's displayed in text and no real injection is posible.
If you want your honeypot to be effective you need to spread it over search engines.
Google search console is the best option to start.
When you want to check the logs you have to go to your-website.com/beekeeper

How to add more fake urls

If you want to add urls you have to open /express/pages.js and add new datas.