/basic-auth-pot

bap - http Basic Authentication honeyPot

About

bap is a webservice honeypot that logs HTTP basic authentication credentials in a "parser friendly format"™.

The webservice handles HEAD and GET requests, to which it always responds with 401 WWW-Authenticate: Basic realm="ADMIN".
HTTP request methods other than HEAD or GET will result in an error response generated by BaseHTTPServer.
There is no valid username / password for the service. Credentials are only decoded and logged.

Configuration

Configure HTTP_ADDR and HTTP_PORT in bap.py.
Leaving HTTP_ADDR as an empty string binds to all interfaces and addresses.
The default is to bind to *:8080.

Running

bap.py starts bap in the foreground.
start-bap-debian.sh uses start-stop-daemon to start bap in the background.
stop-bap-debian.sh stops the background service.

Do not run bap as root.
To listen on a privileged port (80), use port redirection.

Logging

Logfiles are written to the same directory as bap.py.

pot.log - Authentication honeypot log

Format: [Date Time] Client_address:Client_port Auth_method Decoded_auth_string
Ex: [2015-01-09 19:59:43,516] 192.168.99.99:12345 Basic user:pass
Client_address and Client_port: Source of the request.
Auth_method: Parameter 1 from the authenticate request header. Is always Basic.
Decoded_auth_string: Base64 decoded version of parameter 2 from the authenticate request header.

access.log - Server access log

Format: [Date Time] Client_address:Client_port "Request_string" Response_code "User-Agent_string"
Ex: [2015-01-09 19:59:43,508] 192.168.99.99:12345 "GET / HTTP/1.1" 401 "curl/7.38.0"
Client_address and Client_port: Source of the request.
Request_string: Request received from the client, enclosed by ".
Response_code: Response code sent to the client.
User-agent_string: User-agent header received from the client, enclosed by ".
Note: Double quotes received from clients are escaped with \.

error.log - Server error log

Format: [Date Time] Client_address:Client_port Error_message
Ex 1: [2015-01-09 19:59:45,406] 192.168.99.99:12346 code 501, message Unsupported method ('TRACE')
Ex 2: [2015-01-09 19:59:46,350] 192.168.99.99:12347 DecodeFailure abc123
Client_address and Client_port: Source of the request.
Error_message: Description of the error.
Unsupported method occurs when the client request method is anything other than GET or HEAD.
DecodeFailure occurs when the client sends basic authentication and parameter 2 is not valid base64-encoded data.

bap.log - Program output log

stdout and stderr end up here.

Notes

  • A request that triggers an error will receive the error code + message in the response header, for example "501 Unsupported method ('TRACE')".
    It would be sufficient to send the code + a generic message, or just the code without any message.
  • The value user:pass in pot.log can contain multiple ':' chars. This could lead to parsing issues when trying to separate user and pass.
  • Logs can contain escaped double quotes. Double quotes received from clients are escaped with \ before being logged.
  • bap.log has no timestamps for log events. Logging of exceptions makes timestamping a bit complicated. Use the traceback class to fix this?
  • Logfiles are not rotated.
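
Added example (not part of bap itself): a parser for the pot.log format described under Logging that avoids the ':' ambiguity mentioned in Notes by splitting the decoded string on the first colon only, since RFC 7617 does not allow ':' in the user-id. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the pot.log format (not real captures).
SAMPLE_LINES = [
    "[2015-01-09 19:59:43,516] 192.168.99.99:12345 Basic user:pass",
    "[2015-01-09 19:59:44,001] 192.168.99.99:12346 Basic admin:pa:ss:word",
    "[2015-01-09 19:59:44,250] 192.168.99.99:12347 Basic root:two words",
    "[2015-01-09 19:59:44,900] 192.168.99.99:12348 Basic nocolon",
    "[2015-01-09 19:59:45,100] 192.168.99.50:40000 Basic admin:pa:ss:word",
]

# The port is the digits after the LAST ':' of the address field, so an
# address that itself contains colons is still split correctly.
# Decoded_auth_string is the rest of the line and may contain spaces.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<addr>\S+):(?P<port>\d+) (?P<method>\S+) (?P<auth>.*)$"
)

def parse_pot_line(line):
    """Return a dict for one pot.log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # Split on the first ':' only: everything after it is the password,
    # including any further ':' characters.
    user, sep, password = m.group("auth").partition(":")
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
        "client": m.group("addr"),
        "port": int(m.group("port")),
        "method": m.group("method"),
        "user": user,
        "password": password if sep else None,  # None: no ':' was sent
    }

def top_credentials(lines, n=10):
    """Count (user, password) pairs across lines, most frequent first."""
    parsed = (parse_pot_line(l) for l in lines)
    return Counter((p["user"], p["password"]) for p in parsed if p).most_common(n)

if __name__ == "__main__":
    for pair, count in top_credentials(SAMPLE_LINES):
        print(count, pair)
```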