
Modular web-application honeypot platform built using Go and gin

Primary language: HTML. License: Apache-2.0.

Status: active development, contributions welcome.

modpot v0.3.11 (Not for workgroups)



modpot is a modular web application honeypot framework written in Go on top of the gin web framework. It is the antithesis of honeydet in many ways: it lets the user deploy simple HTML/JS honeypots that mimic web applications in order to detect requests and form submissions related to attacks. Responders provide a modular hook for automation and logging pipelines and are not limited to any programming language. modpot is best utilised alongside honeypage, a tool that creates flattened single-file HTML versions of web applications, which makes them portable and easy to use with modpot.

Responders


Responders allow for simple triggering of automation, logging, or connection to SOC platforms. The parameters that can be passed to responders are ID, Application, Datetime, IP Source, Log Event.

Included are the following examples:

  • Email
  • iptables (time-window blocking)
  • SMS (using Twilio)
  • Slack (webhook)
  • Syslog
  • Splunk (HEC endpoint)
  • Webhook (generic)

Example config

honeypots:
  - id: 1
    name: "ExampleHoneypot1"
    cve: "CVE-2021-XXXX"
    application: "FakeWebApp1"
    port: 8081
    enabled: true
    template_html_file: "index1.html"
    detection_endpoint: "/fakeapp"
    request_regex: ".*attack.*"
    redirect_url: "https://jamesbrine.com.au/"
    date_created: "2022-01-01"
    date_updated: "2022-01-02"
    responders:
      - engine: "/usr/bin/bash"
        script: "email.sh"
        parameters: ["honeypots.id", "honeypots.application", "honeypot_logs.datetime", "honeypot_logs.ip_source", "honeypot_logs.log_event"]
      - engine: python3
        script: sms.py
        parameters: ["honeypots.id", "honeypots.application", "honeypot_logs.datetime", "honeypot_logs.ip_source", "honeypot_logs.log_event"]
      - engine: "/usr/bin/bash"
        script: "iptables_block.sh"
        parameters: ["honeypot_logs.ip_source"]

  - id: 2
    name: "ExampleHoneypot2"
    cve: "CVE-2022-YYYY"
    application: "FakeWebApp2"
    port: 8082
    enabled: true
    template_html_file: "index2.html"
    detection_endpoint: "/anotherapp"
    request_regex: "^/admin"
    redirect_url: "test.html"
    date_created: "2022-02-01"
    date_updated: "2022-02-02"
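As an added example, not code from the modpot project, here is a generic responder script of the kind the config above wires up: it takes the five responder parameters in the order the `parameters` list gives them, validates the untrusted source IP and timestamp before anything downstream acts on them, and builds a Splunk HEC event. The positional invocation order, the ISO 8601 timestamp format and the MODPOT_HEC_URL / MODPOT_HEC_TOKEN environment variable names are assumptions, not documented modpot behaviour.

```python
"""Responder: turn modpot's five parameters into a Splunk HEC event (example, not modpot code).

Assumed invocation, matching the order of the config's `parameters` list:
    python3 hec_responder.py <id> <application> <datetime> <ip_source> <log_event>
"""
import ipaddress
import json
import os
import sys
import urllib.request
from datetime import datetime, timezone

# Hypothetical variable names; nothing is sent unless both are set.
HEC_URL = os.environ.get("MODPOT_HEC_URL", "")
HEC_TOKEN = os.environ.get("MODPOT_HEC_TOKEN", "")


def build_hec_event(args):
    """Validate the five positional responder parameters and build the HEC payload."""
    if len(args) != 5:
        raise ValueError("expected 5 parameters: id application datetime ip_source log_event")
    hp_id, application, when, ip_source, log_event = args
    # ip_source originates from an attacker's request: accept only a real IP literal
    # before it is forwarded to a SIEM, a firewall rule or another responder.
    ip = ipaddress.ip_address(ip_source.strip())
    # Assumes modpot passes an ISO 8601 timestamp; a naive value is treated as UTC.
    ts = datetime.fromisoformat(when)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return {
        "time": ts.timestamp(),
        "source": "modpot",
        "sourcetype": "modpot:honeypot",
        "event": {
            "honeypot_id": int(hp_id),
            "application": application,
            "ip_source": str(ip),
            "ip_version": ip.version,
            "log_event": log_event[:4096],  # cap attacker-controlled text
        },
    }


def send_hec_event(payload):
    """POST the payload to the HEC collector; returns the HTTP status code."""
    req = urllib.request.Request(HEC_URL, data=json.dumps(payload).encode(),
                                 headers={"Authorization": "Splunk " + HEC_TOKEN,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    event = build_hec_event(sys.argv[1:])
    print(json.dumps(event))  # always keep a local record of the hit
    if HEC_URL and HEC_TOKEN:
        send_hec_event(event)
```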

Note

I am not responsible for your use or misuse of this application. It was created for research purposes and is not intended, nor do I or its existence give implicit authority, to use it as a phishing tool or for any other malicious purposes. Now, with the boring stuff out of the way.

Todo

  • Tidy up web frontend and features (search, filter, paginate etc.)
  • Allow for multi-step configs for more complex honeypages
  • Set up reporting/alerting on match and allow configuration through web frontend
  • Build honeypage into modpot, allowing the page download process to take place through the "Add honeypot" button in the main interface