express-honeypot
v1.0.3
Published
Express honeypot is a honeypot for remote file inclusion (RFI) and local file inclusion (LFI).<br /> The aim of this project is to catch bots and malwares that are scanning websites and try to upload remote files.<br /> Those RFI / LFI bots use a list of
Downloads
11
Maintainers
Readme
express-honeypot
Express honeypot is a honeypot for remote file inclusion (RFI) and local file inclusion (LFI). The aim of this project is to catch bots and malwares that are scanning websites and try to upload remote files. Those RFI / LFI bots use a list of google dorks in order to search the web for vulnerable website. Express honeypot uses 310 fake urls based on RFI LFI dorks and serves them dynamicaly. Every request to any of the honeypot urls is logged and the remote file is downloaded and safely stored. This honeypot is written in javascript and uses express as web server. A light logs viewer page is available at /beekeeper but I think it needs to have more commands. Developement is still in progress but the core architecture won't change so you are safe to start using it.
How to use
Clone the project and install the dependencies :
git clone https://github.com/christophe77/express-honeypot
cd express-honeypot
yarn install
Edit /express/config.js file. port is the port for the web server. beekeeperCredentials username and password to access /beekeeper url. remoteFileSave choose to save the remote file on your local drive, on dpaste or on both of them. googleVerification is the key given in google search console to validate your website.
Once installed you can start the app with :
yarn start
How it works when deployed
The app starts a web server, generate a sitemap with known vulnerables paths from phpBB, joomla,.... When a visitor opens an url and tries to include a remote file, the informations about the request are stored inside a json file in the /express/hive directory. The remote file used for the inclusion is downloaded inside the hive folder with a .bee extension /express/hive/files/YYYY-MM-DD/filename.ext.bee When an url is opened, a fake page is display with some basic html tags, random text and some SEO for google bots. If the page is opened with a remote file inside the url then the content of the file is added to the response body as if the injection worked. It's displayed in text and no real injection is posible. If you want your honeypot to be effective you need to spread it over search engines. Google search console is the best option to start. When you want to check the logs you have to go to your-website.com/beekeeper
How to add more fake urls
If you want to add urls you have to open /express/pages.js and add new datas.