Building Low-Interaction Honeypots for Web Security
kintsugi
As the digital landscape continues to evolve, so do the tactics of cybercriminals. To stay ahead of potential threats, security professionals are constantly developing new ways to detect and analyze malicious activities. One such method is the use of honeypots - decoy systems designed to attract and trap attackers. Today, we'll explore a project called DecoyNet, which implements low-interaction honeypots to protect web applications.
What is DecoyNet?
DecoyNet is a custom-built honeypot system inspired by the TV show 'Mr. Robot'. It's designed to simulate vulnerable web applications, attracting and logging unauthorized access attempts. The project consists of multiple components, including a login honeypot and a form honeypot, each designed to capture different types of attacks.
https://github.com/kintsugi-programmer/DecoyNet
The Login Honeypot
The login honeypot is a Flask-based server that simulates a vulnerable login endpoint. Its primary purpose is to attract and log brute force attack attempts. Here's how it works:
The server presents a login form that appears to accept credentials.
When an attacker attempts to gain unauthorized access, they typically use automated tools to try various username-password combinations.
The honeypot logs these attempts, including IP addresses, timestamps, and the passwords used.
This data is stored in a CSV file for later analysis.
@app.route('/submit', methods=['POST'])
def submit():
real_id = request.form.get('dtx000')
real_password = request.form.get('dtx001')
ip_address = request.remote_addr
user_agent = request.headers.get('User-Agent')
timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
hpot_id = request.form.get('id')
hpot_password = request.form.get('password')
# Debugging
print(f"Real ID: {real_id}, Real Password: {real_password}")
print(f"Honeypot ID: {hpot_id}, Honeypot Password: {hpot_password}")
if hpot_id or hpot_password:
print("Honeypot triggered! Potential spam detected.")
with open(bot_trace, 'a', newline='') as file:
writer = csv.writer(file)
writer.writerow([
timestamp,
ip_address,
user_agent,
hpot_id,
hpot_password
])
return redirect('/')
with open(data_file, 'a', newline='') as file:
writer = csv.writer(file)
writer.writerow([timestamp,
ip_address,
user_agent,
real_id,
real_password])
print("Form submitted successfully!")
return "Logged in successfully!"
The Form Honeypot
The form honeypot is designed to detect and log spam attacks on web forms. It uses a clever trick to differentiate between legitimate users and spam bots:
The form contains both visible and hidden fields.
Legitimate users only fill in the visible fields.
Spam bots, however, tend to fill in all fields indiscriminately.
When a form is submitted, the server checks if the hidden fields are filled.
If hidden fields contain data, the submission is flagged as spam and logged.
<style>
.hpot {
opacity: 0;
position: absolute;
top: 0;
left: 0;
height: 0;
width: 0;
z-index: -1;
}
</style>
<form>
<label for="dtx000">Customer ID:</label>
<input type="text" id="dtx000" name="dtx000" required>
<label for="dtx001">Name:</label>
<input type="text" id="dtx001" name="dtx001" required>
<label for="dtx010">How would you rate our service?</label>
<select id="dtx010" name="dtx010" required>
<option value="">--Please choose an option--</option>
<option value="excellent">Excellent</option>
<option value="good">Good</option>
<option value="average">Average</option>
<option value="poor">Poor</option>
</select>
<label for="dtx011">Phone Number:</label>
<input type="tel" id="dtx011" name="dtx011" required>
<label for="dtx100">Email:</label>
<input type="email" id="dtx100" name="dtx100" required>
<label for="dtx101">Review :</label>
<textarea id="review" name="dtx101" rows="4" required></textarea>
</form>
Attack Simulation with Bots
To test the effectiveness of the honeypots, DecoyNet includes two attack simulation bots:
BreachBot: Simulates brute force attacks on the login endpoint.
Form Spam Attack Bot: Simulates spam submissions on the form honeypot.
These bots help in generating test data and validating the honeypot's ability to detect and log various types of attacks.
Setting Up DecoyNet
To set up DecoyNet, follow these steps:
Clone the repository and navigate to the project directory.
Create and activate a virtual environment.
Install the required dependencies using
pip install -r requirements.txt.Run the honeypot applications:
python loginhpot.py python formhpot.py(Optional) Run the attack bots to simulate malicious activities:
python breachbot.py python formspamattack.py
Analyzing the Results
The data collected by DecoyNet can be invaluable for improving your web application's security. By analyzing the logs, you can:
Identify common password patterns used in brute force attacks.
Understand the frequency and nature of spam attacks on your forms.
Develop more robust security measures based on real attack data.
Conclusion
DecoyNet demonstrates how low-interaction honeypots can be an effective tool in your cybersecurity arsenal. By implementing similar techniques, you can gain valuable insights into potential threats and strengthen your web applications against various types of attacks.
Remember, while honeypots are powerful tools, they should be used as part of a comprehensive security strategy. Always ensure that your production systems are properly secured and that you're following best practices for web application security.
Have you implemented honeypots in your security setup? Share your experiences in the comments below!
Subscribe to my newsletter
Read articles from kintsugi directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
kintsugi
kintsugi
Siddhant Bali, an aspiring tech entrepreneur, is an Undergraduate Research Scholar at IIIT Delhi, currently pursuing a B.Tech in Computer Science Engineering with a focus on design (CSD). Excelling in college activities and event management, Siddhant's entrepreneurial spirit propels him into innovative ventures. Connect on LinkedIn or reach out at siddhant22496@iiitd.ac.in for more info.