bap - http Basic Authentication honeyPot
About
bap is a webservice honeypot that logs HTTP basic authentication credentials in a "parser friendly format"™.
The webservice handles HEAD and GET requests, to which it always responds with 401 WWW-Authenticate: Basic realm="ADMIN".
HTTP request methods other than HEAD or GET will result in an error response generated by BaseHTTPServer.
There is no valid username / password for the service. Credentials are only decoded and logged.
Configuration
Configure HTTP_ADDR and HTTP_PORT in bap.py.
Leaving HTTP_ADDR as an empty string binds to all interfaces and addresses.
The default is to bind to *:8080.
Running
bap.py starts bap in the foreground.
start-bap-debian.sh uses start-stop-daemon to start bap in the background.
stop-bap-debian.sh stops the background service.
Do not run bap as root.
To listen on a privileged port (80), use port redirection.
Logging
Logfiles are written to the same directory as bap.py.
pot.log - Authentication honeypot log
Format: [Date Time] Client_address:Client_port Auth_method Decoded_auth_string
Ex: [2015-01-09 19:59:43,516] 192.168.99.99:12345 Basic user:pass
Client_address and Client_port: Source of the request.
Auth_method: Parameter 1 from the authenticate request header. Is always Basic.
Decoded_auth_string: Base64 decoded version of parameter 2 from the authenticate request header.
access.log - Server access log
Format: [Date Time] Client_address:Client_port "Request_string" Response_code "User-Agent_string"
Ex: [2015-01-09 19:59:43,508] 192.168.99.99:12345 "GET / HTTP/1.1" 401 "curl/7.38.0"
Client_address and Client_port: Source of the request.
Request_string: Request received from the client, enclosed by ".
Response_code: Response code sent to the client.
User-Agent_string: User-Agent header received from the client, enclosed by ".
Note: Double quotes received from clients are escaped with \.
error.log - Server error log
Format: [Date Time] Client_address:Client_port Error_message
Ex 1: [2015-01-09 19:59:45,406] 192.168.99.99:12346 code 501, message Unsupported method ('TRACE')
Ex 2: [2015-01-09 19:59:46,350] 192.168.99.99:12347 DecodeFailure abc123
Client_address and Client_port: Source of the request.
Error_message: Description of the error.
Unsupported method occurs when the client request method is anything other than GET or HEAD.
DecodeFailure occurs when the client sends Basic authentication and parameter 2 is not valid base64-encoded data.
bap.log - Program output log
stdout and stderr end up here.
Notes
- A request that triggers an error will receive the error code + message in the response header, for example "501 Unsupported method ('TRACE')". It would be sufficient to send the code + a generic message, or just the code without any message.
- The value user:pass in pot.log can contain multiple ':' chars. This could lead to parsing issues when trying to separate user and pass.
- Logs can contain escaped double quotes. Double quotes received from clients are escaped with \ before being logged.
- bap.log has no timestamps for log events. Logging of exceptions makes timestamping a bit complicated. Use traceback class to fix this?
- Logfiles are not rotated.
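
A parser for the pot.log and access.log formats documented above that handles the two caveats from the notes: it splits user:pass on the first ':' only (a Basic user-id cannot contain a colon per RFC 7617) and undoes the \" escaping in quoted fields. This is an added example, not part of bap; the function names and the sample lines are constructed here, and it assumes bap escapes only double quotes, so a client value ending in a backslash stays ambiguous.

```python
import re
from datetime import datetime

# Shared prefix of every bap log line: [Date Time] Client_address:Client_port
PREFIX = r'^\[(?P<ts>[^\]]+)\] (?P<addr>\S+):(?P<port>\d+) '

def _quoted(name):
    # Quoted field that ends at the first '"' not preceded by a backslash.
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

POT_RE = re.compile(PREFIX + r'(?P<method>\S+) (?P<auth>.*)$')
ACCESS_RE = re.compile(
    PREFIX + _quoted('request') + r' (?P<code>\d{3}) ' + _quoted('agent') + r'$')

def _common(m):
    ts = datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S,%f')
    return {'time': ts, 'addr': m.group('addr'), 'port': int(m.group('port'))}

def parse_pot_line(line):
    # Returns a dict, or None when the line does not match the pot.log format.
    m = POT_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    # Split on the first ':' only, so later colons stay in the password.
    user, sep, password = m.group('auth').partition(':')
    rec = _common(m)
    rec.update(method=m.group('method'), user=user,
               password=password if sep else None)
    return rec

def parse_access_line(line):
    # Returns a dict with client-supplied fields unescaped, or None on mismatch.
    m = ACCESS_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    rec = _common(m)
    rec.update(request=m.group('request').replace('\\"', '"'),
               code=int(m.group('code')),
               agent=m.group('agent').replace('\\"', '"'))
    return rec

# Constructed sample lines in the documented formats (not real captures).
POT_SAMPLE = '[2015-01-09 20:00:10,120] 192.168.99.99:12348 Basic admin:pa:ss:word'
ACCESS_SAMPLE = r'[2015-01-09 20:01:02,003] 192.168.99.99:12350 "GET / HTTP/1.1" 401 "my \"scanner\" 1.0"'

if __name__ == '__main__':
    print(parse_pot_line(POT_SAMPLE))
    print(parse_access_line(ACCESS_SAMPLE))
```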