modpot is a modular web application honeypot framework written in Golang using the gin framework. It is the antithesis to honeydet in many ways and allows the user to deploy simple HTML/JS honeypots that mimic web applications in order to detect requests and form entries that are related to attacks. Responders offer a modular capacity for automation and logging pipelines and are not limited by programming language. modpot is best utilised alongside honeypage, a tool that creates flattened single-file HTML versions of web applications, which makes them portable and easy to use with modpot.
Responders allow for simple triggering of automation, logging, or connection to SOC platforms. The parameters that can be passed to responders are ID, Application, Datetime, IP Source, Log Event.
Included are the following examples:
- iptables - time window blocking
- SMS (Using twilio)
- Slack - webhook
- Syslog
- Splunk - HEC endpoint
- Webhook-generic
```yaml
honeypots:
  - id: 1
    name: "ExampleHoneypot1"
    cve: "CVE-2021-XXXX"
    application: "FakeWebApp1"
    port: 8081
    enabled: true
    template_html_file: "index1.html"
    detection_endpoint: "/fakeapp"
    request_regex: ".*attack.*"
    redirect_url: "https://jamesbrine.com.au/"
    date_created: "2022-01-01"
    date_updated: "2022-01-02"
    responders:
      - engine: "/usr/bin/bash"
        script: "email.sh"
        parameters: ["honeypots.id", "honeypots.application", "honeypot_logs.datetime", "honeypot_logs.ip_source", "honeypot_logs.log_event"]
      - engine: python3
        script: sms.py
        parameters: ["honeypots.id", "honeypots.application", "honeypot_logs.datetime", "honeypot_logs.ip_source", "honeypot_logs.log_event"]
      - engine: "/usr/bin/bash"
        script: "iptables_block.sh"
        parameters: ["honeypot_logs.ip_source"]
  - id: 2
    name: "ExampleHoneypot2"
    cve: "CVE-2022-YYYY"
    application: "FakeWebApp2"
    port: 8082
    enabled: true
    template_html_file: "index2.html"
    detection_endpoint: "/anotherapp"
    request_regex: "^/admin"
    redirect_url: "test.html"
    date_created: "2022-02-01"
    date_updated: "2022-02-02"
```
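A responder sketch in Python, added here as an example and not part of modpot's own code. It assumes modpot invokes the script with the values named in `parameters` as positional arguments in the listed order (the page does not state the calling convention), and it treats `ip_source` and `log_event` as untrusted input before they reach a log or a firewall command. The function names and the length limit are hypothetical.

```python
#!/usr/bin/env python3
"""Hypothetical modpot responder: validate arguments, emit one JSON log line."""
import ipaddress
import json
import sys

# Assumption: modpot passes the configured parameters as argv in this order.
FIELDS = ("id", "application", "datetime", "ip_source", "log_event")
MAX_EVENT_LEN = 2048  # constructed limit, keeps one request from flooding the log


def sanitize(text, limit=MAX_EVENT_LEN):
    """Replace control characters (CR/LF included) so a request cannot forge log lines."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in text)
    return cleaned[:limit]


def build_event(args):
    """Turn the positional responder arguments into a validated dict."""
    if len(args) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} arguments, got {len(args)}")
    event = dict(zip(FIELDS, args))
    if not event["id"].isdigit():
        raise ValueError("honeypot id is not numeric")
    event["id"] = int(event["id"])
    # ip_address() accepts only a bare IPv4/IPv6 literal, so hostnames or
    # shell metacharacters never reach a firewall command downstream.
    ip = ipaddress.ip_address(event["ip_source"])
    event["ip_source"] = str(ip)
    event["internal_source"] = ip.is_private or ip.is_loopback  # blockers can skip these
    event["application"] = sanitize(event["application"], 128)
    event["datetime"] = sanitize(event["datetime"], 64)
    event["log_event"] = sanitize(event["log_event"])
    return event


def main(argv):
    try:
        event = build_event(argv[1:])
    except ValueError as exc:
        print(json.dumps({"error": str(exc)}), file=sys.stderr)
        return 1
    print(json.dumps(event, sort_keys=True))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A blocking responder can apply the same `ip_source` validation and skip events where `internal_source` is true, so a request from the operator's own network does not end in a self-inflicted block.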
I am not responsible for your use/misuse of this application. It was created for research purposes and is not intended, nor do I or its existence give implicit authority, to use it as a phishing tool or for any other malicious purposes. Now, with the boring stuff out of the way.
- Tidy up web frontend and features (search, filter, paginate etc.)
- Allow for multi-step configs for more complex honeypages
- Set up reporting/alerting on match and allow configuration through web frontend
- Build honeypage into modpot, allowing the page download process to take place through the "Add honeypot" button in the main interface