

honeyλ - a simple, serverless application designed to create and monitor fake HTTP endpoints (i.e. URL honeytokens) automatically, on top of AWS Lambda and Amazon API Gateway

License: GPL v3

honeyλ - a simple serverless application designed to create and monitor URL {honey}tokens, on top of AWS Lambda and Amazon API Gateway

  • Slack notifications
  • Email and SMS alerts
  • Load config from local file or Amazon S3
  • Customize the HTTP response for each token
  • Threat Intelligence report (Source IP lookup)
    • Using Cymon API v2
  • Based on Serverless framework
    • pay-what-you-use
    • provider agnostic

Description

honeyλ allows you to create and monitor fake HTTP endpoints automatically. You can then place these URL honeytokens in e.g. your inbox, documents, browser history, or embed them as {hidden} links in your web pages (Note: honeybits can be used for spreading breadcrumbs across your systems to lure the attackers toward your traps). Depending on how and where you implement honeytokens, you may detect human attackers, malicious insiders, content scrapers, or bad bots.

This application is based on the Serverless framework and can be deployed to different cloud providers such as Amazon Web Services (AWS), Microsoft Azure, IBM OpenWhisk or Google Cloud (only tested on AWS; the main function may need small changes to support other providers). If your cloud provider is AWS, it automatically creates the HTTP endpoints using Amazon API Gateway and then starts monitoring them with the honeyλ Lambda function.

Setup

  • Install Serverless framework:
    • npm install -g serverless
  • Install honeyλ:
    • serverless install --url https://github.com/0x4d31/honeyLambda
  • Edit serverless.yml and set HTTP endpoint path (default: /v1/get-pass)
  • Edit config.json and fill in your Slack Webhook URL. Change the trap/token configs as needed
  • You can customize the HTTP response for each token
    • For example, you can return a 1x1px beacon image in the response and embed the token in your decoy documents or email (tracking pixel!)

Deploy

  • Set up your AWS Credentials
  • In order to deploy honeyλ, simply run:
    • serverless deploy

Output:

Serverless: Packaging service...
Serverless: Creating Stack...
Serverless: Checking Stack create progress...
.....
Serverless: Stack create finished...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service .zip file to S3 (116.22 KB)...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
.................................
Serverless: Stack update finished...
Service Information
service: honeyLambda
stage: dev
region: ap-southeast-2
api keys:
  None
endpoints:
  GET - https://rz1bEXAMPLE.execute-api.ap-southeast-2.amazonaws.com/dev/v1/get-pass
functions:
  honeylambda: honeyLambda-dev-honeylambda

  • Note: If you want to return binary in the HTTP response (e.g. Content-Type: image/png), you have to manually configure Binary Support using the Amazon API Gateway console (it's not yet possible to set binary media types automatically using serverless):

Open the Amazon API Gateway console, add the binary media type */*, and save.

Once done, you have to re-deploy the API to the dev stage.
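As an added example (not honeyλ's own code), here is a minimal Lambda-style handler in the spirit of the Setup section and the binary-support note above: it looks up the trap by request path, answers with that token's configured HTTP response (including a base64-encoded 1x1 PNG beacon, which API Gateway only serves correctly once Binary Support is enabled), and posts a Slack alert carrying the source IP and User-Agent. The config keys, the trap paths and the API Gateway proxy event fields used are assumptions, not the project's real schema.

```python
import json
from urllib.request import Request, urlopen

# Constructed config in the spirit of honeyλ's config.json (keys are assumptions,
# not the project's real schema): a Slack webhook plus one HTTP response per trap.
PIXEL_PNG_B64 = ("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAA"
                 "AAYAAjCB0C8AAAAASUVORK5CYII=")  # 1x1 transparent PNG, base64
CONFIG = {
    "slack_webhook": "https://hooks.slack.com/services/PLACEHOLDER",
    "traps": {
        "/v1/get-pass": {"name": "fake password page", "status": 200,
                         "content_type": "text/html", "body": "<html>Loading...</html>"},
        "/v1/pixel.png": {"name": "decoy document beacon", "status": 200,
                          "content_type": "image/png", "body_base64": PIXEL_PNG_B64},
    },
}

def build_response(trap):
    """API Gateway proxy response for one token; binary bodies go out base64-encoded."""
    binary = "body_base64" in trap
    return {"statusCode": trap["status"], "isBase64Encoded": binary,
            "headers": {"Content-Type": trap["content_type"]},
            "body": trap["body_base64"] if binary else trap["body"]}

def build_alert(event, trap):
    """Slack payload recording who touched the token (source IP, UA, path, query)."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    ip = event["requestContext"]["identity"]["sourceIp"]
    text = ("Honeytoken triggered: {name}\nPath: {path}\nSource IP: {ip}\n"
            "User-Agent: {ua}\nQuery: {q}").format(
        name=trap["name"], path=event["path"], ip=ip,
        ua=headers.get("user-agent", "-"), q=json.dumps(event.get("queryStringParameters")))
    return {"text": text}

def post_to_slack(webhook, payload):
    """Deliver the alert to an incoming-webhook URL (network call, replaced in tests)."""
    req = Request(webhook, data=json.dumps(payload).encode(),
                  headers={"Content-Type": "application/json"})
    return urlopen(req, timeout=5).status

def handler(event, context=None, send=post_to_slack):
    """Lambda entry point: every hit on a known trap path is alerted, then answered."""
    trap = CONFIG["traps"].get(event.get("path"))
    if trap is None:  # unknown path: neutral 404 and no alert
        return {"statusCode": 404, "isBase64Encoded": False,
                "headers": {"Content-Type": "text/plain"}, "body": "Not Found"}
    send(CONFIG["slack_webhook"], build_alert(event, trap))
    return build_response(trap)
```

The `send` parameter exists so the alert path can be exercised without a real webhook; in the deployed function the default `post_to_slack` is used.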

Usage

Open the generated URL/endpoint in your browser to test if it works:


Slack Alert


TODO

  • Remote config: load config from Amazon S3
  • Beacon image / return image as HTTP response
  • Customize the HTTP response for each token
  • Check the source IP address against Threat Intelligence feeds (e.g. Cymon API)
  • Email alert
  • SMS alert (Twilio)
  • HTTP Client Fingerprinting
