Simple Google Hackers Honeypot


Why?

  • I wanted to build a simple honeypot for detecting Google Dorking (search-engine reconnaissance) using basic components, and settled on Canary Tokens plus an Nginx reverse proxy. I’ll go over one of the more basic methods here; it is mostly invisible to the visitor and gathers some limited information about the attacking host.

How?

  • Install and configure an Nginx reverse proxy; this can be done quickly and easily with Nginx Proxy Manager.
  • Create a Canary Token of type “Fast Redirect”. You can choose to be notified by webhook or email, it doesn’t really matter, and set the redirect target to your homepage or elsewhere so the attacker is not alerted.

Steps in Reverse Proxy

  • Under the proxy host, add a custom location for the honeypot path (the file name a dork would search for) and make it redirect to the URL generated by Canary Tokens, so every request for that path trips the token before landing on the decoy page.

Steps on Canary Token

  • After creating the Canary Token, click “Manage token” to show the history for the token. Look at that page’s URL and grab the token ID and the auth ID; we will use these to download the list of attacking hosts.

Steps on Honeypot Host

  • Create a bash script that pulls the attacking hosts from the token’s incident list and does whatever you want with them. The version below also drops RFC 1918, loopback and link-local addresses (your own monitoring and internal scanners will show up otherwise) and keeps the hosts file deduplicated across runs.
#!/bin/bash
# Pull the token's incident list and merge the unique source hosts into ./hosts.
# TOKEN and AUTH are the values taken from the "Manage token" URL on canarytokens.com.
set -euo pipefail; touch hosts; TOKEN='***TOKEN GOES HERE***'; AUTH='***AUTH ID HERE***'
curl -sf "https://canarytokens.com/download?fmt=incidentlist_csv&token=${TOKEN}&auth=${AUTH}" \
 | awk -F'"' '{print $2}' | awk -F',' '{print $1}' | awk 'NF' \
 | grep -Ev '^(10\.|127\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)' \
 | sort -u - hosts > hosts.new && mv hosts.new hosts   # strip internal IPs, dedupe across runs

Now what?

  • Well, that’s it for now. If you want more ideas for additional honeypot files, check out the Google Hacking Database at Exploit-DB. It’s quite easy to create a plain HTML file with a title tag set to something like “index of” and body content such as “mysql.log”, make sure it is listed in your sitemap and not disallowed by robots.txt so search engines index it, then simply monitor your access.log for hits against that file. Remember that the file has to be indexable, so legitimate search-engine crawlers will request it too; separate those from the people who found it through a dork before you act on a hit.
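As an added example (not code from the original post), the Python script below does the access.log monitoring described above for a planted bait file. It parses nginx “combined” format lines, keeps only requests for the honeypot path, drops internal source addresses (the same RFC 1918 / loopback / link-local stripping the collector script needs), and tags hits whose User-Agent claims to be a search-engine crawler so indexing traffic is not mistaken for an attacker. The bait file name `/mysql.log`, the crawler marker list and the log lines are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Flag hits on a Google-dork honeypot file in an nginx access.log (added example)."""
import ipaddress
import re
from collections import Counter

HONEYPOT_PATH = "/mysql.log"   # assumed name of the planted bait file

# Source ranges to ignore: your own monitoring and internal scanners live here
# (RFC 1918, loopback, link-local and the IPv6 equivalents).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# The bait must be indexable, so real crawlers will fetch it. A User-Agent match is
# only a hint (anyone can claim to be Googlebot); Google and Bing both document
# verifying crawler IPs with a reverse DNS lookup followed by a forward lookup.
CRAWLER_MARKERS = ("googlebot", "bingbot", "duckduckbot", "yandexbot", "baiduspider")

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:13:01:02 +0000] "GET /mysql.log HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
192.0.2.44 - - [10/May/2024:13:02:10 +0000] "GET /mysql.log HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.0.5 - - [10/May/2024:13:03:00 +0000] "GET /mysql.log HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.23 - - [10/May/2024:13:04:44 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:13:05:19 +0000] "GET /mysql.log?x=1 HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # compare the path without any query string
    return rec


def is_internal(ip):
    """True for addresses we should never act on (internal ranges or unparsable garbage)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def honeypot_hits(log_text, honeypot_path=HONEYPOT_PATH):
    """All external requests for the bait path, each tagged with a crawler flag."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != honeypot_path or is_internal(rec["ip"]):
            continue
        rec["crawler"] = any(m in rec["ua"].lower() for m in CRAWLER_MARKERS)
        hits.append(rec)
    return hits


def suspect_ips(hits):
    """Count non-crawler hits per source address; these are the ones worth a closer look."""
    return Counter(h["ip"] for h in hits if not h["crawler"])


if __name__ == "__main__":
    found = honeypot_hits(SAMPLE_LOG)
    for h in found:
        tag = "crawler" if h["crawler"] else "SUSPECT"
        print(f'{tag:8} {h["ip"]:15} {h["time"]} referer={h["referer"]!r} ua={h["ua"]!r}')
    print("suspects:", suspect_ips(found).most_common())
```

Run it against a real log with `honeypot_hits(open("/var/log/nginx/access.log").read())`; a hit with a Google referer and a browser User-Agent is exactly the dorker you set the trap for, while a hit from a claimed crawler should be confirmed by reverse DNS before you discard it.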

Happy Hunting !!!