Hello Everyone
If you have followed my YouTube channel for a while, you may have seen my video on the GLASTOPF web application honeypot by https://github.com/mushorg/snare
Web application honeypots allow you to host a functioning page while being able to see all the traffic and activities that occur on that page.
This information is useful when you want to see the behaviour of web attack traffic or scans that occur against sites.
The installation is pretty simple. Here are the steps:
{
- Get SNARE:
git clone https://github.com/mushorg/snare.git
- Install requirements:
pip3 install -r requirements.txt
- Clone a page:
sudo python3 clone.py --target http://example.com
- Run SNARE:
sudo python3 snare.py --port 8080 --page-dir example.com
- Test: Visit http://localhost:8080/index.html
- Make sure to have your OS up to date !
}
The instructions above are copied from the project's GitHub site.
After you have installed the honeypot, you can clone an active web page or web app and host it in the honeypot. To do this, use the clone.py script in the snare directory, as shown below.
The command below clones my project page, and the SNARE honeypot encodes the content so it can be hosted.
{
sudo python3 clone.py --target https://trulyrandom.tk/
name: /index.html
name: / http:/www.seanmancini.com
name: /gtag/js?id=UA-111740696-1
name: /pagead/js/adsbygoogle.js
name: /entro.php
name: /updates.html
name: /index.html
}
After the cloning is done the page will be located in /opt/snare/pages
You may need to make a couple of modifications, as I show in my video, if you are running this in a virtual machine and accessing the page from a different computer.
Here is how I modified mine in the video:
sudo python3 snare.py --host-ip 192.168.2.53 --port 80 --page-dir trulyrandom.tk
After I got the page up and running, I did a quick scan using NIKTO, and here is a sample of the output that I got:
_____ _ _____ ____ ______
/ ___// | / / | / __ \/ ____/
\__ \/ |/ / /| | / /_/ / __/
___/ / /| / ___ |/ _, _/ /___
/____/_/ |_/_/ |_/_/ |_/_____/
privileges dropped, running as "nobody:nogroup"
serving on ('192.168.2.53', 80) with uuid 00c718aa-6bfd-44b1-aa2d-3bc4fa05bfdc
you are running the latest version
Request path: /
Request path: /gtag/js?id=UA-111740696-1
Request path: /pagead/js/adsbygoogle.js
Request path: /entro.php
Request path: /gtag/js?id=UA-111740696-1
Request path: /pagead/js/adsbygoogle.js
Request path: /
Request path: /
Request path: /
Request path: /Oz4hFCi9.render_warning_screen
Request path: /Oz4hFCi9.cmd
Request path: /.Oz4hFCi9
Request path: /Oz4hFCi9.conf
Request path: /Oz4hFCi9.backup
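To triage output like the sample above, the added example below (not part of SNARE or the original post) compares the requested paths against the paths clone.py reported and groups the unknown ones by a shared random-looking stem, as seen in the scan. The function names, the 6-character stem length and the `min_paths` threshold are assumptions, and the input is a constructed sample shaped like the output above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, shaped like the clone.py and snare.py output above.
CLONE_OUTPUT = """\
name: /index.html
name: /gtag/js?id=UA-111740696-1
name: /pagead/js/adsbygoogle.js
name: /entro.php
name: /updates.html
"""
SNARE_LOG = """\
Request path: /
Request path: /gtag/js?id=UA-111740696-1
Request path: /entro.php
Request path: /
Request path: /Oz4hFCi9.render_warning_screen
Request path: /Oz4hFCi9.cmd
Request path: /.Oz4hFCi9
Request path: /Oz4hFCi9.conf
Request path: /Oz4hFCi9.backup
"""

def cloned_paths(clone_output):
    """Paths clone.py reported; '/' is treated as the index page."""
    paths = {m.group(1) for m in re.finditer(r"^name: (/\S*)$", clone_output, re.M)}
    return paths | {"/"}

def triage(clone_output, snare_log):
    """Split requested paths into ones the cloned site has and ones it does not."""
    known = cloned_paths(clone_output)
    hits, probes = Counter(), Counter()
    for m in re.finditer(r"^Request path: (\S+)$", snare_log, re.M):
        path = m.group(1)
        (hits if path in known else probes)[path] += 1
    return hits, probes

def probe_tokens(probes, min_paths=3):
    """Group unknown paths by a shared alphanumeric stem (assumed heuristic)."""
    groups = defaultdict(set)
    for path in probes:
        stem = re.match(r"/\.?([A-Za-z0-9]{6,})", path)
        if stem:
            groups[stem.group(1)].add(path)
    return {tok: sorted(p) for tok, p in groups.items() if len(p) >= min_paths}

if __name__ == "__main__":
    hits, probes = triage(CLONE_OUTPUT, SNARE_LOG)
    print("served:", dict(hits), "scanner stems:", probe_tokens(probes))
```

Requests for paths that were never cloned and that share one stem across several extensions are a strong sign of an automated scan rather than a browser visit.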
See my video below for more details and a quick demo.
If you have any questions, please reach out to me!
Hi,
First of all, thank you for this helpful video. I have a question about Snare. I did the same thing as you to clone a website. The original website that I used was secure (https). When I try to clone it, it always throws an error like this: ssl:default [Connect call failed]. But when I try http sites, it works fine. I can't tell what the problem is here. Any idea why?
Thank you so much!