Trapdoor is an AWS Serverless Application meant to create and alert on honeyTokens.
- Slack notifications
- Webhook notifications
- Aggregation (by IP and session) & client tracking
- HTTP-based and JavaScript-based fingerprinting
- Tracking and editing of Slack messages to enrich existing alerts
- Custom paths and friendly reminders
- & more!
Trapdoor is inspired by the awesome work of Adel in honeyLambda.
We'll provide updates on new features and bug fixes in our blog. Visit the following articles to know more:
- 3CORESec Trapdoor Announcement - The serverless HTTP Honeypot
- 3CORESec Blog - Trapdoor-tagged posts
- Wes Lambert - Monitoring Adversaries at Your Trapdoor with Security Onion
Trapdoor is available as a serverless application on AWS Serverless Application Repository. In the region where you'd like to deploy Trapdoor head over to Available Applications, search for Trapdoor (make sure to enable "show apps that create custom IAM roles or resources policies") and click on deploy.
While the installation of Trapdoor is fully automatic you will have to provide some input to the application before it can be deployed to your account depending on which alert modules you'd like to enable. Please check the Alert section below before continuing.
Trapdoor provides 2 alert mechanisms:
- HTTP POST / Webhook
- Slack Notifications
You can enable one of them or both. Enabling the alert method requires only that you enter the information in the deployment page of AWS Serverless Application Repository, as we'll explain below.
To enable the HTTP POST option (where Trapdoor will send a JSON structure of its findings to the specificed URL) simply paste the URL in the POSTURL
variable.
Trapdoor also allows you to have notifications and alerts sent to a Slack channel. This section will provide you with detailed information on how to create an app/bot to send your Trapdoor notifications.
- Visit the Apps section on Slack and click on Create New App
- Give it a name and choose the desired Slack
- Visit the OAuth & Permissions section of the app and, under Scopes - Bot Token Scopes, "Add a OAuth Scope" for
chat:write
- At the top of the screen click on Install to Workspace and make note of
Bot User OAuth Token
- Invite the bot to the channel for which you'd like to have the messages posted to (simply typing @bot_name will allow you to do so)
Additionally you'll also require the ID of the channel that Trapdoor will be sending messages to. You can retrieve this information by visiting the channel in Slack Web, as demonstrated in the image below:
You now have all the information required to deploy via the AWS Serverless Application Repository.
- SLACKPATH:
https://your_team.slack.com
(example: https://3coresec.slack.com) - WEBHOOKCHANNEL: ID that was retrieved via Slack Web (example:
C0114EEEG59
) - WEBHOOKTOKEN:
Bot User OAuth Token
from the previously created app
After the deployment is complete you can create your tokens by editing the config.json
(in the AWS Lambda page) and adding both a path as well as a friendly reminder. Due to a limitation of Cloud9 AWS Code Editor it's not possible to edit the configuration file without changing the Runtime settings. Temporarily change it to Node (for example), edit the file and change it back to its original runtime.
config.json
example:
...
{
"Paths": {
"admin": "Token present in honeypot in Germany",
"ftp": "Token from .txt in Raspberry"
},
...
Using Trapdoor is as simple as visiting the API Endpoint that is made available in the Lambda Application dashboard (presented after the deployment is complete):
While all paths ($API/Prod/WHATEVER) are accepted and alerted, choosing a path that is configured in Trapdoor config.json
will provide you with a friendly reminder of where that token is located/stored.
Consider using your custom domains instead of the AWS API URLs (and map them to the /Prod stage in AWS API) so that your tokens can be made available under, for example, https://important-corp.com/login
. Bear in mind that you can associate unlimited (different) domains to an API in AWS API GW, so it's really up to you to configure the best deception options for your tokens π΅π»β
Found this interesting? Have a question/comment/request? Let us know!
Feel free to open an issue or ping us on Twitter.
3CORESec is releasing this project as a proof-of-concept for the research community.
Please remember that it might not be legal to run Trapdoor in some countries and that the information you will be accessing could be considered personal data.
If you decide to deploy, install or run Trapdoor you will be agreeing to release and hold us harmless from any responsibility resulting or arising directly or indirectly from the use of Trapdoor.
You are solely and exclusively responsible for the use of Trapdoor.