Skip to content

Serverless honeytoken πŸ•΅πŸ»β€β™‚οΈ

License

Notifications You must be signed in to change notification settings

3CORESec/Trapdoor

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Trapdoor - A serverless honeytoken framework

Trapdoor is an AWS Serverless Application meant to create and alert on honeyTokens.

  • Slack notifications
  • Webhook notifications
  • Aggregation (by IP and session) & client tracking
  • HTTP-based and JavaScript-based fingerprinting
  • Tracking and editing of Slack messages to enrich existing alerts
  • Custom paths and friendly reminders
  • & more!

Trapdoor is inspired by the awesome work of Adel in honeyLambda.

We'll provide updates on new features and bug fixes in our blog. Visit the following articles to know more:

Installation

Trapdoor is available as a serverless application on AWS Serverless Application Repository. In the region where you'd like to deploy Trapdoor head over to Available Applications, search for Trapdoor (make sure to enable "show apps that create custom IAM roles or resources policies") and click on deploy.

While the installation of Trapdoor is fully automatic you will have to provide some input to the application before it can be deployed to your account depending on which alert modules you'd like to enable. Please check the Alert section below before continuing.

Alert Configuration

Trapdoor provides 2 alert mechanisms:

  • HTTP POST / Webhook
  • Slack Notifications

You can enable one of them or both. Enabling the alert method requires only that you enter the information in the deployment page of AWS Serverless Application Repository, as we'll explain below.

HTTP POST

To enable the HTTP POST option (where Trapdoor will send a JSON structure of its findings to the specificed URL) simply paste the URL in the POSTURL variable.

Slack

Trapdoor also allows you to have notifications and alerts sent to a Slack channel. This section will provide you with detailed information on how to create an app/bot to send your Trapdoor notifications.

  1. Visit the Apps section on Slack and click on Create New App
  2. Give it a name and choose the desired Slack
  3. Visit the OAuth & Permissions section of the app and, under Scopes - Bot Token Scopes, "Add a OAuth Scope" for chat:write
  4. At the top of the screen click on Install to Workspace and make note of Bot User OAuth Token
  5. Invite the bot to the channel for which you'd like to have the messages posted to (simply typing @bot_name will allow you to do so)

Additionally you'll also require the ID of the channel that Trapdoor will be sending messages to. You can retrieve this information by visiting the channel in Slack Web, as demonstrated in the image below:

You now have all the information required to deploy via the AWS Serverless Application Repository.

  • SLACKPATH: https://your_team.slack.com (example: https://3coresec.slack.com)
  • WEBHOOKCHANNEL: ID that was retrieved via Slack Web (example: C0114EEEG59)
  • WEBHOOKTOKEN: Bot User OAuth Token from the previously created app

Trapdoor Setup

After the deployment is complete you can create your tokens by editing the config.json (in the AWS Lambda page) and adding both a path as well as a friendly reminder. Due to a limitation of Cloud9 AWS Code Editor it's not possible to edit the configuration file without changing the Runtime settings. Temporarily change it to Node (for example), edit the file and change it back to its original runtime.

config.json example:

...
{
  "Paths": {
    "admin": "Token present in honeypot in Germany",
    "ftp": "Token from .txt in Raspberry"
  },
...

Usage

Using Trapdoor is as simple as visiting the API Endpoint that is made available in the Lambda Application dashboard (presented after the deployment is complete):

While all paths ($API/Prod/WHATEVER) are accepted and alerted, choosing a path that is configured in Trapdoor config.json will provide you with a friendly reminder of where that token is located/stored.

Domains & Customization

Consider using your custom domains instead of the AWS API URLs (and map them to the /Prod stage in AWS API) so that your tokens can be made available under, for example, https://important-corp.com/login. Bear in mind that you can associate unlimited (different) domains to an API in AWS API GW, so it's really up to you to configure the best deception options for your tokens πŸ•΅πŸ»β€

Feedback

Found this interesting? Have a question/comment/request? Let us know!

Feel free to open an issue or ping us on Twitter.

Twitter

Legal notice

3CORESec is releasing this project as a proof-of-concept for the research community.

Please remember that it might not be legal to run Trapdoor in some countries and that the information you will be accessing could be considered personal data.

If you decide to deploy, install or run Trapdoor you will be agreeing to release and hold us harmless from any responsibility resulting or arising directly or indirectly from the use of Trapdoor.

You are solely and exclusively responsible for the use of Trapdoor.