Skip to content

add support for h0neytr4p v0.4#16

Open
t3chn0m4g3 wants to merge 1 commit into
masterfrom
h0neytr4p_v0.4
Open

add support for h0neytr4p v0.4#16
t3chn0m4g3 wants to merge 1 commit into
masterfrom
h0neytr4p_v0.4

Conversation

@t3chn0m4g3

@t3chn0m4g3 t3chn0m4g3 commented Jun 8, 2026

Copy link
Copy Markdown
Member

@trixam @elivlo Please review and test (updated images for h0neytr4p have been pushed).

Here are testing logs:

{"dest_port":"8443","header_accept":"*/*","header_content-length":"419","header_content-type":"multipart/form-data","header_user-agent":"curl/8.14.1","hostname":"127.0.0.1","payload_filename":"/data/h0neytr4p/payloads/16318505ade01496c9f7b8c874899134","payload_hash_md5":"16318505ade01496c9f7b8c874899134","payload_mime_type":"text/plain","payload_parameter":"marker=payload-test-1780936857","protocol":"https","request_method":"POST","request_proto":"HTTP/2.0","request_uri":"/vpns/portal/scripts/newbm.pl","src_ip":"172.22.0.1","timestamp":"2026-06-08T16:40:57Z","trapped":"true","trapped_for":"CVE-2019-19781","trapped_references":"https://www.kb.cert.org/vuls/id/619785","trapped_risk_rating":"9.8","user-agent":"curl/8.14.1","user-agent_browser":"curl","user-agent_browser_version":"8.14","user-agent_os":"Other"}
{"dest_port":"8443","header_accept":"*/*","header_user-agent":"curl/8.14.1","header_x-h0neytr4p-test":"cve-2026-23918-test-1780936950","hostname":"127.0.0.1","protocol":"https","request_method":"GET","request_proto":"HTTP/2.0","request_uri":"/?h0neytr4p_test=cve-2026-23918-test-1780936950","src_ip":"172.22.0.1","timestamp":"2026-06-08T16:42:30Z","trapped":"true","trapped_for":"CVE-2026-23918","trapped_references":"https://httpd.apache.org/security/vulnerabilities_24.html,https://www.openwall.com/lists/oss-security/2026/05/04/19,https://www.cve.org/CVERecord?id=CVE-2026-23918,https://orca.security/resources/blog/apache-http-server-http2-vulnerability-cve-2026-23918/","trapped_risk_rating":"8.8","user-agent":"curl/8.14.1","user-agent_browser":"curl","user-agent_browser_version":"8.14","user-agent_os":"Other"}
{"cookie_whostmgrsession":"cve-2026-41940-test-1780936963","dest_port":"2087","header_accept":"*/*","header_authorization":"Basic aDBuZXl0cjRwLXRlc3Q6c3ludGhldGljCnN1Y2Nlc3NmdWxfaW50ZXJuYWxfYXV0aF93aXRoX3RpbWVzdGFtcD10ZXN0LWN2ZS0yMDI2LTQxOTQwLXRlc3QtMTc4MDkzNjk2Mw==","header_cookie":"whostmgrsession=cve-2026-41940-test-1780936963","header_user-agent":"curl/8.14.1","header_x-h0neytr4p-test":"cve-2026-41940-test-1780936963","hostname":"127.0.0.1","protocol":"https","request_method":"POST","request_proto":"HTTP/2.0","request_uri":"/login/?login_only=1\u0026h0neytr4p_test=cve-2026-41940-test-1780936963","src_ip":"172.22.0.1","timestamp":"2026-06-08T16:42:43Z","trapped":"true","trapped_for":"CVE-2026-41940","trapped_references":"https://www.cpanel.net/blog/security/security-update-cve-2026-41940/,https://www.cve.org/CVERecord?id=CVE-2026-41940,https://www.rapid7.com/db/modules/exploit/multi/http/cpanel_whm_auth_bypass_rce/","trapped_risk_rating":"9.8","user-agent":"curl/8.14.1","user-agent_browser":"curl","user-agent_browser_version":"8.14","user-agent_os":"Other"}
{"cookie_whostmgrsession":"cve-2026-41940-test-1780936963-negative","dest_port":"2087","header_accept":"*/*","header_authorization":"Basic YWRtaW46YWRtaW4=","header_cookie":"whostmgrsession=cve-2026-41940-test-1780936963-negative","header_user-agent":"curl/8.14.1","header_x-h0neytr4p-test":"cve-2026-41940-test-1780936963-negative","hostname":"127.0.0.1","protocol":"https","request_method":"POST","request_proto":"HTTP/2.0","request_uri":"/login/?login_only=1\u0026h0neytr4p_test=cve-2026-41940-test-1780936963-negative","src_ip":"172.22.0.1","timestamp":"2026-06-08T16:42:43Z","trapped":"false","user-agent":"curl/8.14.1","user-agent_browser":"curl","user-agent_browser_version":"8.14","user-agent_os":"Other"}

@elivlo

elivlo commented Jun 12, 2026

Copy link
Copy Markdown
Member

Working on that

@elivlo elivlo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have two minor objections.

Once that's sorted I will approve the PR :)

Comment thread honeypots/h0neytr4p.py

h0neytr4p.data('timestamp', datetime.fromisoformat(line['timestamp']).strftime('%Y-%m-%d %H:%M:%S'))
h0neytr4p.data("timezone", time.strftime('%z'))
if 'timestamp' in line:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you change the timestamp parsing here? The logs for testing do not need that change because they already are in isoformat. I would remove the helper methods, because they are redundant and python datetime is able to do the same.

We drop all alerts that don't contain the timestamp so I would remove the condition.

Let's implement it like that if we don't need the actual timezone of the honeypot. If we need that, we should refactor all honeypots at the same time so all use the exact same logic.

h0neytr4p.data('timestamp', datetime.fromisoformat(line['timestamp'].replace('Z', '+00:00')).strftime('%Y-%m-%d %H:%M:%S'))
h0neytr4p.data('timezone', time.strftime('%z'))

Comment thread honeypots/h0neytr4p.py
if payloaddir and payload_filename:
candidates.append(os.path.join(payloaddir, os.path.basename(payload_filename)))

if payloaddir and payload_hash:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would elif that with the preceding if to prevent possible duplication of payloaddir.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants