Serverless honeytoken 🕵🏻♂️
Trapdoor is an AWS Serverless Application meant to create and alert on honeyTokens.
Trapdoor is inspired by the awesome work of Adel in honeyLambda.
We'll provide updates on new features and bug fixes in our blog. Visit the following articles to learn more:
Trapdoor is available as a serverless application on AWS Serverless Application Repository. In the region where you'd like to deploy Trapdoor head over to Available Applications, search for Trapdoor (make sure to enable "show apps that create custom IAM roles or resources policies") and click on deploy.
While the installation of Trapdoor is fully automatic you will have to provide some input to the application before it can be deployed to your account depending on which alert modules you'd like to enable. Please check the Alert section below before continuing.
Trapdoor provides 2 alert mechanisms:
- an HTTP POST of a JSON alert to a URL you specify
- a Slack notification sent by a bot to a channel you specify
You can enable one of them or both. Enabling an alert method requires only that you enter the corresponding information in the deployment page of the AWS Serverless Application Repository, as explained below.
To enable the HTTP POST option (where Trapdoor will send a JSON structure of its findings to the specified URL) simply paste the URL in the POSTURL variable.
Trapdoor also allows you to have notifications and alerts sent to a Slack channel. This section provides detailed information on how to create an app/bot to send your Trapdoor notifications. The Slack app you create needs:
- the chat:write bot token scope
- its Bot User OAuth Token
Additionally you'll also require the ID of the channel that Trapdoor will be sending messages to. You can retrieve this information by visiting the channel in Slack Web, as demonstrated in the image below:
You now have all the information required to deploy via the AWS Serverless Application Repository.
When deploying, fill in the following parameters:
- Slack workspace URL: https://your_team.slack.com (example: https://3coresec.slack.com)
- Channel ID (example: C0114EEEG59)
- Bot User OAuth Token from the previously created app
After the deployment is complete you can create your tokens by editing config.json (in the AWS Lambda page) and adding both a path and a friendly reminder. Due to a limitation of the Cloud9 AWS code editor it's not possible to edit the configuration file without changing the Runtime settings. Temporarily change the runtime to Node (for example), edit the file and change it back to its original runtime.
config.json example:
...
{
  "Paths": {
    "admin": "Token present in honeypot in Germany",
    "ftp": "Token from .txt in Raspberry"
  },
...
Using Trapdoor is as simple as visiting the API Endpoint that is made available in the Lambda Application dashboard (presented after the deployment is complete):
While all paths ($API/Prod/WHATEVER) are accepted and alerted, choosing a path that is configured in Trapdoor's config.json will provide you with a friendly reminder of where that token is located/stored.
Consider using your custom domains instead of the AWS API URLs (and map them to the /Prod stage in AWS API Gateway) so that your tokens can be made available under, for example, https://important-corp.com/login. Bear in mind that you can associate unlimited (different) domains to an API in AWS API GW, so it's really up to you to configure the best deception options for your tokens 🕵🏻
Found this interesting? Have a question/comment/request? Let us know!
Feel free to open an issue or ping us on Twitter.
3CORESec is releasing this project as a proof-of-concept for the research community.
Please remember that it might not be legal to run Trapdoor in some countries and that the information you will be accessing could be considered personal data.
If you decide to deploy, install or run Trapdoor you will be agreeing to release and hold us harmless from any responsibility resulting or arising directly or indirectly from the use of Trapdoor.
You are solely and exclusively responsible for the use of Trapdoor.