Skip to content

infokek/activemq-honeypot

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

assets

assets

 
 

logs

logs

 
 

resources

resources

 
 

src

src

 
 

.gitignore

.gitignore

 
 

Cargo.lock

Cargo.lock

 
 

Cargo.toml

Cargo.toml

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Service.toml

Service.toml

 
 

docker-compose.yml

docker-compose.yml

 
 

Repository files navigation

activemq-honeypot

Honeypot that scopes CVE-2023-46604 (Apache ActiveMQ RCE Vulnerability) and focused on getting Indicators of Compromise. This honeypot can be used in any Threat Intelligence infrastructure to get attacker's IP adresses, Post-Exploitation samples and malware samples. This information can be helpful to detect and prevent attacks in future.

Real usage example: https://infokek.github.io/posts/tsunami-botnet-activemq-honeypot/

How it works?

In real case attacker sends specific packet to Apache ActiveMQ service. This packet contains ExceptionResponse with Class org.springframework.context.support.ClassPathXmlApplicationContext and Message which contains XML payload url.

Attack Example
Attack Example

Secondly, vulnerable service downloads XML payload which commonly contains RCE command.

XML Payload Example
XML Payload Example

This honeypot simulates vulnerable Apache ActiveMQ service and extracts attacker's ip addresses, XML payload url and RCE command from XML payload. Then this information can be parsed from JSON.

Honeypot logs can be checked by path logfile that you specified in Service.toml.

Honeypot Logs
Honeypot Logs

Honeypot also creates JSON output with parsable indicators. You can specify path of outfile in Service.toml.

JSON Output
JSON Output

Installation

Honeypot can be deployed on your own server (for example VPS or VDS) in docker variant.

Configuration

Service configuration file Service.toml can be changed by your own:

ip = "0.0.0.0" # listen ip address 
port = 61616 # port (default for Apache ActiveMQ 61616)
logfile = "logs/service.log" # main log file
outfile = "logs/out.json" # output json for parsing

Using docker

git clone https://github.com/infokek/activemq-honeypot.git -b main
cd activemq-honeypot
docker compose up --build -d

You also should disable original Apache ActiveMQ (if exists) and make sure that configured port not used by another process. Service building can take some time.

Troubleshooting

You can create Issue using https://github.com/infokek/activemq-honeypot/issues/new/choose if you have any bug or other problem.

You also can change LevelFilter to Debug in main.rs and get more helpful debug info

Debug Level
Debug LevelFilter

About

ActiveMQ honeypot

Topics

honeypot activemq blueteam cve-2023-46604

Resources

Readme

License

Apache-2.0 license
Activity

Stars

3 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages