Honeypot for Router Backdoor (TCP-32764)

#Threat Defense #Honeypots

Galah is an LLM-powered web honeypot that mimics various web applications by dynamically responding to HTTP requests.

Initial Attempt at Mocking Router Backdoor

This is an initial attempt to simulate the router backdoor 'TCP32764', which was discovered in various router firmware versions at the end of 2013.

The Proof of Concept (POC) for the Backdoor

The Proof of Concept (POC) for the backdoor can be found in this repository.

Please note: This honeypot is not fully compatible with the actual backdoor, but it does respond positively to commonly used tests. Both the poc.py and the web test from Heise identify this as a genuine backdoor.

We kindly ask you not to raise any complaints regarding actions or issues after using this code. Take your time to relax, read through the material carefully, and then experiment with it on your own.

Dependencies: NodeJS

How to Use the Honeypot for TCP 32764 (Easy Start)

To get started, clone the repository, change into the cloned directory, install the dependencies, and start the server:

    git clone https://github.com/knalli/honeypot-for-tcp-32764.git
    cd honeypot-for-tcp-32764
    npm install
    node_modules/.bin/coffee server.coffee

How to Use the Daemon

The package.json file contains two user scripts that manage Forever. To start the server, simply run npm start, and to stop the server, use npm stop.

Understanding the -w Flag

The -w flag is used to ensure that any changes made to files will automatically restart the server within a second.

How to Monitor Log Access

The following user scripts are available for easy access to the log: use the command npm run-script print-log to display the log file of the current daemon (sta).