- Detects and logs payloads for CVE-2019-19781 (Shitrix / Citrixmash)
- Logs failed login attempts
- Serves content and headers taken from a real appliance to increase the chance of being indexed by search engines (e.g. Google, Shodan)
If you have a Go environment ready to go:
go get github.com/x1sec/citrix-honeypot
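You must provide a certificate to serve HTTPS. To generate your own (run only one of the two key-generation commands; both write server.key, the first an RSA key and the second an ECDSA key):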
openssl genrsa -out server.key 2048
openssl ecparam -genkey -name secp384r1 -out server.key
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
It's as easy as:
./citrix-honeypot
The honeypot will listen on both port 80 and 443.
Or to detach and run as a background process:
$ nohup ./citrix-honeypot&
Results are written to the ./log directory. The log files are:
- hits.log - Scanning attempts and exploitation attempts with all data (e.g. headers, post body)
- all.log - All HTTP requests that are observed
- logins.log - Attempted logins to the web interface
- tlsErrors.log - Often internet scanners will send invalid data to port 443. HTTPS errors are logged here.