The Simple MongoDB Honeypot Server is a Python-based network monitoring tool designed to detect and analyze unauthorized access attempts to MongoDB databases. Built with the Twisted framework, this server emulates MongoDB protocol behavior while logging attacker activities and reconnaissance patterns. Ideal for security researchers and network administrators looking to study MongoDB-targeted threats.
- MongoDB Protocol Emulation: Realistic responses to OP_MSG and OP_QUERY operations
- Comprehensive Logging: Captures client metadata, authentication attempts, and full commands
- Security Analytics: Logs client applications, driver versions, and OS fingerprints
- Configurable Deployment: Adjustable listening host/port and MongoDB version presentation
- Authentication Trap: Captures SCRAM-SHA credentials and client nonces
- Real-Time Monitoring: Immediate visibility into MongoDB protocol interactions
- Python 3.9+
- Twisted framework
- pymongo package
git clone https://github.com/0xNslabs/mongodb-honeypot.git
cd mongodb-honeypot
pip install twisted pymongo
python3 mongodb.py [--host 0.0.0.0] [--port 27017] [--version "8.0.9"]
Default Configuration:
- Binds to all interfaces (0.0.0.0)
- Listens on standard MongoDB port 27017
- Presents as MongoDB version 8.0.9
Detailed JSON-formatted logs are written to mongodb_honeypot.log, including:
- Client IP addresses and connection timestamps
- Client application metadata
- Operating system fingerprints
- Full command execution attempts
- Authentication payloads and credentials
- Database interaction patterns
Example of the honeypot capturing authentication attempts and client fingerprinting
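To show what sits behind the OP_MSG/OP_QUERY emulation and the "full command" log entries, here is an added example (not code from this project) that validates a client frame's wire-protocol header and recovers the command name using only the standard library. The function names and the sample frames are assumptions constructed for illustration, and only an OP_MSG whose first section is the kind-0 body is handled.

```python
import struct

OPCODES = {2004: "OP_QUERY", 2013: "OP_MSG"}  # wire protocol opcode values
MAX_MESSAGE = 48_000_000  # MongoDB's default maxMessageSizeBytes

def first_key(doc: bytes) -> str:
    """Name of the first BSON element; in a command document this is the command."""
    if len(doc) < 5:
        raise ValueError("BSON document too short")
    (doc_len,) = struct.unpack_from("<i", doc, 0)
    if doc_len < 5 or doc_len > len(doc):
        raise ValueError("BSON length exceeds received bytes")
    if doc[4] == 0:  # terminator right after the length: empty document
        return ""
    end = doc.index(b"\x00", 5, doc_len)  # ValueError if the name is unterminated
    return doc[5:end].decode("utf-8", "replace")

def parse_message(data: bytes) -> dict:
    """Classify one client frame and recover the command name for logging."""
    if len(data) < 16:
        raise ValueError("truncated header")
    length, request_id, _, opcode = struct.unpack_from("<iiii", data, 0)
    if not 16 <= length <= min(len(data), MAX_MESSAGE):
        raise ValueError("declared length inconsistent with received bytes")
    body = data[16:length]
    info = {"request_id": request_id, "command": None,
            "opcode": OPCODES.get(opcode, f"UNKNOWN({opcode})")}
    if opcode == 2013:
        # flagBits (uint32), then sections; only a leading kind-0 body is handled
        if len(body) < 5 or body[4] != 0:
            raise ValueError("OP_MSG without a leading kind-0 section")
        info["command"] = first_key(body[5:])
    elif opcode == 2004:
        # flags, fullCollectionName (cstring), numberToSkip, numberToReturn, query doc
        end = body.index(b"\x00", 4)
        info["collection"] = body[4:end].decode("utf-8", "replace")
        info["command"] = first_key(body[end + 9:])
    return info

# Constructed sample frames (not captured traffic)
def bson_int32(key, value):
    elem = b"\x10" + key.encode() + b"\x00" + struct.pack("<i", value)
    return struct.pack("<i", len(elem) + 5) + elem + b"\x00"

def frame(opcode, payload, request_id=1):
    return struct.pack("<iiii", 16 + len(payload), request_id, 0, opcode) + payload

SAMPLE_MSG = frame(2013, struct.pack("<I", 0) + b"\x00" + bson_int32("hello", 1))
SAMPLE_QUERY = frame(2004, struct.pack("<i", 0) + b"admin.$cmd\x00"
                     + struct.pack("<ii", 0, -1) + bson_int32("isMaster", 1), 2)
```

Rejecting frames whose declared length disagrees with the bytes received keeps malformed scanner probes from reaching the BSON handling, and the rejection itself is worth logging.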
Check out the other honeypot services for monitoring various network protocols:
- DNS Honeypot - Monitors DNS interactions.
- FTP Honeypot - Simulates an FTP server.
- LDAP Honeypot - Mimics an LDAP server.
- HTTP Honeypot - Monitors HTTP interactions.
- HTTPS Honeypot - Monitors HTTPS interactions.
- MongoDB Honeypot - Simulates a MongoDB database server.
- NTP Honeypot - Monitors Network Time Protocol interactions.
- PostgreSQL Honeypot - Simulates a PostgreSQL database server.
- SIP Honeypot - Monitors SIP (Session Initiation Protocol) interactions.
- SSH Honeypot - Emulates an SSH server.
- TELNET Honeypot - Simulates a TELNET server.
- Caution: Operate this honeypot within secure, controlled settings for research and learning purposes.
- Compliance: Deploy this honeypot in accordance with local and international legal and ethical standards.
This project is available under the MIT License. See the LICENSE file for more information.