generate realistic attack logs

pwnSpoof generates realistic spoofed log files for common web servers with customisable attack scenarios. After you have generate the log, simply ingest it into a SIEM and go hunting! pwnSpoof is perfect for CTFs, hands-on training and comparing different log analysis tools

pwnSpoof was created on the back of a threat hunting training exercise we delivered for a customer. The training exercise was to use a log analytic tool such as Splunk and IIS logs to find login brute-force attacks and command injections.

The idea behind the pwnSpoof application is to;

  • Provide a quick CTF style training environment
  • Create unique logs every run
  • Test threat hunting in IIS, Apache and NGINX logs

Once you have created a set of logs, load them in to Splunk and use various techniques to answer the following questions;

  • What was the attackers IP address and user_agent?
  • Did the attacker authenticate and if so, with what account?
  • Where was geo-location of the attacker?
  • When did the attack occur?
  • What kind of attack was it?
  • What happened during the attack?
  • What artefacts may remain on the server?
  • What steps can be taken to remediate?

Getting Started

Full installation and usage details is available on Github.



pwnSpoof is opensource and is on GitHub