Chasing bad guys is a fun and exciting activity that can be achieved in a multitude of ways. One of them is the use of honeypots.
In this post we’ll explain what a honeypot is and how it works, and give you a run-down of the top 20 best honeypots available, for intelligence capturing when an attacker hits your fake door.
But first, let’s go back to the basics and cover a few fundamental concepts.
What’s a honeypot?
In simple English, a honeypot is a computer system or application created to attract malicious agents trying to attack computer networks through the use of spam, phishing, DDoS or other nefarious methods.
Once an attacker falls into this trap, the honeypot allows administrators to obtain valuable data about the type of attacker, the activity he was attempting, and in many cases, even identify the attacker.
The major goal of all honeypots is to identify emerging attacks against different types of software and collect reports to analyze and generate intelligence data—which will later be used to create prevention techniques against network threats.
There are two different types of honeypots:
- Research honeypot: This type of trap is used by developers, system administrators, and blue team managers working in institutions such as universities, colleges, schools and other related associations.
- Production honeypot: This is used by private and public institutions, companies and corporations to investigate the behavior and techniques of hackers seeking to attack networks on the Internet.
Essentially, a honeypot allows you to obtain valuable data so you can work on different attack surface reduction strategies.
How does a honeypot work?
As mentioned, a honeypot is a trap system. These trap systems are often set up in a VM or cloud server connected to a network, but isolated and strictly monitored by system and network teams. To help them get noticed by the bad guys, honeypots are designed to be intentionally vulnerable, with weaknesses an attacker will detect and try to exploit.
These weaknesses could be part of a security hole inside an application, or system vulnerabilities such as unnecessary open ports, outdated software versions, a weak password or an old unpatched kernel.
Once the attacker has found his vulnerable target, he’ll try to launch an attack and escalate privileges until he can gain certain control of the box or the application.
What most of them don’t know is that a honeypot administrator is watching each one of their steps carefully, collecting data from the attacker that will actually help to harden current security policies. The administrator can also report the incident to legal authorities immediately, which is what often happens with high-end corporate networks.
Most honeypots work as traps that distract attackers from critical data that is hosted on the actual networks. Another commonality is that almost all connection attempts to a honeypot can be treated as hostile, as there are few, if any, reasons that may motivate a legitimate user to connect with these types of systems.
While configuring the honeypot, you must be aware of the level of hacking difficulty you wish to expose to the attacker. If it’s too easy to hack, they’ll probably lose interest, or even realize they’re not dealing with a real production system.
On the other hand, if the system is too hardened, you’ll actually thwart any attacks and won’t be able to collect any data. So in terms of difficulty, luring an attacker with something between easy and hard is your best bet for simulating a real-life system.
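The trap described above in its smallest form, as an added example rather than code from any of the tools listed in this post: a fake SSH service that only ever presents a banner, captures whatever the client sends first, and writes one JSON record per connection, on the working assumption that every hit is hostile. The banner string, the "automation hints" and the peer addresses are constructed for the example; nothing here offers a shell, so it sits at the easy end of the difficulty scale the previous paragraphs discuss.

```python
"""Minimal low-interaction TCP honeypot: fake SSH banner, log the first bytes.
Added example; not the code of Kippo, Cowrie or any other project named here."""
import json
import socket
import time

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # constructed: a plausible, slightly dated server string
MAX_BYTES = 4096                            # never buffer more than this from one client
READ_TIMEOUT = 5.0                          # seconds to wait for the client's banner

# Constructed hints of scripted SSH clients; not a real signature set.
AUTOMATION_HINTS = ("libssh", "paramiko", "nmap", "masscan", "zgrab")


def classify(client_banner):
    """Every hit on a honeypot is suspect; this only adds a coarse triage label."""
    if not client_banner:
        return "connect-only"          # port scan or bare connection probe, no banner sent
    lowered = client_banner.lower()
    if not lowered.startswith("ssh-"):
        return "non-ssh-probe"         # something other than SSH was thrown at the port
    if any(hint in lowered for hint in AUTOMATION_HINTS):
        return "automated-client"
    return "ssh-client"


def handle_session(conn, peer, now=None):
    """Serve one connection: send the fake banner, capture the client's first
    bytes and return a JSON-ready record. No shell is ever offered."""
    conn.settimeout(READ_TIMEOUT)
    conn.sendall(FAKE_BANNER)
    received = b""
    try:
        while len(received) < MAX_BYTES and b"\n" not in received:
            chunk = conn.recv(1024)
            if not chunk:              # client closed without saying anything more
                break
            received += chunk
    except socket.timeout:
        pass                           # silent clients are still worth logging
    client_banner = received.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return {
        "ts": now if now is not None else time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "service": "fake-ssh",
        "client_banner": client_banner,
        "bytes_received": len(received),
        "raw_head_hex": received[:64].hex(),   # a little raw evidence for later analysis
        "verdict": classify(client_banner),
    }


def serve(bind_addr=("0.0.0.0", 2222), log_path="fake-ssh.jsonl"):
    """Listen forever and append one JSON line per session (run on an isolated host)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind_addr)
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            with conn:
                record = handle_session(conn, peer)
            with open(log_path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(record) + "\n")


def simulate(client_bytes, peer=("203.0.113.5", 51515)):
    """Offline check: run handle_session over a socketpair instead of a real listener."""
    server_side, client_side = socket.socketpair()
    with server_side, client_side:
        client_side.sendall(client_bytes)
        client_side.shutdown(socket.SHUT_WR)
        record = handle_session(server_side, peer, now=0.0)
        return record, client_side.recv(1024)


if __name__ == "__main__":
    serve()   # port 2222 needs no privileges; redirect 22 to it with your firewall if desired
```

The records are deliberately flat so they can be shipped straight into a SIEM; because nothing legitimate should ever connect, the alerting rule on the receiving side can be as simple as "any record at all".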
Can an attacker detect if he’s inside a honeypot? Of course. Advanced users with a high level of technical knowledge are able to recognize a few signs that they’re entering a honeypot space.
Even non-technical users can detect honeypots by using automated honeypot detectors such as Shodan’s Honeyscore, which gives you the ability to identify honeypot IP addresses.
Some systems engineers tend to classify honeypots based on the targeted software they’re trying to protect or expose. So while a list of honeypots could be extensive, we’ve listed some of the most popular ones here:
- Spam honeypot: Also known as spam trap, this honeypot is specifically created to catch spammers before they hit legitimate email boxes. These often have open relays in order to get attacked, and work closely with RBL lists to block malicious traffic.
- Malware honeypot: This type of honeypot is created to simulate vulnerable apps, APIs and systems for the purpose of getting malware attacks. The data that is then collected will later be used for malware pattern reconnaissance, to aid in creating effective malware detectors.
- Database honeypot: Databases are a common target of web attackers, and by setting up a database honeypot you can watch and learn different attack techniques such as SQL injection, privilege abuse, SQL services exploitation and much more.
- Spider honeypot: This type of honeypot works by creating false web pages and links that are only accessible by web-crawlers, not by humans. Once the crawler accesses the honeypot, it’s detected along with its headers for later analysis, usually to help with blocking malicious bots and ad-network crawlers.
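A spider honeypot of the kind just described, written as an added example in plain WSGI (it is not the code of any tool on this list, and the same hidden-link-plus-robots.txt trick is what the WordPress "Blackhole for Bad Bots" plugin described later relies on). The trap path, the sample addresses and user agents are constructed for the example. Well-behaved crawlers read robots.txt and never touch the disallowed path; humans never see the link; anything that requests it is logged with its headers and refused from then on.

```python
"""Spider honeypot as a WSGI app: a hidden, robots.txt-disallowed link that only
misbehaving crawlers follow. Added example, not any listed tool's own code."""
import time
from wsgiref.simple_server import make_server

TRAP_PATH = "/archive-2011-backup/"      # constructed: something no human would type
blocked = set()                           # source addresses that tripped the trap
trap_log = []                             # one record per trap hit

ROBOTS = f"User-agent: *\nDisallow: {TRAP_PATH}\n"

PAGE = f"""<!doctype html><html><body>
<h1>Welcome</h1>
<p>Normal site content.</p>
<!-- invisible to people: no text, display:none, and disallowed in robots.txt -->
<a href="{TRAP_PATH}" style="display:none" aria-hidden="true" tabindex="-1"></a>
</body></html>"""


def client_ip(environ):
    # Only trust X-Forwarded-For if a proxy you control sets it; default to the peer.
    return environ.get("REMOTE_ADDR", "unknown")


def request_headers(environ):
    """Collect the HTTP_* keys of the WSGI environ back into header names."""
    return {key[5:].replace("_", "-").title(): value
            for key, value in environ.items() if key.startswith("HTTP_")}


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    ip = client_ip(environ)
    if ip in blocked:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"blocked\n"]
    if path == "/robots.txt":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [ROBOTS.encode()]
    if path == TRAP_PATH:
        trap_log.append({"ts": time.time(), "ip": ip, "path": path,
                         "headers": request_headers(environ)})
        blocked.add(ip)
        # Answer like an ordinary missing page so the crawler learns nothing.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [PAGE.encode()]


def make_environ(path, ip, user_agent, method="GET"):
    """Minimal WSGI environ for offline checks (a real server fills in the rest)."""
    return {"REQUEST_METHOD": method, "PATH_INFO": path,
            "REMOTE_ADDR": ip, "HTTP_USER_AGENT": user_agent}


def call(environ):
    """Invoke the app the way a server would; return (status, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Blocking by source address is the simplest policy but has a known failure mode: many clients behind one NAT or CDN edge share an address, so in production you would rather rate-limit or feed the log to a bot-management rule than ban outright.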
Top 20+ Honeypots for Identifying Cybersecurity Threats
There are as many honeypots as there are types of software running, so creating a definitive list would be quite difficult. On this list we’ve included some of the most popular honeypot tools that are, in our own experience, a must for all blue and purple teams.
- Kippo: This SSH honeypot written in Python is designed to detect and log brute-force attacks and, most importantly, the complete shell history of the attacker. It's available for most modern Linux distros, and offers command-line management and configuration as well as a web-based interface. Kippo provides a fake file system and the ability to serve fake content to attackers (such as user password files), plus a powerful statistics system called Kippo Graph.
- Cowrie: This medium-interaction SSH honeypot works by emulating a shell. It offers a fake file system based on Debian 5.0, letting you add and remove files as you wish. It also saves all downloaded and uploaded files in a secure, quarantined area so you can analyze them later. Apart from the emulated SSH shell, it can act as an SSH and Telnet proxy, and it allows you to forward SMTP connections to another SMTP honeypot.
- Glastopf: This HTTP-based honeypot lets you detect web-application attacks effectively. Written in Python, Glastopf can emulate several types of vulnerabilities, including local and remote file inclusion as well as SQL injection (SQLi), and uses HPFeeds for centralized logging.
- Nodepot: This web-app honeypot is focused on Node.js, and can even run on limited hardware such as a Raspberry Pi or Cubietruck. If you're running a Node.js app and are looking to get valuable information about incoming attacks and discover how vulnerable you are, this is one of the most relevant honeypots for you. It's available on most modern Linux distros and has only a few requirements.
- Google Hack Honeypot: Commonly known as GHH, this honeypot emulates a vulnerable web app that can be indexed by web crawlers but remains hidden from direct browser requests. The transparent link used for this purpose reduces false positives and prevents the honeypot from being detected. This lets you test your app against the ever-popular Google dorks. GHH offers an easy configuration file, as well as some nice logging capabilities for capturing critical attacker information such as IP address, user agent and other header details.
- Formidable Honeypot: This is one of the most popular honeypots used with WordPress. It's literally invisible to humans; only bots can fall into its trap, so once an automated attack hits your form, it will be effectively detected and stopped. It's a non-intrusive way to defend WordPress against spam. Conveniently, it doesn't require any configuration. Simply activate the plugin and it will be added to all the forms you use in WordPress, in both the free and pro versions.
- Blackhole for Bad Bots: This one was created to stop automated bots from consuming unnecessary bandwidth and other server resources of your site infrastructure. By setting up this plugin, you can detect and block bad bots, from automated malware attacks to spam and several types of adware attacks. This WordPress honeypot works by adding a hidden link in the footer of all your pages. This way it isn't noticed by humans, and catches only bad bots that don't follow the robots.txt rules. Once a bad bot is caught, it will be blocked from accessing your website.
- Wordpot: This is one of the most effective WordPress honeypots you can use to enhance WordPress security. It helps you detect malicious probes for plugins, themes and other common files used to fingerprint a WordPress installation. Written in Python, it's easy to install, can be handled smoothly from the command line, and includes a wordpot.conf file for easy honeypot configuration. It also allows you to install custom Wordpot plugins so you can emulate popular WordPress vulnerabilities.
- ElasticHoney: With Elasticsearch so frequently exploited in the wild, it's never a bad idea to invest in a honeypot specifically created for this type of database. This is a simple yet effective honeypot that will let you catch malicious requests attempting to exploit RCE vulnerabilities. It works by receiving attack requests on several popular endpoints such as /, /_search and /_nodes, and responding with JSON identical to what a vulnerable Elasticsearch instance would return. All logs are saved in a file called elastichoney.log. One of the best things about it is that this honeypot tool is available for both Windows and Linux operating systems.
- HoneyMysql: This simple MySQL honeypot is created to protect your SQL-based databases. Written in Python, it works on most platforms and can be installed easily by cloning its GitHub repo.
- MongoDB-HoneyProxy: One of the most popular MongoDB honeypots, this is specifically a honeypot proxy that can run and log all malicious traffic into a third-party MongoDB server. Node.js, npm, GCC, g++ and a MongoDB server are required to get this MongoDB honeypot working properly. It can be run inside a Docker container or any other VM environment.
- Honeymail: If you’re looking for a way to stop SMTP-based attacks, this is the perfect solution. Written in Golang, this honeypot for email will let you set up numerous features to detect and prevent attacks against your SMTP servers. Its main features include: configuring custom response messages, enabling StartSSL/TLS encryption, storing emails in a BoltDB file and extracting attacker information such as source domain, country, attachments and email parts (HTML or TXT). It also provides simple yet powerful DDoS protection against massive connections.
- Mailoney: This is a great email honeypot written in Python. It can be run in different modes such as open_relay (logging all emails attempted to be sent), postfix_creds (used to log credentials from login attempts) and schizo_open_relay (which allows you to log everything).
- SpamHAT: This trap is designed to catch and prevent spam from attacking any of your email boxes. To get this working, make sure you have Perl 5.10 or higher installed, as well as some CPAN modules such as IO::Socket, Mail::MboxParser, LWP::Simple, LWP::UserAgent, DBD::mysql, Digest::MD5::File, as well as having a running MySQL server with a database called ‘spampot’.
- HoneyThing: Created for the Internet of Things, this honeypot acts as a full modem/router running the RomPager web server and supports the TR-069 (CWMP) protocol. This IoT honeypot is capable of emulating popular vulnerabilities such as Rom-0, Misfortune Cookie, RomPager and more. Its TR-069 support includes most of the popular CPE commands, such as GetRPCMethods, Get/Set parameter values, Download, etc. Unlike others, this honeypot offers an easy and polished web-based interface. Finally, all the critical data is logged in a file called honeything.log.
- Kako: Its default configuration runs a number of service simulations in order to capture attack information from all incoming requests, including the full request body. It includes Telnet, HTTP and HTTPS servers. Kako requires the following Python packages to work properly: Click, Boto3, Requests and Cerberus. Once the required packages are installed, you can configure this IoT honeypot with a simple YAML file called kako.yaml. All the data is recorded and exported to AWS SNS and to flat JSON files.
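The email honeypots in this list (Honeymail, Mailoney with its open_relay and postfix_creds modes, SpamHAT) all do a version of the same thing: speak just enough SMTP to let a relay probe or credential-guessing client play out its script, then log it. The following is an added example of that exchange written for this post, not the code of any of those projects. The hostname and the attacker script are constructed; AUTH is advertised but always fails, messages are acknowledged but never relayed, and only the username and the password length of each guess are logged.

```python
"""Low-interaction SMTP honeypot session handler. Added example; not the code
of Mailoney, Honeymail or SpamHAT."""
import base64
import binascii
import socket
import time

HOSTNAME = b"mx1.example.invalid"   # constructed name the fake server announces


def decode_auth_plain(blob):
    """AUTH PLAIN carries base64 of [authzid] NUL authcid NUL password (RFC 4616).
    Returns the username and password length, or None if the blob is malformed."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\x00")
    except (ValueError, binascii.Error):
        return None
    if len(parts) != 3:
        return None
    # Log the length rather than the secret so the honeypot log is not a credential store.
    return {"user": parts[1].decode("utf-8", "replace"), "password_len": len(parts[2])}


def handle_smtp(conn, peer, now=None):
    """Run one SMTP conversation on `conn` and return the session record."""
    rec = {"ts": now if now is not None else time.time(), "src_ip": peer[0],
           "src_port": peer[1], "helo": None, "auth_attempts": [], "mail_from": None,
           "rcpt_to": [], "message_bytes": 0, "commands": []}
    conn.settimeout(30)
    reader = conn.makefile("rb")

    def reply(line):
        conn.sendall(line + b"\r\n")

    reply(b"220 " + HOSTNAME + b" ESMTP ready")
    in_data = False
    for raw in reader:
        line = raw.rstrip(b"\r\n")
        if in_data:                        # inside DATA: count bytes until the lone "."
            if line == b".":
                in_data = False
                reply(b"250 OK: queued")   # nothing is queued; the sender only believes so
            else:
                rec["message_bytes"] += len(raw)
            continue
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        rec["commands"].append(verb.decode("ascii", "replace"))
        if verb == b"EHLO":
            rec["helo"] = arg.decode("ascii", "replace")
            reply(b"250-" + HOSTNAME)
            reply(b"250 AUTH PLAIN")       # advertise AUTH so credential guessing shows up
        elif verb == b"HELO":
            rec["helo"] = arg.decode("ascii", "replace")
            reply(b"250 " + HOSTNAME)
        elif verb == b"AUTH":
            mech, _, blob = arg.partition(b" ")
            attempt = {"mechanism": mech.decode("ascii", "replace").upper()}
            if attempt["mechanism"] == "PLAIN" and blob:
                attempt.update(decode_auth_plain(blob) or {})
            rec["auth_attempts"].append(attempt)
            reply(b"535 5.7.8 Authentication credentials invalid")   # never grant relay
        elif verb in (b"MAIL", b"RCPT"):
            address = arg.partition(b":")[2].strip().decode("ascii", "replace")
            if verb == b"MAIL":
                rec["mail_from"] = address
            else:
                rec["rcpt_to"].append(address)
            reply(b"250 OK")
        elif verb == b"DATA":
            in_data = True
            reply(b"354 End data with <CR><LF>.<CR><LF>")
        elif verb == b"QUIT":
            reply(b"221 Bye")
            break
        else:                              # RSET, VRFY, STARTTLS, multi-step AUTH LOGIN, ...
            reply(b"502 5.5.2 Command not implemented")
    reader.close()
    return rec


def sample_attacker_script():
    """Constructed client side of a typical relay probe: EHLO, one AUTH PLAIN
    guess (user 'admin', password 'hunter2'), then a message submission."""
    blob = base64.b64encode(b"\x00admin\x00hunter2")
    return b"".join([b"EHLO scanner.example\r\n",
                     b"AUTH PLAIN " + blob + b"\r\n",
                     b"MAIL FROM:<a@x.invalid>\r\n", b"RCPT TO:<b@y.invalid>\r\n",
                     b"DATA\r\n", b"Subject: hi\r\n\r\nbody\r\n.\r\n", b"QUIT\r\n"])


def simulate(client_script, peer=("203.0.113.9", 40000)):
    """Offline check: run handle_smtp over a socketpair and return (record, transcript)."""
    server_side, client_side = socket.socketpair()
    with server_side, client_side:
        client_side.sendall(client_script)
        client_side.shutdown(socket.SHUT_WR)
        record = handle_smtp(server_side, peer, now=0.0)
        return record, client_side.recv(65536)
```

Wrap handle_smtp in the same accept loop as any other socket honeypot and write the returned record as one JSON line; the commands list alone already separates relay probes (MAIL/RCPT/DATA) from credential stuffing (repeated AUTH) without parsing anything else.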
Other types of Honeypots
- Dionaea: This low-interaction honeypot, written in C and Python, uses the libemu library to emulate the execution of Intel x86 instructions and detect shellcode. It's also a multi-protocol honeypot, supporting FTP, HTTP, Memcache, MSSQL, MySQL, SMB, TFTP and more. Its logging is compatible with Fail2Ban, hpfeeds, log_json and log_sqlite.
- Miniprint: With printers being some of the most overlooked devices within computer networks, Miniprint is the perfect ally when you need to detect and collect printer-based attacks. It works by exposing the printer to the Internet using a virtual file system where attackers can read and write simulated data. Miniprint offers a very deep logging mechanism, and saves any postscript or plain text print jobs in an upload directory for later analysis.
- Honeypot-ftp: Written in Python, this FTP honeypot fully supports plain FTP and FTPS, so you can keep a detailed record of the usernames and passwords used in illegal login attempts, as well as the files uploaded in every FTP/FTPS session.
- HoneyNTP: NTP is one of the most overlooked protocols on the Internet, and that's why it's a good idea to run an NTP honeypot. This is a Python-simulated NTP server that runs without a hitch on both Windows and Linux operating systems. It works by logging all NTP packets and port numbers into a Redis database so you can perform later analysis.
- Thug: Thug isn’t a honeypot per se, but rather a honeyclient. Just as honeypot technologies enable research into server-side attacks, honeyclients take on client-side attacks. Acting as a complement to honeypots, Thug is a low-interaction honeyclient tool designed to mimic the behaviour of a web browser to analyze suspicious links and determine if they contain malicious components.
- Canarytokens: Canarytokens is a honeytoken tool created in the spirit of web bugs, the transparent images that reveal when someone opens an email by embedding a unique URL in an image tag and monitoring the GET requests for it. Canarytokens does the same thing for file reads, database queries, process executions, patterns in log files and much more. It allows you to set up traps in your systems rather than setting up separate honeypots. In other words, attackers announce that they have breached your system by "tripping" over a token.
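The honeytoken idea above, as an added example that is not Canarytokens' own code: mint an unguessable identifier, remember where it was planted, render it as an artifact (a URL inside a decoy document, or a hostname in a fake config), and then scan whatever logs you already collect for that identifier. The token domain and the access-log lines are constructed for the example; in practice the domain would be one you own so that the lookups and fetches arrive at a server you watch.

```python
"""Honeytokens: plant a unique marker, watch logs for it. Added example; not
the code of Canarytokens. The log lines in sample_log() are constructed."""
import json
import secrets
import time

TOKEN_DOMAIN = "canary.example.invalid"   # constructed; use a domain whose logs you control


class TokenRegistry:
    """Mint unique tokens, remember where each was planted, and find them in text."""

    def __init__(self):
        self._tokens = {}   # token -> where and why it was planted

    def mint(self, kind, planted_in, note=""):
        if kind not in ("url", "dns"):
            raise ValueError(f"unsupported token kind: {kind}")
        token = secrets.token_hex(8)   # 16 hex chars: unguessable and unlikely to occur by accident
        self._tokens[token] = {"kind": kind, "planted_in": planted_in,
                               "note": note, "created": time.time()}
        return token

    def render(self, token):
        """The artifact text to plant; the token sits in a part the intruder must use."""
        kind = self._tokens[token]["kind"]
        if kind == "url":
            return f"https://{TOKEN_DOMAIN}/{token}/report.pdf"
        return f"{token}.{TOKEN_DOMAIN}"   # a DNS name: any resolution of it is the signal

    def find(self, text):
        """Return every planted token (with its metadata) that appears in `text`."""
        return [dict(token=tok, **meta) for tok, meta in self._tokens.items() if tok in text]


def scan_log(registry, lines):
    """Turn each log line that contains a planted token into an alert record."""
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        for hit in registry.find(line):
            alerts.append({"line_no": line_no, "line": line, **hit})
    return alerts


def sample_log(token):
    """Constructed web-server access log: one benign request, then the token being fetched."""
    return [
        '203.0.113.4 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
        f'203.0.113.4 - - [10/Oct/2023:13:55:40 +0000] "GET /{token}/report.pdf HTTP/1.1" 404 0',
    ]


if __name__ == "__main__":
    registry = TokenRegistry()
    tok = registry.mint("url", planted_in="decoy document on the file share",
                        note="nobody has a reason to open this")
    print("plant this:", registry.render(tok))
    for alert in scan_log(registry, sample_log(tok)):
        print(json.dumps(alert))
```

The value of the approach is in the mapping from token back to planting location: a single hit tells you not just that someone is inside, but which share, host or document they reached, which is exactly the context an incident responder needs first.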
Extra tip: Don’t forget to test MHN, which isn’t actually a honeypot, but a centralized server for management and honeypot data collection. It includes a lot of the honeypots we mentioned here such as Glastopf, Dionaea, Cowrie and others.
Also important: remember, if you’re setting up a honeypot in your live infrastructure, you’re going to be exposed to a high level of incoming attacks—that’s the very nature of honeypots. You’ll be playing with fire. And it wouldn’t be the first time we heard about someone who installed a honeypot on their production servers and then got hacked because smart bad guys were able to spoof and hide behind the legitimate network traffic.
Today we’ve examined what a honeypot is, how various honeypots work, and the top 20 honeypots you can use in your cybersecurity measures against malicious attackers.
For newcomers, installing and configuring any of these honeypot tools is an easy job. Just remember to do it in a testing network separate from your production systems, at least during your first tests, until you know what you are doing.
Are you ready to prevent even more network threats? Explore your attack surface area today, and discover just how much information you’re exposing—before the bad guys do.
Make a bold move toward safety by taking a look at SurfaceBrowser™, our enterprise-grade recon-discovery OSINT tool. Book a demo with our sales team today!