24 May 2022 | by Xavier Bellekens
If you’re feeling outgunned by cyber criminals or nation state attackers, deception technology can be your secret weapon. Deception technology tricks attackers into revealing themselves, and can help you detect attacks that would otherwise go undetected. You can start using deception technology for free with open source honeypots. In this blog post, we’ll show you how to get started!
Deception is crucial to detecting lateral movement, uncovering privilege escalation, and catching internal network attacks, and it’s now being used by blue teams, purple teams, and threat hunters worldwide.
Open source honeypots are one type of deception technology that can be deployed immediately and at no cost. Contrary to the main belief, even open-source honeypots are useful, as they can assist in the detection of advanced threats. If you decide to give them a bash, drop us a note, we would be delighted to help you set them up correctly.
There is, however, one caveat – Some of these technology may no longer be supported, and you’ll have to put in some leg-work to set them up and see results. However, they’re a fantastic method to learn about adversaries. They’re also low interaction honeypots rather than genuine systems, so you can anticipate a high number of alerts as they aren’t tuned to your environment. That being said, we love these tools, and we’d be delighted to assist you in planning how to make the best use of them when you decide to use them. We’ll take care of it for you, no strings attached. Simply contact us!
Because there are so many open source honeypots to choose from, compiling a comprehensive list would be nearly impossible. We’ve included some of the most popular honeypot software on this list, based on our own experience.
Dionaea and Kippo, can be used to detect attacks against common protocols, such as SMB, FTP, and SSH. These honeypots can also be configured to look like different versions of these services in order to lure attackers into revealing their true intentions.
Cowrie is an SSH honeypot based of Kippo. Cowrie also features honeyfs, which creates a filesystem that looks real to an attacker but is actually a trap.
RDPY Honeypot. There is still a high number of RDP servers, hence tracking the volume and credentials used for RDP scans can be interesting.
ADBHoney is a low interaction honeypot designed for Android Debug Bridge over TCP/IP and can help you discover Android malware deploying miners on phones and smart TVs via ADB (port 5555).
Honeything emulates the TR-069 WAN management protocol, as well as a RomPager webserver. This makes it appear as if the honeypot is an ADSL or cable router that can be remotely configured and managed.
Telnet IoT Honeypot emulates the telnet protocol. The client-server nature of Telnet is based on a reliable connection-oriented transport protocol. To connect to the telnet honeypot, an attacker can use port number 23 without any password, where a Telnet server application (telnetd) is waiting.
OWASP’s Honeyweb is a great open source honeypots web application honeypot that can be used to detect attacks against common web applications and services, such as WordPress, Joomla, and Drupal.
Nodepot: This web-app honeypot is designed for Node.js, and it even supports limited hardware such as Raspberry Pi / Cubietruck. If you’re developing a Node.js application and want to learn more about incoming attacks and how vulnerable you are, this is one of the most relevant honeypots for you.
Glastopf: is a Python based honeypot that may be used to simulate a variety of vulnerabilities, including local and remote file inclusion as well as SQL Injection (SQLi) and logging using HPFeeds, a decentralized logging system.
Formidable Honeypot: This is one of the most popular honeypots utilized with WordPress. It’s totally undetectable to people; only bots can get trapped by it, so when an bot tries to exploit your form, it will be swiftly detected and avoided. It’s a non-intrusive method for defending WordPress against spam.
Wordpot: This is one of the most successful WordPress honeypots for improving WordPress security.It’s written in Python, so it’s simple to set up and can be operated from the command line. It also comes with a wordpot.conf file for simple honeypot setup. It also allows you to install your own Wordpot plugins, which can be used to simulate popular WordPress flaws.
Honeymail:This is the ideal answer if you’re searching for a method to counteract SMTP-based attacks. This tiny application is highly useful while preventing large connections from online threats. It allows you to customize response messages, use STARTSSL/TLS encryption, save emails in a BoltDB file, and extract attacker data such as source domain, country, attachments, and email parts (HTML or TXT). It also protects against massive connection DDoS attacks.
Mailoney: This is a fantastic Python-based email honeypot. It may be configured to operate in several modes, including open_relay (logging all emails attempted to be sent), postfix_creds (recording login attempts) and schizo_open_relay (allowing you to log everything).
A honeytoken is an item of data that appears to be valuable but is actually a trap. Honeytokens can take the form of login credentials, credit card numbers, or even code snippets. When attackers attempt to use these honeytokens, it triggers an alert that allows you to detect and track them.
These honeypots are designed to simulate industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems. By doing so, they can attract and detect attackers who are targeting these types of systems.
Conpot this open source honeypot is written in Python and simulates an ICS/SCADA system. It supports Modbus, DNP-IP, SML, and other industrial protocols.
Honeyd is a small daemon that creates virtual hosts on a network. These virtual hosts can be configured to run arbitrary services, and may be customized to impersonate specific operating systems including ICS devices.
GasPot is a honeypot that aims to mimic a Veeder Root Gaurdian AST. These Tank Gauges are used in the oil and gas sector to keep track of fuels inventory at gasoline stations. GasPot was created to be as random as possible, with no two instances looking alike.
T-Pot is an all-in-one option, it’s a distributed honeypot platform based on Debian GNU/Linux. With T-Pot, you can monitor all honeypot traffic in one single place.
It includes all of these for you to play with
Most of these open source honeypots may be set up in a lab in a weekend including T-pot. You can then use red-team tactics to learn what kind of telemetry you might get from the different honeypots. Finally, you may modify the code to make it simpler or simply try to fingerprint the honeypots and if you manage to do so, make sure to let the creators know.
If you’re looking to get started with cyber deception, open source honeypots are a great way to do so. Not only are they free to use, but they can also be deployed quickly and easily.