Tag: honeypots

  • Honeypots

    Honeypot

    A honeypot is a decoy application or system: a deliberately exposed, often intentionally vulnerable-looking target placed as bait to attract and trap attackers. By imitating real systems, services, or applications, a honeypot presents what looks like a valuable target, which lets an organization observe attacker behaviour, study tactics, techniques, and procedures (TTPs), and collect intelligence about the threats it actually faces. Because no legitimate user has a reason to touch the decoy, any interaction with it is suspicious by default. All of this happens in a controlled, isolated environment; provided that isolation holds, the organization's real systems, sensitive data, and network infrastructure are not put at risk by the decoy.

    • Purpose
      • Detection: To identify the presence of potential cyber threats by mimicking real systems or applications.
      • Monitoring: To observe the behavior of threat actors, including how they attempt to exploit vulnerabilities.
      • Analysis: To gather intelligence on attack methods, tools used, and tactics employed by cybercriminals.
    • Types
      • Low-Interaction: Emulates a minimal slice of a service, typically just the banner and the first few protocol messages.
        • Primarily captures connection attempts, allowing administrators to log who is probing the system and when.
        • Useful for detecting automated attacks and scanning activity; cheap to run and easy to contain, because there is almost nothing behind the emulation for an attacker to exploit.
      • Medium-Interaction: Emulates the service more faithfully than a low-interaction honeypot, far enough to accept a login attempt but never to grant one.
        • Captures connection attempts and the credentials tried, providing insight into attempted attacks and brute-force campaigns.
        • Allows limited interaction with attackers while still containing the risk, since the emulated service has no real file system or shell behind it.
      • High-Interaction: Provides a fully interactive environment, usually a real operating system and real applications, that behaves like a production host.
        • Captures connection attempts, login credentials, and the attacker's subsequent actions (commands run, tools uploaded), allowing detailed behavioural analysis.
        • Offers the deepest insight into attack methods, tools, and tactics, but because the attacker can genuinely compromise it, it must be firewalled and monitored so that it cannot be used as a pivot into the real network.
    • Components
      • Decoy Systems: These can include virtual machines, servers, or network devices that simulate real infrastructure.
      • Decoy Applications: Software applications that mimic critical business systems, such as databases or web services.
    • Benefits
      • Early Warning: Provides early detection of intrusion attempts before they reach actual production systems.
      • Threat Intelligence: Provides valuable insights into the latest attack techniques and helps refine security strategies.
      • Cost-Effective: Enables organizations to obtain threat intelligence without dedicating resources to full-scale incident response.
    • Challenges
      • False Positives: Legitimate traffic such as vulnerability scanners, asset-discovery tools, or misconfigured clients can reach the decoy, so each hit needs triage rather than being treated as a confirmed intrusion.
      • Maintenance: Keeping decoys up to date and relevant to current threat landscapes.
      • Ethical Considerations: Balancing the need for security with ethical concerns related to the surveillance of attackers.
    • Example Use Cases
      • Decoy Mailboxes: Using decoy email accounts and mail systems (spam traps) to collect and analyze phishing attempts.
      • Vulnerability Exploits: Setting up virtual machines to detect and study exploit kits targeting specific vulnerabilities.
      • Network Intrusions: Creating simulated network segments to monitor lateral movement by threat actors within an organization.
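
    The interaction levels above are easiest to understand from the inside. What follows is an added example written for this page (it is not code from the page or from any honeypot project): a minimal Python FTP decoy in the medium-interaction style, which serves a realistic banner, walks a client through USER and PASS, refuses every login, and emits one JSON event per connection and per login attempt in a layout modelled on the honeypots log lines shown further down. The banner is the ProFTPD string that appears in the FTP session on this page; the names FtpDecoy, FtpDecoyHandler and start_server, the server field value ftp_decoy, and the listening port 2121 are assumptions for illustration.

```python
import json
import socketserver
import threading
from datetime import datetime, timezone

# Banner copied from the FTP exchange shown on this page. A decoy's banner
# should look like a real server, never announce itself as a honeypot.
BANNER = "220 ProFTPD 1.2.10"


class FtpDecoy:
    """Protocol state for one client session (assumed design, not a real
    project's API). It never grants access: every PASS gets a 530 and the
    credential pair is recorded."""

    def __init__(self, src_ip, src_port, log, clock=None):
        self.src_ip = src_ip
        self.src_port = str(src_port)
        self.log = log  # callable that receives one event dict per action
        self.clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.username = ""
        self._emit("connection")

    def _emit(self, action, **fields):
        event = {
            "action": action,
            "dest_port": "21",
            "server": "ftp_decoy",  # assumed label for this decoy
            "src_ip": self.src_ip,
            "src_port": self.src_port,
            "timestamp": self.clock(),
        }
        event.update(fields)
        self.log(event)

    def reply(self, line):
        """Return the response line (without CRLF) for one client command."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.username = arg
            return f"331 Password required for {arg}."
        if verb == "PASS":
            # Medium-interaction behaviour: capture the pair, then always fail.
            self._emit("login", username=self.username, password=arg, status="failed")
            return "530 Sorry, Authentication failed."
        if verb == "QUIT":
            return "221 Goodbye."
        # LIST, RETR, STOR, ... are refused: there is no file system behind this.
        return "530 Please login with USER and PASS."


class FtpDecoyHandler(socketserver.StreamRequestHandler):
    # Default sink prints one JSON line per event, like the tool on this page.
    log = staticmethod(lambda event: print(json.dumps(event, sort_keys=True)))

    def handle(self):
        ip, port = self.client_address[:2]
        decoy = FtpDecoy(ip, port, self.log)
        self.wfile.write((BANNER + "\r\n").encode())
        for raw in self.rfile:  # one command line at a time until QUIT or EOF
            response = decoy.reply(raw.decode("utf-8", "replace"))
            self.wfile.write((response + "\r\n").encode())
            if response.startswith("221"):
                break


def start_server(host="127.0.0.1", port=0, log=None):
    """Start the decoy in a background thread (port 0 picks a free port) and
    return the server; its bound port is server.server_address[1]."""
    handler = type("Handler", (FtpDecoyHandler,), {})
    if log is not None:
        handler.log = staticmethod(log)
    server = socketserver.ThreadingTCPServer((host, port), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    # Port 21 needs root; 2121 is an assumed unprivileged port for a scratch host.
    srv = start_server("0.0.0.0", 2121)
    print(f"[*] FTP decoy listening on {srv.server_address}")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

    Run it on a scratch host, connect with ftp localhost 2121, and each USER/PASS pair appears as a JSON line on stdout. Because the decoy answers everything except USER, PASS and QUIT with a 530, there is nothing for a connecting attacker to exploit, which is the containment property the Types section describes; a high-interaction decoy would instead hand the session to a real FTP daemon inside an isolated, firewalled VM.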

    Honeypots Projects

    Several honeypot projects can be installed on Raspberry Pi OS. The following steps install one of them, the open source honeypots project (https://github.com/qeeqbox/honeypots), and exercise its FTP decoy.

    Install the honeypots package using pip

    PIP_BREAK_SYSTEM_PACKAGES=1 # Environment variable equivalent to pip's --break-system-packages flag: it overrides the "externally-managed-environment" refusal (PEP 668) that Debian-based Raspberry Pi OS applies to the system Python, so pip will install into it. Installing into a virtual environment (python3 -m venv) avoids the need for this.
    pip3 # Python 3 package installer (pip for Python 3)
    install # Command to install Python packages
    "bcrypt<4.0.0" # Install the 'bcrypt' package but pin it below version 4.0.0 for dependency compatibility; the quotes stop the shell from treating < as a redirection
    honeypots # Install the 'honeypots' Python package

    (RPi) PIP_BREAK_SYSTEM_PACKAGES=1 pip3 install "bcrypt<4.0.0" honeypots

    Run the honeypots project. This command starts the FTP honeypot on port 21 (binding a port below 1024 is why sudo is needed):

    sudo # Run the command with superuser (administrator) privileges, required to bind port 21
    -E # Preserve the user's environment variables (such as PIP_BREAK_SYSTEM_PACKAGES) when switching to root
    python3 # Use the Python 3 interpreter to run the module
    -m honeypots # Run the Python module named 'honeypots'
    --setup ftp:21 # Command-line argument for the module; sets up a honeypot service that emulates an FTP server on port 21

    (RPi) sudo -E python3 -m honeypots --setup ftp:21
    [!] For updates, check https://github.com/qeeqbox/honeypots
    [x] Use [Enter] to exit or python3 -m honeypots --kill
    [x] Parsing honeypot [normal]
    {"action": "process", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "test", "server": "ftp_server", "src_ip": "0.0.0.0", "src_port": "21", "status": "success", "timestamp": "2023-08-22T18:00:26.430681", "username": "test"}
    [x] QFTPServer running..
    [x] Everything looks good!

    Connect to the FTP honeypot from another host on the network using an ftp client. Replace jdoe.local with the hostname of your Raspberry Pi, then enter any username and password; the login is rejected and the credentials are logged.

    ftp> # Indicates you are in an interactive FTP client session
    open # FTP command to connect to a remote FTP server
    jdoe.local # The hostname or local network address of the FTP server you want to connect to

    ftp> open jdoe.local
    421 Service not available, remote server has closed connection
    Connected to jdoe.local.
    220 ProFTPD 1.2.10
    Name (jdoe.local:pc): user123
    331 Password required for user123.
    Password: 
    530 Sorry, Authentication failed.
    ftp: Login failed

    The FTP honeypot recorded the connection and the username and password that were tried:

    {"action": "connection", "dest_ip": "0.0.0.0", "dest_port": "21", "server": "ftp_server", "src_ip": "192.168.2.1", "src_port": "50173", "timestamp": "2023-08-22T18:00:29.081757"}
    {"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "pass123", "server": "ftp_server", "src_ip": "192.168.2.1", "src_port": "50173", "status": "failed", "timestamp": "2023-08-22T18:00:35.037311", "username": "user123"}
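
    The two JSON lines above are the raw material for detection. The following is an added example (written for this page, not part of the honeypots project) that turns a stream of such events into something an analyst can act on: it parses newline-delimited JSON, skips the tool's own status lines and the startup self-test event (the process action with src_ip 0.0.0.0 shown earlier, which a naive pipeline would count as a captured credential), summarises connections and credentials per source IP, and flags a source as brute-forcing when it accumulates a threshold of failed logins inside a sliding time window. The sample log is constructed for the example, modelled on the page's output, with 203.0.113.7 (a documentation address) standing in for a second, noisier attacker; the threshold, window, and function names are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the honeypots output shown on this page. It
# mixes the tool's status lines, its startup self-test (src_ip 0.0.0.0), the
# page's real-looking 192.168.2.1 session, and a constructed 203.0.113.7 burst.
SAMPLE_LOG = """\
[x] Parsing honeypot [normal]
{"action": "process", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "test", "server": "ftp_server", "src_ip": "0.0.0.0", "src_port": "21", "status": "success", "timestamp": "2023-08-22T18:00:26.430681", "username": "test"}
[x] QFTPServer running..
{"action": "connection", "dest_ip": "0.0.0.0", "dest_port": "21", "server": "ftp_server", "src_ip": "192.168.2.1", "src_port": "50173", "timestamp": "2023-08-22T18:00:29.081757"}
{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "pass123", "server": "ftp_server", "src_ip": "192.168.2.1", "src_port": "50173", "status": "failed", "timestamp": "2023-08-22T18:00:35.037311", "username": "user123"}
{"action": "connection", "dest_ip": "0.0.0.0", "dest_port": "21", "server": "ftp_server", "src_ip": "203.0.113.7", "src_port": "41000", "timestamp": "2023-08-22T18:01:00.000000"}
{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "admin", "server": "ftp_server", "src_ip": "203.0.113.7", "src_port": "41000", "status": "failed", "timestamp": "2023-08-22T18:01:01.000000", "username": "admin"}
{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "123456", "server": "ftp_server", "src_ip": "203.0.113.7", "src_port": "41000", "status": "failed", "timestamp": "2023-08-22T18:01:02.000000", "username": "admin"}
{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "toor", "server": "ftp_server", "src_ip": "203.0.113.7", "src_port": "41000", "status": "failed", "timestamp": "2023-08-22T18:01:03.000000", "username": "root"}
{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "anonymous", "server": "ftp_server", "src_ip": "203.0.113.7", "src_port": "41000", "status": "failed", "timestamp": "2023-08-22T18:01:04.000000", "username": "anonymous"}
{"action": "login", "dest_ip": "0.0.0.0", "dest_port": "21", "password": "password", "server": "ftp_server", "src_ip": "203.0.113.7", "src_port": "41001", "status": "failed", "timestamp": "2023-08-22T18:05:00.000000", "username": "admin"}
"""


def is_self_test(event):
    """The tool's startup self-test logs in to itself; it is not an attacker."""
    return event.get("action") == "process" or event.get("src_ip") == "0.0.0.0"


def parse_events(text):
    """Yield event dicts from newline-delimited JSON, skipping non-JSON status
    lines and the self-test, and attaching a parsed 'ts' datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_self_test(event):
            continue
        event["ts"] = datetime.fromisoformat(event["timestamp"])
        yield event


def summarise(events):
    """Per-source counts: connections, failed logins, distinct credentials tried."""
    per_src = defaultdict(lambda: {"connections": 0, "failed_logins": 0,
                                   "usernames": set(), "passwords": set()})
    for event in events:
        entry = per_src[event["src_ip"]]
        if event["action"] == "connection":
            entry["connections"] += 1
        elif event["action"] == "login" and event.get("status") == "failed":
            entry["failed_logins"] += 1
            entry["usernames"].add(event.get("username", ""))
            entry["passwords"].add(event.get("password", ""))
    return dict(per_src)


def brute_force_sources(events, threshold=4, window=timedelta(seconds=60)):
    """Return {src_ip: n} for sources with at least `threshold` failed logins
    inside any span of length `window` (sliding window over sorted times).
    Threshold and window are assumed tuning values, not project defaults."""
    times = defaultdict(list)
    for event in events:
        if event["action"] == "login" and event.get("status") == "failed":
            times[event["src_ip"]].append(event["ts"])
    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_LOG))
    for src, s in summarise(evs).items():
        print(f"{src}: {s['connections']} connections, {s['failed_logins']} failed logins, "
              f"users={sorted(s['usernames'])}")
    for src, n in brute_force_sources(evs).items():
        print(f"[!] brute force from {src}: {n} failed logins inside 60 s")
```

    Feeding the honeypot's stdout through this (or shipping the JSON lines to a SIEM and expressing the same window rule there) is what turns the decoy from a curiosity into a detection: the single 192.168.2.1 attempt is worth a look, but the 203.0.113.7 burst of four distinct credential pairs in three seconds is an automated scanner and can be blocked or enriched with threat intelligence straight away.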