Honeypots

A honeypot is a computer security mechanism set to detect, deflect, or in some manner, counteract attempts at unauthorized use of information systems.

Detecting Honeypot

When entered target system, then if we felt something is wrong. For example,

Cannot execute common OS commands e.g. ls, cat, etc.
There are few files under /home/<user> unnaturally.
There are few users or uncommon users exist in /etc/passwd unnaturally.
Found either cowrie-env, cowrie.cfg, tpot.yml, dionaea.cfg in system.

We may be able to suspect the system is a honeypot.

Cowrie

is an SSH/Telnet honeypot.

Directories & Files

etc/cowrie.cfg
etc/userdb.txt
var/log/cowrie/

Or we can find the associated files by the following command.

find / -name "*cowrie*" 2>/dev/null

Reconnaissance

# OS
uname -a
cat /etc/issue

# CPU
nproc
cat /proc/cpuinfo

Honeypots

Detecting Honeypot

Cowrie

Directories & Files

Reconnaissance

T-Pot

Dionaea

Mailoney

Detecting Honeypot

Cowrie

Directories & Files

Reconnaissance

T-Pot

Dionaea

Mailoney