Honeypots

A honeypot is a computer security mechanism set to detect, deflect, or in some manner, counteract attempts at unauthorized use of information systems.

Detecting Honeypot

When entered target system, then if we felt something is wrong. For example,

  • Cannot execute common OS commands e.g. ls, cat, etc.

  • There are few files under /home/<user> unnaturally.

  • There are few users or uncommon users exist in /etc/passwd unnaturally.

  • Found either cowrie-env, cowrie.cfg, tpot.yml, dionaea.cfg in system.

We may be able to suspect the system is a honeypot.

Cowrie

Cowrie is an SSH/Telnet honeypot.

Directories & Files

etc/cowrie.cfg
etc/userdb.txt
var/log/cowrie/

Or we can find the associated files by the following command.

find / -name "*cowrie*" 2>/dev/null

Reconnaissance

# OS
uname -a
cat /etc/issue

# CPU
nproc
cat /proc/cpuinfo

T-Pot

T-Pot is the all in one, optionally distributed, multiarch (amd64, arm64) honeypot platform.

Dionaea

Dionaea

Mailoney

Mailoney is an SMTP honeypot.

PreviousFirewallNextAttack Flow

Last updated