Honeypots: Detection, Recon, and Misdirection
A honeypot in cyber security is basically a trap that lures in attackers and can slow down the pace of an attack, gather actionable intelligence, and even alert an organization that an attack is occurring. In this blog, we’ll explore how honeypots work, their benefits, and demonstrate how they can be deployed to bridge the gap between prevention and anticipation.
Why Use Honeypots?
When thinking about traditional security practices, the focus has historically been on building a strong perimeter and engaging in passive, reactive defense—firewalls, intrusion detection systems, antivirus solutions, incident response processes, and more. Although many of these components are still necessary, they primarily work by reducing the probability of attacks or minimizing damage after an incident has occurred.
However, these approaches commonly lack proactive and engaged measures to learn from adversaries and anticipate future threats. What if you could go beyond reaction and actively gather intelligence on attackers? This is where deception techniques like honeypots come into play. Honeypots are designed to detect and distract attackers while simultaneously gathering valuable intelligence about their tactics, techniques, and procedures (TTPs).
What is a Honeypot?
A honeypot acts as a decoy system or network resource designed to mimic legitimate targets for a cyberattack. Unlike genuine production systems, a honeypot is intentionally vulnerable or configured to appear as an enticing target for cybercriminals. The key purpose of a honeypot usually isn’t to stop attacks directly but to learn from them and distract adversaries. When attackers interact with a honeypot (user accounts, shares, or services), it records their actions and provides real-world intelligence about the attacker’s techniques and behavior.
Honeypots often vary in complexity, with low-interaction honeypots simulating minimal services without offering much in-depth interaction, more akin to a tripwire. These types of systems are much easier to deploy and maintain (and less resource intensive), but provide limited opportunities to capture an attacker’s interactions.
In contrast, high-interaction honeypots provide attackers with a realistic, fully functional system to exploit (such as a Linux server or production database). A high-interaction decoy will provide much more valuable threat intelligence as it relates to an attacker’s tactics, techniques, and procedures (TTPs) and post-exploitation behavior. However, they of course require much more effort to build and monitor.
Deploying a Honeypot: Artillery
Deploying a honeypot is a strategic decision that requires planning, collaboration, and ongoing management. However, to demonstrate the power of honeypots in action, we’ll explore how Artillery can be deployed to entice, monitor, and alert on honeypot interactions on a Linux server. The Artillery project, developed by Binary Defense (TrustedSec), is an open-source blue team tool designed to act as a honeypot, monitoring solution, and alerting system: it detects connections to common ports, tracks file system modifications, and monitors for brute force attempts on network services. Although the official repository is slightly outdated and not actively maintained, it’s a perfect tool to demonstrate basic honeypot functionality.
Installing Artillery
With a fresh Ubuntu server installed, the first step is to clone the Artillery repository from GitHub. In this example, I’ve named my server prod-jenkins to mimic a production Jenkins server, making it more likely to attract attackers in the network who might believe they are targeting a critical system for software deployment.
Cloning the repository can be done by running the following command:
git clone https://github.com/BinaryDefense/artillery.git

Next, I’ll change into the artillery/ directory and run the setup.py script to initiate the installation. When Artillery installs on Linux, it sets itself up to run as a service with initialization scripts to ensure it starts on boot. Additionally, it interacts with iptables to configure firewall rules as it runs. The setup script can be run with the following command:
sudo python3 setup.py

Configuring Artillery
With Artillery installed, the next step is to configure it to suit our specific decoy system. For example, Artillery’s configuration file allows us to define which ports and services we want to emulate and monitor, such as SSH, SMTP, HTTP, etc.
We can view the current configuration at /var/artillery/config:
For simplicity’s sake, we can limit our honeypot’s ports to just 22 (SSH), 21 (FTP), and 8080, a common proxy port that many Jenkins installations use. To do this, modify the TCPPORTS directive to include only these ports and comment out the UDPPORTS line. After saving the changes, start Artillery with the following command:
sudo python3 artillery.py
To ensure Artillery is running as expected, we can run the netstat command to list listening network sockets and filter for Python processes, since Artillery itself is a Python program:
sudo netstat -nlp | grep python
Detecting Attacks with a Honeypot
Now that we have our honeypot in place, we can test how it will react when someone attempts various methods of attack on our network.
FTP Detection
With Artillery running, we can use a second system to emulate an attacker and attempt to connect to the honeypot’s FTP service. First, I’ll note my honeypot’s IP address by running the ifconfig command on the honeypot. Then, from the attacker system, I’ll connect to the decoy FTP service on that address:
ftp <HONEYPOT_IP>
If we return to our honeypot system, we’ll notice a very interesting log entry:
SSH Detection
Additionally, we can perform a similar test against the decoy SSH service. A common attack vector is brute-forcing or spraying SSH credentials to gain remote access to a system. By simulating this attack against the honeypot, we’ll determine if Artillery successfully detects the brute force attempt.
On the Kali (attacker) system, I’ll initiate a brute force attack using Hydra with the following command:
hydra -l admin -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://10.0.2.11
Upon navigating back to the honeypot system, we’ll notice that once again, Artillery was able to detect the attack:
Web Detection
Lastly, let’s perform one more attack against the honeypot HTTP service on port 8080. To do so, I’ll run the nikto web vulnerability scanner on Kali and point it to the honeypot server:
nikto -h 10.0.2.11 -port 8080
Logging and Incident Response
It’s important to note we’re not just limited to the standard command-line console output. Artillery’s detection events can also be found in syslog, which we can verify by pulling back some of the most recent logs in the file:
tail /var/log/syslog -n 4
Because these events land in syslog, they can be forwarded to a SIEM and correlated with other log sources. For example, hunting the detected source IP address across various log sources can give analysts more context into the attacker’s activity before the attack or their behavior on the honeypot system afterward. This information helps build a timeline, making it easier to identify additional kill chain actions such as escalation, lateral movement, or exfiltration within the network.
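As an added example (not part of the original post or the Artillery project), the following Python script shows the kind of triage described above: it parses constructed syslog lines, builds a per-source timeline across the honeypot and a production host, and flags bursts of SSH hits as a likely brute force. The Artillery message wording, host names, and IP addresses are assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines: Artillery alerts in the general shape the tool
# logs (exact wording assumed, not copied from the project) plus one sshd failure
# from a production host, so a single source IP can be hunted across log sources.
SAMPLE_LOGS = """\
Mar  4 10:15:02 prod-jenkins artillery: Artillery has detected an attack from IP address: 10.0.2.15 for a connection on a honeypot port: 21
Mar  4 10:16:40 prod-jenkins artillery: Artillery has detected an attack from IP address: 10.0.2.15 for a connection on a honeypot port: 22
Mar  4 10:16:41 prod-jenkins artillery: Artillery has detected an attack from IP address: 10.0.2.15 for a connection on a honeypot port: 22
Mar  4 10:16:41 prod-jenkins artillery: Artillery has detected an attack from IP address: 10.0.2.15 for a connection on a honeypot port: 22
Mar  4 10:21:30 prod-web01 sshd[2231]: Failed password for admin from 10.0.2.15 port 51234 ssh2
Mar  4 10:30:00 prod-jenkins artillery: Artillery has detected an attack from IP address: 10.0.2.77 for a connection on a honeypot port: 21
"""

SYSLOG_HEAD = r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) "
ARTILLERY_RE = re.compile(SYSLOG_HEAD + r"artillery: .*IP address: (\d+(?:\.\d+){3}) .*honeypot port: (\d+)")
SSHD_RE = re.compile(SYSLOG_HEAD + r"sshd\[\d+\]: Failed password for (\S+) from (\d+(?:\.\d+){3})")

def parse_events(text, year=2025):
    """Turn syslog text into time-sorted (timestamp, host, src_ip, description) tuples."""
    events = []
    for line in text.splitlines():
        if m := ARTILLERY_RE.match(line):
            ts, host, src, desc = m[1], m[2], m[3], f"honeypot hit on port {m[4]}"
        elif m := SSHD_RE.match(line):
            ts, host, src, desc = m[1], m[2], m[4], f"failed ssh login as {m[3]}"
        else:
            continue  # unrelated log line
        stamp = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        events.append((stamp, host, src, desc))
    return sorted(events)

def timeline(events, src_ip):
    """Everything one source IP did, oldest first, across every log source."""
    return [(ts.strftime("%H:%M:%S"), host, desc)
            for ts, host, src, desc in events if src == src_ip]

def brute_force_sources(events, port=22, threshold=3, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` honeypot hits on `port` inside one sliding window."""
    hits = defaultdict(list)
    for ts, _, src, desc in events:
        if desc == f"honeypot hit on port {port}":
            hits[src].append(ts)  # events are already time-ordered
    return {src for src, st in hits.items()
            if any(st[i + threshold - 1] - st[i] <= window
                   for i in range(len(st) - threshold + 1))}
```

A timeline that spans both prod-jenkins and prod-web01 for the same source IP is the signal the section describes: the honeypot alert becomes the pivot for finding activity against real systems.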
Best Practices for Deploying Honeypots
On the topic of best practices when deploying honeypots, it’s important to isolate honeypots from your actual production environment using network segmentation and firewalls to prevent attackers from using them as a pivot point. Because honeypots are often intentionally misconfigured to appear vulnerable, we need to avoid allowing an attacker to easily pivot through or stage additional attacks using our infrastructure.
Second, while isolation is important, we also want to make our honeypots enticing. Make sure your honeypot blends seamlessly with your network by mimicking legitimate systems, including realistic naming conventions and offering realistic open ports or services. There is no point in setting up all of this infrastructure only for an attacker to immediately recognize it as a decoy and move on to legitimate targets.
Lastly, treat your honeypot as any other important intelligence asset—monitor it regularly for interactions, centralize its events, and analyze the data it collects through a feedback loop to stay ahead of the game and improve your overall threat detection capabilities.
Conclusion
In conclusion, deploying honeypots offers a supplementary approach for detecting and distracting attackers while simultaneously gathering valuable intelligence about their tactics, techniques, and procedures. While honeypots are not a replacement for traditional security measures, they provide an additional layer of pertinent and actionable threat intelligence straight from the source, helping to detect and stop potential threats before they escalate further.
If you are looking for practical blue team training, TCM offers a SOC 101 course with an Academy subscription. Once you’ve learned these skills, you can provide proof of your knowledge by earning a Practical SOC Analyst Associate certification.
About the Author: Andrew Prince
Andrew is a seasoned and passionate security professional who brings a wealth of experience in areas such as security operations, incident response, threat hunting, vulnerability management, and cloud infrastructure security. With a professional background in development and system administration, Andrew offers a well-rounded perspective on his security strategy. Andrew also navigates both offensive and defensive operations to provide a holistic approach to keeping people, processes, and technology secure. He is also active in developing various Capture the Flag challenges, creating security training, and sharing knowledge through content creation. Andrew created the Security Operations (SOC) 101 course in TCM Security Academy and the Practical SOC Analyst Associate certification.