
Honeypots: Detection, Recon, and Misdirection

A honeypot in cyber security is essentially a trap: a decoy that lures attackers in, slows the pace of an attack, gathers actionable intelligence, and can even alert an organization that an attack is under way. In this blog, we’ll explore how honeypots work, their benefits, and demonstrate how they can be deployed to bridge the gap between prevention and anticipation.

Why Use Honeypots?

When thinking about traditional security practices, the focus has historically been on building a strong perimeter and engaging in passive, reactive defense—firewalls, intrusion detection systems, antivirus solutions, incident response processes, and more. Although many of these components are still necessary, they primarily work by reducing the probability of attacks or minimizing damage after an incident has occurred.

However, these approaches commonly lack proactive, engaged measures for learning from adversaries and anticipating future threats. What if you could go beyond reaction and actively gather intelligence on attackers? This is where deception techniques like honeypots come into play. Honeypots are designed to detect and distract attackers while simultaneously gathering valuable intelligence about their tactics, techniques, and procedures (TTPs).

What is a Honeypot?

A honeypot acts as a decoy system or network resource designed to mimic a legitimate target for a cyberattack. Unlike genuine production systems, a honeypot is intentionally vulnerable or configured to appear as an enticing target for cybercriminals. The key purpose of a honeypot usually isn’t to stop attacks directly but to learn from them and distract adversaries. When attackers interact with a honeypot’s decoy resources (user accounts, shares, or services), it records their actions and provides real-world intelligence about the attacker’s techniques and behavior.

The scope of honeypot systems is essentially limitless. For instance, an organization might stand up a honeypot system to imitate a vulnerable web application or API endpoint, allowing the team to observe web-based payloads. Some honeypots might simulate misconfigured databases, email systems, file servers, or even workstation endpoints.

Honeypots often vary in complexity, with low-interaction honeypots simulating minimal services without offering much in-depth interaction, more akin to a tripwire. These types of systems are much easier to deploy and maintain (and less resource intensive), but provide limited opportunities to capture an attacker’s interactions. 

In contrast, high-interaction honeypots provide attackers with a realistic, fully functional system to exploit (such as a Linux server or production database). A high-interaction decoy will provide much more valuable threat intelligence as it relates to an attacker’s tactics, techniques, and procedures (TTPs) and post-exploitation behavior. However, they of course require much more effort to build and monitor.

Deploying a Honeypot: Artillery

Deploying a honeypot is a strategic decision that requires planning, collaboration, and ongoing management. However, to demonstrate the power of honeypots in action, we’ll explore how Artillery can be deployed to entice, monitor, and alert on honeypot interactions on a Linux server. The Artillery project, developed by Binary Defense (TrustedSec), is an open-source blue team tool designed to act as a honeypot, monitoring solution, and alerting system: it detects connections to common ports, tracks file system modifications, and monitors for brute force attempts against network services. Although the official repository is slightly outdated and not actively maintained, it’s a perfect tool to demonstrate basic honeypot functionality.

Installing Artillery

With a fresh Ubuntu server installed, the first step is to clone the Artillery repository from GitHub. In this example, I’ve named my server prod-jenkins to mimic a production Jenkins server, making it more likely to attract attackers in the network who might believe they are targeting a critical system for software deployment.

Cloning the repository can be done by running the following command:

git clone https://github.com/BinaryDefense/artillery.git

[Screenshot: Cloning the Artillery repo]

This will acquire the necessary scripts and configuration files, allowing us to manage and deploy the honeypot onto our system.

Next, I’ll change into the artillery/ directory and run the setup.py script to initiate the installation. When Artillery installs on Linux, it sets itself up to run as a service with initialization scripts to ensure it starts on boot. Additionally, it interacts with iptables to configure firewall rules as it runs. The setup script can be run with the following command:

sudo python3 setup.py

[Screenshot: Artillery honeypot installation]

Upon running the setup script, Artillery has told us the installation is complete and we are ready to run our honeypot. By default, it installs inside the /var/artillery directory.

Configuring Artillery

With Artillery installed, the next step is to configure it to suit our specific decoy system. For example, Artillery’s configuration file allows us to define which ports and services we want to emulate and monitor, such as SSH, SMTP, HTTP, etc.

We can view the current configuration at /var/artillery/config:

[Screenshot: View Artillery configuration]
In the abridged screenshot above, we can see several TCP and UDP ports pre-defined through the TCPPORTS and UDPPORTS directives, respectively. As you navigate through the configuration file, you’ll notice additional options, such as IP whitelisting and various file directives. Artillery also allows us to specify and monitor specific directories or files, akin to a File Integrity Monitoring (FIM) solution, helping us set up tripwires for enticing locations on the server.

For simplicity’s sake, we can limit our honeypot’s ports to just 22 (SSH), 21 (FTP), and 8080, the alternate HTTP port that Jenkins listens on by default. To do this, modify the TCPPORTS directive to include only these ports and comment out the UDPPORTS line:

[Screenshot: Setting the honeypot ports]
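Editing the configuration by hand is fine for one box, but once you run more than one decoy it is worth scripting the change so that every honeypot gets exactly the ports you intend and nothing else. The following is an added example written for this post, not code from the Artillery project. It assumes (this is not stated on the page) that the config file uses shell-style `KEY="value"` lines such as `TCPPORTS="22,21,8080"` and `UDPPORTS="5060,5061"`; the sample config text, the `MONITOR` line and the `WHITELIST_IP` value are constructed for the demonstration. The function rewrites only the TCPPORTS line, comments out UDPPORTS, validates the port numbers, and leaves every other directive (whitelisting, file monitoring) untouched.

```python
import re
from typing import Iterable

# ASSUMPTION (not taken from the page): Artillery's config file uses shell-style
# KEY="value" lines, e.g. TCPPORTS="22,21,8080" and UDPPORTS="5060,5061".
# Adjust the two patterns below if your copy of the file differs.
TCP_LINE = re.compile(r'^\s*TCPPORTS\s*=\s*"[^"]*"\s*$')
UDP_LINE = re.compile(r'^\s*UDPPORTS\s*=')

# Constructed sample in the style of that file; the values are illustrative only.
SAMPLE_CONFIG = """\
# constructed sample, not the real /var/artillery/config
MONITOR="ON"
TCPPORTS="135,445,22,1433,8080,21,5900,25,53,110"
UDPPORTS="5060,5061"
WHITELIST_IP="127.0.0.1,localhost"
"""


def normalize_ports(ports: Iterable[int]) -> list[int]:
    """Return the ports in the given order, de-duplicated; reject out-of-range values."""
    cleaned: list[int] = []
    for p in ports:
        if isinstance(p, bool) or not isinstance(p, int) or not 1 <= p <= 65535:
            raise ValueError(f"invalid TCP port: {p!r}")
        if p not in cleaned:
            cleaned.append(p)
    if not cleaned:
        raise ValueError("at least one TCP port is required")
    return cleaned


def ports_are_valid(ports: Iterable[int]) -> bool:
    """Convenience wrapper: True if normalize_ports() accepts the list."""
    try:
        normalize_ports(ports)
        return True
    except ValueError:
        return False


def set_honeypot_ports(config_text: str, tcp_ports: Iterable[int], disable_udp: bool = True) -> str:
    """Rewrite the TCPPORTS line and (optionally) comment out UDPPORTS.

    Every other line is passed through untouched, so whitelist and file-monitoring
    directives keep their values. If no TCPPORTS line exists, one is appended.
    """
    new_tcp = 'TCPPORTS="' + ",".join(str(p) for p in normalize_ports(tcp_ports)) + '"'
    out: list[str] = []
    replaced = False
    for line in config_text.splitlines():
        if TCP_LINE.match(line):
            out.append(new_tcp)
            replaced = True
        elif disable_udp and UDP_LINE.match(line):
            out.append("#" + line)  # commented out, so no UDP decoys are opened
        else:
            out.append(line)
    if not replaced:
        out.append(new_tcp)
    return "\n".join(out) + "\n"


def read_ports(config_text: str, key: str) -> list[int]:
    """Return the ports on the active (uncommented) KEY="..." line, or [] if there is none."""
    pattern = re.compile(r'^\s*' + re.escape(key) + r'\s*=\s*"([^"]*)"')
    for line in config_text.splitlines():
        m = pattern.match(line)
        if m:
            return [int(p) for p in m.group(1).split(",") if p.strip()]
    return []


if __name__ == "__main__":
    # Apply the change from the post: only SSH, FTP and the Jenkins port, no UDP decoys.
    print(set_honeypot_ports(SAMPLE_CONFIG, [22, 21, 8080]))
```

To apply it to a live install, read `/var/artillery/config`, pass the text through `set_honeypot_ports`, write the result back, and confirm with `read_ports` before restarting Artillery. Keeping the write separate from the transformation makes it easy to diff the old and new file in change control, which matters on a host that is deliberately exposed.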
With our configuration changes saved, we can now start up Artillery by calling artillery.py:

sudo python3 artillery.py

[Screenshot: Starting up Artillery]

From the above terminal output, Artillery has started, verified our configuration file, enabled console logging, and created the appropriate iptables rules to expose our decoy services. Typically something like this would be run in the background as a service; running it in the foreground here gives us immediate feedback in the console for any detections.

To ensure Artillery is running as expected, we can run the netstat command to pull back listening network sockets and filter for processes related to Python, which Artillery runs on:

sudo netstat -nlp | grep python

[Screenshot: Verify Artillery is running]

In the above screenshot, we can verify our three services are listening on ports 8080, 22, and 21.
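Eyeballing the netstat output works once, but a decoy that silently fails to bind a port (for example because the real OpenSSH daemon still owns 22 on a freshly installed server) is a decoy nobody is watching. The check below is an added example for this post, not part of Artillery; it parses `netstat -nlp` output and reports, for each expected decoy port, which program holds it, so you can tell "Artillery is listening", "some other service got there first" and "nothing is listening" apart. Both netstat samples are constructed (the PIDs and the `cupsd`, `dhclient` and `sshd` entries are illustrative); `live_check` runs the real command on the current host.

```python
import shutil
import subprocess
from typing import Iterable, Optional

# Constructed sample of `sudo netstat -nlp` output (not a real capture); the
# Artillery process appears as python3 with a made-up PID.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1337/python3
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1337/python3
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1337/python3
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           600/dhclient
"""

# Second constructed sample: the real OpenSSH daemon still owns port 22 and the
# FTP decoy never came up, the two failure modes this check is meant to catch.
SAMPLE_NETSTAT_CONFLICT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      1337/python3
"""


def tcp_listeners(netstat_text: str) -> dict[int, str]:
    """Map each listening TCP port to its program name ('-' when netstat hid it)."""
    listeners: dict[int, str] = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or "LISTEN" not in parts:
            continue
        # Local address is "0.0.0.0:22" or ":::8080"; the port is after the last colon.
        port = int(parts[3].rsplit(":", 1)[1])
        pid_prog = parts[-1]
        listeners[port] = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
    return listeners


def check_honeypot_ports(netstat_text: str, expected: Iterable[int]) -> dict[int, Optional[str]]:
    """For each expected decoy port: the owning program, or None if nothing listens."""
    listeners = tcp_listeners(netstat_text)
    return {port: listeners.get(port) for port in expected}


def honeypot_ok(status: dict[int, Optional[str]]) -> bool:
    """True only when every expected port is held by a Python process (i.e. Artillery)."""
    return all(prog is not None and "python" in prog for prog in status.values())


def live_check(expected: Iterable[int]) -> dict[int, Optional[str]]:
    """Run netstat on this host (run as root, otherwise program names show as '-')."""
    if shutil.which("netstat") is None:
        raise RuntimeError("netstat not installed (on Ubuntu: apt install net-tools)")
    out = subprocess.run(["netstat", "-nlp"], capture_output=True, text=True, check=True).stdout
    return check_honeypot_ports(out, expected)


if __name__ == "__main__":
    for port, prog in live_check([22, 21, 8080]).items():
        print(f"port {port}: {prog or 'MISSING'}")
```

Scheduling `live_check` from cron and alerting when `honeypot_ok` turns false gives you a heartbeat for the decoy itself; a honeypot that has stopped listening produces no detections, which looks exactly like a quiet network.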

Detecting Attacks with a Honeypot

Now that we have our honeypot in place, we can test how it will react when someone attempts various methods of attack on our network.

FTP Detection

Now with Artillery running, we can use a second system to emulate an attacker and attempt to connect to the honeypot’s FTP service. First, I’ll note my honeypot’s IP address by running the ifconfig command:

[Screenshot: Find the honeypot’s IP address]
With a second attacker system running Kali Linux, I’ll attempt to interact with the FTP service on the honeypot. In this scenario, perhaps an attacker previously gained internal access through a different vulnerability and is looking to enumerate services or extract sensitive data from the server.
ftp <HONEYPOT_IP>

[Screenshot: Honeypot FTP connection test]

Upon connecting to the FTP service, we received a very strange, garbled output. This behavior is intentional to confuse and divert attackers. In a real-world scenario, receiving this kind of response might discourage further exploration while still allowing us to monitor and log the attempt.

If we return to our honeypot system, we’ll notice a very interesting log entry:

[Screenshot: Honeypot FTP detection log]
This log confirms that Artillery has detected suspicious activity from the attacker’s IP address (10.0.2.5) trying to connect to the FTP service (port 21) on the honeypot. A second consequence is that Artillery has now blocked all connections from our attacker’s IP address and any further attempts will be met with timeout errors.

SSH Detection

Additionally, we can perform a similar test against the decoy SSH service. A common attack vector is brute-forcing or spraying SSH credentials to gain remote access to a system. By simulating this attack against the honeypot, we’ll determine if Artillery successfully detects the brute force attempt.

On the Kali (attacker) system, I’ll initiate a brute force attack using Hydra with the following command:

hydra -l admin -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://10.0.2.11

[Screenshot: SSH brute force attempt against honeypot]

This command attempts to brute-force the SSH login for the username admin using a wordlist of common passwords. Rather than working through the password list, Hydra aborts immediately with an error about the size of the banner it received.

Upon navigating back to the honeypot system, we’ll notice that once again, Artillery was able to detect the attack:

[Screenshot: SSH brute force detection log]

Web Detection

Lastly, let’s perform one more attack against the honeypot HTTP service on port 8080. To do so, I’ll run the nikto web vulnerability scanner on Kali and point it to the honeypot server:

nikto -h 10.0.2.11 -port 8080

[Screenshot: Web attack against honeypot]

Once again, we are immediately met with a failed attempt. Back on the honeypot system, as expected by this point, we’ve successfully logged the attack:

[Screenshot: Honeypot web attack detection log]

Logging and Incident Response

It’s important to note we’re not just limited to the standard command-line console output. Artillery’s detection events can also be found in syslog, which we can verify by pulling back some of the most recent logs in the file:

tail /var/log/syslog -n 4

[Screenshot: Honeypot detection logs]
As best practice in a real deployment, a honeypot would be configured to send these detections to a centralized logging system like a SIEM. This allows us to create specific alert rules that flag future honeypot activity for rapid investigation, since any interaction with a decoy is very likely malicious. By correlating the collected IPs, timestamps, and other detection data from Artillery (or any other honeypot solution), you can more effectively scope an incident response investigation.

For example, hunting the detected source IP address across various log sources can give analysts more context into the attacker’s activity before the attack or their behavior on the honeypot system afterward. This information helps build a timeline, making it easier to identify additional kill chain actions such as privilege escalation, lateral movement, or exfiltration within the network.
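The correlation step described in the last two paragraphs (pull the detections out of syslog, pivot on source IP, and derive a time window to hunt across other log sources) is small enough to show end to end. The code below is an added example for this post and not part of Artillery. The syslog lines are constructed: the hostname prod-jenkins and the attacker address 10.0.2.5 come from the post, while the PIDs, the second address 10.0.2.7, the cron line and, importantly, the exact wording of the detection message are assumptions; Artillery's real message text differs, so `DETECT_RE` is the one thing to adapt before running this over your own `/var/log/syslog`.

```python
import re
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Constructed syslog lines. The hostname and 10.0.2.5 are from the post; the
# PIDs, 10.0.2.7, the cron entry and the detection wording are ASSUMPTIONS.
SAMPLE_SYSLOG = """\
Jun 12 14:02:11 prod-jenkins artillery[1337]: [!] Artillery has detected an attack from 10.0.2.5 on port 21
Jun 12 14:02:11 prod-jenkins artillery[1337]: [!] Artillery has blocked (and blacklisted) the IP Address: 10.0.2.5
Jun 12 14:05:40 prod-jenkins artillery[1337]: [!] Artillery has detected an attack from 10.0.2.5 on port 22
Jun 12 14:09:03 prod-jenkins artillery[1337]: [!] Artillery has detected an attack from 10.0.2.5 on port 8080
Jun 12 14:10:00 prod-jenkins CRON[2001]: (root) CMD (run-parts /etc/cron.hourly)
Jun 12 14:11:15 prod-jenkins artillery[1337]: [!] Artillery has detected an attack from 10.0.2.7 on port 22
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) artillery\[\d+\]: (?P<msg>.*)$"
)
# ASSUMED detection wording; adapt this pattern to the real Artillery message.
DETECT_RE = re.compile(r"attack from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) on port (?P<port>\d{1,5})")


def parse_detections(syslog_text: str, year: int = 2024) -> list[dict]:
    """One record per detection; block/blacklist notices and other daemons are skipped."""
    records = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        d = DETECT_RE.search(m.group("msg"))
        if not d:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "host": m.group("host"), "ip": d.group("ip"), "port": int(d.group("port"))})
    return records


def summarize_by_source(records: Iterable[dict], whitelist: Optional[set] = None) -> dict[str, dict]:
    """Pivot detections per source IP: first/last seen, dwell time, ports touched, hit count."""
    whitelist = whitelist or set()  # e.g. your own scanners, mirroring Artillery's whitelist option
    summary: dict[str, dict] = {}
    for r in records:
        if r["ip"] in whitelist:
            continue
        s = summary.setdefault(r["ip"], {"first_seen": r["ts"], "last_seen": r["ts"], "ports": set(), "count": 0})
        s["first_seen"] = min(s["first_seen"], r["ts"])
        s["last_seen"] = max(s["last_seen"], r["ts"])
        s["ports"].add(r["port"])
        s["count"] += 1
    for s in summary.values():
        s["ports"] = sorted(s["ports"])
        s["span_seconds"] = (s["last_seen"] - s["first_seen"]).total_seconds()
    return summary


def hunt_window(entry: dict, before_minutes: int = 60, after_minutes: int = 60) -> tuple[datetime, datetime]:
    """Time window to search other log sources (auth, proxy, EDR) for this source IP."""
    return (entry["first_seen"] - timedelta(minutes=before_minutes),
            entry["last_seen"] + timedelta(minutes=after_minutes))


if __name__ == "__main__":
    for ip, entry in summarize_by_source(parse_detections(SAMPLE_SYSLOG)).items():
        start, end = hunt_window(entry)
        print(f"{ip}: {entry['count']} hits on ports {entry['ports']}, hunt {start} .. {end}")
```

The per-source summary is what you would forward to the SIEM as an enrichment record: the port sequence (FTP, then SSH, then the web port within seven minutes in the sample) already tells an analyst this was enumeration rather than a stray connection, and the hunt window bounds the search across authentication, proxy and endpoint logs for what the same address did before and after touching the decoy.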

Best Practices for Deploying Honeypots

On the topic of best practices when deploying honeypots, it’s important to isolate honeypots from your actual production environment using network segmentation and firewalls to prevent attackers from using them as a pivot point. Because honeypots are often intentionally misconfigured to appear vulnerable, we need to avoid allowing an attacker to easily pivot through or stage additional attacks using our infrastructure. 

Second, while isolation is important, we also want to make our honeypots enticing. Make sure your honeypot blends seamlessly with your network by mimicking legitimate systems, including realistic naming conventions and offering realistic open ports or services. There is no point in setting up all of this infrastructure only for an attacker to immediately recognize it as a decoy and move on to legitimate targets.

Lastly, treat your honeypot as any other important intelligence asset—monitor it regularly for interactions, centralize its events, and analyze the data it collects through a feedback loop to stay ahead of the game and improve your overall threat detection capabilities.

Conclusion

In conclusion, deploying honeypots offers a supplementary approach for detecting and distracting attackers while simultaneously gathering valuable intelligence about their tactics, techniques, and procedures. While honeypots are not a replacement for traditional security measures, they provide an additional layer of pertinent and actionable threat intelligence straight from the source, helping to detect and stop potential threats before they escalate further.

If you are looking for practical blue team training TCM offers a SOC 101 course with an Academy subscription. Once you’ve learned these skills, you can provide proof of your knowledge by earning a Practical SOC Analyst Associate certification.


About the Author: Andrew Prince

Andrew is a seasoned and passionate security professional who brings a wealth of experience in areas such as security operations, incident response, threat hunting, vulnerability management, and cloud infrastructure security. With a professional background in development and system administration, Andrew offers a well-rounded perspective on his security strategy. Andrew also navigates both offensive and defensive operations to provide a holistic approach to keeping people, processes, and technology secure. He is also active in developing various Capture the Flag challenges, creating security training, and sharing knowledge through content creation. Andrew created the Security Operations (SOC) 101 course in TCM Security Academy and the Practical SOC Analyst Associate certification.


About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcm-sec.com/our-services/
Contact Us: sales@tcm-sec.com
