Go To Home

Open Source Honeypots That Detect Threats For Free

by Smokescreen Team

Open source honeypots

If you’re a target for either financially motivated cyber criminals, or nation state grade attackers, chances are your security team feels outgunned. Deception technology excels at detecting these attacks by shifting the cognitive, economic and time costs of the attack back onto the attacker. The principles of deception have been around for years, and recently, they’ve become the secret weapon of purple teams and threat hunters worldwide. Here’s the good new — You can start seeing the benefits of deception for free using open source honeypots that can be deployed immediately.

Deception is so crucial to detecting lateral movement, uncovering privilege escalation, and building threat intelligence, that any deception, even open-source honeypots are valuable. Whenever we’re on the road, we make it a point to give a shout-out to some of these tools, and will happily help you plan how you can use them. And we’ll do this for free, no strings attached. Just get in touch!

Caveat Emptor: You get what you pay for — Some of these tools may no longer be supported, and will require leg-work to setup and see results. However, they’re a great way to get familiar with deception. They’re also emulations, not real systems, so don’t expect high-interaction activity. While we’ll offer friendly advice around how you can use them, we don’t officially support them.

For more on planning effective deception, check out our strategy focused blog-posts:

Network services honeypots

  • Cowrie – Cowrie is an SSH honeypot based off an earlier favourite called Kippo. It will emulate an interactive SSH server with customisable responses to commands. Another alternative is HonSHH which sits between a real SSH server and the attacker, MiTMing the connection and logging all SSH communications.
  • Dionaea is a multi-protocol honeypot that covers everything from FTP to SIP (VoIP attacks). Where it really excels is for SMB decoys. It can even simulate malware payload execution using LibEmu to analyse multi-part stagers.

IOT (Internet of Things) honeypots

  • Honeything emulates the TR-069 WAN management protocol, as well as a RomPager web-server, with vulnerabilities. Other IoT decoys can be created by emulating embedded telnet / FTP servers, for example with BusyBox.

SCADA/ICS honeypots

  • ConPot emulates a number of operational technology control systems infrastructure. These include protocols like MODBUS, DNP3 and BACNET. It comes with a web-server that can emulate a SCADA HMI as well.
  • GasPot emulates a Veeder Root Gaurdian AST that is commonly used for monitoring in the oil and gas industry.

Database and NoSQL honeypots

  • MongoDB-HoneyProxy emulates an insecure MongoDB database. Hackers regularly scan the interwebs looking for administrators who had an ‘oops moment’ and exposed their DB to the world.
  • ElasticHoney emulates an ElasticSearch instance, and looks for attempted remote code execution.

Credential honeypots and honeytokens

  • DCEPT by Dell SecureWorks places deceptive credentials in Microsoft’s Active Directory.
  • Canarytokens by the great guys at Thinkst let you place different types of decoy data across your systems, waiting for an attacker to trigger them.

Honeyclients and malware analysis

  • Thug is a ‘honeyclient’ that mimics the behaviour of a web-browser to analyse client-side exploits. It can be used to analyse dodgy links, determining whether they serve up malicious JavaScript, ActiveX or Flash components. It can download payload samples and integrates with VirusTotal to analyse what gets served.
  • Cuckoo Sandbox is not really a honeypot, but it’s a great sandbox for malware analysis. You can safely and programmatically execute possible malware samples, including binaries, Microsoft Office documents and emails within a Cuckoo VM. You’ll receive a full report on what the code executed, what file / registry changes were made, and what network callbacks were observed. Pair it with VMCloak to automatically build sandbox VMs that are harder for malware to fingerprint.


  • Honeydrive is a GNU/Linux distribution that comes pre-installed with a lot of active defence capabilities. Consider it the anti-Kali.
  • MHN combines Snort, Kippo, Dionaea and Conpot, and wraps them for easy installation and use.

Setting up most of these open source honeypots in a lab should be a fairly simple weekend project for seasoned security professionals. You can then run red-team style attacks against them to understand what sort of telemetry you can expect. Finally, you can tweak the source to reduce how easily they can be fingerprinted (don’t forget to submit patches to the authors if you do).

If you’d like to take the next step with professional deception technology, check out our IllusionBLACK platform by seeing a live demo.

#deception#incident response#malware#strategy#Tools

Continue Reading

Have you tried out IllusionBLACK yet?
  • Detect zero-days, APTs, and insider threats
  • 10x the detection capabilities with 1/2 the team
  • Get started in minutes, fully functional in hours
Schedule a demo
Go to home

Simple solutions for detecting and containing threats. Working with us does not break the bank or your spirit. We’re the company of choice for offensive security teams with a Net Promoter Score of 70+.

© 2015-2021 Smokescreen. All rights reserved.

Solutions For
Web Application AttacksLateral MovementRansomware AttacksTargeted ThreatsSocial EngineeringMalware-less Attacks