Chasing bad guys can be an exciting and fun activity that can be achieved in many different ways. One of the best ways to chase bad guys is through the use of the best honeypot software.
If you are a target for financially motivated cyber criminals or nation-state-grade attackers, you might need deception technology to save your ass. Honeypot software has been around for many years and has recently become the secret weapon of threat hunters and purple teams worldwide.
In this post, we will explain what a honeypot is, how it works, how to use it and the list of the best honeypot software, both free and paid. Before I list the best honeypot software, let’s get familiar with honeypot software.
Honeypot software is an application or system created to attract malicious agents who try to attack computer networks through phishing, DDoS, spam and other nefarious methods.
Once an attacker falls into this trap, the honeypot lets the administrators obtain valuable data about the type of attacker, what the attacker was trying to do and identify the attacker.
The main reason you need a honeypot is to identify emerging attacks against your system’s software and collect reports to analyze and generate intelligence data which you can use to create prevention methods against threats.
There are two types of honeypots:
Production honeypot: This type of honeypot is used by public and private institutions, corporations and companies to investigate the behavior and methods of hackers seeking to attack networks on the Internet.
Research honeypot: This type of honeypot software is used by developers, blue team managers and system administrators working in institutions like schools, universities, colleges and other related associations.
Essentially, the best honeypot software lets you collect important data needed to work on different attack surface reduction techniques.
A honeypot is a trap system. It is often set up on a cloud server or VM connected to a network, but isolated and strictly monitored by network and system teams. To get noticed by hackers, honeypots are made intentionally vulnerable, with weaknesses an attacker will detect and try to exploit.
Such a weakness could be a security gap in an application or a system vulnerability like unnecessary open ports, a weak password, an outdated software version or an old unpatched kernel. Once the attacker finds a vulnerability, they will keep attacking until they gain some control of the application or box.
While the attacker is trying to exploit the gap, the honeypot administrator is watching every step carefully, collecting data from the attacker that will help to harden current security policies. The administrator can also report the attacker’s activities to legal authorities, which is what high-end corporate networks usually do.
Some honeypot software works as a decoy that distracts attackers from the vital data hosted on the actual network. When you configure your honeypot software, you need to decide how difficult it should be for the attacker to break in. If it is too easy to hack, they may lose interest.
Also, if you harden the system for the attacker too much, you will thwart any attacks and will not be able to collect any data. You should also know that some savvy attackers may detect when they are inside a honeypot.
In fact, even non-technical users can detect a honeypot using automated honeypot detectors like Honeyscore, which identifies honeypot IP addresses.
Some system engineers classify honeypots by the targeted software they are trying to expose or protect. The list could be long, but here are the most popular:
Malware honeypot: This is designed to simulate vulnerable apps, systems and APIs in order to attract malware attacks.
Spider honeypot: This honeypot is created to help block malicious ad-network crawlers and bots.
Database honeypot: Designed to catch web attackers.
Spam honeypot: Works with RBL lists to block malicious traffic.
The Best Honeypot Software
There are many honeypot software packages out there, but we have collated the best honeypot software here for you. These applications are a must for blue and purple teams. Some of them are open source.
1. SSH Honeypots
Cowrie: Cowrie is a medium interaction SSH honeypot that works by emulating a shell. The software provides a fake file system based on Debian 5.0, allowing you to add and remove files as you wish. It also saves all uploaded and downloaded files in a quarantined and secure area, so that you can easily analyze them if needed. The software can also be used as an SSH and Telnet proxy and lets you forward SMTP connections to another SMTP honeypot.
Kippo: Kippo is another SSH honeypot written in Python to detect and log brute force attacks, as well as the complete shell history performed by the attacker. This software provides a fake file system, the ability to offer fake content to attackers (e.g. user password files) and a powerful stats system known as Kippo Graph.
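Both SSH honeypots above log every login attempt, and the value comes from turning those logs into a brute-force report. The following script is an added example, not code from Cowrie or Kippo: it reads constructed lines in the style of Cowrie's JSON log (the field names eventid, src_ip, username, password and input are assumed), counts failed logins per source, records successful logins and any commands typed afterwards, and flags sources that exceed a threshold.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the style of Cowrie's JSON log (cowrie.json). The field
# names (eventid, src_ip, username, password, input) are assumed here.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"admin","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"admin","session":"a1"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"root","password":"toor","session":"a1"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"uname -a","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"pi","password":"raspberry","session":"b2"}
this line is not JSON and must be skipped
"""

def parse_events(text):
    """Parse one JSON object per line, skipping lines that are not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def summarize(events, threshold=3):
    """Count failed logins per source, record successes and commands, flag brute-forcers."""
    failed = Counter()
    creds = Counter()
    success = defaultdict(list)
    commands = defaultdict(list)
    for ev in events:
        kind = ev.get("eventid", "")
        ip = ev.get("src_ip", "?")
        if kind == "cowrie.login.failed":
            failed[ip] += 1
            creds[(ev.get("username"), ev.get("password"))] += 1
        elif kind == "cowrie.login.success":
            success[ip].append((ev.get("username"), ev.get("password")))
        elif kind == "cowrie.command.input":
            commands[ip].append(ev.get("input", ""))
    brute = sorted(ip for ip, n in failed.items() if n >= threshold)
    return {"failed_by_ip": dict(failed), "top_credentials": creds.most_common(3),
            "success_by_ip": dict(success), "commands_by_ip": dict(commands),
            "brute_force_sources": brute}
```

Run `summarize(parse_events(SAMPLE_LOG))` to get the report; the credential counter shows which username/password pairs attackers try most, which is the input for the fake password files Kippo serves.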
2. HTTP Honeypot
Google Hack Honeypot: Known as GHH, this software emulates a vulnerable web app that can be indexed by web crawlers but remains hidden from direct browser requests. The transparent link it uses keeps the honeypot from being discovered by the attacker. This allows you to test your app against Google dorks. The software provides an easy configuration file and logging capabilities for capturing critical attacker information such as user agent, IP and other details.
Nodepot: Nodepot focuses on Node.js and allows you to even run it in limited hardware like Raspberry Pi/ Cubietruck. If you run a Node.js app and want to get important information about any incoming attack and discover how vulnerable you are, this is the best honeypot software for you.
Glastopf: Glastopf is an HTTP-based honeypot that allows you to detect several types of attacks, including remote and local file inclusion and SQL injection (SQLi), and it supports centralized logging with HPFeeds.
3. WordPress Honeypot
Wordpot: Wordpot is one of the most effective WordPress honeypots and can be used to boost WordPress security. The software detects probes for themes, plugins and other common files used to fingerprint a WordPress installation. It is written in Python, easy to install and can be handled from the command line without any hassle. The software also lets you install custom Wordpot plugins.
Blackhole For Bad Bots: This software is designed to stop automated bots from wasting your bandwidth; in other words, it lets you detect and block bad bots. It works by adding a hidden link in the footer of all your pages to catch bad bots. Once a bad bot is caught, it is blocked from accessing your site.
Formidable Honeypots: This honeypot is one of the most famous honeypots used with WordPress. It is not visible to humans but will effectively detect bad bots. This does not require any configuration as you only need to activate the plugin and it will automatically be added to all the forms you use in WordPress, whether pro or free versions.
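The two traps just described, a hidden footer link that only a crawler ignoring robots.txt will follow and a hidden form field that only a bot will fill in, can be reproduced with a few lines of log processing. The script below is an added example, not code from Blackhole For Bad Bots or Formidable; the trap path, the hidden field name and the combined-format access-log lines are all constructed for it.

```python
import re
from collections import Counter

# Assumed names for this example: the hidden link target (also listed under
# Disallow in robots.txt) and the hidden form field a human never sees.
TRAP_PATH = "/trap/do-not-follow/"
HONEYPOT_FIELD = "website_url"

# Constructed access-log lines in combined log format.
ACCESS_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 2211 "http://example.test/" "Mozilla/5.0"
198.51.100.33 - - [01/Jan/2024:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 200 90 "-" "SomeCrawler/1.0"
198.51.100.33 - - [01/Jan/2024:10:01:01 +0000] "GET /trap/do-not-follow/ HTTP/1.1" 200 130 "http://example.test/" "SomeCrawler/1.0"
203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /trap/do-not-follow/?x=1 HTTP/1.1" 200 130 "-" "python-requests/2.31"
203.0.113.5 - - [01/Jan/2024:10:02:01 +0000] "POST /contact/ HTTP/1.1" 200 88 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def trap_hits(log_text):
    """Return {ip: count} for every client that requested the hidden trap link."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == TRAP_PATH:
            hits[m.group("ip")] += 1
    return dict(hits)

def blocklist(log_text):
    """Sorted IPs to deny: a Blackhole-style plugin blocks a client after one trap hit."""
    return sorted(trap_hits(log_text))

def is_bot_submission(form):
    """Form honeypot check: only a bot fills a field that is hidden from humans."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())
```

Feed `blocklist(ACCESS_LOG)` into whatever deny mechanism you use (a .htaccess rule, a firewall set); the human visitor at 192.0.2.10 never appears in it because a browser never renders the hidden link.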
4. Database Honeypots
MongoDB-HoneyProxy: This is a honeypot proxy that runs in front of a MongoDB server and logs all malicious traffic. To get it working you need GCC, g++, Node.js and a MongoDB server. It can be run inside a Docker container or another VM environment.
HoneyMysql: Created to protect SQL-based databases, this software is a simple MySQL honeypot written in Python. It is easy to install and works on most platforms.
ElasticHoney: This is an effective Elasticsearch honeypot that lets you catch malicious requests attempting to exploit remote code execution (RCE) vulnerabilities. The best thing about this honeypot software is that it is available for both Linux and Windows.
5. Email Honeypots
SpamHAT: Designed to catch spam before it reaches your inbox, SpamHAT requires Perl 5.10 or higher to work properly. You may also need to install some CPAN modules such as Mail::MboxParser, Digest::MD5::File, IO::Socket, LWP::Simple, DBD::MySQL and LWP::UserAgent, as well as having a running MySQL server with ‘spampot’.
Mailoney: Mailoney is an excellent email honeypot written in Python. You can run it in different modes including postfix_creds, open_relay and schizo_open_relay.
Honeymail: This is the best honeypot software for stopping SMTP-based attacks. Written in Go, it lets you enable numerous features to detect and prevent attacks against your SMTP servers, and it offers powerful DDoS protection against massive numbers of connections. Its features include the ability to configure custom response messages, store emails in a BoltDB file, enable StartSSL/TLS encryption and extract attacker information such as source domain, attachments, country and email parts (TXT or HTML).
6. IOT Honeypots
Kako: This software captures attack information from all incoming requests, including the full request body. It includes HTTP, HTTPS and Telnet servers and requires the Python packages Boto3, Cerberus, Click and Requests.
HoneyThing: Designed for TR-069 enabled Internet of Things devices, HoneyThing acts as a full modem/router running the RomPager web server and supporting the TR-069 (CWMP) protocol. It can emulate popular vulnerabilities such as Misfortune Cookie, Rom-0 and other RomPager flaws, and it provides an easy, polished web-based interface.
7. All-In-One Honeypots
Honeydrive: Honeydrive is a GNU/Linux distribution that comes pre-installed with a lot of active defence capabilities.
MHN (Modern Honey Network): This combines Kippo, Conpot, Dionaea and Snort and wraps them for easy installation and use.
Note: If you set up a honeypot in your live infrastructure, you will be exposed to a very high level of incoming attacks and will be playing with fire. Smart attackers can spoof and hide behind legitimate network traffic to hack you. Be careful!
Now you know what a honeypot is, how it works and the best honeypot software you can use. If you are a new player, it is not difficult to install and configure any of these honeypots. Just remember to do it in a test network separate from your production systems, at least for the first tests until you are confident enough.
Nathaniel is a tech enthusiast and a passionate blogger. He writes tech blogs and reviews products. He is also a teacher who loves designing things in PowerPoint and Photoshop and creating videos and product images in Blender.