T-Pot Honeynet: How to Set Up and Monitor Your Own Network of Decoys

In today's digital age, cybersecurity is more important than ever. With the increasing number of cyber threats, it's crucial to have a strong defense system in place to protect your organization's network from attacks. One such defense mechanism is a honeynet, which is a network of decoy systems that are designed to lure cybercriminals into revealing their methods and tactics.

T-Pot honeynet is a popular open-source honeynet solution that is easy to use and configure. It has a wide range of features that allow you to monitor your network and detect cyber threats in real-time. With T-Pot honeynet, you can create a network of decoy systems that simulate real-world environments and lure attackers into revealing their methods.

In our previous blog post “An Introduction to T-POT: The All-in-One Honeypot Solution” we discussed the system's architecture and how to install it using Terraform in Amazon Web Services (AWS), as well as how to access Kibana to view attacks. In this post, we will take a closer look at how to use and configure the T-Pot honeynet. We will cover the basics of popular honeypots inside T-Pot, how to obtain statistics from these decoys, and how to interpret the dashboards in Kibana. Whether you are a cybersecurity professional or just starting with honeynets, this article will provide you with the knowledge and tools to configure T-Pot and obtain relevant information that can be used to protect your network against cyber threats.

Requirements

The only requirement to follow along with this article is to have your own T-Pot system installed in AWS and to have access to the Web admin page and the Kibana Dashboard. You can refer to our previous article “An Introduction to T-POT: The All-in-One Honeypot Solution”.

Honeypots in T-Pot

T-Pot honeynet offers a wide range of honeypots that can be deployed to simulate vulnerable services and detect attacks against various systems and protocols. Some of the most popular decoys available in T-Pot include cowrie, dionaea, honeytrap, and conpot, each designed to lure attackers into revealing their methods and tactics. Other honeypots, such as citrixhoneypot, ddospot, and ipphoney, are designed to detect attacks against specific systems, such as Citrix remote access solutions, DDoS attacks, and IP telephony devices. In this section, you will find a comprehensive list of all the honeypots supported by T-Pot. Later on, we will provide a more in-depth description of some of the most popular honeypots.

  • adbhoney: A honeypot designed to detect attacks against Android Debug Bridge (ADB) servers.

  • ciscoasa: A honeypot designed to emulate Cisco Adaptive Security Appliances (ASAs), which are commonly targeted by attackers.

  • citrixhoneypot: A honeypot designed to emulate the Citrix Gateway VPN appliance to detect attacks against the Citrix remote access solution.

  • conpot: An ICS/SCADA honeypot that simulates vulnerable ICS/SCADA protocols to detect attacks against industrial control systems.

  • cowrie: A medium interaction SSH and Telnet honeypot that logs all brute force attempts and shell interaction.

  • ddospot: A honeypot designed to lure and detect DDoS attacks by emulating vulnerable services that are often used for DDoS attacks.

  • dicompot: A honeypot designed to simulate vulnerable DICOM (Digital Imaging and Communications in Medicine) servers to detect attacks against medical imaging systems.

  • dionaea: A high interaction honeypot that emulates vulnerable services such as SMB, FTP, and HTTP to lure attackers into exploiting them.

  • elasticpot: A web application honeypot that emulates commonly targeted web applications like WordPress, Drupal, and Joomla.

  • endlessh: A low interaction SSH honeypot that can keep an attacker connected to the honeypot for a long time, making it difficult for the attacker to realize that they are interacting with a honeypot.

  • glutton: A honeypot designed to emulate various protocols like HTTP, DNS, FTP, and SSH to detect attacks against these protocols.

  • heralding: A honeypot designed to detect reconnaissance attacks by emulating common network services.

  • hellpot: A honeypot designed to detect SSH brute force attacks by presenting the attacker with a fake shell that appears to be locked.

  • honeyd: A low interaction honeypot that emulates a wide range of services and operating systems to lure attackers into revealing their attack methods.

  • honeytrap: A high interaction honeypot that emulates commonly targeted services like SSH, Telnet, and FTP to lure attackers into interacting with the honeypot.

  • ipphoney: A honeypot designed to emulate IP telephony devices to detect attacks against VoIP systems.

  • log4pot: A honeypot designed to detect attacks against log management systems by emulating popular logging frameworks like Log4j.

  • mailoney: A honeypot designed to detect attacks against email systems by emulating SMTP, POP3, and IMAP services.

  • medpot: A honeypot designed to detect attacks against medical devices by emulating vulnerable medical devices and medical systems.

  • redishoneypot: A honeypot designed to detect attacks against Redis servers, which are often targeted by attackers.

  • sentrypeer: A honeypot designed to detect attacks against peer-to-peer (P2P) networks.

  • snare: A honeypot designed to detect attacks against network file shares by emulating SMB and NFS shares.

  • tanner: A honeypot designed to detect attacks against web servers by emulating popular web applications and web servers.

As you can see, T-Pot supports numerous honeypots, each with different features that can be useful to gather intelligence about cyberthreats. For example, there are several SSH honeypots with different features, and not all of them may be necessary. Similarly, some services, such as certain Industrial Control Systems (ICS) protocols used in the conpot honeypot, may not be used in your network. Therefore, before delving into the most popular honeypots, we'll learn how to disable unnecessary honeypots in T-Pot. This can also help you to conserve resources on your EC2 instance.

Disabling unneeded honeypots in T-Pot

To disable honeypots that are not needed in T-Pot, you will need access to the terminal of the server. There are two different methods you can use to achieve this:

  • You can use an SSH client and log into the server with your authentication key using a command similar to this one:

ssh -i {private_key_file} -p 64295 admin@{public name or ip of your EC2 instance}

  • Alternatively, you can use the T-Pot Admin UI by connecting to the URL output by the Terraform deployment. This URL should be similar to the following:

https://{public name or ip of your EC2 instance}:64294/

In this article we will use the second method. After connecting to the Admin UI, you will see a web page like the following:

[Figure: T-Pot Admin UI overview]

Click on the link “Terminal” on the left, and you will be connected to a terminal inside your server.

[Figure: T-Pot Admin UI terminal]

Once you have access to the terminal, you will need to modify the “tpot.yaml” file, which is located in “/opt/tpot/etc”, using a text editor such as nano, vi, or vim. You can use the following command to open the file for editing:

sudo nano /opt/tpot/etc/tpot.yaml

Next, comment out all of the lines belonging to each honeypot that you want to disable. For example, to disable adbhoney, you'll need to comment out all of the lines for that service, as shown below:

# Adbhoney service
#  adbhoney:
#    container_name: adbhoney
#    restart: always
#    networks:
#     - adbhoney_local
#    ports:
#     - "5555:5555"
#    image: "dtagdevsec/adbhoney:2204"
#    read_only: true
#    volumes:
#     - /data/adbhoney/log:/opt/adbhoney/log
#     - /data/adbhoney/downloads:/opt/adbhoney/dl

In this setup we disable all the services except the following:

  • cowrie: To emulate SSH and Telnet Service
  • dionaea: To emulate FTP, TFTP, Microsoft RPC, NetBIOS, SMB, SQL Server, MySQL
  • elasticpot: To emulate the Elasticsearch REST API
  • honeytrap: A high-interaction, modular honeypot that can simulate a variety of services
  • ipphoney: To emulate Internet printing Services
  • mailoney: To emulate SMTP services

Once you have made all your changes, save the file. In nano, press CTRL-X, type Y to confirm the changes, and press ENTER to save the file under the same filename. The last step is to restart the T-Pot service. To do that, issue the following command and wait a couple of minutes.

sudo systemctl restart tpot

Note: Be careful which services you disable. Some services have a “depends_on” key; the services listed under it are required for the dependent service to run, so they cannot be disabled.
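Editing tpot.yaml by hand works, but it is easy to comment out a service that another one still depends on. The following Python script is an added example (not part of T-Pot) that performs the same edit in the style shown above and enforces the depends_on rule from the note: it refuses to disable a service that any still-enabled service lists under “depends_on”. It assumes the indentation convention visible in the excerpt above (service keys at two spaces, their properties deeper) and works on the file as plain text so that existing comments survive; SAMPLE_TPOT_YAML is a constructed excerpt, not the real file.

```python
"""Comment out one honeypot service block in tpot.yaml ('#' in front of the
service key and every line nested under it), refusing when another enabled
service still lists it under depends_on.

Added example; not T-Pot's own tooling. The file is edited as plain text so
that existing comments survive (a YAML library would drop them).
SAMPLE_TPOT_YAML is a constructed excerpt; the real file is /opt/tpot/etc/tpot.yaml.
"""
import re

SERVICE_RE = re.compile(r"^  (\S+):\s*$")  # a service key sits at a 2-space indent
PROP_INDENT = 4                           # its properties are nested deeper than that


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def enabled_services(text):
    """Map each enabled (uncommented) service to the names it lists under depends_on."""
    services, current, in_services = {}, None, False
    dep_indent = item_indent = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if _indent(line) == 0:                   # top-level key: services:, networks:, ...
            in_services, current = line.startswith("services:"), None
            continue
        match = SERVICE_RE.match(line)
        if in_services and match:
            current = match.group(1)
            services[current] = []
            dep_indent = item_indent = None
            continue
        if current is None:
            continue
        if dep_indent is not None and _indent(line) > dep_indent:
            item_indent = item_indent or _indent(line)
            if _indent(line) == item_indent:     # one dependency per item line
                item = line.strip()              # "- name" (list) or "name:" (mapping)
                name = item[1:].strip() if item.startswith("-") else item.split(":")[0].strip()
                services[current].append(name)
            continue
        dep_indent = item_indent = None
        if line.strip() == "depends_on:":
            dep_indent = _indent(line)
    return services


def disable_service(text, name):
    """Return the file text with `name` commented out, or raise if it is still needed."""
    deps = enabled_services(text)
    if name not in deps:
        raise ValueError(f"{name!r} is not an enabled service")
    blockers = sorted(s for s, needs in deps.items() if name in needs)
    if blockers:
        raise ValueError(f"{name!r} is listed under depends_on by: {', '.join(blockers)}")
    lines, out, i, in_services = text.splitlines(), [], 0, False
    while i < len(lines):
        line = lines[i]
        if _indent(line) == 0 and line.strip() and not line.startswith("#"):
            in_services = line.startswith("services:")
        match = SERVICE_RE.match(line)
        if in_services and match and match.group(1) == name:
            out.append("#" + line)               # "  adbhoney:" -> "#  adbhoney:"
            i += 1
            while i < len(lines) and lines[i].strip() and _indent(lines[i]) >= PROP_INDENT:
                out.append("#" + lines[i])       # every nested property line
                i += 1
            continue
        out.append(line)
        i += 1
    return "\n".join(out) + "\n"


# Constructed excerpt in the layout of tpot.yaml (kibana depends on elasticsearch).
SAMPLE_TPOT_YAML = """\
services:

# Adbhoney service
  adbhoney:
    container_name: adbhoney
    networks:
     - adbhoney_local
    ports:
     - "5555:5555"
    image: "dtagdevsec/adbhoney:2204"

# Elasticsearch service
  elasticsearch:
    container_name: elasticsearch

# Kibana service
  kibana:
    container_name: kibana
    depends_on:
      elasticsearch:
        condition: service_healthy

networks:
  adbhoney_local:
"""

if __name__ == "__main__":
    print(disable_service(SAMPLE_TPOT_YAML, "adbhoney"), end="")
    try:
        disable_service(SAMPLE_TPOT_YAML, "elasticsearch")
    except ValueError as err:
        print("refused:", err)
```

Run as-is it prints the sample with adbhoney commented out and then shows the refusal for elasticsearch, which kibana depends on. To apply it to a live host you would read /opt/tpot/etc/tpot.yaml, write the returned text back (with sudo) and then restart with sudo systemctl restart tpot, exactly as in the manual procedure.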

Cowrie Honeypot

Cowrie is a medium interaction SSH and Telnet honeypot designed to emulate a Linux shell that attracts attackers and records their actions. The cowrie honeypot listens on ports 22 and 23 and can be used to simulate vulnerable SSH and Telnet services. Cowrie provides several decoys, including fake file systems with planted content, a simulated server message block (SMB) server, and a fake HTTP server. Cowrie is configurable and can be customized with custom banners and messages, as well as file system layouts, including planted files and folders. The cowrie logs capture all the commands and keystrokes entered by the attacker, as well as any files uploaded or downloaded during the session.

Cowrie honeypot can be used to learn about several types of attacks. One of the most common attacks against SSH services is password guessing, and cowrie honeypot logs all the username and password combinations used by attackers. Cowrie can also detect attempts to exploit known vulnerabilities in SSH and Telnet services. Additionally, attackers may try to download or upload files during their session, and cowrie can capture these files, allowing for further analysis. Cowrie honeypot is capable of detecting malware and trojans by emulating vulnerable services and allowing attackers to execute code. By monitoring and analyzing the logs captured by cowrie, defenders can better understand the tactics and techniques used by attackers and take steps to improve their security posture.

You can try the service yourself by connecting to the default SSH port of your host with the credentials “root/root”; you will then be able to navigate the file system of this honeypot.

To check all the information collected by the Cowrie honeypot, connect to the T-Pot Web UI and select the Kibana service. You will be taken to a page listing all the dashboards. Search for the keyword "cowrie" and you will see the only dashboard for this service; click on it to open the dashboard.

[Figure: Kibana Cowrie dashboard]

The Cowrie honeypot in T-Pot provides a wealth of information about attacks targeting it. In the Kibana dashboard, you can view several visualizations and data sets that provide insights into the type and frequency of attacks.

The “Cowrie Attacks Bar” and “Cowrie Attack” widgets provide a quick summary of the number of attacks over the selected time range (which you can change to the right of the search bar). The “Attack Map – Dynamic” provides a geographic view of the sources of attacks.

The “Cowrie Attacks Histogram” shows the distribution of attacks over time. The “Attacks by Destination Ports Histogram – Incoming” provides information on the ports targeted by attackers. The “Attacks by Destination Ports Histogram – Dynamic” gives a dynamic view of the targeted ports. The “Attacks by Country Histogram – Dynamic” provides a view of the geographic distribution of attackers. The “Attacker Src IP Reputation – Dynamic” shows the reputation of the source IPs. The “Attacks by Country – Dynamic” provides a dynamic view of the source countries of attackers.

The “Cowrie - Attacks by Port” graph shows the number of attacks per port. The “Cowrie Version Pie - Top 10” shows the ten SSH client version strings seen most often. The “Country Port Relation – Vega” visualizes the relationship between the attacker's country and the port attacked. The “Cowrie - HASSH / IP – Pie” shows the HASSH fingerprints of the SSH clients used by attackers.

The “Username Tagcloud – Dynamic” and “Password Tagcloud – Dynamic” show the most common usernames and passwords used by attackers. The “Attacker AS/N - Top 10 – Dynamic” provides information on the autonomous systems used by attackers. The “Src IP - Top 10 – Dynamic” shows the top attacking source IPs.

The “Cowrie Input - Top 10” provides information on the most common commands used by attackers. The “Cowrie - Top URI Downloads” shows the most common URIs used by attackers to download malicious code. The “Cowrie - Top Downloads” provides information on the files downloaded by attackers.

Together, these visualizations in T-Pot's Kibana dashboard provide valuable information about the attacks recorded by the Cowrie honeypot.
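The same counters behind the tag clouds and top-10 widgets can be produced directly from Cowrie's JSON log, which is useful for scripted reporting or for feeding another tool. The script below is an added example (not code from T-Pot or Cowrie): it reads the newline-delimited JSON that Cowrie writes (on a T-Pot host, /data/cowrie/log/cowrie.json), relying only on Cowrie's standard eventid and field names, and aggregates usernames, passwords, commands, download URIs, source IPs and the credentials that actually succeeded. The log lines in SAMPLE_LOG are constructed sample data using documentation IP ranges, with a placeholder shasum and a deliberately truncated final line.

```python
"""Summarise a Cowrie JSON log the way the Kibana widgets do: username and
password tag clouds, top commands, top download URIs and top source IPs.

Added example, not code from T-Pot or Cowrie. Reads Cowrie's newline-delimited
JSON (on a T-Pot host: /data/cowrie/log/cowrie.json). SAMPLE_LOG is constructed
data using documentation IP ranges; the shasum is a placeholder.
"""
import json
import sys
from collections import Counter

# Constructed sample: one session that guesses its way in and runs commands,
# one that only fails, plus a truncated line as seen at the tail of a live log.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.10", "session": "a1f3", "timestamp": "2023-05-01T10:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.10", "session": "a1f3", "timestamp": "2023-05-01T10:00:03.000000Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "root", "src_ip": "198.51.100.10", "session": "a1f3", "timestamp": "2023-05-01T10:00:05.000000Z"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "198.51.100.10", "session": "a1f3", "timestamp": "2023-05-01T10:00:06.000000Z"}
{"eventid": "cowrie.command.input", "input": "cat /proc/cpuinfo | grep name | wc -l", "src_ip": "198.51.100.10", "session": "a1f3", "timestamp": "2023-05-01T10:00:07.000000Z"}
{"eventid": "cowrie.session.file_download", "url": "http://203.0.113.7/sample.sh", "shasum": "0000000000000000000000000000000000000000000000000000000000000000", "src_ip": "198.51.100.10", "session": "a1f3", "timestamp": "2023-05-01T10:00:09.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.50", "session": "b7c2", "timestamp": "2023-05-01T10:02:11.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "password", "src_ip": "203.0.113.50", "session": "b7c2", "timestamp": "2023-05-01T10:02:12.000000Z"}
{"eventid": "cowrie.login.failed", "username": "ro
"""

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(lines):
    """Yield one dict per well-formed JSON line; blank or damaged lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a half-written record at the end of a live log
        if isinstance(event, dict) and "eventid" in event:
            yield event


def summarize(events):
    """Aggregate the counters behind the Cowrie dashboard widgets."""
    stats = {
        "usernames": Counter(),          # Username Tagcloud
        "passwords": Counter(),          # Password Tagcloud
        "commands": Counter(),           # Cowrie Input - Top 10
        "downloads": Counter(),          # Cowrie - Top URI Downloads
        "src_ips": Counter(),            # Src IP - Top 10 (events per source)
        "successful_logins": Counter(),  # credentials that actually got a shell
        "sessions": set(),
    }
    for ev in events:
        stats["src_ips"][ev.get("src_ip", "unknown")] += 1
        if "session" in ev:
            stats["sessions"].add(ev["session"])
        eid = ev["eventid"]
        if eid in LOGIN_EVENTS:
            stats["usernames"][ev.get("username", "")] += 1
            stats["passwords"][ev.get("password", "")] += 1
            if eid == "cowrie.login.success":
                stats["successful_logins"][(ev.get("username"), ev.get("password"))] += 1
        elif eid == "cowrie.command.input":
            stats["commands"][ev.get("input", "")] += 1
        elif eid == "cowrie.session.file_download":
            stats["downloads"][ev.get("url", "")] += 1
    return stats


def summarize_log(text):
    """Convenience wrapper: raw log text in, stats dict out."""
    return summarize(parse_events(text.splitlines()))


def print_report(stats, n=10):
    print(f"sessions: {len(stats['sessions'])}")
    for key in ("src_ips", "usernames", "passwords", "commands", "downloads"):
        print(f"\n{key} (top {n}):")
        for value, count in stats[key].most_common(n):
            print(f"  {count:5d}  {value}")
    print("\ncredentials that succeeded:")
    for (user, password), count in stats["successful_logins"].most_common(n):
        print(f"  {count:5d}  {user}/{password}")


if __name__ == "__main__":
    # Pass a real log path (e.g. /data/cowrie/log/cowrie.json) to analyse it;
    # with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print_report(summarize(parse_events(fh)))
    else:
        print_report(summarize_log(SAMPLE_LOG))
```

The “successful_logins” counter is the one number the dashboard does not give you at a glance: it tells you which of the guessed credentials actually opened a shell, which is exactly the list you want to compare against the credentials in use on your real systems. Damaged lines are skipped rather than aborting the run, because a live cowrie.json routinely ends in a partially written record.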

Dionaea Honeypot

Dionaea is a low-interaction honeypot that simulates vulnerable services to lure attackers into interacting with it. It is primarily designed to capture and analyze malware samples, collect attacker tools and techniques, and provide intelligence about the latest attack trends. In T-Pot, Dionaea is configured to expose a range of services such as SMB, FTP, MongoDB, Microsoft SQL, MySQL and MQTT Messaging Service on multiple ports. Once an attacker interacts with the honeypot, it logs the attacker's behavior, including the commands issued, files downloaded or uploaded, and other relevant details.

By analyzing the logs and reports generated by Dionaea, security researchers can gain insights into the latest attack trends, the tactics, and techniques used by attackers, and the types of malware that are currently in circulation. For example, the T-Pot Kibana dashboard provides a range of visualizations that summarize the types of attacks that have been performed against Dionaea, including a bar chart of the most common attack types, a histogram of the attacker source IP addresses, and a world map that highlights the countries from which attacks originated. Other visualizations include a histogram of the destination ports targeted by attackers, a pie chart that shows the most common protocols used in attacks, and a tag cloud of the most commonly used usernames and passwords. All of these insights can be used to improve an organization's security posture and enhance their threat intelligence capabilities.

To access the Dionaea dashboard in Kibana, search the dashboards list for the term “dionaea” and open the link; you will be presented with the following dashboard.

[Figure: Kibana Dionaea dashboard]

Elasticpot Honeypot

Elasticpot is a low-interaction honeypot designed to emulate various Elasticsearch-related services and applications. It is one of the honeypots supported by T-Pot and allows for easy deployment of an Elasticsearch honeypot. The honeypot can be used to attract and detect various types of attacks, such as attempts to exploit vulnerabilities in Elasticsearch, brute force attacks on Elasticsearch credentials, and other types of reconnaissance and data exfiltration attempts. Elasticpot exposes the REST API on port 9200, the port that receives all API calls over HTTP, including search and aggregations, monitoring, and anything else that uses HTTP requests. Elasticpot provides a way to simulate a real Elasticsearch environment, and the data it collects can be used to gain insights into the tactics, techniques, and procedures (TTPs) of attackers targeting Elasticsearch.

By analyzing the data collected by Elasticpot, it is possible to gain a better understanding of the attacks targeting Elasticsearch and the techniques used by attackers. The data collected by the honeypot can be visualized using the Kibana service. Some of the widgets in the dashboard available in Kibana for Elasticpot include Elasticsearch Activity, which shows the types of queries and operations performed on the honeypot's Elasticsearch instance, and Top Queries, which shows the most common queries performed by attackers. In addition to these widgets, Elasticpot also provides information on the source IP addresses, geolocation data, and ASNs of attackers, as well as the payloads used in various attacks. Overall, Elasticpot provides a powerful and easy-to-deploy honeypot for detecting and analyzing attacks targeting Elasticsearch.

[Figure: Kibana Elasticpot dashboard]

Please note that the number of attacks on this honeypot is comparatively lower than on the others. The reason for this is that the more specialized a service is, the fewer attackers will try to exploit it. Only the few attackers who are specifically looking for opportunities to exploit these services will attempt to attack this honeypot.

Honeytrap Honeypot

Honeytrap is a low-interaction honeypot designed to emulate various protocols and services, allowing it to detect and analyze various types of attacks. It operates in nfq monitor mode, which means that it intercepts network traffic through the Netfilter queue (NFQUEUE) system, allowing it to observe and capture incoming traffic for analysis. By emulating various services and protocols, honeytrap can capture and analyze a wide range of attacks, including those that target web servers, email servers, and other types of network services.

In terms of the types of attacks that honeytrap can detect, it is capable of identifying and analyzing a wide range of network-based attacks, including brute-force attacks, buffer overflow attacks, SQL injection attacks, and many others. It can also capture and analyze malware that is delivered through network traffic, providing valuable insights into the tactics and techniques used by attackers to distribute and execute malware.

T-Pot includes honeytrap as one of its supported honeypots, and the data captured by honeytrap is presented in the Kibana dashboard. The dashboard for honeytrap includes a variety of visualizations and data summaries, including charts showing the number of attacks detected over time, the types of protocols and services that were targeted, and the geographic locations of the attackers. It also includes detailed information about individual attacks, including the source IP addresses, the type of attack, and any payloads that were delivered.

[Figure: Kibana Honeytrap dashboard]

Ipphoney Honeypot

IPPHoney is a honeypot designed to mimic internet printing services, which are commonly used in offices to print documents from a variety of devices. It emulates a number of common printing protocols, including LPR, IPP, and JetDirect, and records any attempts to access these services. Like other honeypots, the goal is to attract attackers and record their activities, giving defenders valuable insights into the types of attacks that are currently being used and the tactics that are being employed.

When an attacker attempts to connect to an IPP service, the honeypot records the IP address of the attacker, as well as the time and date of the connection. It also records any commands that are sent to the service, allowing analysts to study the techniques that attackers are using to exploit the service. Some of the attacks that IPPHoney can detect include buffer overflow attacks, command injection attacks, and directory traversal attacks. By studying the methods that attackers are using, defenders can better prepare their systems to resist these types of attacks and develop more effective security strategies.

In T-Pot's Kibana dashboard, the IPPHoney honeypot shows a number of visualizations that provide insights into the types of attacks that are being detected. For example, the dashboard includes a histogram that shows the number of attacks over time, as well as a map that shows the geographic location of the attackers. It also includes a table that lists the top attackers by IP address, as well as their activity level and the protocols that they are using. Finally, the dashboard includes a list of the top commands that attackers are using, allowing defenders to see the techniques that are currently in use and develop effective countermeasures.

[Figure: Kibana IPPHoney dashboard]

Mailoney Honeypot

Mailoney is a honeypot designed to mimic an SMTP server and capture malicious traffic and attacks targeting email services. The honeypot works by emulating a full SMTP service, accepting incoming email messages, and logging all traffic and interactions with the service. The honeypot can detect a variety of attacks, including attempts to relay spam emails, brute-force attacks against user credentials, and attempts to exploit vulnerabilities in the email server software.

In T-Pot, the Mailoney honeypot is configured to capture data, store it in Elasticsearch, and display it in Kibana dashboards. The Kibana dashboard for Mailoney includes visualizations of different aspects of the captured data, such as the number of messages received, the source IP addresses of incoming connections, the authentication attempts, and the types of attacks detected. Additionally, the dashboard includes charts that show the distribution of message types, the email addresses targeted, and the geographic distribution of the attackers. By analyzing these visualizations, researchers can gain insights into the methods and motivations of attackers targeting email services and develop strategies to improve email security.

[Figure: Kibana Mailoney dashboard]

In conclusion, honeypots are an essential tool for detecting and analyzing attacks in a controlled and isolated environment. T-Pot is a powerful honeypot platform that offers a wide range of honeypots, each one specialized in detecting different types of attacks. With T-Pot, you can monitor attacks on various services and protocols, such as SSH, HTTP, FTP, DNS, and more, and gain insights into attacker behavior, including the tools and techniques they use.

Moreover, the Kibana dashboard provides a comprehensive view of the data collected by the honeypots, including visualizations, charts, and graphs that can help you understand the nature and scope of the attacks. With T-Pot, you can stay one step ahead of attackers and gain valuable knowledge that can help you improve your security posture. Overall, T-Pot is an excellent choice for organizations that want to enhance their threat intelligence capabilities and protect their networks from sophisticated attacks.

One constant we've seen in this article is the number of attacks received in a short amount of time on different services. These services are fake, but what if they were your real Internet edge and your actual services exposed to the world? As a business, you need to be aware of your security posture. Bokeh Solutions offers professional penetration testing and security audits to protect your business's Internet edge. Our team of experienced experts can help you identify vulnerabilities in your network and provide actionable recommendations to enhance your security. Don't wait until it's too late: contact us today to schedule a consultation and ensure your business is well-protected.
