General understanding:
Honeypots are network-connected devices that look very vulnerable and attractive to an attacker, but the sole reason for their existence is that they are meant to be attacked. The honeypot can also be referred to as a computer
So basically, the system is designed to intentionally have vulnerabilities.
(1) A group of such honeypots is called a honeynet: multiple systems present on one network, all of which are vulnerable and can be attacked.
(2) Honeynets can also contain real-time applications and services in order to attract the attacker to exploit the
(3) These applications are given attractive names like "finance" or "important documents", etc.
Why do they exist?
Drawbacks first:
(1) It leaves a deliberately vulnerable system on your network (if the honeypot is compromised it must not be usable as a pivot into production systems).
(2) Designing a system for the task is tedious.
(3) Expensive to build.
Main reasons for existence:
(1) You learn the different types of attacks that can be carried out and hence develop more secure and reliable networks.
(2) Develop an alert system during the process of breaching the
(3) To have an in-depth study of the activities of the attackers.
(4) Diverting the attacker from the original application, giving the attacker the misconception that he/she managed to hack the real system.
Types of honeypots:
(1) Database honeypot:
Databases are a prime target for SQL injection (SQLi) attacks, so a decoy (trap) database can be deployed alongside the real one. The intruder runs through the trap database while the web application still
(2) Email traps, also called spam traps:
Used for collecting spam messages. The trap address is never used for legitimate mail, so anything sent to it is spam; the honeypot flags the sender and blocks that email address from sending to other users on the same network.
(3) Malware honeypot:
Imitates the software, services or removable media that malware targets in order to attract and capture malware samples, which can then be analysed. For example, emulating a USB storage device catches malware that spreads through USB drives.
(4) Pure honeypot:
A full copy of a production system. For example, make an instance of a working application and redirect the attacker to a fake database.
Based on interaction with an attacker:
(1) Low interaction honeypot:
Simulates only the services most frequently probed by attackers. Mainly used just to alert.
(2) Medium interaction honeypot:
Offers more activity than a low interaction honeypot and less
(3) High interaction honeypot:
Imitates the activities of a real system and offers a wide variety of services to the attacker, letting the attacker interact as much as possible with the OS. Commercially expensive.
Hands on Session
Penetration Testing Tool
Programmed in Ruby, it is a security kit that will help ethical hackers to perform their job more
Compatible with Windows, Linux,
(1) Download the file in the browser. The URL is:
(2) Extract the downloaded archive using
tar -xvf filename
(3) Go to the folder and start
(1) Selecting Auto Configuration starts the honeypot service on port 80, the default HTTP (web service) port.
Access Denied but are we missing
(1) The GET request line specifies the resource (path) the client is asking for. The default is
(2) Host: the hostname or IP address (and port) the client addressed the request to.
(3) User-Agent: the name of the browser followed by the OS (Linux here). Gecko is the browser engine used
(4) Accept: the content types the client is willing to receive.
(5) Accept-Language: the language(s) in which the client prefers to receive the data.
(6) Connection: type of connection, persistent (keep-alive) or non-persistent (close). If persistent, the connection is not closed after every request.
(1) What if the user appends a query string to the request?
(2) Will the request be seen on the admin side?
Yes, it will. The honeypot logs the full request, including the query, and this lets us track the attacker's activity.
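To make the request fields above concrete, here is an added example (my own code, not part of the slides or of the tool they demonstrate) that parses a raw HTTP request the way a web honeypot on port 80 would log it, and flags query-string values that look like the injection attempt asked about above. The two sample requests, the signature regexes and the log format are constructed for illustration, not taken from any real capture or product.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed samples (not real captures): the kind of raw request a web honeypot
# on port 80 receives. The second one carries an injection attempt in its query.
SAMPLE_PLAIN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: 192.168.56.101\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)
SAMPLE_SQLI = (
    "GET /login.php?user=admin&id=1%27%20OR%201%3D1-- HTTP/1.1\r\n"
    "Host: 192.168.56.101\r\n"
    "User-Agent: sqlmap/1.0\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Hypothetical, deliberately small signature set; a real deployment would use a
# maintained ruleset rather than three regexes.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)(\bor\b|\band\b)\s+\d+\s*=\s*\d+|union\s+select|--\s*$|;\s*drop\b")),
    ("path_traversal", re.compile(r"\.\./")),
    ("cmd_injection", re.compile(r"[;&|`]\s*(cat|ls|id|wget|curl|nc)\b")),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, headers, query and body."""
    head, _sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # parse_qsl percent-decodes, so '1%27%20OR%201%3D1--' becomes "1' OR 1=1--".
    query = parse_qsl(parts.query, keep_blank_values=True)
    connection = headers.get("connection", "").lower()
    # HTTP/1.1 is persistent unless told to close; HTTP/1.0 only if asked to keep alive.
    persistent = connection != "close" if version != "HTTP/1.0" else connection == "keep-alive"
    return {
        "method": method,
        "path": parts.path,
        "version": version,
        "query": query,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "accept": headers.get("accept"),
        "accept_language": headers.get("accept-language"),
        "persistent": persistent,
        "body": body,
    }


def flag_request(req):
    """Return (parameter, signature) pairs for query values that match a signature."""
    hits = []
    for name, value in req["query"]:
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((name, label))
    return hits


def log_line(req):
    """One line per request, the way an admin console would show it."""
    flags = ",".join(f"{p}:{s}" for p, s in flag_request(req)) or "-"
    return (f'{req["host"]} "{req["method"]} {req["path"]} {req["version"]}" '
            f'ua="{req["user_agent"]}" persistent={req["persistent"]} flags={flags}')


if __name__ == "__main__":
    for raw in (SAMPLE_PLAIN, SAMPLE_SQLI):
        print(log_line(parse_request(raw)))
```

The decoding step matters: the attacker sends the payload percent-encoded, so signatures must run on the decoded parameter value, not on the raw request line, or a trivially encoded `'` slips past.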
(1) Linux distro.
(2) Virtual appliance based on Xubuntu.
(3) It is the premier honeypot OS; it has about 10 pre-configured honeypot software packages such as Kippo (SSH) and Dionaea (malware
(4) More than 90 tools for malware analysis, forensics and network monitoring.
The most important file, the README on the desktop, contains all the details of the configuration of the various honeypots and the malware scanning tools.
The paths, passwords, etc. are all stored in the README.
Kippo is a medium interaction SSH honeypot written in
The main job of Kippo is to log brute force attacks against the system and to collect complete information about the entire shell interaction carried out by the attacker.
Kippo consists of a fake filesystem, tricking the attacker into thinking that it is a legitimate one.
Interesting features of Kippo:
(1) Fake filesystem with the ability to add/remove files. The system resembles a Debian 5.0 install.
(2) Adding contents to important files like
(3) Session logs are stored and a complete analysis of the attacker is done using kippo-graph.
To start Kippo:
(1) Browse to your /honeydrive/kippo folder.
(2) Start Kippo using the command ./start.sh
(3) You will receive a message which says kippo running in
(4) Kippo has started successfully.
To test Kippo:
(1) Open another terminal and ssh to your localhost.
(2) Once you connect, it asks for a password.
(3) The default password is '123456'.
(4) On entering the password, the prompt root@svr03 shows you have successfully entered the fake filesystem.
(5) Browse through the fake filesystem and explore the files.
(6) Check with nmap that port 22 (or whatever port ssh_port in kippo.cfg is set to) is listening.
Task 1: CHANGE THE PASSWORD FOR AN
Description: The default password was '123456'; add another password, 'anonymousclub', and ssh into your localhost.
Clue: Where do you think passwords would be
Browse to /honeydrive/kippo/data/userdb.txt
Add another line to the file.
Save and exit. Now ssh back to check if
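An added example for Task 1 (my own code, not Kippo's): it works on the userdb.txt format Kippo reads, one username:uid:password entry per line, appends the new credential without duplicating it, and mirrors the login check so you can confirm the file before reconnecting. The sample file content, the helper names and the '!'/'*' rules in check_login are assumptions from my recollection of kippo/core/auth.py; verify them against your copy.

```python
import os
import tempfile

# Constructed sample standing in for /honeydrive/kippo/data/userdb.txt, which ships
# with the default root:0:123456 entry. One "username:uid:password" per line.
SAMPLE_USERDB = "root:0:123456\n"


def parse_userdb(text):
    """Parse userdb.txt into (username, uid, password) tuples, skipping blanks and # comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)  # split at most twice: a password may itself contain ':'
        if len(fields) != 3:
            raise ValueError(f"userdb line {lineno}: expected username:uid:password, got {line!r}")
        user, uid, password = fields
        entries.append((user, int(uid), password))
    return entries


def add_password(text, user, uid, password):
    """Return the userdb text with a new credential appended (no duplicate lines)."""
    if (user, uid, password) in parse_userdb(text):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{user}:{uid}:{password}\n"


def check_login(text, user, password):
    """Mimic Kippo's checklogin(): an '!pw' entry explicitly denies pw, '*' accepts any
    password (assumed from my recollection of kippo/core/auth.py; verify against your copy)."""
    for db_user, _uid, db_password in parse_userdb(text):
        if db_user != user:
            continue
        if db_password == "!" + password:
            return False
        if db_password in (password, "*"):
            return True
    return False


def add_password_to_file(path, user, uid, password):
    """Apply add_password() to a file on disk: write a temp file, then rename over the original."""
    with open(path, "r", encoding="utf-8") as fh:
        updated = add_password(fh.read(), user, uid, password)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(updated)
    os.replace(tmp, path)
    return updated


if __name__ == "__main__":
    # Task 1 from the slides: keep 123456 and also accept 'anonymousclub' for root.
    updated = add_password(SAMPLE_USERDB, "root", 0, "anonymousclub")
    print(updated, end="")
    print("root/anonymousclub accepted:", check_login(updated, "root", "anonymousclub"))
```

Against the real VM you would call add_password_to_file("/honeydrive/kippo/data/userdb.txt", "root", 0, "anonymousclub"); the entry is `root:0:anonymousclub`, and the uid field must stay 0 so the attacker still lands in the root@svr03 shell.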
Where do you think the details of the entire configuration for the honeypot are stored?
Just browse to kippo.cfg in the same kippo folder. It contains all the details to configure the
Kippo-Graph - the tool for analysing the attacker.
(1) Go to your web browser and type in
(2) Select Kippo-Graph.
(3) Select Kippo-Input.
(4) Select Kippo-Playlog.
(5) Select Kippo-IP.
Based on the understanding of the filesystem, complete the
Task: Modify the fake filesystem to add a new file or directory to the system such that every time an attacker sshes into the honeypot, it shows your created file or directory.
Clue: Recall how the fake filesystem is actually built using a Python script and pickle.
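An added example for this task (my own code, not Kippo's createfs.py): it builds nodes in the list layout Kippo's pickled fake filesystem uses, walks the tree, plants a directory and a file under /root, and round-trips the result through pickle exactly as save/load would. The field indices and type codes are my recollection of kippo/core/fs.py, the miniature tree is constructed rather than loaded from a real data/fs.pickle, and the helper names are mine; check the constants against your copy of fs.py before writing a real fs.pickle.

```python
import pickle
import time

# Node layout of Kippo's data/fs.pickle (built by utils/createfs.py): each node is a
# plain list indexed by these constants. Indices and type codes are as I recall them
# from kippo/core/fs.py; verify against your copy before editing a real fs.pickle.
A_NAME, A_TYPE, A_UID, A_GID, A_SIZE, A_MODE, A_CTIME, A_CONTENTS, A_TARGET, A_REALFILE = range(10)
T_LINK, T_DIR, T_FILE = 0, 1, 2


def make_dir(name, children=None, uid=0, gid=0, ctime=None):
    return [name, T_DIR, uid, gid, 4096, 0o40755,
            ctime if ctime is not None else int(time.time()), children or [], None, None]


def make_file(name, size=0, uid=0, gid=0, mode=0o100644, ctime=None):
    return [name, T_FILE, uid, gid, size, mode,
            ctime if ctime is not None else int(time.time()), [], None, None]


def lookup(root, path):
    """Walk an absolute path down the tree; return the node or None."""
    node = root
    for part in [p for p in path.split("/") if p]:
        if node[A_TYPE] != T_DIR:
            return None
        node = next((c for c in node[A_CONTENTS] if c[A_NAME] == part), None)
        if node is None:
            return None
    return node


def add_entry(root, parent_path, entry):
    """Attach a node under parent_path, refusing non-directories and duplicate names."""
    parent = lookup(root, parent_path)
    if parent is None or parent[A_TYPE] != T_DIR:
        raise ValueError(f"{parent_path} is not a directory in the fake filesystem")
    if any(c[A_NAME] == entry[A_NAME] for c in parent[A_CONTENTS]):
        raise ValueError(f"{parent_path}/{entry[A_NAME]} already exists")
    parent[A_CONTENTS].append(entry)
    return entry


def listing(root, path):
    """Names under a directory, roughly what 'ls' shows the attacker."""
    node = lookup(root, path)
    if node is None or node[A_TYPE] != T_DIR:
        return None
    return sorted(c[A_NAME] for c in node[A_CONTENTS])


def roundtrip(root):
    """Serialise and reload the tree the same way save_fs()/load_fs() would."""
    return pickle.loads(pickle.dumps(root, protocol=2))


def load_fs(path):
    # fs.pickle is a local file you generated yourself; never unpickle attacker-controlled data.
    with open(path, "rb") as fh:
        return pickle.load(fh)


def save_fs(root, path):
    with open(path, "wb") as fh:
        pickle.dump(root, fh, protocol=2)  # protocol 2 stays readable by Kippo's Python 2


def build_sample_fs():
    """Constructed miniature tree standing in for the Debian-5.0-like data/fs.pickle."""
    t = 1234567890
    return make_dir("/", [
        make_dir("root", [make_file(".bash_history", 120, ctime=t)], ctime=t),
        make_dir("home", [make_dir("richard", [], uid=1000, gid=1000, ctime=t)], ctime=t),
        make_dir("etc", [make_file("passwd", 1024, ctime=t)], ctime=t),
    ], ctime=t)


if __name__ == "__main__":
    root = build_sample_fs()
    # The task from the slides: plant a directory and a file the attacker will see.
    add_entry(root, "/root", make_dir("backups"))
    add_entry(root, "/root/backups", make_file("db_dump.sql", 48211))
    root = roundtrip(root)
    print(listing(root, "/root"), listing(root, "/root/backups"))
```

On the VM you would load_fs("/honeydrive/kippo/data/fs.pickle"), add the entries, save_fs back to the same path (after backing up the original), and restart Kippo so it reloads the pickle. A planted file only has a size and mode; what the attacker sees on `cat` depends on the separate file-contents mechanism Kippo uses, which is outside this example.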