Glutton 1.0 Release

23 Sep 2023 Lukas Rist honeypot glutton

I’d like to announce the 1.0 release of the server-side, low-interaction honeypot Glutton!

We have built Glutton as a versatile honeypot, capable of receiving any network traffic by accepting connections on any port. Being very easy to adapt and extend, Glutton is a fantastic tool to understand network threats.

GSOC 2020 PROJECT SUMMARY: HosTaGe

29 Sep 2020 Irini Lygerou honeypot mobile mobile-hostage
HosTaGe: a mobile honeypot
Why I chose this project
I am passionate about network security, cybersecurity, and programming, and I wanted to get involved with a project that includes it all. The HosTaGe project drew my attention because I found the idea really fascinating that any Android device can be turned into a honeypot and transformed into an essential tool for attack detection. I wanted to work on this project because it allowed me to improve this new generation of mobile honeypots and consequently improve the security of the internet in general.

Dionaea honeypot: from Conficker to WannaCry + SambaCry CVE 2017-7494

30 May 2017 Roberto Tanara dionaea honeypot sambacry wannacry
This is a contribution by Tan Kean Siong; follow him on Twitter @gento_. The open source honeypot Dionaea has supported SMB for a long time but lacked support for the recent WannaCry ransomware SMB vulnerability and the most recent Samba RCE vulnerability CVE 2017-7494, dubbed “SambaCry”, both wormable attacks. With the recent changes, both attack vectors are supported and the respective samples have been caught in the wild. Dionaea is a low-interaction, server-side honeypot which emulates a vulnerable system or device.

Initial analysis of four million login attempts

09 Sep 2016 Johnny Vestergaard analysis heralding honeypot
Introduction
This blog post is a follow-up to an earlier article, where I set out to conceive a system that could deliver the data needed to answer 5 specific questions.
The setup
To provide the data needed for this analysis, my setup consisted of 4 VPS situated respectively at Amazon EC2, Azure, MeeBox and a Danish ISP end-user connection. Even though the same 4 VPS were used throughout the data collection, 6 different IP addresses were used for the honeypots; the reason for this was that one of the honeypots had a dynamically assigned IP address.

Heralding - the credentials catching honeypot

23 Mar 2016 Johnny Vestergaard heralding honeypot
Sometimes (actually, most times) you don’t need advanced deception technology, but rather just a simple tool to answer some simple questions. I was recently in that situation, and needed the answers to the following questions:
Which protocols does my adversary try to brute-force?
Which username and password did he use?
At which speed did he brute-force?
From where did he proxy?
What time of day did he brute-force?
To answer these questions, I needed a tool that would output something similar to:

Improved logging capabilities of dionaea

14 Dec 2015 Stanislav Barta dionaea frontend honeypot
Hello, recently I made forks of dionaea and DionaeaFR. The changes I made relate to remote logging to a relational database. The Dionaea honeypot can now log remotely to a PostgreSQL database. In the DionaeaFR frontend I had to make some changes so it could support reading data from PostgreSQL. The links are github.com/GovCERT-CZ/dionaea and github.com/GovCERT-CZ/DionaeaFR. I think that someone could use this, so I wrote this post. Have a nice day, Stanislav Bárta

Frontends for shockpot and wordpot

04 Dec 2015 Stanislav Barta frontend honeypot shockpot wordpot
Hello, recently I published forks of shockpot and wordpot on GitHub. These new versions include support for logging to a PostgreSQL database. I also created two frontends: one for shockpot, named Shockpot-Frontend, and a second for wordpot, named Wordpot-Frontend. Both frontends are based on the great tool Kippo-Graph. You can also find them on GitHub. The links are github.com/GovCERT-CZ/Shockpot-Frontend and github.com/GovCERT-CZ/Wordpot-Frontend. These frontends require the honeypot data to be stored in a PostgreSQL database, and that’s why I made forks of those honeypots.

Conpot 0.5.0 released

13 Nov 2015 Lukas Rist conpot honeypot ics scada
The Conpot development team is proud to announce the 0.5.0 release. Highlights of this release are the support for two new protocols and one additional device. Peter Soóky made a major contribution with support for the BACnet protocol, which is used for building automation and control networks, and support for IPMI, which is used as an interface to a computer subsystem that provides management and monitoring capabilities independently of the host system’s CPU, firmware and operating system (consider the insights you can get from someone exploiting this).

Gas Tank Monitoring System Honeypot

09 Sep 2015 Lukas Rist conpot honeypot ics
The Conpot team is closely following the latest developments in honeypot research and the methods and technologies used. If you look at the topics presented at security conferences, you might also have noticed an increased interest in ICS security and honeypot technologies in the last two years. One presentation from this year’s Blackhat’15 conference caught my attention, also knowing the previous research done by Kyle and Stephen: “The little pump gauge that could: Attacks against gas pump monitoring systems” [link]. If you are interested in their findings, I recommend their white paper: “The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems” [link, pdf] by Kyle Wilhoit and Stephen Hilt from Trend Micro’s Forward-Looking Threat Research team.

Get STIX Reports from ICS Honeypot Conpot

06 Aug 2014 Lukas Rist conpot honeypot ics scada stix taxii
The team working on the ICS/SCADA honeypot Conpot just merged more mature support for STIX (Structured Threat Information eXpression) formatted reporting via TAXII (Trusted Automated eXchange of Indicator Information) into the master branch on GitHub. STIX allows us to represent event sessions captured by the honeypot in a structured format, which eases the integration of Conpot into existing consumer (e.g. SIEM) infrastructures. By transforming an arbitrary honeypot event into a schema-defined format, we are able to communicate an incident in a language that is also understandable by someone not trained in interpreting industrial protocol messages.