Honeypot Overview - Over half a million attacks in under 30 days.

My Homelab Honeypot



After being inspired by the research that comes out of the SANS Internet Storm Center with their Dshield Honeypot setup, I wanted to gather some threat intelligence from the comfort of my own homelab.

I had looked into several different services, including the DShield Honeypot, but ended up selecting the T-Pot Community Edition honeypot from Telekom Security.

It was incredibly exciting to see that this honeypot ships with the following honeypots as built-in Docker images for threat collection:

[Image: Honeypots List]

Cybersecurity Tools Built In

T-Pot also comes with some incredible tools built in:

  • Cockpit, a lightweight and secure web management console and web terminal.
  • CyberChef, a web app for encryption, encoding, compression and data analysis.
  • Elastic Stack, to beautifully visualize all the events captured by T-Pot.
  • Elasticvue, a web front end for browsing and interacting with an Elasticsearch cluster.
  • FATT, a pyshark-based script for extracting network metadata and fingerprints from pcap files and live network traffic.
  • Geoip-Attack-Map, a beautifully animated attack map optimized for T-Pot.
  • P0f, a tool for purely passive traffic fingerprinting.
  • Spiderfoot, an open source intelligence automation tool.
  • Suricata, a Network Security Monitoring engine.

Proper Network Segmentation

It is incredibly important to have proper network segmentation when implementing a honeypot in any environment.

My current setup is a commercial router running OpenWRT. OpenWRT is a suite of tooling and packages that replaces the stock firmware on a commercial home router, and it can be argued that it is typically more secure than the default firmware.

I followed a pretty good framework from "cydergoth" on setting up multiple VLANs in a home environment, but the basic network segmentation can be summed up as follows:

  • VLAN-2 is required by my ISP for the upstream link. All packets leaving the SFF router for the fiber-to-Ethernet adapter must be tagged VLAN-2, QoS-3.

  • VLAN-3 is my guest network. Devices on this network may only access the internet, not devices on the other VLANs.

  • VLAN-4 is my Internet-of-Things (IoT) network. This is where I put all of my devices like Nest thermostats, security cameras, etc.

  • VLAN-5 is my work network, where my corporate-provided laptop lives.

  • VLAN-6 is where the honeypot resides.

For more details, I'd recommend following this guide on GitHub.

Threat Intelligence - Half a million attacks later


More than half a million attacks later, I am greeted with a ton of real-world threat intelligence.

The top 12 CVEs observed being exploited are as follows:



The top usernames being tried:

root
user
admin
pi
ubuntu
test
postgres
oracle
chia
guest
git
support
zabbix
ftpuser
hadoop
mysql
ts3
ansible
Administrator

The top passwords being tried:

1
123456
Password
1q2w3e4r
password
admin
root
12345
1qaz2wsx
1234
raspberry
raspberryraspberry993311
(empty)
123
test
PASSWORD
12345678
mypassword
user
666666
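The username and password tables above are the kind of report you can build yourself from the honeypot's raw logs. The script below is an added example, not code from the original post or from the T-Pot project: it aggregates login attempts from JSON-lines events in the style of Cowrie's log (the event format and field names are an assumption), skips malformed lines so a corrupted record never aborts the report, and renders an empty password as "(empty)" the way the table above does. The log lines embedded in it are constructed for the example, with documentation-range source addresses.

```python
import json
from collections import Counter

# Constructed sample events in the style of a Cowrie JSON log (format assumed,
# not taken from the original post's data). Includes one non-login event and
# one corrupted line to show the parser skipping them.
SAMPLE_LOG = """
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.10", "timestamp": "2023-01-01T00:00:01Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "password", "src_ip": "203.0.113.10", "timestamp": "2023-01-01T00:00:02Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "198.51.100.7", "timestamp": "2023-01-01T00:00:03Z"}
{"eventid": "cowrie.login.failed", "username": "pi", "password": "raspberry", "src_ip": "198.51.100.7", "timestamp": "2023-01-01T00:00:04Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "", "src_ip": "192.0.2.55", "timestamp": "2023-01-01T00:00:05Z"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.55", "timestamp": "2023-01-01T00:00:00Z"}
{"eventid": "cowrie.login.success", "username": "admin", "password": "123456", "src_ip": "192.0.2.55", "timestamp": "2023-01-01T00:00:06Z"}
this line is not JSON and simulates a truncated record
"""

# Event ids that carry a credential pair (assumed Cowrie naming).
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_login_attempts(lines):
    """Return a list of (username, password, src_ip) for every login event.

    Malformed lines and non-login events are skipped rather than raising, because
    a honeypot log that has been rotated or tampered with should still produce a report.
    """
    attempts = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("eventid") not in LOGIN_EVENTS:
            continue
        attempts.append((event.get("username", ""), event.get("password", ""), event.get("src_ip", "")))
    return attempts


def top_credentials(attempts, n=10):
    """Most common usernames and passwords; an empty password is reported as '(empty)'."""
    users = Counter(user for user, _, _ in attempts)
    passwords = Counter(pw if pw else "(empty)" for _, pw, _ in attempts)
    return users.most_common(n), passwords.most_common(n)


def top_sources(attempts, n=10):
    """Most active source addresses, counting only login events (not bare connects)."""
    return Counter(ip for _, _, ip in attempts).most_common(n)


def summarize(log_text, n=10):
    """Build the report dictionary from raw log text."""
    attempts = parse_login_attempts(log_text.splitlines())
    users, passwords = top_credentials(attempts, n)
    return {
        "attempts": len(attempts),
        "usernames": users,
        "passwords": passwords,
        "sources": top_sources(attempts, n),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"login attempts: {report['attempts']}")
    for section in ("usernames", "passwords", "sources"):
        print(f"\ntop {section}:")
        for value, count in report[section]:
            print(f"  {count:>4}  {value}")
```

Point the same functions at the real log file (for example by reading it line by line instead of `SAMPLE_LOG`) and the result is the same two tables the post shows, plus a per-source breakdown that is useful for blocklisting at the firewall.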

Lessons Learned

This was a quick overview of T-Pot and its capabilities, which can help you at home, or any small business, gain actionable, real-time threat intelligence. Make sure that any services you expose to the internet use key-based authentication, or use Cloudflare Argo Tunnels to reach your internal infrastructure so that you don't need to expose your services at all.
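The key-based authentication advice above is easy to state and easy to get wrong in an sshd_config, so here is an added example (not from the original post) that audits a config for the directives that actually turn password logins off. It embeds a constructed weak config beside a hardened one and checks both. The default values it falls back on when a directive is absent are the ones documented in sshd_config(5) for current OpenSSH; verify them against the version you run. One caveat it encodes deliberately: sshd uses the first value it sees for each keyword, so a `PasswordAuthentication no` added at the bottom of a file that already says `yes` higher up changes nothing.

```python
import re

# Constructed sshd_config in which password auth was "disabled" by appending a line
# that sshd ignores, because the first occurrence of a keyword wins.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
PasswordAuthentication no
"""

# Constructed hardened config: keys only, no interactive password prompts, no root password.
HARDENED_CONFIG = """
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
"""

# keyword (lower-cased) -> acceptable values
REQUIRED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "kbdinteractiveauthentication": {"no"},
}

# Values sshd applies when the keyword is absent (per sshd_config(5); assumed current OpenSSH).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
}


def parse_sshd_config(text):
    """Return the effective top-level value for each keyword.

    Keywords are case-insensitive, the separator may be whitespace or '=', and the
    first occurrence wins, mirroring sshd's own parsing. Conditional Match blocks are
    out of scope for this audit (assumption), so parsing stops at the first one.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every checked directive is acceptable."""
    effective = parse_sshd_config(text)
    findings = []
    for key, acceptable in REQUIRED.items():
        explicit = key in effective
        value = effective[key] if explicit else DEFAULTS[key]
        if value.lower() not in acceptable:
            origin = "set in file" if explicit else "sshd default"
            findings.append(f"{key} is '{value}' ({origin}); expected one of {sorted(acceptable)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Run it against `/etc/ssh/sshd_config` on any box you expose and treat a non-empty findings list as a blocker before opening the port; `sshd -T` on the host itself is the authoritative view of the effective configuration, and this script is only a quick pre-check that catches the "first value wins" mistake.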