
Honeypots

Typical honeypot projects (somewhat old by now):

  • Kippo: SSH honeypot
  • Dionaea: emulates an SMB server (and other services) to capture malware
  • T-Pot: multi-honeypot platform bundling several of the others
  • Elasticpot: Elasticsearch honeypot
  • https://github.com/mushorg/conpot: ICS/SCADA honeypot

Course: https://formacion.seguridadsi.com/

Typical bait inside a honeypot: an old OS, outdated applications, planted registry keys, juicy-looking files, open ports and services, modified server banners, etc.

Metaphor for active defense: leaving a house open on purpose, knowing there are thieves in the area, and watching who walks in.

Interesting acronyms:

  • MTTD - Mean Time To Detect
  • MTTR - Mean Time To Recover

Nmap (NSE scripts) and Nuclei (templates) already ship options for fingerprinting honeypots, so assume an attacker may try to detect the decoy before interacting with it; the better it mimics a real host (banners, timing, service behaviour), the more useful it is.

Some other honeypot-related distributions:

  • Active Defense Harbinger Distribution (ADHD)

Installation

Canary Tokens

URL: https://canarytokens.com/nest/

Repo: https://github.com/thinkst/canarytokens-docs/tree/master

Canary Tokens are decoy artifacts (URLs, documents, DNS names, credentials, folders, JavaScript snippets) placed in systems to detect unauthorized access or misuse. When someone interacts with the token, it silently triggers an alert to the owner.

Example: detecting a cloned (phished) copy of your website with JavaScript.

  1. Create the token at https://canarytokens.org/nest/ using the module "Create JS cloned website Token" and enter the domain your site is legitimately served from. You get back a JavaScript snippet bound to that domain.
  2. Embed the snippet in the pages you want to protect. The snippet fires when the page is loaded from a hostname other than the one you configured, which is exactly what happens when an attacker clones the site for phishing.
  3. To test it without deploying, paste the snippet into an online runner such as https://js.do/ and execute it: that page is not your domain, so the token fires.
  4. The alert arrives by email. A webhook URL can also be configured so the alert lands in your SIEM or chat tooling instead.

Other token types worth knowing:

  • RDP: a decoy .rdp connection file; opening it alerts.
  • Windows folder: a desktop.ini whose icon resource points at a UNC path on a DNS name you control. Merely browsing to the folder makes Explorer resolve that name, which triggers the alert.
  • Decoy user / service account: an account that is enabled (so it looks like a real target when an attacker enumerates the domain) but is not allowed to log on at any time. Any authentication attempt against it fails and produces an audit event that you can alert on.
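The following is an added example (not code from the course or from Canarytokens) of the last two token types built by hand on a domain: a decoy service account with an all-zero logonHours attribute, a folder token via desktop.ini, and a function that pulls the resulting failed-authentication events from the Security log. The account name, OU, folder path and token hostname are placeholders; it assumes the ActiveDirectory module and rights to create users, and the event query is meant to run on a domain controller, since Kerberos events (4768/4771) are only logged there.

```powershell
# Added example: decoy AD account + folder token + alert query.
# All names below are assumptions; replace them for your environment.
#Requires -Modules ActiveDirectory

$HoneyUser  = 'svc_backup_legacy'                        # looks like a juicy service account
$HoneyOU    = 'OU=Service Accounts,DC=corp,DC=local'     # assumed OU
$FolderPath = 'C:\Shares\Finance\Payroll_2024'           # assumed decoy folder
$TokenHost  = 'REPLACE-ME.example.invalid'               # a DNS name you control and log queries for

# --- 1. Decoy account: enabled, but never allowed to log on -------------------
# logonHours is a 21-byte bitmap (168 hours/week). All zeros = logon denied
# every hour, so the account shows up in enumeration as a live target while
# every authentication attempt fails and still produces an audit event.
$NoLogonHours = [byte[]]::new(21)
$RandomPwd    = ConvertTo-SecureString (New-Guid).Guid -AsPlainText -Force   # nobody needs to know it
New-ADUser -Name $HoneyUser -SamAccountName $HoneyUser -Path $HoneyOU `
    -Description 'Legacy backup service - do not delete' `
    -AccountPassword $RandomPwd -Enabled $true -PasswordNeverExpires $true
Set-ADUser -Identity $HoneyUser -Replace @{ logonHours = $NoLogonHours }

# --- 2. Folder token: desktop.ini pointing at a UNC path on the token host ---
# Explorer reads desktop.ini when rendering the folder and tries to resolve
# the icon path, which causes a DNS lookup for $TokenHost on the first visit.
New-Item -ItemType Directory -Path $FolderPath -Force | Out-Null
$IniPath = Join-Path $FolderPath 'desktop.ini'
@"
[.ShellClassInfo]
IconResource=\\$TokenHost\share\folder.ico,0
"@ | Set-Content -Path $IniPath -Encoding ASCII
(Get-Item $IniPath -Force).Attributes = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
(Get-Item $FolderPath).Attributes = [IO.FileAttributes]::ReadOnly   # required for Explorer to honour desktop.ini

# --- 3. Alert query: who touched the decoy account? ---------------------------
# 4625 = failed NTLM/interactive logon, 4768 = Kerberos TGT request,
# 4771 = Kerberos pre-auth failure. Filtering on TargetUserName catches all three.
function Get-HoneyAccountAlerts {
    param(
        [Parameter(Mandatory)] [string] $User,
        [int] $LastMinutes = 60
    )
    $start = (Get-Date).AddMinutes(-$LastMinutes)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4768, 4771; StartTime = $start } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the EventData fields by name instead of relying on positional Properties
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ieq $User) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                SourceIp    = $data['IpAddress']
                Workstation = $data['WorkstationName']   # only present on 4625
                Status      = $data['Status']            # e.g. 0xC000006F = logon time restriction
            }
        }
    }
}

# Usage: run on a DC, e.g. from a scheduled task that forwards hits to your SIEM
Get-HoneyAccountAlerts -User $HoneyUser -LastMinutes 1440 | Format-Table -AutoSize
```

Two caveats: give the decoy account no group memberships or real privileges, since the logonHours restriction stops logons but not everything (for example, a Kerberoastable SPN would let an attacker offline-crack the password if it were weak), and remember the folder token only fires on the first render because Explorer caches the icon lookup.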

Simulate LLMNR (Link-Local Multicast Name Resolution) requests carrying decoy credentials, so that a poisoner on the segment (Responder-style tooling) captures honey credentials; any later use of those credentials is a high-fidelity alert. invoke-honeycreds.ps1 from GitHub implements this.

Techniques to learn the current user without running whoami (which is a common detection trigger), for example reading $env:USERNAME or [System.Security.Principal.WindowsIdentity]::GetCurrent().Name from PowerShell instead of spawning whoami.exe.

https://formacion.seguridadsi.com/courses/take/especialista-en-honeypots-y-sistemas-de-decepcion

Last update: 2025-12-16
Created: October 6, 2024 19:24:59