Specialized Honeypots for SSH, Web and Malware Attacks

Specialized honeypots for different attack types: Kippo logs SSH brute force and records shell interactions, Glastopf emulates web vulnerabilities like RFI and SQL injection, Dionaea collects malware by emulating exploitable Windows services, and Thug acts as a honeyclient to explore malicious websites automatically.

A honeypot is a decoy IT infrastructure or application component that is deployed to be attacked. It can take the form of a system, a network or an app, and may be implemented as a real or emulated resource. Since a honeypot has no other purpose, every attempt to interact with it is suspicious.

Honeypots can help discover malicious activities at a lower rate of false positives than traditional intrusion detection approaches. Honeypots can also slow down and mislead the attacker by automatically providing slow responses or incorrect information. Lastly, the logs and artifacts collected by honeypots can be used to learn about the attacker’s capabilities and intentions.

Here are several freely-available honeypot tools specialized for understanding SSH, web and malware attacks:

Kippo is an SSH honeypot that can log brute force attacks, where remote the remote attempts to guess logon credentials of an SSH server. Best of all, Kippo is able to record and replay the attacker’s interactions with the emulated shell on the fake SSH server.
Glastopf is a web application honeypot. It emulates often-exploited web vulnerabilities, such as remote and local file inclusion and SQL injection. Glastopf examines the attacker’s HTTP request and attempts to respond according to expectations to, for instance, download malicious files.
Dionaea is a honeypot for collecting malware. It emulates vulnerabilities in Windows services often targeted by malware, such as SMB, HTTP, TFP and FTP. Dionaea’s handling of the SMB protocol is particularly liked by researchers, as is its ability to emulate the execution of the attacker’s shellcode.
Thug is a client-side honeypot (honeyclient) that emulates a web browser. It is designed to automatically interact with the malicious website to explore its exploits and malicious artifacts, often in the form of JavaScript.

In addition to these honeypot tools, you might also explore Honeywall, Honeyd, and INetSim. Additional malware-focused honeypot tools are Omnivora and Amun. For additional pointers, see Wikipedia articles on Honeypots and Client Honeypots. An excellent book on this topic is Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →