Specialized Honeypots for SSH, Web and Malware Attacks

A honeypot is a decoy IT infrastructure or application component that is deployed to be attacked. It can take the form of a system, a network or an app, and may be implemented as a real or emulated resource. Since a honeypot has no other purpose, every attempt to interact with it is suspicious.

Honeypots can help discover malicious activities at a lower rate of false positives than traditional intrusion detection approaches. Honeypots can also slow down and mislead the attacker by automatically providing slow responses or incorrect information. Lastly, the logs and artifacts collected by honeypots can be used to learn about the attacker’s capabilities and intentions.

Here are several freely-available honeypot tools specialized for understanding SSH, web and malware attacks:

  • Kippo is an SSH honeypot that can log brute force attacks, where remote the remote attempts to guess logon credentials of an SSH server. Best of all, Kippo is able to record and replay the attacker’s interactions with the emulated shell on the fake SSH server.
  • Glastopf is a web application honeypot. It emulates often-exploited web vulnerabilities, such as remote and local file inclusion and SQL injection. Glastopf examines the attacker’s HTTP request and attempts to respond according to expectations to, for instance, download malicious files.
  • Dionaea is a honeypot for collecting malware. It emulates vulnerabilities in Windows services often targeted by malware, such as SMB, HTTP, TFP and FTP. Dionaea’s handling of the SMB protocol is particularly liked by researchers, as is its ability to emulate the execution of the attacker’s shellcode.
  • Thug is a client-side honeypot (honeyclient) that emulates a web browser. It is designed to automatically interact with the malicious website to explore its exploits and malicious artifacts, often in the form of JavaScript.

In addition to these honeypot tools, you might also explore Honeywall, Honeyd, and INetSim. Additional malware-focused honeypot tools are Omnivora and Amun. For additional pointers, see Wikipedia articles on Honeypots and Client Honeypots. An excellent book on this topic is Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz.


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more