What is a Honeypot?
A honeypot is a security mechanism designed to detect, deflect, or study attempts at unauthorized use of information systems. It consists of a computer, data, or network that appears to be part of a legitimate network but is actually isolated and monitored — designed to attract and trap attackers.
Types of Honeypots
Low-Interaction Honeypots
Simulate only a limited number of services and operating system functions. Easy to deploy but provide less detailed intelligence.
Examples: Honeyd, Dionaea
High-Interaction Honeypots
Run real operating systems and services, providing attackers with a full environment to interact with. More complex to maintain but yield richer intelligence.
Examples: Cowrie (SSH/Telnet), Conpot (ICS/SCADA)
Research Honeypots
Designed to gather information about attack patterns, tools, and techniques used by threat actors. Operated by security researchers and CERTs.
Production Honeypots
Placed within production networks as early warning systems to detect and alert on unauthorized access attempts.
Common Honeypot Software
| Software | Protocols | Purpose |
|---|---|---|
| Cowrie | SSH, Telnet | Credential capture, session logging |
| Dionaea | SMB, HTTP, FTP, MSSQL | Malware collection |
| Conpot | ICS/SCADA (Modbus, S7) | Industrial control system traps |
| HoneyDB | Multiple | Honeypot data aggregation |
| T-Pot | Multiple | Multi-honeypot platform |
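As an added example (not code from the page, Zondex, or the Cowrie project), this illustrates the early-warning role of a production honeypot described above: a small triage script over constructed Cowrie-style JSON log lines. Field and event names such as eventid, src_ip, username, password and input are assumed from Cowrie's JSON log format.

```python
import json
from collections import defaultdict

# Constructed sample lines in Cowrie-style JSON log format (field names
# assumed from Cowrie's JSON output; not taken from the page).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1","timestamp":"2024-01-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"123456","timestamp":"2024-01-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"admin","timestamp":"2024-01-01T10:00:02Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"a1","username":"root","password":"toor","timestamp":"2024-01-01T10:00:03Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1","input":"uname -a","timestamp":"2024-01-01T10:00:05Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"b2","username":"admin","password":"admin","timestamp":"2024-01-01T10:01:00Z"}
"""

def summarize(log_text):
    """Aggregate per-source activity: credentials tried, successes, commands."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0, "creds": set(), "commands": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = stats[ev.get("src_ip", "unknown")]
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            s["creds"].add((ev.get("username"), ev.get("password")))
            s["success" if eid.endswith("success") else "failed"] += 1
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return stats

def alerts(stats, fail_threshold=5):
    """Any contact with a production honeypot is suspect; rank by severity."""
    out = []
    for ip, s in sorted(stats.items()):
        if s["success"]:
            out.append(("high", ip, f"successful login, {len(s['commands'])} command(s) run"))
        elif s["failed"] >= fail_threshold:
            out.append(("medium", ip, f"{s['failed']} failed logins"))
        else:
            out.append(("low", ip, f"{s['failed']} failed login(s)"))
    return out

if __name__ == "__main__":
    for sev, ip, why in alerts(summarize(SAMPLE_LOG)):
        print(f"[{sev}] {ip}: {why}")
```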
Detection
Experienced attackers may detect honeypots through:
- Unrealistic service configurations
- Known honeypot fingerprints (JARM, banner patterns)
- Unusual response patterns or latency
- Too many open services on a single host
Search on Zondex
Use the honeypot: filter to identify likely honeypots:
- honeypot:>7 — find hosts with high honeypot probability (score 0-10)
- tag:honeypot — find hosts tagged as honeypots
- device:router honeypot:>7 — find honeypots emulating routers