Honeypot Cybersecurity

By Michele Berardi

Introduction

In the realm of network security, detecting and responding to malicious activities is a constant challenge. Malicious network actors, such as hackers and malware, often probe networks, searching for open ports to gain unauthorized access to systems. One effective countermeasure is the use of a honeypot. In this article, we'll explore how to create a simple yet effective honeypot using Python and its socket library to detect suspicious activities on your network.

What is a Honeypot?

A honeypot is essentially a decoy system set up to attract cyber attackers. By simulating vulnerable services, it can lure potential attackers, allowing you to monitor and study their behavior. This not only helps in understanding the tactics used by attackers but also aids in strengthening your network's defenses.

Creating a Python Honeypot

Our goal is to develop a honeypot that mimics a commonly targeted service, such as Telnet, to detect unauthorized access attempts. We'll use Python's socket library to create a listener on a well-known TCP port over IPv4.

Prerequisites

  • Basic knowledge of Python
  • Familiarity with network concepts like TCP/IP
  • Python environment set up on your machine

Step 1: Setting Up the Python Listener

We'll start by writing a Python script that listens on a specific port for incoming connections. Here's a basic outline of the code:

import socket

def create_honeypot(port):
    # TCP/IPv4 listener on all interfaces
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(('0.0.0.0', port))
    server_socket.listen(5)
    print(f"Honeypot listening on port {port}")

    while True:
        client_socket, address = server_socket.accept()
        print(f"Connection attempt from {address}")
        # Additional logic for handling connections
        client_socket.close()  # release the socket once the attempt is recorded

create_honeypot(23) # Example port for Telnet; ports below 1024 usually need root privileges

Step 2: Detecting Scans with nmap

Tools like nmap are often used by attackers to scan for open ports. Our honeypot, when running, should appear as an open Telnet port. You can test this by scanning your network with nmap:

nmap -sV -p 23 your_network_ip

Step 3: Alerting on Access

The final step is to set up an alert mechanism. Whenever our honeypot detects a connection attempt, it can notify us. This can be done via email, logging, or integrating with a monitoring system.
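One way to implement the logging option, as an added example that is not the author's script: each connection becomes one JSON line, peer input is read with a timeout and a size cap, and an `alert` flag is raised at most once per source IP per interval so a scan does not flood the notification channel. The port 2323, the log path, the limits and all function names are assumptions made for this sketch.

```python
import json
import socket
import time

BANNER = b"Ubuntu 18.04.1 LTS\nserver login: "  # same fake banner as the article's script
MAX_BYTES = 256        # assumed cap on recorded peer input
ALERT_INTERVAL = 300   # assumed: at most one alert per source IP per 5 minutes
_last_alert = {}       # source IP -> time of the last alert


def should_alert(ip, now):
    """True at most once per ALERT_INTERVAL for each source IP."""
    last = _last_alert.get(ip)
    if last is not None and now - last < ALERT_INTERVAL:
        return False
    _last_alert[ip] = now
    return True


def handle(conn, addr, now=None):
    """Send the banner, read one bounded reply, return the event as a dict."""
    now = time.time() if now is None else now
    conn.settimeout(3)  # a silent scanner must not stall the listener
    data = b""
    try:
        conn.sendall(BANNER)
        data = conn.recv(MAX_BYTES)
    except OSError:  # timeout or reset: the connection is still logged
        pass
    finally:
        conn.close()
    return {"ts": now, "src_ip": addr[0], "src_port": addr[1],
            "data": data.decode("ascii", "backslashreplace"),
            "alert": should_alert(addr[0], now)}


def serve(host, port, log_path):
    """Accept connections in a loop, appending one JSON line per event."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        while True:
            event = handle(*srv.accept())
            with open(log_path, "a") as fh:
                fh.write(json.dumps(event) + "\n")  # JSON escaping keeps CR/LF out of the log


if __name__ == "__main__":
    serve("0.0.0.0", 2323, "honeypot.jsonl")  # hypothetical port and log path
```

A notifier (Slack, email or a monitoring system) would act only on events where `alert` is true, while the log keeps every connection.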

Caution and Ethics

While developing a honeypot can be a fun and educational experience, it's important to handle it responsibly. Never use honeypots to deploy malicious software or to harm others. The primary purpose of a honeypot should be for learning and enhancing network security.

Example Script with Slack and Email Notification

    import sys
    import datetime
    from socket import socket, AF_INET, SOCK_STREAM

    import requests

    VERSION = '0.1a'
    # Fake banner sent to whoever connects, imitating a Telnet login prompt
    welcome = b"Ubuntu 18.04.1 LTS\nserver login: "


    def slack_msg_error(msg):
        """ Post an alert to the Slack webhook and return the response body """
        datenow = datetime.datetime.now()  # timestamp of this event, not of script start
        result_dict = ("*HONEY POT 🍯 PORT 23* \n" + "*MSG* " + str(msg) + "\n DATE: " + str(datenow))
        slack_report = {"attachments": [{"fallback": "*HONEY POT 🍯 PORT 23*", "color": "#ECB22E", "text": result_dict}]}
        webhook = 'https://hooks.slack.com/services/<TOKEN>'
        # The timeout keeps a slow webhook from blocking the listener
        response = requests.post(webhook, json=slack_report, headers={'Content-Type': 'application/json'}, timeout=5)
        return response.text


    def send_email(src_address):
        """ Todo: send an email if we're scanned / probed on this port """
        pass


    def honeypot(address, port=23):
        """ create a single-threaded telnet listen port """
        print("Starting honeypot on port {}".format(port))
        ski = socket(AF_INET, SOCK_STREAM)
        try:
            ski.bind((address, port))
            ski.listen()
            conn, addr = ski.accept()
            print('honeypot has been visited by ' + str(addr))
            data = 'honeypot has been visited by ' + str(addr)
            slack_msg_error(data)
            send_email(addr[0])
            conn.sendall(welcome)
            while True:
                data = conn.recv(1024)
                if data == b'\r\n':
                    slack_msg_error(data)
                elif data == b'':
                    # Empty read: the peer closed the connection
                    print(data)
                    break
                else:
                    print(data)
                    slack_msg_error(data)
        except Exception as e:
            print(e)
            print("honeypot failed")
        finally:
            ski.close()
        sys.exit()


    if __name__ == '__main__':
        honeypot('0.0.0.0')

Conclusion

With just a few lines of Python code, you can set up a basic honeypot on your network. This simple tool can provide valuable insights into potential security threats and help you fortify your network against real attacks. Remember, a honeypot is just one component of a comprehensive security strategy.

For more detailed code and advanced honeypot strategies, stay tuned to our blog!

Keywords: Honeypot, Python, Network Security, Malicious Activity Detection, Cybersecurity
