Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

TinyPot, My Small Honeypot

Published: 2017-07-27
Last Updated: 2017-07-27 13:02:38 UTC
by Xavier Mertens (Version: 1)
6 comment(s)

Running honeypots is always interesting to get an overview of what’s happening on the Internet in terms of scanners or new threats. Honeypots are useful not only in the Wild but also on your internal networks. There are plenty of solutions to deploy honeypots with more or less nice features (depending on the chosen solution). They are plenty of honeypots[1] which can simulate specific services or even mimic a complete file system, computer or specific hardware.

That’s cool but often such honeypots require a lot of dependencies (Python/Perl modules) or must be compiled. Sometimes, you just need to collect basic data to understand who’s knocking on your door. I was looking for a quick & dirty solution that does not require the installation of many packages or extra-tools. What are my basic requirements:

  • Run on any Linux distribution
  • Accept connections on ANY port
  • Collect basic protocol details
  • Log everything (of course!)

The first step is to capture the traffic on any TCP ports. To achieve this, we can use iptables to redirect any incoming connection to a specific port:

# iptables -t nat -A PREROUTING -p tcp --dport 1:65534 -j REDIRECT --to-ports 10000

Note: I limited the range to port 65534 to allow binding my SSH daemon to port 65535 (if you need to access the honeypot remotely).

The next step is to accept and establish a connection on any port (at least the TCP handshake). netcat[2] is the perfect tool for this and is usually installed by default with many Linux distribution. Let’s bind it to our collection port 10000 (see above) and log all the junk received:

# netcat -l -k -p 10000 | tee -a /tmp/netcat.log

Finally, a full packet capture is always nice to have, let’s collect all the traffic hitting our honeypot except the SSH management port:

# tcpdump -i eth0 -w /tmp/tcpdump.pcap -C 1000 -W 10 -lenx -X -s 0 not port 65534

Finally, we can put all the commands in a single script I'm using the "screen" command (also available in most distributions) to detach the tools from the console and to keep an eye on them later.

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1:65534 -j REDIRECT --to-ports 10000
/usr/bin/screen -S netcat -d -m /bin/netcat -l -k -p 10000 | tee -a /tmp/netcat.log
/usr/bin/screen -S tcpdump -d -m /sbin/tcpdump -i eth0 -w /tmp/tcpdump.pcap -C 1000 -W 10 -lenx -X -s 0 not port 65534
echo TinyPot running, use "screen -r [netcat|tcpdump] to access tools"

Here is an example of data dumped by netcat:

We can see classic stuff like bots scanning for open proxies, SMB shares or searching for admin interfaces. What's next? Wireshark can be used to export statistics (menu "Statistics -> Conversations"). The generated CVS file once indexed in Splunk gives us the classic top-20:

Nothing fancy here and  I'm sure that it can be improved but TinyPot just does the work!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

Keywords: honeypot
6 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Malspam pushing Emotet malware
Jul 26th 2017
1 day ago by Brad (8 comments)

Trends Over Time
Jul 25th 2017
3 days ago by Russell (8 comments)

Uber drivers new threat: the "passenger"
Jul 24th 2017
3 days ago by Renato (2 comments)

Another .lnk File
Jul 23rd 2017
4 days ago by DidierStevens (0 comments)

Black Hat is coming and with it a good reason to update your "Broadcom-based" devices
Jul 22nd 2017
6 days ago by Renato (2 comments)

Malicious .iso Attachments
Jul 21st 2017
6 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

Phishing mail/URL link scanning with the online/freeware tool.
created Jul 26th 2017
1 day ago by Anonymous (0 replies)

Suspicious URL http://ust-af-com showing up as denied on logs
created Jul 13th 2017
2 weeks ago by Anonymous (0 replies)

International visitors come in Morocco to discover New Places
created Jul 11th 2017
2 weeks ago by ericwatson239 (0 replies) needs IPv6 address
created Jul 10th 2017
2 weeks ago by Anonymous (0 replies)

Increased traffic hitting TCP Port 10224
created Jun 28th 2017
4 weeks ago by Brad (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 month ago by Brad (6 comments)

OAUTH phishing against Google Docs ? beware!
May 3rd 2017
2 months ago by Bojan (6 comments)

Massive wave of ransomware ongoing
May 15th 2017
2 months ago by Xme (10 comments)

Checking out the new Petya variant
Jun 27th 2017
1 month ago by Brad (6 comments)

Malspam with password-protected Word documents
Mar 21st 2017
4 months ago by Brad (13 comments)