https://maymeow.blog/tags/network-security/ Recent content in Network-Security on May Meow Hugo en Copyright © 2020, May Meow. Sun, 31 May 2026 11:36:24 +0200 https://maymeow.blog/notes/honeypots/ Sun, 31 May 2026 11:15:24 +0200 https://maymeow.blog/notes/honeypots/ <h1 id="-honeypots">🍯 Honeypots</h1> <ul> <li>vulnerable security tool designed to attract attackers and record the actions of adversaries</li> <li>can be used in a defensive role to alert administrators of potential breaches</li> <li>and/or to distract attackers away from real infrastructure</li> <li>collects data, tools and techniques</li> </ul> <h2 id="classification">Classification</h2> <h3 id="by-interactivity">by Interactivity</h3> <ul> <li><strong>Low-Interaction</strong> <ul> <li>only capable of simulating the functions that are required to simulate a service and capture attacks against it</li> <li><strong>Adversaries are not able to perform any post-exploitation activity</strong></li> <li>Example:  <a href="https://github.com/awhitehatter/mailoney">mailoney</a>,  <a href="https://github.com/DinoTools/dionaea">dionaea</a>.</li> </ul> </li> <li><strong>Medium Interaction</strong> <ul> <li>emulating both vulnerable services as well as the underlying OS, shell, and file systems</li> <li>ℹ️ the system presented to adversaries is a simulation, <ul> <li>it is usually not possible for to complete full range of post-exploitation activity</li> </ul> </li> <li><strong>allows adversaries to complete initial exploits and carry out post-exploitation activity</strong></li> <li>For example: <a href="https://github.com/cowrie/cowrie">Cowrie</a></li> </ul> </li> <li><strong>High-Interaction</strong> <ul> <li>fully complete systems that are usually Virtual Machines that include deliberate vulnerabilities</li> <li><strong>Adversaries should be able (but not necessarily allowed) to perform any action against the honeypot as it is a complete system</strong></li> <li>⚠️ Needs to be carefully managed, otherwise they can be used to attack other systems</li> <li>For example Cowrie as an SSH Proxy</li> </ul> </li> </ul> <h3 id="by-deployment-location">by Deployment location</h3> <ul> <li><strong>Internal Honeypots</strong> <ul> <li>deployed inside LAN</li> <li> for threats originating from the inside, for example, attacks originating from trusted personnel or attacks that by-parse firewalls like phishing attack</li> <li>⚠️ should never be compromised</li> </ul> </li> <li><strong>External Honeypots</strong> <ul> <li>Deployed on the internet</li> <li>Monitor attacks outside LAN</li> <li>Collects much more data since they are effectively guaranteed to be under attack at all times</li> </ul> </li> </ul> <h2 id="typical-behavior-of-bots">Typical behavior of bots</h2> <p>ℹ️ <strong>Majority of typical SSH deployemnts are automated</strong>. Most of the post-exploitation activity that takes place after a bot gains initial access to the honeypot will follow a broad pattern.</p>