
HoneyPi – an easy honeypot for a Raspberry Pi


It is astonishingly easy for an attacker to move around most networks undetected. Let’s face it: unless your organization is big enough to have full packet capture and an expensive IDS, you will likely have no idea whether there is an attacker on your network. What are the options for home users and small businesses?

What if there were a cheap Raspberry Pi device you could plug into your network that masquerades as a juicy target to hackers?

HoneyPi attempts to offer a reliable indicator of compromise with little to no setup or maintenance cost. There are tons of honeypot options out there, but we leveraged our experience in penetration testing to gain insight into the Tactics, Techniques and Procedures (TTPs) that real-world attackers actually use. We set out to answer the question: what activities could be flagged that would catch us when attacking an internal network?

That is why HoneyPi tries to keep it simple compared to other honeypots. HoneyPi only flags a few surefire triggers that would catch most attackers snooping around on an internal network, things no legitimate host has any reason to do to a box that offers no real services:

  1. Port Scanning Activities
  2. FTP Connection Attempts
  3. Telnet Connection Attempts
  4. VNC Connection Attempts

Wrap up these TTPs in a Raspberry Pi form factor and you’ve got a simple honeypot that you can add to your network to gain insight into when a breach has occurred.

Why do we need another honeypot project?

When I set out on this project, I was hoping to use an existing honeypot to throw on my home network and notify me if someone tries to connect to it. There are many honeypots out there. I tried many existing honeypot offerings, but ran into problems with each one. Here is what I learned:

  • Many honeypots are designed to go on the external perimeter of a network and collect “threat intelligence” data from external attackers, essentially opening all ports and logging all connection attempts. I wanted something to go on the internal network for “intrusion detection”.
  • Many honeypots are very complicated to set up and relay data to larger frameworks. I wanted something simple and localized.
  • Many logged full TCP/UDP sessions and what the attacker did after connecting, but none really logged port-scanning activities. Port scanning is one of the first things I do when pentesting a network, so this is an important feature.

I decided to use existing open-source tools to create a reliable honeypot that can be installed on a Raspberry Pi. Here are the ingredients:

  1. Raspbian – Linux distro for Raspberry Pi.
  2. PSAD: Port Scan Attack Detector – Reads the kernel’s iptables LOG messages to detect port scanning and connection attempts. It also handles the email notifications.
  3. A simple Python script – Opens some enticing ports and masquerades as vulnerable services.
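To make the third ingredient concrete, here is an added example of a fake-service listener in the same spirit as HoneyPi’s script. It is not the project’s code: the banners, the port-to-service map and the on_alert callback are my own choices for illustration. The points worth taking from it are that the alert fires the moment a connection is accepted (the connection itself is the indicator, whatever the client sends next), that the client’s bytes are read with a size bound and a timeout and never interpreted, and that a port which is already taken is reported by name instead of dying with a bare “Address already in use”.

```python
import asyncio
import datetime
import errno

# Constructed banners for the services HoneyPi advertises. These strings are
# illustrative choices of mine, not the project's; pick ones that look like
# the rest of your network.
FAKE_SERVICES = {
    21: ("ftp", b"220 (vsFTPd 3.0.3)\r\n"),
    23: ("telnet", b"\r\nDebian GNU/Linux 9\r\nlogin: "),
    5900: ("vnc", b"RFB 003.008\n"),
}


def make_handler(service, banner, on_alert):
    """Build the per-connection coroutine for one fake service.

    on_alert(event) is called as soon as the TCP connection is accepted; the
    first bytes the client sends are added to the same event afterwards.
    """
    async def handle(reader, writer):
        src_ip, src_port = writer.get_extra_info("peername")[:2]
        event = {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "service": service, "src": src_ip, "src_port": src_port,
        }
        on_alert(event)
        try:
            writer.write(banner)
            await writer.drain()
            # Bounded read with a timeout: the bytes are recorded for the
            # alert and never acted upon, so a hostile client can neither
            # stall the listener nor steer any logic.
            try:
                data = await asyncio.wait_for(reader.read(256), timeout=5)
            except asyncio.TimeoutError:
                data = b""
            event["first_bytes"] = data[:64]
        finally:
            writer.close()
    return handle


async def start_listeners(services, on_alert, host="0.0.0.0"):
    """Bind every fake service; name the port clearly if it is already taken."""
    servers = []
    for port, (service, banner) in services.items():
        try:
            srv = await asyncio.start_server(
                make_handler(service, banner, on_alert), host, port)
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                raise SystemExit(f"cannot bind {host}:{port} for fake {service}: "
                                 "a real service is listening there") from exc
            raise
        servers.append(srv)
    return servers


async def _probe(service, banner):
    """Loopback self-test: serve exactly one connection on an ephemeral port."""
    events = []
    srv = await asyncio.start_server(
        make_handler(service, banner, events.append), "127.0.0.1", 0)
    port = srv.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    got = await reader.readexactly(len(banner))
    writer.write(b"USER anonymous\r\n")      # what a curious client might send
    await writer.drain()
    writer.close()
    await writer.wait_closed()
    for _ in range(100):                      # give the handler time to record the bytes
        if events and "first_bytes" in events[0]:
            break
        await asyncio.sleep(0.02)
    srv.close()
    await srv.wait_closed()
    return events[0], got


def probe_once(port):
    """Simulate one attacker connection to the service normally served on `port`."""
    service, banner = FAKE_SERVICES[port]
    return asyncio.run(_probe(service, banner))


if __name__ == "__main__":
    async def main():
        servers = await start_listeners(FAKE_SERVICES, lambda e: print("ALERT", e))
        print("fake services up on ports", ", ".join(map(str, FAKE_SERVICES)))
        await asyncio.gather(*(s.serve_forever() for s in servers))
    asyncio.run(main())
```

Binding ports 21 and 23 needs root (they are below 1024), which is also why the real installer runs with sudo; probe_once() is only a loopback self-test and needs no privileges.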


PSAD really does most of the work here. It’s a wonderful tool, but it can be tricky to set up. The real value of HoneyPi is the simple installation script that installs all dependencies and changes the necessary settings.
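Since PSAD does the heavy lifting, it helps to see what it actually does with the iptables logs. The following is an added example (mine, not PSAD’s or HoneyPi’s code) of the same detection idea in Python, run over constructed syslog lines in the kernel’s iptables LOG format: a per-source sliding window of distinct destination ports for port-scan detection, an immediate alert on any SYN to one of the fake services, and a per-source cooldown so a single nmap run does not become a stream of emails. The threshold, window, cooldown, log prefix and sample addresses are all assumptions; non-TCP traffic and anything that is not a bare SYN (DNS chatter, replies) is deliberately ignored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HONEYPOT_PORTS = {21: "ftp", 23: "telnet", 5900: "vnc"}   # the fake services
SCAN_PORT_THRESHOLD = 5                  # distinct ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)      # ... inside this window counts as a scan
ALERT_COOLDOWN = timedelta(minutes=5)    # same source+kind alerts at most this often
LOG_YEAR = 2018                          # syslog carries no year (assumed for the sample)

# One iptables LOG line as the kernel writes it to syslog: timestamp, host,
# "kernel:", the rule's prefix, then key=value pairs and the TCP flags.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)(?P<flags>.*)$")


def parse_log_line(line):
    """Fields we care about, or None for lines that are not TCP/UDP LOG entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    flags = m["flags"].split()
    return {"ts": ts, "src": m["src"], "proto": m["proto"], "dpt": int(m["dpt"]),
            # a bare SYN is a new connection attempt; SYN/ACK or ACK is not
            "syn": "SYN" in flags and "ACK" not in flags}


class ScanDetector:
    """PSAD-style logic: sliding window of distinct ports per source, plus an
    immediate alert for any SYN to a fake service, with per-source cooldown."""

    def __init__(self):
        self.recent = defaultdict(deque)   # src -> deque[(ts, dpt)] inside SCAN_WINDOW
        self.last_alert = {}               # (src, kind) -> ts of the last alert sent
        self.alerts = []

    def _alert(self, kind, src, ts, detail):
        last = self.last_alert.get((src, kind))
        if last is not None and ts - last < ALERT_COOLDOWN:
            return None                    # suppressed: one scan is not an email bomb
        self.last_alert[(src, kind)] = ts
        alert = {"kind": kind, "src": src, "ts": ts.isoformat(), "detail": detail}
        self.alerts.append(alert)
        return alert

    def feed(self, line):
        """Consume one syslog line; return the alerts it produced (usually none)."""
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "TCP" or not rec["syn"]:
            return []                      # UDP/DNS noise, ICMP, replies: ignored
        fired = []
        if rec["dpt"] in HONEYPOT_PORTS:   # any SYN to a fake service is an alert
            a = self._alert("connect", rec["src"], rec["ts"], HONEYPOT_PORTS[rec["dpt"]])
            if a:
                fired.append(a)
        window = self.recent[rec["src"]]
        window.append((rec["ts"], rec["dpt"]))
        while rec["ts"] - window[0][0] > SCAN_WINDOW:
            window.popleft()
        distinct = {dpt for _, dpt in window}
        if len(distinct) >= SCAN_PORT_THRESHOLD:
            a = self._alert("portscan", rec["src"], rec["ts"],
                            f"{len(distinct)} ports in {SCAN_WINDOW.seconds}s")
            if a:
                fired.append(a)
        return fired


def _kernel_line(hhmmss, src, proto, dpt, flags):
    """Build one constructed LOG line; the field layout mirrors the kernel's."""
    return (f"Mar 22 {hhmmss} honeypi kernel: [  812.101] HONEYPI_IN: IN=eth0 OUT= "
            f"MAC=b8:27:eb:00:00:01:00:0c:29:aa:bb:cc:08:00 SRC={src} DST=192.168.1.20 "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO={proto} SPT=44123 DPT={dpt} "
            f"WINDOW=1024 RES=0x00 {flags} URGP=0")


# Constructed sample: a six-port SYN sweep, a VNC connect from another host,
# DNS and ACK noise that must not alert, a later Telnet connect, then a second
# sweep inside the cooldown that must be suppressed.
SAMPLE_LOG = (
    [_kernel_line(f"13:27:4{i}", "192.168.1.50", "TCP", p, "SYN")
     for i, p in enumerate([22, 80, 443, 445, 3389, 8080])]
    + [_kernel_line("13:28:10", "192.168.1.77", "TCP", 5900, "SYN"),
       _kernel_line("13:28:11", "192.168.1.30", "UDP", 53, ""),
       _kernel_line("13:28:12", "192.168.1.50", "TCP", 80, "ACK"),
       _kernel_line("13:29:00", "192.168.1.50", "TCP", 23, "SYN")]
    + [_kernel_line(f"13:29:3{i}", "192.168.1.50", "TCP", p, "SYN")
       for i, p in enumerate([25, 110, 143, 993, 8443])]
)


def run_sample(lines=SAMPLE_LOG):
    det = ScanDetector()
    for line in lines:
        det.feed(line)
    return det.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample this yields exactly three alerts: one port scan from 192.168.1.50 (raised on the fifth distinct port, the sixth is inside the cooldown), the VNC connect from 192.168.1.77, and the later Telnet connect from 192.168.1.50; the second sweep is suppressed because it falls within five minutes of the first. Tune SCAN_PORT_THRESHOLD and SCAN_WINDOW to your own tolerance, the same way you would tune PSAD’s danger levels.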

Installation

You’ll need a Raspberry Pi running Raspbian.

From the Pi, do this:

  1. wget https://github.com/mattymcfatty/HoneyPi/archive/master.zip
  2. unzip master.zip
  3. cd HoneyPi-master
  4. chmod +x *.sh
  5. sudo ./honeyPiInstaller.sh
  6. Follow the prompts

Please note: installing this will change some things on your Raspberry Pi. Most notably, it will change your iptables configuration, since PSAD needs iptables LOG rules in place to see the traffic. Please proceed with caution if you are using this Raspberry Pi for other purposes.

Future Improvements

There are many ways the HoneyPi could be improved. One of the most obvious would be the ability to choose the type of system you are imitating. It could offer a menu of OSes and services so that HoneyPi blends into the network better.

The most exciting improvements could be made using the GPIO ports on the Raspberry Pi. These GPIO ports allow your Raspberry Pi to connect to the “real world”. Here is an example of wiring up a toy police car to trigger an alarm when a breach is detected:

The police siren sounds when an attacker connects to one of the open TCP ports. Sure, this is a toy example, but there are lots of possibilities here. Imagine disconnecting the physical WAN when a breach is detected, or shutting down a sensitive machine.
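Here is the GPIO idea carried through as an added example; it is my code, not HoneyPi’s. It assumes PSAD’s external-script hook, which (as Matt notes in the comments below) calls the script as /path/to/script --ip SRCIP -v; my recollection is that this is enabled with the ENABLE_EXT_SCRIPT and EXTERNAL_SCRIPT keys in psad.conf, so check your own copy. The siren pin, pulse length, cooldown, trusted-host list and state-file path are all assumptions. Two things a practitioner would want that the toy wiring does not show: the IP comes from a log line an attacker influenced, so it is validated as an address before anything is done with it, and because PSAD spawns a fresh process per alert the per-source cooldown is persisted to disk.

```python
#!/usr/bin/env python3
import argparse
import ipaddress
import json
import os
import sys
import time

SIREN_PIN = 18                   # BCM pin driving the siren/relay (assumed wiring)
PULSE_SECONDS = 3.0              # how long the siren sounds per alert
COOLDOWN_SECONDS = 60            # at most one pulse per source IP per minute
STATE_FILE = "/var/lib/psad/honeypi-alarm.json"     # assumed location
TRUSTED = [ipaddress.ip_network("192.168.1.1/32")]  # e.g. your own scanner box (assumed)


def parse_args(argv):
    """PSAD calls `script --ip SRCIP -v`; the IP was lifted from a log line the
    attacker influenced, so reject anything that is not an address."""
    p = argparse.ArgumentParser()
    p.add_argument("--ip", required=True)
    p.add_argument("-v", "--verbose", action="store_true")
    args = p.parse_args(argv)
    args.ip = str(ipaddress.ip_address(args.ip))   # ValueError on anything else
    return args


class ConsoleSiren:
    """Stand-in for machines without GPIO: just says what it would do."""
    def pulse(self, seconds):
        print(f"*** SIREN ({seconds:.0f}s) ***")


class GpioSiren:
    """Drive the pin high for the pulse, then release it."""
    def __init__(self, pin):
        import RPi.GPIO as GPIO        # importable only on a Raspberry Pi
        self.GPIO, self.pin = GPIO, pin
        GPIO.setmode(GPIO.BCM)
        GPIO.setup(pin, GPIO.OUT, initial=GPIO.LOW)

    def pulse(self, seconds):
        self.GPIO.output(self.pin, self.GPIO.HIGH)
        time.sleep(seconds)
        self.GPIO.output(self.pin, self.GPIO.LOW)
        self.GPIO.cleanup(self.pin)


def make_siren(pin=SIREN_PIN):
    try:
        return GpioSiren(pin)
    except (ImportError, RuntimeError):   # no RPi.GPIO, or not on a Pi
        return ConsoleSiren()


def should_fire(ip, state, now, cooldown=COOLDOWN_SECONDS):
    """Skip trusted hosts and rate-limit per source. `state` maps ip -> last
    fire time and is updated in place; the caller persists it between runs."""
    if any(ipaddress.ip_address(ip) in net for net in TRUSTED):
        return False
    last = state.get(ip)
    if last is not None and now - last < cooldown:
        return False
    state[ip] = now
    return True


def handle_alert(argv, siren=None, state=None, now=None):
    """Entry point; returns True if the siren was pulsed for this alert."""
    args = parse_args(argv)
    state = {} if state is None else state
    now = time.time() if now is None else now
    if not should_fire(args.ip, state, now):
        if args.verbose:
            print(f"alert from {args.ip} ignored (trusted or within cooldown)")
        return False
    if args.verbose:
        print(f"alert from {args.ip}: sounding siren")
    (siren or make_siren()).pulse(PULSE_SECONDS)
    return True


def load_state(path=STATE_FILE):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def save_state(state, path=STATE_FILE):
    tmp = path + ".tmp"                    # write-then-rename so a crash leaves a valid file
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


if __name__ == "__main__":
    st = load_state()
    handle_alert(sys.argv[1:], state=st)
    save_state(st)
```

Off the Pi the script falls back to printing, so it can be tried from a shell with --ip 10.0.0.9 -v before being pointed at by psad.conf; on the Pi the same script drives the pin.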

Did you find this useful? Do you have questions?

Contact us or leave a comment below.

Matt South

Matt is a penetration tester from Kansas City, MO. He specializes in web and mobile application testing, but loves all things security. Matt's favorite types of exploits to find are business logic flaws that an automated scanner would miss.

26 Comments

  • Weston says:

    I am getting the test message from honey pi, but when I do an nmap scan, I am not getting any alerts. Is there a threshold for triggering? I ran about 5 scans in a row, and got nothing. I might write a script to send to slack. Any considerations when passing variables for source IP, dest port etc?

    • Matt South says:

      Hey Weston– I sent you an email for some steps to try. I’ll update the install script if we can find out what’s going on here. Thanks for reaching out!

      • Weng says:

        I am getting the same problem. Please let me know if you get it to work.

        • Matt South says:

          Hey Weng-

          Looks like psad changed their code recently. I updated HoneyPi to include the new psad.conf. Should fix the problem.

  • Evan says:

    Hey, I also am having issues with the alerts. It says the config file “/etc/psad/psad.conf does not contain the variable IPT_OUTPUT_FILE”.

  • pcmcia says:

    Hi – doesn’t work for me either – fresh Raspbian install – ran script as root – no output created and the following message – thanks!:

    Traceback (most recent call last):
    File "/root/honeyPi/mattshoneypot.py", line 50, in
    reactor.listenTCP(5900, FakeVNC, interface = interface)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 478, in listenTCP
    p.startListening()
    File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 983, in startListening
    raise CannotListenError(self.interface, self.port, le)
    twisted.internet.error.CannotListenError: Couldn't listen on 0.0.0.0:5900: [Errno 98] Address already in use.

  • ROBERT HANCOCK says:

    I’m seeing this after updating to the latest kernel (March 14, 2018). Is this important? Also, I don’t seem to be getting email notifications any more from port scans. The ssmtp.conf file looks OK though.

    ok. should be good to go. Now go portscan this honeyPi and see if you get an alert!
    pi@FileMakerDB:~/HoneyPi-master $ 2018-03-22 13:27:40: Starting up honeypot python program…
    Traceback (most recent call last):
    File "/root/honeyPi/mattshoneypot.py", line 50, in
    reactor.listenTCP(5900, FakeVNC, interface = interface)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 478, in listenTCP
    p.startListening()
    File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 983, in startListening
    raise CannotListenError(self.interface, self.port, le)
    twisted.internet.error.CannotListenError: Couldn't listen on 0.0.0.0:5900: [Errno 98] Address already in use.

  • ROBERT HANCOCK says:

    Now just got this at my set email address:

    [-] You may just need to add a default logging rule to the
    ‘filter’ ‘INPUT’ chain on FileMakerDB. For more information,
    see the file “FW_HELP” in the psad sources directory or visit:

    http://www.cipherdyne.org/psad/docs/fwconfig.html

  • ROBERT HANCOCK says:

    Tried a second time with the November 2017 kernel and got the same error at the end.

    File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 983, in startListening
    raise CannotListenError(self.interface, self.port, le)
    twisted.internet.error.CannotListenError: Couldn't listen on 0.0.0.0:5900: [Errno 98] Address already in use.

  • ROBERT HANCOCK says:

    When I set the gmail details during the install and click OK, I do get the first test message:

    test message from honeyPi

    to my set gmail address.

    but subsequent scans of the honeypi RPi do not produce warning emails.

    This was working but seems to have stopped after the March 14, 2018 kernel update, and is also no longer working with the old November 2017 kernel from a fresh Raspbian install.

    Any help appreciated.

  • Robert Hancock says:

    Matt, I posted three times with a similar problem to the above but they seem to have been deleted. Any word why?
    Is there a solution to this issue?

    • Alex Lauerman says:

      Comments just have to be approved to prevent spam. They are now approved. You’re welcome to continue posting here, but the GitHub page seems ideal, since it has a built-in issue tracker and pull requests can be submitted.

  • Matt South says:

    Good idea, Alex! I just checked with the latest version of Raspbian (2018-03-13-raspbian-stretch.img), and I’m getting alerts via email just fine. If you’re having issues, head on over to GitHub and open up a ticket and I’ll try to help 🙂
    https://github.com/mattymcfatty/HoneyPi/issues

  • greg says:

    Great Project Matt !

    Quick question regarding the alerts: I do receive email alerts for port scans against the HoneyPi. However, none for connections to services (Telnet, FTP or VNC).

    I only used the normal setup script. Are there any additional configurations required for this?

    In addition, is it possible to differentiate the alerts? For example, an email alert on a port scan, but a GPIO alert on an FTP connect?

    Thx
    Greg

  • greg says:

    Got it working… scratch my prior comment… I think I had a network issue.

    Still valid is my question about differentiating the alerts: is it possible?

    • Matt South says:

      Glad you got it working, Greg. Great question about different alerts! I do know that PSAD (the main alerting component) has options for Alert Levels. But I’m not sure that different Alert Levels can go via a different method. I doubt it would work how you want using Alert Levels.

      One thing I’m thinking might work is using the “run a script” option to call a custom shell script. Then inside of your script have logic to either blink the GPIO or shoot an email depending on what is being flagged.

      The issue with that idea is whether or not PSAD has the option to pass the necessary information on when it calls the script. PSAD will normally call our external scripts like this:

      /path/to/script --ip SRCIP -v

      I’m looking to see if, in addition to the SRCIP variable, there are other variables which could be passed. Something like NOTIFICATION or CONNECT_METHOD that could be parsed by a script and used for the logic.

      So far, the only variable I’m seeing that can be passed is SRCIP 🙁 We might be out of luck.

      Last idea: perhaps you could set it up to always run a script (i.e. blink GPIO) for all alerts, then set the email alert level so that you only get an email for higher alert levels. Then it’s just a matter of making sure a port scan is considered high level (like 5) and something like an FTP connect is considered low (like 1).

      See if this gives you any ideas: http://cipherdyne.org/psad/docs/config.html

  • Phillip says:

    In case others have a similar issue, I tried this on the “2018-03-13-raspbian-stretch.img” and got the first email, but not others. When I tried running “sudo iptables -L” to confirm the iptables rules were added, I received the following error: iptables v1.6.0: can’t initialize iptables table `filter’: Table does not exist (do you need to insmod?). To fix this I installed raspberrypi-kernel-headers (sudo apt install raspberrypi-kernel-headers) and rebooted. Then I reran the installer and everything is up and working now.

    • Matt South says:

      This is great! I’m going to add raspberrypi-kernel-headers to the installer on github. Thanks Phillip!

  • Sw says:

    Matt thank you, really easy to install and use.

    One question: I noticed that the Pi is still using its default MAC address, which identifies it as a Pi. Do you think it’s worth changing this to hide the true identity?
    Thanks again

  • Emmanuel says:

    hi,

    Is it possible to change the config to scan more ports like 8080 or 8443?
    or
    get an alert if someone tries to brute-force my SSH access?

    Thanks

    Best regards

    Emmanuel

  • fishy says:

    – how to uninstall again?
    – nmap test localhost produces unlimited bunches of warning mails. How to control the honeypot and stop it? One scan is an email bomb 😉
    – ran on the latest Raspbian. When starting psad it writes an email:
    You may just need to add a default logging rule to the
    ‘filter’ ‘INPUT’ chain on zeus. For more information,
    see the file “FW_HELP” in the psad sources directory or visit:
    => I’m not familiar with this fw stuff. That’s why I wanted this easy setup. 😉
    – alexa in the web checks dns… and psad yells around honeyPi-SCAN-alert] DL2 src: amazon-e1efa849c.domain dst: dns
    => how to allow this? I think the amazon device searches just a dns or whatever? dunno.

    please help.

  • rob says:

    Great software! It was a pain to install, but I managed to read the GPIO trigger and send the signal over MQTT with “gpiotomqtt” to Home Assistant to fire an alarm that blinks all my in-home smart lamps when a port is scanned on my network.

  • Mathil says:

    How do i uninstall? and remove completely all traces/dependencies of Honeypi? Thank you.

  • Mondo says:

    Mathil,
    Personally, I’d just flash the micro SD card. Done.

  • Yogi says:

    Matt

    I installed it on my Raspberry Pi 2. I chose Gmail as my mail service and obtained the 16-digit code. HoneyPi never sent any test email. I reinstalled and did it again (and obtained another 16-digit code) and could not receive email. Any suggestions?