HoneyPi – an easy honeypot for a Raspberry Pi

It is astonishingly easy as an attacker to move around on most networks undetected. Let’s face it, unless your organization is big enough to have full packet capture with some expensive IDS, you will likely have no idea if there is an attacker on your network. What are the options for home users and small businesses?

What if there were a cheap Raspberry Pi device you could plug into your network that masquerades as a juicy target to hackers?

HoneyPi attempts to offer a reliable indicator of compromise with little to no setup or maintenance costs. There are tons of honeypot options out there, but we leveraged our experience in penetration testing to gain insight into Tactics, Techniques and Procedures (TTPs) that real-world attackers would use. We set out to answer the question What some activities that could be flagged that would catch us when attacking an internal network?

That is why HoneyPi tries to keep it simple compared to other honeypots. HoneyPi only flags a few surefire triggers that would catch most attackers snooping around on an internal network:

  1. Port Scanning Activities
  2. FTP Connection Attempts
  3. Telnet Connection Attempts
  4. VNC Connection Attempts

Wrap up these TTPs in a RaspberryPi form factor and you’ve got a simple honeypot that you can add to your network to gain insight when a breach has occur ed.

Why do we need another honeypot project?

When I set-out on this project, I was hoping to use an existing honeypot to throw on my home network and notify me if someone tries to connect to it. There are many honeypots out there. I tried many existing honeypot offerings, but ran into problems with each one. Here is what I learned:

  • Many honeypots are designed to go on the external perimeter of a network and collect “threat intelligence” data from external attackers, essentially opening all ports and logging all connection attempts. I wanted something to go on the internal network for “intrusion detection”.
  • Many honeypots are very complicated to set up and relay data to larger frameworks. I wanted something simple and localized.
  • Many logged full TCP/UDP sessions and what attacker did after connecting, but none really logged port-scanning activities. Port scanning is one of the first things I do when pentesting a network, so this is an important feature.

I decided to use existing open-source tools to create a reliable honeypot that can be installed on a Raspberry Pi. Here are the ingredients:

  1. Raspbian – Linux distro for Raspberry Pi.
  2. PSAD: Port Scan Attack Detection – This uses iptables to log port scanning and connection attempts. This also handles the email notifications.
  3. A simple Python script – Opens some enticing ports and masquerade as vulnerable services.

 

++

 

PSAD really does most of the work here. It’s a wonderful tool, but can be tricky to set up. The real value of HoneyPi is the simple installation script that installs all dependencies and changes necessary settings.

 

Installation

You’ll need a Raspberry Pi running Rasbian.

From the Pi, do this:

  1. wget https://github.com/mattymcfatty/HoneyPi/archive/master.zip
  2. unzip master.zip
  3. cd HoneyPi-master
  4. chmod +x *.sh
  5. sudo ./honeyPiInstaller.sh
  6. Follow the prompts

Please note: Installing this will change some things on your Raspberry Pi. Most notably, it will change your iptables configuration. Please proceed with caution if you are using this Raspberry Pi for other purposes.

 

Future Improvements

There are many ways the HoneyPi could be improved. One of the most obvious would be the ability to choose the type of system you are imitating would be an improvement. It could have a menu of OSes and services so that HoneyPi could blend into the network better.

The most exciting improvements could be made using the GPIO ports on the Raspberry Pi. These GPIO ports allow your Raspberry Ri to connect to the “real world”. Here is an example of wiring up a toy police car to trigger an alarm when an breach is detected:

The police siren sounds when an attacker connects to one of the open TCP ports. Sure this is a toy example, but there are lots of possibilities here. Imagine disconnecting the physical WAN when an breach is detected or shutting down a sensitive machine.

 

Did you find this useful? Do you have questions?

Contact us or leave a comment below.