deception technology

Implementing Network Deception with Honeypots

Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.

cowriedeceptiondetectionhoneypotlateral-movementnetwork-securityopencanaryt-pot
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When deploying deception technology to detect lateral movement
  • To create early warning indicators for network intrusion
  • During security architecture design to add detection depth
  • When monitoring for unauthorized internal scanning or credential theft
  • To gather threat intelligence on attacker techniques and tools

Prerequisites

  • Linux server or VM for honeypot deployment (Ubuntu 22.04+ recommended)
  • Python 3.8+ with pip for OpenCanary installation
  • Docker for T-Pot or containerized deployment
  • Network segment with appropriate VLAN configuration
  • SIEM integration for alert forwarding (syslog, webhook, or file-based)
  • Firewall rules allowing inbound connections to honeypot services

Workflow

  1. Plan Deployment: Select honeypot types and network placement strategy.
  2. Install Honeypot: Deploy OpenCanary, Cowrie, or T-Pot on dedicated host.
  3. Configure Services: Enable emulated services (SSH, HTTP, SMB, FTP, RDP).
  4. Set Up Alerting: Configure log forwarding to SIEM and alert channels.
  5. Deploy Canary Tokens: Place credential files, shares, and DNS entries.
  6. Monitor Interactions: Analyze honeypot logs for attacker activity.
  7. Tune and Maintain: Update configurations based on detection results.

Key Concepts

Concept Description
OpenCanary Lightweight Python honeypot with modular service emulation
Cowrie Medium-interaction SSH/Telnet honeypot capturing commands
T-Pot Multi-honeypot platform with ELK stack visualization
Canary Token Tripwire credential or file that alerts when accessed
Low-Interaction Emulates services at protocol level without full OS
High-Interaction Full OS honeypot capturing complete attacker sessions

Tools & Systems

Tool Purpose
OpenCanary Modular honeypot daemon with service emulation
Cowrie SSH/Telnet honeypot with session recording
T-Pot All-in-one multi-honeypot platform
Dionaea Malware-capturing honeypot for exploit detection
Splunk/Elastic SIEM for honeypot alert aggregation

Output Format

Alert: HONEYPOT-[SERVICE]-[DATE]-[SEQ]
Honeypot: [Hostname/IP]
Service: [SSH/HTTP/SMB/FTP/RDP]
Source IP: [Attacker IP]
Interaction: [Login attempt/Port scan/File access]
Credentials Used: [Username:Password if applicable]
Commands Executed: [For SSH honeypots]
Risk Level: [Critical/High/Medium/Low]
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.8 KB

Network Deception with Honeypots Reference

OpenCanary Installation

# Ubuntu/Debian
sudo apt-get install python3-dev python3-pip python3-virtualenv libssl-dev libpcap-dev
virtualenv canary-env && source canary-env/bin/activate
pip install opencanary
 
# Docker
docker pull thinkst/opencanary
docker run -d --network host -v /path/to/config:/etc/opencanaryd thinkst/opencanary

OpenCanary CLI

# Generate default config
opencanaryd --copyconfig
 
# Start daemon
opencanaryd --start
 
# Stop daemon
opencanaryd --stop
 
# Check status
opencanaryd --status
 
# Run in foreground (debug)
opencanaryd --dev

Configuration File (/etc/opencanaryd/opencanary.conf)

{
    "device.node_id": "honeypot-dmz-01",
    "ssh.enabled": true,
    "ssh.port": 22,
    "ssh.version": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
    "http.enabled": true,
    "http.port": 80,
    "http.banner": "Apache/2.4.41 (Ubuntu)",
    "http.skin": "nasLogin",
    "smb.enabled": true,
    "smb.filelist": [{"name": "passwords.xlsx", "type": "xlsx"}],
    "ftp.enabled": true,
    "ftp.port": 21,
    "ftp.banner": "FTP server ready",
    "mysql.enabled": true,
    "mysql.port": 3306,
    "rdp.enabled": true,
    "rdp.port": 3389
}

Available Service Modules

Service Config Key Default Port Interaction Level
SSH ssh.enabled 22 Medium
HTTP http.enabled 80 Low-Medium
FTP ftp.enabled 21 Low
SMB smb.enabled 445 Low
MySQL mysql.enabled 3306 Low
RDP rdp.enabled 3389 Low
Telnet telnet.enabled 23 Low
SNMP snmp.enabled 161 Low
Git git.enabled 9418 Low
Redis redis.enabled 6379 Low
VNC vnc.enabled 5000 Low

Log Format (JSON, one per line)

{
    "dst_host": "10.0.0.50",
    "dst_port": 22,
    "src_host": "10.0.0.100",
    "src_port": 45321,
    "logtype": 3001,
    "node_id": "honeypot-dmz-01",
    "utc_time": "2025-03-01 14:30:00.123456",
    "logdata": {"USERNAME": "admin", "PASSWORD": "password123"}
}

Log Type Codes

Code Service Event
1001 FTP Login attempt
2001 HTTP Login attempt
3001 SSH Login attempt
5001 SMB File open
6001 Telnet Login attempt
7001 MySQL Login attempt
8001 RDP Login attempt

Cowrie SSH Honeypot

# Docker deployment
docker run -d -p 22:2222 cowrie/cowrie
 
# Session replay
bin/playlog log/tty/20250301-143000-abc123.log

Syslog Forwarding

{
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "handlers": {
                "syslog": {
                    "class": "logging.handlers.SysLogHandler",
                    "address": ["siem.example.com", 514]
                }
            }
        }
    }
}

Scripts 1

agent.py8.3 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Honeypot Deployment Agent - deploys OpenCanary honeypots and analyzes interaction logs."""

import json
import argparse
import logging
import subprocess
import os
from collections import defaultdict
from datetime import datetime

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)

OPENCANARY_CONFIG_TEMPLATE = {
    "device.node_id": "opencanary-001",
    "ip.ignorelist": [],
    "logtype.console.enabled": True,
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "formatters": {"plain": {"format": "%(message)s"}},
            "handlers": {
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log",
                },
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout",
                },
            },
        },
    },
    "ftp.enabled": False,
    "ftp.port": 21,
    "ftp.banner": "FTP server ready",
    "http.enabled": False,
    "http.port": 80,
    "http.banner": "Apache/2.4.41 (Ubuntu)",
    "http.skin": "nasLogin",
    "httpproxy.enabled": False,
    "httpproxy.port": 8080,
    "ssh.enabled": False,
    "ssh.port": 22,
    "ssh.version": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3",
    "smb.enabled": False,
    "smb.filelist": [{"name": "passwords.xlsx", "type": "xlsx"}, {"name": "backup-credentials.txt", "type": "txt"}],
    "telnet.enabled": False,
    "telnet.port": 23,
    "telnet.banner": "Welcome to the management console",
    "rdp.enabled": False,
    "rdp.port": 3389,
    "mysql.enabled": False,
    "mysql.port": 3306,
    "snmp.enabled": False,
    "snmp.port": 161,
}


def generate_config(services, node_id="opencanary-001", log_path="/var/tmp/opencanary.log"):
    """Generate OpenCanary configuration with specified services enabled."""
    config = OPENCANARY_CONFIG_TEMPLATE.copy()
    config["device.node_id"] = node_id
    config["logger"]["kwargs"]["handlers"]["file"]["filename"] = log_path
    for service in services:
        key = f"{service}.enabled"
        if key in config:
            config[key] = True
    enabled = [s for s in services if f"{s}.enabled" in config]
    logger.info("Generated config with %d services: %s", len(enabled), ", ".join(enabled))
    return config


def deploy_opencanary(config, config_path="/etc/opencanaryd/opencanary.conf"):
    """Deploy OpenCanary with generated configuration."""
    os.makedirs(os.path.dirname(config_path), exist_ok=True)
    with open(config_path, "w") as f:
        json.dump(config, f, indent=2)
    logger.info("Configuration written to %s", config_path)
    start_cmd = ["opencanaryd", "--start"]
    result = subprocess.run(start_cmd, capture_output=True, text=True, timeout=120)
    return {"config_path": config_path, "started": result.returncode == 0, "output": result.stdout[:200]}


def parse_opencanary_log(log_path="/var/tmp/opencanary.log"):
    """Parse OpenCanary JSON log file for interaction events."""
    events = []
    try:
        with open(log_path) as f:
            for line in f:
                line = line.strip()
                if not line:
                    continue
                try:
                    event = json.loads(line)
                    events.append({
                        "timestamp": event.get("utc_time", ""),
                        "dst_host": event.get("dst_host", ""),
                        "dst_port": event.get("dst_port", 0),
                        "src_host": event.get("src_host", ""),
                        "src_port": event.get("src_port", 0),
                        "logtype": event.get("logtype", 0),
                        "node_id": event.get("node_id", ""),
                        "logdata": event.get("logdata", {}),
                    })
                except json.JSONDecodeError:
                    continue
    except FileNotFoundError:
        logger.warning("Log file not found: %s", log_path)
    return events


def analyze_interactions(events):
    """Analyze honeypot interactions for threat intelligence."""
    by_source = defaultdict(lambda: {"count": 0, "services": set(), "credentials": []})
    by_service = defaultdict(int)
    credential_attempts = []
    log_type_map = {
        1001: "ftp_login", 2001: "http_login", 3001: "ssh_login",
        5001: "smb_file_open", 6001: "telnet_login", 7001: "mysql_login",
        8001: "rdp_login",
    }

    for event in events:
        src = event["src_host"]
        service = log_type_map.get(event["logtype"], f"type_{event['logtype']}")
        by_source[src]["count"] += 1
        by_source[src]["services"].add(service)
        by_service[service] += 1
        logdata = event.get("logdata", {})
        username = logdata.get("USERNAME", logdata.get("username", ""))
        password = logdata.get("PASSWORD", logdata.get("password", ""))
        if username:
            cred = {"username": username, "password": password, "service": service, "source": src}
            credential_attempts.append(cred)
            by_source[src]["credentials"].append(cred)

    source_summary = {}
    for ip, data in sorted(by_source.items(), key=lambda x: x[1]["count"], reverse=True):
        source_summary[ip] = {
            "interaction_count": data["count"],
            "services_targeted": list(data["services"]),
            "credential_attempts": len(data["credentials"]),
        }

    return {
        "total_interactions": len(events),
        "unique_sources": len(by_source),
        "service_distribution": dict(sorted(by_service.items(), key=lambda x: x[1], reverse=True)),
        "top_sources": dict(list(source_summary.items())[:20]),
        "credential_attempts": len(credential_attempts),
        "unique_usernames": len(set(c["username"] for c in credential_attempts)),
        "top_credentials": credential_attempts[:20],
    }


def check_honeypot_status():
    """Check if OpenCanary daemon is running."""
    cmd = ["opencanaryd", "--status"]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    is_running = "running" in result.stdout.lower() or result.returncode == 0
    return {"running": is_running, "status_output": result.stdout.strip()[:200]}


def generate_report(analysis, status, config):
    """Generate honeypot deployment and interaction report."""
    enabled_services = [k.replace(".enabled", "") for k, v in config.items() if k.endswith(".enabled") and v]
    report = {
        "timestamp": datetime.utcnow().isoformat(),
        "honeypot_type": "OpenCanary",
        "node_id": config.get("device.node_id", ""),
        "enabled_services": enabled_services,
        "daemon_status": status,
        "interaction_analysis": analysis,
    }
    return report


def main():
    parser = argparse.ArgumentParser(description="Honeypot Deployment and Analysis Agent")
    parser.add_argument("--action", choices=["deploy", "analyze", "status", "full"], default="analyze")
    parser.add_argument("--services", nargs="+", default=["ssh", "http", "smb", "ftp", "telnet"],
                        help="Services to enable (default: ssh http smb ftp telnet)")
    parser.add_argument("--node-id", default="opencanary-001", help="Honeypot node identifier")
    parser.add_argument("--log-path", default="/var/tmp/opencanary.log", help="OpenCanary log file path")
    parser.add_argument("--config-path", default="/etc/opencanaryd/opencanary.conf")
    parser.add_argument("--output", default="honeypot_report.json")
    args = parser.parse_args()

    config = generate_config(args.services, args.node_id, args.log_path)

    if args.action in ("deploy", "full"):
        deploy_result = deploy_opencanary(config, args.config_path)
        logger.info("Deployment: %s", "success" if deploy_result["started"] else "failed")

    status = check_honeypot_status()
    events = parse_opencanary_log(args.log_path)
    analysis = analyze_interactions(events)
    report = generate_report(analysis, status, config)

    with open(args.output, "w") as f:
        json.dump(report, f, indent=2, default=str)
    logger.info("Honeypot: %d interactions from %d sources, %d credential attempts",
                analysis["total_interactions"], analysis["unique_sources"],
                analysis["credential_attempts"])
    print(json.dumps(report, indent=2, default=str))


if __name__ == "__main__":
    main()
Keep exploring