Private Island Networks Inc.

Use Python and Sockets to Create a Honey Pot and Catch Bad Network Actors

Article discusses using Python with sockets to create and deploy a honey pot for the purpose of detecting malicious activity on a network. A sample Python 3 script is provided.

Overview

A malicious network actor (e.g., malware or an intruder) on a local network will attempt to find open ports as a way to discover information about a system and gain entry into it. One of the ways to detect this activity is with a honey pot. This is a specialized open port disguised as a legitimate service for the purpose of catching and alerting malicious or undesired activity.

In this article, we use Python and its socket library to develop a honey pot. There are many different paths to take when developing a honey pot. One can go as far as fully emulating a particular service (i.e., ftp) and allowing the bad actor to download false or potentially dangerous files (e.g., launch malware on your neighbor's network in retribution for him or her jumping onto yours).

In this article, we're going to meet the following goals:

  • Create a Python listener on an IPv4 known port address (telnet) using sockets
  • Show that nmap discovers our honey pot
  • Alert us when our honey pot is accessed: occurrence of a TCP (SYN/ACK) handshake

With just this basic, simple Python script, we can be alerted to malicious activity on our network.

network with hacker and honeypot

Configuration

We develop and test our honey pot using two Linux systems. The client system (Ubuntu 18.04) is used to run nmap and tcpdump. The server (Yocto, embedded Linux) is used to run our Python3 honeypot.py script as root. Note that two systems aren't actually required, and the honey pot could be run on almost any machine where Python is installed.

Tcpdump is a command line program that displays network activity. If you're unfamiliar with tcpdump you may want to review our article Examples and Options with tcpdump.

Nmap "is a free and open source (license) utility for network discovery and security auditing". It's a great tool for probing networks and discovering information (i.e., open ports on any networked system).

Both nmap and tcpdump can be installed on Ubuntu using the apt package manager:

$ sudo apt install tcpdump
$ sudo apt install nmap

The Python socket interface is modeled after the Unix socket API. When working with Python sockets, you may want to refer to Linux man pages for various definitions:

$ man socket
...
DESCRIPTION
socket() creates an endpoint for communication and returns a file descriptor that refers to that endpoint.  
The file descriptor returned by a successful call will be the lowest-numbered file descriptor not currently 
open for the process.
...

As pointed out in the Python socket documentation, the socket module / interface depends on calls to the underlying operating system, so your usage of the provided example may work differently ( or not at all) on a particular system.

Preliminaries

Let's start out by verifying that nmap and tcpdump are working properly on our client system by confirming that an ftp server is running on our embedded Linux server. Shell 1 will be used for nmap and shell 2 will be used for tcpdump. Note that we're just using ftp (tcp port 21) as an example here with the assumption that this is a service commonly run on a server. In our honey pot example below, we'll switch to telnet ( tcp port 23). Other popular ports to consider are 80 for HTTP and 22 for ssh, and you can take a look at your /etc/services file for a comprehensive list of popular ports.

client shell 1
$ nmap 192.168.3.200 -p 21

Starting Nmap 7.60 ( https://nmap.org ) at 2018-12-01 12:01 EST
Nmap scan report for p1010 (192.168.3.200)
Host is up (0.00034s latency).

PORT   STATE SERVICE
21/tcp open  ftp

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
client shell 2
$ sudo tcpdump -Xvn -i enp2s0 host 192.168.3.200 and port 21
...
<packet dump>
...

You should see packets exchanged in shell 2 when running nmap in shell 1. It's a good idea at this point to play around with different nmap options (e.g., -sV: determine service) and also try this with the ftp server not running. Note that if you're not sure which services are actually running on your (Linux) machine that have open ports, then you can run nmap without any port arguments to get a full list:

$ nmap 192.168.3.200

...
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 3.0.3
22/tcp   open   ssh         OpenSSH 7.4 (protocol 2.0)
80/tcp   closed http
443/tcp  closed https
3128/tcp closed squid-http

And keep in mind that an intruder on your system can run a similar discovery!

Socket basics from the shell

The Python socket documentation is extensive and provides enough examples that will get you started. For our purposes, let's show the setup of a basic listening port using the Python 3 interpreter on port 23 (telnet):

server shell
# python3
>>> from socket import socket, AF_INET, SOCK_STREAM
>>> sk=socket(AF_INET,SOCK_STREAM)
>>> sk.bind(('192.168.3.200',23))
>>> sk.listen()
>>> conn,addr = sk.accept()

This last line should now block, waiting for a client to connect. Go back to shell 1 on the client and run nmap with "-p 23".

client shell 1
$ nmap 192.168.3.200 -p 23

...
PORT   STATE SERVICE
23/tcp open  telnet

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

Go back to your Python shell on the server, and the command line should have returned. Type the following into the shell:

server shell
>>> print('alert ' + addr[0] + ' has connected with us')

Bringing it together

The source code for our honeypot.py script is provided below. Run the script on your server and provide the IP address that matches the interface you're listening on using the '-a' option.

server shell
# ./honeypot.py -a 192.168.3.200

Now run nmap to scan the system at port 23:

client shell 1
$ nmap 192.168.3.200 -p 23

...
PORT   STATE SERVICE
23/tcp open  telnet

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

You should see the honey pot report the activity as shown below:

server shell
# ./honeypot.py -a 192.168.3.200
honeypot has been visited by 192.168.3.36

You can also try your honey pot using the telnet client. It should close the port after the user hits the enter key (return).

$ telnet 192.168.3.200
Trying 192.168.3.200...
Connected to 192.168.3.200.
Escape character is '^]'.
Ubuntu 18.04.1 LTS
server login: 

Note that it can take up to a minute or two for ports to close after running these tests, so subsequent runs of honeypot.py may return immediately until the port closes / time outs.

Source Code

python3 script, honeypot.py
#!/usr/bin/env python3  
""" 
Copyright 2017,2018 Mind Chasers Inc,
file: honeypot.py
Demo code.  No warranty of any kind.  Use at your own risk
"""
import sys
import argparse
from socket import socket, AF_INET, SOCK_STREAM

VERSION = '0.1a'
welcome = b"Ubuntu 18.04.1 LTS\nserver login: "

def send_email(src_address):
    """ Todo: send an email if we're scanned / probed on this port """
    pass

def honeypot(address,port=23):
    """ create a single Threaded telnet listen port """
    try:
        ski=socket(AF_INET,SOCK_STREAM)
        ski.bind((address, port))
        ski.listen()
        conn,addr = ski.accept()
        print('honeypot has been visited by ' + addr[0])
        send_email(addr[0])
        conn.sendall(welcome)
        while True:
            data=conn.recv(1024)
            if data == b'\r\n':
                ski.close()
                sys.exit()
    except: 
        ski.close()
        sys.exit()
    
if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='honeypot prototype',
                                 epilog='Version: ' + str(VERSION))
    parser.add_argument('-a','--address',help='server ip address to use',action='store', required=True)   
    args = parser.parse_args()
    
    honeypot(args.address)

Debugging

If you want to step through your honeypot.py script, you can add the following line to the source:

import pdb; pdb.set_trace()

This will create an interactive debugger instance in the shell where you invoked the script. Refer to Python's documentation for more information on the Python debugger.

Issues

You now have the basics of a useful honey pot, but there is still much that can be added and should be considered:

  • Keep in mind that a honey pot is basically a fake network service, and they're easy to write. The other side of this story is to remind yourself to not blindly trust network services since providers and hackers can replace or modify them with a compromised implementation for the purpose of stealing data.
  • We picked telnet because it's simple to emulate and test. However, you NEVER want to actually have a telnet server running on one of your hosts. Telnet exchanges data across the network in the clear, which means that any eavesdropper can sniff all data exchanged including user credentials.
  • If your goal is to create an elaborate honey pot that very closely mimics the behavior of a service, then it may be better to just start with the existing source (e.g., vsftp) and patch in your alerts.
  • Our example is single threaded, which may be preferred. Consider the dangers of a multi-threaded honey pot that sends email alerts on each access and the potential to create denial of service attacks by repeatedly stimulating the honey pot service. At the very least, you'll want some sort of rate limiting in a multi-threaded honey pot.
  • Consider turning your honey pot script into a daemon and using a cron job to check its status & restart it if necessary. References are provided below for this.
  • You may see something like the following between invocations: "honeypot exception : [Errno 98] Address already in use". This can be expected while waiting for the OS to close the port. Give it a little time and try again. If you're stuck, post a comment below

References & Attribution

Didn't find an answer to your question? Post your issue below or in our new FORUM, and we'll try our best to help you find a solution.

And please note that we update our site daily with new content related to our open source approach to network security and system design. If you would like to be notified about these changes, then please join our mailing list.

Related articles on this site:

share
subscribe to mailing list:

Date: Sept. 20, 2017

Author: Chidi maduakoh

Comment:

Please can you show me some honeypots on windows OS?

Date: Sept. 20, 2017

Author: Mind Chasers

Comment:

Hi Chidi, I found that our honeypot.py script did work fine on a Windows 10 machine using python 3.5.2 from an Anaconda installation. I ran the script in a PowerShell window that I launched as Administrator: > python3 honeypot.py I wanted the Administrator permission levels so I could open port 23. I also made some tweaks to the python script to fix a couple of bugs ( e.g., the ip address is no longer hard coded ). Please let us know if you were able to get it working on Windows or if you need any other help.

Date: Sept. 28, 2017

Author: Chidi maduakoh

Comment:

Wow! thanks

Date: Jan. 3, 2021

Author: raks

Comment:

i am not able to run it on windows.When I run the script the port opens but when I do nmap scan from client shell it shows no output. everything before "conn,addr = ski.accept()" is working in windows but not after that even though i did nmap scan

Date: July 30, 2019

Author: Pritesh Joshi

Comment:

Hii Chidi, I want developing honeypot for IoT devices as my engineering projeCt can you guide me. I am studying this topic and get explored to so many things and I don't know which one will work for me Please help

Date: July 30, 2019

Author: Mind Chasers

Comment:

Hello Pritesh. Yes, A honeypot is very important for any device that can be accessed on a network since it can alert someone to an unwanted access attempt. Your request is very generic, but we would be happy to help you. Have you tested it? Did it work for you? The code is just a template / starter code. It will be up to you to customize it for your needs. Good luck!

Date: July 30, 2019

Author: Pritesh Joshi

Comment:

No I haven't implemented this code To be specific in what I want to develop is a honeypot for simple IoT based network ( simple home automation ). I am confused because every resource in internet have different approach And I am not getting correct resources for IOT honeypot. What would you recommend to study for this project. Which protocol we should use UPnP or WQTT We are group of 4. We are beginners in cyber security field Please tell necessary resources tutorials for this project. Please tell your idea for implementing this project

Add a new comment here or reply to one above:

your email address will be kept private
authenticate with a 3rd party for enhanced features, such as image upload
previous month
next month
Su
Mo
Tu
Wd
Th
Fr
Sa
loading