// Cybersecurity clarified.

Setting Up Educational Honeypot Trap

2022-04-05   Dawid Farbaniec
Honeypots (traps) as a set of methods have existed for a long time. They are not tied to a specific technology. A honeypot should be understood as an idea, philosophy, mechanism or set of methods. In simple words, a honeypot is a resource, service or program whose task is to attract cyberattacks. The honeypot is intentionally exposed to hacker attacks and allows the blue team to collect information. For example:
  • are we under attack,
  • what tool or attack method is used,
  • what is attacked: entire network, specific resource, machine,
  • what is the attack motivation,
  • what the attacker wants: data exfiltration, remote control, paralysis, ransom, joke?

In this text, I would like to present the idea of the honeypot in a little more detail. It is worth noting that even when a honeypot is used ethically, it may be illegal. The main concern is privacy: monitoring transmitted data without the user's knowledge. I'm not a lawyer. Check local and international law.

There are two main honeypot types:
  • low interaction: the simulated service allows only limited interaction, for example a simulated SSH service which logs incorrect login attempts,
  • high interaction: the simulated service allows extensive interaction, for example a simulated Remote Desktop service.

Why are honeypots used? The main goals are threat hunting, network monitoring, collecting new malware samples, etc. Note that a honeypot should be properly isolated. The main dangers when using honeypots are:
  • the attacker finds out that this is a honeypot,
  • the attacker takes over the honeypot and uses it for attacks.

HoneyDB as Sample Honeypot

There are many honeypot solutions available. HoneyDB has been selected as the example.

To set up a HoneyDB agent, one can use a Virtual Private Server (VPS) with Windows or another preferred operating system. This is a very convenient solution. The created machine can be easily managed with Remote Desktop (RDP).

The HoneyDB agent for Windows is like a typical program.

The agent can be installed as a service.

Note that the HoneyDB agent application should be allowed to communicate through Windows Defender Firewall.

Performing a port scan on the server shows that honeypot services are exposed.

One can turn off or configure these services by modifying the services.conf file. Note that the Remote Desktop honeypot service (3389) should be disabled when real Remote Desktop is used to manage the server.

Access HoneyDB Threat Information API with C#.NET

Provide good bait to fish for malicious payloads. Attract with easy prey. Encourage attackers to target the honeypot. Once some data has been collected, it can be extracted. The HoneyDB project exposes a Threat Information API. Example code in C#.NET (Console Application) is provided below. Note that by observing the data field when the event is equal to RX (data received), one can find payloads used in attacks.

// See for more information

using System.Collections.Generic;
using System.Net.Http;
using Newtonsoft.Json;

using (HttpClient httpClient = new())
{
    // Put the Threat Information API endpoint URL in the empty string below.
    using HttpRequestMessage request = new(new HttpMethod("GET"),
        "");

    // Authenticate with your own HoneyDB API ID and API key.
    request.Headers.Add("X-HoneyDb-ApiId", "26b2d...30a0e4");
    request.Headers.Add("X-HoneyDb-ApiKey", "71...9aa25");

    var response = await httpClient.SendAsync(request);

    var json = await response.Content.ReadAsStringAsync();

    // Map the JSON response onto the classes defined below.
    var data = JsonConvert.DeserializeObject<List<Root>>(json);
}

/*-- JSON Classes --*/
internal class Data
{
    public string date { get; set; }
    public string time { get; set; }
    public string millisecond { get; set; }
    public string session { get; set; }
    public string protocol { get; set; }
    public string @event { get; set; }
    public string service { get; set; }
    public string remote_host { get; set; }
    public string data { get; set; }
    public string bytes { get; set; }
    public string data_hash { get; set; }
}

internal class Root
{
    public List<Data> data { get; set; }
    public string from_id { get; set; }
}
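
The RX triage described above, as an added example (not part of the original article or of HoneyDB): it reads a response shaped like the Root/Data classes, keeps the RX events, and groups payloads by data_hash before printing them safely. It uses System.Text.Json instead of Newtonsoft.Json so it runs without extra packages; the sample events, service names, addresses and hashes are constructed.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

// Constructed sample shaped like the Root/Data classes (not real HoneyDB output).
// Single quotes are swapped for double quotes to keep the literal readable.
string sampleJson = @"[{'from_id':'0','data':[
 {'event':'CONNECT','service':'Telnet','remote_host':'192.0.2.10','data':'','data_hash':''},
 {'event':'RX','service':'Telnet','remote_host':'192.0.2.10','data':'root\r\n','data_hash':'constructed-hash-a'},
 {'event':'RX','service':'Telnet','remote_host':'198.51.100.7','data':'root\r\n','data_hash':'constructed-hash-a'},
 {'event':'TX','service':'Telnet','remote_host':'198.51.100.7','data':'Password: ','data_hash':'constructed-hash-c'},
 {'event':'RX','service':'HTTP','remote_host':'203.0.113.5','data':'GET / HTTP/1.1\r\n\u001b[2J','data_hash':'constructed-hash-b'}
]}]".Replace('\'', '"');

using var doc = JsonDocument.Parse(sampleJson);

// Keep only RX (data received) events that actually carry a payload.
var rx = doc.RootElement.EnumerateArray()
    .Where(r => r.ValueKind == JsonValueKind.Object
             && r.TryGetProperty("data", out var d) && d.ValueKind == JsonValueKind.Array)
    .SelectMany(r => r.GetProperty("data").EnumerateArray())
    .Where(e => Field(e, "event") == "RX" && Field(e, "data").Length > 0)
    .ToList();

// One entry per distinct payload (grouped by data_hash), most frequent first.
foreach (var g in rx.GroupBy(e => Field(e, "data_hash")).OrderByDescending(grp => grp.Count()))
{
    var hosts = string.Join(", ", g.Select(e => Field(e, "remote_host")).Distinct());
    var services = string.Join(", ", g.Select(e => Field(e, "service")).Distinct());
    Console.WriteLine($"{Printable(g.Key)}  count={g.Count()}  services=[{Printable(services)}]  hosts=[{Printable(hosts)}]");
    Console.WriteLine("    payload: " + Printable(Field(g.First(), "data")));
}

// Missing or non-string fields are treated as empty instead of throwing.
static string Field(JsonElement e, string name) =>
    e.ValueKind == JsonValueKind.Object && e.TryGetProperty(name, out var v)
        && v.ValueKind == JsonValueKind.String ? v.GetString() ?? "" : "";

// Payloads are attacker-controlled: escape everything outside printable ASCII so
// terminal escape sequences or log-forging newlines never reach the console raw.
static string Printable(string s)
{
    var sb = new StringBuilder();
    foreach (char c in s.Length > 120 ? s[..120] : s)
        sb.Append(c >= ' ' && c <= '~' && c != '\\' ? c.ToString() : $"\\u{(int)c:x4}");
    return sb.ToString();
}
```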

Final Words

The most dangerous scenarios are honeypot detection and honeypot hijacking. To avoid detection, do not provide unrealistic resources such as a file on a banking site. Do not open too many ports. The server must appear to be a real-world production machine. To avoid hijacking, isolate the honeypot from other machines. Virtual machines can be used for this. Keep the real services and operating system updated and patched.
