8/26/2024

Create a Honeypot Using T-Pot

  ,,     ,,     ,,
  xx    _xx_   ,xx,
 /==\   /==\   /==\
(/==\) (/==\) (/==\)
  \/     \/     \/

Honeypots are virtual traps to lure threat actors. An intentionally compromised system allows attackers to exploit vulnerabilities so you can study them to improve security policies. Setting up your own honeypot is a quick and easy project especially when utilizing T-Pot. T-Pot is a free, all-in-one multi honeypot platform that uses 20+ honeypots on various ports and features countless visualization options to display data obtained from attackers.

We will be creating our honeypot on a cloud server hosted through Vultr. It is not suggested to host honeypots using your home internet. You can sign up for a Vultr account using my referral link here. This will give you $300 in credits which will allow you to host your honeypot for free for around 6 months when following this tutorial.

After creating your Vultr account, navigate to the top right of the dashboard and click the "Deploy +" button. You will be directed to the server deployment screen. For the type, select "Cloud Computed - Shared CPU". For the server location, select a region closest to your home. It is worth noting that selecting other regions may produce different interesting results as far as the number of threat actors attempting to access your server and their location. Feel free to experiment. When asked to select an image for your server, click "Ubuntu" and select the most recent version. When selecting a plan, click the "Regular Cloud Compute" option and select the 160GB SSD option. This option gives us the base requirements for running T-Pot. You may turn off all additional features for your server including Auto Backups and IPv6. You will then be asked to name your server under "Server Hostname & Label". Once done, click "Deploy Now".

On your Compute dashboard, once the status of the server is listed as "Running", click the server name to go to the server dashboard. Click the top right "View Console" icon to launch the console for your server where you will be greeted with the server login screen. Use the Username and Password credentials listed on the server dashboard. This will give you root access to your server.

T-Pot requires you to install the service using a non-root user. We will create a new user using the following command where "*username*" is your desired username:

adduser *username*

You will be prompted through the user creation process where you will set a password and other information regarding the user. Once the user is created you will need to give them sudo privileges using the following command:

usermod -aG sudo *username*

Once given sudo permission to the new user, switch to that user by entering the following command:

su *username*

You will now switch to your new user. If you have been following this tutorial you will be in the root folder and will need to enter the following command to move back one directory:

cd ..

Change directories using the command below where "*username*" is the name of your user:

cd home/*username*

This directory is where we will clone the T-Pot Github repository. We will first need to install Git by entering the following command:

sudo apt install git

Clone the Github repository using the command below:

git clone https://github.com/telekom-security/tpotce

Change into the tpotce/ directory:

cd tpotce

Run the installer:

./install.sh

Follow the T-Pot installer prompts. Installation will take a few minutes. When asked which type of T-Pot you would like to use, select Hive by typing "h" into the command prompt.

You will be asked to setup the web user information. This information will be used to log into the T-Pot web dashboard/command center where you will be able to access the collected data. Complete the prompt by entering in a username and password.

You will eventually be told the installation is complete and you may reboot your server. Reboot by using the following command:

sudo reboot

Once your server has been rebooted, you may close out of the Vultr console. Congratulations, your honeypot is up and running!

To access the web dashboard/command center for your new honeypot enter https://<your.ip>:64297 into your web browser where "<your.ip>" is the ip address of your server, which can be found on your server dashboard on Vultr. You will be prompted to log in. Use the username and password created during the installation of T-Pot for the web dashboard. You may receive a warning from your browser. You can ignore this. Once logged in, you will be greeted with your T-Pot web dashboard:

One of the most popular tools in T-Pot is the real-time Attack Map. This map displays attacks in real-time on your server. The interface displays the world map along with information on each attack including the service the attacker is utilizing and the location/ip address of the attacker.

The Kibana tool on T-Pot is a great way to see more in-depth details about the attacks being done on your server. When accessing Kibana, you will be asked to select a dashboard. Dashboards are broken up into the honeypot type. For example, selecting the Cowrie dashboard displays attacks using ssh/telnet on ports 22 and 23. 

To see the complete list of honeypots on T-Pot and their ports, click here. The T-Pot Github also has links to all the honeypots under Technical Concept where you can learn more about each one.

No comments:

Post a Comment