Practical Honeypots – A List of Open-source Deception Tools That Detect Threats For Free

If you’re a target for either financially motivated cyber-criminals, or nation state grade attackers, chances are your security team feels outgunned — the bad guys have the time, the skills, and the resources to affect a data-breach, and they only have to succeed once, while your security team has to get it right every time. What if you could turn the tables on them?

Deception technology excels at detecting these attacks by shifting the cognitive, economic and time costs of the attack back onto the attacker. The principles of deception have been around for years, and recently, they’ve become the secret weapon of purple teams and threat hunters worldwide. The good news is, you can get started seeing the benefits of deception for free using a plethora of open-source honeypots that you can deploy immediately.

We’re firm believers that deception is so crucial to detecting lateral movement, uncovering privilege escalation, and building threat intelligence, that any deception, even old-school honeypots are valuable. Whenever we’re on the road, we make it a point to give a shout-out to some of these tools, and will happily help you plan how you can use them. For free, no strings attached. Just get in touch!

Caveat Emptor: You get what you pay for — Some of these tools may no longer be supported, and will require leg-work to get going, but they’re a great way to get familiar with deception. They’re also emulations, not real systems, so don’t expect high-interaction activity. While we’ll offer friendly advice around how you can use them, we don’t officially support them.

Network services

  • Cowrie – Cowrie is an SSH honeypot based off an earlier favourite called Kippo. It will emulate an interactive SSH server with customisable responses to commands. Another alternative is HonSHH which sits between a real SSH server and the attacker, MiTMing the connection and logging all SSH communications.
  • Dionaea is a multi-protocol honeypot that covers everything from FTP to SIP (VoIP attacks). Where it really excels is for SMB decoys. It can even simulate malware payload execution using LibEmu to analyse multi-part stagers.

IOT (Internet of Things) decoys

  • Honeything emulates the TR-069 WAN management protocol, as well as a RomPager web-server, with vulnerabilities. Other IoT decoys can be created by emulating embedded telnet / FTP servers, for example with BusyBox.

SCADA/ICS decoys

  • ConPot emulates a number of operational technology control systems infrastructure, including protocols like MODBUS, DNP3 and BACNET. It comes with a web-server that can emulate a SCADA HMI as well.
  • GasPot emulates a Veeder Root Gaurdian AST that is commonly used for monitoring in the oil and gas industry.

Database and NoSQL honeypots

  • MongoDB-HoneyProxy emulates an insecure MongoDB database. Hackers regularly scan the interwebs looking for administrators who had an ‘oops moment’ and exposed their DB to the world.
  • ElasticHoney emulates an ElasticSearch instance, and looks for attempted remote code execution.

Credential honeypots and honeytokens

  • DCEPT by Dell SecureWorks places deceptive credentials in Microsoft’s Active Directory.
  • Canarytokens by the great guys at Thinkst let you place different types of decoy data across your systems, waiting for an attacker to trigger them.

Honeyclients and malware analysis

  • Thug is a ‘honeyclient’ that mimics the behaviour of a web-browser to analyse client-side exploits. It can be used to analyse dodgy links, determining whether they serve up malicious JavaScript, ActiveX or Flash components. It can download payload samples and integrates with VirusTotal to analyse what gets served.
  • Cuckoo Sandbox is not really a honeypot, but it’s a great sandbox for malware analysis. You can safely and programmatically execute possible malware samples, including binaries, Microsoft Office documents and emails within a Cuckoo VM and receive a full report on what code executed, what file / registry changes were made, and what network callbacks were observed. Pair it with VMCloak to automatically build sandbox VM’s that are harder for malware to fingerprint.


  • Honeydrive is a GNU/Linux distribution that comes pre-installed with a lot of active defence capabilities. Consider it the anti-Kali.
  • MHN combines Snort, Kippo, Dionaea and Conpot, and wraps them for easy installation and use.

Setting up most of these in a lab should be a fairly simple weekend project for the seasoned security professional. You can then run red-team style attacks against them to figure out exactly what sort of telemetry you can expect. Finally, you can tweak the source to reduce how easily they can be fingerprinted (don’t forget to submit patches to the authors if you do).