Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


introduction and use of pot honey pot

Posted by muschett at 2020-03-26

brief introduction

T-pot honeypot is a community honeypot project under Deutsche Telekom. It is a system based on docker container that integrates many honeypot programs for different applications. At present, the highest version released is t-pot 17.10 released on November 7, 2017. According to the official introduction, a new version will be released every year.

Project address:


The figure above is a part of the latest version of t-pot. T-pot can be understood as an integration of so many systems.

Here is a brief introduction to each part


Elastic search is a very powerful full-text search engine, which can quickly query massive data

In the practical application of t-pot, the logs generated by each honeypot will be imported into elastic search, so you can use elastic search to retrieve, and you can also use it to query and export data under various complex conditions


Logstash is used to receive the logs delivered from the honeypot, filter and format the data, and then submit it to elastic search for storage and indexing


Kibana is used for visual query of data, supports output of various graphs such as histogram, line chart, pie chart, sunrise chart, etc., and can also analyze the trend of a certain feature of honeypot log through time series.


Head is a web page front-end, which is mainly used to interact with elastic search cluster.

Unlike kibana above, his visualization is relatively low, but it is easier to operate the data directly, similar to the existence of phpMyAdmin


Conpot is a honeypot of low interactive industrial control system. It has a series of common industrial control protocols built in, and it is easy to modify and expand. It can cheat the attacker as much as it can to get the ultimate goal of the attacker


Cowrie is a moderately interactive SSH / telnet honeypot designed to record brute force cracking and shell operations after login

The main functions are:

cat /etc/passwd


Dionaea is a series of honeypot systems developed based on Python language and analyzed by libemu as shellcode. It supports a variety of different protocols, as shown in the following table


Elasticpot is an elasticsearch honeypot


Emobility is a highly interactive honeypot for the next generation of transportation infrastructure (charging point system) to collect the motives and methods of attackers.

The system mainly includes central charging system, charging point and simulated user transactions.


Glassopf is a web honeypot developed by Python language, which can provide various simulation based on vulnerability types


Honeytrap is a low interactive honeypot. By listening to nfqueue user mode packets, it is equivalent to listening to all other non listening ports

The main function is to observe the attacker's behavior, at the same time, it can parse the string of the attack, and download and save it accordingly


Mailoney is an SMTP honeypot


Rdpy is an RDP and VNC protocol implemented in Python. It can be used as a server and a client. It also provides a honeypot of RDP to record the RDP process


Vnclowpot is a low interactive VNC honeypot, which is mainly used to record the authentication process of VNC


Suricata is a network IDS, IPS and NSM engine, which mainly analyzes and records some useful information in the connection


P0f uses a series of complex traffic fingerprint identification to passively identify the other party's information in TCP / IP communication, such as the system and online time of the other party


Mirror installation

Install under existing system

Currently, it supports installation under the new Ubuntu 16.04 (64bit) system


The interface of t-pot is probably the web interface of kibana, ES head and other components

The honeypots in kibana in the last 7 days (August 15, 2018 to August 22, 2018) will be shown below for reference

(attack map)

(total amount and trend of attacks)

(attack area distribution)

(username and password of SSH honeypot record)


Basically, the logs of each honeypot are imported into elastic search, so we can quickly find the logs we want in the huge logs. However, I am not familiar with the syntax of elastic search, so I will record several commonly used structures for future use

Use location: ES head - > composite query

ES Head -> 复合查询

Query logs from an IP

{ "query": { "bool": { "must": [ { "term": { "src_ip.keyword": "" } } ] } }, "from": 0, "size": 50 }

Query logs from an IP and arrange them in reverse order by date

{ "query": { "bool": { "must": [ { "term": { "src_ip.keyword": "" } } ] } }, "from": 0, "size": 50, "sort": [ { "@timestamp": "desc" } ] }

List the most frequently used user names from the Cowrie honeypot

{ "query": { "bool": { "must": [ { "term": { "type.keyword": "Cowrie" } } ] } }, "aggs": { "genres": { "terms": { "field": "username.keyword", "size": 10 } } }, "size": 0 } 2018.08.21 root - 19660 admin - 7267 空 - 2626 enable - 876 shell - 870 user - 596 Administrator - 571 super - 515 superuser - 514 tech - 375

By the way, I listed the first 20 passwords. Just change the query parameters

空 - 5255 1234 - 1024 system - 876 admin - 862 sh - 846 password - 833 123456 - 802 12345 - 623 ibmdb2 - 514 user - 434 pass - 421 1111 - 415 7ujMko0admin - 414 666666 - 413 888888 - 412 54321 - 410 changeme - 384 cat1029 - 380 alpine - 377 manager - 363

List logs from Suricata with port 80 and user agent starting with Python request

{ "query": { "bool": { "must": [ { "term": { "type.keyword": "Suricata" } }, { "term": { "dest_port": "80" } }, { "wildcard": { "http.http_user_agent.keyword": "python-request*" } } ], "must_not": [], "should": [] } }, "size": 50 }

Reference link

dtag-dev-sec/tpotce: T-Pot Universal Installer and T-Pot ISO Creator

dtag-dev-sec/t-pot-autoinstall: Autoinstall T-Pot on Ubuntu 16.04

T-Pot 17.10 - Multi-Honeypot Platform rEvolution

Construction of honeypot platform based on docker: t-pot 17.10 - freebuf Internet security new media platform | focus on hackers and Geeks