Detecting Honeypots

Nishan Maharjan
Oct 31, 2018


Honeypots are systems designed to lure attackers into attempting to exploit them. The logs they generate can then be used for intelligence purposes, such as identifying attackers' methodology, understanding their aims in order to group them, or simply discovering which exploits and malware are being used in the wild.

An attacker can, however, use various techniques to identify honeypot servers. For example, they can leverage differences between the responses of a honeypot and those of a legitimate server. I tried this technique against Elasticsearch honeypots, starting with the Delilah honeypot (https://github.com/Novetta/delilah).

First of all, I sent a simple GET request from the browser. Apart from some minor differences (most likely due to Elasticsearch version differences), the output was quite similar.

Legitimate server output

Delilah output

However, when I issued the request to list all indices, there were major differences that distinguish a legitimate server from the honeypot.

Legitimate server when indices are present (information intentionally blurred out)

Even if no indices were present, a legitimate server would still return the column headers at the top.

Delilah server

Delilah simply responded with a "page not found" error.

Similarly, when I tried this against elasticpot (https://hub.docker.com/r/honeynet/elasticpot/), an error was thrown. Furthermore, elastichoney (https://github.com/jordan-wright/elastichoney/releases) responded differently even to the original simple GET request: its response had no \n character at the end.

Something to note is that these honeypots are designed to gather information about specific CVE exploits rather than to emulate the full Elasticsearch API, which is why requests outside that narrow set expose them. Similar techniques could be used against other honeypots.
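The checks above can be automated by probing the two endpoints and comparing each response with what a real Elasticsearch node returns. The following is an added example, not code from the post or from the Delilah, elasticpot or elastichoney projects. It assumes that "the request to list all indices" is `GET /_cat/indices?v` (the `?v` form is what prints a header row even when no indices exist), and the sample responses it fingerprints are constructed for the example, not captured from real servers. The `fetch` transport is an offline stub so the script runs as-is; a real scan would replace it with an HTTP client.

```python
"""Fingerprint an Elasticsearch endpoint by diffing its responses against
real-node behaviour (added example; not from the post or the honeypots).

Encodes the three observations from the post:
  1. GET /                 a real node returns a JSON banner ending in "\n"
  2. GET /_cat/indices?v   a real node returns a header row even with no
                           indices; the honeypots returned 404 / an error
The /_cat/indices?v path is an assumption; sample responses are constructed.
"""
import json
from typing import Callable, Dict, List, Tuple

# A transport is a callable: path -> (status_code, body).
Transport = Callable[[str], Tuple[int, str]]

# Leading columns of the header row a real node prints for _cat/indices?v
CAT_INDICES_HEADER = ("health", "status", "index")


def check_root(status: int, body: str) -> List[str]:
    """Return honeypot indicators seen in the response to GET /."""
    findings: List[str] = []
    if status != 200:
        findings.append(f"root returned HTTP {status}")
        return findings
    if not body.endswith("\n"):          # the elastichoney tell from the post
        findings.append("root body has no trailing newline")
    try:
        banner = json.loads(body)
    except ValueError:
        findings.append("root body is not JSON")
        return findings
    for key in ("name", "cluster_name", "version", "tagline"):
        if key not in banner:
            findings.append(f"root banner missing key {key!r}")
    return findings


def check_cat_indices(status: int, body: str) -> List[str]:
    """Return honeypot indicators seen in the response to GET /_cat/indices?v."""
    findings: List[str] = []
    if status != 200:                    # Delilah / elasticpot: 404 or error
        findings.append(f"_cat/indices returned HTTP {status}")
        return findings
    first_line = body.split("\n", 1)[0].split()
    if tuple(first_line[:3]) != CAT_INDICES_HEADER:
        findings.append("_cat/indices?v returned no header row")
    return findings


def fingerprint(fetch: Transport) -> Dict[str, object]:
    """Probe both endpoints and summarise the evidence."""
    findings = check_root(*fetch("/")) + check_cat_indices(*fetch("/_cat/indices?v"))
    return {"likely_honeypot": bool(findings), "findings": findings}


# ---- constructed sample responses (not real captures) ----------------------
REAL_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "6.4.2"}, "tagline": "You Know, for Search",
}, indent=2) + "\n"

REAL_EMPTY_CAT = ("health status index uuid pri rep docs.count "
                  "docs.deleted store.size pri.store.size\n")

SAMPLES: Dict[str, Dict[str, Tuple[int, str]]] = {
    # real node with no indices: the header row is still present
    "real-node": {"/": (200, REAL_BANNER),
                  "/_cat/indices?v": (200, REAL_EMPTY_CAT)},
    # honeypot that fakes the banner but not the _cat API (Delilah-style)
    "banner-only-honeypot": {"/": (200, REAL_BANNER),
                             "/_cat/indices?v": (404, "page not found")},
    # honeypot whose banner lacks the trailing newline (elastichoney-style)
    "no-newline-honeypot": {"/": (200, REAL_BANNER.rstrip("\n")),
                            "/_cat/indices?v": (200, REAL_EMPTY_CAT)},
}


def make_stub(name: str) -> Transport:
    """Offline transport serving one of the constructed samples."""
    return lambda path: SAMPLES[name].get(path, (404, ""))


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, fingerprint(make_stub(sample)))
```

Each check is deliberately a single, specific tell rather than a score, so that when a new honeypot starts passing one probe you can see exactly which behaviour it learned to imitate and add the next one.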
