Tom's Honeypot


Tom’s Honeypot is a low interaction Python honeypot that is designed to mimic a few specific services that are commonly targeted by attackers. These services include:

  • Remote Desktop Protocol (RDP) (TCP/3389)
  • Microsoft SQL Server (MSSQL) (TCP/1433, UDP/1434)
  • Virtual Network Computer (VNC) (TCP/5900)
  • RAdmin (Remote Administration) (TCP/4899)
  • Session Initiation Protocol (SIP) (UDP/5060)

Click Here to Download Tom's Honeypot

Tom’s Honeypot listens on specified ports for communication related to these services. When an attacker attempts to access one of these services, an alert is generated in the tomshoneypot.log file.

Since Tom’s Honeypot is just a Python script, all you need to do to run it is install a prerequisite (the Python Twisted module) and then use Python to run it. The following command will install the prerequisite in Security Onion:

sudo apt-get install python-twisted

It can be executed by running the following command:

python tomshoneypot.py >> tomshoneypot.log

Before running, you'll need to edit the interface variable near the top of the file (set it to your machine's IP address). Also, there are some instructions in the body of the code itself for getting the honeypot to tweet attacks, if you're interested in doing that.

By default, Tom’s Honeypot runs with all of its available services turned on. If you only want to run a subset of these services, you will have to manually edit the script and comment the appropriate sections out. These sections are:

reactor.listenTCP(1433, fMSSQL, interface = interface)
reactor.listenTCP(3389, fTS, interface = interface)
reactor.listenTCP(5900, fVNC, interface = interface)
reactor.listenTCP(22292, fDump, interface = interface)
reactor.listenTCP(4899, fRAdmind, interface = interface)
reactor.listenUDP(1434, uFakeMSSQL(), interface = interface)
reactor.listenUDP(5060, uFakeSIP(), interface = interface)

If you don’t want to run a particular service, simple place a pound symbol at the beginning of that services line. This will cause the Python interpreter to skip this line and forgo starting a listener on the ports tied to these services.

If you have any questions, run into any issues, or want to help improve Tom's Honeypot, you can e-mail me at tom@inguardians.com.