Forum Thread: How to Identify Honeypots?

How to identify and avoid honeypots?

9 Responses

In some cases, it is hard to identify them, but if it is very easy to exploit, it is probably a honeypot.

Also, make yourself familiar with the most widely used honeypots and that should help. For instance, check out Dionaea and Nepenthes and KFSensor as well as all those in the Honeynet Project.

The old saying "if it is too good to be true, it isn't true" applies here.


I had brute-forced a website with the recon-ng subdomain brute-force module, and it returned every single request with an OK header. Is it a honeypot?

It probably is.


You can use Shodan to identify honeypots. I believe it is useful.

How would that work?


There's a page on Shodan which can help you :)

Here's a video: Identifying Honeypots at Black Hat

This is right from EC-Council's CEH exam:

Attackers craft malicious probe packets and scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMTPS) and IMAP over SSL (IMAPS) to detect honeypots in a network. Which of the following conditions shows the presence of a honeypot?

Ports show a particular service running but deny 3-way handshakes.

Also, a service running on port 12345 might be indicative of a honeypot.
