Forum Thread: How to Identify Honeypots?

How to identify and avoid honeypots?

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.

5 Responses

In some cases, it is hard to identify them, but if it is very easy to exploit, it probably a honeypot.

Also, make yourself familiar with the most widely used honeypots and that should help. For instance, check out dionaea and nepenthes and kfsensor as well as all those in the honeynet project.

i had bruteforced a website with recon-ng subdomain bruteforce module. and it returned me every single request with ok header. is it a honeypot?

You can use shodan to identify honeypots. I believe it is useful.

Here's a video Identifying Honeypots at Black Hat

This is right from EC-Council's CEH exam:

Attackers craft malicious probe packets and scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMPTS) and IMAP over SSL (IMAPS) to detect honeypots in a network. Which of the following condition shows the presence of a honeypot?

Ports show a particular service running but deny 3 way handshakes.

Also, a service running on port 12345 might be indicative of a honeypot.

Share Your Thoughts

  • Hot
  • Active