Close Menu

Virtual Honeypot Fingerprinting

Center for Cyber Security and Forensics Education, Cyber Forensics and Security Laboratory, Information Technology and Management Project
Victor Gomes
Christopher Hernandez
Kayode Omojola
David Schluchter
Spring 2016

In this paper, KFSensor and Honeyd (two widely-used low-interaction honeypots) and Kippo (a medium-interaction honeypot) are deployed to simulate Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Secure Shell (SSH) services in an isolated, virtual environment. This environment is populated with legitimate virtual machines running actual services to both hide the honeypots and to provide a control baseline for analysis. Both low-interaction honeypots were identified using commonly available network scanning and vulnerability analysis tools while the medium interaction one was not.


In this paper, KFSensor, Honeyd and Kippo are fingerprinted against control machines running legitimate services in an isolated, virtual environment. Specifically, these honeypots will be simulating FTP and HTTP and SSH servers. The network is populated with two legitimate virtual machines in order to hide the honeypots and act as controls for the services being tested. A “Gray Hat” machine is placed within the network environment to mimic an attacker’s initial probing, network reconnaissance and vulnerability assessment. These scans attempt to fingerprint the honeypots by their network behavior and interactions with the adversary.

Despite the varying size, scope and use, all honeypots can be classified by shared similarities in their characteristics and behavior.

High-interaction honeypots allow the attacker to interact more with the honeypot. High-interaction honeypots are real-world systems with bogus data that, once breached, allow the intruder access to the system. This high level of interaction can allow more detailed analysis of attack patterns, new vulnerabilities or identifying the attacker’s identification and motives. However, allowing access into the system creates the potential risk of giving the attacker a foothold into one’s actual systems in which to launch further attacks.

The Gray Hat virtual machine is an installation of Kali Linux 2.0, a Debian-based distribution designed for digital forensics and penetration testing. As a Windows-based honeypot, KFSensor is installed on a separate machine running Windows 8 Professional. The Linux machine contains an installation of HoneyDrive, a collection of honeypots, network and forensic tools pre-installed and pre-configured in Xubuntu Desktop 12.04.4 LTS. Other similar honeypot distributions exist (two of note are Stratagem and ADHD), but HoneyDrive was chosen because of it is an active project with a large active community.

Honeyd and KFSensor are configured to simulate FTP (a file transfer language over a TCP/IP network), HTTP (a language for encoding and transporting information between a web server such as Apache, and a client such as a web browser) and SSH services while Kippo only runs SSH service. SSH is a service that provides secure and encrypted communication between two untrusted hosts over an insecure network. These three services were chosen because they are not platform specific; thus, they can run on both low-interaction honeypots and both control machines.


Initial testing concluded the two low-interaction honeypots tested were easily fingerprinted using service interaction technique. On the other hand, the only medium-interaction honeypot, Kippo, was not fingerprinted using that same technique.For the honeypot implementations, future work will focus upon finding newer honeypots and refining the honeypots already in place. Honeyd is an older tool and may be deprecated. However, fixing the latency caused by ARP spoofing and updating Honeyd’s outdated service scripts will be examined to see if performance can be enhanced.In terms of detection, future iterations of this project will look at customizing NSE scripting and implementing Python scripts. A means of automating the detection process will be examined to closely mirror the unattended operation of many of today’s cyber-attacks.

SmartLab Student Projects

Our team was given the task of develop an electronic prototype covering the elements learned in the Embedded Systems course. These elements are electricity, data collection, data transmission, and data presentation. To do this, we created an electronic version of the board game Go.

EcoTower takes Hydroponic farming to the next level by using technology to self-regulate plant growth. Hydroponics is the science of giving a plant the necessities for growth and longevity.

Technology has brought the benefits of incorporated multi-sensor equipment to the masses. Although, the application of sensors and their associated systems has increased and transformed the world forever, the fundamentals of the main sensor types and their functionality has not.

This project is the outcome of multiple semesters work with ComEd to develop a reliable sensor platform.

As an Information Technology student and a person very much interested in Art, it was easy for me to be hooked by Digital Art. Project Aura was an idea that stemmed from my passion for Technology and Art.