
HoneyTrap and HoneyFarm User Documentation

Purpose: This guide is your go-to resource for understanding and using HoneyTraps and the HoneyFarm app in the Raven Portal. Whether you are new to these tools or a long-time user, you will find user-friendly insights and practical tips to enhance your skills and protect your digital assets effectively.
Created: October 25, 2023

What is HoneyTrap?

A HoneyTrap is a highly customizable honeypot framework designed for monitoring and operating inside networks. HoneyTrap can be configured to perform a wide array of tasks through the HoneyFarm App offered inside the Raven Portal. A HoneyTrap can be set to listen on all available ports to detect potential threats and gather information, or to focus on a specific port and provide predefined responses to incoming traffic.

HoneyTraps provide decoy data sets designed to attract potential attackers. When an intruder takes the bait and attempts to access these resources, HoneyTraps are triggered. Instead of revealing valuable data, they extract information from the attacker. This intel helps cybersecurity teams understand the tactics and intentions of these attackers, so they can act proactively and prevent future attacks.

These HoneyTraps can be discreetly placed in different digital contexts, such as emails, documents, and more. They lie in wait, ready to trigger upon an attacker's attempt to access them.

Advantages of Using HoneyTrap

  1. Identify Targeted Attacks: HoneyTrap allows you to gain insights into whether your system is under active targeting, helping you stay proactive in your security efforts.

  2. Understand Attack Methods: By using HoneyTrap, you can closely analyze how potential threats are targeting your system, enabling you to better fortify your defenses.

  3. IP disallow-list Generation: The framework assists in creating IP disallow-lists, helping you block known malicious IP addresses, thereby strengthening your security posture.

  4. Breach Detection: With HoneyTrap, you can effectively detect security breaches and potential vulnerabilities, allowing you to respond and protect your system.

  5. Misleading Information Deployment: HoneyTrap also empowers you to deploy misleading information, which can misguide attackers and provide valuable insights into their tactics and motivations.

Installing HoneyTrap

Currently, the deployment of HoneyTraps, also referred to as HoneyTrap Agents, is managed exclusively by the DTACT team. If you need a HoneyTrap set up, reach out to your designated contact within the company for additional guidance and support.

Note that the HoneyTrap Agent is built on Linux. It is a single binary and does not depend on any other files or services, so you can install it wherever you want.

HoneyToken

HoneyTokens are UUID (Universally Unique Identifier) strings that each HoneyTrap Agent provides so that we are able to connect and identify this unique HoneyTrap Agent in the HoneyFarm.

On start, the Agent reads its token from /etc/honeytrap-agent/honeytrap.token. If it does not find one, a new unique token is generated and stored.
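The read-or-generate behaviour described above, sketched as an added example (this is not the HoneyTrap Agent's own code). Treating a malformed token file as missing, writing the file with owner-only permissions, and the function names are assumptions of this sketch.

```python
import os
import tempfile
import uuid
from pathlib import Path

# Token location as given in the documentation above.
TOKEN_PATH = Path("/etc/honeytrap-agent/honeytrap.token")


def read_token(path):
    """Return the stored token as a canonical UUID string, or None if absent or invalid."""
    try:
        raw = path.read_text(encoding="ascii").strip()
        return str(uuid.UUID(raw))  # rejects anything that is not a UUID
    except (FileNotFoundError, ValueError):
        # Assumption: an empty or malformed file is handled like a missing one.
        return None


def store_token(path, token):
    """Write the token atomically so a crash never leaves a half-written file."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".token-")
    try:
        with os.fdopen(fd, "w", encoding="ascii") as fh:
            fh.write(token + "\n")
        os.chmod(tmp, 0o600)   # assumption: owner-only, the token identifies the Agent
        os.replace(tmp, path)  # atomic rename within the same directory
    except BaseException:
        os.unlink(tmp)
        raise


def load_or_create_token(path=TOKEN_PATH):
    """Reuse the stored token; generate and persist a new one only if none is found."""
    token = read_token(path)
    if token is None:
        token = str(uuid.uuid4())
        store_token(path, token)
    return token
```

Because the token is what ties an Agent to its record in the HoneyFarm, a token file that is deleted or replaced results in a different identity on the next start.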

HoneyFarm

HoneyFarm is an essential tool within the Raven Portal that simplifies the process of collecting, visualizing, and organizing data and events captured by HoneyTraps. It serves as a centralized platform for efficiently managing the data generated by these security instruments.

When you access the HoneyFarm application, you will discover distinct sections designed for interacting with the HoneyTraps you have established, which are discussed in the following sections:

Dashboards

This section is currently under development and will provide an overview of the HoneyTrap network's activity and performance when completed.

Agents

Within the HoneyTrap system, Agents take on the role of orchestrators, guiding the flow of network traffic. They act as intermediaries, managing the exchange of data between potential threats and the system's defenses.

They play a vital role in observing, analyzing, and responding to incoming and outgoing data, ensuring the network's security. Think of them as the traffic directors, keeping the digital roadways safe and efficient.

In the Agents section of the HoneyFarm app, you have the capability to oversee and register the different Agents that have been created. The main tab offers a summary of information for all your registered Agents, including:

  • Agent Name
  • Local Address
  • Geographical Location
  • Tags
  • Last Ping Timestamp
  • Last Update Timestamp

For each listed Agent, a three-dotted button at the far right corner grants you the options to edit or delete the particular Agent. Clicking on a specific Agent reveals a detailed view with more extensive information about that Agent.

At the top right corner of this tab, you'll find two essential buttons:

  1. Edit Agent: This button allows you to modify specific Agent details, such as the Name, Description, Location, Topic, and Tags. Any changes can be saved by pressing the "Update" button at the bottom of the editing pane.

  2. Delete Agent: Use this button to permanently remove the Agent from your list.

You can register a new Agent by clicking the "Register" button at the top right corner of the main page.

Towards the lower section of the tab, you'll find an overview of the services which emulate or proxy specific traffic provided by the selected Agent. This includes the name of the service, version, description, status, protocol, and port. For each service, the three-dotted button on the far right corner offers options to disable, configure, or delete services associated with the Agent.

At the top right corner of this section, there is an "ADD SERVICE" button, which allows you to include additional services. Specific information is required to add a service, including:

Protocol: When it comes to choosing the appropriate transport protocol, you have two distinct options at your disposal:

  • UDP (User Datagram Protocol): UDP is a lightweight, connectionless transport protocol that prioritizes speed and efficiency. It's commonly used for real-time applications like voice and video streaming, online gaming, and some IoT devices where a minor loss of data is acceptable.

  • TCP (Transmission Control Protocol): TCP is a connection-oriented transport protocol that focuses on reliability. It establishes a connection before data transfer and guarantees the orderly, error-free delivery of data. TCP is suitable for applications like browsing the web, sending and receiving email, and file transfers where data integrity is crucial.

    SSL/TLS commonly runs on top of TCP which adds a layer of security to communication.

    For more information on TCP follow link below:

    Learn more about TCP

Ports: A Port refers to a communication endpoint or a logical construct that allows multiple networked devices to distinguish between different services or processes running on the same host.

Description: In this field, provide a brief and informative description of the service you intend to create. Describe its purpose, functionality, or any other relevant details.

Brick: In this space, you can specify additional configuration or parameters related to the service. Depending on the service's requirements, you can input settings that are specific to your network or application needs.

Filling in the required information will create the desired service. Press the "UPDATE" button at the bottom of the pane to confirm and save any changes.