Skill

implementing-network-deception-with-honeypots

Deploys and manages network honeypots with OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.

Python

Docker

Linux

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When deploying deception technology to detect lateral movement

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Implementing Network Deception with Honeypots

When to Use

When deploying deception technology to detect lateral movement
To create early warning indicators for network intrusion
During security architecture design to add detection depth
When monitoring for unauthorized internal scanning or credential theft
To gather threat intelligence on attacker techniques and tools

Prerequisites

Linux server or VM for honeypot deployment (Ubuntu 22.04+ recommended)
Python 3.8+ with pip for OpenCanary installation
Docker for T-Pot or containerized deployment
Network segment with appropriate VLAN configuration
SIEM integration for alert forwarding (syslog, webhook, or file-based)
Firewall rules allowing inbound connections to honeypot services

Workflow

Plan Deployment: Select honeypot types and network placement strategy.
Install Honeypot: Deploy OpenCanary, Cowrie, or T-Pot on dedicated host.
Configure Services: Enable emulated services (SSH, HTTP, SMB, FTP, RDP).
Set Up Alerting: Configure log forwarding to SIEM and alert channels.
Deploy Canary Tokens: Place credential files, shares, and DNS entries.
Monitor Interactions: Analyze honeypot logs for attacker activity.
Tune and Maintain: Update configurations based on detection results.

Key Concepts

Concept	Description
OpenCanary	Lightweight Python honeypot with modular service emulation
Cowrie	Medium-interaction SSH/Telnet honeypot capturing commands
T-Pot	Multi-honeypot platform with ELK stack visualization
Canary Token	Tripwire credential or file that alerts when accessed
Low-Interaction	Emulates services at protocol level without full OS
High-Interaction	Full OS honeypot capturing complete attacker sessions

Tools & Systems

Tool	Purpose
OpenCanary	Modular honeypot daemon with service emulation
Cowrie	SSH/Telnet honeypot with session recording
T-Pot	All-in-one multi-honeypot platform
Dionaea	Malware-capturing honeypot for exploit detection
Splunk/Elastic	SIEM for honeypot alert aggregation

Output Format

Alert: HONEYPOT-[SERVICE]-[DATE]-[SEQ]
Honeypot: [Hostname/IP]
Service: [SSH/HTTP/SMB/FTP/RDP]
Source IP: [Attacker IP]
Interaction: [Login attempt/Port scan/File access]
Credentials Used: [Username:Password if applicable]
Commands Executed: [For SSH honeypots]
Risk Level: [Critical/High/Medium/Low]