Skill

implementing-network-deception-with-honeypots

From asi

Deploys and manages network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.

Python

Docker

Linux

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When deploying deception technology to detect lateral movement

SKILL.md

Similar Skills

implementing-network-deception-with-honeypots

5.9k

Deploys and manages network honeypots with OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.

3 files

cybersecurity-skills

implementing-network-deception-with-honeypots

Deploys and manages network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance in cybersecurity setups.

3 files

cybersecurity-skills-zh

performing-deception-technology-deployment

Deploys honeypots, honeytokens, and decoy systems like Thinkst Canary to detect post-breach lateral movement, credential abuse, and reconnaissance for SOC teams with high-fidelity alerts.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Implementing Network Deception with Honeypots

When to Use

When deploying deception technology to detect lateral movement
To create early warning indicators for network intrusion
During security architecture design to add detection depth
When monitoring for unauthorized internal scanning or credential theft
To gather threat intelligence on attacker techniques and tools

Prerequisites

Linux server or VM for honeypot deployment (Ubuntu 22.04+ recommended)
Python 3.8+ with pip for OpenCanary installation
Docker for T-Pot or containerized deployment
Network segment with appropriate VLAN configuration
SIEM integration for alert forwarding (syslog, webhook, or file-based)
Firewall rules allowing inbound connections to honeypot services

Workflow

Plan Deployment: Select honeypot types and network placement strategy.
Install Honeypot: Deploy OpenCanary, Cowrie, or T-Pot on dedicated host.
Configure Services: Enable emulated services (SSH, HTTP, SMB, FTP, RDP).
Set Up Alerting: Configure log forwarding to SIEM and alert channels.
Deploy Canary Tokens: Place credential files, shares, and DNS entries.
Monitor Interactions: Analyze honeypot logs for attacker activity.
Tune and Maintain: Update configurations based on detection results.

Key Concepts

Concept	Description
OpenCanary	Lightweight Python honeypot with modular service emulation
Cowrie	Medium-interaction SSH/Telnet honeypot capturing commands
T-Pot	Multi-honeypot platform with ELK stack visualization
Canary Token	Tripwire credential or file that alerts when accessed
Low-Interaction	Emulates services at protocol level without full OS
High-Interaction	Full OS honeypot capturing complete attacker sessions

Tools & Systems

Tool	Purpose
OpenCanary	Modular honeypot daemon with service emulation
Cowrie	SSH/Telnet honeypot with session recording
T-Pot	All-in-one multi-honeypot platform
Dionaea	Malware-capturing honeypot for exploit detection
Splunk/Elastic	SIEM for honeypot alert aggregation

Output Format

Alert: HONEYPOT-[SERVICE]-[DATE]-[SEQ]
Honeypot: [Hostname/IP]
Service: [SSH/HTTP/SMB/FTP/RDP]
Source IP: [Attacker IP]
Interaction: [Login attempt/Port scan/File access]
Credentials Used: [Username:Password if applicable]
Commands Executed: [For SSH honeypots]
Risk Level: [Critical/High/Medium/Low]