T-Pot Honeypot Implementation and Analysis

5 min readFeb 11, 2022


First, I would like to thank you for taking time to read this as we all understand everyone’s time is invaluable. I will be striaght to the point on the steps and ideas used for this project.

*Contact me if you have any questions or feel as though I left out any steps*

Contact Banner

Table of Contents:

  1. Technologies Used
  2. T-Pot Time and Location
  3. Types of Attacks Analysis
  4. Debrief


Good day!

First, I use AWS EC2 in order to create a virtual machine that is configured in such a way that it attracts bears to the honey!

Next, T-Pot 20.06 runs on Debian (Stable), is based heavily on docker, docker-compose and includes dockerized versions of honeypots that can be used to view and analyze traffic/data

Then, Elastic stack. I use an elastic stack called ELK stack which consists of Elasticsearch, Kibana, Beats, and Logstash.

Last, but certainly not least… Docker! We use docker here to deliver software in packages called containers! What does this mean?

It means docker, docks the application we want to run to a port we want to visit!

Happy Sailing!


You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.


The T-Pot Honeypot is a virtual machine with multiple Honeypots created by T-Mobile, combining existing honeypots (glastopf, kippo, honeytrap and dionaea) with the network IDS/IPS suricata, and T-Mobile’s own data submission ewsposter which now also supports hpfeeds honeypot data sharing.

Elastic Stack

It is a multi-layered tool that assists in threat vulnerability scanning and monitoring. That’s Elasticsearch, Kibana, Beats, and Logstash (also known as the ELK Stack). Reliably and securely take data from any source, in any format, then search, analyze, and visualize it in real time. Elasticsearch is a search engine based on the Lucene library. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.


Docker is a set of platform as a service (PaaS) products that use OS-level virtualization to deliver software in packages called containers.

2) T-Pot Time and Location

On AWS you can select the region you would like set-up your region to. For mine, I selected Asia Pacific (Seoul) ap-northeast-2.

AWS Regions

The time we will be using is covering the span of 8hrs:

  • Start: 04:25 EST
  • End: 12:25 EST
  • Date: February 09, 2022

I have a AWS cloud VM set up with using EC2 in the region of Asia Pacific (Seoul) ap-northeast-2. I choose this region for the exercise in order to gauge the attack activity from countries I find interesting that are in that area.


I will provide a list of common honeypots:

  • adbhoney — a low interaction honeypot designed to catch whatever malware is being pushed by attackers to unsuspecting victims which have port 5555 exposed.
  • ciscoasa — A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018–0101, a DoS and remote code execution vulnerability
  • citrixhoneypot — Honeypot for CVE-2019–19781 (Citrix ADC)
  • conpot — Conpot is an ICS honeypot with the goal to collect intelligence about the motives and methods of adversaries targeting industrial control systems.
  • cowrie — Cowrie is a medium to high interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.
  • dicompot — Dicompot is a fully functional DICOM server with a twist.
  • dionaea — Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls.
  • elasticpot — elasticpot is a honeypot simulating a vulnerable Elasticsearch server opened to the Internet.
  • heralding — Sometimes you just want a simple honeypot that collects credentials, nothing more. Heralding is that honeypot!
  • honeysap — HoneySAP is a low-interaction research-focused honeypot specific for SAP services. It’s aimed at learn the techniques and motivations behind attacks against SAP systems.
  • honeytrap — Honeytrap is an extensible and opensource system for running, monitoring and managing honeypots.
  • mailoney — Mailoney is a SMTP Honeypot.
  • medpot — HL7 / FHIR honeypot
  • rdpy — Remote Desktop Protocol honeypot
  • snare — SNARE is a web application honeypot sensor attracting all sort of maliciousness from the Internet.
  • tanner — TANNER is a remote data analysis and classification service to evaluate HTTP requests and composing the response then served by SNARE.

First, I will filter for cowrie:

Then we will filter for what commands were run:

And now we analyze the results:

94 hits, largest spike at 0550 with 26 at once and the most persistent at 1030–1110 totaling 47 during this span of time.

Feb 9, 2022 @ 05:51:56.508


Feb 9, 2022 @ 05:51:56.507


Feb 9, 2022 @ 05:51:56.491

cd /tmp && chmod +x vg7WeNQK && bash -c ./vg7WeNQK

Feb 9, 2022 @ 05:51:52.444

scp -t /tmp/vg7WeNQK

I will now search for what *Usernames and *Passwords were the most used during this time:

Pi — 5

root — 1

User — 1

From this I see that Raspberry Pi was the most targeted.


I used AWS EC2 in order to start up a VM and connect to it via SSH from my Kali VM. I then installed tpot and accessed the dashboard through an assigned port. I researched and viewed different types of attacks. I then used tpot to conduct analysis on attacks done on tpot.

*Contact me if you would like to recommend a tutorial/topic*




Experienced Cyber Security/Intelligence Analyst with a demonstrated history of working in the US Military and IT industry.