Dear readers of Tecnogalaxy, today we will talk about honeypot, we will see what they are and why they are used in the computer environment.

Honeypots are hardware or software systems used as bait to attract cyber criminals, study their moves and techniques in order to understand their intentions in advance and activate the right countermeasures to respond to a possible cyber attack.

The name honeypot is linked to the world of espionage, where a romantic relationship is used to steal secrets. Often an enemy spy is compromised by setting up a trap of this kind and then blackmailing her to get all the information she knows.

Technically, it is a computer that is sacrificed as a trap to attract a cyber attack. Presenting itself as a target for cyber criminals and therefore fall fully within the scope of “Intrusion Detection System (IDS)”, allowing continuous monitoring in order to identify – in advance – all attacks on computer networks and connected computers.

The use of honeypots is an active defense technique also defined as “Cyber Deception”, where you try to trick your opponent to hit the cyber perimeter of our organization, will be unwittingly driven to a precise point so as to draw him out.


As mentioned above the honeypot looks like a normal computer that has installed software and data and for this very reason it becomes a classic target for cybercriminals. The bait could present itself as a corporate billing system, “which we often see as a target of cyber criminals”, who try to find out credit card numbers.

Once inside the cyber criminals are tracked and their behavior is investigated to get clues on how to make the real corporate network safer.

To make them more attractive honeypots are made attractive because of security vulnerabilities, for example they will have ports that respond to a scan, they will have weak passwords, and vulnerable ports could be left open to attract cyber into the honeypot environment.

There are different types of honeypots, the first being email traps or spam traps that put a fake email address in a hidden location.

Since the address has the only function of being a spam trap, you are 100% sure that any mail you receive is spam. All messages that contain the same content as those sent to the trap will be automatically blocked and the sender’s IP will be added to a blacklist.

Bait database other type of honeypot that can be set up to monitor software vulnerabilities and detect attacks such as “SQL injections“, exploitation of SQL services, or abuse of permissions.

Honeypot malware mimics software apps and APIs to attract malware attacks, the malware’s features will then be analyzed to develop antimalware software or to eliminate vulnerabilities in APIs.

Spider honeypot , designed to trap webcrawlers “also called spiders” creating web pages and links accessible only to them. By doing crawler detection you can learn techniques to block malicious bots and crawlers from ad networks.

By implementing all these techniques you can monitor the incoming traffic in the honeypot system by establishing the following:

  • Where do cybercriminals come from
  • What level has the threat
  • What technique is the attacker using
  • What data and software they are interested in
  • Level of effectiveness of current security measures against cyberattacks


As we have seen in this article, honeypots are very useful to discover vulnerabilities in large systems, they could for example be used to show the high level of threat posed by device attacks, may also suggest ways to improve security.

There is also a dangerous part about using honeypots, as described a well-configured honeypot will lure cyber criminals into deception, making the attacker believe they have gained access to a real system.

There will be the same access warning messages, the same aspect , the same data fields, the same logos of your systems (all obviously fake). However, if the attacker is aware of the deception, he will surely change the attack strategy by continuing to attack your other systems leaving aside the trap.

Once an attacker touches the honeypot, they can create fake attacks to distract attention from a real exploit directed at your real production systems, sending false information to the honeypot.

A real war strategy!!!

Below I’ll show you a simple example of honeypot called the “flirt folder”, which is a frequently used technique for detecting malicious ransomware attacks.

The configuration starts by creating a folder within the system that will contain a number of files “with typical extensions that ransomware encrypts”.

This folder will be controlled by a special agent “a probe” that will be able to detect any interaction with the files contained in it.

These files being unimportant and not used by system users, any interaction “for example an encryption” will be immediately reported as an attack.

Usually ransomware encrypts by going folder by folder, the technique is to place the “flirt” folder in a location that is the first one hit by the attack.

For example, we will give it a name that puts it first in alphabetical order, the ransomware technique is to proceed to encrypt the folders in alphabetical order.

On the web you can find many solutions that are offered to set up honeypots, even some open source.

Here is a list of the most known and used:

  • Capture-HPC: A high-interaction honeypot that uses a client-server architecture, a server that establishes the sites to visit and controls several clients, which in turn open the pages and send the results of their analysis to the server.
  • Honeyd: is one of the best known, is a low-interaction honeypot server side that allows you to emulate different services and different operating systems.
  • mapWOC : an open source honeypot with high client-side interaction, loads the pages thanks to real browsers running on a virtual machine.

In conclusion, the honeypots should be implemented within a coordinated architecture that also includes an IDS “Intrusion Detection System” and the firewall.

In this way you will achieve a dual purpose: to bring out the action of the attacker, without blocking it, and collect information such as to know better their enemy.

However, the very important use of all’honeypot does not replace adequate cybersecurity within your organization

As always make good use of it by making tests on your devices / computers , making them on devices/ computers is illegal.

To the next article!

Read also:

Was this article helpful to you? Help this site to keep the various expenses with a donation to your liking by clicking on this link. Thank you!

Follow us also on Telegram by clicking on this link to stay updated on the latest articles and news about the site.

If you want to ask questions or talk about technology you can join our Telegram group by clicking on this link.

© - It is forbidden to reproduce the content of this article.