sshoney.sh is a simple Python-based SSH Honeypot that can be used for conducting security research.

Logon attempts and login data (ip:username:password) are recorded to a local “credentials.txt” file which you can review at any time.

The setup instructions below are exclusively for the Debian distribution.

Before running the sshoney.py Python script you will need to generate an RSA key pair that is used by the script when an attempt is made to login to the Python-based SSH Honeypot.

To generate the RSA key pair, follow the instructions below.

  1. Generate an RSA key pair using ssh-keygen.
  2. When prompted enter the location where you will store the key pair. In this example I simply stored them in the /tmp directory.
    1. /tmp/id_rsa  # private key
    2. /tmp/id_rsa.pub  # public key
  3. Enter no passphrase when prompted. We won’t be utilizing a password with our RSA private key.
Copy to Clipboard

Within the sshoney.sh script you will need to specify the private rsa_key like in the source code below.

Copy to Clipboard

You can now run sshoney.py. It will bind to port 22.

If you would like to run sshoney.py as a daemon at startup, then you will need to fill out the following Daemon Skeleton file.

Create this file like the following:

Copy to Clipboard
Copy to Clipboard

In the next step you will activate the script to run as a daemon using the following commands.

Copy to Clipboard

You can find the source code and additional instructions for the SSH Honeypot here:

https://github.com/ultros/sshoney

This honeypot was run for four months and it collected just over 45,000 passwords. The sorted and de-duped list can be found at:

https://www.cybertutorials.org/downloads/sshoney-password-list-1-13-23.txt

Here are the top collected passwords:

156 Password123!
159 Abc123
159 Root@123
161 Admin123456
162 password1!
162 support
168 2022
173 102030
173 1qaz@WSX
174 123qwe
175 Huawei@123
180 1qaz@WSX3edc
181 passw0rd
182 123.com
184 Huawei12#$
192 dgtij24jti3u3ji4rg
193 11111111
194 1q2w3e4r
194 P@ssw0rd123
194 root@123
207
207 Admin123
208 default
210 password123
212 abcd1234
217 0
219 000000
220 ftp
233 1qaz2wsx
241 abc123
254 J5cmmu=Kyf0-br8CsW
283 raspberry
285 passwd
289 ubnt
296 pass
309 123123
309 test123
328 1234567890
329 1234567
333 user
372 111111
404 admin123
448 p@ssw0rd
456 toor
457 ubuntu
476 123456789
486 guest
530 qwerty
697 12345678
810 1
872 root
967 test
1052 12345
1154 admin
1166 P@ssw0rd
1563 password
1571 1234
1791 123
7376 123456