How to use sshoney.py (SSH Honeypot)

sshoney.py is a simple Python-based SSH honeypot that can be used for conducting security research. Login attempts and login data (ip:username:password) are recorded to a local "credentials.txt" file, which you can review at any time.

The setup instructions below are exclusively for the Debian distribution.

Before running the sshoney.py Python script, you will need to generate an RSA key pair. The script uses it as its host key whenever a client attempts to log in to the honeypot. To generate the RSA key pair, follow the instructions below.

1. Generate an RSA key pair using ssh-keygen.
2. When prompted, enter the location where you will store the key pair. In this example I simply stored them in the /tmp directory.

```
/tmp/id_rsa      # private key
/tmp/id_rsa.pub  # public key
```

3. Enter no passphrase when prompted. We won't be utilizing a password with our RSA private key.

```
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /tmp/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/id_rsa
Your public key has been saved in /tmp/id_rsa.pub
The key fingerprint is:
SHA256:YrepKXqCq4R0+24sIAdTg7g4iZz+B2cffqxq/I6wwPA
The key's randomart image is:
+---[RSA 3072]----+
|.. |
|o o |
|++.. |
|Oo |
|o= . o S |
|*+o..+ + o |
|o*Eo* o = |
|o oo**.= o |
|+..=***+o |
+----[SHA256]-----+
```

Within the sshoney.py script you will need to specify the private RSA key, as in the source code below.

```
rsa_key = '/tmp/id_rsa'  # RSA host key
par_rsa_key = paramiko.RSAKey(filename=rsa_key)
```

You can now run sshoney.py. It will bind to port 22. Port 22 is a privileged port, so the script must run as root or with CAP_NET_BIND_SERVICE, and any real sshd on the host has to listen on a different port.

If you would like to run sshoney.py as a daemon at startup, you will need to fill out the following daemon skeleton file. For a daemon that starts at boot, keep the host key in a persistent directory, because /tmp is typically emptied on reboot.
Create the file as follows:

```
# vim /etc/systemd/system/sshoney.service
```

```
[Unit]
Description=sshoney.py
After=network.target

[Service]
Type=simple
WorkingDirectory=/path/to/sshoney/
ExecStart=python3.11 sshoney.py
Restart=always

[Install]
WantedBy=multi-user.target
```

In the next step you will activate the script to run as a daemon using the following commands.

```
# vim /etc/systemd/system/sshoney.service
# systemctl daemon-reload
# systemctl enable sshoney.service
# systemctl start sshoney.service
# systemctl status sshoney.service
```

You can find the source code and additional instructions for the SSH Honeypot here: https://github.com/ultros/sshoney

This honeypot was run for four months and it collected just over 45,000 passwords. The sorted and de-duped list can be found at: https://www.cybertutorials.org/downloads/sshoney-password-list-1-13-23.txt

Here are the top collected passwords (count, then password):

```
156 Password123!
159 Abc123
159 Root@123
161 Admin123456
162 password1!
162 support
168 2022
173 102030
173 1qaz@WSX
174 123qwe
175 Huawei@123
180 1qaz@WSX3edc
181 passw0rd
182 123.com
184 Huawei12#$
192 dgtij24jti3u3ji4rg
193 11111111
194 1q2w3e4r
194 P@ssw0rd123
194 root@123
207
207 Admin123
208 default
210 password123
212 abcd1234
217 0
219 000000
220 ftp
233 1qaz2wsx
241 abc123
254 J5cmmu=Kyf0-br8CsW
283 raspberry
285 passwd
289 ubnt
296 pass
309 123123
309 test123
328 1234567890
329 1234567
333 user
372 111111
404 admin123
448 p@ssw0rd
456 toor
457 ubuntu
476 123456789
486 guest
530 qwerty
697 12345678
810 1
872 root
967 test
1052 12345
1154 admin
1166 P@ssw0rd
1563 password
1571 1234
1791 123
7376 123456
```

By D. Clark | 2023-01-27T00:13:05+00:00 | January 14, 2023 | Code, Tutorials
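A frequency table like the one above can be produced directly from the honeypot's credentials.txt. The following is an added example, not code from sshoney or the original post; it assumes one ip:username:password record per line, and the function names and sample records are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the ip:username:password layout the article describes
# (one record per line is an assumption); these are not real captured records.
SAMPLE = """\
203.0.113.7:root:123456
203.0.113.7:root:P@ssw0rd
198.51.100.23:admin:123456
198.51.100.23:ubnt:ubnt
192.0.2.50:root:pa:ss:word
192.0.2.50:guest:
not-a-record
203.0.113.7:test:123456
"""

def parse_record(line):
    """Return (ip, username, password), or None for a malformed line."""
    # Split on the first two colons only: a password may itself contain ':'.
    # IPv6 sources would need a different delimiter and are not handled.
    parts = line.rstrip("\r\n").split(":", 2)
    if len(parts) != 3 or not parts[0]:
        return None
    return tuple(parts)

def summarize(lines, top=3):
    """Count passwords, usernames and source IPs across all valid records."""
    passwords, users, sources, skipped = Counter(), Counter(), Counter(), 0
    for line in lines:
        record = parse_record(line)
        if record is None:
            skipped += 1
            continue
        ip, user, password = record
        sources[ip] += 1
        users[user] += 1
        passwords[password] += 1
    return {
        "top_passwords": passwords.most_common(top),
        "top_users": users.most_common(top),
        "top_sources": sources.most_common(top),
        "unique_passwords": sorted(passwords),  # the sorted, de-duped list
        "skipped": skipped,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(key, value)
```

To run it against real data, pass the open credentials.txt file object to summarize() in place of the sample lines.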