Honeypots are not new and lot of organizations use it as an early warning indicator of a potential compromise. You can build honeypots for any service you want, and there are VM images available which actually bundle multiple honeypot services together.

While starting up generic honeypots are relatively easy, there is a bigger opportunity to customize these services in the new age of GenAI.

Making it believable

A good, believable, honeypot could effectively keep a determined attacker busy long enough for detection to catch up. For this not only do you have to start up multiple honeypots across different ports, you also have to make sure its config files look believable for the organization its in. For example, if the organization is called “Blogofy Inc”, you cannot have a generic httpd config file which talks about “ACME Corp”. An even better honeypot is the one which understands the size of the company, the business its in, the architecture of the network and website, knows which part of the world its located in, and even knows who the primary Admins are.

GenAI can help

Before the advent of GenAI, all of these customizations had to be done by hand. But with tools like Gemini, most of these can now be done on the fly by designing a prompt which tell the story. Gemini can do the rest.

In the following examples which I’ve implemented on my test server, you will quickly notice a pattern coming through the files. All of these files were created using the same exact prompt which provided context to Gemini to understand how to subtly modify the responses to align them into something which looks like its coming from a real server. The prompts do not have to be very long, but you could choose to give it longer prompts to get it closer to reality. I think Gemini can take upto 2M tokens as input, which is a LOT.

Telling the story

Here is how my prompt starts

You are a Honeypot running on an IT server (blogofy.com) managed by Dopey, the IT Administrator for Blogofy Toy Corporation, located at the North Pole. You are a renowned toy manufacturing company owned and operated by CEO and President, Santa Claus (also known as St. Nicholas). Your CTO is Grumpy. Currently, you are in peak season, rushing to manufacture and deliver toys by December 25th. Everyone is extremely busy and focused on meeting this deadline. Dopey is responsible for maintaining our network and systems, troubleshooting any issues, and ensuring smooth operations during this critical time. Remember, time is of the essence, and any disruptions can significantly impact our toy production and delivery schedule. Your goal is to make sure the honeypot is very very believable, such that attackers spend time trying to figure out whats going on and our detection modules are able to find them before they disrupt anything.

Examples

I have a server blogofy.com which hosts some of the javascript based games my kids created over the last few months. But what is not easily visible is that this server also hosts a Gemini based honeypot which will happily give you any file you are looking for. Its very hacky at the moment, but as a proof of concept this is decent enough. Here are some concrete examples.

What are the probes looking for

Beyond just targetted attacks, for which this will do a good job, honeypots can also be an interesting tool to study what malware probes are looking for. The following log fragment was captured on Dec 8th. After the probe got a 200 on xleet.php (which I suspect is a malware by itself), it quickly came back to look for what else is on the system. You can see the entire list below to see that this probe already knew what tools have security holes (or are malware themselves) and was specifically looking for their presense.

None of this may have happened if the first request was not responded with a 200 :)

52.187.42.170 10192092 "GET /xleet.php HTTP/1.1" 200 6815 blogofy.com
52.187.42.170 2261 "GET /autoload_classmap.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2484 "GET /classsmtps.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2564 "GET /cljntmcz.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2790 "GET /cloud.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2483 "GET /cnzcsfwm.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2191 "GET /colors.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2272 "GET /colour.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2267 "GET /conf_upload.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2245 "GET /config.php7 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2697 "GET /contact_tpl.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2416 "GET /content.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2450 "GET /content.php888 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2505 "GET /contentloader1.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2264 "GET /cookie.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2442 "GET /cron.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2398 "GET /css.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2364 "GET /csv.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2468 "GET /curl.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2484 "GET /delpaths.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2242 "GET /depotcv.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2536 "GET /disagraeed.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2253 "GET /disagraeosc.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 3283 "GET /disagraep.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2452 "GET /disagreed.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2550 "GET /disagrsod.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2731 "GET /dropdown.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2352 "GET /ds.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2554 "GET /dxc.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2723 "GET /e69ovfsr.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2512 "GET /eNtnKM.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2737 "GET /edit.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2410 "GET /embed.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2327 "GET /eq2hbpgs.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2291 "GET /error.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2339 "GET /essexec.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2536 "GET /ewywe1dg.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2414 "GET /exif.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2543 "GET /extractable-loader-head.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2360 "GET /f.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2271 "GET /f35.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2455 "GET /favicon.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2415 "GET /feed-rss2-queue.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2505 "GET /feeds.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2402 "GET /fi2.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2961 "GET /fied.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2090 "GET /files.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2321 "GET /flower.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2527 "GET /fm.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2493 "GET /fm2.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2473 "GET /fox.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2501 "GET /fucixwya.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2851 "GET /functions.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2217 "GET /fw.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2899 "GET /fxcexgle.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2229 "GET /gebase.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2574 "GET /gebase.php69 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2183 "GET /gecko-new.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2271 "GET /getid3-core.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2426 "GET /global.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2127 "GET /go.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2584 "GET /haiterus.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2666 "GET /headerg.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2625 "GET /hello.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2479 "GET /help.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2646 "GET /hkvkjguw.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2500 "GET /hoot.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2511 "GET /hyIPpxWDQ.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2084 "GET /iR7SzrsOUEP.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2190 "GET /inc.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2573 "GET /0.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2180 "GET /02.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2187 "GET /1.php7 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2207 "GET /12.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2329 "GET /123.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2035 "GET /1index.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2409 "GET /1p.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2632 "GET /22.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2591 "GET /24.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2183 "GET /404.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2241 "GET /404.php123123 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2284 "GET /4price.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2275 "GET /5173e.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2737 "GET /83064.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2959 "GET /Alfa.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2588 "GET /Auth.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2658 "GET /BIBIL0DAY.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2136 "GET /BIBIL_0DAY.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2476 "GET /Casper.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2198 "GET /DxHhVcy2bmJ.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2492 "GET /GOD.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2169 "GET /IDhrIlrLb.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2168 "GET /Js.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2650 "GET /M1.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2134 "GET /MYK4TJEfFvO.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2377 "GET /NFXxUAA.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2182 "GET /NewFile.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2295 "GET /Njima.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2222 "GET /OK.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2231 "GET /OthioNDwMEK.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2903 "GET /aQzODIgoBr.php HTTP/1.1" 404 314 blogofy.com
52.187.42.170 2957 "GET /aaa.php HTTP/1.1" 404 436 blogofy.com
52.187.42.170 2624 "GET /ab1ux1ft.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2499 "GET /about.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 4604 "GET /about.php525 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2798 "GET /about.php7 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 4437 "GET /access.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 5036 "GET /add_actualites.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2466 "GET /addslashes.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2585 "GET /admin.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 4600 "GET /admin.php1 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 7542490 "GET /admin.php7 HTTP/1.1" 200 2820 blogofy.com
52.187.42.170 2674 "GET /ae.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 4312 "GET /aksinet.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 4195 "GET /al.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 4164 "GET /aleXus.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 3019 "GET /alfa-rex.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 6181 "GET /alfa-rex.php7 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 4289 "GET /alfanew.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 3741 "GET /alfanew.php7 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2471 "GET /alumni_reg.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2463 "GET /amaxx.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2684 "GET /as.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 4347 "GET /asasx.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2497 "GET /backup.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2645 "GET /bak.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2633 "GET /beence.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2673 "GET /bihnmimh.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2490 "GET /block-bindings.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2162 "GET /blog.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2342 "GET /blog.php7 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2150 "GET /browse.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2470 "GET /bypass.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2409 "GET /bypass.php7 HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2139 "GET /c.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2192 "GET /c99.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2372 "GET /cJLGqzB.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2183 "GET /cache-base.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2175 "GET /cadastro-2.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2753 "GET /catuploadcsv.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2621 "GET /chosen.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2472 "GET /class-IXR-base64-view.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2424 "GET /class-IXR-encryption.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2376 "GET /class-php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2541 "GET /class-walker-category-dropdown-class.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2226 "GET /class-walker-comment-beta.php HTTP/1.1" 404 295 blogofy.com
52.187.42.170 2351 "GET /class-wp-cmd.php HTTP/1.1" 404 295 blogofy.com