Creating a Raspberry Pi Honeypot
Creating a honeypot using DShield
CyberWannaBe
10/9/2024
This is a project that is fun to mess with once you have it set up. All logs will be recorded at https://isc.sans.edu/. You will need to create an account, which I will go over later. Keep in mind that this will be running on your local network. Even though you should not have issues with malicious connections to your actual network, you should still make sure you have a properly configured firewall in place before making this public facing.
Step 1: Install Raspberry Pi OS Lite (32-bit)
Go to https://www.raspberrypi.com/software/ and download the Raspberry Pi Imager.
Select the device you will be using, the Raspberry Pi OS version, and the SD card. Remember that the SD card will be completely reformatted.
I will be using the OS Lite 32-bit version that can be found under the "Other OS" section of the imager.
Open the configuration settings and enable SSH with "Use password authentication".
Make sure to set the hostname, username and password, time zone and keyboard layout.
I had issues with the keyboard because I did not set it to US.
Next, write the image to the SD card.
Step 2: SSH into the pi and run updates
FYI: I ran into a networking issue here where I could not find the IP of the device on my network. It turns out the device was not connecting to the network after configuring the network settings in the Pi Imager. If that's happening to you, I documented the solution at the end of the post.
Find the device on the network using arp or any network scanning tool you like to use. I am on Mac and use LanScan.
Next, SSH into the device. You can use putty or something similar. I am going to be using Royal TSX.
Now that you are connected, run some updates to prep the system.
I am going to be using "sudo apt update && sudo apt-get -uy dist-upgrade".
"-u" is used to tell "apt-get" to upgrade all installed packages.
"-y" is used to answer "yes" to any prompts.
"dist-upgrade" is used to ensure that the system is upgraded to the latest version of the distro. It also removes old packages that are no longer needed.
Once that is complete, restart the pi with "sudo reboot".
Step 3: Install DShield
SSH back into the Pi and install git with "sudo apt-get -y install git".
Once it is installed, download DShield with "git clone https://github.com/DShield-ISC/dshield.git".
Once that's done, cd into the cloned repository's "dshield/bin/" directory and run the installer there with "sudo ./install.sh".
After it is finished, you will see the following prompt.
Select "yes" for the prompts until you see the "Automatic updates" prompt. Make sure it is set to automatic updates, since you do not want to have to do this manually.
Next you will see the prompt below. Visit https://isc.sans.edu/honeypot.html and create an account.
After signing up you will see your API key. Enter the email address you used to sign up and the API key to proceed.
Next, keep everything at the default until you get to this prompt.
Take note of this, because this is the port you will be using to connect as an admin.
Keep going, leaving everything at the default, until you get to your SSL certificate. This is basically your decoy information, and you can set it to anything you like. I am just going to leave it at the default for now.
Next, say "yes" to signing the certificate and reboot the Pi with "sudo reboot".
With that the honeypot is complete! Run some tests: from a Kali machine, run nmap against the Pi and see how many ports are now open.
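As an added sanity check after that reboot (example code written for this post, not part of the DShield project), the function below reads "ss -tlnp" output from the Pi and confirms that the real sshd now listens only on the admin port you noted from the installer prompt; the admin port 12222 and the sample listener tables are constructed assumptions.

```shell
#!/bin/sh
# Post-install check for the DShield Pi honeypot (added example, not DShield code).
# Assumes the installer moved the real sshd off port 22 to an admin port
# (12222 below is an assumed value; use the one shown in your installer prompt).

# check_ports "<output of ss -tlnp>" <admin_port>
# Prints a verdict; returns 0 only when sshd is off 22 and on the admin port.
check_ports() {
    ss_out=$1
    admin_port=$2
    rc=0
    # A listener on :22 owned by sshd means the honeypot is not in front of it.
    if printf '%s\n' "$ss_out" | grep -E ':22[[:space:]].*sshd' >/dev/null; then
        echo "WARN: real sshd still listening on 22; honeypot is not in front of it"
        rc=1
    fi
    # The admin port must be served by sshd, or you lock yourself out after reboot.
    if ! printf '%s\n' "$ss_out" | grep -E ":${admin_port}[[:space:]].*sshd" >/dev/null; then
        echo "WARN: sshd not listening on admin port ${admin_port}"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: admin sshd only on ${admin_port}"
    return "$rc"
}

# Constructed sample output in the layout of `ss -tlnp` after a good install:
# sshd on the admin port, a different (honeypot) process holding port 22.
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:12222      0.0.0.0:*     users:(("sshd",pid=512,fd=3))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("python3",pid=980,fd=7))'

# Constructed sample where the installer did not take effect: sshd still on 22.
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=512,fd=3))'

check_ports "$SAMPLE_GOOD" 12222
check_ports "$SAMPLE_BAD" 12222 || true
```

On the Pi itself, run it as check_ports "$(ss -tlnp)" 12222 over SSH before you close your current session.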
Here is the network issue I ran into earlier.
The Pi was not connecting to my home network even though I set everything up in the Pi Imager settings. This is the solution.
I connected the pi to a monitor and changed directories to “/etc/wpa_supplicant/”
I configured the “wpa_supplicant.conf” with nano and entered the following line of data.
Restart the wpa_supplicant service with "sudo systemctl restart wpa_supplicant".
Then connect to the network using the following command:
sudo nmcli dev wifi connect network-ssid password "network-password"