SSH honeypot, deployed in the wild, collecting and sharing data


This page contains references to resources that were useful during my research for Secure Honey. I also maintain a curated list of awesome honeypots.

Page last updated 4 Aug 2021.



Bartlett, Jonathan. "Programming from the Ground Up." Bartlett Publishing (2004).
If you ever wondered how computers really work under the hood, this book will tell you. It gets down and dirty with Linux and assembly language to show you just how your computer manages things on the low levels. This book is written with the novice in mind, but will be a benefit to anyone who is interested in learning either assembly language or how their computer really works. If you are already a programmer in another language, this book will help you see what is really happening when you program, and will make you a better programmer in whatever language you choose.

Eagle, Chris. "The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler." No Starch Press (2008).
No source code? No problem. With IDA Pro, the interactive disassembler, you live in a source code-optional world. IDA can automatically analyze the millions of opcodes that make up an executable and present you with a disassembly. But at that point, your work is just beginning. With The IDA Pro Book, you'll learn how to turn that mountain of mnemonics into something you can actually use. Chris Eagle is a Senior Lecturer of Computer Science at the Naval Postgraduate School in Monterey, CA. He is the author of many IDA plug-ins, co-author of Gray Hat Hacking, and has spoken at numerous security conferences, including Black Hat, Defcon, ToorCon, and ShmooCon.

Engebretson, Patrick. "The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy." Syngress (2011).
The Basics of Hacking and Penetration Testing serves as an introduction to the steps required to complete a penetration test or perform an ethical hack. You learn how to properly utilize and interpret the results of modern day hacking tools, which are required to complete a penetration test. Tool coverage will include Backtrack Linux, Google, Whois, Nmap, Nessus, Metasploit, Netcat, Netbus, and more. A simple and clean explanation of how to utilize these tools will allow you to gain a solid understanding of each of the four phases and prepare you to take on more in-depth texts and topics. This book includes the use of a single example (pen test target) all the way through the book which allows you to clearly see how the tools and phases relate.

Erickson, Jon. "Hacking: The Art of Exploitation." No Starch Press (2008).
While other books merely show how to run existing exploits, Hacking: The Art of Exploitation broke ground as the first book to explain how hacking and software exploits work and how readers could develop and implement their own. In the second edition, author Jon Erickson again uses practical examples to illustrate the most common computer security issues in three related fields: programming, networking and cryptography. Jon Erickson has a formal education in computer science and has been hacking and programming since he was five years old. He speaks at computer security conferences and trains security teams around the world. Currently, he works as a vulnerability researcher and security specialist in Northern California.

Fyodor, Gordon Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning." Nmap Project (2009).
Nmap Network Scanning is the official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. Examples and diagrams show actual communication on the wire.

Hadnagy, Christopher. "Social Engineering: The Art of Human Hacking, Paul Wilson." Wiley (2010).
The first book to reveal and dissect the technical aspect of many social engineering manoeuvres. From elicitation, pretexting, influence and manipulation, all aspects of social engineering are picked apart, discussed and explained by using real world examples, personal experience and the science behind them to unravel the mystery in social engineering. Kevin Mitnick -- one of the most famous social engineers in the world -- popularized the term "social engineering". He explained that it is much easier to trick someone into revealing a password for a system than to exert the effort of hacking into the system. Mitnick claims that this social engineering tactic was the single-most effective method in his arsenal. This indispensable book examines a variety of manoeuvres that are aimed at deceiving unsuspecting victims, while it also addresses ways to prevent social engineering threats.

Kennedy, David; O'Gorman, Jim; Kearns, Devon; Aharoni, Mati. "Metasploit: The Penetration Tester's Guide." No Starch Press (2011).
The Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, the tool can be hard to grasp for first-time users. Metasploit: The Penetration Tester's Guide fills this gap by teaching you how to harness the Framework and interact with the vibrant community of Metasploit contributors. Once you've built your foundation for penetration testing, you'll learn the Framework's conventions, interfaces, and module system as you launch simulated attacks. You'll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, wireless attacks, and targeted social-engineering attacks.

Levy, Steven. "Hackers: Heroes of the Computer Revolution." Penguin Books (1984).
This 25th anniversary edition of Steven Levy's classic book traces the exploits of the computer revolution's original hackers -- those brilliant and eccentric nerds from the late 1950s through the early '80s who took risks, bent the rules, and pushed the world in a radical new direction. With updated material from noteworthy hackers such as Bill Gates, Mark Zuckerberg, Richard Stallman, and Steve Wozniak, Hackers is a fascinating story that begins in early computer research labs and leads to the first home computers. Levy profiles the imaginative brainiacs who found clever and unorthodox solutions to computer engineering problems. They had a shared sense of values, known as "the hacker ethic," that still thrives today. Hackers captures a seminal period in recent history when underground activities blazed a trail for today's digital world, from MIT students finagling access to clunky computer-card machines to the DIY culture that spawned the Altair and the Apple II.

McClure, Stuart; Scambray, Joel; Kurtz, George. "Hacking Exposed: Network Security Secrets & Solutions." McGraw-Hill/Osborne Media (2003).
Bolster your system's security and defeat the tools and tactics of cyber-criminals with expert advice and defence strategies from the world-renowned Hacking Exposed team. Case studies expose the hacker's latest devious methods and illustrate field-tested remedies. Find out how to block infrastructure hacks, minimize advanced persistent threats, neutralize malicious code, secure web and database applications, and fortify UNIX networks. Hacking Exposed 7: Network Security Secrets & Solutions contains all-new visual maps and a comprehensive "countermeasures cookbook."

Mitnick, Kevin. "Ghost In The Wires: My Adventures as the World's Most Wanted Hacker." Little, Brown and Company (2011).
Kevin Mitnick, the world's most wanted computer hacker, managed to hack into some of the country's most powerful - and seemingly impenetrable - agencies and companies. By conning employees into giving him private information and manoeuvring through layers of security, he gained access to data that no one else could. The suspenseful heart of the book unfolds as Mitnick disappears on a three-year run from the FBI. He creates fake identities, finds jobs at a law firm and hospital, and keeps tabs on his myriad pursuers - all while continuing to hack into computer systems and phone company switches that were considered flawless. A modern, technology-driven adventure story, GHOST IN THE WIRES is a dramatic account of the joy of outsmarting security programs, the satisfaction of code-cracking, and the thrill of unbelievable escape.

Mitnick, Kevin; Allsopp, Wil. "Unauthorised Access: Physical Penetration Testing for IT Security Teams." Wiley (2009).
The first guide to planning and performing a physical penetration test on your computer's security. Most IT security teams concentrate on keeping networks and systems safe from attacks from the outside - but what if your attacker was on the inside? While nearly all IT teams perform a variety of network and application penetration testing procedures, an audit and test of the physical location has not been as prevalent. IT teams are now increasingly requesting physical penetration tests, but there is little available in terms of training. The goal of the test is to demonstrate any deficiencies in operating procedures concerning physical security. Featuring a Foreword written by world-renowned hacker Kevin D. Mitnick and lead author of The Art of Intrusion and The Art of Deception, this book is the first guide to planning and performing a physical penetration test.

O'Connor, TJ. "Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers." Syngress Publishing (2012).
"Violent Python" shows you how to move from a theoretical understanding of offensive computing concepts to a practical implementation. Instead of relying on another attacker's tools, this book will teach you to forge your own weapons using the Python programming language. This book demonstrates how to write Python scripts to automate large-scale network attacks, extract metadata, and investigate forensic artefacts. It also shows how to write code to intercept and analyse network traffic using Python, craft and spoof wireless frames to attack wireless and Bluetooth devices, and how to data-mine popular social media websites and evade modern anti-virus.

Ramachandran, Vivek. "BackTrack 5 Wireless Penetration Testing Beginner's Guide." Packt Publishing (2011).
Wireless has become ubiquitous in today's world. The mobility and flexibility provided by it makes our lives more comfortable and productive. But this comes at a cost - Wireless technologies are inherently insecure and can be easily broken. BackTrack is a penetration testing and security auditing distribution that comes with a myriad of wireless networking tools used to simulate network attacks and detect security loopholes. Backtrack 5 Wireless Penetration Testing Beginner's Guide will take you through the journey of becoming a Wireless hacker. You will learn various wireless testing methodologies taught using live examples, which you will implement throughout this book. The engaging practical sessions very gradually grow in complexity giving you enough time to ramp up before you get to advanced wireless attacks.

Stoll, Clifford. "The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage." Gallery Books (1989).
Clifford Stoll's first-person account of the hunt for a computer hacker who broke into a computer at the Lawrence Berkeley National Laboratory (LBNL).

Stuttard, Dafydd; Pinto, Marcus. "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws." John Wiley & Sons (2007).
The highly successful security book returns with a new edition, completely updated. Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.

Williams, Sam. "Free as in Freedom: Richard Stallman's Crusade for Free Software." O'Reilly Media (2002).
Free as in Freedom interweaves biographical snapshots of GNU project founder Richard Stallman with the political, social and economic history of the free software movement. Starting with how it all began--a desire for software code from Xerox to make the printing more efficient--to the continuing quest for free software that exists today. It is a movement that Stallman has at turns defined, directed and manipulated. Like Alan Greenspan in the financial sector, Stallman has assumed the role of tribal elder in a community that bills itself as anarchic and immune to central authority.

Research papers

Barrera, David et al. "What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks." International conference on PASSWORDS. Springer, Cham (2015).
We report on what we believe to be the largest dataset (to date) of automated secure shell (SSH) bruteforce attacks. The dataset includes plaintext password guesses in addition to timing, source, and username details, which allows us to analyze attacker behaviour and dynamics (e.g., coordinated attacks and password dictionary sharing). Our methodology involves hosting six instrumented SSH servers in six cities. Over the course of a year, we recorded a total of 17M login attempts originating from 112 different countries and over 6K distinct source IP addresses. We shed light on attacker behaviour, and based on our findings provide recommendations for SSH users and administrators.

Brown, Stephen, et al. "Honeypots in the Cloud." University of Wisconsin-Madison (2012).
A study using honeypots within various cloud computing platforms (such as Amazon EC2, Windows Azure etc.) with the objective of learning more about what kind of packets they receive.

Michelle et al. "Measuring Password Guessability for an Entire University." ACM CCS (2013).
Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood. We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy.

Owens, Jim et al. "A study of passwords and methods used in brute-force SSH attacks." USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (2008).
In this paper, we report on a study of brute-force SSH attacks observed on three very different networks: an Internet-connected small business network, a residential system with a DSL Internet connection, and a university campus network. The similarities observed in the methods used to attack these disparate systems are quite striking. The evidence suggests that many brute-force attacks are based on pre-compiled lists of usernames and passwords, which are widely shared. Analysis of the passwords used in actual malicious traffic suggests that the common understanding of what constitutes a strong password may not be sufficient to protect systems from compromise. Study data are also used to evaluate the effectiveness of a variety of techniques designed to defend against these attacks.


Analysis reveals popular Adobe passwords, BBC (2013).
"123456" was the most popular password among the millions of Adobe users whose details were stolen during an attack on the company. About 1.9 million people used the sequence, according to analysis of data lost in the leak.

SSH Brute Force - The 10 Year Old Attack That Still Persists, Sucuri (2013).
Article on SSH brute-force attacks over the past 10 years and on turning servers into IRC bots.

The keys to the keydom, Bit-player (2013).
Interesting article on using Euclid's algorithm to find the greatest common divisor of two products of large prime numbers.

Tracking down hi-tech crime, BBC (2006).
If every hour a burglar turned up at your house and rattled the locks on the doors and windows to see if he could get in, you might consider moving to a safer neighbourhood. And while that may not be happening to your home, it probably is happening to any PC you connect to the net. An investigation by the BBC News website has established the scale of the dangers facing the average net user. Using a computer acting as a so-called "honeypot" the BBC has been regularly logging how many potential net-borne attacks hit the average Windows PC every day.

Trapping hackers in the honeypot, BBC (2006).
In this second part of our investigation using the BBC honeypot we recount what happened when we let the machine get infected rather than just log attacks. It is rare that you would willingly let vandals and burglars into your home but a controlled environment like a honeypot computer lets you do the technological equivalent in relative safety. The idea of letting the PC get infected was to see exactly what nasty programs hit our machine and how easy it was to recover from infection.


Open threat exchange run by AT&T Cybersecurity.

IP Geolocation API
IP geolocation lookup is the identification of an IP address' geographic location in the real world. IPinfo builds and maintains our own proprietary IP geolocation database, which can be used to generate various forms of geographic information for your IP traffic.

Kippo SSH honeypot logs graph visualisation.

One Man's Opinion Lost in the Wilderness of Mediocrity
Website run by Darren Popham, presents data collected from Kippo honeypot.

Internet-connected devices search engine.

VirusTotal aggregates multiple antivirus products and online scan engines.