€2 Honeypot with ESPCanary on an ESP-01

Yesterday I bumped into an interesting post on Hackster.io titled ESPCanary Detects If a Hacker Is Spying on Your Network about an Arduino library to turns an ESP8266 or ESP32 into a FTP Honeypot. This looks like an inexpensive and interesting option to detect intruders on your network.

a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.

Wikipedia

The concept of the library is that of a Honeypot for intruders on your network to trip over and alert you in case anyone accesses it. This is by no means a separate line of defence, but an additional probe that can be added to a network as additional way to notice when someone is exploring your network.

For this the library supports configuring a web hook that is called upon login of a user. By combining this with the free CanaryTokens service of Thinkst Applied Research who also offer a more advanced commercial product (I have no relation with them and don’t know nor endorse their product!).

The library is available on GitHub and through the Arduino library manager and is is a clever modification of ESP8266FTPServer (which in turn is an ESP-ready version of Arduino-Ftp-Server). It provides an Simple FTP server that can be protected by a specific username and password or simply accept any password (and even any username). The FTP Server is fully functional in that it can serve files present and allows for uploads, though any file uploaded is silently ignored and the files available reside in the flash of the ESP module (using the ESP’s deprecated SPIFFS Filesystem).

Since (at least in my case) the source IP address of an intrusion will generally always be an internal IP address, just having an IP server up and running is not really helpful (other than for getting the initial alert). Therefore it is advisable to plant a few interesting files that can also be generated with CanaryTokens on the FTP Server.

I got this working today pretty fast on a cheap ESP-01 module and it works fine, though in my setup it still needs some more work to make it really useful and I have some thoughts about additional functionality. The concept is great and a very simple and cheap solution that begs to be extended. A few things I would like to explore further (when I find time for this) are:

  • Create a wired version using ESP or Arduino with a W5500 module
  • Make the configuration easier and seperate from the firmware
  • Use an LED to indicate status and support a button to get in config mode
  • Make it easier to find the module (e.g. add mDNS broadcast)
  • Support more wires for intruders to trip over (e.g. TELNET, SMTP, HTTP, SSH)
  • Look into more ways to log/alerts (e.g. e-mail, syslog, SNMP, MQTT)
  • Detect Network port scans

Please let me know via the comments what you think and what other features (simple ones please, it’s still only a microcontroller!) might be useful to add.

2 Replies to “€2 Honeypot with ESPCanary on an ESP-01”

  1. Great idea.
    Unfortunately, it didnt work for me. I was able to compile and send it over to an ESP-01 & Wemos D1 Mini. but it did not connect to my wifi, and even the COM just kept showing …..
    I will give it another go, later
    I like the idea of using MQTT or even Pushbullet / Join as a notification, mDNS as well.
    Using Wifi-Manager to create a hotspot to enter the SSID & PSK would be cool as well.
    Imagine if you could upload the bin file to an ESP8266 lightbulb or plug?? Amazing.

    1. Really? Sorry to hear as I did not have any problems now. I did have issues in the past when I had flashed an ESP-01 numerous times and despite the WiFi SSID/password being correct it took ages (sometimes over 3 minutes) to connect, it eventually would.

      I recall clearing the WiFi settings while flashing (that’s a setting in the Arduino IDE in the Tools menu) solved this for me in some cases, perhaps something to try.

      I was indeed considering WifiManager for this, a pushbullet or other push is theoretically already possible as these normally only require a specific URL. I really like the idea of combining this with a normal appliance as they normally have plenty of spare CPU cycles for this… great suggestion!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.