Troubleshooting Honeypots

Because you can't log in to a honeypot, troubleshooting issues can be difficult.

Rapid7 has a special honeypot you can download for network troubleshooting:

US

https://s3.amazonaws.com/com.rapid7.razor.public/interactive-honeypot-collector.ova

EU

https://s3.eu-central-1.amazonaws.com/public.razor-prod-0.eu-central-1.insight.rapid7.com/interactive_eu_honeypot.ova

JP

https://s3-ap-northeast-1.amazonaws.com/public.razor-prod-2.ap-northeast-1.insight.rapid7.com/interactive_ap_honeypot.ova

CA

https://s3.ca-central-1.amazonaws.com/public.razor-prod-3.ca-central-1.insight.rapid7.com/interactive_ca_honeypot.ova

AU

https://s3-ap-southeast-2.amazonaws.com/public.razor-prod-4.ap-southeast-2.insight.rapid7.com/interactive_au_honeypot.ova

Log in to the Rapid7 troubleshooting honeypot

Before you begin, download the troubleshooting honeypot for your region.

  1. To exit out of the log stream at the console and use the linux system to run diagnostics, switch terminals by pressing Alt+Right Arrow or Option+Right Arrow.
  2. Log in using the following credentials: ‘root/password’.

This interactive honeypot should NOT remain in your environment after you finish troubleshooting.

How to Configure VMWare NIC

You may experience network connectivity on the honeypots when the VM is configured to use the E1000 NIC driver. To resolve it, switch it to use VMXNET 3. See here for more information: https://kb.vmware.com/kb/1001805

Pull the Collector Log from a Honeypot

Note that you must bring the honeypot in question offline to pull the collector log from it. To pull the Collector Log:

  1. Power off the VM hosting the honeypot.
  2. Use the vmware-mount utility (for Windows only) below, or Vmware Workstation mount utility to mount the vmdk disk to the host machine. You can find more information here: https://my.vmware.com/web/vmware/details?productId=46&downloadGroup=WKST-550-DISK-MOUNT-UTL
  3. Once the disk is mounted, navigate to <mount location>/opt/rapid7/userinsight/logs/.
  4. The collector log is bootstrap.0.log.
  5. To convert the honeypot.ova file into another VM format, use this converter that can successfully convert the file to a Hyper-V VHD file: https://www.starwindsoftware.com/converter
  6. You can also use VirtualBox to convert the file using the steps described here:
    https://superuser.com/questions/1133256/convert-ova-to-vhd-for-usage-in-hyper-v

Error: The OVF Package Is Invalid and Cannot Be Deployed

If you are deploying honeypots through VMWare 6.5 or newer, please note that vSphere Client does not support SHA256. You can read more about the error here: https://kb.vmware.com/s/article/2151537

To fix this error, either use the embedded host to redeploy the OVA file or use the OVT Tool (https://www.vmware.com/support/developer/ovf/) through the command line to convert the OVA, and then deploy it.

Helpful Suggestions

Deploy multiple honey pots around the environment for more coverage.

Then, give each honeypot a name that will make it appear like all of the other assets at the organization. It should make the asset seem to be of high value. For example, the name could make the system appear to be a domain controller, finance system, database server, or something similar.