In this guide, we will create a SCADA/ICS honeypot. As you know, a honeypot is a computer system that looks and acts like a vulnerable system. This particular honeypot runs on an Ubuntu system with various SCADA protocols, including Modbus.
Honeypots are used to study attacks. This particular honeypot was developed by the Honeynet Project (www.honeynet.org) and is one of the most sophisticated SCADA honeypots developed to date. It is a low-interaction honeypot that changes the MAC address of its adapters so that attackers cannot easily hack it. As we'll see, it looks and acts almost identically to a real SCADA/ICS system, including slow response times like those of a heavily loaded industrial system.
To get started, you'll need an Ubuntu 12 or newer operating system. I have created a user “honey” with password “honey”, but of course, you can create any user/password you want.
Step #1 Install the necessary libraries
The first step is to install the necessary libraries and dependencies.
ubuntu > sudo apt-get install libsmi2ldbl snmp-mibs-downloader python-dev libevent-dev libxslt1-dev libxml2-dev
Step #2 Install the Python-pip package manager
In this step, we need to install the pip package manager.
ubuntu > sudo apt-get install python-pip
Step #3 Install MySQL and dependencies
Next, we need to install the open source database management system MySQL and its dependencies.
ubuntu > sudo apt-get install python-dev libmysqlclient-dev
ubuntu > sudo pip install MySQL-python
Step #4 Install Conpot
In this step, we download and install Conpot, the SCADA honeypot, using pip.
ubuntu > sudo pip install conpot
Step #5 Run conpot
Next, we need to run Conpot. Conpot comes with four different templates to replicate different SCADA systems. Here, we will use the default template, which reproduces a Siemens SIMATIC S7-200.
ubuntu > sudo conpot --template default
As you can see, the honeypot has started and is using an external IP address of 73.20.117.126.
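To confirm that the honeypot started in Step #5 answers Modbus, the following added example (Python 3, not part of the original guide or of Conpot) builds one Modbus/TCP read-holding-registers request and validates the reply. The host, port 502 (the standard Modbus/TCP port; the port Conpot binds depends on the template and version) and the sample reply bytes are assumptions.

```python
import socket
import struct

def build_read_request(tid, unit, address, count):
    """Modbus/TCP frame: MBAP header + PDU for function 0x03 (read holding registers)."""
    pdu = struct.pack(">BHH", 0x03, address, count)
    # MBAP: transaction id, protocol id (always 0), length of unit id + PDU, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_response(frame, tid):
    """Return ("registers", [values]) or ("exception", code); raise ValueError on a bad frame."""
    if len(frame) < 9:
        raise ValueError("short frame")
    rtid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if rtid != tid or proto != 0 or length != len(frame) - 6:
        raise ValueError("MBAP header mismatch")
    func = frame[7]
    if func & 0x80:  # exception reply: function code | 0x80, followed by the exception code
        return ("exception", frame[8])
    if func != 0x03:
        raise ValueError("unexpected function code")
    nbytes = frame[8]
    if nbytes % 2 or len(frame) != 9 + nbytes:
        raise ValueError("bad byte count")
    return ("registers", list(struct.unpack(">%dH" % (nbytes // 2), frame[9:])))

def check_honeypot(host="127.0.0.1", port=502, timeout=5.0):
    """Send one read to your own honeypot (assumed host/port) and report how it answered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_read_request(1, 1, 0, 2))
        buf = b""
        # Read until the MBAP length field says the frame is complete.
        while len(buf) < 7 or len(buf) < 6 + struct.unpack(">H", buf[4:6])[0]:
            chunk = s.recv(260)
            if not chunk:
                break
            buf += chunk
        return parse_response(buf, 1)

# Constructed sample replies (not captured from Conpot) to exercise the parser offline.
SAMPLE_OK = bytes.fromhex("000100000007010304000a0014")
SAMPLE_EXC = bytes.fromhex("000100000003018302")

if __name__ == "__main__":
    print(parse_response(SAMPLE_OK, 1))
    print(parse_response(SAMPLE_EXC, 1))
```

Run check_honeypot() from the honeypot host itself; either a register list or a Modbus exception code shows that the Modbus service is up and answering with well-formed frames.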
