rnbwkat@infosec.exchange
Posts
  • The SSH Key Breadcrumb Trap 🦩
    rnbwkat@infosec.exchange

    Most honeypots have one fatal flaw: they're too clean.
    Empty bash history. Pristine directories. No evidence of actual use. Attackers notice.

    So I plant breadcrumbs. 🤷‍♀️

    Realistic bash history. A private SSH key in .ssh/. History showing SSH connections to "other servers" using that key.

    Those "other servers"? Also honeypots!

    When bots hit my honeypots, they brute force and move on. Boring.
    But when a HUMAN does post-compromise recon, finds that key, and tries to pivot to those other servers?

    Critical Wazuh alert, because only humans do this!!

    Bots don't read history files. They don't hunt for lateral movement opportunities. They don't use found SSH keys.

    Standard attacker tradecraft requires checking for keys and using them. If they skip it, they might miss real opportunities. If they follow it, I know I'm dealing with an actual human threat actor.

    It's a catch-22. And it works beautifully. (And "@sashatheflamingo Approved")
    Full writeup coming to sashatheflamingo.xyz soon!!

    #Cybersecurity #HoneyPot #ThreatIntel #Deception

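The pivot check described above, as an added detection example that is not the author's code: on the second honeypot, sshd run with `LogLevel VERBOSE` logs the fingerprint of every public key a client offers, so any auth line carrying the planted key's fingerprint marks a human following the breadcrumb, while bot password spraying produces no match. The fingerprint, host names, addresses and log lines are constructed, and the alert field names are an assumption rather than any SIEM's schema.

```python
import re
from dataclasses import dataclass

# Fingerprint of the planted breadcrumb key (constructed placeholder; substitute
# the value `ssh-keygen -lf <planted key>` prints for the key you actually plant).
CANARY_FINGERPRINTS = {"SHA256:CANARYKEY0000000000000000000000000000000000"}

# With `LogLevel VERBOSE` in sshd_config, OpenSSH logs the fingerprint of every
# public key a client offers, accepted or rejected, so the planted key does not
# need to be authorized on the second honeypot; merely offering it is the signal.
SSHD_PUBKEY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)

@dataclass(frozen=True)
class CanaryHit:
    ts: str
    host: str
    user: str
    src: str
    result: str

def find_canary_hits(lines, canary_fps=CANARY_FINGERPRINTS):
    """One CanaryHit per sshd line in which a planted key was offered.
    Bot password guesses read 'Failed password', carry no fingerprint, and are skipped."""
    hits = []
    for line in lines:
        m = SSHD_PUBKEY_RE.search(line)
        if m and m["fp"] in canary_fps:
            hits.append(CanaryHit(m["ts"], m["host"], m["user"], m["src"], m["result"]))
    return hits

def to_alert(hit):
    """Flatten a hit into the event shipped to the SIEM (field names are our own)."""
    return {"severity": "critical", "rule": "breadcrumb_ssh_key_used",
            "honeypot": hit.host, "attacker_ip": hit.src, "target_user": hit.user,
            "auth_result": hit.result, "timestamp": hit.ts,
            "note": "planted key offered on a second host: human lateral movement"}

# Constructed sample lines: two bot password guesses, one legitimate operator key,
# and one use of the breadcrumb key taken from the first honeypot.
SAMPLE_LOG = [
    "Mar  3 02:14:07 honey-b sshd[4121]: Failed password for root from 198.51.100.9 port 40211 ssh2",
    "Mar  3 02:14:09 honey-b sshd[4123]: Failed password for admin from 198.51.100.9 port 40213 ssh2",
    "Mar  3 02:20:44 honey-b sshd[4190]: Accepted publickey for ops from 192.0.2.5 port 50122 ssh2: ED25519 SHA256:OPERATORKEY00000000000000000000000000000000",
    "Mar  3 02:31:55 honey-b sshd[4288]: Failed publickey for deploy from 203.0.113.77 port 51902 ssh2: ED25519 SHA256:CANARYKEY0000000000000000000000000000000000",
]
```

Running `find_canary_hits(SAMPLE_LOG)` yields exactly one hit, the rejected login from 203.0.113.77 offering the planted key; feed `to_alert` on that hit into whatever raises the critical alert.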

  • Honeypot Deployment Pro Tip: Let Them Think They're Winning
    rnbwkat@infosec.exchange

    Want to know a dirty little secret about honeypot deployment that I've been using for years?

    When you spin up a new production server with SSH access, don't immediately lock it down behind a non-standard port. Let it sit on port 22 running your actual SSH daemon for the first 4-6 weeks.

    Let the attackers find it. Let them probe it. Let them catalog it in their target lists as "real infrastructure worth attacking."

    Then, after they've committed you to memory:

    Move your real SSH to a non-standard port. Deploy OpenCanary SSH on port 22 configured to match the EXACT version banner of whatever you were running before.

    Now here's the magic: The attackers think they're still hitting the same production system. But you're collecting every username and password combination they try. They don't know they've been demoted from "attacking production" to "feeding your threat intelligence."

    It's totally deceptive. They invested weeks cataloging your server. They're not going to just give up because you didn't respond the way they expected.

    I've been running this technique for years across my global honeypot network. Works every single time.

    Remember to match the SSH version banner exactly - down to the patch level. OpenSSH 8.2p1 vs 8.2p2 matters to some scanners. Make it identical.

    This is how you turn production infrastructure into long-term intelligence gathering without anyone noticing the transition.

    You're welcome. 🦩
    @sashatheflamingo #cybersecurity #infosec #honeypot #deceptiontech


  • Today I built a threat intelligence feed powered entirely by a Magic 8-Ball – Asked it if my network was compromised.
    rnbwkat@infosec.exchange

    Today I built a threat intelligence feed powered entirely by a Magic 8-Ball – Asked it if my network was compromised. It said “Reply hazy, try again.” So basically identical to every vendor threat report I’ve ever read.
