Connect to a real honeypot server, observe live attacker traffic, and conduct open-source threat intelligence on real-world attack data.
A honeypot is a deliberately exposed decoy system designed to attract attackers. It looks like a real server but contains no production data. Every connection it receives is malicious by definition — legitimate users have no reason to connect to it.
In this lab we are running Cowrie, an SSH and Telnet honeypot. When attackers connect on port 22, Cowrie emulates a real Linux shell, accepts any password, and records everything the attacker does — commands typed, files downloaded, tools used. The attacker thinks they are inside a real server. They are not.
The server you are connecting to in this lab is a real, live honeypot on the public internet. The attacker IPs you will see are real. The credentials they are trying are real. This is not a simulation.
Use the account assigned to you by your instructor to SSH into the analysis server. This is the real VPS running the honeypot — you will be reading its logs, not connecting to the honeypot itself.
The honeypot runs on port 22. Your SSH connection to the analysis server uses port 2222. If you connect on port 22 you will land inside the honeypot and be logged as an attacker. Always use port 2222.
Your username and password have been provided by your instructor separately — via Canvas or verbally in class. You will need your assigned username (studentXX) and password before proceeding.
Replace studentXX with your assigned username:
```bash
ssh -p 2222 studentXX@173.255.198.113   # Enter the password provided by your instructor
```
Use PowerShell or Windows Terminal — both support SSH natively. If your school machine does not have SSH, use PuTTY (free download at putty.org). Set Host to 173.255.198.113 and Port to 2222.
After logging in you will see the lab menu automatically. You have four commands available:
```text
================================================
SOC Honeypot Lab
You are connected to the analysis server.
Type 'menu' at any time to see available commands.
================================================
Available commands:
  livefeed   — watch live attack stream
  topips     — show top attacking IPs
  myip IP    — filter all events for a specific IP
  menu       — show this menu
  exit       — disconnect
lab>
```
| Command | What It Does |
|---|---|
| livefeed | Streams live attack events as they happen — scroll through and observe attacker behavior |
| topips | Shows the most active attacking IPs — use this to pick an IP to investigate |
| myip 1.2.3.4 | Shows all events for a specific IP — use this to build a full timeline of one attacker |
| exit | Disconnects from the server |
Click the View Live Attack Dashboard button at the top of this page to open the live feed. Watch the dashboard for a few minutes and pick one attacker IP to investigate — ideally one showing a LOGIN SUCCESS or COMMAND RUN event.
The dashboard shows these event types in real time:
| Event | What It Means | Severity |
|---|---|---|
| NEW CONNECTION | An attacker made a new connection to the honeypot | LOW |
| LOGIN FAILED | Attacker tried a username/password that was rejected | LOW |
| LOGIN SUCCESS | Attacker "logged in" — Cowrie accepted their credentials and gave them a fake shell | MEDIUM |
| COMMAND RUN | Attacker ran a command inside the fake shell — this reveals their intent | MEDIUM |
| FILE DOWNLOAD | Attacker attempted to download a file (often malware) | HIGH |
| DISCONNECTED | Connection ended — attacker disconnected or timed out | LOW |
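To see where the lab's topips and myip commands and the dashboard's event labels come from, here is an added Python example (not the lab's own tooling or Cowrie's code). It assumes Cowrie's standard one-JSON-object-per-line log (cowrie.json) with the event ids listed in EVENT_MAP; the log lines below are constructed and use documentation IP ranges.

```python
import json
from collections import Counter

# Cowrie eventid -> (dashboard label, severity); the same six event types as the table above.
EVENT_MAP = {
    "cowrie.session.connect":       ("NEW CONNECTION", "LOW"),
    "cowrie.login.failed":          ("LOGIN FAILED", "LOW"),
    "cowrie.login.success":         ("LOGIN SUCCESS", "MEDIUM"),
    "cowrie.command.input":         ("COMMAND RUN", "MEDIUM"),
    "cowrie.session.file_download": ("FILE DOWNLOAD", "HIGH"),
    "cowrie.session.closed":        ("DISCONNECTED", "LOW"),
}

# Constructed sample in Cowrie's cowrie.json shape (one JSON object per line); IPs are documentation ranges.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","timestamp":"2024-01-01T10:00:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"123456","timestamp":"2024-01-01T10:00:01Z"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"root","password":"admin","timestamp":"2024-01-01T10:00:02Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","input":"uname -a","timestamp":"2024-01-01T10:00:03Z"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.7","url":"http://example.invalid/x.sh","timestamp":"2024-01-01T10:00:04Z"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.7","timestamp":"2024-01-01T10:00:05Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","timestamp":"2024-01-01T10:01:00Z"}
"""

def parse_events(text):
    """Parse one JSON object per line; skip blank or truncated lines instead of aborting."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written line from a live log must not kill the analysis
    return events

def top_ips(events, n=5):
    """What 'topips' shows: the most active source IPs by event count."""
    return Counter(e["src_ip"] for e in events if "src_ip" in e).most_common(n)

def timeline(events, ip):
    """What 'myip IP' shows: (timestamp, label, severity, detail) rows for one attacker, in order."""
    rows = []
    for e in sorted((e for e in events if e.get("src_ip") == ip), key=lambda e: e["timestamp"]):
        label, severity = EVENT_MAP.get(e.get("eventid"), ("OTHER", "LOW"))
        detail = e.get("input") or e.get("url") or (
            f'{e["username"]}/{e["password"]}' if "username" in e else "")
        rows.append((e["timestamp"], label, severity, detail))
    return rows

if __name__ == "__main__":  # print the constructed attacker's timeline, one event per line
    print(*timeline(parse_events(SAMPLE_LOG), "198.51.100.7"), sep="\n")
```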
Write down the IP you chose for investigation:
Target IP:
Pick an IP from the Top Attacking IPs panel on the dashboard — these are the most active attackers and will have the most data to investigate.
Open each of the following tools in your browser and look up your chosen attacker IP. Record your findings in the table below.
Record your findings:
| Field | Your Finding |
|---|---|
| Attacker IP | |
| Country | |
| City / Region | |
| ISP / Organization | |
| ASN | |
| AbuseIPDB Confidence Score | |
| Times Reported on AbuseIPDB | |
| VirusTotal Detections | |
| Shodan — Open Ports | |
| Usernames Tried | |
| Passwords Tried | |
| Commands Run (if any) | |
| Your Threat Assessment | |
Answer the following questions based on what you observed on the dashboard. Be prepared to discuss with the class.
How long after the honeypot went live did the first connection arrive? What does this tell you about the speed of automated internet scanning?
Look at the usernames being tried across all attackers. What patterns do you notice? Why do attackers try these specific usernames?
Look at the passwords being tried. What does this credential list tell you about the importance of strong password policies?
Your attacker's IP came back with an AbuseIPDB confidence score, high or low. What does this score mean, and how would a real SOC analyst use this information?
If an attacker ran uname -a or cat /etc/passwd immediately after logging in — what were they trying to accomplish? What phase of the cyber kill chain is this?
How is a honeypot different from an intrusion detection system (IDS)? What can a honeypot reveal that an IDS cannot?
Should we block the attacker IP on our firewall? Argue for or against — consider what we lose if we block them.
What is the ethical and legal consideration of running a honeypot on the public internet? Who bears responsibility if an attacker uses our honeypot as a relay to attack someone else?
Find an attacker that ran commands after logging in. Identify every command they ran, explain what each command does, and explain what the attacker was trying to accomplish. What stage of an attack does this represent?