Never Ending Security

It starts all here

Raspberry Pi – HoneyPot

Raspberry Pi: HoneyPot

Now let’s have another cool setup for your Raspberry Pi! This time, we would like to introduce to you Glastopf Pi! Raspbery Pi Honeypot



Glastopf is a web application honeypot project lead by Lukas Rist a.k.a glaslos of the Honeynet Project. The Glastopf project started in the year 2009. It is a simple and minimalistic web server written in Python that records information of web-based application attacks like Structured Query Language Injection (SQLI), Remote Code Execution (RCE), Local File Inclusion (LFI), Remote File Inclusion (RFI), and many more, and it emulates web application vulnerabilities, tricking attackers or scanners that it is a vulnerable web server.

Here are some snippets of the README file for this project in order to understand this web application honeypot better:

The adversaries usually use search engines and special crafted search requests to find their victims. In order to attract them, Glastopf provide those keywords (aka dork) and extracts them also from request and extends its attack surface automatically. So over time and with a growing number of attacks, the honeypot gets more and more attractive. In the feature we will make the SQL injection emulator pubic, provide IP profiling for crawler recognition and intelligent dork selection.

Glastopf has also hpfeeds, which is a central logger of the project that reports the events, but it can actually be turned off under the glastopf.cfg configuration file.

Now let’s begin with the setup!


  1. A Raspberry Pi board
  2. The Soft-float Debian “wheezy” Linux, which can be downloaded here
  3. A Micro SD card of at least 4GB in size
  4. An Internet Access


Add the backports repository to your sources list file, which can be found under the /etc/apt directory:

sudo echo “deb squeeze-backports main” >> /etc/apt/sources.list

Now let’s install the dependencies:

sudo apt-get update
sudo apt-get install python python-openssl python-gevent libevent-dev python-dev build-essential make
sudo apt-get install python-argparse python-chardet python-requests python-sqlalchemy python-lxml
sudo apt-get install python-beautifulsoup python-pip python-dev python-numpy python-setuptools
sudo apt-get install python-numpy-dev python-scipy libatlas-dev g++ git php5 php5-dev liblapack-dev gfortran
sudo apt-get install libxml2-dev libxslt-dev
sudo pip install –upgrade distribute


Configure the PHP sandbox.
Download BFR (Better Function Replacer) by using git:

sudo apt-get install git-core
cd /opt
sudo git clone git://
cd BFR
sudo phpize
sudo ./configure –enable-bfr
sudo make && make install

It should have this following message after the make install:

Build complete.
Don’t forget to run ‘make test’.
Installing shared extensions: /usr/lib/php5/20100525+lfs/

Copy or append the search path to and add it to php.ini file:

sudo echo “zend_extension = /usr/lib/php5/20100525+lfs/” >> /etc/php5/cli/php.ini

You should see the extension on the output by using the php –version command in the terminal: php –version
PHP 5.4.4-14 (cli) (built: Mar 4 2013 19:41:30)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
with Better Function Replacer (BFR) v0.1, by Lukas Rist

Install the latest stable release of Glastopf from pip:

sudo pip install glastopf


Configuration and Preparation for the Glastopf environment

cd /opt
sudo mkdir glastopfi

Stop the apache service so that the web application honeypot could listen to port 80:

sudo service apache2 stop

Now, run the web application honeypot:

sudo glastopf-runner

A new default glastopf.cfg will be created in the glastopfpi directory, which can be customized to your liking just like what port you want the application to listen on.

Sample Screenshot of the Web Server Running



The log files can be found under the log directory.

(glastopf.glastopf) Initializing Glastopf using "/opt/glastopfpi" as work directory
(glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
(glastopf.modules.handlers.emulators.dork_list.dork_page_generator) Bootstrapping dork database.
(requests.packages.urllib3.connectionpool) Starting new HTTPS connection (1):
(requests.packages.urllib3.connectionpool) "POST /login HTTP/1.1" 200 30
(requests.packages.urllib3.connectionpool) "GET /api/v1/aux/dorks?limit=1000 HTTP/1.1" 200 177444
(glastopf.modules.handlers.emulators.dork_list.mnem_service) Successfully retrieved 1000 dorks from the mnemosyne service.
(glastopf.glastopf) Generating initial dork pages - this can take a while.
(glastopf.modules.reporting.auxiliary.log_hpfeeds) Connecting to feed broker.
(glastopf.modules.reporting.auxiliary.log_hpfeeds) Connected to hpfeed broker.
(glastopf.glastopf) Glastopf started and privileges dropped.
(glastopf.glastopf) requested GET / on
(glastopf.glastopf) requested GET /style.css on
(glastopf.glastopf) requested GET /favicon.ico on
(glastopf.glastopf) requested GET /?id=-1%20union%20select%201,2,3,4,5,6 on
(glastopf.glastopf) requested GET /favicon.ico on
(glastopf.glastopf) requested GET /?id=1%20union%20select%201,2,3,4,5,6 on
(glastopf.glastopf) requested GET /favicon.ico on
(glastopf.glastopf) requested GET /?id=1 on
(glastopf.glastopf) requested GET /style.css on
(glastopf.glastopf) requested GET /favicon.ico on
(glastopf.glastopf) requested GET /?id=1' on
(glastopf.glastopf) requested GET /style.css on
(glastopf.glastopf) requested GET /favicon.ico on
(glastopf.glastopf) requested GET /?id=1%20union%20select%201,2,3,4,5 on
(glastopf.glastopf) requested GET /favicon.ico on
(glastopf.glastopf) requested GET /?id=ls%20-la on
(glastopf.glastopf) requested GET /style.css on
(glastopf.glastopf) requested GET /favicon.ico on
(glastopf.glastopf) requested GET /?id= on
(glastopf.sandbox.sandbox) File successfully parsed with sandbox.
(glastopf.glastopf) requested GET /favicon.ico on
(glastopf.glastopf) Stopping Glastopf.


So what can we learn or get from setting up this kind of web application honeypot? Here are some scenarios and examples:

  1. Discover malicious sources, links, or scripts just like the URLs used in Timthumb Remote Code Execution attacks:
  2. Capture the links or sources of possible IRC botnets.
  3. Determine what kind of attacks are being thrown out in a day by attackers or scanners.
  4. Live capture of SQL injection techniques in a POST request used by attackers.
  5. Discover unknown or new attacks.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s