CySA+ Project: This lab showcases defensive skills using a decoy service (honeypot) on Kali Linux to detect and observe intrusion attempts, mapping to CompTIA Security+ and CySA+ objectives around detection, logging, and threat analysis.
This lab demonstrates how to set up a simple honeypot on Kali Linux using PentBox, then generate and observe intrusion attempts against it.
The honeypot is configured to listen on TCP port 443, and a browser connection to https://<kali-ip> triggers an INTRUSION ATTEMPT DETECTED log entry.
By completing this lab, you will be able to:
- Identify the inet IP of a Linux host on interface eth0.
- Install and launch a PentBox honeypot on Kali Linux.
- Configure the honeypot to listen on a specific TCP port (443).
- Generate traffic to the honeypot and observe how intrusion attempts are logged.
- Explain how honeypots support detection, logging, and analysis in blue-team operations.
- OS: Kali Linux (lab VM)
- User: ucertify/root (per lab instructions)
- Tool: PentBox 1.8 (Ruby-based security toolkit with honeypot module)
- Network: eth0 with IPv4 inet address (e.g., 10.1.217.52 in this run)
In the Kali terminal:
```bash
ifconfig
```
Under eth0, record the IPv4 inet address:
```
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.217.52 netmask 255.0.0.0 broadcast 10.255.255.255
...
```
Result: eth0 inet IP = 10.1.217.52 (value used for the rest of the lab).
From the terminal (as root or using sudo):
```bash
apt update
apt install git ruby -y
cd /opt
git clone https://github.com/technicaldada/pentbox.git
cd pentbox/pentbox-1.8
chmod +x pentbox.rb
```
Launch PentBox:
```bash
sudo ./pentbox.rb
```
Select:
- 2 – Network Tools
- 3 – Honeypot
Screenshot idea:
showing the PentBox main menu with “Network tools” and “Honeypot” options.
In the PentBox Honeypot menu:
- Choose 2 – Manual Configuration.
- Port: 443
- False message: Caught You !!
- Save log: y (use default log file)
- Beep: n
PentBox then reports:
```
HONEYPOT ACTIVATED ON PORT 443 (2026-03-19 17:09:44 -0700)
```
Screenshot idea:
showing the honeypot activated on port 443.
Open a browser on Kali and browse to:
https://10.1.217.52
Because the honeypot is not a real HTTPS service, Firefox shows:
- Secure Connection Failed
- Error code: SSL_ERROR_RX_RECORD_TOO_LONG
This indicates traffic is reaching port 443, but the TLS handshake is invalid—exactly what we expect from a simple honeypot.
Browser attempting HTTPS to https://10.1.217.52 and showing “Secure Connection Failed”.
You can also generate traffic from a second terminal:
```bash
nc 10.1.217.52 443
# type some text, press Enter a few times, then Ctrl+C
```
Return to the PentBox terminal window. After the browser or nc connection, PentBox logs:
```
HONEYPOT ACTIVATED ON PORT 443 (2026-03-19 17:09:44 -0700)
INTRUSION ATTEMPT DETECTED! from 10.1.217.52:52466 (2026-03-19 17:42:44 -0700)
```
This confirms the honeypot detected and logged the intrusion attempt, including:
- Source IP: 10.1.217.52
- Source port: 52466
- Timestamp
Screenshot idea:
showing the INTRUSION ATTEMPT DETECTED! line in the PentBox terminal.
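To make concrete what the PentBox honeypot is doing behind the menu (bind a decoy port, accept anything, answer with the false message, log source IP, source port and timestamp), here is a small stand-alone honeypot written for this README as an added example. It is not PentBox code; the class and function names (MiniHoneypot, probe, run_demo) are invented for the demo, and the log line is formatted to match the shape PentBox printed in the lab.

```python
"""Minimal TCP honeypot in the spirit of the PentBox "false service" used in the lab.
Added example, not PentBox's own code: listens on a port, answers every
connection with a false banner, and records source IP, source port and
timestamp in the same shape as the PentBox log line shown above."""
import socket
import threading
from datetime import datetime

FALSE_MESSAGE = "Caught You !!"  # the "false message" entered in the PentBox menu


def format_event(ip, port, when=None):
    """Render one detection in PentBox's log-line style."""
    when = when or datetime.now().astimezone()
    stamp = when.strftime("%Y-%m-%d %H:%M:%S %z")   # e.g. 2026-03-19 17:42:44 -0700
    return f"INTRUSION ATTEMPT DETECTED! from {ip}:{port} ({stamp})"


class MiniHoneypot:
    """Decoy listener (hypothetical helper name). port=0 picks a free port."""

    def __init__(self, host="0.0.0.0", port=443, false_message=FALSE_MESSAGE, log_path=None):
        self.host, self.port = host, port
        self.false_message = false_message
        self.log_path = log_path      # optional file to append events to ("Save log: y")
        self.events = []              # in-memory copy of every logged line
        self._sock = None
        self._thread = None
        self._running = False

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]    # actual port if 0 was requested
        self._sock.listen(5)
        self._sock.settimeout(0.5)                 # lets the accept loop notice stop()
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        print(f"HONEYPOT ACTIVATED ON PORT {self.port}")

    def _serve(self):
        while self._running:
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(1024)   # whatever arrives (TLS ClientHello, HTTP, typed text) is the trigger
                except (socket.timeout, OSError):
                    pass
                self._log(format_event(ip, port))   # log BEFORE replying, so the event is never lost
                try:
                    conn.sendall(self.false_message.encode() + b"\n")
                except OSError:
                    pass

    def _log(self, line):
        self.events.append(line)
        print(line)
        if self.log_path:
            with open(self.log_path, "a") as fh:
                fh.write(line + "\n")

    def stop(self):
        self._running = False
        self._thread.join()
        self._sock.close()


def probe(host, port, payload=b"GET / HTTP/1.1\r\n\r\n"):
    """Play the browser / nc side: connect, send something, read the reply."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(payload)
        return s.recv(1024)


def run_demo(port=0):
    """Start a honeypot on localhost, hit it once, return (reply, logged events)."""
    hp = MiniHoneypot(host="127.0.0.1", port=port)
    hp.start()
    try:
        reply = probe("127.0.0.1", hp.port)
    finally:
        hp.stop()
    return reply, hp.events


if __name__ == "__main__":
    reply, events = run_demo()
    print("client saw:", reply)
```

Run it as-is and it binds a random free port on 127.0.0.1, connects to itself once and prints one INTRUSION ATTEMPT DETECTED! line. To reproduce the lab's behaviour, start it with port=443 as root and browse to https://<kali-ip>: the browser's TLS ClientHello is "something arriving", the reply is plain text rather than a TLS record, and Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG exactly as in the lab.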
- Honeypot: A decoy system or service designed to attract attackers and record their activity, without exposing real assets.
- Decoy port (443): Often associated with HTTPS; running a fake service here makes scanning and enumeration more interesting to attackers.
- Detection vs. Prevention: Honeypots do not primarily block attacks; they observe and log them, providing telemetry and insight into attacker behavior.
- Log-based detection: SOC and blue-team analysts can use honeypot logs to detect scanning, brute force attempts, and suspicious traffic patterns.
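The log-based detection point above is where an analyst actually earns value from the honeypot: one hit is interesting, five hits in three seconds from one source is a scan. The following parser and aggregator is an added example written for this README, not part of PentBox. It reads PentBox-style output (the same line shape the lab produced), groups events per source IP and flags "bursts". The SAMPLE_LOG is constructed; 192.0.2.10 is a documentation address, not a real host, and the function names are invented here.

```python
"""Log-based detection over PentBox-style honeypot output.
Added example, not PentBox code: parses INTRUSION ATTEMPT DETECTED! lines,
aggregates them per source IP and flags sources that hit the decoy
repeatedly in a short window (the scanning / brute-force pattern a SOC cares about)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^INTRUSION ATTEMPT DETECTED! from (?P<ip>[0-9.]+):(?P<port>\d+) \((?P<ts>[^)]+)\)$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S %z"   # matches e.g. 2026-03-19 17:42:44 -0700

# Constructed sample log: the real lab line plus a made-up burst from 192.0.2.10
SAMPLE_LOG = """\
HONEYPOT ACTIVATED ON PORT 443 (2026-03-19 17:09:44 -0700)
INTRUSION ATTEMPT DETECTED! from 10.1.217.52:52466 (2026-03-19 17:42:44 -0700)
INTRUSION ATTEMPT DETECTED! from 192.0.2.10:40001 (2026-03-19 17:50:01 -0700)
INTRUSION ATTEMPT DETECTED! from 192.0.2.10:40002 (2026-03-19 17:50:02 -0700)
INTRUSION ATTEMPT DETECTED! from 192.0.2.10:40003 (2026-03-19 17:50:02 -0700)
INTRUSION ATTEMPT DETECTED! from 192.0.2.10:40004 (2026-03-19 17:50:03 -0700)
INTRUSION ATTEMPT DETECTED! from 192.0.2.10:40005 (2026-03-19 17:50:04 -0700)
INTRUSION ATTEMPT DETECTED! from 192.0.2.10:40006 (2026-03-19 18:30:00 -0700)
this line is not a honeypot event
"""


def parse_events(text):
    """Return a list of {ip, port, ts} dicts; banner and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "port": int(m["port"]),
            "ts": datetime.strptime(m["ts"], TS_FORMAT),
        })
    return events


def summarize(events, threshold=5, window=timedelta(seconds=60)):
    """Per-source counts plus a 'burst' flag when >= threshold hits fall within window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    report = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        burst = False
        # sliding window: does any run of `threshold` consecutive hits fit inside `window`?
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                burst = True
                break
        report[ip] = {
            "count": len(stamps),
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
            "burst": burst,
        }
    return report


def alerts(report):
    """Source IPs worth escalating: those that produced a burst."""
    return sorted(ip for ip, r in report.items() if r["burst"])


if __name__ == "__main__":
    rep = summarize(parse_events(SAMPLE_LOG))
    for ip, r in rep.items():
        print(f"{ip}: {r['count']} hits between {r['first_seen']} and {r['last_seen']}, burst={r['burst']}")
    print("escalate:", alerts(rep))
```

Point it at the PentBox log file (the default one chosen with "Save log: y") instead of SAMPLE_LOG and the same two functions give a per-source table and an escalation list; the threshold and window are the knobs you would tune against your own baseline of accidental hits.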
Attackers may:
- Scan the network for open ports (Nmap, masscan, etc.).
- Probe services on common ports (22/80/443) to fingerprint and exploit them.
- Interact with decoy services without realizing they are being monitored.
Defenders can:
- Use honeypots as early-warning sensors for scanning and probing activity.
- Enrich threat intelligence with attacker IPs, tools, and patterns.
- Test detection rules and logging pipelines without risking production systems.
In a SOC, this lab maps directly to creating high-signal telemetry sources that highlight hostile reconnaissance.
In this lab, you:
- Identified the Kali VM’s eth0 IP address (10.1.217.52).
- Deployed a PentBox honeypot on TCP port 443.
- Sent traffic to https://10.1.217.52 and observed a Secure Connection Failed browser error.
- Confirmed that PentBox logged the activity as: INTRUSION ATTEMPT DETECTED! from 10.1.217.52:52466 (...).
This demonstrates practical understanding of honeypot setup, traffic generation, and intrusion detection on a Linux host.
- 1.5: Explain the importance of efficiency and process improvement in security operations (using honeypots to improve detection and telemetry).
- 2.x / 3.x: Topics around monitoring, logging, and detection of attacks on network services.
- 1.x – Threat and vulnerability management: Using decoy systems to detect and study attacker behavior.
- 2.x – Security operations and monitoring: Collecting and analyzing honeypot logs as part of continuous monitoring.
- 3.x – Incident response: Using honeypot-derived indicators (IPs, methods) to support triage and containment.
Honeypot-on-Kali-Linux/
├── README.md # This file
├── Notes/
│ └── honeypot-concepts.md # Honeypot theory, SOC use cases, exam mapping
└── Screenshots/
├── ifconfig.png
├── PentBox main menu.png
├── Honeypot activated on port 443.png
├── honeypot-https-failed.png
└── honeypot-intrusion-log.png
Author: Mozella L. McCoy-Flowers (BecomingCyber)
Role: Cybersecurity & Digital Forensics Student – Virginia State University
Focus: Blue-team homelabs, threat detection, and incident response