The Simple Telnet Honeypot Server is a lightweight, low-interaction Telnet service intended for capturing and analyzing unauthorized connection and authentication attempts. Implemented in Python using the Twisted networking framework, it emulates common Telnet behaviors (including basic option negotiation) while logging both credentials and raw network bytes to assist in incident response and threat research.
- Low-Interaction Honeypot: Simulates a Telnet login flow (username/password) without providing a real shell.
- Telnet Option Negotiation: Performs common Telnet negotiations (e.g., SGA/BINARY, NAWS, terminal type) to better match real clients.
- Configurable Settings: Set bind host/port and connection banner using command-line arguments.
- Extensive Logging:
- Logs connection metadata and authentication attempts.
- Logs raw received bytes (hex-encoded, truncated) to help spot unusual payloads and potential zero-day behavior.
- Logs Telnet telemetry when available (e.g., terminal type, window size).
- Educational Resource: Useful for learning about Telnet behaviors, brute-force patterns, and defensive monitoring.
- Python 3.x
- Twisted Python library
Clone the repository and install dependencies:
git clone https://github.com/0xNslabs/telnet-honeypot.git
cd telnet-honeypot
pip install twistedStart the server with the following command. By default, it binds to 0.0.0.0 on port 2323.
python3 telnet.py --host 0.0.0.0 --port 2323Customize the banner shown to clients on connect:
python3 telnet.py --host 0.0.0.0 --port 2323 --banner "User Access Verification"All events are written to telnet_honeypot.log, including:
- New connections (IP/port)
- Username and password attempts
- Telnet option telemetry (when negotiated)
- Raw received bytes (hex), truncated to a safe maximum size per event
The above image showcases the Simple Telnet Honeypot server capturing login attempts.
Check out the other honeypot services for monitoring various network protocols:
- DNS Honeypot - Monitors DNS interactions.
- FTP Honeypot - Simulates an FTP server.
- LDAP Honeypot - Mimics an LDAP server.
- HTTP Honeypot - Monitors HTTP interactions.
- HTTPS Honeypot - Monitors HTTPS interactions.
- MongoDB Honeypot - Simulates a MongoDB database server.
- NTP Honeypot - Monitors Network Time Protocol interactions.
- PostgreSQL Honeypot - Simulates a PostgreSQL database server.
- SIP Honeypot - Monitors SIP (Session Initiation Protocol) interactions.
- SSH Honeypot - Emulates an SSH server.
- TELNET Honeypot - Simulates a TELNET server.
- Caution: Operate this honeypot within a secure and controlled environment.
- Compliance: Deploy this honeypot in accordance with applicable laws and regulations.
This project is made available under the MIT License. For more information, see the LICENSE file.