Respotter: Open-source Responder honeypot – Help Net Security

Summary: Respotter is an open-source honeypot tool designed to detect the presence of the Responder tool within a network by monitoring specific DNS query behaviors. It utilizes various protocols to identify active instances of Responder and can send alerts to popular communication platforms or log events for SIEM integration.

Threat Actor: Responder Users | Responder
Victim: Network Environments | network environments

Key Points:

  • Respotter detects Responder by querying non-existent hostnames using LLMNR, mDNS, and NBNS protocols.
  • The tool can send notifications to Slack, Teams, or Discord and supports syslog for SIEM integration.
  • It is designed to be lightweight and easy to deploy, catering to users looking for a simple honeypot solution.
  • Respotter is available for free on GitHub, promoting accessibility for cybersecurity practitioners.

Respotter is an open-source honeypot designed to detect attackers when they launch Responder within your environment.

This application identifies active instances of Responder by exploiting the way it responds to any DNS query. Respotter uses the LLMNR, mDNS, and NBNS protocols to query a non-existent hostname (default: Loremipsumdolorsitamet). Because the name does not exist, no legitimate host should answer, so if any of these requests receives a response, Responder is likely operating on your network.
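The check described above, as an added Python example covering only the LLMNR leg (it is not Respotter's own code). The function names and the fixed transaction ID are hypothetical; the multicast group, port and DNS-style wire format are standard LLMNR.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
HONEY_NAME = "Loremipsumdolorsitamet"  # default name quoted in the article

def build_llmnr_query(name, txid):
    """LLMNR reuses the DNS wire format: 12-byte header plus one A/IN question."""
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!2H", 1, 1)

def _skip_name(data, off):
    """Return the offset just past a name (plain labels or compression pointer)."""
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)

def answers_in_response(data, txid):
    """IPv4 addresses claimed in a reply to our query; [] if it is not one."""
    try:
        rid, flags, qd, an, _, _ = struct.unpack_from("!6H", data, 0)
        if rid != txid or not flags & 0x8000:   # wrong ID, or not a response
            return []
        off = 12
        for _ in range(qd):                     # skip the echoed question(s)
            off = _skip_name(data, off) + 4
        found = []
        for _ in range(an):
            off = _skip_name(data, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
            if rtype == 1 and rdlen == 4:       # A record
                found.append(socket.inet_ntoa(data[off + 10:off + 14]))
            off += 10 + rdlen
        return found
    except (struct.error, IndexError, OSError):  # truncated or malformed reply
        return []

def probe(name=HONEY_NAME, txid=0x5A17, timeout=2.0):
    """Send one multicast query; return (sender_ip, claimed_addrs) or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            data, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return None                          # silence is the healthy result
    claimed = answers_in_response(data, txid)
    return (src, claimed) if claimed else None
```

A non-`None` result from `probe()` names the host that answered for a name nothing should own, which is the event worth forwarding to a webhook or syslog.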

Respotter can send webhooks to Slack, Teams, or Discord. It also supports sending events to a syslog server to be ingested by a SIEM.

“I wanted an easy-to-deploy, lightweight Responder Honeypot. I could not find one, so I wrote a script after trying my hand at red-teaming with Respotter. I designed it with a few features intentionally,” Baden Erb, the creator of Respotter, told Help Net Security.

Respotter is available for free on GitHub.

Source: https://www.helpnetsecurity.com/2024/09/06/respotter-open-source-responder-honeypot