Conpot is a low-interaction ICS\/SCADA honeypot that emulates common industrial services (Modbus, S7, SNMP, HTTP, EtherNet\/IP). It is useful for:<\/p>\n\n\n\n
Run it on an isolated VM\/VPS so nothing production-facing shares its network.<\/p>\n\n\n\n
Conpot is not<\/strong> a real industrial process \u2014 it\u2019s a computationally limited emulation<\/strong>. This limitation is crucial: it bounds the complexity of interactions.<\/p>\n\n\n\n In real ICS, the state space is enormous \u2014 physical sensors, actuators, PLC logic, network events, timing, etc. Conpot reduces this to finite, predictable state transitions: Modbus read\/write, S7 communication, HTTP responses.<\/p>\n\n\n\n Formally speaking, Conpot represents a decidable system<\/strong> \u2014 the number of possible states and transitions is finite and fully describable. This boundedness makes the \u201cattack problem\u201d tractable, while still retaining enough realism to study attacker strategies.<\/p>\n\n\n\n \u201cA honeypot is an NP problem made P \u2014 it transforms an unbounded, complex environment into a controlled, solvable simulation.\u201d<\/p>\n<\/blockquote>\n\n\n\n <\/p>\n\n\n\n Update the system, install Docker and Nmap:<\/p>\n\n\n\n Firewall (example, adjust to your policy):<\/p>\n\n\n\n Conpot\u2019s default templates in the image often bind to container ports like Inside the container start Conpot:<\/p>\n\n\n\n You should see:<\/p>\n\n\n\n Watch activity in real time from the host:<\/p>\n\n\n\n Verify the service is reachable:<\/p>\n\n\n\n Expect Use the NSE What you get:<\/strong> Slave IDs, Slave ID data and any human-readable device strings \u2014 useful to learn which devices or scanners are probing you.<\/p>\n\n\n\n Probe Siemens S7 emulation with the NSE What you get:<\/strong> CPU\/device identification or fingerprints \u2014 with Conpot you\u2019ll usually see simulated or partial responses, but they still indicate probing activity.<\/p>\n\n\n\n If a script is missing, update the Nmap script DB or add the script manually:<\/p>\n\n\n\n For research \/ threat-intel you can search Shodan for public Conpot instances using this filter:<\/p>\n\n\n\n Use that filter in the Shodan search bar to find exposed honeypots (and study how others deploy Conpot). Don\u2019t abuse \u2014 use results for defensive research and responsible disclosure if you discover sensitive exposures.<\/p>\n\n\n\n Conpot is more than a trap \u2014 it\u2019s a computational model<\/strong>. By constraining state and transitions we make an intractable real-world problem analyzable. That\u2019s the defender\u2019s advantage: convert infinite-state complexity into a finite, decidable system and observe how attackers compute against it.<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Why Conpot matters Conpot is a low-interaction ICS\/SCADA honeypot that emulates common industrial services (Modbus, S7, SNMP, HTTP, EtherNet\/IP). It is useful for: Run it on an isolated VM\/VPS so nothing production-facing shares its network. Conpot as a bounded computational system Conpot is not a real industrial process \u2014 it\u2019s a computationally limited emulation. This […]<\/p>\n","protected":false},"author":2,"featured_media":1744,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[296,295,292,4,293,3,289,48,294,23,299],"tags":[297,7,298,13,6,12,47,20],"class_list":["post-1742","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-automata-theory","category-complexity-theory","category-conpot","category-cyber-security","category-honeypot","category-ics-security","category-modbus","category-ot-security","category-s7comm","category-shodan","category-theoretical-computer-science","tag-conpot","tag-cyber-security","tag-honeypot","tag-ics","tag-ics-security","tag-ot","tag-ot-security","tag-shodan"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1742"}],"version-history":[{"count":4,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1742\/revisions"}],"predecessor-version":[{"id":1747,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1742\/revisions\/1747"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media\/1744"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1742"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1742"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n\n\n\n1) Prepare the VM \/ VPS<\/h2>\n\n\n\n
sudo apt update && sudo apt upgrade -y\nsudo apt install -y docker.io nmap ufw\nsudo systemctl enable --now docker\n<\/code><\/pre>\n\n\n\nsudo ufw default deny incoming\nsudo ufw default allow outgoing\nsudo ufw allow 22\/tcp # SSH\nsudo ufw allow 80\/tcp # HTTP (optional)\nsudo ufw allow 502\/tcp # Modbus (if you expose it)\nsudo ufw allow 102\/tcp # S7 (if you expose it)\nsudo ufw enable\n<\/code><\/pre>\n\n\n\n
\n\n\n\n2) Pull and run Conpot (map host \u2192 container ports)<\/h2>\n\n\n\n
5020<\/code> and 10201<\/code>. Map the host standard ports<\/strong> to the container ports so external scanners and Nmap hit it correctly:<\/p>\n\n\n\nsudo docker pull honeynet\/conpot:latest\n\nsudo docker run -it \\\n -p 80:80 \\\n -p 102:10201 \\\n -p 502:5020 \\\n -p 161:161\/udp \\\n --name conpot_lab \\\n --network bridge \\\n honeynet\/conpot:latest \/bin\/sh\n<\/code><\/pre>\n\n\n\n~\/.local\/bin\/conpot -f --template default\n<\/code><\/pre>\n\n\n\nModbus server started on: ('0.0.0.0', 5020)\nS7Comm server started on: ('0.0.0.0', 10201)\nHTTP server started on: ('0.0.0.0', 8800)\n<\/code><\/pre>\n\n\n\n
\n\n\n\n3) Tail logs (host)<\/h2>\n\n\n\n
sudo docker logs -f conpot_lab\n\n<\/code><\/pre>\n\n\n\n
\n\n\n\n4) Nmap: quick port check<\/h2>\n\n\n\n
sudo nmap -sT -p 502,102 <target-ip>\n# example when testing locally on the VPS\nsudo nmap -sT -p 502,102 127.0.0.1\n<\/code><\/pre>\n\n\n\n502\/tcp open<\/code> and 102\/tcp open<\/code> if port mapping and firewall are correct.<\/p>\n\n\n\n
\n\n\n\n5) Nmap Modbus discovery<\/h2>\n\n\n\n
modbus-discover<\/code> script to enumerate slave IDs and device identification strings:<\/p>\n\n\n\n# basic\nsudo nmap -sT -p 502 --script modbus-discover.nse <target-ip>\n\n# aggressive (more unit ID probing; noisy)\nsudo nmap -sT -p 502 --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' <target-ip>\n<\/code><\/pre>\n\n\n\n
\n\n\n\n6) Nmap S7 discovery<\/h2>\n\n\n\n
s7-info<\/code> script:<\/p>\n\n\n\nsudo nmap -sT -p 102 --script s7-info <target-ip>\n\n# or with version detection\nsudo nmap -sT -sV -p 102 --script s7-info <target-ip>\n<\/code><\/pre>\n\n\n\n
\n\n\n\n7) Ensure NSE scripts are present<\/h2>\n\n\n\n
sudo nmap --script-updatedb\nls \/usr\/share\/nmap\/scripts | grep -E 'modbus|s7'\n# if missing: download from Nmap repo into \/usr\/share\/nmap\/scripts then run --script-updatedb\n<\/code><\/pre>\n\n\n\n
\n\n\n\n8) Shodan: find Conpot instances<\/h2>\n\n\n\n
product:\"Conpot\"\n<\/code><\/pre>\n\n\n\n
\n\n\n\nSafety & operational notes (short)<\/h2>\n\n\n\n
\n
-p 80:8800<\/code>, -p 502:5020<\/code>, -p 102:10201<\/code>) to ensure external scanners reach the services.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nConclusion<\/h2>\n\n\n\n