Skip to main content

Overview

scan4all includes intelligent honeypot detection to avoid wasting time on deception systems and prevent potential blacklisting. The detection system analyzes HTTP server headers and response patterns to identify likely honeypots.
Honeypot detection is disabled by default. Enable it explicitly when scanning untrusted or unknown networks.

Enable Honeypot Detection

Environment Variable

# Enable honeypot detection
EnableHoneyportDetection=true ./scan4all -l targets.txt

# Disable (default)
EnableHoneyportDetection=false ./scan4all -l targets.txt

Configuration File

In config/config.json: 
{
  "EnableHoneyportDetection": true
}

Detection Methods

Server Header Analysis

The primary detection method analyzes HTTP Server headers for anomalies: 
func CheckHoneyportDetection4HeaderServer(server, szUrl string) bool {
    if 50 < len(server) || 3 < len(strings.Split(server, ",")) {
        // Suspicious: Very long server string or multiple components
        hdCache.Store(szUrl, true)
        SendLog(szUrl, "Honeypot found", "")
        return true
    }
    return false
}

Detection Criteria

A target is flagged as a honeypot if:
  1. Server header exceeds 50 characters
  2. Server header contains more than 3 comma-separated components
  3. Unusual server identification patterns

Why These Indicators?

Honeypots often exhibit unusual characteristics:
  • Long Server Strings: Attempting to mimic multiple services
  • Multiple Components: Fake banner stacking
  • Inconsistent Responses: Conflicting service information
Legitimate servers typically have concise, consistent headers: 
Server: nginx/1.20.1
Server: Apache/2.4.41
Server: Microsoft-IIS/10.0
Honeypot examples: 
Server: Apache/2.4.1,nginx/1.19,Microsoft-IIS/8.0,Tomcat/9.0
Server: Very-Long-Custom-Server-Name-That-Attempts-To-Confuse-Scanners-And-Make-Them-Think-This-Is-Something-Special

Detection Workflow

Implementation Details

Memory Caching

Results are cached to avoid repeated checks: 
var hdCache sync.Map  // Thread-safe cache

func HoneyportDetection(host string) bool {
    // Check cache first
    if v, ok := hdCache.Load(host); ok {
        return v.(bool)
    }
    
    // Perform detection
    isHoneypot := checkServer(host)
    
    // Cache result
    hdCache.Store(host, isHoneypot)
    
    return isHoneypot
}

HTTP HEAD Request

Minimal network footprint using HEAD requests: 
timeout := time.Duration(8 * time.Second)
client := http.Client{
    Timeout: timeout,
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
        DisableKeepAlives: true,
    },
    CheckRedirect: func(req *http.Request, via []*http.Request) error {
        return http.ErrUseLastResponse // Don't follow redirects
    },
}

resp, err := client.Head(target)

Target Filtering

Certain targets are automatically excluded: 
if !EnableHoneyportDetection || len(host) < 5 || isIPCIDR(host) {
    return false  // Skip detection
}
Skipped:
  • Very short hostnames (likely invalid)
  • CIDR ranges (checked during host enumeration)
  • When detection is disabled

Integration Points

Port Scanner Integration

// From pkg/naabu/v2/pkg/runner/targets.go
if HoneyportDetection(target) {
    log.Println("Honeypot found, skipped for you:", target)
    continue  // Skip this target
}

Fingerprint Scanner Integration

func CheckHoneyport(fingerprints []string) (bool, []string) {
    isHoneypot := util.EnableHoneyportDetection && len(fingerprints) > 10
    if isHoneypot {
        fingerprints = []string{}  // Clear results
    }
    return isHoneypot, fingerprints
}
If more than 10 different fingerprints are detected on a single target, it’s flagged as suspicious and results are discarded.

Behavior

When Honeypot Detected

  1. Log Entry: “Honeypot found, skipped for you: [target]”
  2. Skip Scanning: Target removed from queue
  3. Cache Result: Avoid re-checking same target
  4. Continue: Move to next target

What Gets Skipped

  • Port scanning
  • Service detection
  • Vulnerability scanning
  • Fingerprinting
  • Exploitation attempts

Performance Impact

Network Overhead

# Per target:
# - 1 HTTP HEAD request (~200 bytes)
# - 8 second timeout
# - No impact if cached

# For 1000 targets:
# - First scan: ~1000 HEAD requests
# - Subsequent: 0 (cached)

Time Impact

Minimal delay:
  • Cached lookups: less than 1ms
  • HEAD request: ~100-500ms average
  • Timeout: 8 seconds maximum

Advanced Configuration

Customize Detection Logic

Edit lib/util/HoneypotDetection.go: 
// Adjust detection thresholds
func CheckHoneyportDetection4HeaderServer(server, szUrl string) bool {
    // More aggressive: shorter threshold
    if 30 < len(server) || 2 < len(strings.Split(server, ",")) {
        return true
    }
    
    // Additional checks
    if strings.Contains(server, "honeypot") {
        return true
    }
    
    return false
}

Custom Fingerprint Threshold

var Max_Count = 10  // Maximum fingerprints before flagging

// In config or code:
Max_Count = 5  // More aggressive
Max_Count = 20 // More permissive

Logging

Honeypot detections are logged: 
SendLog(szUrl, string(Scan4all), "Honeypot found", "")
Logs include:
  • Target URL
  • Detection source (scan4all)
  • Detection message
  • Timestamp

False Positives

Common Causes

  1. Load Balancers: May aggregate multiple server headers
  2. WAF/Proxy: Security appliances add headers
  3. Misconfigured Servers: Poor administration

Handling False Positives

# Disable detection if too many false positives
EnableHoneyportDetection=false ./scan4all -l targets.txt

# Or adjust thresholds in source code

False Negatives

Sophisticated Honeypots

Some honeypots may evade detection:
  • Perfectly mimicked server headers
  • Realistic response patterns
  • Professional implementation
No honeypot detection is 100% accurate. This feature reduces false targets but doesn’t guarantee complete avoidance.

Best Practices

  1. Enable for Unknown Networks: Always enable when scanning unfamiliar targets
  2. Monitor Logs: Review detected honeypots for patterns
  3. Adjust Thresholds: Tune based on your environment
  4. Combine with Other Intel: Use alongside passive reconnaissance
  5. Regular Updates: Keep detection logic current with honeypot trends

Use Cases

Bug Bounty Hunting

# Avoid wasting time on security research honeypots
EnableHoneyportDetection=true ./scan4all -l scope.txt

Red Team Operations

# Avoid detection and blacklisting
EnableHoneyportDetection=true ./scan4all -host target.com

Mass Scanning

# Filter honeypots from large internet scans
EnableHoneyportDetection=true ./scan4all -l ips.txt

Penetration Testing

# Usually disabled for client networks
EnableHoneyportDetection=false ./scan4all -l client_targets.txt

Troubleshooting

Detection Not Working

# Verify it's enabled
echo $EnableHoneyportDetection

# Check configuration
cat config/config.json | grep EnableHoneyport

# Enable explicitly
export EnableHoneyportDetection=true

Too Many Detections

# Adjust thresholds in source
# Or disable if environment has many load balancers
EnableHoneyportDetection=false ./scan4all -l targets.txt

Cache Issues

// Clear cache by restarting scan4all
// Cache is in-memory only

Comparison with Other Tools

Featurescan4allOther Scanners
Auto DetectionYes (optional)Usually No
Server AnalysisYesLimited
Fingerprint CountYesNo
CachingYesVaries
ConfigurableYesLimited

See Also

Build docs developers (and LLMs) love

Get started for freeTalk to us