FaPro: Building a Virtual Honeypot Network with 50+ Protocol Simulators

Hook

Most honeypots simulate one protocol well. FaPro simulates 50+ protocols across an entire fake subnet—convincing enough to fool automated scanners and sophisticated enough to log SSH terminal commands, RDP authentication attempts, and SQL queries.

Context

Traditional honeypots face a fundamental trade-off: depth versus breadth. Tools like Cowrie excel at deep SSH interaction, complete with fake filesystems and command execution. But deploying 50 specialized honeypots, each simulating a different protocol, becomes a maintenance nightmare. Meanwhile, simple banner-only honeypots are easily identified as decoys because they fail to complete protocol handshakes correctly.

FaPro emerged from this gap. The tool appears designed for threat intelligence gathering at scale, implementing just enough protocol logic to capture reconnaissance patterns, credential stuffing attempts, and exploit delivery without the overhead of full service emulation. The result is a single binary that can masquerade as an entire enterprise network.

Technical Insight

System architecture (auto-generated diagram; only the component labels survive): Network Traffic enters a Packet Capture Layer; a Mode Selector chooses between Local Binding (localhost) and a Virtual Subnet Manager (virtual network) whose SYN/ACK Handler emits SYN-ACK packets; Protocol Handlers (SSH/MySQL/RDP/50+ others) produce the responses; a Session Manager, a Rate Limiter & IP Filter, and a Logging Backend (SQLite/MySQL/Elasticsearch) complete the pipeline.

FaPro operates in two fundamentally different modes, controlled by the network_build parameter. In localhost mode, it binds services to your local machine—essentially a multi-protocol honeypot running on one IP. In virtual network mode, it creates an entire simulated subnet using raw packet capture and injection.

Here’s how virtual network simulation works. When you generate a configuration with fapro genConfig -n 172.16.0.0/16, FaPro creates a JSON structure defining hosts across that subnet. Each host can run multiple services:

{
  "network": "172.16.0.0/16",
  "network_build": "userdef",
  "hosts": [
    {
      "ip": "172.16.10.50",
      "handlers": [
        {
          "handler": "ssh",
          "port": 22,
          "params": {
            "accounts": ["root:toor:/root:0"],
            "server_version": "SSH-2.0-OpenSSH_7.4"
          }
        },
        {
          "handler": "mysql",
          "port": 3306,
          "params": {
            "version": "5.7.32",
            "accounts": ["admin:admin123"]
          }
        }
      ]
    },
    {
      "ip": "172.16.10.51",
      "handlers": [
        {
          "handler": "rdp",
          "port": 3389,
          "params": {
            "image": "/path/to/login_screen.bmp"
          }
        }
      ]
    }
  ]
}

When an attacker scans 172.16.10.50, FaPro intercepts packets at the network layer (using libpcap/winpcap), responds to SYN packets with SYN-ACK from the virtual IP, and maintains stateful TCP connections. The syn_dev, udp_dev, and icmp_dev parameters specify which network interface to monitor. This allows FaPro to respond to ICMP ping requests across the entire subnet—making the network topology appear legitimate during reconnaissance.

The protocol implementations vary in sophistication. Deep interaction protocols like SSH go beyond banner grabbing. According to the README, FaPro supports user login and fake terminal commands. The account format username:password:home:uid lets you define fake users. It logs every command attempt, capturing the attacker’s post-exploitation behavior.

Similarly, the MySQL handler supports SQL statement query interaction according to the README. You can configure database versions, and FaPro will respond to authentication attempts with protocol-compliant responses.
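Hand-editing a generated config for a /16 is where mistakes creep in: a host placed outside the subnet, two handlers on one port, or an SSH account that does not follow the username:password:home:uid form. The validator below is an added example, not FaPro's code; it checks a config in the shape shown above. The JSON field names come from the page, while the validation rules (IP inside the network, unique ports per host, well-formed SSH and MySQL account strings) are this example's own assumptions about what a sane config looks like.

```python
"""Validator for a FaPro-style virtual-network config (added example, not FaPro's code).

Field names match the page's JSON; the checks themselves are assumptions:
every host IP must fall inside "network", no port may be reused on one host,
SSH accounts must be user:password:home:uid, MySQL accounts user:password.
"""
import ipaddress
import json

# Constructed sample config, same shape as the page's example, with two
# deliberate mistakes: a host outside the subnet and a malformed SSH account.
SAMPLE_CONFIG = json.dumps({
    "network": "172.16.0.0/16",
    "network_build": "userdef",
    "hosts": [
        {"ip": "172.16.10.50", "handlers": [
            {"handler": "ssh", "port": 22,
             "params": {"accounts": ["root:toor:/root:0", "bad-account"],
                        "server_version": "SSH-2.0-OpenSSH_7.4"}},
            {"handler": "mysql", "port": 3306,
             "params": {"version": "5.7.32", "accounts": ["admin:admin123"]}},
        ]},
        {"ip": "10.9.9.9", "handlers": [
            {"handler": "rdp", "port": 3389, "params": {}},
        ]},
    ],
})


def parse_ssh_account(entry):
    """Split user:password:home:uid. The password may itself contain ':',
    so the user is taken from the left and home/uid from the right."""
    parts = entry.split(":")
    if len(parts) < 4:
        raise ValueError(f"ssh account {entry!r} needs user:password:home:uid")
    user = parts[0]
    home, uid = parts[-2], parts[-1]
    password = ":".join(parts[1:-2])
    if not user:
        raise ValueError(f"ssh account {entry!r} has an empty username")
    if not home.startswith("/"):
        raise ValueError(f"ssh account {entry!r}: home {home!r} is not absolute")
    if not uid.isdigit():
        raise ValueError(f"ssh account {entry!r}: uid {uid!r} is not numeric")
    return {"user": user, "password": password, "home": home, "uid": int(uid)}


def parse_mysql_account(entry):
    """Split user:password (the password may contain ':')."""
    user, sep, password = entry.partition(":")
    if not sep or not user:
        raise ValueError(f"mysql account {entry!r} needs user:password")
    return {"user": user, "password": password}


def validate_config(text):
    """Return a list of problems found; an empty list means the config passed."""
    cfg = json.loads(text)
    problems = []
    net = ipaddress.ip_network(cfg["network"], strict=False)
    parsers = {"ssh": parse_ssh_account, "mysql": parse_mysql_account}
    for host in cfg.get("hosts", []):
        ip = ipaddress.ip_address(host["ip"])
        if ip not in net:
            problems.append(f"{ip} is outside {net}")
        seen_ports = set()
        for h in host.get("handlers", []):
            port = h["port"]
            if not 1 <= port <= 65535:
                problems.append(f"{ip}: port {port} out of range")
            if port in seen_ports:
                problems.append(f"{ip}: port {port} assigned twice")
            seen_ports.add(port)
            parser = parsers.get(h["handler"])
            if parser:
                for acct in h.get("params", {}).get("accounts", []):
                    try:
                        parser(acct)
                    except ValueError as exc:
                        problems.append(f"{ip}:{port}: {exc}")
    return problems


if __name__ == "__main__":
    for p in validate_config(SAMPLE_CONFIG):
        print("problem:", p)
```

Run it before fapro run on a config you have edited by hand; the two planted mistakes in the sample are reported, and a clean config yields an empty list.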

RDP simulation implements CredSSP and NTLMv2 NLA authentication—the same mechanisms used by real Windows servers. You can configure an image to display during login attempts, creating a convincing visual replica. The cert_name parameter controls the SSL certificate presented during the RDP handshake.

The HTTP handler includes website cloning via Chrome/ChromeDriver:

fapro genConfig -p http > http_config.json
# Edit config to specify target URL
fapro run -c http_config.json

FaPro launches a headless Chrome instance to clone websites, though the README notes you need to install Chrome browser and ChromeDriver for this to work.

Log aggregation happens through multiple backends. The storage parameter supports SQLite for local testing, MySQL for centralized collection, and Elasticsearch for large-scale analysis:

{
  "storage": "es://http://elastic:password@localhost:9200",
  "geo_db": "/usr/share/GeoIP/GeoLite2-City.mmdb",
  "use_logq": true
}

The use_logq parameter enables asynchronous log queuing. When Elasticsearch is the backend, the README states that the geo_db field is not needed because geolocation is added automatically by Elasticsearch's geoip processor. All logs include JA3 SSL fingerprints, allowing you to track scanning tools by their TLS client signatures.
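To make use of the JA3 values in those logs it helps to know how the fingerprint is derived and how to pivot on it. The following is an added example, not FaPro's code: it builds the JA3 string and MD5 from the fields of a TLS ClientHello (version, cipher suites, extensions, curves, point formats, with GREASE values dropped, as the JA3 specification defines) and then groups a handful of log records by fingerprint. The ClientHello values, the "known client" table and the log record field names (src, handler, ja3) are all constructed for illustration and are not real tool signatures or FaPro's log schema.

```python
"""JA3 fingerprint construction and log pivoting (added example, not FaPro's code).

JA3 = MD5("version,ciphers,extensions,curves,point_formats"), each list joined
with '-' in decimal, GREASE values removed. Everything below the two helper
functions is constructed sample data.
"""
import hashlib

# GREASE values (RFC 8701) are randomised per connection and must not enter the hash.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Return the un-hashed JA3 string for the given ClientHello fields."""
    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), fmt(ciphers), fmt(extensions),
                     fmt(curves), fmt(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """Return the 32-hex-character JA3 fingerprint."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()


# Two constructed ClientHello profiles (illustrative values, not real signatures).
SCANNER_HELLO = dict(version=771, ciphers=[0x1a1a, 0x1301, 0x1302, 0xc02b],
                     extensions=[0x0a0a, 0, 10, 11, 13],
                     curves=[0x2a2a, 29, 23], point_formats=[0])
BROWSER_HELLO = dict(version=771, ciphers=[0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f],
                     extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 21],
                     curves=[29, 23, 24], point_formats=[0])

# Constructed "known client" table keyed by fingerprint.
KNOWN_CLIENTS = {ja3_hash(**SCANNER_HELLO): "constructed-scanner-profile"}

# Constructed log records in a FaPro-like shape (field names are an assumption).
SAMPLE_LOGS = [
    {"src": "203.0.113.7", "handler": "https", "ja3": ja3_hash(**SCANNER_HELLO)},
    {"src": "203.0.113.7", "handler": "rdp", "ja3": ja3_hash(**SCANNER_HELLO)},
    {"src": "198.51.100.9", "handler": "https", "ja3": ja3_hash(**SCANNER_HELLO)},
    {"src": "192.0.2.44", "handler": "https", "ja3": ja3_hash(**BROWSER_HELLO)},
]


def summarize(records):
    """Group records by JA3: hit count, distinct sources, handlers touched,
    and the label from KNOWN_CLIENTS (or 'unknown')."""
    out = {}
    for r in records:
        entry = out.setdefault(r["ja3"], {
            "hits": 0, "sources": set(), "handlers": set(),
            "label": KNOWN_CLIENTS.get(r["ja3"], "unknown"),
        })
        entry["hits"] += 1
        entry["sources"].add(r["src"])
        entry["handlers"].add(r["handler"])
    return out


if __name__ == "__main__":
    for fp, info in summarize(SAMPLE_LOGS).items():
        print(fp, info["label"], "hits:", info["hits"],
              "sources:", len(info["sources"]), "handlers:", sorted(info["handlers"]))
```

The same fingerprint appearing from several source addresses against several handlers is the pattern that identifies a shared tool rather than a single curious host; that is the pivot this summary surfaces.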

Rate limiting and IP blocking protect the honeypot from overwhelming traffic:

{
  "limiter": {
    "period": 10,
    "count": 3,
    "block_period": 20
  },
  "exclusions": ["192.168.1.100", "10.0.0.0/8"]
}

This configuration blocks IPs making more than 3 connection attempts within 10 minutes (the period is specified in minutes according to the README), preventing abuse from disrupting logging. The exclusions array whitelists trusted IPs.
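The limiter semantics are easy to misjudge when tuning period, count and block_period, so it is worth replaying real or synthetic connection timelines against them before deploying. The class below is an added example, not FaPro's limiter; it models the behaviour the page describes (an IP that opens more than count connections within period minutes is blocked for block_period minutes, addresses and CIDRs in exclusions are never limited) over a constructed list of connection events. The exact window and reset behaviour of FaPro's own implementation is not documented on the page and is an assumption here.

```python
"""Sliding-window connection limiter modelled on FaPro's limiter block
(added example, not FaPro's code; its exact window handling is an assumption).

An IP with more than `count` connections inside `period` minutes is blocked
for `block_period` minutes; IPs matching `exclusions` are never limited.
"""
import ipaddress
from collections import defaultdict, deque

LIMITER = {"period": 10, "count": 3, "block_period": 20}   # minutes, as on the page
EXCLUSIONS = ["192.168.1.100", "10.0.0.0/8"]


class ConnectionLimiter:
    def __init__(self, period_min, count, block_period_min, exclusions):
        self.period = period_min * 60
        self.count = count
        self.block_period = block_period_min * 60
        self.exclusions = [ipaddress.ip_network(x, strict=False) for x in exclusions]
        self.recent = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked_until = {}           # ip -> epoch seconds when the block ends

    def is_excluded(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exclusions)

    def allow(self, ip, now):
        """True if a connection from ip at time `now` (epoch seconds) should be
        handled and logged; False if the IP is currently blocked."""
        if self.is_excluded(ip):
            return True
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.blocked_until[ip]
            self.recent[ip].clear()       # start a fresh window once the block ends
        window = self.recent[ip]
        window.append(now)
        while window and window[0] <= now - self.period:
            window.popleft()              # drop attempts older than `period`
        if len(window) > self.count:
            self.blocked_until[ip] = now + self.block_period
            return False
        return True


def replay(events, limiter=None):
    """events: list of (seconds, ip); returns list of (seconds, ip, allowed)."""
    limiter = limiter or ConnectionLimiter(LIMITER["period"], LIMITER["count"],
                                           LIMITER["block_period"], EXCLUSIONS)
    return [(t, ip, limiter.allow(ip, t)) for t, ip in events]


# Constructed sample timeline: a fast scanner from 203.0.113.7, a trusted host
# inside 10.0.0.0/8 behaving the same way, and a slow scanner under the limit.
SAMPLE_EVENTS = [
    (0, "203.0.113.7"), (5, "203.0.113.7"), (10, "203.0.113.7"),
    (15, "203.0.113.7"),           # fourth attempt in 10 minutes: blocked
    (20, "203.0.113.7"),           # still inside the 20-minute block
    (1300, "203.0.113.7"),         # block expired (15 + 20*60 = 1215 < 1300)
    (0, "10.1.2.3"), (1, "10.1.2.3"), (2, "10.1.2.3"), (3, "10.1.2.3"),
    (0, "198.51.100.9"), (700, "198.51.100.9"), (1400, "198.51.100.9"),
]

if __name__ == "__main__":
    for t, ip, ok in replay(SAMPLE_EVENTS):
        print(f"t={t:5d} {ip:15s} {'allowed' if ok else 'BLOCKED'}")
```

Note what the replay shows: an excluded address is never blocked no matter how fast it connects, and a scanner that spaces probes more than period apart is never limited, so count and period together set the slowest scan rate the honeypot will still throttle.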

The README mentions support for TCP forwarding to forward network traffic, though implementation details are not provided.

Gotcha

The README is explicit about protocol simulation depth limitations. Protocols like Oracle TNS, BACnet, and COAP “currently only support nmap fingerprint spoofing.” This means they’ll respond correctly to nmap’s fingerprinting probes but won’t handle actual protocol interactions. If an attacker attempts to execute Oracle SQL commands, the simulation falls apart. This is fine for detecting scanners but inadequate for researching post-exploitation behavior on those specific protocols.

Virtual network mode requires raw packet capture, which means administrative privileges (root on Linux, Administrator on Windows). Windows users must install WinPcap or Npcap as noted in the README. The README shows interface name format for Windows as “\Device\NPF_{xxxx-xxxx}” but doesn’t provide detailed guidance on identifying interface names across platforms.

Website cloning via Chrome requires installing Chrome browser and ChromeDriver according to the README, which links to ChromeDriver downloads.

The configuration format, while comprehensive, appears complex. The README provides extensive examples but focuses more on demonstrating capabilities than explaining parameter semantics in detail. Learning happens primarily through the provided configuration examples.

Verdict

Use FaPro if you need broad protocol coverage for threat intelligence, want to deploy honeypots quickly without configuring 50 different tools, or need virtual network simulation to create realistic infrastructure decoys. It’s ideal for security researchers mapping adversary scanning patterns, SOC teams wanting early-warning systems for network reconnaissance, or red teamers building training environments. The Elasticsearch integration makes it powerful for teams already running ELK stacks. Skip it if you need deep interaction for specific protocols (specialized honeypots like Cowrie or Dionaea likely provide better fidelity), require Windows compatibility without driver installation hassles, or want detailed API documentation beyond configuration examples. Also skip if you’re expecting enterprise support—this is an open-source tool built for researchers. For detecting and logging reconnaissance across dozens of protocols simultaneously, FaPro’s breadth is unmatched. For analyzing sophisticated attacks against specific services, purpose-built honeypots may be superior.