TelNet Logger and HoneyNetIP Automation

This is a follow-up to my previous post on the initial deployment of TelnetLogger and HoneyCredIPTracker. Typically when I do one of these projects I keep notes at each step, but things went a bit differently this time. I was quite giddy while initially setting things up, so it took me a bit to retrace my steps. So let’s kick things off.

As usual, let’s get things updated and downloaded.

sudo apt-get update -y && sudo apt-get upgrade -y 

If you don’t have git installed already, go ahead and knock that out as well. This will also make your life much easier in the future.

sudo apt-get install git -y

As for the two scripts, which directory you clone them into is up to you, but I recommend cloning them into /opt/.

sudo git clone
sudo git clone

Robert is nice enough to help out some of us newbies with getting TelnetLogger compiled and ready to go. The first thing is to change directories to where TelnetLogger resides. Then, as Robert recommends, run the following command.

gcc telnetlogger.c -o telnetlogger -lpthread

If this fails on you, make sure you have gcc installed.

sudo apt-get install gcc

Once you have gcc and TelnetLogger installed you can go ahead and run TelnetLogger and get the output right on your screen. It will also output the information to ips.txt and passwords.txt. Get things up and running with


Now we can incorporate the bash script from Daniel Miessler. This is a great addition to the whole process because it cleans up the output from TelnetLogger into sorted lists. In my haste I didn’t clone this script directly into the TelnetLogger directory, so I went ahead and edited the script to point to the full file path of the TelnetLogger output. At this point I set up a few cron jobs. Two of them copy the output of TelnetLogger to an archive folder on the same server, and the third runs HoneyCredIPTracker.

# In a crontab entry an unescaped % is turned into a newline, so each one is written as \%
0 * * * * cp /opt/telnetlogger/ips.txt /telnetlogger_logs/ips-$(date +\%Y.\%m.\%d-\%H.\%M.\%S).txt
0 * * * * cp /opt/telnetlogger/passwords.txt /telnetlogger_logs/passwords-$(date +\%Y.\%m.\%d-\%H.\%M.\%S).txt
0 * * * * /opt/HoneyCredIPTracker/
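
The hourly copy-and-sort step can also be done by one script, which takes the timestamp once for both files and keeps the date format string out of the crontab line, where % has a special meaning. This is an added example, not code from this post, TelnetLogger or HoneyCredIPTracker: the ranking is plain sort and uniq standing in for the sorting step, and the function names, the *-ranked.txt files and the one-record-per-line format are assumptions.

```shell
#!/bin/sh
# Added example: one hourly job that snapshots and ranks TelnetLogger output.
# Assumptions (not from the post): ips.txt and passwords.txt hold one record
# per line; the function names and the *-ranked.txt files are hypothetical.

# rank_lines FILE: print "count record" rows, most frequent first.
rank_lines() {
    # The records are attacker-supplied. Strip control bytes (terminal escape
    # sequences, carriage returns) before the list is viewed or published.
    LC_ALL=C tr -cd '[:print:]\n' < "$1" | grep -v '^ *$' |
        LC_ALL=C sort | uniq -c | LC_ALL=C sort -k1,1nr -k2 |
        awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c, $0 }'
}

# snapshot SRC_DIR ARCHIVE_DIR: archive both logs under one timestamp, rank
# each copy, and print the timestamp that was used.
snapshot() (
    src=$1 dest=$2
    stamp=$(date +%Y.%m.%d-%H.%M.%S)   # same format as the cron entries above
    mkdir -p "$dest" || exit 1
    for name in ips passwords; do
        [ -s "$src/$name.txt" ] || continue     # nothing logged yet, skip it
        cp -- "$src/$name.txt" "$dest/$name-$stamp.txt" || exit 1
        rank_lines "$dest/$name-$stamp.txt" > "$dest/$name-ranked.txt"
    done
    printf '%s\n' "$stamp"
)

# Run as: script.sh /opt/telnetlogger /telnetlogger_logs
if [ "$#" -eq 2 ]; then
    snapshot "$1" "$2"
fi
```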

At this point it was time to automate the startup of TelnetLogger. This was as simple as adding an entry to rc.local.

sudo vi /etc/rc.local

I like to add a note in rc.local so I don’t forget what it is for, so mine looks like the following.

#Start telnet logger


So at this point you could restart the server and all the tasks would kick off, and you would get an updated ips.txt and passwords.txt file every hour on the hour. In my case I didn’t want to restart the server because I am concerned with maintaining my current uptime. So, in order to start the process and keep it running when I close my terminal, I disown the process when I start it.

/opt/telnetlogger/telnetlogger & disown

At this point it should all be up and running. You can see the output from my servers at the following links:


Sorted IPs

Sorted Passwords

Thanks for taking the time to read this, and I hope it was helpful. Let me know if there is anything I should do differently.



TelnetLogger and HoneyCredIPTracker

Update #1: **Go to this post for the setup and automation process**

Update #2: **Mirai Botnet User: Pass Tracking**

Sorted Passwords

Sorted IPs


Yesterday while browsing Twitter I stumbled across TelnetLogger and HoneyCredIPTracker and decided I would add them to my collection process from the CapAnalysis project. The general idea here is that TelnetLogger logs all of the telnet attempts on a server, and since the server I am using for POL is internet facing I decided I would throw it on there and see what happens and what results I get. Here is the intro from the TelnetLogger GitHub page, which explains the goal:

“It’s designed to track the Mirai botnet. Right now (Oct 23, 2016) infected Mirai machines from around the world are trying to connect to Telnet on every IP address about once per minute. This program logs both which IP addresses are doing the attempts, and which passwords they are using.”

And the description from HoneyCredIPTracker:

“Initially set up to capture connections to Robert Graham’s TelnetLogger project that he created to look at Mirai connections, but it can be used to look at IPs.”

I have some automation set up that updates the credentials and IP address files every hour at 5 minutes past the hour. Take a look and let me know your thoughts.