
Testing & Validation

This guide explains how to validate a TrapEye deployment by generating controlled interactions against a deployed TrapEye device.

These tests simulate common attacker techniques to validate TrapEye operation, traffic capture, and alert visibility.


Before starting, ensure that:

  • At least one TrapEye device is deployed and visible in the Devices section
  • The TrapEye device appears online
  • A policy enabling the services to be tested is applied to the TrapEye device
  • A testing machine with shell access, on the same network as the TrapEye device, is available

All tests below will generate Interactions that can be viewed in Detection → Interactions.

Each interaction includes attacker fingerprinting, protocol metadata, and payload details.


TrapEye detects common reconnaissance activity at the network layer.

    sudo apt install nmap

  1. From a machine on the same network, run a port scan against the TrapEye IP:

    nmap -Pn -sS <TRAPEYE_IP>

    Flag details:

    • -Pn: No Ping. Treats the host as online and skips discovery. Useful if ICMP is blocked or to ensure the scan proceeds regardless of reachability checks.
    • -sS: SYN Stealth Scan. This “half-open” scan sends a SYN packet and waits for a response but never completes the 3-way handshake. It is faster and often stealthier.

    Or for a TCP Connect scan (if you don’t have root privileges):

    nmap -Pn -sT -p 21,22,80,443,3389 <TRAPEYE_IP>

    • -sT: TCP Connect Scan. This scan performs a full 3-way handshake (SYN, SYN/ACK, ACK) for every port. It is used when raw packet privileges are not available.
    • -p: Port Specification. Scans only the specified ports (e.g., FTP, SSH, HTTP, HTTPS, RDP) instead of the default 1000 most common ports.

Expected Result

  • A Port Scan Interaction is generated
  • Source IP, scan type, ports, and timing are visible in the TrapEye console
  • A Threat may be created if this is the first interaction from the source IP

TrapEye emulates FTP services to capture attacker behavior.

    sudo apt install inetutils-ftp

  1. Connect to the TrapEye device using FTP:

    ftp <TRAPEYE_IP> <FTP_PORT>

  2. Use common FTP commands:

    USER anonymous
    PASS test
    ls
    mkdir test_dir
    put localfile.txt
    get id_ed25519

Expected Result

  • Each command generates an Interaction
  • Uploaded/downloaded file metadata is recorded

TrapEye detects SSH authentication attempts and interactive sessions.

Note: If the sandbox feature is enabled in the interface, TrapEye will log all executed commands and provide an interactive shell to the attacker.

    sudo apt install openssh-client

  1. Attempt an SSH connection:

    ssh root@<TRAPEYE_IP>

  2. Enter any password when prompted.

Expected Result

  • Authentication attempts are recorded
  • Username, source IP, client fingerprint, and timing are visible
  • Interactive shell commands generate additional interactions if authentication is successful

TrapEye detects Telnet connection and authentication attempts.

    sudo apt install telnet

  1. Connect to the TrapEye device using Telnet:

    telnet <TRAPEYE_IP> <TELNET_PORT>

  2. Enter credentials when prompted (any username and password).

  3. Type a command (e.g., whoami, ls, pwd) in the interactive session.

Expected Result

  • Telnet connection and authentication attempts are recorded
  • CVE-2026-24061 exploitation technique is fingerprinted
  • TrapEye logs the initial command; the client-side session then terminates immediately

TrapEye simulates SMTP services to capture email-based attacks.

    sudo apt install swaks

  1. Send a simulated email with authentication using swaks:

    swaks --server <TRAPEYE_IP>:<SMTP_PORT> \
      --ehlo client.example.com \
      --auth LOGIN \
      --auth-user "admin" \
      --auth-password "admin" \
      --from "admin@example.com" \
      --to "recipient@example.com" \
      --header "Subject: Test SEND MAIL" \
      --body "Content of test email generated with swaks."

Expected Result

  • SMTP commands are logged as interactions
  • Sender, recipient, and payload metadata are captured

TrapEye detects web traffic and fingerprints the visiting browser.

  1. Open a web browser (Chrome, Firefox, Safari).

  2. Navigate to the TrapEye IP address:

    http://<TRAPEYE_IP>

Expected Result

  • An Interaction is generated
  • Browser fingerprinting (User-Agent, headers) is visible

TrapEye detects LDAP enumeration attempts.

    sudo apt install ldap-utils

  1. Run an LDAP search against the TrapEye device:

    ldapsearch -LLL -x \
      -H ldap://<TRAPEYE_IP>:<LDAP_PORT> \
      -D "user@example.com" \
      -w "Password123" \
      -b "DC=example,DC=com" \
      "(&(whenChanged>=20250125000000.0Z))" \
      sAMAccountName whenChanged

Expected Result

  • LDAP query is logged as an interaction
  • Search filter and base DN are captured

TrapEye detects Modbus protocol interactions commonly used in industrial control systems (ICS/SCADA).

  1. Clone the SMOD repository:

    git clone https://github.com/Joshua1909/smod.git
    cd smod

  2. Run SMOD using Docker with Python 2.7:

    docker run -it --rm \
      -v "$(pwd):/app" \
      -w /app \
      python:2.7 \
      python smod.py

  3. Use the Modbus read coils function:

    SMOD >use modbus/function/readCoils
    SMOD modbus(readCoils) >show options
    SMOD modbus(readCoils) >set RHOSTS <TRAPEYE_IP>
    SMOD modbus(readCoils) >set UID <UNIT_ID>
    SMOD modbus(readCoils) >exploit
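
To see exactly what the honeypot records from step 3 (unit ID, function code, starting address and quantity) and what a well-formed or exception reply looks like on the wire, here is an added Python example, not part of SMOD or TrapEye, that builds a Modbus/TCP Read Coils request and decodes the reply; the reply bytes in the demo are constructed.

```python
import struct

READ_COILS = 0x01  # Modbus function code 01: Read Coils


class ModbusException(Exception):
    """Raised when the reply is an exception response (function code with bit 7 set)."""


def build_read_coils(unit_id, start_addr, quantity, tid=1):
    """Build a Modbus/TCP Read Coils request: 7-byte MBAP header followed by a 5-byte PDU."""
    if not 1 <= quantity <= 2000:
        raise ValueError("Read Coils allows 1..2000 coils per request")
    pdu = struct.pack(">BHH", READ_COILS, start_addr, quantity)
    # MBAP: transaction id, protocol id (0 = Modbus), length of (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_request(frame):
    """Decode the fields a honeypot records from a Read Coils request frame."""
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    func, start, quantity = struct.unpack(">BHH", frame[7:12])
    return {"tid": tid, "unit_id": unit_id, "function": func,
            "start": start, "quantity": quantity}


def parse_read_coils_response(frame, quantity):
    """Return coil states as a list of bools, or raise ModbusException on an exception reply."""
    _tid, _proto, _length, _unit_id = struct.unpack(">HHHB", frame[:7])
    func = frame[7]
    if func & 0x80:  # exception response: requested function code | 0x80, then exception code
        raise ModbusException(f"function {func & 0x7F:#04x} failed, exception code {frame[8]}")
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if byte_count != (quantity + 7) // 8 or len(data) != byte_count:
        raise ValueError("byte count does not match the requested quantity")
    # Coils are packed LSB first: coil N is bit (N % 8) of data byte N // 8
    return [bool(data[i // 8] >> (i % 8) & 1) for i in range(quantity)]


if __name__ == "__main__":
    req = build_read_coils(unit_id=1, start_addr=0, quantity=8)
    print(req.hex(), parse_request(req))
    # Constructed sample reply: unit 1, FC 01, one data byte 0xA5 (coils 0, 2, 5 and 7 on)
    print(parse_read_coils_response(bytes.fromhex("000100000004010101a5"), 8))
```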

Expected Result

  • Modbus connection and query attempts are recorded
  • Function codes, unit IDs, and register addresses are captured
  • Response data from TrapEye Modbus emulation is visible

TrapEye detects unauthorized RDP connection attempts.

  1. Install and connect using xfreerdp3:

    sudo apt install freerdp3-x11 xvfb
    xvfb-run -a xfreerdp3 /v:<TRAPEYE_IP> /u:administrator /d:test.local

Expected Result

  • RDP handshake and authentication attempts are recorded
  • Source system fingerprinting is visible

TrapEye detects authentication attempts on PostgreSQL services.

    sudo apt install postgresql-client

  1. Attempt to connect to the PostgreSQL service:

    psql -h <TRAPEYE_IP> -p 5432 -U admin -d dbtest -W

  2. Enter any password when prompted.

Expected Result

  • Connection attempt and credentials are recorded
  • Database name and username are captured

TrapEye detects and correlates repeated authentication failures to identify brute-force attacks.

    sudo apt install medusa

  1. Download a common password list (e.g., SecLists):

    wget https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Common-Credentials/darkweb2017_top-100.txt -O darkweb2017_top-100.txt

  2. Run a brute-force attack using Medusa:

    medusa -h <TRAPEYE_IP> -n <SSH_PORT> -u root -P darkweb2017_top-100.txt -M ssh -t 5

Expected Result

  • 5 authentication failures are logged, followed by a Brute Force interaction including the number of attempts
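
To show how the expected result above can arise from raw authentication failures, here is an added Python example, not TrapEye's own code, that correlates a constructed sample auth log into one interaction per failure plus a Brute Force interaction carrying the attempt count once five failures from one source fall inside a 60-second window (the threshold, window and log format are assumptions).

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

THRESHOLD = 5   # failures from one source before a Brute Force interaction opens (assumed)
WINDOW_S = 60   # sliding window in seconds the failures must fall within (assumed)

# Constructed sample auth log: "<timestamp> <service> <src_ip> <user> <outcome>"
SAMPLE_LOG = """\
2025-01-25T10:00:00Z ssh 192.0.2.10 root FAIL
2025-01-25T10:00:01Z ssh 192.0.2.10 root FAIL
2025-01-25T10:00:01Z ssh 192.0.2.10 root FAIL
2025-01-25T10:00:02Z ssh 192.0.2.10 root FAIL
2025-01-25T10:00:02Z ssh 192.0.2.10 root FAIL
2025-01-25T10:00:03Z ssh 192.0.2.10 root FAIL
2025-01-25T10:00:05Z ssh 192.0.2.77 admin FAIL
2025-01-25T10:03:00Z ssh 192.0.2.77 admin FAIL
"""


def parse_line(line):
    ts, service, src, user, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "service": service, "src": src, "user": user, "failed": outcome == "FAIL"}


def correlate(lines, threshold=THRESHOLD, window_s=WINDOW_S):
    """One auth_failure interaction per failed login, plus one brute_force interaction once a
    source reaches `threshold` failures inside the window; its `attempts` grows until the burst ends."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    active = {}                   # src -> currently open brute_force interaction
    out = []
    for line in lines:
        ev = parse_line(line)
        if not ev["failed"]:
            continue
        out.append({"type": "auth_failure", "src": ev["src"],
                    "service": ev["service"], "user": ev["user"]})
        window = recent[ev["src"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()      # slide: drop failures older than the window
        if len(window) < threshold:
            active.pop(ev["src"], None)   # burst is over; a later burst opens a new record
        elif ev["src"] in active:
            active[ev["src"]]["attempts"] += 1
        else:
            record = {"type": "brute_force", "src": ev["src"],
                      "service": ev["service"], "attempts": len(window)}
            active[ev["src"]] = record
            out.append(record)
    return out
```

Running `correlate(SAMPLE_LOG.splitlines())` yields six failures from 192.0.2.10 with a Brute Force record opened at the fifth and ending at six attempts, while the two failures from 192.0.2.77, three minutes apart, never cross the window.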

Once validation is complete, you can:

  • Integrate TrapEye alerts into your SIEM and build SOAR playbooks for automated response
  • Scale the deployment with additional TrapEye devices