
Testing & Validation

This guide explains how to validate a TrapEye deployment by generating controlled interactions against a deployed TrapEye device.

These tests simulate common attacker techniques to validate TrapEye operation, traffic capture, and alert visibility.


Before starting, ensure that:

  • At least one TrapEye device is deployed and visible in the Devices section
  • The TrapEye device appears online
  • A policy enabling the services to be tested is applied to the TrapEye device
  • A testing machine with shell access, on the same network as the TrapEye device, is available

All tests below will generate Interactions that can be viewed in Detection → Interactions.

Each interaction includes attacker fingerprinting, protocol metadata, and payload details.


TrapEye detects common reconnaissance activity at the network layer.

Install nmap on the testing machine:

    sudo apt install nmap

  1. From a machine on the same network, run a port scan against the TrapEye IP:

    nmap -Pn -sS <TRAPEYE_IP>

    Flag details:

    • -Pn: No Ping. Treats the host as online and skips host discovery. Useful if ICMP is blocked, or to ensure the scan proceeds regardless of reachability checks.
    • -sS: SYN Stealth Scan. This “half-open” scan sends a SYN packet and waits for a response but never completes the 3-way handshake. It is faster and often stealthier.

    Or, for a TCP Connect scan (if you don’t have root privileges):

    nmap -Pn -sT -p 21,22,80,443,3389 <TRAPEYE_IP>

    • -sT: TCP Connect Scan. This scan performs a full 3-way handshake (SYN, SYN/ACK, ACK) for every port. It is used when raw packet privileges are not available.
    • -p: Port Specification. Scans only the specified ports (here FTP, SSH, HTTP, HTTPS, RDP) instead of the default 1000 most common ports.

Expected Result

  • A Port Scan Interaction is generated
  • Source IP, scan type, ports, and timing are visible in the TrapEye console
  • A Threat may be created if this is the first interaction from the source IP

TrapEye emulates FTP services to capture attacker behavior.

Install an FTP client on the testing machine:

    sudo apt install inetutils-ftp

  1. Connect to the TrapEye device using FTP:

    ftp <TRAPEYE_IP> <FTP_PORT>

  2. Use common FTP commands:

    USER anonymous
    PASS test
    ls
    mkdir test_dir
    put localfile.txt
    get id_ed25519

Expected Result

  • Each command generates an Interaction
  • Uploaded/downloaded file metadata is recorded

TrapEye detects SSH authentication attempts and interactive sessions.

Note: If the sandbox feature is enabled in the interface, TrapEye will log all executed commands and provide an interactive shell to the attacker.

Install an SSH client on the testing machine:

    sudo apt install openssh-client

  1. Attempt an SSH connection:

    ssh root@<TRAPEYE_IP>

  2. Enter any password when prompted.

Expected Result

  • Authentication attempts are recorded
  • Username, source IP, client fingerprint, and timing are visible
  • Interactive shell commands generate additional interactions if authentication is successful

TrapEye simulates SMTP services to capture email-based attacks.

Install swaks on the testing machine:

    sudo apt install swaks

  1. Send a simulated email with authentication using swaks:

    swaks --server <TRAPEYE_IP>:<SMTP_PORT> \
      --ehlo client.example.com \
      --auth LOGIN \
      --auth-user "admin" \
      --auth-password "admin" \
      --from "admin@example.com" \
      --to "recipient@example.com" \
      --header "Subject: Test SEND MAIL" \
      --body "Content of test email generated with swaks."

Expected Result

  • SMTP commands are logged as interactions
  • Sender, recipient, and payload metadata are captured

TrapEye detects web traffic and fingerprints the visiting browser.

  1. Open a web browser (Chrome, Firefox, Safari).

  2. Navigate to the TrapEye IP address:

    http://<TRAPEYE_IP>

Expected Result

  • An Interaction is generated
  • Browser fingerprinting (User-Agent, headers) is visible

TrapEye detects LDAP enumeration attempts.

Install the OpenLDAP client tools on the testing machine:

    sudo apt install ldap-utils

  1. Run an LDAP search against the TrapEye device:

    ldapsearch -LLL -x \
      -H ldap://<TRAPEYE_IP>:<LDAP_PORT> \
      -D "user@example.com" \
      -w "Password123" \
      -b "DC=example,DC=com" \
      "(&(whenChanged>=20250125000000.0Z))" \
      sAMAccountName whenChanged

Expected Result

  • LDAP query is logged as an interaction
  • Search filter and base DN are captured

TrapEye detects unauthorized RDP connection attempts.

  1. Install and connect using xfreerdp3:

    sudo apt install freerdp3-x11 xvfb
    xvfb-run -a xfreerdp3 /v:<TRAPEYE_IP> /u:administrator /d:test.local

Expected Result

  • RDP handshake and authentication attempts are recorded
  • Source system fingerprinting is visible

TrapEye detects authentication attempts on PostgreSQL services.

Install the PostgreSQL client on the testing machine:

    sudo apt install postgresql-client

  1. Attempt to connect to the PostgreSQL service:

    psql -h <TRAPEYE_IP> -p 5432 -U admin -d dbtest -W

  2. Enter any password when prompted.

Expected Result

  • Connection attempt and credentials are recorded
  • Database name and username are captured

TrapEye detects and correlates repeated authentication failures to identify brute-force attacks.

Install Medusa on the testing machine:

    sudo apt install medusa

  1. Download a common password list (e.g., SecLists):

    wget https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Passwords/Common-Credentials/darkweb2017_top-100.txt -O darkweb2017_top-100.txt

  2. Run a brute-force attack using Medusa:

    medusa -h <TRAPEYE_IP> -n <SSH_PORT> -u root -P darkweb2017_top-100.txt -M ssh -t 5

Expected Result

  • 5 authentication failures are logged, followed by a Brute Force interaction including the number of attempts
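To make the correlation this section describes concrete, here is an added Python example (not TrapEye's own detection code) that replays constructed sample interaction records and opens a single Brute Force event once a source reaches five failures against one service, then grows that event's attempt count as the streak continues, so the first five failures stay individual records and everything after folds into the event. The record format, the 5-failure threshold and the 5-minute streak window are assumptions chosen to match the test above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                  # failures that open a Brute Force event
WINDOW = timedelta(minutes=5)  # a quieter gap than this starts a new streak

# Constructed sample records: "<ISO timestamp> <src ip> <service> <user> <fail|ok>".
# Seven failures from one source against SSH (what a short medusa run yields),
# plus unrelated traffic that must not trigger an event.
SAMPLE_LOG = """\
2025-01-25T10:00:00 10.0.0.5 ssh root fail
2025-01-25T10:00:00 10.0.0.5 ssh root fail
2025-01-25T10:00:01 10.0.0.5 ssh root fail
2025-01-25T10:00:01 10.0.0.9 ssh admin fail
2025-01-25T10:00:01 10.0.0.5 ssh root fail
2025-01-25T10:00:02 10.0.0.5 ssh root fail
2025-01-25T10:00:02 10.0.0.7 postgresql admin ok
2025-01-25T10:00:03 10.0.0.5 ssh root fail
2025-01-25T10:00:03 10.0.0.5 ssh root fail
"""


def parse(line):
    ts, src, service, user, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "service": service, "user": user, "result": result}


def correlate(records):
    """Return Brute Force events: one per (source, service) streak that reaches
    THRESHOLD failures, with 'attempts' and 'last_seen' updated as it grows."""
    streaks = defaultdict(lambda: {"count": 0, "first": None, "last": None, "event": None})
    events = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["result"] != "fail":
            continue                                   # successes never count
        s = streaks[(r["src"], r["service"])]
        if s["last"] is not None and r["ts"] - s["last"] > WINDOW:
            s.update(count=0, event=None)              # quiet gap: new streak
        s["count"] += 1
        if s["count"] == 1:
            s["first"] = r["ts"]
        s["last"] = r["ts"]
        if s["count"] == THRESHOLD:                    # failures 1..4 stay individual
            s["event"] = {"type": "Brute Force", "src": r["src"], "service": r["service"],
                          "attempts": s["count"], "first_seen": s["first"], "last_seen": r["ts"]}
            events.append(s["event"])
        elif s["event"] is not None:                   # later failures fold into the event
            s["event"].update(attempts=s["count"], last_seen=r["ts"])
    return events


def brute_force_events(text=SAMPLE_LOG):
    return correlate(parse(l) for l in text.splitlines() if l.strip())
```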

Once validation is complete, you can:

  • Integrate TrapEye alerts into your SIEM and build SOAR playbooks for automated response
  • Scale the deployment with additional TrapEye devices