Honeypots

  • Database Honeypots
    - Delilah - Elasticsearch honeypot written in Python (originally from Novetta).
    - ESPot - Elasticsearch honeypot written in NodeJS, to capture every attempt to exploit CVE-2014-3120.
    - Elastic honey - Simple Elasticsearch honeypot.
    - MongoDB-HoneyProxy - MongoDB honeypot proxy.
    - NoSQLpot - Honeypot framework built on a NoSQL-style database.
    - mysql-honeypotd - Low-interaction MySQL honeypot written in C.
    - MysqlPot - MySQL honeypot, still at a very early stage.
    - pghoney - Low-interaction Postgres honeypot.
    - sticky_elephant - Medium-interaction PostgreSQL honeypot.
  • Web honeypots
    - EoHoneypotBundle - Honeypot type for Symfony2 forms.
    - Glastopf - Web application honeypot.
    - Google Hack Honeypot - Designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
    - Laravel Application Honeypot - Simple spam prevention package for Laravel applications.
    - Nodepot - NodeJS web application honeypot.
    - Servletpot - Web application honeypot.
    - Shadow Daemon - Modular web application firewall / high-interaction honeypot for PHP, Perl, and Python apps.
    - StrutsHoneypot - Apache 2 based Struts honeypot, plus a detection module for Apache 2 servers.
    - WebTrap - Creates deceptive web pages to redirect attackers away from real websites.
    - basic-auth-pot (bap) - HTTP Basic Authentication honeypot.
    - bwpot - Breakable web applications honeypot.
    - django-admin-honeypot - Fake Django admin login screen that notifies admins of attempted unauthorized access.
    - drupo - Drupal honeypot.
    - honeyhttpd - Python-based web server honeypot builder.
    - phpmyadmin_honeypot - Simple and effective phpMyAdmin honeypot.
    - shockpot - Web application honeypot for detecting Shellshock exploit attempts.
    - smart-honeypot - PHP script demonstrating a smart honeypot.
    - Snare/Tanner - Successors to Glastopf.
      - Snare - Super Next generation Advanced Reactive honeypot.
      - Tanner - Evaluates SNARE events.
    - stack-honeypot - Inserts a trap for spam bots into responses.
    - tomcat-manager-honeypot - Honeypot that mimics Tomcat Manager endpoints; logs requests and saves the attacker's WAR file for later study.
    - WordPress honeypots
      - HonnyPotter - WordPress login honeypot for collection and analysis of failed login attempts.
      - HoneyPress - Python-based WordPress honeypot in a Docker container.
      - wp-smart-honeypot - WordPress plugin to reduce comment spam with a smarter honeypot.
      - wordpot - WordPress honeypot.
  • Service Honeypots
    - ADBHoney - Low-interaction honeypot that simulates an Android device running the Android Debug Bridge (ADB) server process.
    - AMTHoneypot - Honeypot for Intel's AMT firmware vulnerability CVE-2017-5689.
    - Ensnare - Easy-to-deploy Ruby honeypot.
    - HoneyPy - Low-interaction honeypot.
    - Honeygrove - Multi-purpose modular honeypot based on Twisted.
    - Honeyport - Simple honeyport written in Bash and Python.
    - Honeyprint - Printer honeypot.
    - Lyrebird - Modern high-interaction honeypot framework.
    - MICROS honeypot - Low-interaction honeypot to detect CVE-2018-2636 in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (MICROS).
    - RDPy - Microsoft Remote Desktop Protocol (RDP) honeypot implemented in Python.
    - SMB Honeypot - High-interaction SMB service honeypot capable of capturing WannaCry-like malware.
    - Tom's Honeypot - Low-interaction Python honeypot.
    - WebLogic honeypot - Low-interaction honeypot to detect CVE-2017-10271 in the Oracle WebLogic Server component of Oracle Fusion Middleware.
    - WhiteFace Honeypot - Twisted-based honeypot for WhiteFace.
    - dhp - Simple Docker honeypot server emulating small snippets of the Docker HTTP API.
    - honeycomb_plugins - Plugin repository for Honeycomb, the honeypot framework by Cymmetria.
    - honeyntp - NTP logger/honeypot.
    - honeypot-camera - Observation camera honeypot.
    - honeypot-ftp - FTP honeypot.
    - honeytrap - Advanced honeypot framework written in Go that can be connected with other honeypot software.
    - pyrdp - RDP man-in-the-middle tool and library for Python 3, able to watch connections live or after the fact.
    - troje - Honeypot that runs each connection to the service within a separate LXC container.
  • Distributed Honeypots
    - DemonHunter - Low-interaction honeypot server.
  • Anti-honeypot stuff
    - kippo_detect - Offensive component that detects the presence of the Kippo honeypot.
  • ICS/SCADA honeypots
    - Conpot - ICS/SCADA honeypot.
    - GasPot - Emulates a Veeder-Root Guardian AST tank gauge, common in the oil and gas industry.
    - SCADA honeynet - Building honeypots for industrial networks.
    - gridpot - Open source tools for realistic-behaving electric grid honeynets.
    - scada-honeynet - Mimics many of the services from a popular PLC and helps SCADA researchers understand the potential risks of exposed control system devices.
  • Other/random
    - Damn Simple Honeypot (DSHP) - Honeypot framework with pluggable handlers.
    - NOVA - Uses honeypots as detectors; looks like a complete system.
    - OpenFlow Honeypot (OFPot) - Redirects traffic for unused IPs to a honeypot, built on POX.
    - OpenCanary - Modular and decentralised honeypot daemon that runs several canary versions of services and alerts when a service is (ab)used.
    - ciscoasa_honeypot - Low-interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.
    - miniprint - Medium-interaction printer honeypot.
  • Botnet C2 tools
    - Hale - Botnet command and control monitor.
    - dnsMole - Analyses DNS traffic to potentially detect botnet command and control server activity, along with infected hosts.
  • IPv6 attack detection tool
    - ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization.
  • Dynamic code instrumentation toolkit
    - Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.
  • Tool to convert website to server honeypots
    - HIHAT - Transform arbitrary PHP applications into web-based high-interaction honeypots.
  • Malware collector
    - Kippo-Malware - Python script that downloads all malicious files stored as URLs in a Kippo SSH honeypot database.
  • Distributed sensor deployment
    - Community Honey Network - CHN aims to make deploying honeypots and honeypot management tools easy and flexible. The default deployment method uses Docker Compose and Docker to deploy with a few simple commands.
    - Modern Honey Network - Multi-Snort and honeypot sensor management; uses a network of VMs, small-footprint Snort installations, stealthy Dionaeas, and a centralized server for management.
  • Network Analysis Tool
    - Tracexploit - Replay network packets.
  • Log anonymizer
    - LogAnon - Log anonymization library that keeps anonymized identifiers consistent between logs and network captures.
  • Low interaction honeypot (router back door)
    - Honeypot-32764 - Honeypot for the router backdoor listening on TCP port 32764.
    - WAPot - Honeypot that can be used to observe traffic directed at home routers.
  • Honeynet farm traffic redirector
    - Honeymole - Deploy multiple sensors that redirect traffic to a centralized collection of honeypots.
  • HTTPS Proxy
    - mitmproxy - Allows traffic flows to be intercepted, inspected, modified, and replayed.
  • System instrumentation
    - Sysdig - Open source system-level exploration tool: capture system state and activity from a running GNU/Linux instance, then save, filter, and analyze the results.
    - Fibratus - Tool for exploration and tracing of the Windows kernel.
  • Honeypot for USB-spreading malware
    - Ghost-usb - Honeypot for malware that propagates via USB storage devices.
  • Data Collection
    - Kippo2MySQL - Extracts some very basic stats from Kippo's text-based log files and inserts them into a MySQL database.
    - Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster).
  • Passive network audit framework parser
    - Passive Network Audit Framework (pnaf) - Framework that combines multiple passive and automated analysis techniques in order to provide a security assessment of network platforms.
  • VM monitoring and tools
    - Antivmdetect - Script to create templates to use with VirtualBox to make VM detection harder.
    - VMCloak - Automated virtual machine generation and cloaking for Cuckoo Sandbox.
    - vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine.
  • Mobile Analysis Tool
    - Androguard - Reverse engineering, malware and goodware analysis of Android applications and more.
    - APKinspector - Powerful GUI tool for analysts to analyze Android applications.
  • Low interaction honeypot
    - Honeyperl - Honeypot software written in Perl, with plugins developed for many services such as WinGate, Telnet, Squid, SMTP, etc.
    - T-Pot - All-in-one honeypot appliance from Deutsche Telekom.
  • Honeynet data fusion
    - HFlow2 - Data coalescing tool for honeynet/network analysis.
  • Server
    - Amun - Vulnerability emulation honeypot.
    - Artillery - Open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
    - Bait and Switch - Redirects all hostile traffic to a honeypot that partially mirrors your production system.
    - Bifrozt - Automatic deployment of Bifrozt with Ansible.
    - Conpot - Low-interaction server-side Industrial Control Systems honeypot.
    - Heralding - Credential-catching honeypot.
    - HoneyWRT - Low-interaction Python honeypot designed to mimic services or ports that might get targeted by attackers.
    - Honeyd - See Honeyd tools.
    - Honeysink - Open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.
    - Hontel - Telnet honeypot.
    - KFSensor - Windows-based honeypot Intrusion Detection System (IDS).
    - LaBrea - Takes over unused IP addresses and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
    - MTPot - Open source Telnet honeypot, focused on Mirai malware.
    - SIREN - Semi-Intelligent HoneyPot Network - HoneyNet Intelligent Virtual Environment.
    - TelnetHoney - Simple Telnet honeypot.
    - UDPot Honeypot - Simple UDP/DNS honeypot scripts.
    - Yet Another Fake Honeypot (YAFH) - Simple honeypot written in Go.
    - arctic-swallow - Low-interaction honeypot.
    - glutton - All-eating honeypot.
    - go-HoneyPot - Honeypot server written in Go.
    - go-emulators - Honeypot Golang emulators.
    - honeymail - SMTP honeypot written in Golang.
    - honeytrap - Low-interaction honeypot and network security tool written to catch attacks against TCP and UDP services.
    - imap-honey - IMAP honeypot written in Golang.
    - mwcollectd - Versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
    - potd - Highly scalable low- to medium-interaction SSH/TCP honeypot designed for OpenWrt/IoT devices, leveraging several Linux kernel features such as namespaces, seccomp and thread capabilities.
    - portlurker - Port listener in Rust with protocol guessing and safe string display.
    - slipm-honeypot - Simple low-interaction port monitoring honeypot.
    - telnet-iot-honeypot - Python Telnet honeypot for catching botnet binaries.
    - telnetlogger - Telnet honeypot designed to track the Mirai botnet.
    - vnclowpot - Low-interaction VNC honeypot.
  • IDS signature generation
    - Honeycomb - Automated signature creation using honeypots.
  • Lookup service for AS-numbers and prefixes
    - CC2ASN - Simple lookup service for AS numbers and prefixes belonging to any given country in the world.
  • Central management tool
    - PHARM - Manage, report, and analyze your distributed Nepenthes instances.
  • Network connection analyzer
    - Impost - Network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons.
  • Honeypot extensions to Wireshark
    - Wireshark Extensions - Apply Snort IDS rules and signatures against packet capture files using Wireshark.
  • PDF document inspector
    - peepdf - Powerful Python tool to analyze PDF documents.
  • Hybrid low/high interaction honeypot
    - HoneyBrid
  • SSH Honeypots
    - Blacknet - Multi-head SSH honeypot system.
    - Cowrie - Cowrie SSH honeypot (based on Kippo).
    - DShield docker - Docker container running Cowrie with DShield output enabled.
    - HonSSH - Logs all SSH communications between a client and server.
    - HUDINX - Tiny interaction SSH honeypot engineered in Python to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
    - Kippo - Medium-interaction SSH honeypot.
    - Kippo_JunOS - Kippo configured to be a backdoored NetScreen.
    - Kojoney2 - Low-interaction SSH honeypot written in Python and based on Kojoney by Jose Antonio Coret.
    - Kojoney - Python-based low-interaction honeypot that emulates an SSH server implemented with Twisted Conch.
    - LongTail Log Analysis @ Marist College - Analyzed SSH honeypot logs.
    - Malbait - Simple TCP/UDP honeypot implemented in Perl.
    - MockSSH - Mock an SSH server and define all commands it supports (Python, Twisted).
    - cowrie2neo - Parse Cowrie honeypot logs into a neo4j database.
    - go-sshoney - SSH honeypot.
    - go0r - Simple SSH honeypot in Golang.
    - gohoney - SSH honeypot written in Go.
    - hived - Golang-based honeypot.
    - hnypots-agent - SSH server in Go that logs username and password combinations.
    - honeypot.go - SSH honeypot written in Go.
    - honeyssh - Credential-dumping SSH honeypot with statistics.
    - hornet - Medium-interaction SSH honeypot that supports multiple virtual hosts.
    - ssh-auth-logger - Low/zero-interaction SSH authentication logging honeypot.
    - ssh-honeypot - Fake sshd that logs IP addresses, usernames, and passwords.
    - ssh-honeypot - Modified version of the OpenSSH daemon that forwards commands to Cowrie, where all commands are interpreted and returned.
    - ssh-honeypotd - Low-interaction SSH honeypot written in C.
    - sshForShits - Framework for a high-interaction SSH honeypot.
    - sshesame - Fake SSH server that lets everyone in and logs their activity.
    - sshhipot - High-interaction MitM SSH honeypot.
    - sshlowpot - Yet another no-frills low-interaction SSH honeypot in Go.
    - sshsyrup - Simple SSH honeypot with features to capture terminal activity and upload it to asciinema.org.
    - twisted-honeypots - SSH, FTP and Telnet honeypots based on Twisted.
  • Honeypot Distribution with mixed content
    - HoneyDrive
  • Honeypot sensor
    - Honeeepi - Honeypot sensor on a Raspberry Pi based on a customized Raspbian OS.
  • Live CD
    - DAVIX - The DAVIX Live CD.
  • Commercial honeynet
    - Cymmetria Mazerunner - Leads attackers away from real targets and creates a footprint of the attack.
  • Dynamic analysis of Android apps
    - Droidbox
  • Dockerized Low Interaction packaging
    - Docker honeynet - Several Honeynet tools set up for Docker containers.
    - Dockerized Thug - Dockerized Thug to analyze malicious web content.
    - Dockerpot - Docker-based honeypot.
    - Manuka - Docker-based honeypot (Dionaea and Kippo).
    - honey_ports - Very simple but effective Docker-deployed honeypot to detect port scanning in your environment.
    - mhn-core-docker - Core elements of the Modern Honey Network implemented in Docker.
  • IoT Honeypot
    - HoneyThing - TR-069 honeypot.
    - Kako - Honeypots for a number of well known and widely deployed embedded device vulnerabilities.
  • Honeytokens
    - CanaryTokens - Self-hostable honeytoken generator and reporting dashboard; a demo version is available at CanaryTokens.org.
    - Honeybits - Simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs and honeytokens across your production servers and workstations to lure the attacker toward your honeypots.
    - Honeyλ (HoneyLambda) - Simple, serverless application designed to create and monitor URL honeytokens, on top of AWS Lambda and Amazon API Gateway.
    - dcept - Tool for deploying and detecting use of Active Directory honeytokens.
    - honeyku - Heroku-based web honeypot that can be used to create and monitor fake HTTP endpoints (i.e. honeytokens).
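The web honeypots listed above (basic-auth-pot, phpmyadmin_honeypot, tomcat-manager-honeypot, shockpot) share one pattern: answer every request with a plausible challenge page, record exactly what the client sent, and tag requests that carry a known exploit signature. The stand-alone Python script below is an added example of that pattern written for this page; it is not code from any project in the list. The Apache banner string, the listening port and the admin-path prefixes are local choices made for the illustration, and only the standard library is used.

```python
"""Minimal low-interaction web honeypot: serves a fake admin login behind HTTP Basic
auth, records every request as one JSON line, captures submitted credentials and
flags Shellshock-style (CVE-2014-6271) payloads carried in request headers."""
import base64
import binascii
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Shellshock payloads begin a header value with a bash function definition; the
# tell-tale prefix is "() {" (whitespace varies between exploit kits).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Paths that scanners hammer looking for admin panels (assumed list for the example).
ADMIN_PREFIXES = ("/phpmyadmin", "/pma", "/manager/html", "/admin", "/wp-login.php")


def decode_basic_auth(header_value):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, or None."""
    if not header_value:
        return None
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None          # garbage after "Basic": log nothing rather than crash
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def classify_request(method, path, headers, client_ip, body=b""):
    """Build the log record for one request; `headers` maps header name -> value."""
    lowered = {k.lower(): v for k, v in headers.items()}
    record = {"src": client_ip, "method": method, "path": path,
              "user_agent": lowered.get("user-agent", ""), "body_len": len(body), "tags": []}
    creds = decode_basic_auth(lowered.get("authorization"))
    if creds:
        record["username"], record["password"] = creds
        record["tags"].append("basic-auth-attempt")
    # CGI exports any header into the environment, so the payload may sit in
    # User-Agent, Referer, Cookie or a custom header: check them all.
    hit = sorted(k for k, v in lowered.items() if SHELLSHOCK_RE.search(v))
    if hit:
        record["tags"].append("shellshock")
        record["shellshock_headers"] = hit
    if path.startswith(ADMIN_PREFIXES):
        record["tags"].append("admin-panel-probe")
    return record


class HoneyHandler(BaseHTTPRequestHandler):
    server_version = "Apache/2.4.7 (Ubuntu)"   # assumed banner; match what your estate runs
    sys_version = ""                           # hide "Python/3.x" from the Server header

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        record = classify_request(self.command, self.path, dict(self.headers),
                                  self.client_address[0], body)
        print(json.dumps(record), flush=True)   # one JSON line per request for the SIEM
        # Always challenge: brute-forcers keep sending credentials, we keep logging them.
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="Administration"')
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html><body><h1>401 Unauthorized</h1></body></html>")

    do_GET = do_POST = _handle

    def log_message(self, *args):   # silence the default stderr access log
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), HoneyHandler).serve_forever()
```

Run it, then `curl -u root:toor -A '() { :; }; /bin/bash -c id' http://127.0.0.1:8080/phpmyadmin/` produces a record tagged `basic-auth-attempt`, `shellshock` and `admin-panel-probe`. The handler never lets a client in, which keeps it low-interaction; the value is in the credential and payload capture, not in what the attacker can do afterwards.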
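CanaryTokens, Honeyλ and honeyku in the Honeytokens entry all rest on the same mechanism: mint one unguessable URL per place you seed it, remember where that URL was planted, and treat any fetch of it as an alert that names the asset that was read. The Python below is an added example of that registry logic written for this page, not code from any of those projects; the base URL, the placement names and the link-preview user-agent list are assumptions made for the illustration.

```python
"""URL honeytoken registry: mint one unguessable URL per placement, then turn any
fetch of it into an alert that names the asset that was read."""
import secrets
import time
from urllib.parse import urlparse

# Mail gateways and chat clients prefetch links, so a hit from one of these is a
# weaker signal than a human or a script reaching the token directly. The list is
# illustrative, not a vetted allowlist.
LINK_PREVIEW_AGENTS = ("Slackbot-LinkExpanding", "Twitterbot", "facebookexternalhit",
                       "Microsoft Office", "Outlook", "SkypeUriPreview")


class HoneytokenRegistry:
    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.tokens = {}  # token id -> {"placed_in": ..., "note": ..., "created": ..., "hits": [...]}

    def mint(self, placed_in, note=""):
        """Create a token for one placement and return the URL to plant there."""
        token_id = secrets.token_urlsafe(16)   # 128 bits of randomness: not enumerable
        self.tokens[token_id] = {"placed_in": placed_in, "note": note,
                                 "created": time.time(), "hits": []}
        # A .png path lets the token sit in a document or HTML as an inert-looking image.
        return f"{self.base_url}/t/{token_id}.png"

    def token_id_from_url(self, url):
        """Extract the token id from a fetched URL, or None if the path is not token-shaped."""
        parts = urlparse(url).path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "t" or not parts[1].endswith(".png"):
            return None
        return parts[1][:-len(".png")]

    def check(self, url, src_ip, user_agent):
        """Return an alert dict if `url` is a live token, else None.

        Unknown ids are scanner noise and must not raise alerts, otherwise anyone who
        learns the URL shape can flood the dashboard with fake trips."""
        token_id = self.token_id_from_url(url)
        meta = self.tokens.get(token_id) if token_id else None
        if meta is None:
            return None
        severity = "medium" if user_agent.startswith(LINK_PREVIEW_AGENTS) else "high"
        alert = {"severity": severity, "token": token_id, "placed_in": meta["placed_in"],
                 "note": meta["note"], "src": src_ip, "user_agent": user_agent,
                 "seen": time.time()}
        meta["hits"].append(alert)   # keep the full history: repeat hits show spread
        return alert


if __name__ == "__main__":
    reg = HoneytokenRegistry("https://canary.example.internal")
    url = reg.mint("fileshare/finance/Q3-budget.xlsx", note="hidden image in the workbook")
    print("plant this URL:", url)
    print(reg.check(url, "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64)"))
```

Each placement gets its own token so the alert tells you which file or share was read, which is what makes the difference between "something touched a canary" and "the finance share has been exfiltrated". The severity downgrade for link-preview agents is the caveat most deployments learn the hard way: tokens mailed or posted into chat are fetched by gateways within seconds, and those hits need to be distinguished from a real trip rather than suppressed.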

Honeyd Tools

  • A script to visualize statistics from Honeyd
    - Honeyd-Viz

Network and Artifact Analysis

  • Sandbox
    - Argos - Emulator for capturing zero-day attacks.
    - COMODO automated sandbox
    - Cuckoo - Leading open source automated malware analysis system.
    - Pylibemu - Libemu Cython wrapper.
    - RFISandbox - PHP 5.x script sandbox built on top of funcall.
    - dorothy2 - Malware/botnet analysis framework written in Ruby.
    - imalse - Integrated MALware Simulator and Emulator.
    - libemu - Shellcode emulation library, useful for shellcode detection.
  • Sandbox-as-a-Service
    - Hybrid Analysis - Free malware analysis service powered by Payload Security that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
    - Joebox Cloud - Analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and Mach-Os on Windows, Android and Mac OS X for suspicious activities.
    - VirusTotal - Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community.
    - malwr.com - Free malware analysis service and community.

Data Tools

  • Front Ends
    - DionaeaFR - Web front end for the Dionaea low-interaction honeypot.
    - Django-kippo - Django app for the Kippo SSH honeypot.
    - Shockpot-Frontend - Full-featured script to visualize statistics from a Shockpot honeypot.
    - Tango - Honeypot intelligence with Splunk.
    - Wordpot-Frontend - Full-featured script to visualize statistics from a Wordpot honeypot.
    - honeyalarmg2 - Simplified UI for showing honeypot alarms.
    - honeypotDisplay - Flask website which displays data gathered from an SSH honeypot.

Guides

  • Research Papers
    - Honeypot research papers - PDFs of research papers on honeypots.
    - vEYE - Behavioral footprinting for self-propagating worm detection and profiling.