Awesome

Honey-Pots-

My collection of Honeypot resources 💻🍯 A curated list of awesome honeypots, plus related components and much more, divided into categories such as Web, services, and others, with a focus on free and open source projects.

Contents

• Related Lists
• Honeypots
• Honeyd Tools
• Network and Artifact Analysis
• Data Tools
• Guides

Related Lists

• awesome-pcaptools - Useful in network traffic analysis.
• awesome-malware-analysis - Some overlap here for artifact analysis.

Honeypots

• Database Honeypots

  • Delilah - Elasticsearch Honeypot written in Python.
  • ESPot - Elasticsearch honeypot written in NodeJS, to capture every attempts to exploit CVE-2014-3120.
  • Elastic honey - Simple Elasticsearch Honeypot.
  • HoneyMysql - Simple Mysql honeypot project.
  • MongoDB-HoneyProxy - MongoDB honeypot proxy.
  • NoSQLpot - Honeypot framework built on a NoSQL-style database.
  • mysql-honeypotd - Low interaction MySQL honeypot written in C.
  • MysqlPot - MySQL honeypot, still very early stage.
  • pghoney - Low-interaction Postgres Honeypot.
  • sticky_elephant - Medium interaction postgresql honeypot.

• Web honeypots

  • Bukkit Honeypot - Honeypot plugin for Bukkit.
  • EoHoneypotBundle - Honeypot type for Symfony2 forms.
  • Glastopf - Web Application Honeypot.
  • Google Hack Honeypot - Designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
  • Laravel Application Honeypot - Simple spam prevention package for Laravel applications.
  • Nodepot - NodeJS web application honeypot.
  • Servletpot - Web application Honeypot.
  • Shadow Daemon - Modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl, and Python apps.
  • StrutsHoneypot - Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers.
  • WebTrap - Designed to create deceptive webpages to deceive and redirect attackers away from real websites.
  • basic-auth-pot (bap) - HTTP Basic Authentication honeypot.
  • django-admin-honeypot - Fake Django admin login screen to notify admins of attempted unauthorized access.
  • honeyhttpd - Python-based web server honeypot builder.
  • phpmyadmin_honeypot - Simple and effective phpMyAdmin honeypot.
  • shockpot - WebApp Honeypot for detecting Shell Shock exploit attempts.
  • smart-honeypot - PHP Script demonstrating a smart honey pot.
  • Snare/Tanner - successors to Glastopf
    • Snare - Super Next generation Advanced Reactive honeypot.
    • Tanner - Evaluating SNARE events.
  • stack-honeypot - Inserts a trap for spam bots into responses.
  • WordPress honeypots
    • HonnyPotter - WordPress login honeypot for collection and analysis of failed login attempts.
    • HoneyPress - Python based WordPress honeypot in a Docker container.
    • wp-smart-honeypot - WordPress plugin to reduce comment spam with a smarter honeypot.
    • wordpot - WordPress Honeypot.

• Service Honeypots

  • AMTHoneypot - Honeypot for Intel's AMT Firmware Vulnerability CVE-2017-5689.
  • Ensnare - Easy to deploy Ruby honeypot.
  • HoneyPy - Low interaction honeypot.
  • Honeygrove - Multi-purpose modular honeypot based on Twisted.
  • Honeyport - Simple honeyport written in Bash and Python.
  • Honeyprint - Printer honeypot.
  • Lyrebird - Modern high-interaction honeypot framework.
  • MICROS honeypot - Low interaction honeypot to detect CVE-2018-2636 in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (MICROS).
  • RDPy - Microsoft Remote Desktop Protocol (RDP) honeypot implemented in Python.
  • SMB Honeypot - High interaction SMB service honeypot capable of capturing wannacry-like Malware.
  • Tom's Honeypot - Low interaction Python honeypot.
  • WebLogic honeypot - Low interaction honeypot to detect CVE-2017-10271 in the Oracle WebLogic Server component of Oracle Fusion Middleware.
  • WhiteFace Honeypot - Twisted based honeypot for WhiteFace.
  • honeycomb_plugins - Plugin repository for Honeycomb, the honeypot framework by Cymmetria.
  • honeyntp - NTP logger/honeypot.
  • honeypot-camera - Observation camera honeypot.
  • honeytrap - Advanced Honeypot framework written in Go that can be connected with other honeypot software.
  • troje - Honeypot that runs each connection with the service within a seperate LXC container.

• Distributed Honeypots

  • DemonHunter - Low interaction honeypot server.

• Anti-honeypot stuff

  • kippo_detect - Offensive component that detects the presence of the kippo honeypot.

• ICS/SCADA honeypots

  • Conpot - ICS/SCADA honeypot.
  • GasPot - Veeder Root Gaurdian AST, common in the oil and gas industry.
  • SCADA honeynet - Building Honeypots for Industrial Networks.
  • gridpot - Open source tools for realistic-behaving electric grid honeynets.
  • scada-honeynet - Mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices.

• Other/random

  • Damn Simple Honeypot (DSHP) - Honeypot framework with pluggable handlers.
  • NOVA - Uses honeypots as detectors, looks like a complete system.
  • OpenFlow Honeypot (OFPot) - Redirects traffic for unused IPs to a honeypot, built on POX.
  • OpenCanary - Modular and decentralised honeypot daemon that runs several canary versions of services that alerts when a service is (ab)used.

• Botnet C2 tools

  • Hale - Botnet command and control monitor.
  • dnsMole - Analyses DNS traffic and potentionaly detect botnet command and control server activity, along with infected hosts.

• IPv6 attack detection tool

  • ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization.

• Dynamic code instrumentation toolkit

  • Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.

• Tool to convert website to server honeypots

  • HIHAT - Transform arbitrary PHP applications into web-based high-interaction Honeypots.

• Malware collector

  • Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database.

• Distributed sensor deployment

  • Active Defense Harbinger Distribution (ADHD) - GNU/Linux distro based on Ubuntu LTS that comes with many tools aimed at active defense preinstalled and configured.
  • Modern Honey Network - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management.
  • Smarthoneypot - Custom honeypot intelligence system that is simple to deploy and easy to manage.

• Network Analysis Tool

  • Tracexploit - Replay network packets.

• Log anonymizer

  • LogAnon - Log anonymization library that helps having anonymous logs consistent between logs and network captures.

• Low interaction honeypot (router back door)

  • Honeypot-32764 - Honeypot for router backdoor (TCP 32764).

• honeynet farm traffic redirector

  • Honeymole - Deploy multiple sensors that redirect traffic to a centralized collection of honeypots.

• HTTPS Proxy

  • mitmproxy - Allows traffic flows to be intercepted, inspected, modified, and replayed.

• System instrumentation

  • Sysdig - Open source, system-level exploration allows one to capture system state and activity from a running GNU/Linux instance, then save, filter, and analyze the results.
  • Fibratus - Tool for exploration and tracing of the Windows kernel.

• Honeypot for USB-spreading malware

  • Ghost-usb - Honeypot for malware that propagates via USB storage devices.
  • Honeystick - Low interaction honeypot on USB stick.

• Data Collection

  • Kippo2MySQL - Extracts some very basic stats from Kippo’s text-based log files and inserts them in a MySQL database.
  • Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster).

• Passive network audit framework parser

  • Passive Network Audit Framework (pnaf) - Framework that combines multiple passive and automated analysis techniques in order to provide a security assessment of network platforms.

• VM monitoring and tools

  • Antivmdetect - Script to create templates to use with VirtualBox to make VM detection harder.
  • VMCloak - Automated Virtual Machine Generation and Cloaking for Cuckoo Sandbox.
  • vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine.

• Binary debugger

  • Hexgolems - Pint Debugger Backend - Debugger backend and LUA wrapper for PIN.
  • Hexgolems - Schem Debugger Frontend - Debugger frontend.

• Mobile Analysis Tool

  • Androguard - Reverse engineering, Malware and goodware analysis of Android applications and more.
  • APKinspector - Powerful GUI tool for analysts to analyze the Android applications.

• Low interaction honeypot

  • Honeyperl - Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc.

• Honeynet data fusion

  • HFlow2 - Data coalesing tool for honeynet/network analysis.

• Server

  • Amun - Vulnerability emulation honeypot.
  • Artillery - Open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
  • Bait and Switch - Redirects all hostile traffic to a honeypot that is partially mirroring your production system.
  • Bifrozt - Automatic deploy bifrozt with ansible.
  • Conpot - Low interactive server side Industrial Control Systems honeypot.
  • Heralding - Credentials catching honeypot.
  • HoneyWRT - Low interaction Python honeypot designed to mimic services or ports that might get targeted by attackers.
  • Honeyd - See honeyd tools.
  • Honeysink - Open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.
  • Hontel - Telnet Honeypot.
  • KFSensor - Windows based honeypot Intrusion Detection System (IDS).
  • LaBrea - Takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
  • MTPot - Open Source Telnet Honeypot, focused on Mirai malware.
  • SIREN - Semi-Intelligent HoneyPot Network - HoneyNet Intelligent Virtual Environment.
  • TelnetHoney - Simple telnet honeypot.
  • UDPot Honeypot - Simple UDP/DNS honeypot scripts.
  • Yet Another Fake Honeypot (YAFH) - Simple honeypot written in Go.
  • arctic-swallow - Low interaction honeypot.
  • glutton - All eating honeypot.
  • go-HoneyPot - Honeypot server written in Go.
  • go-emulators - Honeypot Golang emulators.
  • honeymail - SMTP honeypot written in Golang.
  • honeytrap - Low-interaction honeypot and network security tool written to catch attacks against TCP and UDP services.
  • imap-honey - IMAP honeypot written in Golang.
  • mwcollectd - Versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
  • potd - Highly scalable low- to medium-interaction SSH/TCP honeypot designed for OpenWrt/IoT devices leveraging several Linux kernel features, such as namespaces, seccomp and thread capabilities.
  • portlurker - Port listener in Rust with protocol guessing and safe string display.
  • slipm-honeypot - Simple low-interaction port monitoring honeypot.
  • telnet-iot-honeypot - Python telnet honeypot for catching botnet binaries.
  • telnetlogger - Telnet honeypot designed to track the Mirai botnet.
  • vnclowpot - Low interaction VNC honeypot.

• IDS signature generation

  • Honeycomb - Automated signature creation using honeypots.

• Lookup service for AS-numbers and prefixes

  • CC2ASN - Simple lookup service for AS-numbers and prefixes belonging to any given country in the world.

• Data Collection / Data Sharing

  • HPfriends - Honeypot data-sharing platform.
    • hpfriends - real-time social data-sharing - Presentation about HPFriends feed system
  • HPFeeds - Lightweight authenticated publish-subscribe protocol.

• Central management tool

  • PHARM - Manage, report, and analyze your distributed Nepenthes instances.

• Network connection analyzer

  • Impost - Network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons.

• Honeypot deployment

  • Modern Honeynet Network - Streamlines deployment and management of secure honeypots.

• Honeypot extensions to Wireshark

  • Whireshark Extensions - Apply Snort IDS rules and signatures against packet capture files using Wireshark.

• Client

  • CWSandbox / GFI Sandbox
  • Capture-HPC-Linux
  • Capture-HPC-NG
  • Capture-HPC - High interaction client honeypot (also called honeyclient).
  • HoneyBOT
  • HoneyC
  • HoneySpider Network - Highly-scalable system integrating multiple client honeypots to detect malicious websites.
  • HoneyWeb - Web interface created to manage and remotely share Honeyclients resources.
  • Jsunpack-n
  • MonkeySpider
  • PhoneyC - Python honeyclient (later replaced by Thug).
  • Pwnypot - High Interaction Client Honeypot.
  • Rumal - Thug's Rumāl: a Thug's dress and weapon.
  • Shelia - Client-side honeypot for attack detection.
  • Thug - Python-based low-interaction honeyclient.
  • Thug Distributed Task Queuing
  • Trigona
  • URLQuery
  • YALIH (Yet Another Low Interaction Honeyclient) - Low-interaction client honeypot designed to detect malicious websites through signature, anomaly, and pattern matching techniques.

• Honeypot

  • Deception Toolkit
  • IMHoneypot
  • Single-honeypot

• PDF document inspector

  • peepdf - Powerful Python tool to analyze PDF documents.

• Hybrid low/high interaction honeypot

  • HoneyBrid

• SSH Honeypots

  • Blacknet - Multi-head SSH honeypot system.
  • Cowrie - Cowrie SSH Honeypot (based on kippo).
  • DShield docker - Docker container running cowrie with DShield output enabled.
  • HonSSH - Logs all SSH communications between a client and server.
  • HUDINX - Tiny interaction SSH honeypot engineered in Python to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
  • Kippo - Medium interaction SSH honeypot.
  • Kippo_JunOS - Kippo configured to be a backdoored netscreen.
  • Kojoney2 - Low interaction SSH honeypot written in Python and based on Kojoney by Jose Antonio Coret.
  • Kojoney - Python-based Low interaction honeypot that emulates an SSH server implemented with Twisted Conch.
  • LongTail Log Analysis @ Marist College - Analyzed SSH honeypot logs.
  • MockSSH - Mock an SSH server and define all commands it supports (Python, Twisted).
  • cowrie2neo - Parse cowrie honeypot logs into a neo4j database.
  • go-sshoney - SSH Honeypot.
  • go0r - Simple ssh honeypot in Golang.
  • gohoney - SSH honeypot written in Go.
  • hived - Golang-based honeypot.
  • hnypots-agent) - SSH Server in Go that logs username and password combinations.
  • honeypot.go - SSH Honeypot written in Go.
  • honeyssh - Credential dumping SSH honeypot with statistics.
  • hornet - Medium interaction SSH honeypot that supports multiple virtual hosts.
  • ssh-auth-logger - Low/zero interaction SSH authentication logging honeypot.
  • ssh-honeypot - Fake sshd that logs IP addresses, usernames, and passwords.
  • ssh-honeypot - Modified version of the OpenSSH deamon that forwards commands to Cowrie where all commands are interpreted and returned.
  • ssh-honeypotd - Low-interaction SSH honeypot written in C.
  • sshForShits - Framework for a high interaction SSH honeypot.
  • sshesame - Fake SSH server that lets everyone in and logs their activity.
  • sshhipot - High-interaction MitM SSH honeypot.
  • sshlowpot - Yet another no-frills low-interaction SSH honeypot in Go.
  • sshsyrup - Simple SSH Honeypot with features to capture terminal activity and upload to asciinema.org.

• Distributed sensor project

  • DShield Web Honeypot Project

• A pcap analyzer

  • Honeysnap

• Network traffic redirector

  • Honeywall

• Honeypot Distribution with mixed content

  • HoneyDrive

• Honeypot sensor

  • Honeeepi - Honeypot sensor on a Raspberry Pi based on a customized Raspbian OS.

• File carving

  • TestDisk & PhotoRec

• Sebek

  • Qebek - QEMU based Sebek, a data capture tool for high interaction honeypot.
  • Sebek - Data capture.
  • xebek - Sebek on Xen.

• Behavioral analysis tool for win32

  • Capture BAT

• Live CD

  • DAVIX - The DAVIX Live CD.

• Spamtrap

  • Mail::SMTP::Honeypot - Perl module that appears to provide the functionality of a standard SMTP server.
  • Mailoney - SMTP honeypot, Open Relay, Cred Harvester written in python.
  • SendMeSpamIDS.py - Simple SMTP fetch all IDS and analyzer.
  • Shiva - Spam Honeypot with Intelligent Virtual Analyzer.
    • Shiva The Spam Honeypot Tips And Tricks For Getting It Up And Running
  • SpamHAT - Spam Honeypot Tool.
  • Spamhole
  • honeypot - The Project Honey Pot un-official PHP SDK.
  • spamd

• Commercial honeynet

  • Cymmetria Mazerunner - Leads attackers away from real targets and creates a footprint of the attack.

• Server (Bluetooth)

  • Bluepot

• Dynamic analysis of Android apps

  • Droidbox

• Dockerized Low Interaction packaging

  • Docker honeynet - Several Honeynet tools set up for Docker containers.
  • Dockerized Thug - Dockerized Thug to analyze malicious web content.
  • Dockerpot - Docker based honeypot.
  • Manuka - Docker based honeypot (Dionaea and Kippo).
  • mhn-core-docker - Core elements of the Modern Honey Network implemented in Docker.

• Network analysis

  • Quechua

• SIP Server

  • Artemnesia VoIP

• IOT Honeypot

  • HoneyThing - TR-069 Honeypot.
  • Kako - Honeypots for a number of well known and deployed embedded device vulnerabilities.

• Honeytokens

  • CanaryTokens - Self-hostable honeytoken generator and reporting dashboard; demo version available at CanaryTokens.org.
  • Honeybits - Simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs and honeytokens across your production servers and workstations to lure the attacker toward your honeypots.
  • Honeyλ (HoneyLambda) - Simple, serverless application designed to create and monitor URL honeytokens, on top of AWS Lambda and Amazon API Gateway.
  • dcept - Tool for deploying and detecting use of Active Directory honeytokens.
  • honeyku - Heroku-based web honeypot that can be used to create and monitor fake HTTP endpoints (i.e. honeytokens).

Honeyd Tools

• Honeyd plugin

  • Honeycomb

• Honeyd viewer

  • Honeyview

• Honeyd to MySQL connector

  • Honeyd2MySQL

• A script to visualize statistics from honeyd

  • Honeyd-Viz

• Honeyd stats

  • Honeydsum.pl

Network and Artifact Analysis

• Sandbox

  • Argos - Emulator for capturing zero-day attacks.
  • COMODO automated sandbox
  • Cuckoo - Leading open source automated malware analysis system.
  • Pylibemu - Libemu Cython wrapper.
  • RFISandbox - PHP 5.x script sandbox built on top of funcall.
  • dorothy2 - Malware/botnet analysis framework written in Ruby.
  • imalse - Integrated MALware Simulator and Emulator.
  • libemu - Shellcode emulation library, useful for shellcode detection.

• Sandbox-as-a-Service

  • Hybrid Analysis - Free malware analysis service powered by Payload Security that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
  • Joebox Cloud - Analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities.
  • VirusTotal - Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community.
  • detux.org - Multiplatform Linux Sandbox.
  • malwr.com - Free malware analysis service and community.

Data Tools

• Front Ends

  • DionaeaFR - Front Web to Dionaea low-interaction honeypot.
  • Django-kippo - Django App for kippo SSH Honeypot.
  • Shockpot-Frontend - Full featured script to visualize statistics from a Shockpot honeypot.
  • Tango - Honeypot Intelligence with Splunk.
  • Wordpot-Frontend - Full featured script to visualize statistics from a Wordpot honeypot.
  • honeyalarmg2 - Simplified UI for showing honeypot alarms.
  • honeypotDisplay - Flask website which displays data gathered from an SSH Honeypot.

• Visualization

  • Acapulco - Automated Attack Community Graph Construction.
  • Afterglow Cloud
  • Afterglow
  • Glastopf Analytics - Easy honeypot statistics.
  • HoneyMalt - Maltego tranforms for mapping Honeypot systems.
  • HoneyMap - Real-time websocket stream of GPS events on a fancy SVG world map.
  • HoneyStats - Statistical view of the recorded activity on a Honeynet.
  • HpfeedsHoneyGraph - Visualization app to visualize hpfeeds logs.
  • Kippo stats - Mojolicious app to display statistics for your kippo SSH honeypot.
  • Kippo-Graph - Full featured script to visualize statistics from a Kippo SSH honeypot.
  • Sebek Dataviz - Sebek data visualization.
  • The Intelligent HoneyNet - Create actionable information from honeypots.
  • ovizart - Visual analysis for network traffic.

Guides

• T-Pot: A Multi-Honeypot Platform

• Honeypot (Dionaea and kippo) setup script

• Deployment

  • Dionaea and EC2 in 20 Minutes - Tutorial on setting up Dionaea on an EC2 instance.
  • Using a Raspberry Pi honeypot to contribute data to DShield/ISC - The Raspberry Pi based system will allow us to maintain one code base that will make it easier to collect rich logs beyond firewall logs.
  • honeypotpi - Script for turning a Raspberry Pi into a HoneyPot Pi.

• Research Papers

  • Honeypot research papers - PDFs of research papers on honeypots.
  • vEYE - Behavioral footprinting for self-propagating worm detection and profiling.