Exploring Honeypots: A Comprehensive Guide with Downloadable Resources

Related Listings

  • awesome-pcaptools – Network traffic analysis tools
  • awesome-malware-analysis – Some overlap with the above, more focused on malware analysis

Honeypots

  • Database Honeypots
    • Delilah – An Elasticsearch honeypot written in Python
    • ESPot – An Elasticsearch honeypot written in NodeJS that captures attempts to exploit CVE-2014-3120
    • Elastic honey – Simple Elasticsearch honeypot
    • HoneyMysql – Simple Mysql honeypot
    • MongoDB-HoneyProxy – MongoDB honeypot proxy
    • MongoDB-HoneyProxyPy – A MongoDB honeypot proxy using Python 3
    • NoSQLpot – NoSQL honeypot framework
    • mysql-honeypotd – Low-interaction MySQL honeypot in C
    • MysqlPot – MySQL honeypot
    • pghoney – Low-interaction Postgres honeypot
    • sticky_elephant – Medium-interaction PostgreSQL honeypot
  • Web Honeypots
    • HonnyPotter – WordPress login honeypot for collecting and analyzing failed login attempts
    • HoneyPress – A Python-based WordPress honeypot in Docker container
    • wp-smart-honeypot – WordPress plugin to reduce spam
    • wordpot – WordPress honeypot
    • Snare – Next-generation high-interaction honeypot
    • Tanner – Evaluate SNARE events
    • Bukkit Honeypot – Honeypot plugin for Bukkit
    • EoHoneypotBundle – Symfony2 type honeypot
    • Glastopf – Web application honeypot
    • Google Hack Honeypot – Designed to provide reconnaissance against attackers who use search engines to find vulnerable resources
    • Laravel Application Honeypot – A simple spam prevention package for Laravel applications
    • Nodepot – NodeJS web application honeypot
    • Servletpot – Web application honeypot
    • Shadow Daemon – Modular web application firewall/high-interaction honeypot for PHP, Perl, and Python
    • StrutsHoneypot – Struts-based Apache 2 honeypot
    • WebTrap – Designed to create deceptive web pages that redirect to real sites
    • basic-auth-pot (bap) – HTTP Basic Authentication honeypot
    • bwpot – Web application honeypot
    • django-admin-honeypot – A fake Django admin login page to record unauthorized access attempts
    • drupo – Drupal honeypot
    • honeyhttpd – Tool for building a web server honeypot in Python
    • phpmyadmin_honeypot – Simple and effective phpMyAdmin honeypot
    • shockpot – Web application honeypot for detecting Shell Shock exploit attempts
    • smart-honeypot – Intelligent honeypot written in PHP scripts
    • Snare/Tanner – Successors to Glastopf
    • stack-honeypot – Inserts traps for spam bots into responses
    • tomcat-manager-honeypot – Tomcat honeypot. Logs requests and saves attacker’s WAR files
    • WordPress honeypots
  • Service Honeypots
    • ADBHoney – Low-interaction honeypot that simulates an Android device exposing an Android Debug Bridge (ADB) server
    • AMTHoneypot – Honeypot for Intel’s AMT firmware vulnerability (CVE-2017-5689)
    • Ensnare – Easily deployable Ruby honeypot
    • HoneyPy – Low-interaction honeypot
    • Honeygrove – Multipurpose, modular honeypot based on Twisted
    • Honeyport – Simple honeyport written in Bash and Python
    • Honeyprint – Printer honeypot
    • Lyrebird – Modern high-interaction honeypot framework
    • MICROS honeypot – Low-interaction honeypot for detecting CVE-2018-2636 in Oracle Hospitality Simphony
    • RDPy – RDP honeypot implemented in Python
    • SMB Honeypot – High-interaction SMB honeypot capable of catching malware such as WannaCry
    • Tom’s Honeypot – Low-interaction Python honeypot
    • WebLogic honeypot – Low-interaction honeypot for detecting CVE-2017-10271 in Oracle WebLogic Server
    • WhiteFace Honeypot – Twisted-based honeypot for WhiteFace
    • honeycomb_plugins – Repository for Honeycomb plugins, Cymmetria’s honeypot framework
    • honeyntp – NTP honeypot
    • honeypot-camera – Camera honeypot
    • honeypot-ftp – FTP honeypot
    • honeytrap – Advanced honeypot framework written in Go, able to connect to other honeypots
    • pyrdp – Python 3 man-in-the-middle library for RDP that can monitor connections
    • troje – LXC container-based honeypot encapsulating connections for each service in individual LXC containers
  • Distributed Honeypots
    • DemonHunter – Low-interaction honeypot server
  • Anti-Honeypot
    • kippo_detect – Detect Kippo honeypots
  • ICS/SCADA Honeypots
    • Conpot – ICS/SCADA honeypot
    • GasPot – Honeypot simulating a Veeder-Root Guardian AST (automatic tank gauge), commonly found in the oil and gas industry
    • SCADA honeynet – Creating honeypots for industrial networks
    • gridpot – Open-source honeypot mimicking a real grid
    • scada-honeynet – Simulates popular PLC services to aid SCADA researchers in better understanding risks to exposed control system devices
  • Others/Random
    • DSHP – Simple honeypot with plugin support
    • NOVA – Honeypot that looks like a complete system
    • OpenFlow Honeypot (OFPot) – A POX-based OpenFlow honeypot redirecting traffic from unused IP addresses to honeypots
    • OpenCanary – Modular, distributed honeypot
    • ciscoasa_honeypot – Low-interaction Cisco ASA honeypot that detects attempts to exploit CVE-2018-0101 (remote code execution)
    • miniprint – Medium-interaction honeypot for printers
  • Botnet C&C Tools
    • Hale – Botnet C&C Monitor
    • dnsMole – Analyzes DNS traffic to detect potential botnet C&C servers and infected hosts
  • IPv6 Attack Detection Tools
    • ipv6-attack-detector – A Honeynet Project-supported Google Summer of Code 2012 project
  • Dynamic Code Inspection Toolkit
    • Frida – Injects JavaScript to explore apps on Windows, Mac, Linux, iOS, and Android
  • Turn a Website into a Server Honeypot
    • HIHAT – Converts any PHP page into a web-based high-interaction honeypot
  • Malware Collection
    • Kippo-Malware – Python script to download malicious files from URLs logged in the Kippo SSH honeypot database
  • Distributed Sensor Deployment
    • Modern Honey Network – Management of multiple Snort and honeypot sensors: a network of VMs, small-footprint Snort installations, stealthy Dionaea instances, and a centralized server for management
  • Network Analysis Tools
    • Tracexploit – Replay network packets
  • Log Anonymization Tools
    • LogAnon – Log anonymization library
  • Low-interaction Honeypot (Router Backdoor)
    • Honeypot-32764 – Router backdoor honeypot (TCP 32764).
    • WAPot – Honeypot capable of observing traffic from home routers
  • HTTPS Proxy
    • mitmproxy – Intercept, inspect, modify, and replay traffic
  • System Instrumentation
    • Sysdig – Open-source system exploration tool for capturing Linux system state/activity, capable of saving, filtering, and analyzing
    • Fibratus – Tool for exploring and tracing the Windows kernel
  • Honeypot for Detecting USB Malware Spread
    • Ghost-usb – Honeypot to detect malware spreading through USB storage devices
  • Data Acquisition
    • Kippo2MySQL – Extracts basic statistics from Kippo log files to insert into a database
    • Kippo2ElasticSearch – Python script for transferring Kippo SSH honeypot data from a MySQL database to an ElasticSearch instance (server or cluster)
  • Passive Network Audit Framework Analysis Tools
    • Passive Network Audit Framework (pnaf) – Passive network audit framework
  • Virtual Machine Monitoring Tools
    • Antivmdetect – Script for creating VirtualBox VM templates that make virtual machine detection harder
    • VMCloak – Automatic VM generation and cloaking for Cuckoo sandbox
    • vmitools – C library with Python interface to easily monitor the low-level details of running VMs
  • Binary Debugger
    • Hexgolems – Pint Debugger Backend – A debugger backend and Lua wrapper for Pin
    • Hexgolems – Schem Debugger Frontend – A debugger frontend
  • Mobile Application Analysis Tools
    • Androguard – Reverse engineering tool for Android apps
    • APKinspector – Android app analysis tool with a GUI
  • Low-interaction Honeypots
    • Honeyperl – Perl-based honeypot with many plugins
    • T-Pot – Multi-honeypot platform from Deutsche Telekom (T-Mobile)
  • Honeypot Data Fusion
    • HFlow2 – Data fusion tool for honeypot/network analysis
  • Server
    • Amun – Vulnerability simulation honeypot
    • Artillery – Open-source blue team tool designed to protect Linux and Windows OS through various methods
    • Bait and Switch – Redirects all hostile traffic to a honeypot that partially mirrors your production system
    • Bifrozt – Automated deployment of Bifrozt with Ansible
    • Conpot – Low-interaction Industrial Control System honeypot
    • Heralding – Credential capturing honeypot
    • HoneyWRT – Low-interaction honeypot in Python, designed to mimic services or ports attackers might target
    • Honeyd – See the Honeyd Tools section below
    • Honeysink – Open-source network sinkhole providing mechanisms to detect and stop malicious traffic on a specified network
    • Hontel – Telnet honeypot
    • KFSensor – Windows-based honeypot intrusion detection system
    • LaBrea – Takes over unused IP addresses, creating virtual services attractive to worms and hackers
    • MTPot – Open-source Telnet honeypot focusing on Mirai
    • SIREN – Semi-Intelligent honeypot network, a virtual honeynet environment
    • TelnetHoney – Simple telnet honeypot
    • UDPot Honeypot – Simple UDP/DNS honeypot script
    • Yet Another Fake Honeypot (YAFH) – Simple honeypot written in Go
    • arctic-swallow – Low-interaction honeypot
    • glutton – Feedable honeypot
    • go-HoneyPot – Honeypot written in Go
    • go-emulators – Go honeypot emulators
    • honeymail – SMTP honeypot written in Go
    • honeytrap – A low-interaction honeypot for capturing attacks against TCP and UDP services
    • imap-honey – IMAP honeypot written in Go
    • mwcollectd – Multifunctional malware collecting honeypot combining the best features of nepenthes and honeytrap
    • potd – Low to medium-interaction SSH/TCP honeypot for OpenWrt/IoT devices built with Linux Namespaces, Seccomp, and Capabilities
    • portlurker – Port listener/honeypot in Rust with protocol guessing and safe string display
    • slipm-honeypot – Simple low-interaction port listening honeypot
    • telnet-iot-honeypot – Telnet honeypot written in Python to capture botnet binaries
    • telnetlogger – Telnet honeypot tracking Mirai
    • vnclowpot – Low-interaction VNC honeypot
  • IDS Signature Generation
    • Honeycomb – Automatically create signatures using honeypots
  • Find ASN and prefix for service providers
    • CC2ASN – Simple query service
  • Data Collection/Data Sharing
    • HPFeeds – Lightweight authenticated subscription/publishing protocol
  • Centralized Management Tools
    • PHARM – Manage, collect statistics from, and analyze distributed Nepenthes honeypots
  • Network Connection Analysis Tools
    • Impost – Network security auditing tool for forensic analysis of compromised/vulnerable daemons
  • Honeypot Deployment
    • Modern Honey Network – Simplifies the management and deployment of honeypots
  • Wireshark Honeypot Extensions
    • Wireshark Extensions – Supports applying Snort IDS rules and signatures against PCAP files
  • Client-side Honeypots
    • CWSandbox / GFI Sandbox
    • Capture-HPC-Linux
    • Capture-HPC-NG
    • Capture-HPC – High-interaction client honeypot
    • HoneyBOT
    • HoneyC
    • HoneySpider Network – A scalable system integrating multiple client honeypots to detect malicious websites
    • HoneyWeb – Web interface developed for managing and remote sharing of Honeyclients resources
    • Jsunpack-n
    • MonkeySpider
    • PhoneyC
    • Pwnypot – High-interaction client honeypot
    • Rumal
    • Shelia
    • Thug
    • Thug Distributed Task Queuing
    • Trigona
    • URLQuery
    • YALIH (Yet Another Low Interaction Honeyclient) – A low-interaction client honeypot aimed at detecting malicious websites through signature, anomaly, and pattern-matching techniques
  • Honeypots
    • Deception Toolkit
    • IMHoneypot
  • PDF Document Inspection Tools
    • peepdf
  • Hybrid Low/High Interaction Honeypots
    • HoneyBrid
  • SSH Honeypots
    • Blacknet – SSH honeypot system
    • Cowrie – Cowrie SSH honeypot (based on Kippo)
    • DShield docker – Docker container with DShield output enabled
    • HonSSH – Records all SSH communications between clients and servers
    • HUDINX – Low-interaction SSH honeypot for brute-force logging, logs full shell interaction of attackers
    • Kippo – Medium-interaction SSH honeypot
    • Kippo_JunOS – Kippo-based honeypot
    • Kojoney – Python-based low-interaction honeypot using Twisted Conch to emulate an SSH service
    • Kojoney2 – Low-interaction SSH honeypot written in Python by Jose Antonio Coret, based on Kojoney
    • LongTail Log Analysis @ Marist College – Analyzes SSH honeypot logs
    • Malbait – TCP/UDP honeypot implemented in Perl
    • MockSSH – SSH server supporting defined command set
    • cowrie2neo – Parses cowrie honeypot logs into neo4j database
    • go-sshoney – SSH honeypot
    • go0r – Simple SSH honeypot written in Go
    • gohoney – SSH honeypot in Go
    • hived – Honeypot written in Go
    • hnypots-agent – SSH server recording username and password combinations
    • honeypot.go – SSH honeypot in Go
    • honeyssh – SSH honeypot for dumping credentials
    • hornet – Medium-interaction SSH honeypot with multi-virtual host support
    • ssh-auth-logger – Low/zero interaction SSH honeypot
    • ssh-honeypot – Fake SSHD logging IP addresses, usernames, and passwords
    • ssh-honeypot – Modified OpenSSH daemon forwarding commands to Cowrie
    • ssh-honeypotd – Low-interaction SSH honeypot in C
    • sshForShits – High-interaction SSH honeypot framework
    • sshesame – Fake SSH server logging login activities
    • sshhipot – High-interaction SSH man-in-the-middle honeypot
    • sshlowpot – Low-interaction SSH honeypot in Go
    • sshsyrup – Simple SSH honeypot captures terminal activities and uploads to asciinema.org
    • twisted-honeypots – Twisted-based SSH/FTP/Telnet honeypots
  • Distributed Sensor Project
    • DShield Web Honeypot Project
  • PCAP Analysis Tools
    • Honeysnap
  • Network Traffic Redirection Tools
    • Honeywall
  • Honeypot Linux Distribution
    • HoneyDrive – Linux distribution bundling many of the honeypots and analysis tools listed here
  • Honeypot Sensors
    • Honeeepi – Honeypot based on a custom Raspbian OS on a Raspberry Pi
  • File Carving
    • TestDisk & PhotoRec
  • Behavior Analysis Tools for Windows
    • Capture BAT
  • Live CD
    • DAVIX – Live CD for security data analysis and visualization
  • Spamtrap
    • Shiva the Spam Honeypot: Tips and Tricks for Getting It Up and Running – Deployment write-up for Shiva
    • Mail::SMTP::Honeypot – Perl module providing utilities for standard SMTP server
    • Mailoney – SMTP honeypot written in Python, features open relay, credential recording, etc.
    • SendMeSpamIDS.py – Simple SMTP honeypot that collects everything sent to it for IDS and further analysis
    • Shiva – Spam honeypot and smart analysis tool
    • SpamHAT – Spam honeypot tool
    • Spamhole
    • honeypot – Unofficial PHP SDK for Project Honey Pot
    • spamd
  • Commercial Honeynet
    • Cymmetria Mazerunner – Can lead attackers away from real targets and create attack trace tracking
  • Server (Bluetooth)
    • Bluepot
  • Android Application Dynamic Analysis
    • Droidbox
  • Dockerized Low-interaction Honeypot
    • Docker honeynet – Deploy several honeynet tools in Docker containers
    • Dockerized Thug – Thug-based Docker honeypot for analyzing malicious web content
    • Dockerpot – Honeypot based on Docker
    • Manuka – Docker-based honeypot (Dionaea & Kippo).
    • mhn-core-docker – Core elements of modern honeynet implemented in Docker
  • Network Analysis
    • Quechua
  • SIP Server
    • Artemnesia VoIP
  • IOT Honeypot
    • HoneyThing – TR-069 honeypot
    • Kako – Honeypot for common vulnerabilities in embedded devices
  • Honeytokens
    • CanaryTokens – Honeytoken generator, Dashboard at CanaryTokens.org
    • Honeybits – Aims to lure attackers into honeypots by spreading breadcrumbs and honeytokens in production servers and workstations
    • Honeyλ (HoneyLambda) – Simple serverless app to create and monitor URL honeytokens atop AWS Lambda and Amazon API Gateway
    • dcept – Tool for deploying and detecting the use of Active Directory honeytokens
    • honeyku – Heroku-based web honeypot
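The Honeytokens entries above (CanaryTokens, Honeyλ, Honeybits) share one mechanism: plant an unguessable URL or credential where an intruder would find it, then alert on any use of it. The following is an added example in that spirit, not code from any of those projects: it mints URL tokens and runs a detector over web-server access-log lines. The hostname canary.example.net, the /t/ path prefix, the labels and the log lines are all constructed for the example.

```python
"""URL honeytoken workflow: mint a token URL, plant it, watch access logs for hits.
Added example; not code from CanaryTokens, Honeyλ or any other project listed.
Hostname, path prefix and sample log lines are constructed."""
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

TOKEN_HOST = "canary.example.net"   # assumption: a host you control that serves nothing real
TOKEN_PREFIX = "/t/"


@dataclass
class TokenRegistry:
    tokens: Dict[str, str] = field(default_factory=dict)   # token id -> where it was planted

    def mint(self, label: str) -> str:
        """Create a token URL bound to a label such as 'fileserver:/finance/passwords.xlsx'.
        128 random bits keep the id unguessable; a guessable id would let an attacker
        enumerate tokens or raise false alarms at will."""
        tid = secrets.token_hex(16)
        self.tokens[tid] = label
        return f"https://{TOKEN_HOST}{TOKEN_PREFIX}{tid}"


# Apache/nginx combined log format; only the fields the detector reports are named.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def detect_hits(log_lines: List[str], registry: TokenRegistry) -> List[dict]:
    """Return one alert per request for a registered token, in log order.
    The status code is ignored on purpose: the token host answers 404 to everything
    so the page itself gives nothing away, yet a 404 for a known id is still a hit."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]          # drop any query string
        if not path.startswith(TOKEN_PREFIX):
            continue
        label = registry.tokens.get(path[len(TOKEN_PREFIX):])
        if label is None:
            continue   # unknown id: scanner noise or a guess, not a planted token
        hits.append({"label": label, "src_ip": m.group("ip"), "time": m.group("ts"),
                     "user_agent": m.group("ua"), "referer": m.group("referer")})
    return hits


def demo() -> List[dict]:
    """Mint two tokens and run the detector over constructed access-log lines."""
    reg = TokenRegistry()
    url_a = reg.mint("fileserver:/finance/passwords.xlsx")
    url_b = reg.mint("wiki:AWS-root-credentials")
    tid_a = url_a.rsplit("/", 1)[1]
    tid_b = url_b.rsplit("/", 1)[1]
    lines = [  # constructed sample, not real traffic
        '198.51.100.4 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET {TOKEN_PREFIX}{tid_a} HTTP/1.1" 404 153 "-" "curl/8.1.2"',
        f'203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET {TOKEN_PREFIX}deadbeef HTTP/1.1" 404 153 "-" "curl/8.1.2"',
        f'192.0.2.9 - - [10/Oct/2023:14:02:10 +0000] "GET {TOKEN_PREFIX}{tid_b}?ref=wiki HTTP/1.1" 404 153 "https://wiki.example/Creds" "Mozilla/5.0"',
        "garbage line that does not parse",
    ]
    return detect_hits(lines, reg)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The label is the whole point of the alert: it tells you which planted document or share was opened, and therefore which host or account to start the investigation from. Keep the registry out of reach of the systems the tokens are planted on, otherwise an intruder who finds it learns which bait to avoid.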
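Several of the Telnet entries in the Server section above (Hontel, MTPot, TelnetHoney, telnet-iot-honeypot, telnetlogger) are low-interaction honeypots built to accept any login and record what Mirai-style bots send. The following is an added example of that design, not code from any listed project: an asyncio Telnet honeypot that strips option negotiation, records the credential pair and the first commands, caps line length and idle time, and then hangs up. The banner, the prompts and the replayed bot session are constructed for the example.

```python
"""Low-interaction Telnet honeypot: accept any login, record credentials and the
first commands, drop the session.  Added example, not code from any project listed
on this page.  Banner, prompts, port and the replayed bot session are constructed."""
import asyncio
import time
from dataclasses import dataclass, field
from typing import List

BANNER = b"\r\nBusyBox v1.22.1 built-in shell (ash)\r\n"  # assumption: looks like a cheap IoT device
LINE_LIMIT = 512      # bytes per line; a stream with no newline is cut off here
IDLE_TIMEOUT = 10.0   # seconds without input before the session is dropped
MAX_CMDS = 5          # commands to collect after login before hanging up


@dataclass
class Capture:
    peer: str
    username: str = ""
    password: str = ""
    commands: List[str] = field(default_factory=list)
    started: float = field(default_factory=time.time)


def strip_iac(raw: bytes) -> bytes:
    """Drop Telnet option negotiation (IAC <cmd> <opt> triplets, IAC = 0xFF) that bots
    send ahead of the username; everything else passes through unchanged."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0xFF and i + 2 < len(raw):
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


class TelnetHoneypot:
    def __init__(self) -> None:
        self.captures: List[Capture] = []

    async def _readline(self, reader: asyncio.StreamReader) -> str:
        raw = await asyncio.wait_for(reader.readline(), IDLE_TIMEOUT)
        if not raw:
            raise ConnectionResetError("peer closed")
        # latin-1 never fails to decode, so hostile bytes cannot crash the handler
        return strip_iac(raw).decode("latin-1").rstrip("\r\n")[:LINE_LIMIT]

    async def handle(self, reader, writer) -> None:
        peer = writer.get_extra_info("peername")
        cap = Capture(peer=f"{peer[0]}:{peer[1]}" if peer else "?")
        try:
            writer.write(BANNER + b"login: ")
            await writer.drain()
            cap.username = await self._readline(reader)
            writer.write(b"Password: ")
            await writer.drain()
            cap.password = await self._readline(reader)
            # Low interaction: every login "succeeds" and every command gets an empty
            # reply, which is enough to make a Mirai-style bot show its next step.
            for _ in range(MAX_CMDS):
                writer.write(b"\r\n# ")
                await writer.drain()
                cmd = await self._readline(reader)
                if cmd:
                    cap.commands.append(cmd)
                if cmd in ("exit", "quit"):
                    break
        except (asyncio.TimeoutError, ConnectionResetError, ValueError):
            pass  # idle timeout, disconnect, or a line over LINE_LIMIT: keep what we have
        finally:
            self.captures.append(cap)
            writer.close()

    async def serve(self, host: str = "127.0.0.1", port: int = 0):
        return await asyncio.start_server(self.handle, host, port, limit=LINE_LIMIT)


async def run_demo() -> List[Capture]:
    """Start the honeypot on an ephemeral port and replay one constructed bot session."""
    hp = TelnetHoneypot()
    server = await hp.serve()
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    # Constructed attacker input: IAC WILL ECHO, a Mirai default credential pair, two commands
    writer.write(b"\xff\xfb\x01root\r\nxc3511\r\n/bin/busybox ECCHI\r\nexit\r\n")
    await writer.drain()
    await reader.read()           # returns once the honeypot hangs up
    writer.close()
    server.close()
    await server.wait_closed()
    return hp.captures


def demo() -> List[Capture]:
    return asyncio.run(run_demo())


if __name__ == "__main__":
    for c in demo():
        print(c)
```

Run it unprivileged on a high port and redirect TCP/23 to it with a firewall rule rather than running the process as root, and treat every captured string as hostile input when it is later displayed, parsed or loaded into a dashboard.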
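HPFeeds, listed under Data Collection/Data Sharing above, is the authenticated publish/subscribe protocol that Modern Honey Network and several of the listed honeypots use to ship events to a central broker. The following is an added example walking through both sides of its challenge-response handshake and a publish; it is not the hpfeeds library itself. The framing follows the hpfeeds reference implementation (4-byte big-endian total length, 1-byte opcode, one-byte length-prefixed strings, SHA-1 over nonce||secret); the ident, secret, channel name and event payload are made up.

```python
"""Both sides of the hpfeeds INFO -> AUTH -> PUBLISH exchange.  Added example, not
the hpfeeds library; credentials, channel and payload are constructed."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)


def _frame(op: int, payload: bytes) -> bytes:
    """Frame = 4-byte big-endian total length (header included) + 1-byte opcode + payload."""
    return struct.pack("!IB", 5 + len(payload), op) + payload


def _s8(s: bytes) -> bytes:
    """hpfeeds strings carry a one-byte length prefix, so they are limited to 255 bytes."""
    if len(s) > 255:
        raise ValueError("string too long for an 8-bit length prefix")
    return bytes([len(s)]) + s


def _take_s8(buf: bytes) -> Tuple[bytes, bytes]:
    n = buf[0]
    return buf[1:1 + n], buf[1 + n:]


def parse_frame(buf: bytes):
    """Return (opcode, payload, remaining bytes), or None if buf holds no complete frame yet."""
    if len(buf) < 5:
        return None
    total, op = struct.unpack("!IB", buf[:5])
    if total < 5 or len(buf) < total:
        return None
    return op, buf[5:total], buf[total:]


class Broker:
    """Server side: challenge, verify AUTH, accept PUBLISH only from the authenticated ident."""
    def __init__(self, creds, name: bytes = b"hpfeeds-demo"):
        self.creds = creds                 # ident -> secret (constructed)
        self.name = name
        self.nonce = os.urandom(4)         # fresh per connection, so a sniffed AUTH cannot be replayed
        self.authed: Optional[bytes] = None
        self.published: List[Tuple[bytes, bytes]] = []

    def hello(self) -> bytes:
        return _frame(OP_INFO, _s8(self.name) + self.nonce)

    def receive(self, frame: bytes) -> Optional[bytes]:
        op, payload, _ = parse_frame(frame)
        if op == OP_AUTH:
            ident, digest = _take_s8(payload)
            secret = self.creds.get(ident)
            if secret is None:
                return _frame(OP_ERROR, b"authfail")
            expected = hashlib.sha1(self.nonce + secret).digest()
            if not hmac.compare_digest(expected, digest):   # constant-time comparison
                return _frame(OP_ERROR, b"authfail")
            self.authed = ident
            return None
        if op == OP_PUBLISH:
            if self.authed is None:
                return _frame(OP_ERROR, b"unauthorized")
            ident, rest = _take_s8(payload)
            chan, data = _take_s8(rest)
            if ident != self.authed:       # a real broker also checks this ident's publish ACL for chan
                return _frame(OP_ERROR, b"identmismatch")
            self.published.append((chan, data))
            return None
        return _frame(OP_ERROR, b"unknownop")


class Client:
    def __init__(self, ident: bytes, secret: bytes):
        self.ident, self.secret = ident, secret

    def on_info(self, frame: bytes) -> bytes:
        """Answer the broker's INFO with AUTH: ident + sha1(nonce || secret)."""
        op, payload, _ = parse_frame(frame)
        if op != OP_INFO:
            raise ValueError("expected INFO")
        _name, nonce = _take_s8(payload)   # the nonce is whatever follows the broker name
        return _frame(OP_AUTH, _s8(self.ident) + hashlib.sha1(nonce + self.secret).digest())

    def publish(self, chan: bytes, data: bytes) -> bytes:
        return _frame(OP_PUBLISH, _s8(self.ident) + _s8(chan) + data)


def run_exchange(secret_used: bytes):
    """Drive one client through INFO -> AUTH -> PUBLISH; return (error replies, published events)."""
    broker = Broker({b"sensor-01": b"s3cr3t"})          # constructed credentials
    client = Client(b"sensor-01", secret_used)
    event = b'{"src_ip":"203.0.113.7","username":"root"}'   # constructed event
    errors = []
    for frame in (client.on_info(broker.hello()), client.publish(b"cowrie.sessions", event)):
        reply = broker.receive(frame)
        if reply is not None:
            errors.append(parse_frame(reply)[1])
    return errors, broker.published


if __name__ == "__main__":
    print(run_exchange(b"s3cr3t"))
    print(run_exchange(b"wrong"))
```

Because the nonce is fresh per connection, a captured AUTH frame is useless for replay, but nothing in the handshake encrypts the channel: events, including attacker credentials a honeypot just captured, cross the wire in the clear unless the connection is wrapped in TLS. Real brokers also enforce per-ident publish and subscribe ACLs on channel names, which this toy broker only hints at.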

Honeyd Tools

  • Honeyd Plugins
    • Honeycomb
  • Honeyd Visualization Tools
    • Honeyview
  • Honeyd and MySQL Connection
    • Honeyd2MySQL
  • Honeyd Visualization Scripts
    • Honeyd-Viz
  • Honeyd Statistics
    • Honeydsum.pl

Network and Behavior Analysis

  • Sandbox
    • Argos – Emulator for capturing zero-day attacks
    • COMODO automated sandbox
    • Cuckoo – Leading open-source automated malware analysis system
    • Pylibemu – Cython wrapper for libemu
    • RFISandbox – PHP 5.x script sandbox built on top of funcall
    • dorothy2 – Malware/botnet analysis framework in Ruby
    • imalse – Integrated malware emulation and simulation tool
    • libemu – Shellcode emulation library, highly useful for shellcode detection
  • Sandbox as a Service
    • Hybrid Analysis – Free malware analysis service by Payload Security leveraging its unique hybrid analysis technology to detect and analyze unknown threats
    • Joebox Cloud – Determines the behavior of malicious files (including PE, PDF, DOC, PPT, XLS, APK, URL, and MachO) on Windows, Android, and Mac OS X, assessing for suspicious activities
    • VirusTotal
    • malwr.com – Offers free malware analysis services and community

Data Analysis Tools

  • Frontend
    • DionaeaFR – Dionaea honeypot frontend web
    • Django-kippo – Django application for kippo SSH honeypot
    • Shockpot-Frontend – Script for visualizing data from Shockpot honeypot
    • Tango – Uses Splunk to process honeypot intelligence
    • Wordpot-Frontend – Script for visualizing data from Wordpot honeypot
    • honeyalarmg2 – Simplified UI for displaying honeypot data
    • honeypotDisplay – Flask site for displaying SSH honeypot
  • Visualization
    • Acapulco – Automated attack group graph construction
    • Afterglow Cloud
    • Afterglow
    • Glastopf Analytics – Simple honeypot statistics
    • HoneyMalt – Maltego conversions mapping honeypot system
    • HoneyMap – Display real-time SVG maps of Websocket streams
    • HoneyStats – Statistical view of the honeynet
    • HpfeedsHoneyGraph – Program for visualizing hpfeeds logs
    • Kippo stats – Program for displaying data for the kippo SSH honeypot
    • Kippo-Graph – Script for visualizing data from Kippo honeypot
    • The Intelligent HoneyNet – Project to attempt the creation of actionable intelligence in the honeypot system
    • ovizart – Visualization of network traffic analysis

Guide

  • T-Pot – Multi-honeypot platform
  • Honeypot (Dionaea and Kippo) setup script
  • Deployment
    • Dionaea and EC2 in 20 Minutes – Tutorial on setting up Dionaea on EC2
    • Using a Raspberry Pi honeypot to contribute data to DShield/ISC – A Raspberry Pi honeypot collects richer logs than a firewall alone
    • honeypotpi – Script for turning a Raspberry Pi into a HoneyPot Pi
  • Research Papers
    • Honeypot research papers – PDFs of research papers on honeypots
    • vEYE – Detection and analysis of self-propagating worm behavior traces

Download link: https://github.com/paralax/awesome-honeypots/blob/master/README_CN.md