Exploring Honeypots: A Comprehensive Guide with Downloadable Resources

>

Related Listings

• awesome-pcaptools Network Traffic Analysis
• awesome-malware-analysis Some overlap with the above, more focused on malware analysis

Honeypots

• Database Honeypots
  • Delilah – An Elasticsearch honeypot written in Python
  • ESPot – An Elasticsearch honeypot written in NodeJS for exploiting CVE-2014-3120
  • Elastic honey – Simple Elasticsearch honeypot
  • HoneyMysql – Simple Mysql honeypot
  • MongoDB-HoneyProxy – MongoDB honeypot proxy
  • MongoDB-HoneyProxyPy – A MongoDB honeypot proxy using Python 3
  • NoSQLpot – NoSQL honeypot framework
  • mysql-honeypotd – Low-interaction MySQL honeypot in C
  • MysqlPot – MySQL honeypot
  • pghoney – Low-interaction Postgres honeypot
  • sticky_elephant – Medium-interaction PostgreSQL honeypot
• Web Honeypots
  • HonnyPotter – WordPress login honeypot for collecting and analyzing failed login attempts
  • HoneyPress – A Python-based WordPress honeypot in Docker container
  • wp-smart-honeypot – WordPress plugin to reduce spam
  • wordpot – WordPress honeypot
  • Snare – Next-generation high-interaction honeypot
  • Tanner – Evaluate SNARE events
  • Bukkit Honeypot Honeypot – A plugin for Bukkit
  • EoHoneypotBundle – Symfony2 type honeypot
  • Glastopf – Web application honeypot
  • Google Hack Honeypot – Designed to provide reconnaissance against attackers probing resources using search engines
  • Laravel Application Honeypot – Honeypot – A simple spam prevention package for Laravel applications
  • Nodepot – NodeJS web application honeypot
  • Servletpot – Web application honeypot
  • Shadow Daemon – Modular web application firewall/high-interaction honeypot for PHP, Perl, and Python
  • StrutsHoneypot – Struts-based Apache 2 honeypot
  • WebTrap – Designed to create deceptive web pages that redirect to real sites
  • basic-auth-pot (bap) – HTTP Basic Authentication honeypot
  • bwpot – Web application honeypot
  • django-admin-honeypot – A fake Django admin login page to record unauthorized access attempts
  • drupo – Drupal honeypot
  • honeyhttpd – Tool for building a web server honeypot in Python
  • phpmyadmin_honeypot – Simple and effective phpMyAdmin honeypot
  • shockpot – Web application honeypot for detecting Shell Shock exploit attempts
  • smart-honeypot – Intelligent honeypot written in PHP scripts
  • Snare/Tanner – Successor to Glastopf
  • stack-honeypot – Inserts traps for spam bots into responses
  • tomcat-manager-honeypot – Tomcat honeypot. Logs requests and saves attacker’s WAR files
  • WordPress honeypots
• Service Honeypots
  • ADBHoney – Low-interaction honeypot for Android.
  • AMTHoneypot – Honeypot for Intel’s AMT firmware vulnerability (CVE-2017-5689)
  • Ensnare – Easily deployable Ruby honeypot
  • HoneyPy – Low-interaction honeypot
  • Honeygrove – Multipurpose, modular honeypot based on Twisted
  • Honeyport – Simple honeyport written in Bash and Python
  • Honeyprint – Printer honeypot
  • Lyrebird – Modern high-interaction honeypot framework
  • MICROS honeypot – Low-interaction honeypot for detecting CVE-2018-2636 in Oracle Hospitality Simphony
  • RDPy – RDP honeypot implemented in Python
  • SMB Honeypot – High-interaction SMB honeypot capable of catching malware like Wannacry
  • Tom’s Honeypot – Low-interaction Python honeypot
  • WebLogic honeypot – Low-interaction honeypot for detecting CVE-2017-10271 in Oracle WebLogic Server
  • WhiteFace Honeypot – Honeypot against WhiteFace, developed on Twisted
  • honeycomb_plugins – Repository for Honeycomb plugins, Cymmetria’s honeypot framework
  • honeyntp – NTP honeypot
  • honeypot-camera – Camera honeypot
  • honeypot-ftp – FTP honeypot
  • honeytrap – Advanced honeypot framework written in Go, able to connect to other honeypots
  • pyrdp – Python 3-man-in-the-middle library for RDP able to monitor connections
  • troje – LXC container-based honeypot encapsulating connections for each service in individual LXC containers
• Distributed Honeypots
  • DemonHunter – Low-interaction honeypot server
• Anti-Honeypot
  • kippo_detect – Detect Kippo honeypots
• ICS/SCADA Honeypots
  • Conpot – ICS/SCADA honeypot
  • GasPot – Veeder Root Gaurdian AST, commonly found in oil and gas industries
  • SCADA honeynet – Creating honeypots for industrial networks
  • gridpot – Open-source honeypot mimicking a real grid
  • scada-honeynet – Simulates popular PLC services to aid SCADA researchers in better understanding risks to exposed control system devices
• Others/Random
  • DSHP – Simple honeypot with plugin support
  • NOVA – Honeypot that looks like a complete system
  • OpenFlow Honeypot (OFPot) – A POX-based OpenFlow honeypot redirecting traffic from unused IP addresses to honeypots
  • OpenCanary – Modular, distributed honeypot
  • ciscoasa_honeypot – Low-interaction honeypot for Cisco ASA detecting CVE-2018-0101 Remote Code Execution vulnerability
  • miniprint – Medium-interaction honeypot for printers
• Botnet C&C Tools
  • Hale – Botnet C&C Monitor
  • dnsMole – Analyzes DNS traffic to detect potential botnet C&C servers and infected hosts
• IPv6 Attack Detection Tools
  • ipv6-attack-detector – A Honeynet Project-supported Google Summer of Code 2012 project
• Dynamic Code Inspection Toolkit
  • Frida – Injects JavaScript to explore apps on Windows, Mac, Linux, iOS, and Android
• Turn a Website into a Server Honeypot
  • HIHAT – Converts any PHP page into a web-based high-interaction honeypot
• Malware Collection
  • Kippo-Malware – Python script to download malicious files from URLs logged in the Kippo SSH honeypot database
• Distributed Sensor Deployment
  • Modern Honey Network – Distributed management of Snort and honeypot sensors, employing virtual networks and minimal fingerprint SNORT installations, with servers offering stealth reconnaissance and centralized management
• Network Analysis Tools
  • Tracexploit – Replay network packets
• Log Anonymization Tools
  • LogAnon – Log anonymization library
• Low-interaction Honeypot (Router Backdoor)
  • Honeypot-32764 – Router backdoor honeypot (TCP 32764).
  • WAPot – Honeypot capable of observing traffic from home routers
• HTTPS Proxy
  • mitmproxy – Intercept, inspect, modify, and replay traffic
• System Instrumentation
  • Sysdig – Open-source system exploration tool for capturing Linux system state/activity, capable of saving, filtering, and analyzing
  • Fibratus – Tool for exploring and tracing the Windows kernel
• Honeypot for Detecting USB Malware Spread
  • Ghost-usb – Honeypot to detect malware spreading through USB storage devices
• Data Acquisition
  • Kippo2MySQL – Extracts basic statistics from Kippo log files to insert into a database
  • Kippo2ElasticSearch – Python script for transferring Kippo SSH honeypot data from a MySQL database to an ElasticSearch instance (server or cluster)
• Passive Network Audit Framework Analysis Tools
  • Passive Network Audit Framework (pnaf) – Passive network audit framework
• Virtual Machine Monitoring Tools
  • Antivmdetect – Script for creating VirtualBox VM templates that make virtual machine detection harder
  • VMCloak – Automatic VM generation and cloaking for Cuckoo sandbox
  • vmitools – C library with Python interface to easily monitor the low-level details of running VMs
• Binary Debugger
  • Hexgolems – Pint Debugger Backend – A debugger backend with Pin’s Lua interface
  • Hexgolems – Schem Debugger Frontend – A debugger frontend
• Mobile Application Analysis Tools
  • Androguard – Reverse engineering tool for Android apps
  • APKinspector – Android app analysis tool with a GUI
• Low-interaction Honeypots
  • Honeyperl – Perl-based honeypot with many plugins
  • T-Pot – Honeypot provided for telecom provider T-Mobile
• Honeypot Data Fusion
  • HFlow2 – Data fusion tool for honeypot/network analysis
• Server
  • Amun – Vulnerability simulation honeypot
  • Artillery – Open-source blue team tool designed to protect Linux and Windows OS through various methods
  • Bait and Switch – Honeypot redirecting malicious traffic to a production system image
  • Bifrozt – Automated deployment with ansible for bifrozt
  • Conpot – Low-interaction Industrial Control System honeypot
  • Heralding – Credential capturing honeypot
  • HoneyWRT – Low-interaction honeypot in Python, designed to mimic services or ports attackers might target
  • Honeyd See more honeyd tools
  • Honeysink – Open-source network sinkhole providing mechanisms to detect and stop malicious traffic on a specified network
  • Hontel – Telnet honeypot
  • KFSensor – Windows-based Intrusion Detection System honeypot
  • LaBrea – Takes over unused IP addresses, creating virtual services attractive to worms and hackers
  • MTPot – Open-source Telnet honeypot focusing on Mirai
  • SIREN – Semi-intelligent honeypot network – a honeynet only virtual environment
  • TelnetHoney – Simple telnet honeypot
  • UDPot Honeypot – Simple UDP/DNS honeypot script
  • Yet Another Fake Honeypot (YAFH) – Simple honeypot written in Go
  • arctic-swallow – Low-interaction honeypot
  • glutton – Feedable honeypot
  • go-HoneyPot – Honeypot written in Go
  • go-emulators – Go honeypot emulators
  • honeymail – SMTP honeypot written in Go
  • honeytrap – A low-interaction honeypot for capturing attacks against TCP and UDP services
  • imap-honey – IMAP honeypot written in Go
  • mwcollectd – Multifunctional malware collecting honeypot combining the best features of nepenthes and honeytrap
  • potd – Low to medium-interaction SSH/TCP honeypot for OpenWrt/IoT devices built with Linux Namespaces, Seccomp, and Capabilities
  • portlurker – Port listening tool/honeypot for protocol guessing and secure character display
  • slipm-honeypot – Simple low-interaction port listening honeypot
  • telnet-iot-honeypot – Telnet honeypot written in Python to capture botnet binaries
  • telnetlogger – Telnet honeypot tracking Mirai
  • vnclowpot – Low-interaction VNC honeypot
• IDS Signature Generation
  • Honeycomb – Automatically create signatures using honeypots
• Find ASN and prefix for service providers
  • CC2ASN – Simple query service
• Data Collection/Data Sharing
  • HPFeeds – Lightweight authenticated subscription/publishing protocol
• Centralized Management Tools
  • PHARM – Manage, statistic, analyze your distributed Nepenthes honeypots
• Network Connection Analysis Tools
  • Impost – Network security auditing tool for forensic analysis of compromised/vulnerable daemons
• Honeypot Deployment
  • Modern Honeynet Network – Simplifies the management and deployment of honeypots
• Wireshark Honeypot Extensions
  • Whireshark Extensions – Supports applying Snort IDS rules and signatures against PCAP files
• Client-side Honeypots
  • CWSandbox / GFI Sandbox
  • Capture-HPC-Linux
  • Capture-HPC-NG
  • Capture-HPC – High-interaction client honeypot
  • HoneyBOT
  • HoneyC
  • HoneySpider Network – A scalable system integrating multiple client honeypots to detect malicious websites
  • HoneyWeb – Web interface developed for managing and remote sharing of Honeyclients resources
  • Jsunpack-n
  • MonkeySpider
  • PhoneyC
  • Pwnypot – High-interaction client honeypot
  • Rumal
  • Shelia
  • Thug
  • Thug Distributed Task Queuing
  • Trigona
  • URLQuery
  • YALIH (Yet Another Low Interaction Honeyclient) – A low-interaction client honeypot aimed at detecting malicious websites through signature, anomaly, and pattern-matching techniques
• Honeypots
  • Deception Toolkit
  • IMHoneypot
• PDF Document Inspection Tools
  • peepdf
• Hybrid Low/High Interaction Honeypots
  • HoneyBrid
• SSH Honeypots
  • Blacknet – SSH honeypot system
  • Cowrie – Cowrie SSH honeypot (based on Kippo)
  • DShield docker – Docker container with DShield output enabled
  • HonSSH – Records all SSH communications between clients and servers
  • HUDINX – Low-interaction SSH honeypot for brute-force logging, logs full shell interaction of attackers
  • Kojoney
  • Kojoney2 – Low-interaction SSH honeypot written in Python based on Kojoney
  • Kippo – Medium-interaction SSH honeypot
  • Kippo_JunOS – Kippo-based honeypot
  • Kojoney2 – Low-interaction SSH honeypot written by Jose Antonio Coret based on Kojoney
  • Kojoney – Python-based low-interaction honeypot using Twisted Conch to emulate SSH service
  • LongTail Log Analysis @ Marist College – Analyzes SSH honeypot logs
  • Malbait – TCP/UDP honeypot implemented in Perl
  • MockSSH – SSH server supporting defined command set
  • cowrie2neo – Parses cowrie honeypot logs into neo4j database
  • go-sshoney – SSH honeypot
  • go0r – Simple SSH honeypot written in Go
  • gohoney – SSH honeypot in Go
  • hived – Honeypot written in Go
  • hnypots-agent – SSH server recording username and password combinations
  • honeypot.go – SSH honeypot in Go
  • honeyssh – SSH honeypot for dumping credentials
  • hornet – Medium-interaction SSH honeypot with multi-virtual host support
  • ssh-auth-logger – Low/zero interaction SSH honeypot
  • ssh-honeypot – Fake SSHD logging IP addresses, usernames, and passwords
  • ssh-honeypot – Modified OpenSSH DEAMON forwarding commands to Cowrie
  • ssh-honeypotd – Low-interaction SSH honeypot in C
  • sshForShits – High-interaction SSH honeypot framework
  • sshesame – Fake SSH server logging login activities
  • sshhipot – High-interaction SSH man-in-the-middle honeypot
  • sshlowpot – Low-interaction SSH honeypot in Go
  • sshsyrup – Simple SSH honeypot captures terminal activities and uploads to asciinema.org
  • twisted-honeypots – Twisted-based SSH\FTP\Telnet honeypots
• Distributed Sensor Project
  • DShield Web Honeypot Project
• PCAP Analysis Tools
  • Honeysnap
• Network Traffic Redirection Tools
  • Honeywall
• Hybrid Content Distributed Honeypot
  • HoneyDrive
• Honeypot Sensors
  • Honeeepi – Honeypot based on a custom Raspbian OS on a Raspberry Pi
• File Carving
  • TestDisk & PhotoRec
• Behavior Analysis Tools for Windows
  • Capture BAT
• Live CD
  • DAVIX – DAVIX Released
• Spamtrap
  • Shiva The Spam Honeypot Tips And Tricks For Getting It Up And Running
  • Mail::SMTP::Honeypot – Perl module providing utilities for standard SMTP server
  • Mailoney – SMTP honeypot written in Python, features open relay, credential recording, etc.
  • SendMeSpamIDS.py – Simple SMTP that gets all IDS and analysis devices
  • Shiva – Spam honeypot and smart analysis tool
  • SpamHAT – Spam honeypot tool
  • Spamhole
  • honeypot – Unofficial PHP SDK for honeypot project group
  • spamd
• Commercial Honeynet
  • Cymmetria Mazerunner – Can lead attackers away from real targets and create attack trace tracking
• Server (Bluetooth)
  • Bluepot
• Android Application Dynamic Analysis
  • Droidbox
• Dockerized Low-interaction Honeypot
  • Docker honeynet – Deploy several honeynet tools in Docker containers
  • Dockerized Thug – Thug-based Docker honeypot for analyzing malicious web content
  • Dockerpot – Honeypot based on Docker
  • Manuka – Docker-based honeypot (Dionaea & Kippo).
  • mhn-core-docker – Core elements of modern honeynet implemented in Docker
• Network Analysis
  • Quechua
• SIP Server
  • Artemnesia VoIP
• IOT Honeypot
  • HoneyThing – TR-069 honeypot
  • Kako – Honeypot for common vulnerabilities in embedded devices
• Honeytokens
  • CanaryTokens – Honeytoken generator, Dashboard at CanaryTokens.org
  • Honeybits – Aims to lure attackers into honeypots by spreading breadcrumbs and honeytokens in production servers and workstations
  • Honeyλ (HoneyLambda) – Simple serverless app to create and monitor URL honeytokens atop AWS Lambda and Amazon API Gateway
  • dcept – Deploy, detect Active Directory usage honeytokens
  • honeyku – Heroku-based web honeypot

Honeyd Tools

• Honeyd Plugins
  • Honeycomb
• Honeyd Visualization Tools
  • Honeyview
• Honeyd and MySQL Connection
  • Honeyd2MySQL
• Honeyd Visualization Scripts
  • Honeyd-Viz
• Honeyd Statistics
  • Honeydsum.pl

Network and Behavior Analysis

• Sandbox
  • Argos – Emulator for capturing zero-day attacks
  • COMODO automated sandbox
  • Cuckoo – Leading open-source automated malware analysis system
  • Pylibemu – Libemu Cython
  • RFISandbox – Sandbox built on funcall using PHP 5.x scripts
  • dorothy2 – Malware/botnet analysis framework in Ruby
  • imalse – Integrated malware emulation and simulation tool
  • libemu – Shellcode emulation library, highly useful for shellcode detection
• Sandbox as a Service
  • Hybrid Analysis – Free malware analysis service by Payload Security leveraging its unique hybrid analysis technology to detect and analyze unknown threats
  • Joebox Cloud – Determines the behavior of malicious files (including PE, PDF, DOC, PPT, XLS, APK, URL, and MachO) on Windows, Android, and Mac OS X, assessing for suspicious activities
  • VirusTotal
  • malwr.com – Offers free malware analysis services and community

Data Analysis Tools

• Frontend
  • DionaeaFR – Dionaea honeypot frontend web
  • Django-kippo – Django application for kippo SSH honeypot
  • Shockpot-Frontend – Script for visualizing data from Shockpot honeypot
  • Tango – Uses Splunk to process honeypot intelligence
  • Wordpot-Frontend – Script for visualizing data from Wordpot honeypot
  • honeyalarmg2 – Simplified UI for displaying honeypot data
  • honeypotDisplay – Flask site for displaying SSH honeypot
• Visualization
  • Acapulco – Automated attack group graph construction
  • Afterglow Cloud
  • Afterglow
  • Glastopf Analytics – Simple honeypot statistics
  • HoneyMalt – Maltego conversions mapping honeypot system
  • HoneyMap – Display real-time SVG maps of Websocket streams
  • HoneyStats – Statistical view of the honeynet
  • HpfeedsHoneyGraph – Program for visualizing hpfeeds logs
  • Kippo stats – Program for displaying data for the kippo SSH honeypot
  • Kippo-Graph – Script for visualizing data from Kippo honeypot
  • The Intelligent HoneyNet – Project to attempt the creation of actionable intelligence in the honeypot system
  • ovizart – Visualization of network traffic analysis

Guide

• • T-Pot: Multi-honeypot platform
  • Honeypot (Dionaea and kippo) setup script
  • Deployment
    • Dionaea and EC2 in 20 Minutes – Tutorial on setting up Dionaea on EC2
    • Using a Raspberry Pi honeypot to contribute data to DShield/ISC – A system based on Raspberry Pi can collect richer logs than firewall logs
    • honeypotpi – Script for turning a Raspberry Pi into a HoneyPot Pi
  • Research Papers
    • Honeypot research papers – PDF of research papers on honeypots
    • vEYE – Detection and analysis of self-propagating worm behavior traces

Download link: https://github.com/paralax/awesome-honeypots/blob/master/README_CN.md