Contents

• Related Lists
• Honeypots
• Honeyd Tools
• Network and Artifact Analysis
• Data Tools
• Guides

Honeypots

• Database Honeypots
  • Delilah – Elasticsearch Honeypot written in Python (originally from Novetta).
  • ESPot – Elasticsearch honeypot written in NodeJS, to capture every attempts to exploit CVE-2014-3120.
  • Elastic honey – Simple Elasticsearch Honeypot.
  • MongoDB-HoneyProxy – MongoDB honeypot proxy.
  • NoSQLpot – Honeypot framework built on a NoSQL-style database.
  • mysql-honeypotd – Low interaction MySQL honeypot written in C.
  • MysqlPot – MySQL honeypot, still very early stage.
  • pghoney – Low-interaction Postgres Honeypot.
  • sticky_elephant – Medium interaction postgresql honeypot.
• Web honeypots
  • EoHoneypotBundle – Honeypot type for Symfony2 forms.
  • Glastopf – Web Application Honeypot.
  • Google Hack Honeypot – Designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
  • Laravel Application Honeypot – Simple spam prevention package for Laravel applications.
  • Nodepot – NodeJS web application honeypot.
  • Servletpot – Web application Honeypot.
  • Shadow Daemon – Modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl, and Python apps.
  • StrutsHoneypot – Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers.
  • WebTrap – Designed to create deceptive webpages to deceive and redirect attackers away from real websites.
  • basic-auth-pot (bap) – HTTP Basic Authentication honeypot.
  • bwpot – Breakable Web applications honeyPot.
  • django-admin-honeypot – Fake Django admin login screen to notify admins of attempted unauthorized access.
  • drupo – Drupal Honeypot.
  • honeyhttpd – Python-based web server honeypot builder.
  • phpmyadmin_honeypot – Simple and effective phpMyAdmin honeypot.
  • shockpot – WebApp Honeypot for detecting Shell Shock exploit attempts.
  • smart-honeypot – PHP Script demonstrating a smart honey pot.
  • Snare/Tanner – successors to Glastopf
    • Snare – Super Next generation Advanced Reactive honeypot.
    • Tanner – Evaluating SNARE events.
  • stack-honeypot – Inserts a trap for spam bots into responses.
  • tomcat-manager-honeypot – Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker’s WAR file for later study
  • WordPress honeypots
    • HonnyPotter – WordPress login honeypot for collection and analysis of failed login attempts.
    • HoneyPress – Python based WordPress honeypot in a Docker container.
    • wp-smart-honeypot – WordPress plugin to reduce comment spam with a smarter honeypot.
    • wordpot – WordPress Honeypot.
• Service Honeypots
  • ADBHoney – Low interaction honeypot that simulates an Android device running Android Debug Bridge (ADB) server process.
  • AMTHoneypot – Honeypot for Intel’s AMT Firmware Vulnerability CVE-2017-5689.
    x – Ensnare – Easy to deploy Ruby honeypot.
  • HoneyPy – Low interaction honeypot.
  • Honeygrove – Multi-purpose modular honeypot based on Twisted.
  • Honeyport – Simple honeyport written in Bash and Python.
  • Honeyprint – Printer honeypot.
  • Lyrebird – Modern high-interaction honeypot framework.
  • MICROS honeypot – Low interaction honeypot to detect CVE-2018-2636 in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (MICROS).
  • RDPy – Microsoft Remote Desktop Protocol (RDP) honeypot implemented in Python.
  • SMB Honeypot – High interaction SMB service honeypot capable of capturing wannacry-like Malware.
  • Tom’s Honeypot – Low interaction Python honeypot.
  • WebLogic honeypot – Low interaction honeypot to detect CVE-2017-10271 in the Oracle WebLogic Server component of Oracle Fusion Middleware.
  • WhiteFace Honeypot – Twisted based honeypot for WhiteFace.
  • dhp – Simple Docker Honeypot server emulating small snippets of the Docker HTTP API.
  • honeycomb_plugins – Plugin repository for Honeycomb, the honeypot framework by Cymmetria.
  • honeyntp – NTP logger/honeypot.
  • honeypot-camera – Observation camera honeypot.
  • honeypot-ftp – FTP Honeypot.
  • honeytrap – Advanced Honeypot framework written in Go that can be connected with other honeypot software.
  • pyrdp – RDP man-in-the-middle and library for Python 3 with the ability to watch connections live or after the fact.
  • troje – Honeypot that runs each connection with the service within a seperate LXC container.
• Distributed Honeypots
  • DemonHunter – Low interaction honeypot server.
• Anti-honeypot stuff
  • kippo_detect – Offensive component that detects the presence of the kippo honeypot.
• ICS/SCADA honeypots
  • Conpot – ICS/SCADA honeypot.
  • GasPot – Veeder Root Gaurdian AST, common in the oil and gas industry.
  • SCADA honeynet – Building Honeypots for Industrial Networks.
  • gridpot – Open source tools for realistic-behaving electric grid honeynets.
  • scada-honeynet – Mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices.
• Other/random
  • Damn Simple Honeypot (DSHP) – Honeypot framework with pluggable handlers.
  • NOVA – Uses honeypots as detectors, looks like a complete system.
  • OpenFlow Honeypot (OFPot) – Redirects traffic for unused IPs to a honeypot, built on POX.
  • OpenCanary – Modular and decentralised honeypot daemon that runs several canary versions of services that alerts when a service is (ab)used.
  • ciscoasa_honeypot A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.
  • miniprint – A medium interaction printer honeypot.
• Botnet C2 tools
  • Hale – Botnet command and control monitor.
  • dnsMole – Analyses DNS traffic and potentionaly detect botnet command and control server activity, along with infected hosts.
• IPv6 attack detection tool
  • ipv6-attack-detector – Google Summer of Code 2012 project, supported by The Honeynet Project organization.
• Dynamic code instrumentation toolkit
  • Frida – Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.
• Tool to convert website to server honeypots
  • HIHAT – Transform arbitrary PHP applications into web-based high-interaction Honeypots.
• Malware collector
  • Kippo-Malware – Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database.
• Distributed sensor deployment
  • Community Honey Network – CHN aims to make deployments honeypots and honeypot management tools easy and flexible. The default deployment method uses Docker Compose and Docker to deploy with a few simple commands.
  • Modern Honey Network – Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management.
• Network Analysis Tool
  • Tracexploit – Replay network packets.
• Log anonymizer
  • LogAnon – Log anonymization library that helps having anonymous logs consistent between logs and network captures.
• Low interaction honeypot (router back door)
  • Honeypot-32764 – Honeypot for router backdoor (TCP 32764).
  • WAPot – Honeypot that can be used to observe traffic directed at home routers.
• honeynet farm traffic redirector
  • Honeymole – Deploy multiple sensors that redirect traffic to a centralized collection of honeypots.
• HTTPS Proxy
  • mitmproxy – Allows traffic flows to be intercepted, inspected, modified, and replayed.
• System instrumentation
  • Sysdig – Open source, system-level exploration allows one to capture system state and activity from a running GNU/Linux instance, then save, filter, and analyze the results.
  • Fibratus – Tool for exploration and tracing of the Windows kernel.
• Honeypot for USB-spreading malware
  • Ghost-usb – Honeypot for malware that propagates via USB storage devices.
• Data Collection
  • Kippo2MySQL – Extracts some very basic stats from Kippo’s text-based log files and inserts them in a MySQL database.
  • Kippo2ElasticSearch – Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster).
• Passive network audit framework parser
  • Passive Network Audit Framework (pnaf) – Framework that combines multiple passive and automated analysis techniques in order to provide a security assessment of network platforms.
• VM monitoring and tools
  • Antivmdetect – Script to create templates to use with VirtualBox to make VM detection harder.
  • VMCloak – Automated Virtual Machine Generation and Cloaking for Cuckoo Sandbox.
  • vmitools – C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine.
• Binary debugger
  • Hexgolems – Pint Debugger Backend – Debugger backend and LUA wrapper for PIN.
  • Hexgolems – Schem Debugger Frontend – Debugger frontend.
• Mobile Analysis Tool
  • Androguard – Reverse engineering, Malware and goodware analysis of Android applications and more.
  • APKinspector – Powerful GUI tool for analysts to analyze the Android applications.
• Low interaction honeypot
  • Honeyperl – Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc.
  • T-Pot – All in one honeypot appliance from telecom provider T-Mobile
• Honeynet data fusion
  • HFlow2 – Data coalesing tool for honeynet/network analysis.
• Server
  • Amun – Vulnerability emulation honeypot.
  • Artillery – Open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
  • Bait and Switch – Redirects all hostile traffic to a honeypot that is partially mirroring your production system.
  • Bifrozt – Automatic deploy bifrozt with ansible.
  • Conpot – Low interactive server side Industrial Control Systems honeypot.
  • Heralding – Credentials catching honeypot.
  • HoneyWRT – Low interaction Python honeypot designed to mimic services or ports that might get targeted by attackers.
  • Honeyd – See honeyd tools.
  • Honeysink – Open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.
  • Hontel – Telnet Honeypot.
  • KFSensor – Windows based honeypot Intrusion Detection System (IDS).
  • LaBrea – Takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
  • MTPot – Open Source Telnet Honeypot, focused on Mirai malware.
  • SIREN – Semi-Intelligent HoneyPot Network – HoneyNet Intelligent Virtual Environment.
  • TelnetHoney – Simple telnet honeypot.
  • UDPot Honeypot – Simple UDP/DNS honeypot scripts.
  • Yet Another Fake Honeypot (YAFH) – Simple honeypot written in Go.
  • arctic-swallow – Low interaction honeypot.
  • glutton – All eating honeypot.
  • go-HoneyPot – Honeypot server written in Go.
  • go-emulators – Honeypot Golang emulators.
  • honeymail – SMTP honeypot written in Golang.
  • honeytrap – Low-interaction honeypot and network security tool written to catch attacks against TCP and UDP services.
  • imap-honey – IMAP honeypot written in Golang.
  • mwcollectd – Versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
  • potd – Highly scalable low- to medium-interaction SSH/TCP honeypot designed for OpenWrt/IoT devices leveraging several Linux kernel features, such as namespaces, seccomp and thread capabilities.
  • portlurker – Port listener in Rust with protocol guessing and safe string display.
  • slipm-honeypot – Simple low-interaction port monitoring honeypot.
  • telnet-iot-honeypot – Python telnet honeypot for catching botnet binaries.
  • telnetlogger – Telnet honeypot designed to track the Mirai botnet.
  • vnclowpot – Low interaction VNC honeypot.
• IDS signature generation
  • Honeycomb – Automated signature creation using honeypots.
• Lookup service for AS-numbers and prefixes
  • CC2ASN – Simple lookup service for AS-numbers and prefixes belonging to any given country in the world.
• Data Collection / Data Sharing
  • HPfriends – Honeypot data-sharing platform.
    • hpfriends – real-time social data-sharing – Presentation about HPFriends feed system
  • HPFeeds – Lightweight authenticated publish-subscribe protocol.
• Central management tool
  • PHARM – Manage, report, and analyze your distributed Nepenthes instances.
• Network connection analyzer
  • Impost – Network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons.
• Honeypot deployment
  • Modern Honeynet Network – Streamlines deployment and management of secure honeypots.
• Honeypot extensions to Wireshark
  • Wireshark Extensions – Apply Snort IDS rules and signatures against packet capture files using Wireshark.
• Client
  • CWSandbox / GFI Sandbox
  • Capture-HPC-Linux
  • Capture-HPC-NG
  • Capture-HPC – High interaction client honeypot (also called honeyclient).
  • HoneyBOT
  • HoneyC
  • HoneySpider Network – Highly-scalable system integrating multiple client honeypots to detect malicious websites.
  • HoneyWeb – Web interface created to manage and remotely share Honeyclients resources.
  • Jsunpack-n
  • MonkeySpider
  • PhoneyC – Python honeyclient (later replaced by Thug).
  • Pwnypot – High Interaction Client Honeypot.
  • Rumal – Thug’s Rumāl: a Thug’s dress and weapon.
  • Shelia – Client-side honeypot for attack detection.
  • Thug – Python-based low-interaction honeyclient.
  • Thug Distributed Task Queuing
  • Trigona
  • URLQuery
  • YALIH (Yet Another Low Interaction Honeyclient) – Low-interaction client honeypot designed to detect malicious websites through signature, anomaly, and pattern matching techniques.
• Honeypot
  • Deception Toolkit
  • IMHoneypot
• PDF document inspector
  • peepdf – Powerful Python tool to analyze PDF documents.
• Hybrid low/high interaction honeypot
  • HoneyBrid
• SSH Honeypots
  • Blacknet – Multi-head SSH honeypot system.
  • Cowrie – Cowrie SSH Honeypot (based on kippo).
  • DShield docker – Docker container running cowrie with DShield output enabled.
  • HonSSH – Logs all SSH communications between a client and server.
  • HUDINX – Tiny interaction SSH honeypot engineered in Python to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
  • Kippo – Medium interaction SSH honeypot.
  • Kippo_JunOS – Kippo configured to be a backdoored netscreen.
  • Kojoney2 – Low interaction SSH honeypot written in Python and based on Kojoney by Jose Antonio Coret.
  • Kojoney – Python-based Low interaction honeypot that emulates an SSH server implemented with Twisted Conch.
  • LongTail Log Analysis @ Marist College – Analyzed SSH honeypot logs.
  • Malbait – Simple TCP/UDP honeypot implemented in Perl.
  • MockSSH – Mock an SSH server and define all commands it supports (Python, Twisted).
  • cowrie2neo – Parse cowrie honeypot logs into a neo4j database.
  • go-sshoney – SSH Honeypot.
  • go0r – Simple ssh honeypot in Golang.
  • gohoney – SSH honeypot written in Go.
  • hived – Golang-based honeypot.
  • hnypots-agent) – SSH Server in Go that logs username and password combinations.
  • honeypot.go – SSH Honeypot written in Go.
  • honeyssh – Credential dumping SSH honeypot with statistics.
  • hornet – Medium interaction SSH honeypot that supports multiple virtual hosts.
  • ssh-auth-logger – Low/zero interaction SSH authentication logging honeypot.
  • ssh-honeypot – Fake sshd that logs IP addresses, usernames, and passwords.
  • ssh-honeypot – Modified version of the OpenSSH deamon that forwards commands to Cowrie where all commands are interpreted and returned.
  • ssh-honeypotd – Low-interaction SSH honeypot written in C.
  • sshForShits – Framework for a high interaction SSH honeypot.
  • sshesame – Fake SSH server that lets everyone in and logs their activity.
  • sshhipot – High-interaction MitM SSH honeypot.
  • sshlowpot – Yet another no-frills low-interaction SSH honeypot in Go.
  • sshsyrup – Simple SSH Honeypot with features to capture terminal activity and upload to asciinema.org.
  • twisted-honeypots – SSH, FTP and Telnet honeypots based on Twisted.
• Distributed sensor project
  • DShield Web Honeypot Project
• A pcap analyzer
  • Honeysnap
• Network traffic redirector
  • Honeywall
• Honeypot Distribution with mixed content
  • HoneyDrive
• Honeypot sensor
  • Honeeepi – Honeypot sensor on a Raspberry Pi based on a customized Raspbian OS.
• File carving
  • TestDisk & PhotoRec
• Behavioral analysis tool for win32
  • Capture BAT
• Live CD
  • DAVIX – The DAVIX Live CD.
• Spamtrap
  • Mail::SMTP::Honeypot – Perl module that appears to provide the functionality of a standard SMTP server.
  • Mailoney – SMTP honeypot, Open Relay, Cred Harvester written in python.
  • SendMeSpamIDS.py – Simple SMTP fetch all IDS and analyzer.
  • Shiva – Spam Honeypot with Intelligent Virtual Analyzer.
    • Shiva The Spam Honeypot Tips And Tricks For Getting It Up And Running
  • SpamHAT – Spam Honeypot Tool.
  • Spamhole
  • honeypot – The Project Honey Pot un-official PHP SDK.
  • spamd
• Commercial honeynet
  • Cymmetria Mazerunner – Leads attackers away from real targets and creates a footprint of the attack.
• Server (Bluetooth)
  • Bluepot
• Dynamic analysis of Android apps
  • Droidbox
• Dockerized Low Interaction packaging
  • Docker honeynet – Several Honeynet tools set up for Docker containers.
  • Dockerized Thug – Dockerized Thug to analyze malicious web content.
  • Dockerpot – Docker based honeypot.
  • Manuka – Docker based honeypot (Dionaea and Kippo).
  • honey_ports – Very simple but effective docker deployed honeypot to detect port scanning in your environment.
  • mhn-core-docker – Core elements of the Modern Honey Network implemented in Docker.
• Network analysis
  • Quechua
• SIP Server
  • Artemnesia VoIP
• IOT Honeypot
  • HoneyThing – TR-069 Honeypot.
  • Kako – Honeypots for a number of well known and deployed embedded device vulnerabilities.
• Honeytokens
  • CanaryTokens – Self-hostable honeytoken generator and reporting dashboard; demo version available at CanaryTokens.org.
  • Honeybits – Simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs and honeytokens across your production servers and workstations to lure the attacker toward your honeypots.
  • Honeyλ (HoneyLambda) – Simple, serverless application designed to create and monitor URL honeytokens, on top of AWS Lambda and Amazon API Gateway.
  • dcept – Tool for deploying and detecting use of Active Directory honeytokens.
  • honeyku – Heroku-based web honeypot that can be used to create and monitor fake HTTP endpoints (i.e. honeytokens).

Honeyd Tools

• Honeyd plugin
  • Honeycomb
• Honeyd viewer
  • Honeyview
• Honeyd to MySQL connector
  • Honeyd2MySQL
• A script to visualize statistics from honeyd
  • Honeyd-Viz
• Honeyd stats
  • Honeydsum.pl

Network and Artifact Analysis

• Sandbox
  • Argos – Emulator for capturing zero-day attacks.
  • COMODO automated sandbox
  • Cuckoo – Leading open source automated malware analysis system.
  • Pylibemu – Libemu Cython wrapper.
  • RFISandbox – PHP 5.x script sandbox built on top of funcall.
  • dorothy2 – Malware/botnet analysis framework written in Ruby.
  • imalse – Integrated MALware Simulator and Emulator.
  • libemu – Shellcode emulation library, useful for shellcode detection.
• Sandbox-as-a-Service
  • Hybrid Analysis – Free malware analysis service powered by Payload Security that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
  • Joebox Cloud – Analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities.
  • VirusTotal – Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community.
  • malwr.com – Free malware analysis service and community.

Data Tools

• Front Ends
  • DionaeaFR – Front Web to Dionaea low-interaction honeypot.
  • Django-kippo – Django App for kippo SSH Honeypot.
  • Shockpot-Frontend – Full featured script to visualize statistics from a Shockpot honeypot.
  • Tango – Honeypot Intelligence with Splunk.
  • Wordpot-Frontend – Full featured script to visualize statistics from a Wordpot honeypot.
  • honeyalarmg2 – Simplified UI for showing honeypot alarms.
  • honeypotDisplay – Flask website which displays data gathered from an SSH Honeypot.
• Visualization
  • Acapulco – Automated Attack Community Graph Construction.
  • Afterglow Cloud
  • Afterglow
  • Glastopf Analytics – Easy honeypot statistics.
  • HoneyMalt – Maltego tranforms for mapping Honeypot systems.
  • HoneyMap – Real-time websocket stream of GPS events on a fancy SVG world map.
  • HoneyStats – Statistical view of the recorded activity on a Honeynet.
  • HpfeedsHoneyGraph – Visualization app to visualize hpfeeds logs.
  • Kippo stats – Mojolicious app to display statistics for your kippo SSH honeypot.
  • Kippo-Graph – Full featured script to visualize statistics from a Kippo SSH honeypot.
  • The Intelligent HoneyNet – Create actionable information from honeypots.
  • ovizart – Visual analysis for network traffic.

Guides

• T-Pot: A Multi-Honeypot Platform
• Honeypot (Dionaea and kippo) setup script
• Deployment
  • Dionaea and EC2 in 20 Minutes – Tutorial on setting up Dionaea on an EC2 instance.
  • Using a Raspberry Pi honeypot to contribute data to DShield/ISC – The Raspberry Pi based system will allow us to maintain one code base that will make it easier to collect rich logs beyond firewall logs.
  • honeypotpi – Script for turning a Raspberry Pi into a HoneyPot Pi.
• Research Papers
  • Honeypot research papers – PDFs of research papers on honeypots.
  • vEYE – Behavioral footprinting for self-propagating worm detection and profiling.