/awesome-honeypots

an awesome list of honeypot resources

Primary LanguagePythonArtistic License 2.0Artistic-2.0

Awesome Honeypots Awesome Honeypots

A curated list of awesome honeypots, plus related components and much more, divided into categories such as Web, services, and others, with a focus on free and open source projects.

There is no pre-established order of items in each category, the order is for contribution. If you want to contribute, please read the guide.

Discover more awesome lists at sindresorhus/awesome.

Contents

Related Lists

Honeypots

  • Database Honeypots

    • Delilah - Elasticsearch Honeypot written in Python (originally from Novetta).
    • ESPot - Elasticsearch honeypot written in NodeJS, to capture every attempts to exploit CVE-2014-3120.
    • Elastic honey - Simple Elasticsearch Honeypot.
    • MongoDB-HoneyProxy - MongoDB honeypot proxy.
    • NoSQLpot - Honeypot framework built on a NoSQL-style database.
    • mysql-honeypotd - Low interaction MySQL honeypot written in C.
    • MysqlPot - MySQL honeypot, still very early stage.
    • pghoney - Low-interaction Postgres Honeypot.
    • sticky_elephant - Medium interaction postgresql honeypot.

  • Web honeypots

    • EoHoneypotBundle - Honeypot type for Symfony2 forms.
    • Glastopf - Web Application Honeypot.
    • Google Hack Honeypot - Designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
    • Laravel Application Honeypot - Simple spam prevention package for Laravel applications.
    • Nodepot - NodeJS web application honeypot.
    • Servletpot - Web application Honeypot.
    • Shadow Daemon - Modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl, and Python apps.
    • StrutsHoneypot - Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers.
    • WebTrap - Designed to create deceptive webpages to deceive and redirect attackers away from real websites.
    • basic-auth-pot (bap) - HTTP Basic Authentication honeypot.
    • bwpot - Breakable Web applications honeyPot.
    • django-admin-honeypot - Fake Django admin login screen to notify admins of attempted unauthorized access.
    • drupo - Drupal Honeypot.
    • honeyhttpd - Python-based web server honeypot builder.
    • phpmyadmin_honeypot - Simple and effective phpMyAdmin honeypot.
    • shockpot - WebApp Honeypot for detecting Shell Shock exploit attempts.
    • smart-honeypot - PHP Script demonstrating a smart honey pot.
    • Snare/Tanner - successors to Glastopf
      • Snare - Super Next generation Advanced Reactive honeypot.
      • Tanner - Evaluating SNARE events.
    • stack-honeypot - Inserts a trap for spam bots into responses.
    • tomcat-manager-honeypot - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study
    • WordPress honeypots
      • HonnyPotter - WordPress login honeypot for collection and analysis of failed login attempts.
      • HoneyPress - Python based WordPress honeypot in a Docker container.
      • wp-smart-honeypot - WordPress plugin to reduce comment spam with a smarter honeypot.
      • wordpot - WordPress Honeypot.

  • Service Honeypots

    • ADBHoney - Low interaction honeypot that simulates an Android device running Android Debug Bridge (ADB) server process.
    • AMTHoneypot - Honeypot for Intel's AMT Firmware Vulnerability CVE-2017-5689. x - Ensnare - Easy to deploy Ruby honeypot.
    • HoneyPy - Low interaction honeypot.
    • Honeygrove - Multi-purpose modular honeypot based on Twisted.
    • Honeyport - Simple honeyport written in Bash and Python.
    • Honeyprint - Printer honeypot.
    • Lyrebird - Modern high-interaction honeypot framework.
    • MICROS honeypot - Low interaction honeypot to detect CVE-2018-2636 in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (MICROS).
    • RDPy - Microsoft Remote Desktop Protocol (RDP) honeypot implemented in Python.
    • SMB Honeypot - High interaction SMB service honeypot capable of capturing wannacry-like Malware.
    • Tom's Honeypot - Low interaction Python honeypot.
    • WebLogic honeypot - Low interaction honeypot to detect CVE-2017-10271 in the Oracle WebLogic Server component of Oracle Fusion Middleware.
    • WhiteFace Honeypot - Twisted based honeypot for WhiteFace.
    • dhp - Simple Docker Honeypot server emulating small snippets of the Docker HTTP API.
    • honeycomb_plugins - Plugin repository for Honeycomb, the honeypot framework by Cymmetria.
    • honeyntp - NTP logger/honeypot.
    • honeypot-camera - Observation camera honeypot.
    • honeypot-ftp - FTP Honeypot.
    • honeytrap - Advanced Honeypot framework written in Go that can be connected with other honeypot software.
    • pyrdp - RDP man-in-the-middle and library for Python 3 with the ability to watch connections live or after the fact.
    • troje - Honeypot that runs each connection with the service within a separate LXC container.

  • Distributed Honeypots

  • Anti-honeypot stuff

    • kippo_detect - Offensive component that detects the presence of the kippo honeypot.

  • ICS/SCADA honeypots

    • Conpot - ICS/SCADA honeypot.
    • GasPot - Veeder Root Gaurdian AST, common in the oil and gas industry.
    • SCADA honeynet - Building Honeypots for Industrial Networks.
    • gridpot - Open source tools for realistic-behaving electric grid honeynets.
    • scada-honeynet - Mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices.

  • Other/random

    • Damn Simple Honeypot (DSHP) - Honeypot framework with pluggable handlers.
    • NOVA - Uses honeypots as detectors, looks like a complete system.
    • OpenFlow Honeypot (OFPot) - Redirects traffic for unused IPs to a honeypot, built on POX.
    • OpenCanary - Modular and decentralised honeypot daemon that runs several canary versions of services that alerts when a service is (ab)used.
    • ciscoasa_honeypot A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.
    • miniprint - A medium interaction printer honeypot.

  • Botnet C2 tools

    • Hale - Botnet command and control monitor.
    • dnsMole - Analyses DNS traffic and potentionaly detect botnet command and control server activity, along with infected hosts.

  • IPv6 attack detection tool

    • ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization.

  • Dynamic code instrumentation toolkit

    • Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.

  • Tool to convert website to server honeypots

    • HIHAT - Transform arbitrary PHP applications into web-based high-interaction Honeypots.

  • Malware collector

    • Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database.

  • Distributed sensor deployment

    • Community Honey Network - CHN aims to make deployments honeypots and honeypot management tools easy and flexible. The default deployment method uses Docker Compose and Docker to deploy with a few simple commands.
    • Modern Honey Network - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management.

  • Network Analysis Tool

  • Log anonymizer

    • LogAnon - Log anonymization library that helps having anonymous logs consistent between logs and network captures.

  • Low interaction honeypot (router back door)

    • Honeypot-32764 - Honeypot for router backdoor (TCP 32764).
    • WAPot - Honeypot that can be used to observe traffic directed at home routers.

  • honeynet farm traffic redirector

    • Honeymole - Deploy multiple sensors that redirect traffic to a centralized collection of honeypots.

  • HTTPS Proxy

    • mitmproxy - Allows traffic flows to be intercepted, inspected, modified, and replayed.

  • System instrumentation

    • Sysdig - Open source, system-level exploration allows one to capture system state and activity from a running GNU/Linux instance, then save, filter, and analyze the results.
    • Fibratus - Tool for exploration and tracing of the Windows kernel.

  • Honeypot for USB-spreading malware

    • Ghost-usb - Honeypot for malware that propagates via USB storage devices.

  • Data Collection

    • Kippo2MySQL - Extracts some very basic stats from Kippo’s text-based log files and inserts them in a MySQL database.
    • Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster).

  • Passive network audit framework parser

  • VM monitoring and tools

    • Antivmdetect - Script to create templates to use with VirtualBox to make VM detection harder.
    • VMCloak - Automated Virtual Machine Generation and Cloaking for Cuckoo Sandbox.
    • vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine.

  • Binary debugger

  • Mobile Analysis Tool

    • Androguard - Reverse engineering, Malware and goodware analysis of Android applications and more.
    • APKinspector - Powerful GUI tool for analysts to analyze the Android applications.

  • Low interaction honeypot

    • Honeyperl - Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc.
    • T-Pot - All in one honeypot appliance from telecom provider T-Mobile

  • Honeynet data fusion

    • HFlow2 - Data coalesing tool for honeynet/network analysis.

  • Server

    • Amun - Vulnerability emulation honeypot.
    • Artillery - Open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
    • Bait and Switch - Redirects all hostile traffic to a honeypot that is partially mirroring your production system.
    • Bifrozt - Automatic deploy bifrozt with ansible.
    • Conpot - Low interactive server side Industrial Control Systems honeypot.
    • Heralding - Credentials catching honeypot.
    • HoneyWRT - Low interaction Python honeypot designed to mimic services or ports that might get targeted by attackers.
    • Honeyd - See honeyd tools.
    • Honeysink - Open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.
    • Hontel - Telnet Honeypot.
    • KFSensor - Windows based honeypot Intrusion Detection System (IDS).
    • LaBrea - Takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
    • MTPot - Open Source Telnet Honeypot, focused on Mirai malware.
    • SIREN - Semi-Intelligent HoneyPot Network - HoneyNet Intelligent Virtual Environment.
    • TelnetHoney - Simple telnet honeypot.
    • UDPot Honeypot - Simple UDP/DNS honeypot scripts.
    • Yet Another Fake Honeypot (YAFH) - Simple honeypot written in Go.
    • arctic-swallow - Low interaction honeypot.
    • glutton - All eating honeypot.
    • go-HoneyPot - Honeypot server written in Go.
    • go-emulators - Honeypot Golang emulators.
    • honeymail - SMTP honeypot written in Golang.
    • honeytrap - Low-interaction honeypot and network security tool written to catch attacks against TCP and UDP services.
    • imap-honey - IMAP honeypot written in Golang.
    • mwcollectd - Versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
    • potd - Highly scalable low- to medium-interaction SSH/TCP honeypot designed for OpenWrt/IoT devices leveraging several Linux kernel features, such as namespaces, seccomp and thread capabilities.
    • portlurker - Port listener in Rust with protocol guessing and safe string display.
    • slipm-honeypot - Simple low-interaction port monitoring honeypot.
    • telnet-iot-honeypot - Python telnet honeypot for catching botnet binaries.
    • telnetlogger - Telnet honeypot designed to track the Mirai botnet.
    • vnclowpot - Low interaction VNC honeypot.

  • IDS signature generation

    • Honeycomb - Automated signature creation using honeypots.

  • Lookup service for AS-numbers and prefixes

    • CC2ASN - Simple lookup service for AS-numbers and prefixes belonging to any given country in the world.

  • Data Collection / Data Sharing

  • Central management tool

    • PHARM - Manage, report, and analyze your distributed Nepenthes instances.

  • Network connection analyzer

    • Impost - Network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons.

  • Honeypot deployment

  • Honeypot extensions to Wireshark

    • Wireshark Extensions - Apply Snort IDS rules and signatures against packet capture files using Wireshark.

  • Client

  • Honeypot

  • PDF document inspector

    • peepdf - Powerful Python tool to analyze PDF documents.

  • Hybrid low/high interaction honeypot

  • SSH Honeypots

    • Blacknet - Multi-head SSH honeypot system.
    • Cowrie - Cowrie SSH Honeypot (based on kippo).
    • DShield docker - Docker container running cowrie with DShield output enabled.
    • HonSSH - Logs all SSH communications between a client and server.
    • HUDINX - Tiny interaction SSH honeypot engineered in Python to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
    • Kippo - Medium interaction SSH honeypot.
    • Kippo_JunOS - Kippo configured to be a backdoored netscreen.
    • Kojoney2 - Low interaction SSH honeypot written in Python and based on Kojoney by Jose Antonio Coret.
    • Kojoney - Python-based Low interaction honeypot that emulates an SSH server implemented with Twisted Conch.
    • LongTail Log Analysis @ Marist College - Analyzed SSH honeypot logs.
    • Malbait - Simple TCP/UDP honeypot implemented in Perl.
    • MockSSH - Mock an SSH server and define all commands it supports (Python, Twisted).
    • cowrie2neo - Parse cowrie honeypot logs into a neo4j database.
    • go-sshoney - SSH Honeypot.
    • go0r - Simple ssh honeypot in Golang.
    • gohoney - SSH honeypot written in Go.
    • hived - Golang-based honeypot.
    • hnypots-agent) - SSH Server in Go that logs username and password combinations.
    • honeypot.go - SSH Honeypot written in Go.
    • honeyssh - Credential dumping SSH honeypot with statistics.
    • hornet - Medium interaction SSH honeypot that supports multiple virtual hosts.
    • ssh-auth-logger - Low/zero interaction SSH authentication logging honeypot.
    • ssh-honeypot - Fake sshd that logs IP addresses, usernames, and passwords.
    • ssh-honeypot - Modified version of the OpenSSH deamon that forwards commands to Cowrie where all commands are interpreted and returned.
    • ssh-honeypotd - Low-interaction SSH honeypot written in C.
    • sshForShits - Framework for a high interaction SSH honeypot.
    • sshesame - Fake SSH server that lets everyone in and logs their activity.
    • sshhipot - High-interaction MitM SSH honeypot.
    • sshlowpot - Yet another no-frills low-interaction SSH honeypot in Go.
    • sshsyrup - Simple SSH Honeypot with features to capture terminal activity and upload to asciinema.org.
    • twisted-honeypots - SSH, FTP and Telnet honeypots based on Twisted.

  • Distributed sensor project

  • A pcap analyzer

  • Network traffic redirector

  • Honeypot Distribution with mixed content

  • Honeypot sensor

    • Honeeepi - Honeypot sensor on a Raspberry Pi based on a customized Raspbian OS.

  • File carving

  • Behavioral analysis tool for win32

  • Live CD

    • DAVIX - The DAVIX Live CD.

  • Spamtrap

  • Commercial honeynet

    • Cymmetria Mazerunner - Leads attackers away from real targets and creates a footprint of the attack.

  • Server (Bluetooth)

  • Dynamic analysis of Android apps

  • Dockerized Low Interaction packaging

    • Docker honeynet - Several Honeynet tools set up for Docker containers.
    • Dockerized Thug - Dockerized Thug to analyze malicious web content.
    • Dockerpot - Docker based honeypot.
    • Manuka - Docker based honeypot (Dionaea and Kippo).
    • honey_ports - Very simple but effective docker deployed honeypot to detect port scanning in your environment.
    • mhn-core-docker - Core elements of the Modern Honey Network implemented in Docker.

  • Network analysis

  • SIP Server

  • IOT Honeypot

    • HoneyThing - TR-069 Honeypot.
    • Kako - Honeypots for a number of well known and deployed embedded device vulnerabilities.

  • Honeytokens

    • CanaryTokens - Self-hostable honeytoken generator and reporting dashboard; demo version available at CanaryTokens.org.
    • Honeybits - Simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs and honeytokens across your production servers and workstations to lure the attacker toward your honeypots.
    • Honeyλ (HoneyLambda) - Simple, serverless application designed to create and monitor URL honeytokens, on top of AWS Lambda and Amazon API Gateway.
    • dcept - Tool for deploying and detecting use of Active Directory honeytokens.
    • honeyku - Heroku-based web honeypot that can be used to create and monitor fake HTTP endpoints (i.e. honeytokens).

Honeyd Tools

Network and Artifact Analysis

  • Sandbox

    • Argos - Emulator for capturing zero-day attacks.
    • COMODO automated sandbox
    • Cuckoo - Leading open source automated malware analysis system.
    • Pylibemu - Libemu Cython wrapper.
    • RFISandbox - PHP 5.x script sandbox built on top of funcall.
    • dorothy2 - Malware/botnet analysis framework written in Ruby.
    • imalse - Integrated MALware Simulator and Emulator.
    • libemu - Shellcode emulation library, useful for shellcode detection.

  • Sandbox-as-a-Service

    • Hybrid Analysis - Free malware analysis service powered by Payload Security that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
    • Joebox Cloud - Analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities.
    • VirusTotal - Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community.
    • malwr.com - Free malware analysis service and community.

Data Tools

  • Front Ends

    • DionaeaFR - Front Web to Dionaea low-interaction honeypot.
    • Django-kippo - Django App for kippo SSH Honeypot.
    • Shockpot-Frontend - Full featured script to visualize statistics from a Shockpot honeypot.
    • Tango - Honeypot Intelligence with Splunk.
    • Wordpot-Frontend - Full featured script to visualize statistics from a Wordpot honeypot.
    • honeyalarmg2 - Simplified UI for showing honeypot alarms.
    • honeypotDisplay - Flask website which displays data gathered from an SSH Honeypot.

  • Visualization

Guides