From 4da6603d419505db83d648488705092180865e9d Mon Sep 17 00:00:00 2001 From: jose nazario Date: Fri, 19 Jun 2015 07:19:39 -0400 Subject: [PATCH] start organizing --- README.md | 182 ++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 150 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index ae2a947..c8e6c22 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,8 @@ A curated list of awesome honeypots, tools, components and much more. The list i A related list for many of us is [awesome-pcaptools](https://github.com/caesar0301/awesome-pcaptools), useful in network traffic analysis. +## Honeypots + - Database Honeypots - [Elastic honey](https://github.com/jordan-wright/elastichoney) - [mysql](https://github.com/schmalle/MysqlPot) @@ -20,6 +22,9 @@ A related list for many of us is [awesome-pcaptools](https://github.com/caesar03 - [Servletpot](http://github.com/schmalle/servletpot) - [Nodepot](http://github.com/schmalle/Nodepot) - [Google Hack Honeypot](http://ghh.sourceforge.net) + - [smart-honeypot](https://github.com/freak3dot/smart-honeypot) + - [PHPHop](http://rstack.org/phphop/) + - [wp-smart-honeypot](https://github.com/freak3dot/wp-smart-honeypot) - Service Honeypots - [Kippo](https://github.com/desaster/kippo) - Medium interaction SSH honeypot 
@@ -33,103 +38,131 @@ A related list for many of us is [awesome-pcaptools](https://github.com/caesar03 - [Conpot](https://github.com/glastopf/conpot) - [scada-honeynet](http://www.digitalbond.com/tools/scada-honeynet/) - [SCADA honeynet](http://scadahoneynet.sourceforge.net) + - Deployment - [Dionaea and EC2 in 20 Minutes](http://andrewmichaelsmith.com/2012/03/dionaea-honeypot-on-ec2-in-20-minutes/) -- Visualization - - [HoneyMap](https://github.com/fw42/honeymap) - - [HoneyMalt](https://github.com/SneakersInc/HoneyMalt) + - Data Analysis - [Kippo-Graph](http://bruteforce.gr/kippo-graph) - [Kippo stats](https://github.com/mfontani/kippo-stats) + - Other/random - [NOVA](https://github.com/DataSoft/Nova) uses honeypots as detectors, looks like a complete system - [Mantrap / Symantec Decoy Server](http://www.systemhouse.com/symantec/sds.htm) - [BigEye](http://violating.us/projects/bigeye/) - [BackOfficer Friendly](http://www.nfr.com/resource/backOfficer.php) + - Proxy honeypot - [Proxypot](http://proxypot.spamteam.nl) + - Open Relay Spam Honeypot - [SpamHAT](https://github.com/miguelraulb/spamhat) + - Botnet C2 monitor - [Hale](http://github.com/pjlantz/Hale) + - IPv6 attack detection tool - [ipv6-guard](https://www.honeynet.org/gsoc2012/slot8) - [ipv6-attack-detector](https://github.com/mzweilin/ipv6-attack-detector/) -- PHP honeypot - - [smart-honeypot](https://github.com/freak3dot/smart-honeypot) - - [PHPHop](http://rstack.org/phphop/) + - Honeypot Database - [Manuka](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCgQFjAB&url=https%3A%2F%2Fstaff.washington.edu%2Fdittrich%2Ftalks%2Fieee-ia-manuka.ppt&ei=nS1fVdDjJeL9ywP5soG4Cg&usg=AFQjCNGTVLU6WQe04DdUd1jzVx3Fmwi6Xg&bvm=bv.93990622,d.bGQ) + - Research Paper - [vEYE](http://link.springer.com/article/10.1007%2Fs10115-008-0137-3) + - Honeynet statistics - [HoneyStats](http://sourceforge.net/projects/honeystats/) + - Visual analsysis for network traffic - [Picviz](http://www.wallinfire.net/picviz) + 
- dynamic code instrumentation toolkit - [Frida](http://www.frida.re) + - Front-end for dionaea - [DionaeaFR](https://github.com/rubenespadas/DionaeaFR) + - Tool to convert website to server honeypots - [HIHAT](http://hihat.sourceforge.net/) + - Malware collector - [Kippo-Malware](http://bruteforce.gr/kippo-malware) + - Sebek in QEMU - [Qebek](https://projects.honeynet.org/sebek/wiki/Qebek) + - Malware Simulator - [imalse](https://github.com/hbhzwj/imalse) + - Distributed sensor deployment - [Sombria](http://www.lac.co.jp/business/sns/intelligence/sombria_e.html) - [Smarthoneypot](http://smarthoneypot.com) + - Network Analysis Tool - [Tracexploit](https://code.google.com/p/tracexploit/) + - Log anonymizer - [LogAnon](http://code.google.com/p/loganon/) + - server - [Honeysink](http://www.honeynet.org/node/773) + - Botnet traffic detection - [dnsMole](https://code.google.com/p/dns-mole/) + - Low interaction honeypot (router back door) - [Honeypot-32764](https://github.com/knalli/honeypot-for-tcp-32764) + - honeynet farm traffic redirector - [Honeymole](https://web.archive.org/web/20120122130150/http://www.honeynet.org.pt/index.php/HoneyMole) + - IDS signature generator - [Nebula](http://nebula.carnivore.it/) + - Fake wireless access point - [FakeAP](http://www.blackalchemy.to/project/fakeap/) + - HTTPS Proxy - [mitmproxy](http://mitmproxy.org/) + - spamtrap - [Jackpot Mailswerver](http://jackpot.uk.net/) + - System instrumentation - [Sysdig](http://www.sysdig.org) + - Honeypot for USB-spreading malware - [Ghost-usb](https://code.google.com/p/ghost-usb-honeypot/) + - Data Collection - [Kippo2MySQL](http://bruteforce.gr/kippo2mysql) - [Kippo2ElasticSearch](http://bruteforce.gr/kippo2elasticsearch) -- Honeyd viewer - - [Honeyview](http://honeyview.sourceforge.net/) + - Passive network audit framework parser - [pnaf](https://github.com/jusafing/pnaf) -- Honeyd to MySQL connector - - [Honeyd2MySQL](http://bruteforce.gr/honeyd2mysql) + - VM Introspection - [VIX virtual 
machine introspection toolkit](http://assert.uaf.edu/research/vmi.html) - [xenaccess](https://code.google.com/p/xenaccess/) - [vmscope](http://cs.gmu.edu/~xwangc/Publications/RAID07-VMscope.pdf) - [vmitools](http://libvmi.com/) + - Binary debugger - [Hexgolems - Schem Debugger Frontend](https://github.com/hexgolems/schem) - [Hexgolems - Pint Debugger Backend](https://github.com/hexgolems/pint) + - Mobile Analysis Tool - [APKinspector](https://github.com/honeynet/apkinspector/) - [Androguard](https://code.google.com/p/androguard/) + - Low interaction honeypot - [Honeypoint](http://microsolved.com/?page_id=69) - [Honeyperl](http://sourceforge.net/projects/honeyperl/) + - Honeynet data fusion - [HFlow2](https://projects.honeynet.org/hflow) + - Server - [Tiny Honeypot](http://www.alpinista.org/thp/ -> http://web.archive.org/web/20090606073121/http://www.alpinista.org/files/thp/) - [Nephenthes](http://nepenthes.carnivore.it//) @@ -137,9 +170,7 @@ A related list for many of us is [awesome-pcaptools](https://github.com/caesar03 - [Kippo](https://github.com/desaster/kippo) - [KFSensor](http://www.keyfocus.net/kfsensor/) - [Honeytrap](http://honeytrap.carnivore.it/) - - [Honeyd](https://github.com/provos/honeyd) - - Bootable honeyd - - [HOACD](http://www.honeynet.org.br/tools/) + - [Honeyd](https://github.com/provos/honeyd) Also see [more honeyd tools](#honeyd) - [Honeeebox](http://honeeebox.net) - [Glastopf](http://glastopf.org/) - [DNS Honeypot](https://github.com/jekil/UDPot) 
@@ -151,74 +182,91 @@ A related list for many of us is [awesome-pcaptools](https://github.com/caesar03 - [Bait and Switch](http://baitnswitch.sourceforge.net) - [Artillery](https://github.com/trustedsec/artillery/) - [Amun](http://amunhoney.sourceforge.net) + - VM cloaking script - [Antivmdetect](https://github.com/nsmfoo/antivmdetection) -- Honeyd ported to Windows - - [Winhoneyd](http://www2.netvigilance.com/winhoneyd) + - IDS signature generation - [Honeycomb](http://www.cl.cam.ac.uk/~cpk25/honeycomb/) + - Multiple - [Honeeepi](https://redmine.honeynet.org/projects/honeeepi/wiki) + - Web interface to packet analyzer - [OpenWitness](https://github.com/oguzy/openwitness) + - lookup service for AS-numbers and prefixes - [CC2ASN](http://www.cc2asn.com/) + - Data Collection / Analysis Tool - [Carniwwwhore](http://carnivore.it/2010/11/27/carniwwwhore) -- Wordpress spam honeypot - - [wp-smart-honeypot](https://github.com/freak3dot/wp-smart-honeypot) + - Web interface (for Thug) - [Rumal](https://github.com/pdelsante/rumal) + - Snort binary carving - [Pehunter](http://src.carnivore.it/pehunter/) + - Data Collection / Data Sharing - [HPfriends](http://hpfriends.honeycloud.net/#/home) - [HPFeeds](https://github.com/rep/hpfeeds/) + - PE-executables analyses - [Xandora](http://www.xandora.net/xangui/) + - Distributed spam tracking - [Project Honeypot](https://www.projecthoneypot.org) + - Python bindings for libemu - [Pylibemu](https://github.com/buffer/pylibemu) -- Client honeypot - - [Pwnypot](https://github.com/shjalayeri/pwnypot) + - Controlled-relay spam honeypot - [Shiva](https://github.com/shiva-spampot/shiva) + - Visualization Tool - [Webviz](not working) - [Glastopf Analytics](https://github.com/vavkamil/Glastopf-Analytics) - [Afterglow Cloud](http://afterglow.secviz.org/) - [Afterglow](http://afterglow.sourceforge.net/) + - central management tool - [PHARM](http://www.nepenthespharm.com/) + - Network connection analyzer - [Impost](http://impost.sourceforge.net/) + 
- Virtual Machine Cloaking - [VMCloak](https://github.com/jbremer/vmcloak) -- A script to visualize statistics from honeyd - - [Honeyd-Viz](http://bruteforce.gr/honeyd-viz) + - Honeypot deployment - [Modern Honeynet Network](http://threatstream.github.io/mhn/) - [SurfIDS](http://ids.surfnet.nl/) -- Honeyd UI - - [Honeyd configuration GUI](http://www.citi.umich.edu/u/provos/honeyd/ch01-results/1/) + - Honeynet analysis tool - [Honeynet Security Console](http://www.activeworx.org/programs/hsc/index.htm) + - Automated malware analysis system - [Cuckoo](http://www.cuckoosandbox.org/) - [Anubis](https://anubis.iseclab.org/) + - Low interaction - [mwcollectd](http//git.mwcollect.org/mwcollectd) + - Low interaction honeypot on USB stick - [Honeystick](http://www.ukhoneynet.org/research/honeystick-howto/) + - Honeypot extensions to Wireshark - [Whireshark Extensions](https://www.honeynet.org/project/WiresharkExtensions) + - Data Analysis Tool - [HpfeedsHoneyGraph](https://github.com/yuchincheng/HpfeedsHoneyGraph) - [Acapulco](https://github.com/hgascon/Acapulco4HNP) + - Telephony honeypot - [Zapping Rachel](https://seanmckaybeck.com/2014/08/17/zapping-rachel/) + - Client + - [Pwnypot](https://github.com/shjalayeri/pwnypot) - [MonkeySpider](http://monkeyspider.sourceforge.net) - [Capture-HPC-NG](https://github.com/CERT-Polska/HSN-Capture-HPC-NG) - [Wepawet](http://wepawet.cs.ucsb.edu/about.php) 
@@ -235,13 +283,17 @@ A related list for many of us is [awesome-pcaptools](https://github.com/caesar03 - [Capture-HPC-Linux](https://redmine.honeynet.org/projects/linux-capture-hpc/wiki) - [Capture-HPC](https://projects.honeynet.org/capture-hpc) - [Andrubis](https://anubis.iseclab.org/) + - Commercial high interaction honeypot - [Countertack Scout](http://www.countertack.com/countertack-scout) + - Visual analysis for network traffic - [ovizart-ng](https://github.com/honeynet/ovizart-ng) - [ovizart](https://github.com/honeynet/ovizart) + - Binary Management and Analysis Framework - [Viper](http://viper.li/) + - Honeypot - [Single-honeypot](http://sourceforge.net/projects/single-honeypot/) - [Honeyd For Windows](http://www.securityprofiling.com/honeyd/honeyd.shtml) 
@@ -249,54 +301,77 @@ A related list for many of us is [awesome-pcaptools](https://github.com/caesar03 - [IMHoneypot](https://github.com/glastopf/imhoneypot) - [Deception Toolkit](http://www.all.net/dtk/dtk.html) - [Cybercop Sting](http://www.nai.com/international/uk/asp_set/products/tns/ccsting_intro.asp) + - PDF document inspector - [peepdf](https://code.google.com/p/peepdf/) + - Distribution system - [Thug Distributed Task Queuing](https://thug-distributed.readthedocs.org/en/latest/index.html) + - HoneyClient Management - [HoneyWeb](https://code.google.com/p/gsoc-honeyweb/) + - Network Analysis - [HoneyProxy](http://honeyproxy.org/) + - Hybrid low/high interaction honeypot - [HoneyBrid](http://honeybrid.sourceforge.net) + - Sebek on Xen - [xebek](https://code.google.com/p/xebek/) + - SSH Honeypot - [Kojoney](http://kojoney.sourceforge.net/) + - Glastopf data analysis - [Glastopf Analytics](https://github.com/vavkamil/Glastopf-Analytics) + - Distributed sensor project - [DShield Web Honeypot Project](https://sites.google.com/site/webhoneypotsite/) - [Distributed Web Honeypot Project](http://projects.webappsec.org/w/page/29606603/Distributed%20Web%20Honeypots) + - a pcap analyzer - [Honeysnap](https://projects.honeynet.org/honeysnap/) + - Client Web crawler - [HoneySpider Network](https://github.com/CERT-Polska/hsn2-bundle) + - network traffic redirector - [Honeywall](https://projects.honeynet.org/honeywall/) + - Honeypot Distribution with mixed content - [HoneyDrive](http://bruteforce.gr/honeydrive) + - Honeypot sensor - [Dragon Research Group Distro](https://www.dragonresearchgroup.org/drg-distro.html) + - File carving - [TestDisk & PhotoRec](http://www.cgsecurity.org/) + - File and Network Threat Intelligence - [VirusTotal](http://virustotal.com) + - data capture - [Sebek](https://projects.honeynet.org/sebek/) + - SSH proxy - [HonSSH](https://github.com/tnich/honssh) + - Anti-Cheat - [Minecraft honeypot](http://www.curse.com/bukkit-plugins/minecraft/honeypot) + 
- behavioral analysis tool for win32 - [Capture BAT](https://www.honeynet.org/node/315) + - Live CD - [DAVIX](http://davix.secviz.org) + - Spamtrap - [Spampot.py](http://woozle.org/%7Eneale/src/python/spampot.py) - [Spamhole](http://www.spamhole.net/) - [spamd](http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html) - [SMTPot.py](http://llama.whoi.edu/smtpot.py) + - Commercial honeynet - [Specter](http://www.specter.com/default50.htm) - [Smoke Detector](http://palisadesys.com/products/smokedetector/) 
@@ -305,36 +380,79 @@ A related list for many of us is [awesome-pcaptools](https://github.com/caesar03 - [PacketDecoy](http://palisadesys.com/products/packetdecoy/) - [NetFacade](http://www22.verizon.com/fns/solutions/netsec/netsec_netfacade.html) - [Netbait](http://www.netbaitinc.com) + - Server (Bluetooth) - [Bluepot](http://code.google.com/p/bluepot/) -- Honeyd stats - - [Honeydsum.pl](http://www.honeynet.org.br/) + - Dynamic analysis of Android apps - [Droidbox](https://code.google.com/p/droidbox/) + - Dockerized Low Interaction packaging - [Manuka](https://github.com/andrewmichaelsmith/manuka) + - Network analysis - [Quechua](https://bitbucket.org/zaccone/quechua) + - Sebek data visualization - [Sebek Dataviz](http://www.honeynet.org/gsoc/project4) + - Threat Intel feed aggregator / network grapher - [Malcom](http://malcom.io) -- Sandbox - - [Argos](http://www.few.vu.nl/argos/) + - SIP Server - [Artemnesia VoIP](http://artemisa.sourceforge.net) -- Honeyd plugin - - [Honeycomb](http://www.honeyd.org/tools.php) -- Sandbox-as-a-Service - - [malwr.com](http://malwr.com) + - Botnet C2 monitoring - [botsnoopd](http://botsnoopd.mwcollect.org) + - low interaction - [mysqlpot](https://github.com/schmalle/mysqlpot) + - Malware collection - [Honeybow](http://honeybow.mwcollect.org/) -- sandbox + +## Honeyd Tools + +- Honeyd plugin + - [Honeycomb](http://www.honeyd.org/tools.php) + +- Honeyd viewer + - [Honeyview](http://honeyview.sourceforge.net/) + +- Honeyd to MySQL connector + - [Honeyd2MySQL](http://bruteforce.gr/honeyd2mysql) + +- Bootable honeyd + - [HOACD](http://www.honeynet.org.br/tools/) + +- Honeyd ported to Windows + - [Winhoneyd](http://www2.netvigilance.com/winhoneyd) + +- A script to visualize statistics from honeyd + - [Honeyd-Viz](http://bruteforce.gr/honeyd-viz) + +- Honeyd UI + - [Honeyd configuration GUI](http://www.citi.umich.edu/u/provos/honeyd/ch01-results/1/) + +- Honeyd stats + - [Honeydsum.pl](http://www.honeynet.org.br/) + +## Network and 
Artifact Analysis + +- Sandbox - [PHPSandbox](http://www.fieryprophet.com/phpsandbox) - [RFISandbox](http://monkey.org/~jose/software/rfi-sandbox/) - [dorothy2](https://github.com/m4rco-/dorothy2) - [COMODO automated sandbox](https://help.comodo.com/topic-72-1-451-4768-.html) + +- Sandbox + - [Argos](http://www.few.vu.nl/argos/) + +- Sandbox-as-a-Service + - [malwr.com](http://malwr.com) + +## Visualiation Tools + +- Visualization + - [HoneyMap](https://github.com/fw42/honeymap) + - [HoneyMalt](https://github.com/SneakersInc/HoneyMalt) \ No newline at end of file
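Review bot: the new `## Honeypots` heading in hunk `@@ -4,6 +4,8 @@` is followed by a tight list (`- Database Honeypots`, `- Web honeypots`, `- Service Honeypots` with no blank line between them), while every later hunk separates the top-level categories with a blank line; pick one spacing, because Markdown renders a list with blank lines between items as a loose list and the two halves of the same list will look different. The three PHP entries added under the web honeypot category (`smart-honeypot`, `PHPHop`, `wp-smart-honeypot`) fit there, but since the former `Wordpress spam honeypot` category name is dropped, a short qualifier such as `(WordPress)` on `wp-smart-honeypot` would keep that information.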
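Review bot: the Manuka entry that hunk `@@ -33,103 +38,131 @@` leaves in place links through a Google redirect (`https://www.google.com/url?...`) instead of the target it points at (`staff.washington.edu/dittrich/talks/ieee-ia-manuka.ppt`); while this hunk is reshuffling the region, replace it with the direct URL. The same pass could fix the typos in the untouched category labels `Visual analsysis` (analysis) and `Jackpot Mailswerver`, and the `Nephenthes` entry, whose own URL spells the name `nepenthes` and ends with a doubled slash (`//`).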
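Review bot: the anchor in `+  - [Honeyd](https://github.com/provos/honeyd) Also see [more honeyd tools](#honeyd)` (hunk `@@ -137,9 +170,7 @@`) will not resolve: the section this patch adds is titled `## Honeyd Tools`, so the fragment GitHub generates is `#honeyd-tools`, not `#honeyd`. Either change the link to `(#honeyd-tools)` or rename the heading to `## Honeyd`. The cross-reference also runs straight on after the link text without punctuation; `(see also [more honeyd tools](#honeyd-tools))` reads better. The `HOACD` entry removed here reappears under the new section, so nothing is lost.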
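Review bot: moving Pwnypot into the new `Client` category next to MonkeySpider, Capture-HPC-NG and Wepawet (hunk `@@ -151,74 +182,91 @@`) is the right grouping, but two link targets in lines this hunk keeps are broken and belong in the same pass: `[Webviz](not working)` has no URL (drop the entry, or note its status as plain text rather than as a link target), and `[mwcollectd](http//git.mwcollect.org/mwcollectd)` is missing the colon in `http://`. `Whireshark Extensions` should read `Wireshark Extensions`.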
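Review bot: `Glastopf Analytics` is listed twice with the same URL, under `Glastopf data analysis` in hunk `@@ -249,54 +301,77 @@` and under `Visualization Tool` in hunk `@@ -151,74 +182,91 @@`; since this commit is organizing the list, keep a single entry.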
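Review bot: in the sections added by hunk `@@ -305,36 +380,79 @@`, the heading `## Visualiation Tools` is misspelled (`Visualization`), and `## Network and Artifact Analysis` contains two separate `- Sandbox` categories (PHPSandbox, RFISandbox, dorothy2 and COMODO, then Argos on its own) that should be merged into one. `Honeycomb` now appears both under `Honeyd plugin` here (honeyd.org/tools.php) and under `IDS signature generation` (cl.cam.ac.uk/~cpk25/honeycomb/) in hunk `@@ -151,74 +182,91 @@`; one entry carrying both links avoids the duplicate. The file also ends without a trailing newline (`\ No newline at end of file`); add one.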