.travis.yml | ||
awesome-check.py | ||
CONTRIBUTING.md | ||
LICENSE | ||
README_CN.md | ||
README.md |
Awesome Honeypots
A curated list of awesome honeypots, tools, components and much more. The list is divided into categories such as web, services, and others, focusing on open source projects.
There is no pre-established order of items in each category, the order is for contribution. If you want to contribute, please read the guide.
Discover more awesome lists at sindresorhus/awesome.
Sections
Related Lists
- awesome-pcaptools, useful in network traffic analysis.
- awesome-malware-analysis, with some overlap here for artifact analysis.
Honeypots
-
Database Honeypots
- Delilah - An Elasticsearch Honeypot written in Python.
- ESPot - An Elasticsearch honeypot written in NodeJS, to capture every attempts to exploit CVE-2014-3120.
- Elastic honey - A Simple Elasticsearch Honeypot.
- MongoDB-HoneyProxy - A MongoDB honeypot proxy.
- NoSQLpot - The NoSQL Honeypot Framework.
- mysql-honeypotd - Low interaction MySQL honeypot written in C.
- mysql - A mysql honeypot, still very very early stage.
-
Web honeypots
- Bukkit Honeypot Honeypot - A honeypot plugin for Bukkit.
- EoHoneypotBundle - Honeypot type for Symfony2 forms.
- Glastopf - Web Application Honeypot.
- Google Hack Honeypot - designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
- Laravel Application Honeypot - Honeypot - Simple spam prevention package for Laravel applications.
- Nodepot - A nodejs web application honeypot.
- Servletpot - Web application Honeypot.
- Shadow Daemon - A modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl & Python apps.
- WebTrap - Designed to create deceptive webpages to deceive and redirect attackers away from real websites.
- basic-auth-pot bap - http Basic Authentication honeyPot.
- django-admin-honeypot - A fake Django admin login screen to notify admins of attempted unauthorized access.
- honeyhttpd - a Python-based web server honeypot builder.
- phpmyadmin_honeypot - - A simple and effective phpMyAdmin honeypot.
- shockpot - WebApp Honeypot for detecting Shell Shock exploit attempts.
- smart-honeypot - PHP Script demonstrating a smart honey pot.
- Snare/Tanner - successors to Glastopf
- stack-honeypot - Inserts a trap for spam bots into responses.
- WordPress honeypots
- HonnyPotter - A WordPress login honeypot for collection and analysis of failed login attempts.
- HoneyPress - python based WordPress honeypot in a docker container.
- wp-smart-honeypot - WordPress plugin to reduce comment spam with a smarter honeypot.
- wordpot - A WordPress Honeypot.
-
Service Honeypots
- AMTHoneypot - Honeypot for Intel's AMT Firmware Vulnerability CVE-2017-5689.
- Ensnare - Easy to deploy Ruby honeypot.
- HoneyPy - A low interaction honeypot.
- Honeygrove - A multi-purpose modular honeypot based on Twisted.
- Honeyport - A simple honeyport written in Bash and Python.
- Honeyprint - Printer honeypot.
- Lyrebird - A modern high-interaction honeypot framework.
- MICROS honeypot - low interaction honeypot to detect CVE-2018-2636 in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (MICROS).
- RDPy - A Microsoft Remote Desktop Protocol (RDP) honeypot in python.
- SMB Honeypot - High interaction SMB service Honeypot capable of capturing wannacry like Malware.
- Tom's Honeypot - Low interaction Python honeypot.
- WebLogic honeypot - low interaction honeypot to detect CVE-2017-10271 in the Oracle WebLogic Server component of Oracle Fusion Middleware.
- honeycomb_plugins - The plugin repository for Honeycomb, the honeypot framework by Cymmetria.
- honeyntp - NTP logger/honeypot.
- honeypot-camera - observation camera honeypot.
- honeytrap - Advanced Honeypot framework written in Go. Can be connected up with other Honeypot software.
- troje - a honeypot built around lxc containers. It will run each connection with the service within a seperate lxc container.
-
Distributed Honeypots
- DemonHunter - Low interaction Honepot Server.
-
Anti-honeypot stuff
- kippo_detect - This is not a honeypot, but it detects kippo. (This guy has lots of more interesting stuff)
-
ICS/SCADA honeypots
- Conpot - ICS/SCADA honeypot.
- GasPot - Veeder Root Gaurdian AST, common in the oil and gas industry.
- SCADA honeynet - Building Honeypots for Industrial Networks.
- gridpot - Open source tools for realistic-behaving electric grid honeynets .
- scada-honeynet - mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices.
-
Other/random
- DSHP - Damn Simple HoneyPot with pluggable handlers.
- NOVA uses honeypots as detectors, looks like a complete system.
- OFPot - OpenFlow Honeypot, redirects traffic for unused IPs to a honeypot. Built on POX.
- Open Canary - A low interaction honeypot intended to be run on internal networks.
- OpenCanary - Modular and decentralised honeypot.
-
Botnet C2 tools
-
IPv6 attack detection tool
- ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization.
-
Dynamic code instrumentation toolkit
- Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.
-
Tool to convert website to server honeypots
- HIHAT - Transform arbitrary PHP applications into web-based high-interaction Honeypots.
-
Malware collector
- Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database.
-
Distributed sensor deployment
- ADHD - Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu LTS. It comes with many tools aimed at active defense preinstalled and configured.
- Modern Honey Network - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management.
- Smarthoneypot - custom honeypot intelligence system that is simple to deploy and easy to manage.
-
Network Analysis Tool
- Tracexploit - replay network packets.
-
Log anonymizer
- LogAnon - log anonymization library that helps having anonymous logs consistent between logs and network captures.
-
Low interaction honeypot (router back door)
- Honeypot-32764 - Honeypot for router backdoor (TCP 32764).
-
honeynet farm traffic redirector
- Honeymole - eploy multiple sensors that redirect traffic to a centralized collection of honeypots.
-
HTTPS Proxy
- mitmproxy - allows traffic flows to be intercepted, inspected, modified and replayed.
-
System instrumentation
-
Honeypot for USB-spreading malware
- Ghost-usb - honeypot for malware that propagates via USB storage devices.
- Honeystick - low interaction honeypot on USB stick
-
Data Collection
- Kippo2MySQL - extracts some very basic stats from Kippo’s text-based log files (a mess to analyze!) and inserts them in a MySQL database.
- Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster).
-
Passive network audit framework parser
- pnaf - Passive Network Audit Framework.
-
VM monitoring and tools
- Antivmdetect - Script to create templates to use with VirtualBox to make vm detection harder.
- VMCloak - Automated Virtual Machine Generation and Cloaking for Cuckoo Sandbox.
- vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine.
- vmscope - Monitoring of VM-based.
-
Binary debugger
- Hexgolems - Pint Debugger Backend - A debugger backend and LUA wrapper for PIN.
- Hexgolems - Schem Debugger Frontend - A debugger frontend.
-
Mobile Analysis Tool
- Androguard - Reverse engineering, Malware and goodware analysis of Android applications ... and more.
- APKinspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
-
Low interaction honeypot
- Honeyperl - Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc.
-
Honeynet data fusion
- HFlow2 - data coalesing tool for honeynet/network analysis.
-
Server
- Amun - vulnerability emulation honeypot.
- Artillery - open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
- Bait and Switch - redirects all hostile traffic to a honeypot that is partially mirroring your production system.
- Bifrozt - Automatic deploy bifrozt with ansible.
- Conpot - ow interactive server side Industrial Control Systems honeypot.
- Heralding - A credentials catching honeypot.
- HoneyWRT - low interaction Python honeypot designed to mimic services or ports that might get targeted by attackers.
- Honeyd Also see more honeyd tools.
- Honeysink - open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.
- Hontel - Telnet Honeypot.
- KFSensor - Windows based honeypot Intrusion Detection System (IDS).
- LaBrea - takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
- MTPot - Open Source Telnet Honeypot, focused on Mirai malware.
- SIREN - Semi-Intelligent HoneyPot Network - HoneyNet Intelligent Virtual Environment.
- TelnetHoney - A simple telnet honeypot.
- UDPot Honeypot - Simple UDP / DNS honeypot scripts.
- arctic-swallow - a low interaction honeypot.
- glutton - All eating honeypot.
- honeytrap - a low-interaction honeypot and network security tool written to catch attacks against TCP and UDP services.
- mwcollectd - a versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
- portlurker - Port listener / honeypot in Rust with protocol guessing and safe string display.
- slipm-honeypot - A simple low-interaction port monitoring honeypot.
- telnetlogger - A Telnet honeypot designed to track the Mirai botnet.
- vnclowpot - A low interaction VNC honeypot.
-
IDS signature generation
- Honeycomb - Automated signature creation using honeypots.
-
Lookup service for AS-numbers and prefixes
- CC2ASN - A simple lookup service for AS-numbers and prefixes belonging to any given country in the world.
-
Web interface (for Thug)
- Rumal - Thug's Rumāl: a Thug's dress & weapon.
-
Data Collection / Data Sharing
- HPfriends - Honeypot data-sharing platform.
- hpfriends - real-time social data-sharing - Presentation about HPFriends feed system
- HPFeeds - lightweight authenticated publish-subscribe protocol.
- HPfriends - Honeypot data-sharing platform.
-
central management tool
- PHARM - Manage , Report, Analyze your distributed Nepenthes instances.
-
Network connection analyzer
- Impost - a network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons.
-
Honeypot deployment
- Modern Honeynet Network - makes deploying and managing secure honeypots extremely simple.
-
Honeypot extensions to Wireshark
- Whireshark Extensions - support applying Snort IDS rules and signatures against pcap files.
-
Client
- CWSandbox / GFI Sandbox
- Capture-HPC-Linux
- Capture-HPC-NG
- Capture-HPC - a high interaction client honeypot (also called honeyclient).
- HoneyBOT
- HoneyC
- Jsunpack-n
- MonkeySpider
- PhoneyC - Python honeyclient (later replaced by Thug)
- Pwnypot - High Interaction Client Honeypot
- Shelia - a client-side honeypot for attack detection
- Thug - Python low-interaction honeyclient
- Trigona
- URLQuery
- YALIH (Yet Another Low Interaction Honeyclient) - a low Interaction Client honeypot designed to detect malicious websites through signature, anomaly and pattern matching techniques
-
Honeypot
-
PDF document inspector
- peepdf - Powerful Python tool to analyze PDF documents
-
Distribution system
-
HoneyClient Management
-
Hybrid low/high interaction honeypot
-
SSH Honeypots
- Cowrie - Cowrie SSH Honeypot (based on kippo)
- DShield docker - Docker container running cowrie with DShield output enabled.
- HUDINX - tiny interaction SSH honeypot engineered in Python to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
- Kippo_JunOS - Kippo configured to be a backdoored netscreen.
- Kippo - Medium interaction SSH honeypot
- LongTail Log Analysis @ Marist College - analyzed SSH honeypot logs
- Kojoney
- Kojoney2 - low interaction SSH honeypot written in Python. Based on Kojoney by Jose Antonio Coret
- hornet - Medium interaction SSH Honeypot that supports multiple virtual hosts
- ssh-honeypot - Fake sshd that logs ip addresses, usernames, and passwords.
- ssh-honeypotd - A low-interaction SSH honeypot written in C.
- sshesame - A fake SSH server that lets everyone in and logs their activity.
- sshhipot - High-interaction MitM SSH honeypot
- sshlowpot - Yet another no-frills low-interaction ssh honeypot in Go.
- sshsyrup - A simple SSH Honeypot with features to capture terminal activity and upload to asciinema.org
-
Distributed sensor project
-
A pcap analyzer
-
Client Web crawler
-
Network traffic redirector
-
Honeypot Distribution with mixed content
-
Honeypot sensor
- [Honeeepi] (https://redmine.honeynet.org/projects/honeeepi/wiki) - Honeeepi is a honeypot sensor on Raspberry Pi which based on customized Raspbian OS.
-
File carving
-
Sebek
-
SSH proxy
-
Behavioral analysis tool for win32
-
Live CD
- DAVIX - The DAVIX Live CD
-
Spamtrap
- Mail::SMTP::Honeypot - perl module that appears to provide the functionality of a standard SMTP server
- Mailoney - SMTP honeypot, Open Relay, Cred Harvester written in python.
- SendMeSpamIDS.py Simple SMTP fetch all IDS and analyzer
- Shiva - Spam Honeypot with Intelligent Virtual Analyzer
- SpamHAT - Spam Honeypot Tool
- Spamhole
- honeypot - The Project Honey Pot un-official PHP SDK
- spamd
-
Commercial honeynet
- Cymmetria Mazerunner - MazeRunner leads attackers away from real targets and creates a footprint of the attack.
-
Server (Bluetooth)
-
Dynamic analysis of Android apps
-
Dockerized Low Interaction packaging
- Docker honeynet - Several Honeynet tools set up for Docker containers.
- Dockerized Thug - A dockerized Thug to analyze malicious web content.
- Dockerpot - A docker based honeypot.
- Manuka - Docker based honeypot (Dionaea & Kippo).
- mhn-core-docker - Core elements of the Modern Honey Network implemented in Docker.
-
Network analysis
-
SIP Server
-
IOT Honeypot
- HoneyThing - TR-069 Honeypot
-
Honeytokens
- CanaryTokens -
- Honeybits - A simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs & honeytokens across your production servers and workstations to lure the attacker toward your honeypots.
- Honeyλ - honeyLambda 'serverless trap' is a simple, serverless application designed to create and monitor URL honeytokens, on top of AWS Lambda and Amazon API Gateway.
- dcept - A tool for deploying and detecting use of Active Directory honeytokens.
Honeyd Tools
-
Honeyd plugin
-
Honeyd viewer
-
Honeyd to MySQL connector
-
A script to visualize statistics from honeyd
-
Honeyd UI
- Honeyd configuration GUI - application used to configure the honeyd daemon and generate configuration files
-
Honeyd stats
Network and Artifact Analysis
-
Sandbox
- Argos - An emulator for capturing zero-day attacks
- COMODO automated sandbox
- Cuckoo - he leading open source automated malware analysis system.
- Pylibemu - A Libemu Cython wrapper.
- RFISandbox - a PHP 5.x script sandbox built on top of funcall
- dorothy2 - A malware/botnet analysis framework written in Ruby
- imalse - Integrated MALware Simulator and Emulator.
- libemu - Shellcode emulation library, useful for shellcode detection.
-
Sandbox-as-a-Service
- Hybrid Analysis - a free malware analysis service powered by Payload Security that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
- Joebox Cloud - analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities.
- VirusTotal
- detux.org - Multiplatform Linux Sandbox.
- malwr.com - free malware analysis service and community.
Data Tools
-
Front Ends
- DionaeaFR - Front Web to Dionaea low-interaction honeypot.
- Django-kippo - Django App for kippo SSH Honeypot.
- Shockpot-Frontend - a full featured script to visualize statistics from a Shockpot honeypot.
- Tango - Honeypot Intelligence with Splunk.
- Wordpot-Frontend - a full featured script to visualize statistics from a Wordpot honeypot.
- honeyalarmg2 - Simplified UI for showing honeypot alarms.
- honeypotDisplay - A flask website which displays data I've gathered with my SSH Honeypot.
-
Visualization
- Acapulco - Automated Attack Community Graph Construction.
- Afterglow Cloud
- Afterglow
- Glastopf Analytics - easy honeypot statistics
- HoneyMalt - Maltego tranforms for mapping Honeypot systems.
- HoneyMap - Real-time websocket stream of GPS events on a fancy SVG world map.
- HoneyStats - A statistical view of the recorded activity on a Honeynet.
- HpfeedsHoneyGraph - a visualization app to visualize hpfeeds logs.
- Kippo stats - Mojolicious app to display statistics for your kippo SSH honeypot.
- Kippo-Graph - a full featured script to visualize statistics from a Kippo SSH honeypot.
- Sebek Dataviz - Sebek data visualization.
- The Intelligent HoneyNet - The Intelligent Honey Net Project attempts to create actionable information from honeypots.
- ovizart - visual analysis for network traffic.
Guides
-
Deployment
- Dionaea and EC2 in 20 Minutes - a tutorial on setting up Dionaea on an EC2 instance
- Using a Raspberry Pi honeypot to contribute data to DShield/ISC - The Raspberry Pi based system will allow us to maintain one code base that will make it easier to collect rich logs beyond firewall logs.
- honeypotpi - Script for turning a Raspberry Pi into a HoneyPot Pi
-
Research Papers
- Honeypot research papers - PDFs of research papers on honeypots
- vEYE - behavioral footprinting for self-propagating worm detection and profiling.