Collection Of Awesome Honeypots

A curated list of awesome honeypots, tools, components and much more. The list is divided into categories such as web, services, and others, focusing on open source projects.

Honeypots

• Database Honeypots
  
  • Elastic honey - A Simple Elasticsearch Honeypot
  • mysql - A mysql honeypot, still very very early stage
  • A framework for nosql databases ( only redis for now) - The NoSQL Honeypot Framework
  • ESPot - ElasticSearch Honeypot
• Web honeypots
  
  • Glastopf - Web Application Honeypot
  • phpmyadmin_honeypot - - A simple and effective phpMyAdmin honeypot
  • servlet - Web application Honeypot
  • Nodepot - A nodejs web application honeypot
  • basic-auth-pot bap - http Basic Authentication honeyPot
  • Shadow Daemon - A modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl & Python apps
  • Servletpot - Web application Honeypot
  • Google Hack Honeypot - designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
  • smart-honeypot - PHP Script demonstrating a smart honey pot
  • HonnyPotter - A WordPress login honeypot for collection and analysis of failed login attempts.
  • wp-smart-honeypot - WordPress plugin to reduce comment spam with a smarter honeypot
  • wordpot - A WordPress Honeypot
  • Bukkit Honeypot Honeypot - A honeypot plugin for Bukkit
  • Laravel Application Honeypot - Honeypot - Simple spam prevention package for Laravel applications
  • stack-honeypot - Inserts a trap for spam bots into responses
  • EoHoneypotBundle - Honeypot type for Symfony2 forms
  • shockpot - WebApp Honeypot for detecting Shell Shock exploit attempts
• Service Honeypots
  
  • Kippo - Medium interaction SSH honeypot
  • honeyntp - NTP logger/honeypot
  • honeypot-camera - observation camera honeypot
  • troje - a honeypot built around lxc containers. It will run each connection with the service within a seperate lxc container.
  • slipm-honeypot - A simple low-interaction port monitoring honeypot
  • HoneyPy - A low interaction honeypot
  • Ensnare - Easy to deploy Ruby honeypot
  • RDPy - A Microsoft Remote Desktop Protocol (RDP) honeypot in python
• Anti-honeypot stuff
  
  • kippo_detect - This is not a honeypot, but it detects kippo. (This guy has lots of more interesting stuff)
• ICS/SCADA honeypots
  
  • Conpot - ICS/SCADA honeypot
  • scada-honeynet - mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices
  • SCADA honeynet - Building Honeypots for Industrial Networks
• Deployment
  
  • Dionaea and EC2 in 20 Minutes - a tutorial on setting up Dionaea on an EC2 instance
  • honeypotpi - Script for turning a Raspberry Pi into a Honey Pot Pi
• Data Analysis
  
  • Kippo-Graph - a full featured script to visualize statistics from a Kippo SSH honeypot
  • Kippo stats - Mojolicious app to display statistics for your kippo SSH honeypot
• Other/random
  
  • NOVA uses honeypots as detectors, looks like a complete system.
  • Open Canary - A low interaction honeypot intended to be run on internal networks.
  • libemu - Shellcode emulation library, useful for shellcode detection.
• Open Relay Spam Honeypot
  
  • SpamHAT - Spam Honeypot Tool
• Botnet C2 monitor
  
  • Hale - Botnet command & control monitor
• IPv6 attack detection tool
  
  • ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization
• Research Paper
  
  • vEYE - behavioral footprinting for self-propagating worm detection and profiling
• Honeynet statistics
  
  • HoneyStats - A statistical view of the recorded activity on a Honeynet
• Dynamic code instrumentation toolkit
  
  • Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android
• Front-end for dionaea
  
  • DionaeaFR - Front Web to Dionaea low-interaction honeypot
• Tool to convert website to server honeypots
  
  • HIHAT - ransform arbitrary PHP applications into web-based high-interaction Honeypots
• Malware collector
  
  • Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database
• Sebek in QEMU
  
  • Qebek - QEMU based Sebek. As Sebek, it is data capture tool for high interaction honeypot
• Malware Simulator
  
  • imalse - Integrated MALware Simulator and Emulator
• Distributed sensor deployment
  
  • Smarthoneypot - custom honeypot intelligence system that is simple to deploy and easy to manage
  • Modern Honey Network - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management
  • ADHD - Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu LTS. It comes with many tools aimed at active defense preinstalled and configured
• Network Analysis Tool
  
  • Tracexploit - replay network packets
• Log anonymizer
  
  • LogAnon - log anonymization library that helps having anonymous logs consistent between logs and network captures
• server
  
  • Honeysink - open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network
• Botnet traffic detection
  
  • dnsMole - analyse dns traffic, and to potentionaly detect botnet C&C server and infected hosts
• Low interaction honeypot (router back door)
  
  • Honeypot-32764 - Honeypot for router backdoor (TCP 32764)
• honeynet farm traffic redirector
  
  • Honeymole - eploy multiple sensors that redirect traffic to a centralized collection of honeypots
• HTTPS Proxy
  
  • mitmproxy - allows traffic flows to be intercepted, inspected, modified and replayed
• spamtrap
  
  • SendMeSpamIDS.py Simple SMTP fetch all IDS and analyzer
• System instrumentation
  
  • Sysdig - open source, system-level exploration: capture system state and activity from a running Linux instance, then save, filter and analyze
• Honeypot for USB-spreading malware
  
  • Ghost-usb - honeypot for malware that propagates via USB storage devices
• Data Collection
  
  • Kippo2MySQL - extracts some very basic stats from Kippo’s text-based log files (a mess to analyze!) and inserts them in a MySQL database
  • Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster)
• Passive network audit framework parser
  
  • pnaf - Passive Network Audit Framework
• VM Introspection
  
  • VIX virtual machine introspection toolkit - VMI toolkit for Xen, called Virtual Introspection for Xen (VIX)
  • vmscope - Monitoring of VM-based High-Interaction Honeypots
  • vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine
• Binary debugger
  
  • Hexgolems - Schem Debugger Frontend - A debugger frontend
  • Hexgolems - Pint Debugger Backend - A debugger backend and LUA wrapper for PIN
• Mobile Analysis Tool
  
  • APKinspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications
  • Androguard - Reverse engineering, Malware and goodware analysis of Android applications ... and more
• Low interaction honeypot
  
  • Honeypoint - platform of distributed honeypot technologies
  • Honeyperl - Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc
• Honeynet data fusion
  
  • HFlow2 - data coalesing tool for honeynet/network analysis
• Server
  
  • LaBrea - takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
  • Kippo - SSH honeypot
  • KFSensor - Windows based honeypot Intrusion Detection System (IDS)
  • Honeyd Also see more honeyd tools
  • Glastopf - Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications
  • DNS Honeypot - Simple UDP honeypot scripts
  • Conpot - ow interactive server side Industrial Control Systems honeypot
  • Bifrozt - High interaction honeypot solution for Linux based systems
  • Beeswarm - Honeypot deployment made easy
  • Bait and Switch - redirects all hostile traffic to a honeypot that is partially mirroring your production system
  • Artillery - open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods
  • Amun - vulnerability emulation honeypot
• VM cloaking script
  
  • Antivmdetect - Script to create templates to use with VirtualBox to make vm detection harder
• IDS signature generation
  
  • Honeycomb
• lookup service for AS-numbers and prefixes
  
  • CC2ASN
• Web interface (for Thug)
  
  • Rumal - Thug's Rumāl: a Thug's dress & weapon
• Data Collection / Data Sharing
  
  • HPfriends - data-sharing platform
  • HPFeeds - lightweight authenticated publish-subscribe protocol
• Distributed spam tracking
  
  • Project Honeypot
• Python bindings for libemu
  
  • Pylibemu - A Libemu Cython wrapper
• Controlled-relay spam honeypot
  
  • Shiva - Spam Honeypot with Intelligent Virtual Analyzer
    • Shiva The Spam Honeypot Tips And Tricks For Getting It Up And Running
• Visualization Tool
  
  • Glastopf Analytics
  • Afterglow Cloud
  • Afterglow
• central management tool
  
  • PHARM
• Network connection analyzer
  
  • Impost
• Virtual Machine Cloaking
  
  • VMCloak
• Honeypot deployment
  
  • Modern Honeynet Network
  • SurfIDS
• Automated malware analysis system
  
  • Cuckoo
  • Anubis
  • Hybrid Analysis
• Low interaction
  
  • mwcollectd
• Low interaction honeypot on USB stick
  
  • Honeystick
• Honeypot extensions to Wireshark
  
  • Whireshark Extensions
• Data Analysis Tool
  
  • HpfeedsHoneyGraph
  • Acapulco
• Telephony honeypot
  
  • Zapping Rachel
• Client
  
  • Pwnypot
  • MonkeySpider
  • Capture-HPC-NG
  • Wepawet
  • URLQuery
  • Trigona
  • Thug
  • Shelia
  • PhoneyC
  • Jsunpack-n
  • HoneyC
  • HoneyBOT
  • CWSandbox / GFI Sandbox
  • Capture-HPC-Linux
  • Capture-HPC
  • Andrubis
• Visual analysis for network traffic
  
  • ovizart
• Binary Management and Analysis Framework
  
  • Viper
• Honeypot
  
  • Single-honeypot
  • Honeyd For Windows
  • IMHoneypot
  • Deception Toolkit
• PDF document inspector
  
  • peepdf
• Distribution system
  
  • Thug Distributed Task Queuing
• HoneyClient Management
  
  • HoneyWeb
• Network Analysis
  
  • HoneyProxy
• Hybrid low/high interaction honeypot
  
  • HoneyBrid
• Sebek on Xen
  
  • xebek
• SSH Honeypot
  
  • Kojoney
  • Cowrie
• Glastopf data analysis
  
  • Glastopf Analytics
• Distributed sensor project
  
  • DShield Web Honeypot Project
  • Distributed Web Honeypot Project
• a pcap analyzer
  
  • Honeysnap
• Client Web crawler
  
  • HoneySpider Network
• network traffic redirector
  
  • Honeywall
• Honeypot Distribution with mixed content
  
  • HoneyDrive
• Honeypot sensor
  
  • Dragon Research Group Distro
  • Honeeepi - Honeeepi is a honeypot sensor on Raspberry Pi which based on customized Raspbian OS.
• File carving
  
  • TestDisk & PhotoRec
• File and Network Threat Intelligence
  
  • VirusTotal
• data capture
  
  • Sebek
• SSH proxy
  
  • HonSSH
• Anti-Cheat
  
  • Minecraft honeypot
• behavioral analysis tool for win32
  
  • Capture BAT
• Live CD
  
  • DAVIX
• Spamtrap
  
  • Spampot.py
  • Spamhole
  • spamd
  • Mail::SMTP::Honeypot - perl module that appears to provide the functionality of a standard SMTP server
• Commercial honeynet
  
  • Specter
  • Netbait
• Server (Bluetooth)
  
  • Bluepot
• Dynamic analysis of Android apps
  
  • Droidbox
• Dockerized Low Interaction packaging
  
  • Manuka
  • Dockerized Thug
  • Dockerpot A docker based honeypot.
  • Docker honeynet Several Honeynet tools set up for Docker containers
• Network analysis
  
  • Quechua
• Sebek data visualization
  
  • Sebek Dataviz
• SIP Server
  
  • Artemnesia VoIP
• Botnet C2 monitoring
  
  • botsnoopd
• low interaction
  
  • mysqlpot
• Malware collection
  
  • Honeybow

Honeyd Tools

• Honeyd plugin
  
  • Honeycomb
• Honeyd viewer
  
  • Honeyview
• Honeyd to MySQL connector
  
  • Honeyd2MySQL
• A script to visualize statistics from honeyd
  
  • Honeyd-Viz
• Honeyd UI
  
  • Honeyd configuration GUI - application used to configure the honeyd daemon and generate configuration files
• Honeyd stats
  
  • Honeydsum.pl

Network and Artifact Analysis

• Sandbox
  
  • RFISandbox - a PHP 5.x script sandbox built on top of funcall
  • dorothy2 - A malware/botnet analysis framework written in Ruby
  • COMODO automated sandbox
  • Argos - An emulator for capturing zero-day attacks
• Sandbox-as-a-Service
  
  • malwr.com - free malware analysis service and community
  • detux.org - Multiplatform Linux Sandbox
  • Joebox Cloud - analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities

Data Tools

• Front Ends
  
  • Tango - Honeypot Intelligence with Splunk
  • Django-kippo - Django App for kippo SSH Honeypot
  • Wordpot-Frontend - a full featured script to visualize statistics from a Wordpot honeypot -Shockpot-Frontend - a full featured script to visualize statistics from a Shockpot honeypot
• Visualization
  
• HoneyMap - Real-time websocket stream of GPS events on a fancy SVG world map
• HoneyMalt - Maltego tranforms for mapping Honeypot systems

Source