paralax/awesome-honeypots

A script to visualize statistics from honeyd

• Honeyd-Viz

• Honeydsum.pl

Central management tool

• PHARM - Manage, report, and analyze your distributed Nepenthes instances.

• Honeypot research papersstars14 - PDFs of research papers on honeypots.
• vEYE - Behavioral footprinting for self-propagating worm detection and profiling.

Behavioral analysis tool for win32

• Capture BAT

• CanaryTokensstars909 - Self-hostable honeytoken generator and reporting dashboard; demo version available at CanaryTokens.org.
• Honeybitsstars234 - Simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs and honeytokens across your production servers and workstations to lure the attacker toward your honeypots.
• Honeyλ (HoneyLambda)stars474 - Simple, serverless application designed to create and monitor URL honeytokens, on top of AWS Lambda and Amazon API Gateway.
• dceptstars469 - Tool for deploying and detecting use of Active Directory honeytokens.
• honeykustars52 - Heroku-based web honeypot that can be used to create and monitor fake HTTP endpoints (i.e. honeytokens).

Botnet C2 tools

• Halestars162 - Botnet command and control monitor.
• dnsMole - Analyses DNS traffic and potentionaly detect botnet command and control server activity, along with infected hosts.

VM monitoring and tools

• Antivmdetectstars590 - Script to create templates to use with VirtualBox to make VM detection harder.
• VMCloakstars373 - Automated Virtual Machine Generation and Cloaking for Cuckoo Sandbox.
• vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine.

Lookup service for AS-numbers and prefixes

• CC2ASN - Simple lookup service for AS-numbers and prefixes belonging to any given country in the world.

Deployment

• Dionaea and EC2 in 20 Minutes - Tutorial on setting up Dionaea on an EC2 instance.
• Using a Raspberry Pi honeypot to contribute data to DShield/ISC - The Raspberry Pi based system will allow us to maintain one code base that will make it easier to collect rich logs beyond firewall logs.
• honeypotpistars30 - Script for turning a Raspberry Pi into a HoneyPot Pi.

SSH Honeypots

• Blacknetstars9 - Multi-head SSH honeypot system.
• Cowriestars3.8k - Cowrie SSH Honeypot (based on kippo).
• DShield dockerstars11 - Docker container running cowrie with DShield output enabled.
• HonSSHstars351 - Logs all SSH communications between a client and server.
• HUDINXstars2 - Tiny interaction SSH honeypot engineered in Python to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
• Kippostars1.4k - Medium interaction SSH honeypot.
• Kippo_JunOSstars9 - Kippo configured to be a backdoored netscreen.
• Kojoney2stars35 - Low interaction SSH honeypot written in Python and based on Kojoney by Jose Antonio Coret.
• Kojoney - Python-based Low interaction honeypot that emulates an SSH server implemented with Twisted Conch.
• Longitudinal Analysis of SSH Cowrie Honeypot Logsstars4 - Python based command line tool to analyze cowrie logs over time.
• LongTail Log Analysis @ Marist College - Analyzed SSH honeypot logs.
• Malbaitstars2 - Simple TCP/UDP honeypot implemented in Perl.
• MockSSHstars113 - Mock an SSH server and define all commands it supports (Python, Twisted).
• cowrie2neostars3 - Parse cowrie honeypot logs into a neo4j database.
• go-sshoneystars26 - SSH Honeypot.
• go0rstars34 - Simple ssh honeypot in Golang.
• gohoneystars9 - SSH honeypot written in Go.
• hivedstars2 - Golang-based honeypot.
• hnypots-agent)stars36 - SSH Server in Go that logs username and password combinations.
• honeypot.gostars23 - SSH Honeypot written in Go.
• honeysshstars9 - Credential dumping SSH honeypot with statistics.
• hornetstars21 - Medium interaction SSH honeypot that supports multiple virtual hosts.
• ssh-auth-loggerstars17 - Low/zero interaction SSH authentication logging honeypot.
• ssh-honeypotstars441 - Fake sshd that logs IP addresses, usernames, and passwords.
• ssh-honeypotstars22 - Modified version of the OpenSSH deamon that forwards commands to Cowrie where all commands are interpreted and returned.
• ssh-honeypotdstars8 - Low-interaction SSH honeypot written in C.
• sshForShitsstars40 - Framework for a high interaction SSH honeypot.
• sshesamestars1.1k - Fake SSH server that lets everyone in and logs their activity.
• sshhipotstars164 - High-interaction MitM SSH honeypot.
• sshlowpotstars11 - Yet another no-frills low-interaction SSH honeypot in Go.
• sshsyrupstars82 - Simple SSH Honeypot with features to capture terminal activity and upload to asciinema.org.
• twisted-honeypotsstars70 - SSH, FTP and Telnet honeypots based on Twisted.

Distributed Honeypots

• DemonHunterstars46 - Low interaction honeypot server.

A pcap analyzer

• Honeysnap

Network traffic redirector

• Honeywall

IOT Honeypot

• HoneyThingstars96 - TR-069 Honeypot.
• Kakostars20 - Honeypots for a number of well known and deployed embedded device vulnerabilities.

Dynamic code instrumentation toolkit

• Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.

Front Ends

• DionaeaFRstars63 - Front Web to Dionaea low-interaction honeypot.
• Django-kippostars12 - Django App for kippo SSH Honeypot.
• Shockpot-Frontendstars2 - Full featured script to visualize statistics from a Shockpot honeypot.
• Tangostars249 - Honeypot Intelligence with Splunk.
• Wordpot-Frontendstars3 - Full featured script to visualize statistics from a Wordpot honeypot.
• honeyalarmg2stars3 - Simplified UI for showing honeypot alarms.
• honeypotDisplaystars2 - Flask website which displays data gathered from an SSH Honeypot.

• Acapulcostars11 - Automated Attack Community Graph Construction.
• Afterglow Cloudstars16
• Afterglow
• Glastopf Analyticsstars1 - Easy honeypot statistics.
• HoneyMaltstars15 - Maltego tranforms for mapping Honeypot systems.
• HoneyMapstars211 - Real-time websocket stream of GPS events on a fancy SVG world map.
• HoneyStats - Statistical view of the recorded activity on a Honeynet.
• HpfeedsHoneyGraphstars14 - Visualization app to visualize hpfeeds logs.
• Kippo statsstars20 - Mojolicious app to display statistics for your kippo SSH honeypot.
• Kippo-Graph - Full featured script to visualize statistics from a Kippo SSH honeypot.
• The Intelligent HoneyNetstars55 - Create actionable information from honeypots.
• ovizartstars47 - Visual analysis for network traffic.

Honeyd plugin

• Honeycomb

Honeyd viewer

• Honeyview

Honeyd to MySQL connector

• Honeyd2MySQL

Sandbox

• Argos - Emulator for capturing zero-day attacks.
• COMODO automated sandbox
• Cuckoo - Leading open source automated malware analysis system.
• Pylibemustars115 - Libemu Cython wrapper.
• RFISandbox - PHP 5.x script sandbox built on top of funcall.
• dorothy2stars197 - Malware/botnet analysis framework written in Ruby.
• imalsestars12 - Integrated MALware Simulator and Emulator.
• libemustars97 - Shellcode emulation library, useful for shellcode detection.

• Hybrid Analysis - Free malware analysis service powered by Payload Security that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
• Joebox Cloud - Analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities.
• VirusTotal - Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community.
• malwr.com - Free malware analysis service and community.

Other/random

• Damn Simple Honeypot (DSHP)stars14 - Honeypot framework with pluggable handlers.
• NOVAstars72 - Uses honeypots as detectors, looks like a complete system.
• OpenFlow Honeypot (OFPot)stars20 - Redirects traffic for unused IPs to a honeypot, built on POX.
• OpenCanarystars1.4k - Modular and decentralised honeypot daemon that runs several canary versions of services that alerts when a service is (ab)used.
• ciscoasa_honeypotstars44 A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.
• miniprintstars185 - A medium interaction printer honeypot.

IPv6 attack detection tool

• ipv6-attack-detectorstars34 - Google Summer of Code 2012 project, supported by The Honeynet Project organization.

Tool to convert website to server honeypots

• HIHAT - Transform arbitrary PHP applications into web-based high-interaction Honeypots.

Malware collector

• Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database.

Distributed sensor deployment

• Community Honey Network - CHN aims to make deployments honeypots and honeypot management tools easy and flexible. The default deployment method uses Docker Compose and Docker to deploy with a few simple commands.
• Modern Honey Networkstars2.2k - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management.

Network Analysis Tool

• Tracexploit - Replay network packets.

Log anonymizer

• LogAnon - Log anonymization library that helps having anonymous logs consistent between logs and network captures.

Low interaction honeypot (router back door)

• Honeypot-32764stars15 - Honeypot for router backdoor (TCP 32764).
• WAPotstars9 - Honeypot that can be used to observe traffic directed at home routers.

honeynet farm traffic redirector

• Honeymole - Deploy multiple sensors that redirect traffic to a centralized collection of honeypots.

HTTPS Proxy

• mitmproxy - Allows traffic flows to be intercepted, inspected, modified, and replayed.

System instrumentation

• Sysdig - Open source, system-level exploration allows one to capture system state and activity from a running GNU/Linux instance, then save, filter, and analyze the results.
• Fibratusstars1.5k - Tool for exploration and tracing of the Windows kernel.

Honeypot for USB-spreading malware

• Ghost-usbstars74 - Honeypot for malware that propagates via USB storage devices.

Data Collection

• Kippo2MySQL - Extracts some very basic stats from Kippo’s text-based log files and inserts them in a MySQL database.
• Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster).

Passive network audit framework parser

• Passive Network Audit Framework (pnaf)stars30 - Framework that combines multiple passive and automated analysis techniques in order to provide a security assessment of network platforms.

Binary debugger

• Hexgolems - Pint Debugger Backendstars30 - Debugger backend and LUA wrapper for PIN.
• Hexgolems - Schem Debugger Frontendstars142 - Debugger frontend.

Mobile Analysis Tool

• Androguardstars3.8k - Reverse engineering, Malware and goodware analysis of Android applications and more.
• APKinspectorstars756 - Powerful GUI tool for analysts to analyze the Android applications.

Low interaction honeypot

• Honeyperl - Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc.
• T-Potstars3.2k - All in one honeypot appliance from telecom provider T-Mobile

Honeynet data fusion

• HFlow2 - Data coalesing tool for honeynet/network analysis.

Server

• Amun - Vulnerability emulation honeypot.
• Artillerystars314 - Open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
• Bait and Switch - Redirects all hostile traffic to a honeypot that is partially mirroring your production system.
• Bifroztstars4 - Automatic deploy bifrozt with ansible.
• Conpot - Low interactive server side Industrial Control Systems honeypot.
• Heraldingstars316 - Credentials catching honeypot.
• HoneyWRTstars18 - Low interaction Python honeypot designed to mimic services or ports that might get targeted by attackers.
• Honeydstars8 - See honeyd tools.
• Honeysink - Open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.
• Hontelstars152 - Telnet Honeypot.
• KFSensor - Windows based honeypot Intrusion Detection System (IDS).
• LaBrea - Takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
• MTPotstars96 - Open Source Telnet Honeypot, focused on Mirai malware.
• SIRENstars10 - Semi-Intelligent HoneyPot Network - HoneyNet Intelligent Virtual Environment.
• TelnetHoneystars0 - Simple telnet honeypot.
• UDPot Honeypotstars38 - Simple UDP/DNS honeypot scripts.
• Yet Another Fake Honeypot (YAFH)stars6 - Simple honeypot written in Go.
• arctic-swallowstars1 - Low interaction honeypot.
• faprostars1k - Fake Protocol Server.
• gluttonstars171 - All eating honeypot.
• go-HoneyPotstars41 - Honeypot server written in Go.
• go-emulatorsstars8 - Honeypot Golang emulators.
• honeymailstars14 - SMTP honeypot written in Golang.
• honeytrapstars85 - Low-interaction honeypot and network security tool written to catch attacks against TCP and UDP services.
• imap-honeystars17 - IMAP honeypot written in Golang.
• mwcollectd - Versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
• potdstars27 - Highly scalable low- to medium-interaction SSH/TCP honeypot designed for OpenWrt/IoT devices leveraging several Linux kernel features, such as namespaces, seccomp and thread capabilities.
• portlurkerstars12 - Port listener in Rust with protocol guessing and safe string display.
• slipm-honeypotstars14 - Simple low-interaction port monitoring honeypot.
• telnet-iot-honeypotstars268 - Python telnet honeypot for catching botnet binaries.
• telnetloggerstars227 - Telnet honeypot designed to track the Mirai botnet.
• vnclowpotstars19 - Low interaction VNC honeypot.

IDS signature generation

• Honeycomb - Automated signature creation using honeypots.

Data Collection / Data Sharing

• HPfriends - Honeypot data-sharing platform.
  • hpfriends - real-time social data-sharing - Presentation about HPFriends feed system
• HPFeedsstars198 - Lightweight authenticated publish-subscribe protocol.

Network connection analyzer

• Impost - Network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons.

Honeypot deployment

• Modern Honeynet Network - Streamlines deployment and management of secure honeypots.

Honeypot extensions to Wireshark

• Wireshark Extensions - Apply Snort IDS rules and signatures against packet capture files using Wireshark.

Client

• CWSandbox / GFI Sandbox
• Capture-HPC-Linux
• Capture-HPC-NGstars12
• Capture-HPC - High interaction client honeypot (also called honeyclient).
• HoneyBOT
• HoneyC
• HoneySpider Networkstars29 - Highly-scalable system integrating multiple client honeypots to detect malicious websites.
• HoneyWeb - Web interface created to manage and remotely share Honeyclients resources.
• Jsunpack-nstars145
• MonkeySpider
• PhoneyCstars26 - Python honeyclient (later replaced by Thug).
• Pwnypot - High Interaction Client Honeypot.
• Rumal - Thug's Rumāl: a Thug's dress and weapon.
• Shelia - Client-side honeypot for attack detection.
• Thug - Python-based low-interaction honeyclient.
• Thug Distributed Task Queuing
• Trigona
• URLQuery
• YALIH (Yet Another Low Interaction Honeyclient)stars61 - Low-interaction client honeypot designed to detect malicious websites through signature, anomaly, and pattern matching techniques.

Honeypot

• Deception Toolkit
• IMHoneypotstars11

PDF document inspector

• peepdfstars763 - Powerful Python tool to analyze PDF documents.

Hybrid low/high interaction honeypot

• HoneyBrid

Distributed sensor project

• DShield Web Honeypot Project

Honeypot Distribution with mixed content

• HoneyDrive

Honeypot sensor

• Honeeepi - Honeypot sensor on a Raspberry Pi based on a customized Raspbian OS.

File carving

• TestDisk & PhotoRec

Live CD

• DAVIX - The DAVIX Live CD.

Spamtrap

• Mail::SMTP::Honeypot - Perl module that appears to provide the functionality of a standard SMTP server.
• Mailoneystars222 - SMTP honeypot, Open Relay, Cred Harvester written in python.
• SendMeSpamIDS.pystars15 - Simple SMTP fetch all IDS and analyzer.
• Shivastars123 - Spam Honeypot with Intelligent Virtual Analyzer.
  • Shiva The Spam Honeypot Tips And Tricks For Getting It Up And Running
• SpamHATstars23 - Spam Honeypot Tool.
• Spamhole
• honeypotstars2 - The Project Honey Pot un-official PHP SDK.
• spamd

Commercial honeynet

• Cymmetria Mazerunner - Leads attackers away from real targets and creates a footprint of the attack.

Server (Bluetooth)

• Bluepotstars147

Dynamic analysis of Android apps

• Droidbox

Dockerized Low Interaction packaging

• Docker honeynetstars22 - Several Honeynet tools set up for Docker containers.
• Dockerized Thug - Dockerized Thugstars860 to analyze malicious web content.
• Dockerpotstars148 - Docker based honeypot.
• Manukastars21 - Docker based honeypot (Dionaea and Kippo).
• honey_portsstars3 - Very simple but effective docker deployed honeypot to detect port scanning in your environment.
• mhn-core-dockerstars30 - Core elements of the Modern Honey Network implemented in Docker.

Network analysis

• Quechua

SIP Server

• Artemnesia VoIP

ICS/SCADA honeypots

• Conpotstars951 - ICS/SCADA honeypot.
• GasPotstars104 - Veeder Root Gaurdian AST, common in the oil and gas industry.
• SCADA honeynet - Building Honeypots for Industrial Networks.
• gridpotstars44 - Open source tools for realistic-behaving electric grid honeynets.
• scada-honeynet - Mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices.

Database Honeypots

• Delilahstars12 - Elasticsearch Honeypot written in Python (originally from Novetta).
• ESPotstars23 - Elasticsearch honeypot written in NodeJS, to capture every attempts to exploit CVE-2014-3120.
• Elastic honeystars169 - Simple Elasticsearch Honeypot.
• MongoDB-HoneyProxystars79 - MongoDB honeypot proxy.
• NoSQLpotstars102 - Honeypot framework built on a NoSQL-style database.
• mysql-honeypotdstars18 - Low interaction MySQL honeypot written in C.
• MysqlPotstars23 - MySQL honeypot, still very early stage.
• pghoneystars9 - Low-interaction Postgres Honeypot.
• sticky_elephantstars6 - Medium interaction postgresql honeypot.

Web honeypots

• Express honeypotstars0 - RFI & LFI honeypot using nodeJS and express.
• EoHoneypotBundlestars31 - Honeypot type for Symfony2 forms.
• Glastopfstars462 - Web Application Honeypot.
• Google Hack Honeypot - Designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
• HellPotstars108 - Honeypot that tries to crash the bots and clients that visit it's location.
• Laravel Application Honeypotstars417 - Simple spam prevention package for Laravel applications.
• Nodepotstars38 - NodeJS web application honeypot.
• PasitheaHoneypotstars0 - RestAPI honeypot.
• Servletpotstars12 - Web application Honeypot.
• Shadow Daemon - Modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl, and Python apps.
• StrutsHoneypotstars69 - Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers.
• WebTrapstars45 - Designed to create deceptive webpages to deceive and redirect attackers away from real websites.
• basic-auth-pot (bap)stars33 - HTTP Basic Authentication honeypot.
• bwpotstars24 - Breakable Web applications honeyPot.
• django-admin-honeypotstars833 - Fake Django admin login screen to notify admins of attempted unauthorized access.
• drupostars55 - Drupal Honeypot.
• honeyhttpdstars19 - Python-based web server honeypot builder.
• honeyupstars16 - An uploader honeypot designed to look like poor website security.
• owa-honeypotstars7 - A basic flask based Outlook Web Honey pot.
• phpmyadmin_honeypotstars65 - Simple and effective phpMyAdmin honeypot.
• shockpotstars53 - WebApp Honeypot for detecting Shell Shock exploit attempts.
• smart-honeypotstars16 - PHP Script demonstrating a smart honey pot.
• Snare/Tanner - successors to Glastopf
  • Snarestars360 - Super Next generation Advanced Reactive honeypot.
  • Tannerstars161 - Evaluating SNARE events.
• stack-honeypotstars23 - Inserts a trap for spam bots into responses.
• tomcat-manager-honeypotstars7 - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves attacker's WAR file for later study
• WordPress honeypots
  • HonnyPotterstars26 - WordPress login honeypot for collection and analysis of failed login attempts.
  • HoneyPressstars1 - Python based WordPress honeypot in a Docker container.
  • wp-smart-honeypotstars26 - WordPress plugin to reduce comment spam with a smarter honeypot.
  • wordpotstars163 - WordPress Honeypot.

Service Honeypots

• ADBHoneystars131 - Low interaction honeypot that simulates an Android device running Android Debug Bridge (ADB) server process.
• AMTHoneypotstars14 - Honeypot for Intel's AMT Firmware Vulnerability CVE-2017-5689.
• DolosHoneypotstars0 - SDN (software defined networking) honeypot.
• Ensnarestars67 - Easy to deploy Ruby honeypot.
• HoneyPystars425 - Low interaction honeypot.
• Honeygrovestars17 - Multi-purpose modular honeypot based on Twisted.
• Honeyportstars36 - Simple honeyport written in Bash and Python.
• Honeyprintstars15 - Printer honeypot.
• Lyrebird - Modern high-interaction honeypot framework.
• MICROS honeypotstars10 - Low interaction honeypot to detect CVE-2018-2636 in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (MICROS).
• RDPystars1.5k - Microsoft Remote Desktop Protocol (RDP) honeypot implemented in Python.
• SMB Honeypotstars37 - High interaction SMB service honeypot capable of capturing wannacry-like Malware.
• Tom's Honeypotstars18 - Low interaction Python honeypot.
• WebLogic honeypotstars26 - Low interaction honeypot to detect CVE-2017-10271 in the Oracle WebLogic Server component of Oracle Fusion Middleware.
• WhiteFace Honeypotstars3 - Twisted based honeypot for WhiteFace.
• dhpstars20 - Simple Docker Honeypot server emulating small snippets of the Docker HTTP API.
• honeycomb_pluginsstars23 - Plugin repository for Honeycomb, the honeypot framework by Cymmetria.
• honeyntpstars51 - NTP logger/honeypot.
• honeypot-camerastars50 - Observation camera honeypot.
• honeypot-ftpstars22 - FTP Honeypot.
• honeytrapstars1k - Advanced Honeypot framework written in Go that can be connected with other honeypot software.
• pyrdpstars712 - RDP man-in-the-middle and library for Python 3 with the ability to watch connections live or after the fact.
• trojestars44 - Honeypot that runs each connection with the service within a separate LXC container.

Anti-honeypot stuff

• kippo_detectstars50 - Offensive component that detects the presence of the kippo honeypot.