HoneyPot

 

HoneyPot

http://www.honeynet.org/project

Capture BAT
This is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the NZ Chapter.

Find out more
Capture-HPC
Capture-HPC is a high-interaction client honeypot framework. Capture-HPC identifies malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and observing its system for unauthorized state changes. Developed by Christian Seifert and Ramon Steenson of the New Zealand Chapter.

Find out more
Cuckoo - Automated Malware Analysis
Malware is the raw-material associated with many cybercrime-related activities. Cuckoo is a lightweight solution that performs automated dynamic analysis of provided Windows binaries. It is able to return comprehensive reports on key API calls and network activity.

Current features are:

Retrieve files from remote URLs and analyze them.
Trace relevant API calls for behavioral analysis.
Recursively monitor newly spawned processes.
Dump generated network traffic.
Run concurrent analysis on multiple machines.
Support custom analysis package based on AutoIt3 scripting.
Intercept downloaded and deleted files.
Take screenshots during runtime.
Cuckoo is available from http://www.cuckoobox.org/index.php.

Find out more
Glastopf
Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabilities expose a large attack surface that can be exploited to, among others, deface the web site, send spam, convert web site into bots, and serve drive-by-download attacks. Glastopf is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to setup and once indexed by search engines, attacks will pour in by the thousands daily. Glastopf has been developed as part of the 2009 Google of Summer Code by student Lukas Rist (and mentored by Thorsten Holz of the German Honeynet Project Chapter). It can be downloaded from the Glastopf trac site at http://trac.glastopf.org/trac. More information on Glastopf can be found on the project site at http://glastopf.org/.

Find out more
Google Hack Honeypot
Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool. Developed by Ryan McGeehan & Brian Engert of the Chicago Chapter.

Find out more
High Interaction Honeypot Analysis Toolkit (HIHAT):
This tool transforms arbitrary PHP applications into web-based high-interaction Honeypots. Apart from the possibility to create high-interaction honeypots, HIHAT furthermore comprises a graphical user interface which supports the process of monitoring the honeypot, analysing the acquired data. Last, it generates an IP-based geographical mapping of the attack sources and generates extensive statistics. HIHAT is developed and maintained by Michael Mueter of the Giraffe Chapter.

Find out more
HoneyBow
HoneyBow is a high-interaction malware collection toolkit and can be integrated with nepenthes and the mwcollect Alliance's GOTEK architecture. Developed and maintained by the Chinese Chapter.

Find out more
HoneyC
HoneyC is a low interaction client honeypot framework that allows to find malicious servers on a network. Instead of using a fully functional operating system and client to perform this task, HoneyC uses emulated clients that are able to solicit as much of a response from a server that is necessary for analysis of malicious content. Developed by Christian Seifert of the New Zealand Chapter.

Find out more
Honeyd
This is a low-interaction honeypot used for capturing attacker activity, very flexible. Developed and maintained by Niels Provos of the Global Chapter.

Find out more
Honeymole
Honeymole: This is used for honeypot farms. You deploy multiple sensors that redirect traffic to a centralized collection of honeypots. Developed and maintained by the Portuguese Chapter.

Find out more
Honeysnap
Honeysnap. Primary tool used for extracting and analyzing data from pcap files, including IRC communications. Developed and maintained by Arthur Clune of the UK Chapter.
For more information/questions, please join the mailing list (details on the project home page)

Find out more
Honeystick
Honeystick: This is a bootable Honeynet from a USB device. It includes both the Honeywall and honeypots from a single, portable device. Developed and maintained by the UK Honeynet Project.

Find out more
Honeytrap
This is a tool for observing novel attacks against network services by starting dymanic servers. It performs some basic data analysis and downloads malware automatically. Developed by Tillmann Werner of the Giraffe Chapter.

Find out more
Honeywall CDROM
Honeywall CDROM is our primary high-interaction tool for capturing, controling and analyzing attacks. It creates an architecture that allows you to deploy both low-interaction and high-interaction honeypots, but is designed primarily for high-interaction.
For more information, please see the project TRAC page

Find out more
Pehunter
Pehunter is a snort dynamic preprocessor that grabs Windows executables off the network. It is intended to sit inline in front of high-interactive honeypots. Developed and maintained by Tillmann Werner of the Giraffe Chapter.

Find out more
PhoneyC: A virtual client honeypot
PhoneyC is a virtual client honeypot, meaning it is not a real application but rather an emulated client. By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.

Find out more
PicViz - Data Visualization Tool
Picviz is a parallel coordinates[1] plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize your data and discover interesting results quickly. This way, you can find in million of events malicious things you were not thinking about and that no regex based program would find for you.
 
[1] http://en.wikipedia.org/wiki/Parallel_coordinates

Find out more
Qebek
For the last few years, while low-interaction (LI) honeypot systems like Nepenthes and PHoneyC are getting more and more powerful, the progress of high-interaction (HI) honeypot technology has been somewhat slower. This is especially true for Sebek, the de-facto HI honeypot monitoring tool. Qebek is a QEMU based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers’ activities in HI honeypots.

Our KYT paper on Qebek provides great detail on how to install and use Qebek. Its available at http://honeynet.org/papers/KYT_qebek.

Find out more
Sebek
Sebek is kernel module installed on high-interaction honeypots for the purpose of extensive data collection. It allows administrators to collect activities such as keystrokes on the system, even in encrypted environments. Designed primarily for Win32 and Linux systems.

Find out more
Tracker
Tracker facilitates the identification of abnormal DNS activity. It will find domains that are resolving to a large number of IP's in a short period of time then continue to track those hostname->IP mappings untill either the hostname nolonger responds or the user decides to stop tracking that hostname. Really efficient at finding fast-flux domains and other dodgy A-Record rotations. Tracker is a tool developed by the Honeynet Project Australian Chapter.