A curated list of awesome honeypots, tools, components and much more. The list is divided into categories such as web, services, and others, focusing on open source projects.
There is no pre-established order of items in each category, the order is for contribution. If you want to contribute, please read the guide.
Discover more awesome lists at sindresorhus/awesome.
- awesome-pcaptools, useful in network traffic analysis
- awesome-malware-analysis, with some overlap here for artifact analysis
-
Database Honeypots
- Elastic honey - A Simple Elasticsearch Honeypot
- mysql - A mysql honeypot, still very very early stage
- A framework for nosql databases ( only redis for now) - The NoSQL Honeypot Framework
- ESPot - ElasticSearch Honeypot
-
Web honeypots
- Glastopf - Web Application Honeypot
- phpmyadmin_honeypot - - A simple and effective phpmyadmin honeypot
- servlet - Webapplication Honeypot
- Nodepot - A nodejs web application honeypot
- basic-auth-pot bap - http Basic Authentication honeyPot
- Shadow Daemon - A modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl & Python apps
- Servletpot - Webapplication Honeypot
- Google Hack Honeypot - designed to provide reconaissance against attackers that use search engines as a hacking tool against your resources.
- smart-honeypot - PHP Script demonstrating a smart honey pot
- wp-smart-honeypot - Wordpress plugin to reduce comment spam with a smarter honeypot
- wordpot - A Wordpress Honeypot
- Bukkit Honeypot Honeypot - A honeypot plugin for Bukkit
- Laravel Application Honeypot - Honeypot - Simple spam prevention package for Laravel applications
- stack-honeypot - Inserts a trap for spam bots into responses
- EoHoneypotBundle - Honeypot type for Symfony2 forms
- shockpot - WebApp Honeypot for detecting Shell Shock exploit attempts
-
Service Honeypots
- Kippo - Medium interaction SSH honeypot
- honeyntp - NTP logger/honeypot
- honeypot-camera - observation camera honeypot
- troje - a honeypot built around lxc containers. It will run each connection with the service within a seperate lxc container.
- slipm-honeypot - A simple low-interaction port monitoring honeypot
-
Anti-honeypot stuff
- kippo_detect - This is not a honeypot, but it detects kippo. (This guy has lots of more interesting stuff)
-
ICS/SCADA honeypots
- Conpot - ICS/SCADA honeypot
- scada-honeynet - mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices
- SCADA honeynet - Building Honeypots for Industrial Networks
-
Deployment
- Dionaea and EC2 in 20 Minutes - a tutorial on setting up Dionaea on an EC2 instance
- honeypotpi - Script for turning a Raspberry Pi into a Honey Pot Pi
-
Data Analysis
- Kippo-Graph - a full featured script to visualize statistics from a Kippo SSH honeypot
- Kippo stats - Mojolicious app to display statistics for your kippo SSH honeypot
-
Other/random
- NOVA uses honeypots as detectors, looks like a complete system
- Open Canary - A low interaction honeypot intended to be run on internal networks.
-
Open Relay Spam Honeypot
- SpamHAT - Spam Honeypot Tool
-
Botnet C2 monitor
- Hale - Botnet command & control monitor
-
IPv6 attack detection tool
- ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization
-
Research Paper
- vEYE - behavioral footprinting for self-propagating worm detection and profiling
-
Honeynet statistics
- HoneyStats - A statistical view of the recorded activity on a Honeynet
-
Dynamic code instrumentation toolkit
- Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android
-
Front-end for dionaea
- DionaeaFR - Front Web to Dionaea low-interaction honeypot
-
Tool to convert website to server honeypots
- HIHAT - ransform arbitrary PHP applications into web-based high-interaction Honeypots
-
Malware collector
- Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database
-
Sebek in QEMU
- Qebek - QEMU based Sebek. As Sebek, it is data capture tool for high interaction honeypot
-
Malware Simulator
- imalse - Integrated MALware Simulator and Emulator
-
Distributed sensor deployment
- Smarthoneypot - custom honeypot intelligence system that is simple to deploy and easy to manage
- Modern Honey Network - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management
- ADHD - Active Defense Harbinger Distribution (ADHD) is a Linux distro based on Ubuntu LTS. It comes with many tools aimed at active defense preinstalled and configured
-
Network Analysis Tool
- Tracexploit - replay network packets
-
Log anonymizer
- LogAnon - log anonymization library that helps having anonymous logs consistent between logs and network captures
-
server
- Honeysink - open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network
-
Botnet traffic detection
- dnsMole - analyse dns traffic, and to potentionaly detect botnet C&C server and infected hosts
-
Low interaction honeypot (router back door)
- Honeypot-32764 - Honeypot for router backdoor (TCP 32764)
-
honeynet farm traffic redirector
- Honeymole - eploy multiple sensors that redirect traffic to a centralized collection of honeypots
-
IDS signature generator
- Nebula - network intrusion signature generator
-
HTTPS Proxy
- mitmproxy - allows traffic flows to be intercepted, inspected, modified and replayed
-
spamtrap
- SendMeSpamIDS.py Simple SMTP fetch all IDS and analyzer
-
System instrumentation
- Sysdig - open source, system-level exploration: capture system state and activity from a running Linux instance, then save, filter and analyze
-
Honeypot for USB-spreading malware
- Ghost-usb - honeypot for malware that propagates via USB storage devices
-
Data Collection
- Kippo2MySQL - extracts some very basic stats from Kippo’s text-based log files (a mess to analyze!) and inserts them in a MySQL database
- Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster)
-
Passive network audit framework parser
- pnaf - Passive Network Audit Framework
-
VM Introspection
- VIX virtual machine introspection toolkit - VMI toolkit for Xen, called Virtual Introspection for Xen (VIX)
- vmscope - Monitoring of VM-based High-Interaction Honeypots
- vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine
-
Binary debugger
- Hexgolems - Schem Debugger Frontend - A debugger frontend
- Hexgolems - Pint Debugger Backend - A debugger backend and LUA wrapper for PIN
-
Mobile Analysis Tool
- APKinspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications
- Androguard - Reverse engineering, Malware and goodware analysis of Android applications ... and more
-
Low interaction honeypot
- Honeypoint - platform of distributed honeypot technologies
- Honeyperl - Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc
-
Honeynet data fusion
- HFlow2 - data coalesing tool for honeynet/network analysis
-
Server
- Nephenthes - versatile tool to collect malware
- LaBrea - takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
- Kippo - SSH honeypot
- KFSensor - Windows based honeypot Intrusion Detection System (IDS)
- Honeytrap - low-interaction honeypot daemon for observing attacks against network services
- Honeyd Also see more honeyd tools
- Honeeebox - Honeypotting on the Asus EEE
- Glastopf - Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications
- DNS Honeypot - Simple UDP honeypot scripts
- Dionaea - nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls
- Conpot - ow interactive server side Industrial Control Systems honeypot
- Bifrozt - High interaction honeypot solution for Linux based systems
- Beeswarm - Honeypot deployment made easy
- Bait and Switch - redirects all hostile traffic to a honeypot that is partially mirroring your production system
- Artillery - open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods
- Amun - vulnerability emulation honeypot
-
VM cloaking script
- Antivmdetect - Script to create templates to use with VirtualBox to make vm detection harder
-
IDS signature generation
-
lookup service for AS-numbers and prefixes
-
Data Collection / Analysis Tool
-
Web interface (for Thug)
- Rumal - Thug's Rumāl: a Thug's dress & weapon
-
Snort binary carving
-
Data Collection / Data Sharing
-
PE-executables analyses
-
Distributed spam tracking
-
Python bindings for libemu
- Pylibemu - A Libemu Cython wrapper
-
Controlled-relay spam honeypot
- Shiva - Spam Honeypot with Intelligent Virtual Analyzer
-
Visualization Tool
-
central management tool
-
Network connection analyzer
-
Virtual Machine Cloaking
-
Honeypot deployment
-
Honeynet analysis tool
-
Automated malware analysis system
-
Low interaction
-
Low interaction honeypot on USB stick
-
Honeypot extensions to Wireshark
-
Data Analysis Tool
-
Telephony honeypot
-
Client
-
Commercial high interaction honeypot
-
Visual analysis for network traffic
-
Binary Management and Analysis Framework
-
Honeypot
-
PDF document inspector
-
Distribution system
-
HoneyClient Management
-
Network Analysis
-
Hybrid low/high interaction honeypot
-
Sebek on Xen
-
SSH Honeypot
-
Glastopf data analysis
-
Distributed sensor project
-
a pcap analyzer
-
Client Web crawler
-
network traffic redirector
-
Honeypot Distribution with mixed content
-
Honeypot sensor
- Dragon Research Group Distro
- [Honeeepi] (https://redmine.honeynet.org/projects/honeeepi/wiki) - Honeeepi is a honeypot sensor on Raspberry Pi which based on customized Raspbian OS.
-
File carving
-
File and Network Threat Intelligence
-
data capture
-
SSH proxy
-
Anti-Cheat
-
behavioral analysis tool for win32
-
Live CD
-
Spamtrap
- Spampot.py
- Spamhole
- spamd
- SMTPot.py
- Mail::SMTP::Honeypot - perl module that appears to provide the functionality of a standard SMTP server
-
Commercial honeynet
-
Server (Bluetooth)
-
Dynamic analysis of Android apps
-
Dockerized Low Interaction packaging
- Manuka
- Dockerized Thug
- Dockerpot A docker based honeypot.
- Docker honeynet Several Honeynet tools set up for Docker containers
-
Network analysis
-
Sebek data visualization
-
Threat Intel feed aggregator / network grapher
-
SIP Server
-
Botnet C2 monitoring
-
low interaction
-
Malware collection
-
Honeyd plugin
-
Honeyd viewer
-
Honeyd to MySQL connector
-
Bootable honeyd
-
Honeyd ported to Windows
-
A script to visualize statistics from honeyd
-
Honeyd UI
- Honeyd configuration GUI - application used to configure the honeyd daemon and generate configuration files
-
Honeyd stats
-
Sandbox
- RFISandbox - a PHP 5.x script sandbox built on top of funcall
- dorothy2 - A malware/botnet analysis framework written in Ruby
- COMODO automated sandbox
- Argos - An emulator for capturing zero-day attacks
-
Sandbox-as-a-Service
- malwr.com - free malware analysis service and community
- detux.org - Multiplatform Linux Sandbox
- Joebox Cloud - analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities
-
Front Ends
- Tango - Honeypot Intelligence with Splunk
- Django-kippo - Django App for kippo SSH Honeypot
-
Visualization