honeybits - A simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs & honeytokens across your systems to lure the attacker toward your honeypots


A simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs & honeytokens across your production servers and workstations to lure the attacker toward your honeypots. Author: Adel "0x4D31" Karimi.




Related Projects

honeyLambda - honeyλ - a simple, serverless application designed to create and monitor fake HTTP endpoints (i

  •    Python

honeyλ allows you to create and monitor fake HTTP endpoints automatically. You can then place these URL honeytokens in e.g. your inbox, documents, browser history, or embed them as {hidden} links in your web pages (Note: honeybits can be used for spreading breadcrumbs across your systems to lure the attackers toward your traps). Depending on how and where you implement honeytokens, you may detect human attackers, malicious insiders, content scrapers, or bad bots. This application is based on the Serverless framework and can be deployed in different cloud providers such as Amazon Web Services (AWS), Microsoft Azure, IBM OpenWhisk or Google Cloud (only tested on AWS; the main function may need small changes to support other providers). If your cloud provider is AWS, it automatically creates HTTP endpoints using Amazon API Gateway and then starts monitoring the HTTP endpoints using the honeyλ Lambda function.

honeytrap - Advanced Honeypot framework.

  •    Go

See our documentation on docs.honeytrap.io. Join the honeytrap-users mailing list to discuss all things Honeytrap.

cowrie - Cowrie SSH/Telnet Honeypot

  •    Python

This is the official repository for the Cowrie SSH and Telnet Honeypot effort. Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.

Honeypot - Low interaction honeypot that displays real time attacks

  •    Javascript

Low interaction honeypot application that displays real time attacks in the web interface. Made just for fun and it is not production ready. Written in Node.js, the application listens on the 128 most common TCP ports and saves results to a MySQL database for further analysis.


  •    Perl

Single-honeypot is a powerful tool for those with a security interest in studying techniques for breaking into systems. It is a single, small honeypot for testing your networks for hostile visitors. It is written as a Perl script. Simulate different servi

awesome-threat-detection - A curated list of awesome threat detection and hunting resources


Contributions welcome! Read the contribution guidelines first. To the extent possible under law, Adel "0x4D31" Karimi has waived all copyright and related or neighboring rights to this work.

DCEPT - A tool for deploying and detecting use of Active Directory honeytokens

  •    Python

DCEPT (Domain Controller Enticing Password Tripwire) is a honeytoken-based tripwire for Microsoft Active Directory. Honeytokens are pieces of information intentionally littered on a system so they can be discovered by an intruder. The honeytokens are credentials that would only be known by someone extracting them from memory. A logon attempt using these faux credentials would mean someone was inside the network and is attempting privilege escalation to domain administrator.

conpot - ICS/SCADA honeypot

  •    Python

The build of the documentation source can be found here. There you will also find the instructions on how to install conpot and the FAQ. Navigate to http://MY_IP_ADDRESS to confirm the setup.

dionaea - Home of the dionaea honeypot

  •    Python

Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls.

gretel - Flexible Ruby on Rails breadcrumbs plugin.

  •    Ruby

(TL;DR) Gretel is a Ruby on Rails plugin that makes it easy yet flexible to create breadcrumbs. It is based around the idea that breadcrumbs are a concern of the view, so you define a set of breadcrumbs in config/breadcrumbs.rb (or multiple files; see below) and specify in the view which breadcrumb to use. Gretel also supports semantic breadcrumbs (those used in Google results). Have fun! And please do write, if you (dis)like it – lassebunk@gmail.com.

Honeypot - Simple spam prevention package for Laravel applications

  •    PHP

The "Honeypot" method of spam prevention is a simple and effective way to deter some of the spam bots that come to your site. This technique is based on creating an input field that should be left empty by the real users of the application but will most likely be filled out by spam bots. This package creates a hidden DIV with two fields in it: a honeypot field (like "my_name") and a honeytime field, an encrypted timestamp that marks the moment when the page was served to the user. When the form containing these inputs, invisible to the user, is submitted to your application, a custom validator that comes with the package checks that the honeypot field is empty and also checks the time it took for the user to fill out the form. If the form was filled out too quickly (i.e. less than 5 seconds) or if there was a value put in the honeypot field, this submission is most likely from a spam bot.

HoneyPy - A low to medium interaction honeypot.

  •    Python

A low interaction honeypot with the capability to be more of a medium interaction honeypot. Feel free to follow the QuickStart Guide to dive in directly. The main documentation can be found at the HoneyPy Docs site.

SNMP Trap Translator

  •    Perl

SNMP Trap Translator is used to 'translate' traps received from the NET-SNMP / UCD-SNMP snmptrapd trap daemon into easy to understand messages.

trapcc - Computing with traps

  •    C

This is a proof by construction that the Intel MMU's fault handling mechanism is Turing complete. We have constructed an assembler that translates 'Move, Branch if Zero, Decrement' instructions to C source that sets up various processor control tables. After this code has executed, the CPU computes by attempting to fault without ever executing a single instruction. Optionally, the assembler can also generate X86 instructions that will display variables in the VGA frame buffer and will cause control to be transferred between the native (display) instructions and 'weird machine' trap instructions. To read up on the awesome idea of weird machines and their uses, see @sergeybratus's and @halvarflake's work. In short, we are trying to find hidden state and derive computation of it in unexpected places. One practical use of this technique is for code obfuscation - many (kernel) debuggers will break due to the frequent context switches (esp. cooperative debuggers like KGDB) and analyzing the binary is going to be extraordinarily confusing, especially if normal X86 instructions and trap instructions are interleaved to do weird control transfer. Furthermore, out of the many virtual machines only Bochs runs such trap based programs correctly (and there are other tricks to distinguish Bochs from a real box).

maltrail - Malicious traffic detection system

  •    Python

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. for known malicious executable), IP address (e.g. for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware). Maltrail is based on the Traffic -> Sensor <-> Server <-> Client architecture. Sensor(s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it "monitors" the passing Traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs). In case of a positive match, it sends the event details to the (central) Server where they are being stored inside the appropriate logging directory (i.e. LOG_DIR described in the Configuration section). If Sensor is being run on the same machine as Server (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e. LOG_SERVER described in the Configuration section).

invisible_captcha - :honey_pot: Unobtrusive and flexible spam protection for Rails apps

  •    Ruby

Simple and flexible spam protection solution for Rails applications. Invisible Captcha provides different techniques to protect your application against spambots.

sshesame - A fake SSH server that lets everyone in and logs their activity

  •    Go

This software, just like any other, might contain bugs. Given the popular nature of SSH, you probably shouldn't run it unsupervised as root on a production server on port 22. Use common sense. without actually executing anything on the host.

crummy - Tasty breadcrumbs! Crummy is a simple and tasty way to add breadcrumbs to your Rails applications

  •    Ruby

Crummy is a simple and tasty way to add breadcrumbs to your Rails applications. In your controllers you may add_crumb either like a before_filter or within a method (It is also available to views).

react-breadcrumbs - Automatic breadcrumbs for React-Router

  •    Javascript

React component used to generate a breadcrumb trail (compatible with React Router). The /demo directory provides one example of how this package can be used. See the /demo for the code powering the small site.

Valhala Honeypot

  •    Pascal

Valhala Honeypot is an easy to use honeypot for the Windows System. The program has the following services: http (web), ftp, tftp, finger, pop3, smtp, echo, daytime, telnet and port forwarding. Some services are real, others are a simulation.