This page contains a list of tools and services that we use on a regular basis. Most of these tools have been created by our members and participating GSoC students, but some are also external and not affiliated with the Honeynet Project. We hope you find the link collection below useful. If you see that a specific tool is not listed but should be, feel free to email projects@honeynet.org.
This is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the NZ Chapter.
Capture-HPC is a high-interaction client honeypot framework. Capture-HPC identifies malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and observing its system for unauthorized state changes. Developed by Christian Seifert and Ramon Steenson of the New Zealand Chapter.
CC2ASN is an online tool that allows one to lookup ASN and IP address ranges for a specific country.
Malware is the raw material associated with many cybercrime-related activities. Cuckoo is a lightweight solution that performs automated dynamic analysis of provided Windows binaries. It is able to return comprehensive reports on key API calls and network activity.
Current features are:
Cuckoo is available from http://www.cuckoobox.org/index.php.
Dionaea is a low-interaction honeypot that captures attack payloads and malware. Dionaea is meant to be a Nepenthes successor, embedding Python as its scripting language, using libemu to detect shellcode, and supporting IPv6 and TLS.
Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabilities expose a large attack surface that can be exploited to, among other things, deface the web site, send spam, convert web sites into bots, and serve drive-by-download attacks. Glastopf is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to set up and, once indexed by search engines, attacks will pour in by the thousands daily. Glastopf has been developed as part of the 2009 Google Summer of Code by student Lukas Rist (and mentored by Thorsten Holz of the German Honeynet Project Chapter). It can be downloaded from the Glastopf trac site at http://trac.glastopf.org/trac. More information on Glastopf can be found on the project site at http://glastopf.org/.
Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool. Developed by Ryan McGeehan & Brian Engert of the Chicago Chapter.
Hflow2 is a data coalescing tool for honeynet/network analysis. It coalesces data from snort, p0f and sebekd into a unified, cross-related data structure stored in a relational database.
A paper with a more detailed description can be found at http://www.cs.indiana.edu/~cviecco/papers/hflow2.pdf.
This tool transforms arbitrary PHP applications into web-based high-interaction honeypots. Apart from the possibility of creating high-interaction honeypots, HIHAT also comprises a graphical user interface which supports the process of monitoring the honeypot and analysing the acquired data. Last, it generates an IP-based geographical mapping of the attack sources and generates extensive statistics. HIHAT is developed and maintained by Michael Mueter of the Giraffe Chapter.
HoneyBow is a high-interaction malware collection toolkit and can be integrated with nepenthes and the mwcollect Alliance's GOTEK architecture. Developed and maintained by the Chinese Chapter.
HoneyC is a low-interaction client honeypot framework that finds malicious servers on a network. Instead of using a fully functional operating system and client to perform this task, HoneyC uses emulated clients that are able to solicit as much of a response from a server as is necessary for analysis of malicious content. Developed by Christian Seifert of the New Zealand Chapter.
This is a very flexible low-interaction honeypot used for capturing attacker activity. Developed and maintained by Niels Provos of the Global Chapter.
Honeymole: This is used for honeypot farms. You deploy multiple sensors that redirect traffic to a centralized collection of honeypots. Developed and maintained by the Portuguese Chapter.
Honeysnap. Primary tool used for extracting and analyzing data from pcap files, including IRC communications. Developed and maintained by Arthur Clune of the UK Chapter.
For more information or questions, please join the mailing list (details on the project home page).
Honeystick: This is a bootable Honeynet from a USB device. It includes both the Honeywall and honeypots from a single, portable device. Developed and maintained by the UK Honeynet Project.
This is a tool for observing novel attacks against network services by starting dynamic servers. It performs some basic data analysis and downloads malware automatically. Developed by Tillmann Werner of the Giraffe Chapter.
Honeywall CDROM is our primary high-interaction tool for capturing, controlling and analyzing attacks. It creates an architecture that allows you to deploy both low-interaction and high-interaction honeypots, but is designed primarily for high-interaction.
For more information, please see the project TRAC page.
Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
Libemu is a small library written in C offering basic x86 emulation and shellcode detection. Libemu turns shellcode instructions into the function calls the shellcode performs, so an analyst can quickly discern the actions of the shellcode and answer questions such as whether the shellcode is downloading a program or executing a process. It is the de-facto standard when it comes to analyzing shellcode.
Nebula is a network intrusion signature generator. It can help secure a network by automatically deriving and installing filter rules from attack traces. In a common setup, nebula runs as a daemon and receives attacks from honeypots. Signatures are currently published in Snort format.
Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities.
Pehunter is a snort dynamic preprocessor that grabs Windows executables off the network. It is intended to sit inline in front of high-interaction honeypots. Developed and maintained by Tillmann Werner of the Giraffe Chapter.
PhoneyC is a virtual client honeypot, meaning it is not a real application but rather an emulated client. By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.
Picviz is a parallel coordinates[1] plotter which enables easy scripting from various inputs (tcpdump, syslog, iptables logs, apache logs, etc.) to visualize your data and discover interesting results quickly. This way, among millions of events you can find malicious things you were not thinking about and that no regex-based program would find for you.
[1] http://en.wikipedia.org/wiki/Parallel_coordinates
For the last few years, while low-interaction (LI) honeypot systems like Nepenthes and PhoneyC have been getting more and more powerful, the progress of high-interaction (HI) honeypot technology has been somewhat slower. This is especially true for Sebek, the de-facto HI honeypot monitoring tool. Qebek is a QEMU-based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers’ activities in HI honeypots.
Our KYT paper on Qebek provides great detail on how to install and use Qebek. It is available at http://honeynet.org/papers/KYT_qebek.
Sebek is a kernel module installed on high-interaction honeypots for the purpose of extensive data collection. It allows administrators to collect activities such as keystrokes on the system, even in encrypted environments. Designed primarily for Win32 and Linux systems.
Tracker facilitates the identification of abnormal DNS activity. It finds domains that are resolving to a large number of IPs in a short period of time, then continues to track those hostname->IP mappings until either the hostname no longer responds or the user decides to stop tracking that hostname. Really efficient at finding fast-flux domains and other dodgy A-record rotations. Tracker is a tool developed by the Honeynet Project Australian Chapter.
Trigona is a VirtualBox-powered honey-client that was designed for high throughput with low false positive and low false negative rates.
It essentially takes the best of high-interaction and low-interaction honey-clients and cobbles them together with a couple of Perl scripts.