Honeypot & Deception Software
Back Officer Friendly
by NFR Security
Back Officer Friendly was originally created to detect when anyone attempts a Back Orifice scan against your computer. It has since evolved to detect attempted connections to other services, such as Telnet, FTP, SMTP, POP3 and IMAP2. When BOF receives a connection to one of these services, it will fake replies to the hopeful hacker, wasting the attacker's time and giving you time to stop them from other mischief.
 
Bait N Switch Honeypot
by Team Violating
The Bait and Switch Honeypot is a multifaceted attempt to take honeypots out of the shadows of the network security model and to make them an active participant in system defense. To do this, we are creating a system that reacts to hostile intrusion attempts by redirecting all hostile traffic to a honeypot that is partially mirroring your production system. Once switched, the would-be hacker is unknowingly attacking your honeypot instead of the real data, while your clients and/or users are still safely accessing the real system. Life goes on, your data is safe, and you are learning about the bad guy as an added benefit. The system is based on Snort, Linux's iproute2, netfilter, and custom code for now. We plan on adding additional support in the future if possible.
 
BigEye
by Team Violating
BigEye is a network utility (dump) that can be run in different modes. It can either run as a sniffer, as a TCP/UDP/ICMP connection logger, bind to a port and listen for incoming TCP/UDP connections, or run as a honeypot.
 
FakeAP
by Black Alchemy Enterprises
If one access point is good, 53,000 must be better. Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.
 
GHH - The "Google Hack" Honeypot
by Ryan McGeehan et al
GHH is the reaction to a new type of malicious web traffic: search engine hackers. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources. GHH implements honeypot theory to provide additional security to your web presence. Mirroring the growth of the Google index, the spread of web-based applications such as message boards and remote administrative tools has resulted in an increase in the number of misconfigured and vulnerable web apps available on the Internet. These insecure tools, when combined with the power of the search engine and index which Google provides, result in a convenient attack vector for malicious users. GHH is a tool to combat this threat. GHH emulates a vulnerable web application by allowing itself to be indexed by search engines. It is hidden from casual page viewers, but is found through the use of a crawler or search engine. It does this through the use of a transparent link which isn't detected by casual browsing but is found when a search engine crawler indexes a site.
 
HOACD
by Honeynet.BR Project
HOACD is the implementation of a low-interaction honeypot, based on Honeyd, that runs directly from a CD and stores its logs and configuration files on a hard disk. The CD is bootable and uses the OpenBSD/i386 operating system, the low-interaction honeypot honeyd, and the user-space arp daemon. It is composed of a couple of applications defined by the Brazilian Distributed Honeypots Project.
 
Honeyd
by Niels Provos
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.
 
Honeyd Development site
by Niels Provos
For description, see Honeyd.
 
Honeyd for Windows
by Michael A. Davis (port)
Windows port of the popular Honeyd software. Honeyd-win32 has all the capabilities of the UNIX version of honeyd with the exception of subsystems. Scripts, proxies, etc. are all 100% supported.
 
Honeynet Security Console for Windows 2000/XP
by Activeworx, Inc.
Honeynet Security Console is an analysis tool to view events on your personal network or honeynet. It gives you the power to view events from Snort, TCPDump, Firewall, Syslog and Sebek logs. It also allows you to correlate events from each of these data types to have a full grasp of the attackers' actions.
 
HoneyPerl
by Brazilian Honeypot Project (HoneypotBR)
Honeypot software based on Perl with many plugins such as fakehttp, fakesmtp, fakesquid, faketelnet, etc.
 
Honeywall CD-ROM
by The Honeynet Project
The Honeywall CDROM combines all the tools and requirements of a Honeynet gateway on an easy to use, bootable CDROM. The intent is to make honeynets easier to deploy and customize. You simply boot off the CDROM, configure it based on your environment, and you should have a Honeywall gateway ready to go. The CDROM supports several configuration methods, including an interactive menu and .iso customization scripts. The CDROM is an appliance, based on a minimized and secured Linux OS.

HoneyWeb
 by Kevin Tim
HoneyWeb is a deception-based web server-like program that can be used as a standalone server or in conjunction with HoneyD to provide request-based HTTP header spoofing and page serving. HoneyWeb does basic regex comparison on incoming requests to determine what associated headers to return. HoneyWeb works in basically two modes, "Persistent" and "Non-Persistent". In "Non-Persistent" mode HoneyWeb is basically a more intelligent netcat and returns 200 OK for every request, unless defined otherwise, along with the other associated headers for that type of server. In "Persistent" mode HoneyWeb will remember the IP and always return the same version to the same IP for a specified period of time; in addition it will do basic request comparisons between server families to determine if a 404 should be sent back or not. HoneyWeb does some bogus request checking and sends back server-specific error pages on bogus requests. Attack-specific pages can be specified to make HoneyWeb appear more real for interactive attackers. SSL support can be provided with the use of stunnel (http://www.stunnel.org). HoneyWeb is written in Python and should run on anything with Python 1.5 and better. It has been tested on W2K in addition to Linux platforms. HoneyWeb does try to follow the HTTP protocol closely, returning errors on improper versions and syntax. HoneyWeb logs request-specific info into hw-log files in the log directory. In addition, unmatched requests are logged in the newsigs file.
 
Impost
by sickbeatz
Impost is a network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons. There are two different operating modes used by Impost: it can either act as a honeypot and take orders from a Perl script controlling how it responds and communicates with connecting clients, or it can operate as a packet sniffer and monitor incoming data to the destination port specified by the command-line arguments.
 
Jackpot Mailswerver
by Jack Cleaver
Jackpot is a ready-to-run SMTP relay honeypot, written in pure Java. By running a relay honeypot on your computer, you can make a contribution to the battle against spam email. Jackpot enables you to submit accurately-aimed complaints, with detailed documentation accessible via a built-in web server. Jackpot is very entertaining to run - you can watch spam getting logged and then blackholed in real time. You can examine the envelope (HELO) commands used to submit the spam to Jackpot, which is not possible using a simple spamtrap address. The details of spam runs are saved in comma-delimited files, which you can analyse using simple tools. Jackpot can also store captured spam data in a single database shared by a community of co-operating honeypots.
 
KFSensor
by Keyfocus
KFSensor is a Windows-based honeypot Intrusion Detection System (IDS). It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans. By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone. KFSensor is designed for use in a Windows-based corporate environment and contains many innovative and unique features such as remote management, a Snort-compatible signature engine and emulations of Windows networking protocols. With its GUI-based management console, extensive documentation and low maintenance, KFSensor provides a cost-effective way of improving an organization's network security.
 
LaBrea Tarpit
by Tom Liston
LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very long time.
 
NetBait
by NetBait Inc.
NetBait acts as an additional layer of defense, diverting intruders from your real systems and directing them to controlled computing environments, or pseudo-networks. NetBait creates these environments by projecting a diversionary picture of your network. This picture consists of your real network nodes surrounded by multiples of "fake" NetBait Nodes or "targets", each of which may be configured to present any combination of operating systems, services, and applications.
 
NetFacade
by Verizon
The Verizon NetFacade Intrusion Detection service creates a Honeynet that exists to alert network security or management personnel of an intrusion. In addition, it has the secondary effect of distracting intruders from probing and attacking the real targets on a network. NetFacade simulates a network of hosts running seemingly vulnerable services. A scan of the range of IP addresses NetFacade is simulating will return information on the simulated services as if they were real network services running on actual hosts. Since there are no actual users of this virtual network of simulated hosts, all traffic to it is considered suspicious. All traffic to the NetFacade Intrusion Detection service on the virtual network is logged and brought to the attention of the Security Administrator(s).
 
OpenBSD's spamd
by OpenBSD Team
spamd (part of OpenBSD) is a fake sendmail-like daemon which rejects false mail. If the pf(4) packet filter is configured to redirect port 25 (SMTP) to this daemon, it will attempt to waste the time and resources of the spam sender.
 
ProxyPot
by Alan Curry
An open proxy honeypot (proxypot) is a server that pretends to be an open proxy, taking requests from bad people to do bad things, and responding with a simulation instead of doing the evil deed. The goal is to fool the bad people into thinking they've done their bad thing and got away with it, while actually they didn't do it, and they got caught anyway. The proxypot found here is designed primarily to catch one kind of Internet bad guy: the mail spammer.
 
Single-Honeypot
by Luis Wong and Louis Freeze
No description available.
 
Smoke Detector
by Palisade Systems Inc.
No matter what kind of security tools you currently have in place -- firewalls, intrusion detection systems, authentication -- SmokeDetector can add another valuable layer of protection. Able to mimic up to 19 of the most common server operating systems on one physical box, SmokeDetector will confuse and delay a hacker trying to reach critical information. When SmokeDetector is accessed, that information is logged and an immediate notification is sent to the administrator.
 
SMTPot.py
by Karl A. Krueger
Standalone SMTP honeypot written in Python. This is a (simple) program which pretends to be an open mail relay. It accumulates mail in mailbox files.
 
Spamhole
by Dr. Uid
Spamhole is a fake open SMTP relay, intended to stop (some) spam by convincing spammers that it is delivering spam messages for them, when in fact it is not. When an SMTP client connects to spamhole, spamhole will emulate an SMTP open relay, happily accepting any email messages that the client wishes to send to it; however, rather than actually delivering the messages, it will silently drop them.
 
Spampot.py
by Neale Pikett
Spam honeypot SMTP server. This just sits on port 25 of whatever IP you pass in as an argument, and spools every message out to MAILDIR. It tries to look like an old Sendmail server, to maximize chances of being tagged as an open relay.
 
Specter
by Netsec
SPECTER is a smart honeypot or deception system. It simulates a complete machine, providing an interesting target to lure hackers away from the production machines. SPECTER offers common Internet services such as SMTP, FTP, POP3, HTTP and TELNET which appear perfectly normal to the attackers but in fact are traps for them to mess around and leave traces without even knowing that they are connected to a decoy system which does none of the things it appears to do but instead logs everything and notifies the appropriate people. Furthermore, SPECTER automatically investigates the attackers while they are still trying to break in. SPECTER provides massive amounts of decoy content and it generates decoy programs that will leave hidden marks on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases allow the honeypot to change constantly without user interaction.
 
SWiSH
by Canned Ham
SWiSH is a basic multithreaded SMTP honeypot designed to be run on Windows. A honeypot is generally defined as a system which has been left intentionally vulnerable, in hopes that someone will exploit it. In the case of an SMTP honeypot, the idea is to attract spammers who believe that your honeypot is actually an open SMTP relay. Once a spammer takes your bait, he may pump his garbage into your honeypot, which absorbs the messages instead of delivering them. By running an SMTP honeypot, you can help to curb the flow of spam. There is no GUI; SWiSH is a console application. You must have access to a Windows command prompt in order to use this program.
 
Symantec Decoy Server (formerly ManTrap)
by Symantec
Symantec Decoy Server provides early detection of internal, external, and unknown attacks, unauthorized use of passwords and server access to help prioritize threats, and increase network protection against intrusions. By creating a realistic mock network environment, the solution serves as an attack target in order to protect critical areas of the network. As a supplement to security solutions such as firewalls, it employs advanced decoy technology to enable early detection to divert and confine attacks.
 
Tiny Honeypot (thp)
by George Bakos
thp appears to listen on all ports otherwise not in legitimate use, providing a series of phony responses to attacker commands. Some are very simple, others are somewhat more interactive. The goal isn't to fool a skilled, determined attacker, merely to cloud the playing field with tens of thousands of fake services, all without causing unreasonable stress on the thp host.
 
The Deception Toolkit
by Fred Cohen & Associates
The Deception ToolKit (DTK) is a toolkit designed to give defenders a couple of orders of magnitude advantage over attackers. The basic idea is not new: we use deception to counter attacks. In the case of DTK, the deception is intended to make it appear to attackers as if the system running DTK has a large number of widely known vulnerabilities. DTK's deception is programmable, but it is typically limited to producing output in response to attacker input in such a way as to simulate the behavior of a system which is vulnerable to the attacker's method.
 
User-Mode Linux (UML)
by Jeff Dike
User-Mode Linux gives you a virtual machine that may have more hardware and software virtual resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained inside a single file on your physical machine. You can assign your virtual machine only the hardware access you want it to have. With properly limited access, nothing you do on the virtual machine can change or damage your real computer, or its software.
 