Here you will find honeypot related tools developed by the Honeynet Project
its individuals members. All software created us is OpenSource.
If you are deploying a honeynet, If you identify any bugs, issues, or
have any suggestions with the code on this site, please use our
Bug Server. You can
find all advisories we have released in the Advisories Archives.
NOTE: The Honeynet Project makes no warranties, nor can it be
held responsibe for damages caused by any tools on this website.
Last Updated: 24 April, 2008
High-interaction solutions are honeypots that do not emulate. Instead
they are full operating systems and applications found in many homes
and organizations today. These solutions are more time consuming then
low-interaction solutions, but can potentially capture more types of
information and in greater depth.
- Honeywall CDROM is our primary high-interaction
tool for capturing, controling and analyzing attacks. It creates an architecture
that allows you to deploy both low-interaction and high-interaction honeypots within it.
- Sebek: This is our primary tool to capture attacker activity on
- High Interaction Honeypot Analysis Toolkit (HIHAT):
This tool transforms
arbitrary PHP applications into web-based high-interaction Honeypots. Apart
from the possibility to create high-interaction honeypots, HIHAT furthermore
comprises a graphical user interface which supports the process of
monitoring the honeypot, analysing the acquired data. Last, it generates
an IP-based geographical mapping of the attack sources and generates
extensive statistics. HIHAT is developed and maintained by Michael Mueter
of the German Honeynet Project.
- HoneyBow. HoneyBow is a high-interaction malware
collection toolkit and can be integrated with nepenthes and the mwcollect Alliance's GOTEK architecture.
Developed and maintained by Chinese Honeynet Project.
These are solutions that emulate computers, services, or functionality.
These are easier to deploy, but may be limited in the amount or types
of information they can collect.
- Nepenthes:. This is a low-interaction
honeypot used to automate the collection of malware. Developed and maintained by
the German Honeynet Project.
- Honeyd: This is a low-interaction honeypot
used for capturing attacker activity, very flexible. Developed and maintained by
- Honeytrap: This is a tool for
observing novel attacks against network services by starting dymanic servers. It
performs some basic data analysis and downloads malware automatically. Developed
by Tillmann Werner of the German Honeynet Project.
These are honeypots that initiate connections to a server. These are designed
to identify and capture information on threats to client based applications
(such as a browser or email).
- Capture-HPC is a high-interaction
client honeypot framework. Capture-HPC identifies malicious servers by interacting
with potentially malicious servers using a dedicated virtual machine and observing
its system for unauthorized state changes. Developed by Christian Seifert and
Ramon Steenson of the New Zealand Honeynet Project. To learn more, we highly
encourage you to join the
Capture-HPC public maillist.
- HoneyC is a low interaction client honeypot
framework that allows to find malicious servers on a network. Instead of using a
fully functional operating system and client to perform this task, HoneyC uses
emulated clients that are able to solicit as much of a response from a server
that is necessary for analysis of malicious content. Developed by Christian
Seifert of the New Zealand Honeynet Project.
Tools that help deploy or maintain honeypots and assist in their ability
to gather information.
- Tracker is a tool developed by
the Honeynet Project Australian Chapter.
Tracker facilitates the identification of abnormal DNS
activity. It will find domains that are resolving to a large number of
IP's in a short period of time then continue to track those hostname->IP
mappings untill either the hostname nolonger responds or the user decides
to stop tracking that hostname. Really efficient at finding fast-flux domains
and other dodgy A-Record rotations.
- Pehunter is a snort dynamic
preprocessor that grabs Windows executables off the network. It is intended to sit
inline in front of high-interactive honeypots. Developed and maintained by
Tillmann Werner of the German Honeynet Project.
- Google Hack Honeypot is the reaction
to a new type of malicious web traffic: search engine hackers. It is designed to
provide reconnaissance against attackers that use search engines as a hacking tool.
Developed by Ryan McGeehan & Brian Engert of the Chicago Honeynet Project.
- Honeymole: This is
used for honeypot farms. You deploy multiple sensors that redirect traffic to a
centralized collection of honeypots. Developed and maintained by the Portuguese
- Honeystick: This is a
bootable Honeynet from a USB device. It includes both the Honeywall and honeypots
from a single, portable device. Developed and maintained by the UK Honeynet Project.
Tools used to analyze the data collected by honeyents.
- Honeysnap. Primary tool used for
extracting and analyzing data from pcap files, including IRC communications.
Developed and maintained by Arthur Clune of the UK chapter. To learn more
about Honeysnap, we highly encourage you to join the
Honeysnap public maillist.
- Capture BAT: This is a behavioral
analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor
the state of a system during the execution of applications and processing of documents, which provides
an analyst with insights on how the software operates even if no source code is available. Capture BAT
monitors state changes on a low kernel level and can easily be used across various Win32 operating system
versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the NZ
Chapter. For more information, join the