Tools for Honeynets

Here you will find honeypot-related tools developed by the Honeynet Project and its individual members. All software created by us is open source. If you are deploying a honeynet and identify any bugs or issues, or have suggestions about the code on this site, please use our Bug Server. You can find all advisories we have released in the Advisories Archives.

NOTE: The Honeynet Project makes no warranties, nor can it be held responsible for damages caused by any tools on this website.

Last Updated: 24 April, 2008

High-Interaction Honeypots
High-interaction solutions are honeypots that do not emulate. Instead they are the full operating systems and applications found in many homes and organizations today. These solutions are more time consuming to deploy and maintain than low-interaction solutions, but can potentially capture more types of information and in greater depth.

  • Honeywall CDROM: This is our primary high-interaction tool for capturing, controlling and analyzing attacks. It creates an architecture within which you can deploy both low-interaction and high-interaction honeypots.
  • Sebek: This is our primary tool to capture attacker activity on high-interaction honeypots.
  • High Interaction Honeypot Analysis Toolkit (HIHAT): This tool transforms arbitrary PHP applications into web-based high-interaction honeypots. Apart from the possibility to create high-interaction honeypots, HIHAT also comprises a graphical user interface that supports monitoring the honeypot and analysing the acquired data. Finally, it generates an IP-based geographical mapping of the attack sources and extensive statistics. HIHAT is developed and maintained by Michael Mueter of the German Honeynet Project.
  • HoneyBow: This is a high-interaction malware collection toolkit that can be integrated with Nepenthes and the mwcollect Alliance's GOTEK architecture. Developed and maintained by the Chinese Honeynet Project.


Low-Interaction Honeypots
These are solutions that emulate computers, services, or functionality. These are easier to deploy, but may be limited in the amount or types of information they can collect.

  • Nepenthes: This is a low-interaction honeypot used to automate the collection of malware. Developed and maintained by the German Honeynet Project.
  • Honeyd: This is a very flexible low-interaction honeypot used for capturing attacker activity. Developed and maintained by Niels Provos.
  • Honeytrap: This is a tool for observing novel attacks against network services by starting dynamic servers on demand. It performs some basic data analysis and downloads malware automatically. Developed by Tillmann Werner of the German Honeynet Project.
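
To make concrete what "emulating a service" means for a low-interaction honeypot, here is a minimal FTP honeypot written for this page. It is an added example, not code from Honeyd, Nepenthes or Honeytrap. It answers just enough of the FTP command set to collect every username/password pair an attacker tries, never grants a login, and records each command. The ProFTPD banner string and the 2121 listening port are arbitrary choices, and the session fed to replay() is constructed, not captured.

```python
"""Minimal low-interaction FTP honeypot (added example, not Honeyd/Nepenthes/
Honeytrap code). It speaks just enough of RFC 959 to record every USER/PASS
pair an attacker tries, then rejects the login."""
import socket
import threading
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Decoy banner: an assumed version string, chosen to look like a real server.
BANNER = b"220 ProFTPD 1.3.1 Server ready.\r\n"


@dataclass
class Session:
    peer: str
    user: Optional[str] = None
    commands: List[Tuple[str, str]] = field(default_factory=list)      # as received
    credentials: List[Tuple[Optional[str], str]] = field(default_factory=list)
    done: bool = False


def handle_line(sess: Session, line: bytes) -> bytes:
    """Process one command line and return the emulated server reply."""
    text = line.decode("ascii", "replace").strip()
    cmd, _, arg = text.partition(" ")
    cmd = cmd.upper()
    sess.commands.append((cmd, arg))
    if cmd == "USER":
        sess.user = arg
        return f"331 Password required for {arg}\r\n".encode("ascii", "replace")
    if cmd == "PASS":
        sess.credentials.append((sess.user, arg))   # the data we are here for
        sess.user = None
        return b"530 Login incorrect.\r\n"          # never let anyone in
    if cmd == "SYST":
        return b"215 UNIX Type: L8\r\n"
    if cmd == "QUIT":
        sess.done = True
        return b"221 Goodbye.\r\n"
    if not cmd:
        return b"500 Invalid command: try being more creative\r\n"
    return b"530 Please login with USER and PASS\r\n"


def replay(peer: str, lines) -> Tuple[Session, List[bytes]]:
    """Drive a session from a list of raw lines (offline use and testing)."""
    sess = Session(peer=peer)
    replies = []
    for ln in lines:
        if sess.done:
            break
        replies.append(handle_line(sess, ln))
    return sess, replies


def serve_client(conn: socket.socket, addr, sessions: list) -> Session:
    """Serve one TCP client, splitting the byte stream into lines."""
    sess = Session(peer=f"{addr[0]}:{addr[1]}")
    sessions.append(sess)
    buf = b""
    with conn:
        conn.sendall(BANNER)
        while not sess.done:
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf and not sess.done:
                line, buf = buf.split(b"\n", 1)
                conn.sendall(handle_line(sess, line))
    return sess


def run_server(bind=("0.0.0.0", 2121)) -> None:
    """Listen on an unprivileged port; redirect :21 to it with a firewall rule."""
    sessions: list = []
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=serve_client, args=(conn, addr, sessions),
                             daemon=True).start()


if __name__ == "__main__":
    run_server()
```

Session.credentials is the list worth feeding into analysis. Because nothing beyond the login dialogue is emulated, an attacker who probes further (PASV, LIST, RETR) will quickly notice the fake; that shallowness is exactly the trade-off between low-interaction and high-interaction solutions described above.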


Client Honeypots
These are honeypots that initiate connections to a server. They are designed to identify and capture information on threats to client-based applications (such as a browser or email client).

  • Capture-HPC: This is a high-interaction client honeypot framework. Capture-HPC identifies malicious servers by interacting with potentially malicious servers from a dedicated virtual machine and observing that system for unauthorized state changes. Developed by Christian Seifert and Ramon Steenson of the New Zealand Honeynet Project. To learn more, we highly encourage you to join the Capture-HPC public mailing list.
  • HoneyC: This is a low-interaction client honeypot framework that allows you to find malicious servers on a network. Instead of using a fully functional operating system and client to perform this task, HoneyC uses emulated clients that solicit only as much of a response from a server as is necessary to analyse it for malicious content. Developed by Christian Seifert of the New Zealand Honeynet Project.


Honeypot Infrastructure
Tools that help deploy or maintain honeypots and assist in their ability to gather information.

  • Tracker: This is a tool developed by the Australian Chapter of the Honeynet Project. Tracker facilitates the identification of abnormal DNS activity. It finds domains that resolve to a large number of IPs in a short period of time, then continues to track those hostname->IP mappings until either the hostname no longer responds or the user decides to stop tracking it. Really efficient at finding fast-flux domains and other dodgy A-record rotations.
  • Pehunter: This is a Snort dynamic preprocessor that grabs Windows executables off the network. It is intended to sit inline in front of high-interaction honeypots. Developed and maintained by Tillmann Werner of the German Honeynet Project.
  • Google Hack Honeypot: This is the reaction to a new type of malicious web traffic: search engine hackers. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool. Developed by Ryan McGeehan & Brian Engert of the Chicago Honeynet Project.
  • Honeymole: This is used for honeypot farms. You deploy multiple sensors that redirect traffic to a centralized collection of honeypots. Developed and maintained by the Portuguese Honeynet Project.
  • Honeystick: This is a bootable Honeynet from a USB device. It includes both the Honeywall and honeypots from a single, portable device. Developed and maintained by the UK Honeynet Project.
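
The Tracker description above amounts to an algorithm: count the distinct IPs a hostname returns within a short window, start tracking the hostname->IP mappings once that count is large, and stop when the name stops resolving or the operator says so. The following sliding-window detector is an added example written for this page, not the Australian chapter's code, and its observations are constructed rather than live lookups (a resolve() helper shows where real answers would come from). The 600-second window and threshold of 5 IPs are assumed tuning values.

```python
"""Sliding-window fast-flux detector in the spirit of the Tracker description
above. Added example, not the Australian chapter's code. It consumes
(time, hostname, answered IPs) observations; in production they would come
from repeated lookups, here they are constructed."""
import socket
from collections import defaultdict, deque


class FluxTracker:
    def __init__(self, window: int = 600, threshold: int = 5):
        self.window = window          # seconds of lookups considered
        self.threshold = threshold    # distinct IPs within the window that trip tracking
        self.recent = defaultdict(deque)   # host -> deque of (t, ip) for untracked hosts
        self.tracked = {}             # host -> {ip: [first_seen, last_seen]}
        self.history = {}             # mappings kept after tracking stops

    def observe(self, t: float, host: str, ips) -> str:
        """Feed one lookup result; returns the host's state after it."""
        if host in self.tracked:
            if not ips:               # hostname no longer resolves: stop tracking
                self.history[host] = self.tracked.pop(host)
                return "stopped"
            for ip in ips:
                self.tracked[host].setdefault(ip, [t, t])[1] = t
            return "tracking"
        dq = self.recent[host]
        dq.extend((t, ip) for ip in ips)
        while dq and dq[0][0] < t - self.window:   # expire answers outside the window
            dq.popleft()
        if len({ip for _, ip in dq}) >= self.threshold:
            mapping = {}
            for ts, ip in dq:
                mapping.setdefault(ip, [ts, ts])[1] = ts
            self.tracked[host] = mapping
            del self.recent[host]
            return "flagged"
        return "normal"

    def stop(self, host: str) -> None:
        """Operator-initiated stop, the other exit the description mentions."""
        if host in self.tracked:
            self.history[host] = self.tracked.pop(host)


def resolve(host: str):
    """Live lookup helper (A records only); returns [] when the name fails."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


# Constructed observations (t in seconds, host, answers), not real lookups.
SAMPLE_OBSERVATIONS = [
    (0,    "cdn.example",  ["198.51.100.10", "198.51.100.11"]),
    (0,    "flux.example", ["203.0.113.1", "203.0.113.2", "203.0.113.3"]),
    (0,    "slow.example", ["192.0.2.1", "192.0.2.2", "192.0.2.3"]),
    (60,   "cdn.example",  ["198.51.100.11", "198.51.100.10"]),
    (60,   "flux.example", ["203.0.113.4", "203.0.113.5", "203.0.113.6"]),
    (120,  "flux.example", ["203.0.113.7", "203.0.113.8", "203.0.113.9"]),
    (180,  "flux.example", []),
    (1000, "slow.example", ["192.0.2.4", "192.0.2.5", "192.0.2.6"]),
]


def run_sample(window: int = 600, threshold: int = 5):
    """Replay SAMPLE_OBSERVATIONS; returns (states per host, tracker)."""
    tracker = FluxTracker(window, threshold)
    states = defaultdict(list)
    for t, host, ips in SAMPLE_OBSERVATIONS:
        states[host].append(tracker.observe(t, host, ips))
    return dict(states), tracker


if __name__ == "__main__":
    states, tracker = run_sample()
    for host, seq in states.items():
        print(host, "->", " ".join(seq))
    for host, mapping in tracker.history.items():
        print(host, "saw", len(mapping), "distinct IPs before it stopped resolving")
```

The window is what separates a fast-flux name from a large CDN or a name whose records change slowly: slow.example rotates through six addresses in the sample but never shows more than three inside any 600-second window, so it is not flagged. Widen the window to 2000 seconds and it is. Real DNS also gives you TTLs, which fast-flux names keep very short; feeding those in as a second signal is the obvious next step.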
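
Pehunter's job, pulling Windows executables out of a traffic stream, comes down to recognising a PE image in a byte buffer and knowing where it ends. The carver below is an added example written for this page, not Pehunter's code. It validates the DOS header, the PE signature, the COFF header and the optional-header magic, and sizes the file from its section table, so a stray "MZ" in text or a corrupt e_lfanew does not produce a hit. The sample PE and the surrounding "wire" bytes are constructed in the block; the 0x1000 cap on e_lfanew and the 96-section sanity limit are assumed plausibility bounds.

```python
"""Carve Windows PE executables out of a byte stream, the job Pehunter does
inside Snort. Added example, not Pehunter's code: validates the DOS header,
PE signature, COFF and optional-header magic, and sizes the file from its
section table so a bare "MZ" in text does not trigger a false hit."""
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SECTION_HEADER_SIZE = 40


def parse_pe(buf: bytes, off: int):
    """Validate a PE candidate at buf[off:]; return a description or None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 26 > len(buf):
        return None                      # implausible offset, or not enough bytes yet
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", buf, pe + 4)
    (magic,) = struct.unpack_from("<H", buf, pe + 24)
    if magic not in (0x10B, 0x20B) or nsect == 0 or nsect > 96:
        return None                      # not PE32/PE32+, or a nonsensical section count
    sect = pe + 24 + opt_size
    end = sect + nsect * SECTION_HEADER_SIZE - off     # at least the headers
    for i in range(nsect):
        h = sect + i * SECTION_HEADER_SIZE
        if h + SECTION_HEADER_SIZE > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, h + 16)
        end = max(end, raw_ptr + raw_size)            # file ends after the last raw section
    return {"offset": off, "length": end, "bits": 32 if magic == 0x10B else 64,
            "machine": MACHINES.get(machine, hex(machine)), "sections": nsect,
            "complete": off + end <= len(buf)}


def carve_pe(buf: bytes):
    """Scan buf for every valid PE image; returns the parse_pe() hits in order."""
    hits, pos = [], 0
    while True:
        pos = buf.find(b"MZ", pos)
        if pos < 0:
            return hits
        info = parse_pe(buf, pos)
        if info:
            hits.append(info)
            pos += info["length"] if info["complete"] else 2
        else:
            pos += 1


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (one .text section of INT3s), not a real binary."""
    e_lfanew, raw_ptr, raw_size = 0x80, 0x200, 0x40
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")            # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = (b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr)
            + struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020))
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(raw_ptr, b"\0") + b"\xCC" * raw_size


# Constructed "wire" bytes: a decoy MZ, an HTTP download of the PE, trailing text.
SAMPLE_STREAM = (b"MZ" + b"A" * 70
                 + b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                 + build_sample_pe()
                 + b"\r\nMZ is also just two ASCII letters\r\n")


if __name__ == "__main__":
    for hit in carve_pe(SAMPLE_STREAM):
        print(hit)
```

The "complete" flag matters for an inline deployment: when the image is still arriving, the carver has seen the headers but not the section data, and a real preprocessor would buffer until off + length bytes are available before writing the file out. Sizing by the section table also misses data appended after the last section (overlays, self-extractors), so treat the reported length as a lower bound.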


Data Analysis
Tools used to analyze the data collected by honeynets.

  • Honeysnap: This is the primary tool used for extracting and analyzing data from pcap files, including IRC communications. Developed and maintained by Arthur Clune of the UK chapter. To learn more about Honeysnap, we highly encourage you to join the Honeysnap public mailing list.
  • Capture BAT: This is a behavioral analysis tool for applications on the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which gives an analyst insight into how the software operates even when no source code is available. Capture BAT monitors state changes at a low kernel level and can easily be used across various Win32 operating system versions and configurations. Capture BAT is developed and maintained by Christian Seifert of the NZ Chapter. For more information, join the Capture-BAT mailing list.
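
Extracting IRC from a pcap file, the Honeysnap task above, needs three pieces: a reader for the pcap record format, per-flow ordering of TCP payloads by sequence number, and a parser for the IRC line format ([:prefix] COMMAND params [:trailing]). The block below is an added example written for this page, not Honeysnap's code. The capture it parses is built in build_sample_pcap() and is constructed, not real traffic; the bot and C2 addresses, the port list and the split JOIN are all part of that construction.

```python
"""Pull IRC traffic out of a pcap file with only the standard library. Added
example, not Honeysnap's code; the capture parsed is constructed below."""
import ipaddress
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond

def read_pcap(data: bytes):
    """Yield link-layer frames from a classic pcap file in either byte order."""
    order = PCAP_MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _frac, incl, _orig = struct.unpack(order + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl]
        pos += incl

def tcp_segments(frames):
    """Yield (src, sport, dst, dport, seq, payload) for IPv4/TCP frames with data."""
    for fr in frames:
        if len(fr) < 34 or fr[12:14] != b"\x08\x00":
            continue
        ip = fr[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or len(ip) < total:           # not TCP, or truncated
            continue
        src, dst = str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))
        tcp = ip[ihl:total]                          # drops Ethernet padding
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src, sport, dst, dport, seq, payload

def reassemble(segments):
    """Order each flow's segments by sequence number, dropping exact retransmits."""
    flows = defaultdict(dict)                        # flow -> {seq: payload}
    for src, sport, dst, dport, seq, payload in segments:
        flows[(src, sport, dst, dport)].setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}

def parse_irc_line(line: str):
    """Split '[:prefix] COMMAND params [:trailing]'; None for an empty line."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return (prefix, params[0].upper(), params[1:]) if params else None

def irc_messages(pcap_bytes: bytes, ports=(6667,)):
    """Return every IRC message in flows that touch one of the given ports."""
    out = []
    streams = reassemble(tcp_segments(read_pcap(pcap_bytes)))
    for (src, sport, dst, dport), stream in streams.items():
        if sport not in ports and dport not in ports:
            continue
        for raw in stream.split(b"\r\n"):
            parsed = parse_irc_line(raw.decode("utf-8", "replace"))
            if parsed:
                out.append({"flow": f"{src}:{sport}->{dst}:{dport}",
                            "prefix": parsed[0], "command": parsed[1], "params": parsed[2]})
    return out

def build_frame(src, sport, dst, dport, seq, payload):
    # Ethernet/IPv4/TCP frame with zeroed checksums, enough for parsing.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + tcp

def build_sample_pcap() -> bytes:
    """Constructed capture of a bot joining a C2 channel; the JOIN spans two segments."""
    bot, c2 = ("10.0.0.5", 1045), ("198.51.100.7", 6667)
    exchange = [(bot, c2, b"NICK bot-3f2a\r\n"),
                (bot, c2, b"USER bot 0 * :bot\r\n"),
                (c2, bot, b":c2.example 001 bot-3f2a :Welcome\r\n"),
                (bot, c2, b"JOIN #c2 sec"),
                (bot, c2, b"retkey\r\n"),
                (c2, bot, b":admin!a@h PRIVMSG #c2 :.scan 203.0.113.0/24\r\n")]
    seqs = {bot: 1000, c2: 5000}
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (a, b, payload) in enumerate(exchange):
        frame = build_frame(a[0], a[1], b[0], b[1], seqs[a], payload)
        seqs[a] += len(payload)
        data += struct.pack("<IIII", 1_200_000_000 + i, 0, len(frame), len(frame)) + frame
    return data
```

Ordering by sequence number is what lets the split "JOIN #c2 sec" / "retkey" arrive as one command with its channel key intact; a line-per-packet approach would lose it. What this example does not do, and Honeysnap must, is handle overlapping retransmissions, IPv6, VLAN tags and IRC on non-standard ports, and it trusts the IP total-length field, so run it on captures from your own sensors rather than on attacker-supplied files.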

