Honeypots

Commercial Honeypots

  • PatriotBox: A commercial, easy-to-use low-interaction honeypot designed for Windows.
  • KFSensor: Acts as a honeypot to attract and detect hackers by simulating vulnerable system services and trojans. The system is highly configurable and features detailed logging, attack analysis and security alerts. This approach complements other forms of security and adds another layer of defense against the growing security threats faced by all organizations.
  • NetBait: A very novel and powerful commercial solution. NetBait can be a product or service. Either way, it operates by redirecting attacks against unused IP space to ‘honeypot farms’.
  • ManTrap: By creating a realistic mock network environment, the solution serves as an attack target in order to protect critical areas of the network. As a supplement to security solutions such as firewalls, it employs advanced decoy technology to enable early warning and detection, and to divert and confine attacks.
    Symantec Decoy Server sensors deliver holistic detection and response and provide detailed information through a system of data collection modules. Every action is recorded for analysis, allowing administrators to understand the threat and implement an appropriate, policy-based response. Advanced filters enable the solution to automatically discard insignificant events, leaving only the data required to respond effectively to any incident.
  • Specter: SPECTER is a smart honeypot or deception system. It simulates a complete machine, providing an interesting target to lure hackers away from production machines. SPECTER offers common Internet services such as SMTP, FTP, POP3, HTTP and TELNET which appear perfectly normal to attackers but are in fact traps: attackers can mess around and leave traces without knowing that they are connected to a decoy system, which does none of the things it appears to do but instead logs everything and notifies the appropriate people. Furthermore, SPECTER automatically investigates attackers while they are still trying to break in. SPECTER provides massive amounts of decoy content and generates decoy programs that leave hidden marks on the attacker’s computer. Automated weekly online updates of the honeypot’s content and vulnerability databases allow the honeypot to change constantly without user interaction.
  • NetFacade: The Verizon NetFacade Intrusion Detection service creates a honeynet that exists to alert network security or management personnel of an intrusion. In addition, it has the secondary effect of distracting intruders from probing and attacking the real targets on a network. NetFacade simulates a network of hosts running seemingly vulnerable services. A scan of the range of IP addresses NetFacade is simulating will return information on the simulated services as if they were real network services running on actual hosts. Since there are no actual users of this virtual network of simulated hosts, all traffic to it is considered suspicious. All traffic to the NetFacade Intrusion Detection service on the virtual network is logged and brought to the attention of the security administrator(s).
  • PacketDecoy: PacketDecoy is a “honeypot” device designed to attract attackers to server emulations, which mimic common operating systems and services. PacketDecoy intercepts hackers, gathers information about the intruders, and alerts you that unauthorized access has been attempted.
  • Sombria: Sombria is a honeypot system consisting of a web server, a firewall and an intrusion detection system, intended for the sole purpose of network surveillance and research. This combination of surveillance technologies makes it possible to control and watch intruders’ movements closely and in real time as they go about their mission, without them realizing it. New attack trends detected through Sombria, and all prominent intrusions and worm attacks to which the honeypot system was exposed, are released in the form of reports.
  • Sandtrap: Sandtrap is a multi-modem wardialer detector (a.k.a. dialup honeypot). It can log incoming calls on up to 16 lines, or in Trap mode, emulate one or more “open modems” by answering a caller with a user-configurable banner and login prompt. It then logs the Caller ID information and the full text of any attempts to log in or hack the system, and sends an alert to warn you of the suspicious activity in real time.

Free Honeypots

  • nepenthes: Nepenthes is a versatile tool for collecting malware. It acts passively by emulating known vulnerabilities and downloading the malware that tries to exploit them.
  • HoneyStick: A HoneyStick is a portable honeynet demonstration and incident response tool: a complete OS platform, GenIII honeywall and one or more honeypots on a single bootable USB stick.
  • Bait n Switch: The Bait and Switch Honeypot is a multifaceted attempt to take honeypots out of the shadows of the network security model and make them an active participant in system defense. To do this, we are creating a system that reacts to hostile intrusion attempts by redirecting all hostile traffic to a honeypot that partially mirrors your production system. Once switched, the would-be hacker is unknowingly attacking your honeypot instead of the real data, while your clients and/or users still safely access the real system. Life goes on, your data is safe, and you are learning about the bad guy as an added benefit. The system is based on Snort, Linux’s iproute2, netfilter, and custom code for now. We plan on adding additional support in the future if possible.
  • proxypot: The proxypot project aims to intercept spam messages as they are being sent, record the sender’s identity, and provide evidence that can be used to get the spammers kicked off the Internet and thrown in jail.
  • Deception Toolkit: DTK’s deception is intended to make it appear to attackers as if the system running DTK has a large number of widely known vulnerabilities. DTK’s deception is programmable, but it is typically limited to producing output in response to attacker input in such a way as to simulate the behavior of a system which is vulnerable to the attacker’s method.
    DTK simply listens for inputs and provides responses that seem normal (i.e., full of bugs). In the process, it logs what is being done, provides sensible (if not quite perfect) answers, and lulls the attacker into a false sense of (your) insecurity.
  • HOACD: HOACD means Honeyd+OpenBSD+Arpd in a CD. It is the implementation of a low-interaction honeypot that runs directly from a CD and stores its logs and configuration files on a hard disk. The CD is bootable and uses the OpenBSD operating system, the low-interaction honeypot daemon honeyd and the user-space ARP daemon arpd.
  • Honeynet Security Console: Honeynet Security Console is an analysis tool to view events on your personal honeynet. It gives you the power to view events from Snort, TCPDump, Firewall, Syslog and Sebek logs. It also allows you to correlate events from each of these data types to have a full grasp of the attackers’ actions.
  • HoneyD: Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses – I have tested up to 65536 – on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.
  • HoneyComb: Honeycomb is good at spotting worms. For example, Honeycomb creates detailed signatures for Slammer and Code Red (far more detailed than the typical web server request line) on a typical end-user DSL connection. But the system has lots of other potential uses — it can be applied to any kind of traffic to actively search for signatures when those are currently not available. Examples are all those “Does anyone have a signature for program X”-type of questions on IDS mailing lists — just run this traffic through Honeycomb and see what you get. Spam detection is another potential application that comes to mind.
    The system is an extension of the open-source honeypot honeyd and inspects traffic inside the honeypot; currently it examines protocol headers as well as payload data. Integrating Honeycomb with honeyd has several advantages over a bump-in-the-wire approach.
  • HoneyWall: The Honeywall CDROM combines all the tools and requirements of a GenII honeynet gateway on a (hopefully) easy to use, secure, bootable CDROM. The intent is to make honeynets easier to deploy and customize. You simply boot off the CDROM, configure it based on your environment, and you should have a Honeywall gateway ready to go. The CDROM supports several configuration methods, including an interactive menu and .iso customization scripts. The CDROM is an appliance, based on a minimized and secured Linux OS.
  • LaBrea Tarpit: LaBrea is a program that creates a tarpit or, as some have called it, a “sticky honeypot”. LaBrea takes over unused IP addresses on a network and creates “virtual machines” that answer connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get “stuck”, sometimes for a very long time.
  • Sebek: Sebek is a data capture tool designed to capture an attacker’s activities on a honeypot without the attacker (hopefully) knowing it. It has two components. The first is a client that runs on the honeypots; its purpose is to capture all of the attacker’s activities (keystrokes, file uploads, passwords) and then covertly send the data to the server. The second component is the server, which collects the data from the honeypots. The server normally runs on the Honeywall gateway.
  • Tiny Honeypot: Tiny Honeypot (thp) is a simple honeypot program based on iptables redirects and an xinetd listener. It listens on every TCP port not currently in use, logging all activity and providing some feedback to the attacker. The responders are written entirely in Perl and provide just enough interaction to fool most automated attack tools, as well as quite a few humans, at least for a little while. With appropriate limits (the default), thp can reside on production hosts with negligible impact on performance.
  • Google Hack Honeypot: Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers. GHH is a “Google Hack” honeypot. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources. GHH implements honeypot theory to provide additional security to your web presence.
  • HoneyBOT: HoneyBOT is a Windows-based medium-interaction honeypot solution. HoneyBOT works by opening over 1000 UDP and TCP listening sockets on your computer; these sockets are designed to mimic vulnerable services. When an attacker connects to these services, they are fooled into thinking they are attacking a real server. The honeypot safely captures all communications with the attacker and logs the results for future analysis. Should an attacker attempt an exploit or upload a rootkit or trojan to the server, the honeypot environment will safely store these files on your computer for analysis and submission to antivirus vendors.
  • Honeyperl: Honeypot software written in Perl. Many plugins have been developed for functions such as WinGate, telnet, squid and SMTP emulation.
  • HoneyPoint: The HoneyPoint family of products was created to answer the needs of organizations that were struggling to provide internal network security controls using existing Network and Host based Intrusion Detection Systems. The HoneyPoint strategy is simple, yet powerfully effective. HoneyPoints are flexible pseudo-server applications that are able to emulate thousands of real services such as web, email, database systems and others. Since these pseudo-services are not real applications in use in your organization, there is no reason for anyone to interact with them in any way. Thus, once deployed, any activity to a HoneyPoint is, by default, suspicious. MicroSolved Inc. offers the following HoneyPoint solutions: HoneyPoint Security Server (HPSS), HoneyPoint Personal Edition (HPPE), and HoneyPoint Network Trust Agent (HP:NTA).
  • Kojoney: Kojoney is a low-interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.
  • spamd: spamd (part of OpenBSD) is a fake sendmail-like daemon which rejects false mail. If the pf(4) packet filter is configured to redirect port 25 (SMTP) to this daemon, it will attempt to waste the time and resources of the spam sender.
  • Single-honeypot: Single-honeypot is a powerful tool for those interested in studying the techniques used to break into systems. It is a single, small honeypot for testing your networks for hostile visitors, written as a Perl script.
  • SWiSH: SWiSH is a basic multithreaded SMTP honeypot designed to run on Windows. A honeypot is generally defined as a system which has been left intentionally vulnerable in the hope that someone will exploit it. In the case of an SMTP honeypot, the idea is to attract spammers who believe that your honeypot is actually an open SMTP relay. Once a spammer takes your bait, he may pump his garbage into your honeypot, which absorbs the messages instead of delivering them. By running an SMTP honeypot, you can help to curb the flow of spam. There is no GUI; SWiSH is a console application. You must have access to a Windows command prompt in order to use this program.

Other Programs

  • Argos: Argos is a full and secure system emulator designed for use in honeypots. It is based on QEMU, an open source emulator that uses dynamic translation to achieve a fairly good emulation speed.
  • FakeAP: Black Alchemy’s Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP’s cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.
  • Impost: Impost is a network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons. Impost has two operating modes: it can either act as a honeypot and take orders from a Perl script controlling how it responds and communicates with connecting clients, or it can operate as a packet sniffer and monitor incoming data to a destination port specified by the command-line arguments.

Sources: honeypots.net