Honeypot & Deception Software

Back Officer Friendly, by NFR Security
Back Officer Friendly (BOF) was originally created to detect Back Orifice scans against your computer. It has since evolved to detect attempted connections to other services such as Telnet, FTP, SMTP, POP3 and IMAP2. When BOF receives a connection to one of these services it fakes replies to the hopeful hacker, wasting the attacker's time and giving you time to stop them from other mischief.

Bait N Switch Honeypot, by Team Violating
The Bait and Switch Honeypot is a multifaceted attempt to take honeypots out of the shadows of the network security model and make them an active participant in system defense. The system reacts to hostile intrusion attempts by redirecting all hostile traffic to a honeypot that partially mirrors your production system. Once switched, the would-be hacker is unknowingly attacking the honeypot instead of the real data, while your clients and users are still safely accessing the real system. Life goes on, your data is safe, and you learn about the bad guy as an added benefit. The system is based on Snort, Linux's iproute2, netfilter and custom code for now; the authors plan to add further support in the future. Because the switch is triggered by a Snort alert, a false positive redirects a legitimate client to the decoy, so signature tuning matters.

BigEye, by Team Violating
BigEye is a network utility (dump) that can be run in different modes: as a sniffer, as a TCP/UDP/ICMP connection logger, bound to a port listening for incoming TCP/UDP connections, or as a honeypot.

FakeAP, by Black Alchemy Enterprises
If one access point is good, 53,000 must be better. Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses wardrivers, NetStumblers, script kiddies and other undesirables.

GHH - The "Google Hack" Honeypot, by Ryan McGeehan et al.
GHH is the reaction to a new type of malicious web traffic: search engine hackers. It is designed to provide reconnaissance against attackers who use search engines as a hacking tool against your resources. GHH applies honeypot theory to provide additional security to your web presence. Mirroring the growth of the Google index, the spread of web-based applications such as message boards and remote administration tools has increased the number of misconfigured and vulnerable web apps reachable on the Internet. These insecure tools, combined with the power of Google's search engine and index, give malicious users a convenient attack vector. GHH is a tool to combat this threat: it emulates a vulnerable web application and allows itself to be indexed by search engines. It is hidden from casual page viewers but found by a crawler or search engine, by means of a transparent link that is not noticed in casual browsing but is followed when a search engine crawler indexes the site.

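The two halves of the technique above, as an added example that is not GHH's own code: a link a crawler follows but a person does not see, and a classifier that picks hits on the bait page out of web-server logs and recovers the search query the visitor used to find it. The bait path, host names, log lines and regexes are constructed for the illustration.

```python
"""Added example (not GHH's own code): how a "transparent link" honeypot gets
indexed, and how hits on the bait page are classified from web-server logs.
The bait path, host names, log lines and regexes below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

BAIT_PATH = "/admin/phpshell.php"   # constructed location of the decoy page


def bait_link_html(href=BAIT_PATH):
    """Anchor a crawler follows but a person does not see: no link text and
    the element is moved off-screen. Crawlers index the href regardless."""
    return ('<a href="%s" style="position:absolute;left:-9999px;'
            'width:1px;height:1px;overflow:hidden"></a>' % href)


# Apache/nginx "combined" log format:
#   ip ident user [time] "method path version" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

CRAWLER_UA = re.compile(r"Googlebot|Yahoo! Slurp|msnbot|bingbot", re.I)
SEARCH_QUERY_PARAMS = ("q", "p", "query")   # Google/Bing use q, Yahoo uses p


def classify_hit(line):
    """Return None for lines that do not touch the bait page; otherwise a dict
    saying whether this was the crawler indexing the bait (expected) or a
    visitor who found it through a search engine (the "Google hacker")."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if urlsplit(m["path"]).path != BAIT_PATH:
        return None
    hit = {"ip": m["ip"], "time": m["time"], "query": None}
    if CRAWLER_UA.search(m["ua"]):
        hit["kind"] = "crawler-index"
        return hit
    ref = urlsplit(m["referer"])
    qs = parse_qs(ref.query)
    for name in SEARCH_QUERY_PARAMS:
        if name in qs:
            hit["query"] = qs[name][0]      # the dork the attacker searched for
            break
    hit["kind"] = "search-referred" if hit["query"] is not None else "direct"
    hit["referer_host"] = ref.hostname or ""
    return hit


# Constructed sample log lines: normal traffic, the crawler indexing the bait,
# and an attacker arriving from a Google results page for a phpshell dork.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2003:13:55:36 -0700] "GET /index.html HTTP/1.1" '
    '200 2326 "-" "Mozilla/4.0"',
    '66.249.66.1 - - [10/Oct/2003:14:01:02 -0700] "GET /admin/phpshell.php HTTP/1.1" '
    '200 512 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
    '198.51.100.23 - - [11/Oct/2003:02:17:44 -0700] "GET /admin/phpshell.php?cmd=id HTTP/1.1" '
    '200 512 "http://www.google.com/search?q=inurl%3Aphpshell.php+intitle%3A%22PHP+Shell%22" '
    '"Mozilla/5.0"',
]


def report(lines=SAMPLE_LOG):
    """All bait-page hits found in the given log lines, in order."""
    return [h for h in (classify_hit(l) for l in lines) if h]


if __name__ == "__main__":
    for hit in report():
        print(hit)
```

The crawler hit is expected and harmless; the search-referred hit is the signal, and its recovered query tells you which dork is being used against you, which a plain 404 log never would.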
HOACD, by Honeynet.BR Project
HOACD is an implementation of a low-interaction honeypot, based on Honeyd, that runs directly from a CD and stores its logs and configuration files on a hard disk. The CD is bootable and uses the OpenBSD/i386 operating system, the low-interaction honeypot Honeyd, and the user-space ARP daemon (arpd). It is composed of a couple of applications defined by the Brazilian Distributed Honeypots Project.

Honeyd, by Niels Provos
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality (the way their TCP/IP stack answers probes) can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. Honeyd improves security by providing mechanisms for threat detection and assessment; it also deters adversaries by hiding real systems among virtual ones.

Honeyd Development site, by Niels Provos
For a description, see Honeyd.

Honeyd for Windows, by Michael A. Davis (port)
Windows port of the popular Honeyd software. Honeyd-win32 has all the capabilities of the UNIX version of Honeyd with the exception of subsystems; scripts, proxies, etc. are fully supported.

Honeynet Security Console for Windows 2000/XP, by Activeworx, Inc.
Honeynet Security Console is an analysis tool to view events on your personal network or honeynet. It lets you view events from Snort, tcpdump, firewall, syslog and Sebek logs, and correlate events across these data types to get a full grasp of the attacker's actions.

HoneyPerl, by Brazilian Honeypot Project (HoneypotBR)
Honeypot software written in Perl, with many plugins such as fakehttp, fakesmtp, fakesquid and faketelnet.

Honeywall CD-ROM, by The Honeynet Project
The Honeywall CDROM combines all the tools and requirements of a Honeynet gateway on an easy-to-use, bootable CDROM. The intent is to make honeynets easier to deploy and customize. You simply boot off the CDROM, configure it for your environment, and you should have a Honeywall gateway ready to go. The CDROM supports several configuration methods, including an interactive menu and .iso customization scripts. It is an appliance based on a minimized and secured Linux OS.

HoneyWeb, by Kevin Tim
HoneyWeb is a deception-based, web-server-like program that can be used as a standalone server or in conjunction with Honeyd to provide request-based HTTP header spoofing and page serving. HoneyWeb does basic regex comparison on incoming requests to determine which associated headers to return. It works in two modes, "Persistent" and "Non-Persistent". In Non-Persistent mode HoneyWeb is basically a more intelligent netcat: it returns 200 OK for every request, unless defined otherwise, along with the other headers associated with that type of server. In Persistent mode HoneyWeb remembers the client IP and always returns the same server version to that IP for a specified period of time; in addition it does basic request comparisons between server families to decide whether a 404 should be sent back, so a client that has been shown one server type does not see requests belonging to another type succeed. HoneyWeb does some bogus-request checking and sends back server-specific error pages on bogus requests. Attack-specific pages can be specified to make HoneyWeb appear more real to interactive attackers. SSL support can be provided with stunnel (http://www.stunnel.org). HoneyWeb is written in Python and should run on anything with Python 1.5 or later; it has been tested on W2K in addition to Linux. HoneyWeb tries to follow the HTTP protocol closely, returning errors on improper versions and syntax. It logs request-specific information into hw-log files in the log directory; unmatched requests are logged in the newsigs file.

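The matching logic described above, as an added example that is not HoneyWeb's own code: regexes over the request path pick a server family, Persistent mode binds a client IP to that family for a TTL and answers cross-family requests with 404, malformed request lines get 400 and unknown HTTP versions 505, and paths no signature matches are recorded the way the newsigs file is. The banner strings, the signature table and the TTL are constructed for the illustration.

```python
"""Added example (not HoneyWeb's own code): the request-to-server-family
matching, persistent per-IP binding and version checking described above,
reduced to a testable core. Banner strings, the signature table and the TTL
are constructed for the illustration."""
import re
import time

# Header sets for the server families the decoy can impersonate (constructed).
FAMILIES = {
    "apache": {"Server": "Apache/1.3.27 (Unix)", "X-Powered-By": "PHP/4.3.1"},
    "iis": {"Server": "Microsoft-IIS/5.0", "X-Powered-By": "ASP.NET"},
}

# Regexes over the request path deciding which family a request "belongs" to.
SIGNATURES = [
    (re.compile(r"\.(asp|aspx|asa)(\?|$)", re.I), "iis"),
    (re.compile(r"^/(scripts|_vti_bin|msadc)/", re.I), "iis"),
    (re.compile(r"\.(php|cgi|pl)(\?|$)", re.I), "apache"),
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
KNOWN_VERSIONS = {("1", "0"), ("1", "1")}


class HoneyWebEmu:
    def __init__(self, persistent=True, ttl=3600.0, default_family="apache"):
        self.persistent = persistent
        self.ttl = ttl
        self.default_family = default_family
        self.bindings = {}   # client ip -> (family, expiry time)
        self.unmatched = []  # paths no signature matched (the "newsigs" idea)
        self.log = []        # (ip, request line, status, family)

    def classify(self, path):
        """Family the request itself looks like, or None if no signature hits."""
        for rx, family in SIGNATURES:
            if rx.search(path):
                return family
        return None

    def family_for(self, ip, path, now):
        """Return (family to present to this client, family the request looks like)."""
        sig = self.classify(path)
        if sig is None:
            self.unmatched.append(path)
        if not self.persistent:
            return sig or self.default_family, sig
        bound = self.bindings.get(ip)
        if bound and bound[1] > now:        # still inside the binding period
            return bound[0], sig
        family = sig or self.default_family
        self.bindings[ip] = (family, now + self.ttl)
        return family, sig

    def respond(self, ip, request_line, now=None):
        """Return (status, headers) for one request line from one client."""
        now = time.time() if now is None else now
        default_hdrs = dict(FAMILIES[self.default_family])
        m = REQUEST_LINE.match(request_line)
        if not m:                           # malformed request line
            return self._done(ip, request_line, 400, default_hdrs, self.default_family)
        _method, path, major, minor = m.groups()
        if (major, minor) not in KNOWN_VERSIONS:
            return self._done(ip, request_line, 505, default_hdrs, self.default_family)
        family, sig = self.family_for(ip, path, now)
        headers = dict(FAMILIES[family])
        # Cross-family request against an already-presented server: 404, so a
        # client that was shown IIS never sees an Apache-flavoured page succeed.
        if sig is not None and sig != family:
            return self._done(ip, request_line, 404, headers, family)
        return self._done(ip, request_line, 200, headers, family)

    def _done(self, ip, request_line, status, headers, family):
        self.log.append((ip, request_line, status, family))
        return status, headers
```

In Non-Persistent mode every request simply gets the headers of whatever family it resembles; only Persistent mode gives a scanner a consistent target, which is what an interactive attacker compares against.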
Impost, by sickbeatz
Impost is a network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons. Impost has two operating modes: it can act as a honeypot and take orders from a Perl script controlling how it responds to and communicates with connecting clients, or it can operate as a packet sniffer and monitor incoming data to a destination port supplied on the command line.

Jackpot Mailswerver, by Jack Cleaver
Jackpot is a ready-to-run SMTP relay honeypot written in pure Java. By running a relay honeypot on your computer you can contribute to the battle against spam email. Jackpot enables you to submit accurately aimed complaints, with detailed documentation accessible via a built-in web server. Jackpot is very entertaining to run: you can watch spam getting logged and then blackholed in real time. You can examine the HELO and envelope (MAIL FROM, RCPT TO) commands the spammer used to submit the spam to Jackpot, which is not possible with a simple spamtrap address. The details of spam runs are saved in comma-delimited files which you can analyse with simple tools. Jackpot can also store captured spam data in a single database shared by a community of co-operating honeypots.

KFSensor, by Keyfocus
KFSensor is a Windows-based honeypot intrusion detection system (IDS). It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans. By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than firewalls and NIDS alone. KFSensor is designed for use in a Windows-based corporate environment and contains features such as remote management, a Snort-compatible signature engine and emulations of Windows networking protocols. With its GUI-based management console, extensive documentation and low maintenance, KFSensor provides a cost-effective way of improving an organization's network security.

LaBrea Tarpit, by Tom Liston
LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer connection attempts. It answers those attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very long time: the TCP handshake is completed and the connection is then held open with a zero-size receive window, so the client keeps the connection and never gets to send its payload.

NetBait, by NetBait Inc.
NetBait acts as an additional layer of defense, diverting intruders from your real systems and directing them to controlled computing environments, or pseudo-networks. NetBait creates these environments by projecting a diversionary picture of your network: your real network nodes surrounded by multiples of "fake" NetBait nodes or "targets", each of which may be configured to present any combination of operating systems, services and applications.

NetFacade, by Verizon
The Verizon NetFacade Intrusion Detection service creates a honeynet that exists to alert network security or management personnel of an intrusion. As a secondary effect it distracts intruders from probing and attacking the real targets on a network. NetFacade simulates a network of hosts running seemingly vulnerable services; a scan of the IP range NetFacade is simulating returns information on the simulated services as if they were real network services running on actual hosts. Since the virtual network has no legitimate users, all traffic to it is considered suspicious. All traffic to the NetFacade virtual network is logged and brought to the attention of the security administrator(s).

OpenBSD's spamd, by the OpenBSD Team
spamd (part of OpenBSD) is a fake sendmail-like daemon which rejects false mail. If the pf(4) packet filter is configured to redirect port 25 (SMTP) to this daemon, it attempts to waste the time and resources of the spam sender, answering the SMTP dialogue very slowly (one character at a time) before refusing the message.

ProxyPot, by Alan Curry
An open proxy honeypot (proxypot) is a server that pretends to be an open proxy, taking requests from bad people to do bad things and responding with a simulation instead of doing the evil deed. The goal is to fool the bad people into thinking they have done their bad thing and got away with it, while in fact they did not do it and got caught anyway. This proxypot is designed primarily to catch one kind of Internet bad guy: the mail spammer.

Single-Honeypot, by Luis Wong and Louis Freeze
No description available.

Smoke Detector, by Palisade Systems Inc.
No matter what kind of security tools you currently have in place (firewalls, intrusion detection systems, authentication), SmokeDetector can add another layer of protection. Able to mimic up to 19 of the most common server operating systems on one physical box, SmokeDetector confuses and delays a hacker trying to reach critical information. When SmokeDetector is accessed, the access is logged and an immediate notification is sent to the administrator.

SMTPot.py, by Karl A. Krueger
Standalone SMTP honeypot written in Python. This is a simple program which pretends to be an open mail relay and accumulates the mail it receives in mailbox files.

Spamhole, by Dr. Uid
Spamhole is a fake open SMTP relay, intended to stop (some) spam by convincing spammers that it is delivering spam messages for them when in fact it is not. When an SMTP client connects, spamhole emulates an open relay, happily accepting any email messages the client wishes to send; rather than delivering them, it silently drops them.

Spampot.py, by Neale Pikett
Spam honeypot SMTP server. It simply sits on port 25 of whatever IP you pass in as an argument and spools every message out to MAILDIR. It tries to look like an old Sendmail server, to maximize its chances of being tagged as an open relay.

Specter, by Netsec
SPECTER is a smart honeypot or deception system. It simulates a complete machine, providing an interesting target to lure hackers away from the production machines. SPECTER offers common Internet services such as SMTP, FTP, POP3, HTTP and Telnet which appear perfectly normal to attackers but are in fact traps: they let attackers mess around and leave traces without knowing they are connected to a decoy that does none of the things it appears to do, but instead logs everything and notifies the appropriate people. SPECTER also automatically investigates attackers while they are still trying to break in. It provides large amounts of decoy content and generates decoy programs that will leave hidden marks on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases let the honeypot change constantly without user interaction.

SWiSH, by Canned Ham
SWiSH is a basic multithreaded SMTP honeypot designed to run on Windows. A honeypot is generally defined as a system that has been left intentionally vulnerable in the hope that someone will exploit it. In the case of an SMTP honeypot, the idea is to attract spammers who believe the honeypot is an open SMTP relay. Once a spammer takes the bait, he may pump his garbage into the honeypot, which absorbs the messages instead of delivering them. By running an SMTP honeypot you can help curb the flow of spam. There is no GUI; SWiSH is a console application, and you need a Windows command prompt to use it.

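The dialogue a fake open relay holds with a spammer, as an added example that is not the code of Jackpot, SMTPot.py, Spamhole, Spampot.py or SWiSH (all of which are described above as doing a version of this): a protocol state machine that records HELO and the envelope (MAIL FROM, RCPT TO), says yes to every recipient where a real server would say "Relaying denied", accepts DATA, and spools the message instead of delivering it. The hostname and banner are constructed, the Sendmail-style reply texts imitate the look Spampot.py aims for, and the small socketserver front end is only there for real use; the state machine is what the example exercises.

```python
"""Added example (not the code of Jackpot, SMTPot.py, Spamhole, Spampot.py or
SWiSH): an SMTP open-relay emulation as a protocol state machine that logs
HELO, MAIL FROM and RCPT TO, accepts DATA and spools the message instead of
delivering it. Hostname and banner are constructed."""
import re
import socketserver

ADDR_RE = re.compile(r"^(FROM|TO):\s*<?([^<>\s]*)>?", re.I)
SPOOL = []   # messages captured by the network front end below


class FakeOpenRelay:
    """One SMTP session. Feed it client lines; get the server reply back
    (or None while the client is still sending message body lines)."""

    def __init__(self, hostname="mail.example.invalid"):   # constructed name
        self.hostname = hostname
        self.banner = "220 %s ESMTP Sendmail 8.9.3/8.9.3; ready" % hostname
        self.captured = []      # spooled messages; nothing is ever delivered
        self.helo = None        # kept for the whole session, like a real MTA
        self._reset()

    def _reset(self):           # clear the current mail transaction only
        self.mail_from = None
        self.rcpt = []
        self.body = None        # list of lines while inside DATA, else None

    def feed(self, line):
        if self.body is not None:                   # inside DATA
            if line == ".":
                self.captured.append({
                    "helo": self.helo, "from": self.mail_from,
                    "rcpt": list(self.rcpt), "body": "\r\n".join(self.body)})
                self._reset()
                return "250 2.0.0 Message accepted for delivery"
            # RFC 2821 dot-unstuffing: a body line starting ".." had a dot added
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 5.0.0 %s requires domain address" % verb
            self.helo = arg
            return "250 %s Hello %s, pleased to meet you" % (self.hostname, arg)
        if verb == "MAIL":
            m = ADDR_RE.match(arg)
            if not m or m.group(1).upper() != "FROM":
                return '501 5.5.2 Syntax error in parameters scanning "%s"' % arg
            self.mail_from, self.rcpt = m.group(2), []
            return "250 2.1.0 %s... Sender ok" % m.group(2)
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.0.0 Need MAIL before RCPT"
            m = ADDR_RE.match(arg)
            if not m or m.group(1).upper() != "TO":
                return '501 5.5.2 Syntax error in parameters scanning "%s"' % arg
            self.rcpt.append(m.group(2))
            # A real MTA would answer "550 Relaying denied" for a foreign
            # recipient; the honeypot deliberately says yes to every one.
            return "250 2.1.5 %s... Recipient ok" % m.group(2)
        if verb == "DATA":
            if not self.rcpt:
                return "503 5.0.0 Need RCPT (recipient)"
            self.body = []
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "RSET":
            self._reset()
            return "250 2.0.0 Reset state"
        if verb == "NOOP":
            return "250 2.0.0 OK"
        if verb == "QUIT":
            return "221 2.0.0 %s closing connection" % self.hostname
        return '500 5.5.1 Command unrecognized: "%s"' % line.strip()


def run_session(relay, client_lines):
    """Drive one session offline; return banner plus every server reply."""
    replies = [relay.banner]
    for line in client_lines:
        reply = relay.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies


def envelope_report(relay):
    """What a complaint would cite: HELO, sender and recipient count per message."""
    return [(m["helo"], m["from"], len(m["rcpt"])) for m in relay.captured]


class _Handler(socketserver.StreamRequestHandler):
    """Network front end for real use: one FakeOpenRelay per connection."""
    def handle(self):
        relay = FakeOpenRelay()
        self.wfile.write((relay.banner + "\r\n").encode())
        for raw in self.rfile:
            reply = relay.feed(raw.decode("latin-1").rstrip("\r\n"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
            if reply and reply.startswith("221"):
                break
        SPOOL.extend(relay.captured)


def serve(host="0.0.0.0", port=2525):
    """Listen on an unprivileged port; redirect port 25 to it with your packet filter."""
    with socketserver.ThreadingTCPServer((host, port), _Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The envelope is recorded before the body is ever seen, which is the information a simple spamtrap address cannot give you; a spammer's test message (one recipient, often to an address he controls) and the subsequent bulk run look different in envelope_report, and nothing in captured is forwarded anywhere.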
Symantec Decoy Server (formerly ManTrap), by Symantec
Symantec Decoy Server provides early detection of internal, external and unknown attacks, and of unauthorized use of passwords and server access, to help prioritize threats and increase network protection against intrusions. By creating a realistic mock network environment, the product serves as an attack target in order to protect critical areas of the network. As a supplement to security solutions such as firewalls, it employs decoy technology to enable early detection and to divert and confine attacks.

Tiny Honeypot (thp), by George Bakos
thp appears to listen on all ports not otherwise in legitimate use, providing a series of phony responses to attacker commands. Some are very simple, others somewhat more interactive. The goal is not to fool a skilled, determined attacker, merely to cloud the playing field with tens of thousands of fake services, all without causing unreasonable stress on the thp host.

The Deception Toolkit, by Fred Cohen & Associates
The Deception ToolKit (DTK) is a toolkit designed to give defenders a couple of orders of magnitude advantage over attackers. The basic idea is not new: deception is used to counter attacks. In the case of DTK, the deception is intended to make it appear to attackers as if the system running DTK has a large number of widely known vulnerabilities. DTK's deception is programmable, but it is typically limited to producing output in response to attacker input so as to simulate the behavior of a system that is vulnerable to the attacker's method.

User-Mode Linux (UML), by Jeff Dike
User-Mode Linux gives you a virtual machine that may have more virtual hardware and software resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained in a single file on your physical machine. You can give your virtual machine only the hardware access you want it to have; with properly limited access, nothing you do on the virtual machine can change or damage your real computer or its software.