So you want to build your own honeypot.
Located here are links that will take you to honeypot solutions, or utilities
that allow you to build your own honeypots. This is where the real fun
A commercial, easy to use low-interaction honeypot designed for Windows.
- KFSensor. A powerful and
easy to use low-interaction Windows honeypot, designed primarily for detection.
Extensive capabilities, including NetBIOS simulation and interoperability with
Honeyd scripts. Free evaluation copies.
- NetBait: A very novel and powerful
commercial solution. NetBait can be a product or service. Either way, it operates
by redirecting attacks against unused IP space to 'honeypot farms'.
- ManTrap: Now called Decoy Server, ManTrap is a high-interaction honeypot sold
by Symantec. ManTrap is unique in
that it provides complete operating systems for attackers to interact with, capturing
their every action. ManTrap has outstanding data collection capabilities. Currently
only runs on Solaris.
- Specter: Specter is a low-interaction honeypot
designed to run on Windows. It can emulate 13 different operating systems, monitor
up to 14 TCP ports, and has a variety of configuration and notification features. One of
Specter's greatest strengths is its ease of use.
OpenSource / Free Honeypots
- Bubblegum Proxypot. An open
proxy honeypot for deceiving and detecting spammers.
- Jackpot. An open relay honeypot, also aimed at
- BackOfficer Friendly: BOF is
a free Windows-based honeypot designed to be used as a burglar alarm. Written by
Marcus Ranum and the NFR folks in 1998, BOF is extremely easy to use and runs on
any Windows platform. However, it is very limited and can listen on only 7 ports.
If you have never installed a honeypot before, this is a great place to start.
- Bait-n-Switch. Not
really a honeypot. Instead, a technology that directs all non-production or unauthorized
traffic to your honeypots. Very powerful concept.
- Bigeye. A low-interaction
honeypot that emulates several services.
- HoneyWeb. Emulates different
types of webservers. Can dynamically change itself based on the type of requests.
- Deception Toolkit: DTK was the first
OpenSource honeypot, released in 1997. Written by Fred Cohen, DTK is a collection
of Perl scripts and C source code that emulates a variety of listening services.
Its primary purpose is to deceive human attackers. This tool is dated, but one of
the first honeypots ever released.
- LaBrea Tarpit: This
OpenSource honeypot is unique in that it is designed to slow down or stop attacks
by acting as a sticky honeypot. It can run on Windows or Unix.
- Honeyd: This is a
powerful, low-interaction OpenSource honeypot, released by Niels Provos in 2002. Honeyd, written in
C and designed for Unix platforms, introduces a variety of new concepts, including the
ability to monitor millions of unused IPs, spoof IP stacks, and simulate hundreds
of operating systems at the same time. It also monitors all UDP and TCP based ports.
- You can try out Honeyd with the Honeyd Linux Toolkit. A toolkit
containing all the configuration files, precompiled static binaries, and startup scripts
to get Honeyd instantly up and running on your Linux computer. Based on Honeyd 0.5
with patch 001.
- The Brazilian Honeynet Project has developed a
Honeyd bootable CDROM. They are using it for large scale deployments of Honeyd. It's very
exciting stuff; I recommend you check out their work.
- Honeynets: These are
entire networks of systems designed to be compromised. Honeynets are the most
complex of honeypot solutions and have the greatest risk. However, they can
also capture the most information of any honeypot.
- Sendmail SPAM Trap. This honeypot identifies
Spammers and captures their SPAM, without relaying it to any victims. Best of
all, VERY easy to set up!
- Tiny Honeypot. Written by George Bakos,
Tiny Honeypot is unique in that it always appears vulnerable. No matter what attack a
hacker launches, it will appear successful. Great tool for collecting all sorts of
information on the bad guys.