HONEYPOT UTILITIES

ARGOS

http://www.few.vu.nl/argos/

ARGOS IS A FULL AND SECURE SYSTEM EMULATOR DESIGNED FOR USE IN HONEYPOTS. IT IS BASED ON QEMU, AN OPEN SOURCE EMULATOR THAT USES DYNAMIC TRANSLATION TO ACHIEVE A FAIRLY GOOD EMULATION SPEED. ARGOS EXTENDS QEMU TO ENABLE IT TO DETECT REMOTE ATTEMPTS TO COMPROMISE THE EMULATED GUEST OPERATING SYSTEM. USING DYNAMIC TAINT ANALYSIS IT TRACKS NETWORK DATA THROUGHTOUT EXECUTION AND DETECTS ANY ATTEMPTS TO USE THEM IN AN ILLEGAL WAY. WHEN AN ATTACK IS DETECTED THE MEMORY FOOTPRINT OF THE ATTACK IS LOGGED. ARGOS IS THE FIRST STEP TO CREATE A FRAMEWORK THAT WILL USE NEXT GENERATION HONEYPOTS TO AUTOMATICALLY IDENTIFY AND PRODUCE REMEDIES FOR ZERO-DAY WORMS, AND OTHER SIMILAR ATTACKS. NEXT GENERATION HONEYPOTS SHOULD NOT REQUIRE THAT THE HONEYPOT'S IP ADDRESS REMAINS UN-ADVERTISED. ON THE CONTRARY, IT SHOULD ATTEMPT TO PUBLICISE ITS SERVICE AND EVEN ACTIVELY GENERATE TRAFFIC. IN FORMAT HONEYPOTS THIS WAS OFTEN IMPOSSIBLE, BECAUSE MALEVOLENT AND BENEVOLENT TRAFFIC COULD NOT BE DISTINGUISHED. SINCE ARGOS IS EXPLICITLY SIGNALLING EACH POSSIBLY SUCCESSFUL EXPLOIT ATTEMP, WE ARE NOW ABLE TO DIFFERENTIATE MALICIOUS FROM INNOCUOUS TRAFFIC.

BACK OFFICER

http://www.nfr.com/resource/backOfficer.php

KNOWN AS A "HONEY POT" FOR ITS ABILITY TO ATTRACT AND TRAP HACKERS, BACK OFFICER FRIENDLY (BOF) IS A POPULAR FREE DOWNLOAD AVAILABLE EXCLUSIVELY FROM NFR SECURITY, INC. BACK OFFICER FRIENDLY WAS ORIGINALLY CREATED TO DETECT WHEN ANYONE ATTEMPTS A BACK ORIFICE SCAN AGAINST YOUR COMPUTER. IT HAS SINCE EVOLVED TO DETECT ATTEMPTED CONNECTIONS TO OTHER SERVICES, SUCH TELNET, FTP, SMTP, POP3 AND IMAP2. WHEN BOF RECEIVES A CONNECTION TO ONE OF THESE SERVICES, IT WILL FAKE REPLIES TO THE HOPEFUL HACKER, WASTING THE ATTACKER'S TIME, AND GIVING YOU TIME TO STOP THEM FROM OTHER MISCHIEF.

CAPTURE BAT

http://www.nz-honeynet.org/capture-standalone.html

CAPTURE BAT IS A BEHAVIORAL ANALYSIS TOOL OF APPLICATIONS FOR THE WIN32 OPERATING SYSTEM FAMILY. CAPTURE BAT IS ABLE TO MONITOR THE STATE OF A SYSTEM DURING THE EXECUTION OF APPLICATIONS AND PROCESSING OF DOCUMENTS, WHICH PROVIDES AN ANALYST WITH INSIGHTS ON HOW THE SOFTWARE OPERATES EVEN IF NO SOURCE CODE IS AVAILABLE. CAPTURE BAT MONITORS STATE CHANGES ON A LOW KERNEL LEVEL AND CAN EASILY BE USED ACROSS VARIOUS WIN32 OPERATING SYSTEM VERSIONS AND CONFIGURATIONS.
CAPTURE BAT PROVIDES A POWERFUL MECHANISM TO EXCLUDE EVENT NOISE THAT NATURALLY OCCURS ON AN IDLE SYSTEM OR WHEN USING A SPECIFIC APPLICATION. THIS MECHANISM IS FINE-GRAINED AND ALLOWS AN ANALYST TO TAKE INTO ACCOUNT THE PROCESS THAT CAUSE THE VARIOUS STATE CHANGES. AS A RESULT, THIS MECHANISM EVEN ALLOWS CAPTURE TO ANALYZE THE BEHAVIOR OF DOCUMENTS THAT EXECUTE WITHIN THE CONTEXT OF AN APPLICATION, FOR EXAMPLE THE BEHAVIOR OF A MALICIOUS MICROSOFT WORD DOCUMENT.

GHH (THE GOOGLE HACK HONEYPOT)

http://ghh.sourceforge.net/

GHH IS THE REACTION TO A NEW TYPE OF MALICIOUS WEB TRAFFIC: SEARCH ENGINE HACKERS. IT IS DESIGNED TO PROVIDE RECONAISSANCE AGAINST ATTACKERS THAT USE SEARCH ENGINES AS A HACKING TOOL AGAINST YOUR RESOURCES. GHH IMPLEMENTS HONEYPOT THEORY TO PROVIDE ADDITIONAL SECURITY TO YOUR WEB PRESENCE. MIRRORING THE GROWTH OF THE GOOGLE INDEX, THE SPREAD OF WEB-BASED APPLICATIONS SUCH AS MESSAGE BOARDS AND REMOTE ADMINISTRATIVE TOOLS HAS RESULTED IN AN INCREASE IN THE NUMBER OF MISCONFIGURED AND VULNERABLE WEB APPS AVAILABLE ON THE INTERNET. THESE INSECURE TOOLS, WHEN COMBINED WITH THE POWER OF A SEARCH ENGINE AND INDEX WHICH GOOGLE PROVIDES, RESULTS IN A CONVENIENT ATTACK VECTOR FOR MALICIOUS USERS. GHH IS A TOOL TO COMBAT THIS THREAT. GHH EMULATES A VULNERABLE WEB APPLICATION BY ALLOWING ITSELF TO BE INDEXED BY SEARCH ENGINES. IT'S HIDDEN FROM CASUAL PAGE VIEWERS, BUT IS FOUND THROUGH THE USE OF A CRAWLER OR SEARCH ENGINE. IT DOES THIS THROUGH THE USE OF A TRANSPARENT LINK WHICH ISN'T DETECTED BY CASUAL BROWSING BUT IS FOUND WHEN A SEARCH ENGINE CRAWLER INDEXES A SITE.

HIHAT

http://hihat.sourceforge.net/

THE HIGH INTERACTION HONEYPOT ANALYSIS TOOLKIT (HIHAT) ALLOWS TO TRANSFORM ARBITRARY PHP APPLICATIONS INTO WEB-BASED HIGH-INTERACTION HONEYPOTS.

FURTHERMORE A GRAPHICAL USER INTERFACE IS PROVIDED WHICH SUPPORTS THE PROCESS OF MONITORING THE HONEYPOT AND ANALYSING THE ACQUIRED DATA.

FEATURES:

  • AUTOMATICALLY SCANS FOR KNOWN ATTACKS.
  • PROVIDES AN OVERVIEW MODE WHICH ALLOWS YOU TO LOOK FOR NEW INCIDENTS QUICKLY.
  • SUPPORTS DETAILED INFORMATION ABOUT ALL DATA CORRELATED WITH EVERY ACCESS TO THE HONEYPOT.

THIS INCLUDES BUT IS NOT LIMITED TO HTTP-GET, HTTP-POST AND COOKIE DATA.

  • SAVES COPIES OF MALICIOUS TOOLS IN A SECURED PLACE FOR LATER ANALYSIS.
  • PROVIDES A GEOGRAPHICAL, IP-BASED MAPPING ABOUT THE ATTACK SOURCES.
  • GENERATES NUMEROUS STATISTICS ABOUT ALL TRAFFIC RECOGNIZED AT THE SYSTEM.

HOACD

http://www.honeynet.org.br/tools/

HOACD IS THE IMPLEMENTATION OF A LOW-INTERACTION HONEYPOT, BASED ON HONEYD, THAT RUNS DIRECTLY FROM A CD AND STORES ITS LOGS AND CONFIGURATION FILES ON A HARD DISK. THE CD IS BOOTABLE AND USES: THE OPENBSD/I386 OPERATING SYSTEM; THE LOW-INTERACTION HONEYPOT HONEYD; AND THE USER-SPACE ARP DAEMON. IT IS COMPOSED OF A COUPLE OF APPLICATIONS DEFINED BY THE BRAZILIAN DISTRIBUTED HONEYPOTS PROJECT.

HONEYBOT

http://www.atomicsoftwaresolutions.com/honeybot.php

HONEYBOT IS A WINDOWS BASED MEDIUM INTERACTION HONEYPOT SOLUTION. HONEYBOT WORKS BY OPENING OVER 1000 UDP AND TCP LISTENING SOCKETS ON YOUR COMPUTER AND THESE SOCKETS ARE DESIGNED TO MIMIC VULNERABLE SERVICES. WHEN AN ATTACKER CONNECTS TO THESE SERVICES THEY ARE FOOLED INTO THINKING THEY ARE ATTACKING A REAL SERVER. THE HONEYPOT SAFELY CAPTURES ALL COMMUNICATIONS WITH THE ATTACKER AND LOGS THESE RESULTS FOR FUTURE ANALYSIS. SHOULD AN ATTACKER ATTEMPT AN EXPLOIT OR UPLOAD A ROOTKIT OR TROJAN TO THE SERVER THE HONEYPOT ENVIRONMENT WILL SAFELY STORE THESE FILES ON YOUR COMPUTER FOR ANALYSIS AND SUBMISSION TO ANTIVIRUS VENDORS.

HONEYBOW SENSOR

http://honeybow.mwcollect.org/

HONEYBOW SENSOR IS A MALWARE COLLECTION HONEYPOT BASED ON THE HIGH INTERACTION HONEYPOT PRINCIPLE, PUBLISHED UNDER THE GPL LICENSE. IT IS RELEASED UNDER THE NAME OF MWCOLLECT.ORG, AND CAN BE INTEGRATED WITH NEPENTHES SENSORS (BASED ON THE LOW INTERACTION HONEYPOT PRINCIPLE) AND THE MWCOLLECT ALLIANCE'S GOTEK ARCHITECTURE, TO ACHIEVE A MOST INTEGRATED MALWARE COLLECTION SOLUTION.

HONEYD

http://www.citi.umich.edu/u/provos/honeyd/

HONEYD IS A SMALL DAEMON THAT CREATES VIRTUAL HOSTS ON A NETWORK. THE HOSTS CAN BE CONFIGURED TO RUN ARBITRARY SERVICES, AND THEIR PERSONALITY CAN BE ADAPTED SO THAT THEY APPEAR TO BE RUNNING CERTAIN OPERATING SYSTEMS. HONEYD ENABLES A SINGLE HOST TO CLAIM MULTIPLE ADDRESSES ON A LAN FOR NETWORK SIMULATION. HONEYD IMPROVES CYBER SECURITY BY PROVIDING MECHANISMS FOR THREAT DETECTION AND ASSESSMENT. IT ALSO DETERS ADVERSARIES BY HIDING REAL SYSTEMS IN THE MIDDLE OF VIRTUAL SYSTEMS.

HONEYNET SECURITY CONSOLE

http://www.activeworx.org/programs/hsc/index.htm

HONEYNET SECURITY CONSOLE IS AN ANALYSIS TOOL TO VIEW EVENTS ON YOUR PERSONAL NETWORK OR HONEYNET. IT GIVES YOU THE POWER TO VIEW EVENTS FROM SNORT, TCPDUMP, FIREWALL, SYSLOG AND SEBEK LOGS. IT ALSO ALLOWS YOU TO CORRELATE EVENTS FROM EACH OF THESE DATA TYPES TO HAVE A FULL GRASP OF THE ATTACKERS' ACTIONS.

HONEYPERL

http://sourceforge.net/projects/honeyperl/

HONEYPOT SOFTWARE BASED ON PERL WITH MANY PLUGINS LIKE FAKEHTTP, FAKESMTP, FAKESQUID, FAKETELNET, ETC.

HONEYSNAP

http://www.honeynet.org/tools/honeysnap/index.html

HONEYSNAP IS DESIGNED TO BE A COMMAND-LINE TOOL FOR PARSING SINGLE OR MULTIPLE PCAP DATA FILES AND PRODUCING A 'FIRST-CUT' ANALYSIS REPORT THAT IDENTIFIES SIGNIFICANT EVENTS WITHIN THE PROCESSED DATA. THIS PRESENTS SECURITY ANALYSTS WITH A PRE-PREPARED MENU OF HIGH VALUE NETWORK ACTIVITY, AIMED AT FOCUSING MANUAL FORENSIC ANALYSIS AND SAVING SIGNIFICANT INCIDENT INVESTIGATION TIME. ONCE YOU HAVE IDENTIFIED DATA THAT INTERESTS YOU, YOU CAN THEN EMPLOY OTHER TOOLS FOR MORE IN DEPTH ANALYSIS, SUCH AS THE WALLEYE USER INTERFACE TO THE HONEYWALL. HONEYSNAP IS ALSO SUITABLE FOR MANUAL OPERATION OR AUTOMATION VIA CRON.

EXAMPLES OF FUNCTIONALITY INCLUDE:

  • PACKET AND CONNECTION OVERVIEW.
  • FLOW EXTRACTION OF ASCII BASED COMMUNICATIONS.
  • PROTOCOL DECODE OF THE MORE COMMON INTERNET COMMUNICATION PROTOCOLS.
  • BINARY FILE TRANSFER EXTRACTION.
  • FLOW SUMMARY OF INBOUND AND OUTBOUND CONNECTIONS.
  • KEYSTROKE EXTRACTION OF VER2 AND VER 3 SEBEK DATA.
  • IDENTIFICATION AND ANALYSIS OF IRC TRAFFIC, INCLUDING KEYWORD MATCHING.

HONEYSTICK

http://www.ukhoneynet.org/research/honeystick-howto/

HONEYSTICK IS A PORTABLE HONEYNET DEMONSTRATION AND INCIDENT RESPONSE TOOL - AN COMPLETE OS PLATFORM, GENIII HONEYWALL AND ONE OR MORE HONEYPOTS ON A SINGLE BOOTABLE USB STICK.

HONEYWALL CDROM

http://www.honeynet.org/tools/cdrom/

THE HONEYWALL CDROM COMBINES ALL THE TOOLS AND REQUIREMENTS OF A HONEYNET GATEWAY ON AN EASY TO USE, BOOTABLE CDROM. THE INTENT IS TO MAKE HONEYNETS EASIER TO DEPLOY AND CUSTOMIZE. YOU SIMPLY BOOT OFF THE CDROM, CONFIGURE IT BASED ON YOUR ENVIRONMENT, AND YOU SHOULD HAVE A HONEYWALL GATEWAY READY TO GO. THE CDROM SUPPORTS SEVERAL CONFIGURATION METHODS, INCLUDING AN INTERACTIVE MENU AND .ISO CUSTOMIZATION SCRIPTS. THE CDROM IS AN APPLIANCE, BASED ON A MINIMIZED AND SECURED LINUX OS.

IMPOST

http://impost.sourceforge.net/

IMPOST IS A NETWORK SECURITY AUDITING TOOL DESIGNED TO ANALYZE THE FORENSICS BEHIND COMPROMISED AND/OR VULNERABLE DAEMONS. THERE ARE TWO DIFFERENT KINDS OF OPERATING MODES USED BY IMPOST; IT CAN EITHER ACT AS A HONEY POT OR TAKE ORDERS FROM A PERL SCRIPT CONTROLLING HOW IT RESPONDS AND COMMUNICATES WITH CONNECTING CLIENTS; OR IT CAN OPERATE AS A PACKET SNIFFER AND MONITOR INCOMING DATA TO SPECIFIED DESTINATION PORT SUPPLIED BY THE COMMAND-LINE ARGUMENTS.

KFSENSOR

http://www.keyfocus.net/kfsensor/

KFSENSOR IS A WINDOWS BASED HONEYPOT INTRUSION DETECTION SYSTEM (IDS). IT ACTS AS A HONEYPOT TO ATTRACT AND DETECT HACKERS AND WORMS BY SIMULATING VULNERABLE SYSTEM SERVICES AND TROJANS. BY ACTING AS A DECOY SERVER IT CAN DIVERT ATTACKS FROM CRITICAL SYSTEMS AND PROVIDE A HIGHER LEVEL OF INFORMATION THAN CAN BE ACHIEVED BY USING FIREWALLS AND NIDS ALONE. KFSENSOR IS DESIGNED FOR USE IN A WINDOWS BASED CORPORATE ENVIRONMENT AND CONTAINS MANY INNOVATIVE AND UNIQUE FEATURES SUCH AS REMOTE MANAGEMENT, A SNORT COMPATIBLE SIGNATURE ENGINE AND EMULATIONS OF WINDOWS NETWORKING PROTOCOLS. WITH ITS GUI BASED MANAGEMENT CONSOLE, EXTENSIVE DOCUMENTATION AND LOW MAINTENANCE, KFSENSOR PROVIDES A COST EFFECTIVE WAY OF IMPROVING AN ORGANIZATION'S NETWORK SECURITY.

KOJONEY

http://kojoney.sourceforge.net/

KOJONEY IS A LOW LEVEL INTERACTION HONEYPOT THAT EMULATES AN SSH SERVER. THE DAEMON IS WRITTEN IN PYTHON USING THE TWISTED CONCH LIBRARIES. TOGETHER WITH THE KOJONEY DAEMON ARE ALSO DISTRIBUTED SOME OTHER TOOLS, SUCH AS KIP2COUNTRY (IP TO COUNTRY) AND KOJREPORT, A TOOL TO GENERATE REPORTS FROM THE LOG FILES.

LABREA TARPIT

http://packetstormsecurity.org/UNIX/IDS/LaBrea.tgz

LABREA IS PROGRAM THAT CREATES A TARPIT OR, AS SOME HAVE CALLED IT A "STICKY HONEYPOT". LABREA TAKES OVER UNUSED IP ADDRESSES ON A NETWORK AND CREATES "VIRTUAL MACHINES" THAT ANSWER TO CONNECTION ATTEMPTS. LABREA ANSWERS THOSE CONNECTION ATTEMPTS IN A WAY THAT CAUSES THE MACHINE AT THE OTHER END TO GET "STUCK", SOMETIMES FOR A VERY LONG TIME.

NETBAIT

http://www.netbaitinc.com/

NETBAIT ACTS AS AN ADDITIONAL LAYER OF DEFENSE, DIVERTING INTRUDERS FROM YOUR REAL SYSTEMS AND DIRECTING THEM TO CONTROLLED COMPUTING ENVIRONMENTS, OR PSEUDO-NETWORKS. NETBAIT CREATES THESE ENVIRONMENTS BY PROJECTING A DIVERSIONARY PICTURE OF YOUR NETWORK. THIS PICTURE CONSISTS OF YOUR REAL NETWORK NODES SURROUNDED BY MULTIPLES OF "FAKE" NETBAIT NODES OR "TARGETS", EACH OF WHICH MAY BE CONFIGURED TO PRESENT ANY COMBINATION OF OPERATING SYSTEMS, SERVICES, AND APPLICATIONS.

NEPENTHES

http://nepenthes.mwcollect.org/documentation:readme

NEPENTHES IS A LOW INTERACTION HONEYPOT LIKE HONEYD OR MWCOLLECT. LOW INTERACTION HONEYPOTS EMULATE _KNOWN_ VULNERABILITIES TO COLLECT INFORMATION ABOUT POTENTIAL ATTACKS. NEPENTHES IS DESIGNED TO EMULATE VULNERABILTIES WORMS USE TO SPREAD, AND TO CAPTURE THESE WORMS. AS THERE ARE MANY POSSIBLE WAYS FOR WORMS TO SPREAD, NEPENTHES IS MODULAR.

THERE ARE MODULE INTERFACE TO:

  • RESOLVE DNS ASYNCHRONOUS
  • EMULATE VULNERABILITIES
  • DOWNLOAD FILES
  • SUBMIT THE DOWNLOADED FILES
  • TRIGGER EVENTS (SOUNDS ABSTRACT AND IT IS ABSTRACT BUT IS STILL QUITE USEFUL)
  • SHELLCODE HANDLER

PE HUNTER

http://honeytrap.mwcollect.org/pehunter

PE HUNTER IS A LITTLE SNORT PLUGIN (AKA DYNAMIC PREPROCESSOR) FOR EXTRACTING WINDOWS EXECUTABLES (FILES IN PE FORMAT) FROM THE NETWORK STREAM.
TO DO SO, IT FIRST SPOTS A PE HEADER AND THEN USES A SIMPLE HEURISTIK TO CALCULATE THE FILE LENGTH. STARTING AT THE HEADER OFFSET IN A STREAM, THE RESULTING NUMBER OF BYTES IS THEN DUMPED TO A FILE.
THIS TECHNIQUE DOES NOT WORK FOR SOME SPECIALLY CRAFTED BINARIES, E.G., SELF-EXTRACTING ARCHIVES OR PROGRAMS WITH ADDITIONAL DATA AFTER THE END OF THE LAST SECTION SINCE THERE IS NO WAY TO PASSIVELY IDENTIFY SUCH DATA IN A STREAM. HOWEVER, I FOUND IT TO WORK FOR MOST MALWARE OUT THERE. AND THAT IS WHAT PE HUNTER WAS ACTUALLY WRITTEN FOR - SITTING IN FRONT OF HONEYPOTS TO GRAB MALWARE FROM THE WIRE.

SEBEK

http://www.honeynet.org/tools/sebek/

SEBEK IS A DATA CAPTURE TOOL DESIGNED TO CAPTURE ATTACKER'S ACTIVITIES ON A HONEYPOT, WITHOUT THE ATTACKER (HOPEFULLY) KNOWING IT. IT HAS TWO COMPONENTS. THE FIRST IS A CLIENT THAT RUNS ON THE HONEYPOTS, ITS PURPOSE IS TO CAPTURE ALL OF THE ATTACKERS ACTIVITIES (KEYSTROKES, FILE UPLOADS, PASSWORDS) THEN COVERTLY SEND THE DATA TO THE SERVER. THE SECOND COMPONENT IS THE SERVER WHICH COLLECTS THE DATA FROM THE HONEYPOTS.

SANDTRAP

http://www.sandstorm.net/products/sandtrap/

SANDTRAP IS A MULTI-MODEM WARDIALER DETECTOR (A.K.A. DIALUP HONEYPOT). IT CAN LOG INCOMING CALLS ON UP TO 16 LINES, OR IN TRAP MODE, EMULATE ONE OR MORE "OPEN MODEMS" BY ANSWERING A CALLER WITH A USER-CONFIGURABLE BANNER AND LOGIN PROMPT. IT THEN LOGS THE CALLER ID INFORMATION AND THE FULL TEXT OF ANY ATTEMPTS TO LOG IN OR HACK THE SYSTEM, AND SENDS AN ALERT TO WARN YOU OF THE SUSPICIOUS ACTIVITY IN REAL TIME.

SMTP HONEYPOT

http://llama.whoi.edu/smtpot.py

STANDALONE SMTP HONEYPOT WRITTEN IN PYTHON. THIS IS A (SIMPLE) PROGRAM WHICH PRETENDS TO BE AN OPEN MAIL RELAY. ACCUMULATES MAIL TO MAILBOX FILES.

SPAMPOT.PY

http://woozle.org/~neale/src/python/spampot.py

SPAM HONEYPOT SMTP SERVER. THIS JUST SITS ON PORT 25 OF WHATEVER IP YOU PASS IN AS AN ARGUMENT, AND SPOOLS EVERY MESSAGE OUT TO MAILDIR. IT TRIES TO LOOK LIKE AN OLD SENDMAIL SERVER, TO MAXIMIZE CHANCES OF BEING TAGGED AS AN OPEN RELAY.

SPECTER

http://www.specter.com/default50.htm

SPECTER IS A SMART HONEYPOT OR DECEPTION SYSTEM. IT SIMULATES A COMPLETE MACHINE, PROVIDING AN INTERESTING TARGET TO LURE HACKERS AWAY FROM THE PRODUCTION MACHINES. SPECTER OFFERS COMMON INTERNET SERVICES SUCH AS SMTP, FTP, POP3, HTTP AND TELNET WHICH APPEAR PERFECTLY NORMAL TO THE ATTACKERS BUT IN FACT ARE TRAPS FOR THEM TO MESS AROUND AND LEAVE TRACES WITHOUT EVEN KNOWING THAT THEY ARE CONNECTED TO A DECOY SYSTEM WHICH DOES NONE OF THE THINGS IT APPEARS TO DO BUT INSTEAD LOGS EVERYTHING AND NOTIFIES THE APPROPRIATE PEOPLE. FURTHERMORE, SPECTER AUTOMATICALLY INVESTIGATES THE ATTACKERS WHILE THEY ARE STILL TRYING TO BREAK IN. SPECTER PROVIDES MASSIVE AMOUNTS OF DECOY CONTENT AND IT GENERATES DECOY PROGRAMS THAT WILL LEAVE HIDDEN MARKS ON THE ATTACKER'S COMPUTER. AUTOMATED WEEKLY ONLINE UPDATES OF THE HONEYPOT'S CONTENT AND VULNERABILITY DATABASES ALLOW THE HONEYPOT TO CHANGE CONSTANTLY WITHOUT USER INTERACTION.

SWISH

http://shat.net/swish/

SWISH IS A BASIC MULTITHREADED SMTP HONEYPOT DESIGNED TO BE RUN ON WINDOWS. A HONEYPOT IS GENERALLY DEFINED AS A SYSTEM WHICH HAS BEEN LEFT INTENTIONALLY VULNERABLE, IN HOPES THAT SOMEONE WILL EXPLOIT IT. IN THE CASE OF AN SMTP HONEYPOT, THE IDEA IS TO ATTRACT SPAMMERS WHO BELIEVE THAT YOUR HONEYPOT IS ACTUALLY AN OPEN SMTP RELAY. ONCE A SPAMMER TAKES YOUR BAIT, HE MAY PUMP HIS GARBAGE INTO YOUR HONEYPOT, WHICH ABSORBS THE MESSAGES INSTEAD OF DELIVERING THEM. BY RUNNING AN SMTP HONEYPOT, YOU CAN HELP TO CURB THE FLOW OF SPAM. THERE IS NO GUI, SWISH IS A CONSOLE APPLICATION. YOU MUST HAVE ACCESS TO A WINDOWS COMMAND PROMPT IN ORDER TO USE THIS PROGRAM.

TINY HONEYPOT (THP)

http://www.alpinista.org/thp/

THP APPEARS TO LISTEN ON ALL PORTS OTHERWISE NOT IN LEGITIMATE USE, PROVIDING A SERIES OF PHONY RESPONSES TO ATTACKER COMMANDS. SOME ARE VERY SIMPLE, OTHERS ARE SOMEWHAT MORE INTERACTIVE. THE GOAL ISN'T TO FOOL A SKILLED, DETERMINED ATTACKER…MERELY TO CLOUD THE PLAYING FIELD WITH TENS OF THOUSANDS OF FAKE SERVICES, ALL WITHOUT CAUSING UNREASONABLE STRESS ON THE THP HOST.

THE DECEPTION TOOLKIT (DTK)

http://www.all.net/dtk/index.html

THE DECEPTION TOOLKIT (DTK) IS A TOOLKIT DESIGNED TO GIVE DEFENDERS A COUPLE OF ORDERS OF MAGNITUDE ADVANTAGE OVER ATTACKERS. THE BASIC IDEA IS NOT NEW. WE USE DECEPTION TO COUNTER ATTACKS. IN THE CASE OF DTK, THE DECEPTION IS INTENDED TO MAKE IT APPEAR TO ATTACKERS AS IF THE SYSTEM RUNNING DTK HAS A LARGE NUMBER OF WIDELY KNOWN VULNERABILITIES. DTK'S DECEPTION IS PROGRAMMABLE, BUT IT IS TYPICALLY LIMITED TO PRODUCING OUTPUT IN RESPONSE TO ATTACKER INPUT IN SUCH A WAY AS TO SIMULATE THE BEHAVIOR OF A SYSTEM WHICH IS VULNERABLE TO THE ATTACKERS METHOD.

USER-MODE LINUX (UML)

http://user-mode-linux.sourceforge.net/

USER-MODE LINUX GIVES YOU A VIRTUAL MACHINE THAT MAY HAVE MORE HARDWARE AND SOFTWARE VIRTUAL RESOURCES THAN YOUR ACTUAL, PHYSICAL COMPUTER. DISK STORAGE FOR THE VIRTUAL MACHINE IS ENTIRELY CONTAINED INSIDE A SINGLE FILE ON YOUR PHYSICAL MACHINE. YOU CAN ASSIGN YOUR VIRTUAL MACHINE ONLY THE HARDWARE ACCESS YOU WANT IT TO HAVE. WITH PROPERLY LIMITED ACCESS, NOTHING YOU DO ON THE VIRTUAL MACHINE CAN CHANGE OR DAMAGE YOUR REAL COMPUTER, OR ITS SOFTWARE.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License