To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.


Adding a scoring system in peepdf

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides Javascript and shellcode analysis wrappers too. Apart of this it is able to create new PDF files, modify existing ones and obfuscate them.
In addition to providing the tools for analyzing PDF documents, we also wanted to provide some indication about how likely it is that a given PDF file is malicious. Adding such a scoring system in peepdf was one of the projects of Honeynet Google Summer of Code (GSoC) 2015 program, and the student Rohit Dua did a great job.
The scoring system has the goal of giving valuable advice about the maliciousness of the PDF file that’s being analyzed. The first step to accomplish this task is identifying the elements which permit to distinguish if a PDF file is malicious or not, like Javascript code, lonely objects, huge gaps between objects, detected vulnerabilities, etc. The next step is calculating a score out of these elements and test it with a large collection of malicious and not malicious PDF files in order to tweak it. Read more »

mitmproxy: HTTP/2 Support and GSoC 2016

HTTP2 Support for mitmproxy
We are happy to announce the immediate availability of mitmproxy 0.16! As a major new feature, Thomas Kriechbaumer – who joined us as a Google Summer of Code (GSoC) Student last year – contributed a brand new HTTP/2 implementation built on top of hyper-h2. HTTP/2 requests now blend into the mitmproxy UI just like regular HTTP 1 requests, making mitmproxy the first interactive HTTPS proxy with HTTP/2 support! All HTTP/2 features from RFC7540 are supported - including PUSH_PROMISE, RST_STREAM, and as many concurrent streams as you want. We are super excited about the improvements Thomas is bringing us here and we encourage you to try them out. To make a transition as seamless as possible, HTTP/2 needs to be enabled manually for now by passing --http2 to mitmproxy. We plan to remove this requirement with one of the next releases. For a full list of changes, take a look at the changelog posted below!

Google Summer of Code 2016

2012 was a big year for me - being only just out of my freshman year, Honeynet accepted my application as a GSoC Student and I got introduced to the world of free and open-source software development and started contributing to mitmproxy. Long story short, I think this program is one of the major reasons why I am now writing this blog post as one of mitmproxy’s core contributors. Last year, I was in the fortunate position to mentor a student myself - we’re super happy that not only Thomas’ project was a great success, but we also gained a very strong new mitmproxy contributor who is contributing well beyond his GSoC.
I am very happy to announce that we are applying under the umbrella of Honeynet as a GSoC Organization this year again. The last six years’ projects have generated long-lasting successes at Honeynet, so we can’t wait to get in touch with students this year again!
  Read more »

ARTDroid: an easy-to-use framework for hooking under ART

During Google Summer of Code 2015, in the Honeynet Project open-source org, Valerio Costamagna and Cong Zheng (mentor) worked on ARTDroid, an easy-to-use framework for hooking virtual-method under latest Android runtime (ART). Read more »

The Spamhattan Project

Let’s develop a nextgen spamtrap and create intel feeds for .NL
A rising amount of criminals are spreading cryptoware in order to ‘make money’. Cryptoware is ransomware that secretly encrypts files, like documents and pictures, of innocent users. The criminals make money by selling the decryption key. Most of the cryptoware is spread via email. Virus-scanners and anti-spam solutions have a hard time in defending against those threats and often there are no Indicators of Compromise (IoC) that help detecting infected devices in an early phase. Read more »

Improved logging capabilities of dionaea

recently I made fork of dionaea and DionaeaFR. Changes that I did are related with remote logging to relational database. Dionaea honeypot can now log remotely to postgresql database. In DionaeaFR frontend I had to do some changes, so it could support reading data from postgresql.
Links are and
I think that some one could use that so I write this post.  
  Read more »

Frontends for shockpot and wordpot

recently I published forks of shockpot and wordpot on GitHub.  Read more »

Revitalizing a Centralised Honeypot Framework

Bringing the dead back to life
In early 2005 the SURFids Framework, later renamed to SURFcert IDS, was developed ( The unique concept was the centralised detection approach, based on honeypots, with decentralised sensors running OpenVPN. From a marketing perspective ‘IDS’ was chosen in the name, in that age a popular term. Many organisations worldwide have used this open-source framework, however with a last update on the code in 2011, the project slowly died.
In early 2015, several members of the HoneyNED project (, being part of HoneyNet (, decided to revitalize SURFids under a new name: Anansi
Read more »

Conpot 0.5.0 released

The Conpot development team is proud to announce the 0.5.0 release. Highlights of this release are the support for two new protocols and one additional device. Peter Soóky did a major contribution with support for the BACnet protocol, which is used for building automation and control networks, and support for IPMI, which is used an interface to a computer subsystem that provides management and monitoring capabilities independently of the host system's CPU, firmware and operating system (consider the insights you can get from someone exploiting this). As mentioned in an earlier blog post, we also added support to emulate a Guardian AST device. This is based on the research from Kyle Wilhoit and Stephen Hilt.
Another goal of this release was to improve the ease of deployment. Therefore we added a Docker container template. Thanks to our contributors, we also have documentation on how to run Conpot on CentOS.
To avoid some easy fingerprinting, we added the feature to modify the MAC address of the interface Conpot is listening on. So now your hardware address can match the device manufacturer you are intending to emulate.
As with every other release, we tried to improve our test coverage and code quality in order to increase the honeypots stability.

If you are enjoying Conpot, please consider enabling HPFeeds in order to share data with us. We are also looking for new developers to join, so don’t be shy and get in touch!

Cuckoo Sandbox meets Mac OS X

Posting this blogpost on behalf of Dmitry Rodionov.

Hi there! I'm Dmitry Rodionov and this summer I've been working on an OS X analyzer for Cuckoo Sandbox project.

Cuckoo Sandbox

First things first: what is Cuckoo Sandbox? Imagine a box you can put any suspicious program or script into and immediately receive a complete description of what this program is and what it does. Well, that's Cuckoo! Read more »

Syndicate content