Projects

This page contains a list of tools and services that we use on a regular basis. Most of these tools have been created by our members and participating GSoC students, but some are also external and not affiliated with the Honeynet Project. We hope you find the below link collection useful. If you see that a specific tool is not listed but should be, feel free to email projects@honeynet.org.

APKinspector is a static analysis platform for Android applications. Think of it as IDA Pro for Android applications. The video at http://www.youtube.com/watch?v=X538N-x3UUY nicely illustrates APKinspector's capabilities. APKinspector was developed by Cong Zhen as part of GSoC 2011. You can try it out by downloading the Android Reverse Engineering virtual machine, which bundles APKinspector as well as additional Android malware analysis tools.

Capture BAT is a behavioral analysis tool for applications on the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and the processing of documents, which gives an analyst insight into how the software operates even when no source code is available. Capture BAT monitors state changes at a low kernel level and can easily be used across various Win32 operating system versions and configurations. Capture BAT is developed and maintained by Christian Seifert of the NZ Chapter.

Capture-HPC is a high-interaction client honeypot framework. Capture-HPC identifies malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and observing its system for unauthorized state changes. Developed by Christian Seifert and Ramon Steenson of the New Zealand Chapter.

CC2ASN is an online tool that allows one to look up the ASNs and IP address ranges for a specific country.

Malware is the raw material associated with many cybercrime-related activities. Cuckoo is a lightweight solution that performs automated dynamic analysis of submitted Windows binaries. It is able to return comprehensive reports on key API calls and network activity.

Cuckoobox was originally developed as part of GSoC 2010 by Claudio Guarnieri and has been greatly enhanced in subsequent GSoCs under Claudio's leadership.

An online version of Cuckoobox is available at http://malwr.com/.

Current features are:

  • Retrieve files from remote URLs and analyze them.
  • Trace relevant API calls for behavioral analysis.
  • Recursively monitor newly spawned processes.
  • Dump generated network traffic.
  • Run concurrent analysis on multiple machines.
  • Support custom analysis packages based on AutoIt3 scripting.
  • Intercept downloaded and deleted files.
  • Take screenshots during runtime.

Cuckoo is available from http://www.cuckoosandbox.org.

Dionaea is a low-interaction honeypot that captures attack payloads and malware. Dionaea is meant to be a Nepenthes successor, embedding Python as its scripting language, using libemu to detect shellcode, and supporting IPv6 and TLS.

A VoIP module was developed as part of GSoC 2011 by PhiBo and can be downloaded from the Dionaea web site.

Droidbox is a dynamic analysis platform for Android applications. Droidbox was developed by Patrik Lantz as part of GSoC 2011. You can try it out by downloading the Android Reverse Engineering virtual machine, which bundles Droidbox as well as additional Android malware analysis tools.

Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabilities expose a large attack surface that can be exploited to, among other things, deface the web site, send spam, turn the web site into a bot, and serve drive-by-download attacks. Glastopf is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to set up, and once it has been indexed by search engines, attacks pour in by the thousands daily. Glastopf was developed as part of the 2009 Google Summer of Code by student Lukas Rist (mentored by Thorsten Holz of the German Honeynet Project Chapter). It can be downloaded from the Glastopf Trac site at dev.glastopf.org. More information on Glastopf can be found on the project site at http://glastopf.org/.

Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers. It is designed to provide reconnaissance against attackers who use search engines as a hacking tool. Developed by Ryan McGeehan and Brian Engert of the Chicago Chapter.

Hflow2 is a data coalescing tool for honeynet/network analysis. It coalesces data from Snort, p0f and sebekd into a unified, cross-related data structure stored in a relational database.

A paper with a more detailed description can be found at http://www.cs.indiana.edu/~cviecco/papers/hflow2.pdf.

HIHAT transforms arbitrary PHP applications into web-based high-interaction honeypots. Apart from the ability to create high-interaction honeypots, HIHAT also comprises a graphical user interface that supports the process of monitoring the honeypot and analysing the acquired data. Finally, it generates an IP-based geographical mapping of the attack sources and produces extensive statistics. HIHAT is developed and maintained by Michael Mueter of the Giraffe Chapter.

HoneyBow is a high-interaction malware collection toolkit and can be integrated with Nepenthes and the mwcollect Alliance's GOTEK architecture. Developed and maintained by the Chinese Chapter.

HoneyC is a low-interaction client honeypot framework for finding malicious servers on a network. Instead of using a fully functional operating system and client to perform this task, HoneyC uses emulated clients that are able to solicit as much of a response from a server as is necessary for analysis of malicious content. Developed by Christian Seifert of the New Zealand Chapter.

Honeyd is a very flexible low-interaction honeypot used for capturing attacker activity. Developed and maintained by Niels Provos of the Global Chapter.

Honeymole: This is used for honeypot farms. You deploy multiple sensors that redirect traffic to a centralized collection of honeypots. Developed and maintained by the Portuguese Chapter.

Sinkholing is one technique that gives security researchers and responders the ability to monitor botnets, as well as to proactively deny the botnet herders access to the bots. Up until the release of HoneySink, all the sinkhole deployments out there have been point solutions with varying degrees of sophistication. All of them are in-house builds, ranging from sinkhole setups consisting of DNS plus Apache to full-blown setups like the one Shadowserver employs.

HoneySink was developed by Adam as part of GSoC 2011.

Honeysnap: the primary tool used for extracting and analyzing data from pcap files, including IRC communications. Developed and maintained by Arthur Clune of the UK Chapter.
For more information or questions, please join the mailing list (details on the project home page).

Honeystick: This is a bootable Honeynet from a USB device. It includes both the Honeywall and honeypots from a single, portable device. Developed and maintained by the UK Honeynet Project.

Honeytrap is a tool for observing novel attacks against network services by starting dynamic servers. It performs some basic data analysis and downloads malware automatically. Developed by Tillmann Werner of the Giraffe Chapter.

Honeywall CDROM is our primary high-interaction tool for capturing, controlling and analyzing attacks. It creates an architecture that allows you to deploy both low-interaction and high-interaction honeypots, but is designed primarily for high-interaction.
For more information, please see the project Trac page.

Kippo is a medium-interaction SSH honeypot designed to log brute-force attacks and, most importantly, the entire shell interaction performed by the attacker.

Libemu is a small library written in C offering basic x86 emulation and shellcode detection. Libemu turns shellcode instructions into the function calls the shellcode performs, so an analyst can quickly discern the actions of the shellcode and answer questions such as whether the shellcode downloads a program or executes a process. It is the de facto standard when it comes to analyzing shellcode.

Nebula is a network intrusion signature generator. It can help secure a network by automatically deriving and installing filter rules from attack traces. In a common setup, Nebula runs as a daemon and receives attacks from honeypots. Signatures are currently published in Snort format.

Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading the malware that tries to exploit them.

Pehunter is a Snort dynamic preprocessor that grabs Windows executables off the network. It is intended to sit inline in front of high-interaction honeypots. Developed and maintained by Tillmann Werner of the Giraffe Chapter.

PhoneyC is a virtual client honeypot, meaning it is not a real application but rather an emulated client. By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.

Download version 0.1 below (the included README contains installation instructions):
Sha1: d541a6c27712895f335e7394de7c1506ea1ce592 phoneyc_v0_1_rev1631.tar_.gz

v0.1 feature highlights include:

* Interpretation of useful HTML tags for remote links
  - hrefs, imgs, etc.
  - iframes, frames, etc.
* Interpretation of scripting languages
  - JavaScript (through SpiderMonkey)
  - supports deobfuscation and remote script sources
* ActiveX vulnerability "modules" for exploit detection
* Shellcode detection and analysis (through libemu)
* Heap spray detection

PhoneyC is hosted at http://code.google.com/p/phoneyc/, from which a development version can be obtained.

For any issues, turn to the Google group: http://groups.google.com/group/phoneyc.

Picviz is a parallel coordinates[1] plotter which enables easy scripting from various inputs (tcpdump, syslog, iptables logs, Apache logs, etc.) to visualize your data and discover interesting results quickly. This way, you can find, among millions of events, malicious things you were not thinking about and that no regex-based program would find for you.
Picviz was greatly enhanced as part of GSoC 2009.

[1] http://en.wikipedia.org/wiki/Parallel_coordinates

For the last few years, while low-interaction (LI) honeypot systems like Nepenthes and PhoneyC have been getting more and more powerful, the progress of high-interaction (HI) honeypot technology has been somewhat slower. This is especially true for Sebek, the de facto HI honeypot monitoring tool. Qebek is a QEMU-based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers' activities in HI honeypots.

Qebek was developed by Chengyu Song during GSoC 2010.

Our KYT paper on Qebek provides great detail on how to install and use Qebek. It's available at http://honeynet.org/papers/KYT_qebek.

To obtain Qebek, check out its repository:
svn co https://projects.honeynet.org/svn/sebek/virtualization/qebek/trunk/

Sebek is a kernel module installed on high-interaction honeypots for the purpose of extensive data collection. It allows administrators to collect activities such as keystrokes on the system, even in encrypted environments. Designed primarily for Win32 and Linux systems.

Tracker facilitates the identification of abnormal DNS activity. It finds domains that are resolving to a large number of IPs in a short period of time, then continues to track those hostname->IP mappings until either the hostname no longer responds or the user decides to stop tracking that hostname. It is very efficient at finding fast-flux domains and other suspicious A-record rotations. Tracker is a tool developed by the Honeynet Project Australian Chapter.

Trigona is a VirtualBox-powered honey-client that was designed for high throughput with low false-positive and low false-negative rates.

It essentially takes the best of high-interaction and low-interaction honey-clients and combines them with a couple of Perl scripts.

The benefit of high-interaction honey-clients has been that, since no software is emulated, you can catch everything, as opposed to a low-interaction honey-client, where exploits will only be caught if they have been catered for. The downside of the high-interaction honey-client, however, is that it is a lot slower than a low-interaction one, as it requires a full-blown virtual machine for each URL analysed, as opposed to (generally) a command-line tool that can process a lot of links in a short period of time.

Trigona takes the high throughput of LI honey-clients and the 'catch all' benefits of the HI honey-clients and puts them into one system.

WebViz is a GL visualization project implemented by Oguz as part of GSoC 2011. It makes it easy to visualize attack data on a world globe. A demonstration can be found at http://webviz.comu.edu.tr/doc/.

As part of GSoC 2011, Jakub Zawadzki developed a variety of Wireshark extensions:

  • WireShnork: a plugin that supports applying Snort IDS rules and signatures against pcap files. This is useful for network forensics, allowing analysts to automatically colorise packets that match a particular Snort IDS signature.
  • WireshAV: a plugin that allows captured files to be scanned with antivirus engines.
  • WireBrowse: a plugin that gives access to some of Wireshark's functionality from a web browser.
  • WireSocks: an HTTP/SOCKS5 "proxy" plugin that allows any browser with proxy support to retrieve the contents of sniffed web pages (with CSS, images, JavaScript and other files) that were saved inside a pcap file.
  • WireViz: a GUI plugin for generating connection graphs with Graphviz.