jess LAND
        Sponsored by:       
One eSecurity
JISK Knowledgebase >>    About    News    Essentials    Architecture    FWs    IDS/IPS    Honeypots    Malware    Forensics   
  +  JSS Home    Projects    JSS Community    Events    News    Docs    About    Contact .

JISK > Honeypots > Tools Honeypots Section Map

Honeypots Tools

Content Leader: Jess Garcia - Last Updated: January 28, 2007

Honeypots Tools


  • Back Officer Friendly - Back Officer Friendly was originally created to detect when anyone attempts a Back Orifice scan against your computer.
  • KFSensor - Windows based honeypot Intrusion Detection System (IDS).
  • NetFacade - Creates a Honeynet that alerts network security or management personnel of an intrusion.
  • Specter - SPECTER is a smart honeypot or deception system. It simulates a complete machine, providing an interesting target to lure hackers away from the production machines.
  • Symantec Decoy Server (formerly ManTrap) - Provides early detection of internal, external, and unknown attacks, unauthorized use of passwords and server access to help prioritize threats, etc.


  • HoneyServers
    • Kojoney - Kojoney is a low level interaction honeypot that emulates an SSH server.
    • honeybee - Tool for semi-automatically creating emulators of network server applications.
    • Honeyd - Honeyd is a small daemon that creates virtual hosts on a network. There is a Windows version as well.
    • HoneyPerl - Honeypot software based on perl with many plugins like fakehttp, fakesmtp, fakesquid, faketelnet, etc.
    • HoneyWeb - Deception based web server-like program that can be used as a standalone server or in conjunction with HoneyD to provide request based http header spoofing and page serving.
    • SWiSH - SWiSH is a basic multithreaded SMTP honeypot designed to be run on Windows.
    • Tiny Honeypot (thp) - thp appears to listen on all ports otherwise not in legitimate use, providing a series of phony responses to attacker commands.
    • The Deception Toolkit - DTK is a toolkit designed to give defenders a couple of orders of magnitude advantage over attackers.
    • OpenBSD's spamd - Fake sendmail-like daemon which rejects false mail.
    • ProxyPot - An open proxy honeypot (proxypot) is a server that pretends to be an open proxy, taking requests from bad people to do bad things, and responding with a simulation instead of doing the evil deed.
    • Single-Honeypot - This is, a singular or little honeypot for test your networks for hostiles visitors.
    • - Standalone SMTP honeypot written in Python. This is a (simple) program which pretends to be an open mail relay.
    • Spamhole - Fake open SMTP relay, intended to stop (some) spam by convincing spammers that it is delivering spam messages for them, when in fact it is not.
    • - Spam honeypot SMTP server. This just sits on port 25 of whatever IP you pass in as an argument, and spools every message out to MAILDIR.
  • HoneyClients
    • Honeyclient - Dedicated host that drives specially instrumented applications to access remote servers to see if those servers are behaving in a malicious manner. Specifically, honeyclients can proactively detect exploits against client applications without known signatures.
    • Monkey Spider
    • HoneyC - Low interaction client honeypot that allows to identify malicious servers on the web.
    • Capture - High interaction client honeypot
    • MITRE Honeyclient
    • Email honeyclient
  • Tarpits
    • LaBrea Tarpit - Program that creates a tarpit or, as some have called it a "sticky honeypot".
  • Keyloggers
    • sebek - Sebek is a data capture tool designed to capture the attacker's activities on a honeypot.
  • Wireless
    • FakeAP - Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames.
  • Analysis & Consoles
    • Honeynet Security Console for Windows 2000/XP - Analysis tool to view events on your personal network or honeynet. It gives you the power to view events from Snort, TCPDump, Firewall, Syslog and Sebek logs.
    • HoneySnap - Command-line tool for parsing single or multiple pcap data files and producing a 'first-cut' analysis report that identifies significant events within the processed data.
  • Misc
    • brcontrol - Brcontrol is a set of patches to allow some interaction between a IDS and a firewall (currently snort and linux netfilter). It can help in the creation of aggresive honeypots or other advanced firewall and ids configurations. In can also work as bridge.
    • GHH - The "Google Hack" Honeypot - GHH search engine hackers. It is designed to provide reconaissance against attackers that use search engines as a hacking tool against your resources.
    • HoneyBOT - HoneyBOT is a Windows based medium interaction honeypot solution. HoneyBOT works by opening over 1000 udp and tcp listening sockets on your computer.
    • HoneyMole - The main goal of this tool is to act as a completely Transparent Ethernet Bridge over TCP/IP, tunneling in a safe and easy way network traffic to a remote location without the need of any kernel patches or modules, or even the need to hide routing in the honeypots.
    • HoneyStick - Portable honeynet demonstration and incident response tool - an complete OS platform, GenIII honeywall and one or more honeypots on a single bootable USB stick.
    • Impost - Impost is a network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons.


You may find some other tools referenced at:

Virtualization Technologies

The below are not properly Honeypot tools, but they help in the process of creating self-contained Virtual Honeynets.


  • VMWare - VMware provides virtualization of different operating systems. VMware is multiplatform allowing the execution of Windows, Linux, DOS, BSD, etc. over Linux or Windows.
  • VirtualPC - Virtual PC is a powerful software virtualization solution that allows you to run multiple PC-based operating systems simultaneously on one workstation.


  • User-Mode Linux (UML) - User-Mode Linux provides a virtual machine on Linux.
  • Xen - A virtual machine monitor for x86 that supports execution of multiple guest operating systems with focus on performance and resource isolation.
  • Bochs - Bochs IA-32 Emulator provides a virtual PC that can run operating systems such as Windows, Linux, and BSD.
  • Qemu - A processor emulator that is used to run an x86 Linux Kernel on x86 Linux.Provides documentation, changelogs, benchmarks, supported target- and host-CPUs.

Bootable CDs

  • HOACD - HOACD is the implementation of a low-interaction honeypot, based on Honeyd, that runs directly from a CD and stores its logs and configuration files on a hard disk.
  • Honeywall CD-ROM - The Honeywall CDROM combines all the tools and requirements of a Honeynet gateway on an easy to use, bootable CDROM.
  • HoneyDVD - Bootable DVD which sets up a couple of honeypots - together with the Honeywall CDROM Roo some kind of "instant honeynet".

Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.