honeytrap: Advanced Honeypot framework

Honeytrap

Honeytrap

Honeytrap is a modular framework for running, monitoring and managing honeypots. Using Honeytrap you can use sensors, high interaction and low interaction honeypots together, while still using the same event mechanisms. Honeytrap consists of services, directors, listeners, and channels. It is easy to build new services, attach existing honeypots, extend channels or directors.

Honeytrap has three modes, sensor mode, high- and low interaction mode. The sensor mode just detects traffic, this will be ideally used for detection of movement within your network. Low interaction mode will reply with predefined default responses to requests, following playbooks. High interaction honeypots will use real virtual machines or containers in a contained manner.

Multiple operating systems are supported, like Linux, MacOS, and Windows. Depending on the operating system functionality is available. The LXC director, for example, is only available on Linux

Features

  • Combine multiple services to one honeypot, eg a LAMP server
  • Honeytrap Agent will download the configuration from the Honeytrap Server
  • Use the Honeytrap Agent to redirect traffic out of the network to a seperate network
  • Deploy a large amount agents while having one Honeytrap Server, the configuration will be downloaded automatically and logging centralized
  • Payload detection to determine which service should handle the request, one port can handle multiple protocols
  • Monitor lateral movement within your network with the Sensor listener. The sensor will complete the handshake (in case of tcp), and store the payload
  • Create high interaction honeypots using the LXC or remote hosts directors, traffic will be man-in-the-middle proxied, while information will be extracted
  • Extend honeytrap with existing honeypots (like cowrie or glutton), while using the logging and listening framework of Honeytrap
  • Advanced logging system with filtering and logging to Elasticsearch, Kafka, Splunk, Raven, File or Console
  • Services are easily extensible and will extract as much information as possible
  • Low- to high interaction Honeypots, where connections will be upgraded seamlessly to high interaction

Installation & Tutorial

Copyright (C) 2016-2017 DutchSec (https://dutchsec.com/)