vbuccigrossi/honey-pot

HoneyPot Security Research Framework

A modular, extensible honeypot framework for security research and threat intelligence gathering.

Features

  • Real-Time Monitoring Dashboard: Beautiful CLI dashboard with live statistics and event log
  • Modular Architecture: Plugin-based service emulation
  • 8 Service Honeypots: SSH, Telnet, HTTP, FTP, DNS, MySQL, SMTP, SMB
  • Comprehensive Logging: Every action is logged with full context
  • Session Recording: Complete replay of attacker activities
  • Fake Shell Environment: Simulated Linux environment for post-access monitoring
  • Advanced Threat Detection: EternalBlue, SQL injection, DNS tunneling, phishing
  • Threat Intelligence: IP tracking, exploit detection, credential harvesting
  • Analysis Tools: Built-in tools for analyzing collected data
  • SIEM Integration: Export to Splunk, ELK, etc.

Architecture

┌───────────────────────────────────────────────────────────┐
│              Honeypot Core Engine                         │
├───────────────────────────────────────────────────────────┤
│  Service Manager  │  Event System  │  Session Manager     │
├───────────────────────────────────────────────────────────┤
│              Plugin Interface Layer                       │
├───────────────────────────────────────────────────────────┤
│ SSH │ Telnet │ HTTP │ FTP │ DNS │ MySQL │ SMTP │ SMB    │
└───────────────────────────────────────────────────────────┘
           │              │              │              │
           ▼              ▼              ▼              ▼
    ┌──────────────────────────────────────────────────┐
    │         Logging & Storage Engine                 │
    │    Files │ SQLite │ PostgreSQL │ SIEM            │
    └──────────────────────────────────────────────────┘

Services

Network Services

  • SSH (Port 2222/22) - Captures credentials, shell commands, post-auth activities
  • Telnet (Port 2323/23) - IoT botnet detection, credential harvesting
  • FTP (Port 2121/21) - File uploads/downloads, malware distribution detection

Web Services

  • HTTP (Port 8080/80) - SQL injection, XSS, path traversal, scanner detection

Database Services

  • MySQL (Port 3306) - SQL injection, credential stuffing, database attacks

Email Services

  • SMTP (Port 2525/25) - Phishing detection, spam campaigns, email enumeration

Infrastructure Services

  • DNS (Port 5454/53) - DNS tunneling, amplification attacks, C2 detection

Windows Services

  • SMB (Port 4445/445) - EternalBlue detection, ransomware, lateral movement

Quick Start

Installation

# Install dependencies
pip install -r requirements.txt

# Initialize database
python -m honeypot.cli init

# Run with default configuration
sudo python -m honeypot.cli start --config config/default.yaml

Real-Time Monitoring

Watch attacks happen live with the monitoring dashboard:

# In another terminal, start the monitor
python -m honeypot.cli monitor

The monitor shows:

  • Live service status (LIVE/IDLE indicator)
  • Real-time attack statistics
  • Connections by service
  • Top attacking IPs
  • Recent events log (auto-updating)
  • Keyboard controls footer

Data Management

Clear all collected data when needed:

# Clear with confirmation prompt
python -m honeypot.cli clear

# Clear without confirmation (for scripts)
python -m honeypot.cli clear --force

The clear command will:

  • Show statistics before deletion
  • Delete all database records (preserves structure)
  • Remove all log files
  • Remove all session recordings
  • Display summary of freed space

Attack Data Analysis

All attack/exploit data is automatically stored in data/db/honeypot.db. Access it via:

# Statistical analysis
python -m honeypot.cli analyze

# Detailed exploit analysis
python analyze_exploits.py

# Direct SQL queries
sqlite3 data/db/honeypot.db "SELECT * FROM events WHERE event_type = 'exploit.detected'"

# Analyze specific attacker
python analyze_exploits.py 192.168.1.100

What's captured when exploits are detected:

  • Timestamp and attacker IP
  • Exploit type and payload
  • Service targeted (SSH, HTTP, MySQL, etc.)
  • Full session context
  • Login attempts and credentials
  • Commands executed
  • Files accessed/uploaded

Database tables:

  • events - All honeypot activity (connections, exploits, commands)
  • credentials - Login attempts and passwords
  • commands - Shell commands executed by attackers
  • sessions - Complete session timelines
  • ip_reputation - IP tracking and reputation scores
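The CLI and the sqlite3 one-liner above both read the same database. As an added example (not part of the project's own analysis tools), the script below runs the kinds of queries a defender would want against the `events` table: exploit detections in time order, top source IPs, exploits per service, and one attacker's timeline. It uses an in-memory SQLite database filled with constructed sample rows; the column layout (`timestamp`, `source_ip`, `service`, `event_type`, `payload`) is an assumption made for this example, so check it against the real schema in `data/db/honeypot.db` before pointing the queries at it.

```python
import sqlite3

# Constructed sample rows in the column layout this example ASSUMES for the
# `events` table. The project's real schema in data/db/honeypot.db may differ.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00Z", "203.0.113.5",  "ssh",   "connection.opened", ""),
    ("2024-01-01T10:00:02Z", "203.0.113.5",  "ssh",   "auth.failed",       "root:123456"),
    ("2024-01-01T10:00:03Z", "203.0.113.5",  "ssh",   "auth.success",      "root:password"),
    ("2024-01-01T10:00:05Z", "203.0.113.5",  "ssh",   "command.executed",  "uname -a"),
    ("2024-01-01T10:05:00Z", "198.51.100.7", "http",  "connection.opened", ""),
    ("2024-01-01T10:05:01Z", "198.51.100.7", "http",  "exploit.detected",  "sqli: GET /login?id=1' OR '1'='1"),
    ("2024-01-01T10:06:00Z", "198.51.100.7", "http",  "exploit.detected",  "path_traversal: GET /../../etc/passwd"),
    ("2024-01-01T10:07:00Z", "192.0.2.9",    "mysql", "exploit.detected",  "sqli: UNION SELECT probe"),
    ("2024-01-01T10:08:00Z", "192.0.2.9",    "smb",   "connection.opened", ""),
]


def open_db(path=":memory:"):
    """Open the honeypot database; pass 'data/db/honeypot.db' for the real file."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row  # rows behave like dicts keyed by column name
    return conn


def load_sample(conn):
    """Create the assumed `events` table and insert the constructed rows."""
    conn.execute(
        """CREATE TABLE IF NOT EXISTS events (
               id INTEGER PRIMARY KEY, timestamp TEXT, source_ip TEXT,
               service TEXT, event_type TEXT, payload TEXT)"""
    )
    conn.executemany(
        "INSERT INTO events (timestamp, source_ip, service, event_type, payload) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_EVENTS,
    )
    conn.commit()


def exploit_events(conn):
    """Every exploit.detected event, oldest first (same filter as the README's sqlite3 query)."""
    rows = conn.execute(
        "SELECT timestamp, source_ip, service, payload FROM events "
        "WHERE event_type = 'exploit.detected' ORDER BY timestamp"
    ).fetchall()
    return [dict(r) for r in rows]


def top_attackers(conn, limit=5):
    """Source IPs ranked by total event count (the dashboard's 'top attacking IPs')."""
    rows = conn.execute(
        "SELECT source_ip, COUNT(*) AS n FROM events "
        "GROUP BY source_ip ORDER BY n DESC, source_ip LIMIT ?",
        (limit,),
    ).fetchall()
    return [(r["source_ip"], r["n"]) for r in rows]


def exploits_by_service(conn):
    """How many exploit detections each emulated service produced."""
    rows = conn.execute(
        "SELECT service, COUNT(*) AS n FROM events "
        "WHERE event_type = 'exploit.detected' GROUP BY service ORDER BY n DESC, service"
    ).fetchall()
    return {r["service"]: r["n"] for r in rows}


def attacker_timeline(conn, ip):
    """Everything one source IP did, in order (what `analyze_exploits.py <ip>` is for)."""
    rows = conn.execute(
        "SELECT timestamp, service, event_type, payload FROM events "
        "WHERE source_ip = ? ORDER BY timestamp",
        (ip,),
    ).fetchall()
    return [dict(r) for r in rows]


if __name__ == "__main__":
    db = open_db()
    load_sample(db)
    print("exploits:", exploit_events(db))
    print("top attackers:", top_attackers(db))
    print("by service:", exploits_by_service(db))
    print("timeline 203.0.113.5:", attacker_timeline(db, "203.0.113.5"))
```

All four functions use parameterised queries, so an attacker-controlled IP string from a log line cannot alter the query; that matters here because the data being analysed was written by hostile clients.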

Configuration

Edit config/default.yaml to enable/disable services and configure logging:

services:
  ssh:
    enabled: true
    port: 22
  telnet:
    enabled: true
    port: 23
  http:
    enabled: true
    port: 80

Directory Structure

honey-pot/
├── honeypot/               # Main package
│   ├── core/              # Core framework
│   ├── services/          # Service plugins
│   ├── logging/           # Logging engine
│   ├── shell/             # Fake shell environment
│   └── analysis/          # Analysis tools
├── config/                # Configuration files
├── data/                  # Runtime data
│   ├── logs/             # Log files
│   ├── sessions/         # Session recordings
│   └── db/               # Database files
└── scripts/              # Utility scripts

Development

Adding a New Service

  1. Create plugin in honeypot/services/
  2. Inherit from BaseService
  3. Implement required methods
  4. Register in config/services.yaml

Example:

from honeypot.core.service import BaseService

class MyService(BaseService):
    # Entry point for each accepted client connection: `socket` is the
    # connected client socket, `address` the client's (ip, port) tuple.
    def handle_connection(self, socket, address):
        # Your service logic: speak the emulated protocol and log what the client does
        pass
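The skeleton above leaves the body empty. As an added example (not code from the project), the following plugin fills it in with the pattern a honeypot service needs: send a banner, read the client's commands line by line, record every command and every credential pair as an event, and close without ever granting access. Because the real `BaseService` constructor and event API are not shown on this page, the example ships a small stand-in `BaseService` that just collects events in a list; the `log_event` method, the `name`/`banner`/`max_lines` attributes and the FTP-style `USER`/`PASS`/`QUIT` verbs are all assumptions of this example. A `run_session` helper drives the plugin over a `socketpair`, so it runs offline.

```python
import socket
import threading
from datetime import datetime, timezone


class BaseService:
    """Stand-in for honeypot.core.service.BaseService (ASSUMED interface; the
    project's real base class has its own constructor and logging hooks)."""
    name = "base"

    def __init__(self):
        self.events = []  # in-memory event sink instead of the logging engine

    def log_event(self, event_type, address, **fields):
        event = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "service": self.name,
            "event_type": event_type,
            "source_ip": address[0],
            "source_port": address[1],
            **fields,
        }
        self.events.append(event)
        return event

    def handle_connection(self, sock, address):
        raise NotImplementedError


class FakeLineService(BaseService):
    """Minimal line-oriented service: logs commands and credentials, never authenticates."""
    name = "fakeline"
    banner = b"220 Service ready\r\n"
    max_lines = 50          # cap per connection so a client cannot keep us busy forever
    timeout_seconds = 5.0   # idle clients are dropped instead of holding a thread

    def handle_connection(self, sock, address):
        sock.settimeout(self.timeout_seconds)
        self.log_event("connection.opened", address)
        username = None
        try:
            sock.sendall(self.banner)
            reader = sock.makefile("rb")
            for n, raw in enumerate(reader):
                if n >= self.max_lines:
                    break
                line = raw.rstrip(b"\r\n").decode("utf-8", "replace")
                if not line:
                    continue
                self.log_event("command.received", address, command=line)
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    username = arg
                    sock.sendall(b"331 Password required\r\n")
                elif verb == "PASS":
                    # Harvest the pair, then reject: the honeypot never grants real access.
                    self.log_event("auth.attempt", address, username=username, password=arg)
                    sock.sendall(b"530 Login incorrect\r\n")
                elif verb == "QUIT":
                    sock.sendall(b"221 Bye\r\n")
                    break
                else:
                    sock.sendall(b"500 Unknown command\r\n")
        except OSError:
            pass  # timeout or reset by the client: still record the close below
        finally:
            self.log_event("connection.closed", address)
            sock.close()


def run_session(service, client_bytes, address=("203.0.113.5", 40000)):
    """Drive `service` over a socketpair with a scripted client; returns the server's replies."""
    server_sock, client_sock = socket.socketpair()
    worker = threading.Thread(target=service.handle_connection, args=(server_sock, address))
    worker.start()
    client_sock.sendall(client_bytes)
    replies = b""
    while True:
        chunk = client_sock.recv(4096)
        if not chunk:  # server side closed after QUIT
            break
        replies += chunk
    worker.join()
    client_sock.close()
    return replies


if __name__ == "__main__":
    svc = FakeLineService()
    print(run_session(svc, b"USER admin\r\nPASS hunter2\r\nQUIT\r\n").decode())
    for event in svc.events:
        print(event)
```

In the real framework the service manager, not `run_session`, hands the accepted socket to `handle_connection`, and `log_event` would forward to the logging engine rather than a list; the per-connection line cap and idle timeout are the parts worth keeping in any plugin, since a honeypot is by definition talking to uncooperative clients.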

Security Considerations

IMPORTANT: This is a honeypot designed to be attacked. Deploy only in isolated environments:

  • Separate VLAN/network segment
  • No access to production systems
  • Firewall rules preventing outbound attacks
  • Regular monitoring and updates

License

MIT License - See LICENSE file for details

About

This is a simple python program for collecting hacking intel
