HoneyBOT

HoneyBOT is a Windows-based, low-interaction honeypot solution. Click here to download the latest version.


What is a Honeypot?

A honeypot is a device placed on a computer network specifically designed to capture malicious network traffic. The logging capability of a honeypot is far greater than that of any other network security tool, and it captures raw packet-level data, including even the keystrokes and mistakes made by hackers. The captured information is highly valuable as it contains only malicious traffic with little to no false positives.

Honeypots are becoming one of the leading security tools used to monitor the latest tricks and exploits of hackers by recording their every move so that the security community can more quickly respond to new exploits.


How does it work?

HoneyBOT works by opening a large range of listening sockets on your computer, a selection of which are designed to mimic vulnerable services. When an attacker connects to these services, they are fooled into thinking they are attacking a real server. The honeypot safely captures all communications with the attacker and logs these results for future analysis. Should an attacker attempt an exploit or upload a rootkit or trojan to the server, the honeypot environment can safely store these files on your computer for malware collection and analysis purposes. Our test server has captured several thousand trojans and rootkits from these simulated services, including:

  • Dabber
  • Devil
  • Kuang
  • MyDoom
  • Netbus
  • Sasser
  • LSASS
  • DCOM (msblast, etc)
  • Lithium
  • Sub7
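The capture mechanism described under "How does it work?" can be sketched as follows. This is an added example, not HoneyBOT's own code: the function names, the record fields and the FTP-style banner are assumptions made for illustration.

```python
import hashlib
import socket
import threading
from datetime import datetime, timezone

# Constructed banner for a decoy FTP-like service (assumption, not HoneyBOT's).
FAKE_BANNER = b"220 FTP server ready\r\n"
MAX_CAPTURE = 64 * 1024  # cap on bytes stored per connection

def handle_client(conn, addr, port, captures):
    """Send the decoy banner, then record what the peer sends. Nothing is executed."""
    conn.settimeout(5.0)
    data = b""
    try:
        conn.sendall(FAKE_BANNER)
        while len(data) < MAX_CAPTURE:
            chunk = conn.recv(4096)
            if not chunk:          # peer closed the connection
                break
            data += chunk
    except OSError:                # timeouts and resets are expected from scanners
        pass
    finally:
        conn.close()
    data = data[:MAX_CAPTURE]
    captures.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": addr[0], "src_port": addr[1], "dst_port": port,
        "bytes": len(data), "sha256": hashlib.sha256(data).hexdigest(),
        "payload": data,           # stored as inert bytes for later analysis
    })

def start_listener(host, port, captures):
    """Bind one decoy socket; port=0 picks a free port. Returns (socket, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(16)
    bound_port = srv.getsockname()[1]
    def accept_loop():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:        # listener was closed
                return
            threading.Thread(target=handle_client,
                             args=(conn, addr, bound_port, captures), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, bound_port
```

Each record keeps the source address, the destination port and a SHA-256 of the captured bytes, so repeated uploads of the same file can be de-duplicated without opening the payload.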

Honeypot Placement

An organisation may place a honeypot inside their internal network, secured by their perimeter defenses, where it should never be attacked. Any traffic captured on the honeypot in this situation would indicate that another computer inside the network is already infected with a virus or worm, or even that a company employee is attempting to break into the computer.

Another method is to attach the honeypot directly to the internet which normally results in captured malicious network traffic in minutes. A direct connection is the most basic setup for honeypot users and in this scenario the honeypot computer is placed external to your production systems and allocated a public IP address.

The most popular choice of honeypot placement for internet users is to place the honeypot in your network DMZ where all unsolicited internet probes are forwarded to your honeypot computer.


Securing Your Honeypot

A honeypot is intentionally put in harm's way, so it is critical to carry out some security precautions on your honeypot computer before deployment on any network. This includes updating your operating system with all security updates and patches and using an updated antivirus product. You should also enable the Windows Firewall with an exception for HoneyBOT. If you are unsure how to secure your computer then don't attempt to deploy a honeypot.


HoneyBOT Installation

We suggest that you install HoneyBOT on a dedicated computer with no valuable information or resources required of it. In fact, you want your honeypot to be as free as possible from any legitimate traffic so in broad terms we can consider any traffic to the honeypot to be malicious in nature.

HoneyBOT requires a minimum operating system of Windows 2000, and at least 128MB RAM is recommended.

 

Donate

Like free software? Please support the ongoing development of HoneyBOT. You can contribute by making a donation here.
