AbasSec/Honey-Bot

HoneyBot Advanced 🍯🛡️

A high-interaction deception system and adversary emulation platform. Built for deep engagement, behavioral profiling, and advanced threat intelligence gathering.

🚀 Advanced Features

  • High-Interaction Deception Environment:
    • Fake stateful SSH filesystem (/etc, /var, /home)
    • Realistic interactive command execution (cd, ls, cat, uname, ps, netstat)
    • Simulated delays and false privilege escalation traps
  • Session-Based Engine: Tracks complete session lifecycles, grouping interactions by deterministic UUIDs for forensic replay.
  • Adversary Profiling: Automatically classifies actors into Scanner, Brute Forcer, or Manual Attacker based on their command variance and authentication patterns.
  • Threat Intelligence Integration: Automated GeoIP location tracking and AbuseIPDB support.
  • Payload Capture & Replay: Every session is recorded in detail. The dashboard allows point-and-click replay of attacker transcripts.
  • SOC-Grade Dashboard: Real-time metrics, interactive charts, session viewers, and live feeds.
  • Data Portability: Export your entire deception database to JSON or CSV via API or Dashboard for SIEM integration.

🏗 Deception Architecture

Adversary --> [ SSH Emulator + Fake FS ] ----+
Adversary --> [ HTTP Catch-all Routes ] -----+---> [ Profiling Engine ] ---> [ SQLite DB ]
Adversary --> [ FTP Sandbox ] ---------------+             |                      |
                                                           v                      v
[ Web Dashboard & Replay System ] <----------------- [ REST API ] <------- [ CLI Tool ]

🛠 Installation & Deployment

Prerequisites

  • Docker & Docker Compose

Quick Start

  1. Clone & Start:
    git clone https://github.com/yourusername/honeybot.git
    cd honeybot
    docker-compose up -d
  2. Access Dashboard: Open http://localhost:5000 in your browser.
  3. Run CLI:
    docker-compose exec honeybot python -m src.cli --help

💻 CLI Usage

The deterministic CLI allows for fast forensic analysis:

Command          Description
show-attacks     Display recent interactions in a table.
list-ips         List all unique attacker IPs and counts.
suspicious-ips   List IPs with HIGH or CRITICAL threats.
stats            Show overall honeypot statistics.
logs             View raw JSON-like logs with filters.

🔗 API & Export Endpoints

Endpoint            Method   Description
/api/stats          GET      Global statistics & chart data.
/api/attacks        GET      Filterable list of recent attacks.
/api/ips            GET      Adversary profiling, GeoIP, and metadata.
/api/sessions       GET      Active and historical sessions with behavior tags.
/api/session/<id>   GET      Full chronological transcript of a session.
/api/export/<fmt>   GET      Download database as json or csv.

🛡️ Hardening & Security

  • Isolation: Always run within Docker.
  • Sandboxing: The fake SSH filesystem and shell are strictly software-emulated Python dictionaries. No underlying OS commands are executed.
  • Rate-Limiting: Simulated command delays frustrate automated scanners and add realistic texture to manual engagements.
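
A minimal sketch of the dictionary-backed sandboxing described above, added here as an illustration and not taken from the HoneyBot source. `FakeShell`, `FAKE_FS` and the sample files are hypothetical names and constructed data, and only cd, ls and cat are emulated.

```python
import posixpath
import shlex

# Constructed sample tree: a dict is a directory, a str is file contents.
FAKE_FS = {
    "etc": {"hostname": "web01\n", "passwd": "root:x:0:0:root:/root:/bin/bash\n"},
    "var": {"log": {}},
    "home": {"admin": {"notes.txt": "rotate keys friday\n"}},
}

class FakeShell:
    """Hypothetical emulator: commands only ever read the dict, never the host."""

    def __init__(self, fs=FAKE_FS):
        self.fs, self.cwd = fs, "/"

    def _resolve(self, path):
        # normpath collapses "." and ".."; ".." at "/" stays at "/", so
        # traversal attempts cannot step outside the dictionary tree.
        return posixpath.normpath(posixpath.join(self.cwd, path))

    def _lookup(self, abspath):
        node = self.fs
        for part in filter(None, abspath.split("/")):
            if not isinstance(node, dict) or part not in node:
                return None
            node = node[part]
        return node

    def run(self, line):
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes in attacker input
            return "sh: syntax error: unterminated quoted string"
        if not argv:
            return ""
        cmd, args = argv[0], [a for a in argv[1:] if not a.startswith("-")]
        if cmd not in ("cd", "ls", "cat"):  # allowlist; nothing reaches an OS shell
            return f"sh: {cmd}: command not found"
        target = self._resolve(args[0] if args else ".")
        node = self._lookup(target)
        if node is None:
            return f"{cmd}: {target}: No such file or directory"
        if cmd == "cd":
            if isinstance(node, str):
                return f"cd: {target}: Not a directory"
            self.cwd = target
            return ""
        if cmd == "ls":
            return "  ".join(sorted(node)) if isinstance(node, dict) else posixpath.basename(target)
        return node if isinstance(node, str) else f"cat: {target}: Is a directory"
```

The module imports neither `os` nor `subprocess`, so a reviewer can confirm by inspection that attacker input has no path to the host filesystem or a real shell.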
