| Project Name | Stars | Most Recent Commit | Open Issues | License | Language | Description |
|---|---|---|---|---|---|---|
| Pyrdp | 1,037 | 2 months ago | 48 | gpl-3.0 | Python | RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact |
| Fatt | 555 | a year ago | 2 | bsd-3-clause | Python | FATT / fingerprintAllTheThings: a pyshark-based script for extracting network metadata and fingerprints from pcap files and live network traffic |
| Chameleon | 469 | a year ago | 3 | agpl-3.0 | Dockerfile | 19 customizable honeypots for monitoring network traffic, bot activity and username\password credentials (DNS, HTTP Proxy, HTTP, HTTPS, SSH, POP3, IMAP, SMTP, RDP, VNC, SMB, SOCKS5, Redis, TELNET, Postgres, MySQL, MSSQL, Elastic and LDAP) |
| Ad Honeypot Autodeploy | 217 | 9 months ago | 3 | | Shell | Deploy a small, intentionally insecure, vulnerable Windows Domain for RDP honeypot purposes, fully automatically |
| Rdppot | 44 | 4 years ago | | agpl-3.0 | Python | |
| Seahorse | 15 | 2 years ago | 1 | agpl-3.0 | Python | ELKFH: Elastic, Logstash, Kibana, Filebeat and Honeypot (HTTP, HTTPS, SSH, RDP, VNC, Redis, MySQL, MONGO, SMB, LDAP) |
| Connlogger | 2 | 3 years ago | | mit | Go | Simple server-side connection logger, useful as a simple honeypot |
Deploy a small, intentionally insecure, vulnerable Windows Domain for RDP Honeypot fully automatically.
Runs on self-hosted virtualization using libvirt with QEMU/KVM (but it can be customized easily for cloud-based solutions).
Used to painlessly set up a small Windows Domain from scratch, automatically (without user interaction), for the purpose of RDP honeypot testing.
Features a Domain Controller, a Desktop Computer and a configured Graylog server for logging the actions of the bad guys.
Packer: downloads the necessary install media and builds the base virtual machine images unattended.
Terraform: provisions the libvirt virtualization infrastructure (network + virtual machines) using the Packer-prepared virtual machine images.
Ansible: configures the infrastructure (DC, Desktop, Graylog) automatically, without user interaction.
After going through the Packer+Terraform+Ansible pipeline, the configured Windows Domain should be up and running; you can then attach the RDP service of the Desktop to the public internet and monitor the events through Graylog.
Features of the running system are:
Virtualization needs a reasonably powerful host system:
Tested on an Ubuntu 18.04 LTS host.
First, clone the repo:
git clone https://github.com/tothi/ad-honeypot-autodeploy
cd ad-honeypot-autodeploy
Before starting with Packer, set up the initial passwords (watch out for the complexity requirements):
Now build the initial images.
The Windows Server 2016 and Ubuntu installation media are downloaded by the Packer script. The VirtIO drivers need to be downloaded with the included get-virtio.sh script:
Windows 10 has to be downloaded manually: get a temporary download link (it can be obtained from here; select the English (International), 64-bit version) and save the ISO to
For mapping IP locations on a world map in Graylog, the MaxMind GeoIP database is needed. Unfortunately, due to licensing terms it cannot be redistributed, so you have to download it manually (after registering) from the MaxMind site. The free GeoLite2 version should work: get the "GeoLite2 City" database in MMDB format (download the GZIP and untar it) and put it at
If you do not have Packer, get the latest version from the packer.io site (download the pre-compiled binary) or add the HashiCorp repository to your package manager (useful for Terraform as well).
If you are rebuilding the images, do not forget to clean up previous builds:
rm -fr output_*
If you want to re-download the images, remove packer_cache:
rm -fr packer_cache
After these preparing steps, run the Packer builds in parallel:
The images should be ready in a reasonable time (~20-30 mins depending on your host hardware power).
Now the infrastructure can be deployed using Terraform.
Get Terraform (>=0.13) if you do not have it (see the install methods for Packer above).
The Terraform provider for libvirt should be downloaded automatically from the Terraform Registry during the apply phase.
Enter Terraform folder:
Initialize the working directory (only needed for first time use):
Build and launch the infrastructure ("apply the changes"):
Note that if the user running terraform apply is not root, sudo privileges for running
are needed (without password).
After a short time (~2-3 mins), the network and virtual machines are up and running. If there are any failures, terraform destroy might not be enough; manually undefining resources may be necessary.
WARNING: You should take care of protecting your private network. The Terraform config (main.tf) provided here contains only a custom firewall rule for my own testing environment (blocking traffic from the 192.168.3.0/24 honeypot network to 192.168.0.0/16 destinations).
Next is the configuration phase.
Get into the ansible folder:
The recommended installation method is to install the latest Ansible, with some required additional dependencies, in a Python venv:
python3 -m venv venv
. ./venv/bin/activate
pip3 install -r requirements.txt
For later use just activate the venv by
deactivate if it is not needed anymore in your
You should put an SSH public key with filename
ssh-keygen) into the ansible
folder for accessing the Ubuntu Graylog machine with the ubuntu user
(ansible will add it to
The wordlist.txt file contains some (intentionally weak) passwords for the populated domain users; it can be customized.
Run the configuration phase:
ansible-playbook -i hosts setup-domain.yml -v
After 20-25 mins everything is ready.
| hostname | ip address | operating system | role |
|---|---|---|---|
| dc1 | 192.168.3.100 | Windows Server 2016 | Domain Controller |
| desktop12 | 192.168.3.112 | Windows 10 (version 2004) | Domain Member Workstation |
| graylog | 192.168.3.191 | Ubuntu 18.04 LTS | Graylog Server |
| kali | 192.168.3.192 | Kali Rolling (2022.3) | Offensive Operations |
According to the libvirt network configuration (NAT), the hosts can access the public internet (if your host system allows it).
The hosts can be accessed through the host system. In practice, using an SSH SOCKS tunnel and proxychains for RDP or WinRM access is very convenient.
For example, if your libvirt host IP is 192.168.0.10, create a SOCKS tunnel listening on
ssh 192.168.0.10 -D5000 -NTv
And access the Windows 10 desktop (using proxychains configured for the :5000 tunnel):
proxychains xfreerdp /v:192.168.3.112 /u:administrator
Or access the Graylog web interface (listening on :9000 locally on the Graylog Ubuntu server) via SSH ProxyJump and a custom forward tunnel:
ssh -J 192.168.0.10 ubuntu@192.168.3.191 -NTv -L9000:127.0.0.1:9000
Then open the URL http://localhost:9000 to reach the Graylog web interface.
To activate the RDP honeypot, just allow public access to 192.168.3.112:3389 (for example with a port forwarding configuration on your router and iptables rules on the host machine; my helper script is rdp_public.sh) and keep watching Graylog. ;)
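A helper in the spirit of rdp_public.sh, added here as an example (it is not the project's own script, whose contents are not shown): it combines the exposure step with the honeypot-to-LAN isolation rule from the Terraform warning above, and has a dry-run mode for reviewing the rules before applying them. It uses the README's addresses and assumes the host's uplink interface is named eth0.

```sh
#!/bin/sh
# Added example, not the project's rdp_public.sh (whose contents are not shown):
# expose desktop12's RDP service on the libvirt host, after first installing the
# isolation rule from the Terraform warning so the honeypot network cannot reach
# the private LAN. DRY_RUN=1 prints the iptables commands instead of running them.
set -eu

HONEYPOT_NET="${HONEYPOT_NET:-192.168.3.0/24}"  # libvirt honeypot network (README)
RDP_HOST="${RDP_HOST:-192.168.3.112}"            # desktop12, the exposed workstation
PRIVATE_NET="${PRIVATE_NET:-192.168.0.0/16}"     # LAN that must stay unreachable
PUBLIC_IF="${PUBLIC_IF:-eth0}"                   # assumed name of the host's uplink
PUBLIC_PORT="${PUBLIC_PORT:-3389}"               # port your router forwards to this host

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Drop honeypot -> private LAN traffic, but keep replies to sessions opened from
# the LAN (the SSH/RDP management access described above) working.
isolate_honeypot() {
    run iptables -I FORWARD 1 -s "$HONEYPOT_NET" -d "$PRIVATE_NET" -j DROP
    run iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Forward inbound TCP/$PUBLIC_PORT on the uplink to the desktop's RDP port.
# Outbound NAT for the guests is already provided by libvirt's NAT network.
expose_rdp() {
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp --dport "$PUBLIC_PORT" \
        -j DNAT --to-destination "$RDP_HOST:3389"
    run iptables -I FORWARD 1 -d "$RDP_HOST" -p tcp --dport 3389 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Take the honeypot offline again by deleting the same two rules.
unexpose_rdp() {
    run iptables -t nat -D PREROUTING -i "$PUBLIC_IF" -p tcp --dport "$PUBLIC_PORT" \
        -j DNAT --to-destination "$RDP_HOST:3389"
    run iptables -D FORWARD -d "$RDP_HOST" -p tcp --dport 3389 \
        -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
    up)   isolate_honeypot; expose_rdp ;;
    down) unexpose_rdp ;;
    "")   ;;   # no argument: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Run `DRY_RUN=1 ./rdp_public.sh up` first to review the generated rules, then `./rdp_public.sh up` as root to apply them and `./rdp_public.sh down` to pull the honeypot offline.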