Version 25 (modified by cseifert, 11 years ago)


Capture-HPC Client Honeypot / Honeyclient

On August 28th 2008, we released version 2.5 of Capture-HPC. Please refer to the Releases for details.

Capture is a high-interaction client honeypot (also called a honeyclient). A client honeypot or honeyclient is a security technology that allows one to find malicious servers on a network. Capture identifies malicious servers by interacting with potentially malicious servers using a dedicated virtual machine and observing its system state changes. Because no other activity occurs on the dedicated client machine, any detected system state change causes the server Capture interacted with to be classified as malicious.

High level overview of Capture:

  • The Capture Server/Capture Client architecture allows one to control numerous Capture clients on the localhost as well as on remote hosts.
  • Capture's monitors are able to observe the file system, registry, and processes of a system at the kernel level.
  • The architecture allows Capture to drive various HTTP-aware client applications. This includes a variety of browsers, but also various office applications and media players.
  • Centralized logs keep track of which links have and have not been visited, server classifications, and state changes incurred by visiting malicious servers.
  • Capture is able to automatically collect malware that might have been placed on a compromised client system.

We have set up a public mailing list to discuss issues around installation & operation, request support, voice feature requests, share your findings, etc. You can subscribe to it via

We would like to thank the following individuals for their support, feedback, and discussions on the Capture-HPC tool:

Armin Garcia, Bing Yuan, David Stirling, David Watson, Devinder Singh, Ian Welch, Jamie Riden, Lance Spitzner, Michael A Davis, Mike Johnson, Ralph Logan, Peter Komisarczuk, Steve Mumford, Thorsten Holz, Xeno Kovah
