Capture-HPC Client Honeypot / Honeyclient
On September 2nd 2008, we released version 2.5.1 of Capture-HPC. Please refer to Releases for details.
Capture is a high interaction client honeypot (also called honeyclient). A client honeypot or honeyclient is a security technology that allows one to find malicious servers on a network. Capture identifies malicious servers by interacting with potentially malicious servers from a dedicated virtual machine and observing the changes to that machine's system state. Because no other activity takes place on the dedicated client machine, any detected system state change means the server Capture interacted with is classified as malicious.
High level overview of Capture:
- Capture Server/Capture Client architecture allows one to control numerous Capture clients on the localhost as well as on remote hosts.
- Capture's monitors are able to observe the file system, registry, and processes of a system at the kernel level.
- The architecture allows Capture to drive various HTTP-aware client applications. This includes a variety of browsers, but also various office applications and media players.
- Centralized logs keep track of which links have been visited and which have not, of server classifications, and of the state changes incurred by visiting malicious servers.
- Capture is able to automatically collect malware that might have been placed on a compromised client system, as well as the generated network traffic.
- Capture runs on a variety of virtual machine technologies. The default installation runs on VMware Server 1.x; instructions for running Capture on VMware's ESX and ESXi hypervisors can be found on the ESX page (thanks to Lasse Borup for those instructions). Emre Bastuz has posted instructions on how to compile Capture to work with VMware Server 2.x on his blog at http://www.emre.de/wiki/Capture-HPC. Capture can be extended to run on additional virtual machine technologies or even on bare-metal installations (Chiraag Aval is currently working on making Capture run on bare-metal hardware).
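The classification idea described above (snapshot the clean VM, interact with the server, snapshot again, and classify the server on any change reported by the file system, registry and process monitors) as an added Python illustration; this is not Capture's own code, and the snapshot layout, the URL names and the sample VM states are constructed for the example.

```python
# Added illustration (not Capture's own code): snapshot the clean VM, visit the
# server, snapshot again, classify the server as malicious on any change in
# monitored state. Snapshot layout and sample data are constructed here.
MONITORS = ("filesystem", "registry", "process")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

def diff_snapshots(before, after):
    """Return (monitor, action, object) tuples for every difference between two
    snapshots; a snapshot maps a monitor name to {object name: observed value}."""
    changes = []
    for monitor in MONITORS:
        old, new = before.get(monitor, {}), after.get(monitor, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append((monitor, "created", name))
            elif name not in new:
                changes.append((monitor, "deleted", name))
            elif old[name] != new[name]:
                changes.append((monitor, "modified", name))
    return changes

class CentralLog:
    """Tracks unvisited and visited URLs, classifications and state changes."""
    def __init__(self, urls):
        self.unvisited = list(urls)
        self.visited = {}

    def record_visit(self, url, before, after):
        changes = diff_snapshots(before, after)
        verdict = "malicious" if changes else "benign"
        self.unvisited.remove(url)
        self.visited[url] = {"classification": verdict, "changes": changes}
        return verdict

# Constructed baseline of the dedicated VM (browser already started) and the
# state after a visit that dropped a file, added an autorun value, ran a process.
CLEAN_VM = {
    "filesystem": {r"C:\Windows\explorer.exe": "sha1:0a1b"},
    "registry": {RUN_KEY + r"\Sidebar": "sidebar.exe"},
    "process": {"explorer.exe": 1040, "iexplore.exe": 2204},
}
INFECTED_VM = {
    "filesystem": {**CLEAN_VM["filesystem"], r"C:\Temp\svc.exe": "sha1:ffff"},
    "registry": {**CLEAN_VM["registry"], RUN_KEY + r"\svc": r"C:\Temp\svc.exe"},
    "process": {**CLEAN_VM["process"], "svc.exe": 3100},
}
```

A visit whose post-visit snapshot equals the baseline is logged as benign; a real deployment would also need an exclusion list for the benign changes the client application itself makes.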
We have set up a public mailing list for discussing issues around installation and operation, requesting support, voicing feature requests, sharing your findings, etc. You can subscribe to it via https://public.honeynet.org/mailman/listinfo/capture-hpc
We would like to thank the following individuals for their support, feedback, and discussions on the Capture-HPC tool:
Armin Garcia, Bing Yuan, David Stirling, David Watson, Devinder Singh, Ian Welch, Jamie Riden, Lance Spitzner, Michael A Davis, Mike Johnson, Ralph Logan, Peter Komisarzcuk, Steve Mumford, Thorsten Holz, Xeno Kovah, Lasse Borup, Josh Smith