What is HIHAT?

The High Interaction Honeypot Analysis Toolkit (HIHAT) allows to transform arbitrary PHP applications into web-based high-interaction Honeypots. Furthermore a graphical user interface is provided which supports the process of monitoring the Honeypot and analysing the acquired data.

A typical use could be the transformation of PHPNuke, PHPMyAdmin or OSCommerce into a full functional Honeypot, which offers the complete functionality of the application to the users but performs comprehensive logging and monitoring in the background.

Features: HIHAT ...
  • automatically scans for known attacks.
  • detects SLQ-Injections, (Remote) File-Inlcusions, Cross-Site Scripting (XSS), Download attempts for malicious files e.g. with WGET or CURL, Command-Injections, etc.
  • provides an overview mode which allows you to look and scan for new incidents quickly (semi-automatic mode).
  • supports detailed information about all data correlated with every access to the honeypot.
    This includes but is not limited to HTTP-GET, HTTP-POST and COOKIE data.
  • saves copies of malicious tools in a secured place for later analysis.
  • provides a geographical, IP-based mapping about the attack sources. The generated map shows the
    origin of the attacks and offers additional details for each location.
  • generates numerous statistics about all traffic recognized at the system.
  • ...


September 2, 2007: We just added the new section about Transparent Linking, check it out!
August 1, 2007: Version 1.1 is under development...stay tuned!
July 15, 2007: HIHAT Version 1.0 released.


Transparent Linking