spacer TO LEARN THE TOOLS, TACTICS, AND MOTIVES OF THE email the Honeynet Project
About the Project
Our Book


The Know Your Enemy (KYE) series of papers is dedicated to describing the concepts and technology of the Honeynet Project and Research Alliance and sharing the lessons we have learned. The goal is for this information to improve the security of the Internet. Each paper topic must be first approved by our internal Review Board, then all drafts go through a five week review process. You can download the papers and read them offline, or read translated papers here. If you find any errors in the papers, or have any suggestions for improvements or new paper topics, please contact us at [email protected].

NOTE: The Honeynet Project makes no warranties about the concepts or content discussed in these papers.

Creative Commons License

  • FINDINGS: These papers cover what we have learned about cyber threats. Who they are, how they operate, and why. These papers are listed from most current to oldest. We listed this section first as it is the more popular of the two.
  • TECHNOLOGY / TECHNIQUES: These papers cover how we learn what we learn, including papers covering honeynets, Sebek, and analysis techniques. These papers are more technical, and designed for geeks who want to understand, and perhaps even deploy our technology.

WARNING: Not all of these papers are current. Please be sure to check the "Last Modified" date to see when the paper was last updated. Some of our original papers are very old and are posted primarily for historical purposes.



Know Your Enemy Lite: Proxy Threats - Socks v666 - 29 January, 2008
This paper is our first ever "KYE Lite" paper. These are shorter papers that focus on very specific topics. In this paper we discuss: the basic operational concept of how reverse tunnel proxies work, a new customized control protocol in use, the advantages to the criminal community, a detailed example and it's similarities to legacy SOCKS protocols, and how this activity can be further identified including mitigation strategies.

Know Your Enemy: Behind the Scenes of Malicious Web Servers - 7 November, 2007
In this paper, we increase our understanding of malicious web servers through analysis of several web exploitation kits that have appeared in 2006/07: WebAttacker, MPack, and IcePack. Our discoveries will necessitate adjustments on how we think about malicious web servers and will have direct implications on client honeypot technology and future studies..

Know Your Enemy: Malicious Web Servers - 14 August, 2007
In this paper, we take an in-depth look at malicious web servers that attack web browsers and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks. All the malicious web servers identified in this study were found with our client honeypot Capture-HPC.

Know Your Enemy: Fast-Flux Service Networks - 15 July, 2007
This whitepaper details a growing technique within the criminal community called fast-flux networks. This is an architecture that builds more robust networks for malicious activity while making them more difficult to track and shutdown. This is the first KYE paper we are releasing in both .pdf and .html format.

Know Your Enemy: Web Application Threats - 07 February, 2007
This paper provides behind the scenes information on various HTTP-based attacks against web applications, including remote file inclusion and exploitation of the PHPShell application. The paper is based on the research and data collected from the Chicago Honeynet Project, the New Zealand Honeynet Project and the German Honeynet Project during multiple honeypot compromises. Along with the release of this paper, comes new functionality to the Google Hack Honeypot (GHH), used extensively in the paper. GHH now includes an automated malware collection function, as well as remote XML-RPC logging for SSL support.

Know Your Enemy: Phishing - 17 May, 2005
This paper documents how attackers build and use their infrastructure for Phishing based attacks. This highly technical and indepth paper is based on data captured and analyzed from the UK and German Honeynet Project.

Know Your Enemy: Tracking Botnets - 14 March, 2005
This paper documents what Botnets are, who is using them, how, and why. It also introduces the tools 'mwcollect' and 'drone' which can be used for collecting malware and tracking Botnet activity.

Know Your Enemy: Trends - 21 December, 2004
This paper documents how over the past several years, the life expectancy has dramatically increased for unpatched or vulnerable Linux systems. The purpose of this paper is to make you ask "Why is no one hacking Linux anymore?".

Know Your Enemy: Honeynets in Universities - 26 April, 2004
This paper covers how academic institutions can deploy honeynets in their networks. We cover the lessons learned from GA Tech deploying a honeynet on their internal .edu network, how they got permission, and the successes they had. The purpose of this paper is to make it easier for any university or college to deploy a honeynet, for either research or operational activity.

Profiles - Automated Credit Card Fraud - 10 July, 2003
A look at just how easy, automated, and wide spread credit card fraud and identity theft has become, even amongst unskilled individuals.

Know Your Enemy: Motives - 27 June, 2000
This paper studies the motives and psychology of a group of simple attackers, all in their own words.

Know Your Enemy: Statistics - 23 July, 2001
This paper analyzes eleven months of data collected by the Honeynet Project. Based on this data, we demonstrate just how active the blackhat community is. We also demonstrate that it may be possible to predict future attacks.

Know Your Enemy: A Forensics Analysis - 23 May, 2000
This paper studies step by step a successful attack of a system. However, instead of focusing on the tools and tactics used, we  focus on our analysis techniques and how we pieced the information together. The purpose is to give you the  skills necessary to analyze and learn on your own the threats your organization faces.

Know Your Enemy: Worms at War - 7 November, 2000
See how worms probe for and compromise vulnerable Microsoft Windows systems. Based on the first Microsoft honeypot compromised in the Honeynet Project.

Know Your Enemy: III - 27 March, 2000
What happens after the script kiddie gains root. Specifically, how they cover their tracks while they monitor your system.  The paper goes through step by step on a system that was compromised, with system logs and keystrokes to verify each step.

Know Your Enemy: II - 18 June, 2001
How to determine what the enemy is doing by analyzing your system log files. Includes examples based on two commonly used scanning tools, sscan and nmap.

Know Your Enemy - 21 July, 2000
The tools and methodology of the most common black-hat threat on the Internet, the Script Kiddie.  By understanding how they attack and what they are looking for, you can better protect your systems and network.



Know Your Enemy: Honeywall CDROM - 17 May, 2004
This paper introduces you to the concepts of the Honeywall CDROM, a bootable Honeynet gateway. Anyone wanting to deploy a honeynet should seriously consider this solutions, as it standardizes deployments and combines all of our tools, including data control, data capture, and data analysis.

Know Your Enemy: Sebek - 17 November, 2003
A detailed look into one of the Project's primary tools for an attacker's activity on a honeypot, even encrypted activity, such as SSH, burneye, and IPSec. This paper covers what Sebek is, its value, how it works, strengths and weaknesses, and how to analyze data recovered by Sebek.

Know Your Enemy: GenII Honeynets - 10 May, 2005
This papers describes step-by-step how to build, deploy, and test a 2nd generation (GenII) Honeynet using the latest technologies. GenII Honeynets are considered easier to deploy, harder to detect, and safer to maintain then the original GenI technologies.

Know Your Enemy: Honeynets - 10 May, 2005
This paper is an overview of the concepts, values, risks, and issues of Honeynets. This paper does not discuss the technical details of Honeynet technologies.

Know Your Enemy: Defining Virtual Honeynets - 27 January, 2003
This paper defines what a Virtual Honeynet is, its advantages and disadvantages, and the different way they can be deployed.

Know Your Enemy: Learning with User-Mode Linux - 20 December, 2002
This paper explains step by step how to build a GenI virtual Honeynet using OpenSource software. Deploy a complete Honeynet using nothing more than an old 486 computer and free software!

Know Your Enemy: Passive Fingerprinting - 04 March, 2002
This paper details how to passively learn about the enemy, without them knowing about it. Specifically, how to determine the operating system of a remote host using passive sniffer traces only.

Back to Top