Skip to content

joshrendek/threat.gg-agent

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

99 Commits
.github
.github
 
 
docker
docker
 
 
elasticsearch
elasticsearch
 
 
etcd
etcd
 
 
ftp
ftp
 
 
honeypots
honeypots
 
 
internal/ldapserver
internal/ldapserver
 
 
jenkins
jenkins
 
 
kafka
kafka
 
 
kubernetes
kubernetes
 
 
ldap
ldap
 
 
mqtt
mqtt
 
 
mysql
mysql
 
 
openclaw
openclaw
 
 
persistence
persistence
 
 
postgres
postgres
 
 
proto
proto
 
 
rdp
rdp
 
 
redis
redis
 
 
smb
smb
 
 
smtp
smtp
 
 
sshd
sshd
 
 
stats
stats
 
 
telnet
telnet
 
 
updater
updater
 
 
vnc
vnc
 
 
webserver
webserver
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
.goreleaser.yaml
.goreleaser.yaml
 
 
Gopkg.lock
Gopkg.lock
 
 
Gopkg.toml
Gopkg.toml
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
honeypot.conf
honeypot.conf
 
 
honeypot.proto
honeypot.proto
 
 
honeypot.upstart.conf
honeypot.upstart.conf
 
 
main.go
main.go
 
 
testfile
testfile
 
 

Repository files navigation

threat.gg Agent

The honeypot agent for threat.gg, a honeypot-as-a-service platform for collecting and analyzing real-world attack data.

Overview

The agent is a Go binary that runs on honeypot nodes and emulates multiple network services. When attackers connect and interact with these fake services, the agent captures their activity (commands, credentials, payloads) and reports it to the threat.gg server via gRPC.

Supported Honeypots

Service Default Port Description
SSH 22 Captures brute-force credentials, shell commands, proxy requests, and malware drops
PostgreSQL 5432 Emulates a PostgreSQL server, captures authentication attempts and SQL queries
FTP 21 Captures FTP login attempts and file transfer commands
Elasticsearch 9200 Emulates an Elasticsearch REST API, captures search and index requests
HTTP 8080 Web server honeypot capturing HTTP request payloads
Kubernetes API 6443 Emulates the Kubernetes API server
OpenClaw 18789 WebSocket-based honeypot for custom protocol interactions
Kafka 9092 Emulates an Apache Kafka broker, captures client reconnaissance and SASL/PLAIN credentials
VNC 5900 Emulates VNC/RFB handshake and captures auth challenge-response + client preferences

Architecture

Each honeypot implements the honeypots.Honeypot interface (Start() + Name()) and is registered in main.go. Honeypots run concurrently as goroutines, listening on their respective ports.

Captured attack data is sent asynchronously to the threat.gg server via gRPC with TLS and API key authentication. The server stores the data in PostgreSQL and broadcasts events to the real-time dashboard feed via Redis pub/sub.

Building

make build        # Cross-compile static Linux binaries (amd64 + arm64)
make proto        # Regenerate protobuf code from the server's honeypot.proto
make test         # Run tests

Deployment

The agent binary is deployed to honeypot nodes at /root/honeypot and managed via systemd. An auto-updater checks GitHub Releases every 15 minutes for new versions (calver tags).

Configuration

Environment variables:

Variable Description Default
API_KEY API key for server authentication required
GO_ENV Set to development for local testing production
SSH_PORT SSH honeypot port 22
KAFKA_PORT Kafka honeypot port 9092

About

A SSH Server in Go that logs username/password combos

Resources

Readme

License

GPL-3.0 license
Activity

Stars

39 stars

Watchers

2 watching

Forks

12 forks
Report repository

Releases 63

Release 20260322.23409164730 Latest
Mar 22, 2026
+ 62 releases

Packages

 
 
 

Contributors

Languages