Daedric Deception Platform
Advanced Honeypot System with ML-Powered Threat Intelligence
Proprietary Notice: This repository is proprietary and all rights are reserved. Unauthorized use, copying, modification, distribution, or sale is prohibited. Fixed fingerprint:
MEPHALA-FP-2025-eac5a8a58376b2fc1fb6ebef9e5b75c459bc5f8968b6d0ad60c9820a5d018659. For permissions or inquiries, contact [email protected].
[ASCII-art banner]

DAEDRIC PRINCE OF SECRETS
The Webspinner v1.0
Mephala is a high-interaction honeypot that simulates vulnerable network services to trap attackers and harvest intelligence.
```text
ATTACKER --> thinks it's a real server --> TRAPPED --> MEPHALA DB
                                                          |
      credentials, commands, payloads,                    |
      IPs, techniques, malware samples                    v
                                                      DASHBOARD
                                                      (real-time)
```
Named after the Daedric Prince of secrets, lies, and webs of deceit from The Elder Scrolls V: Skyrim.
Mephala weaves three deadly threads to ensnare intruders:
| Thread | Port | Disguise | What It Captures |
|---|---|---|---|
| SSH | 2222 | Linux OpenSSH server | Usernames, passwords, shell commands, session recordings |
| HTTP | 8080 | WordPress, phpMyAdmin | SQL injection, XSS attempts, file uploads, request payloads |
| FTP | 2121 | vsftpd file server | Credentials, uploaded malware, directory traversal attempts |
SSH thread:
- Credential harvesting (username/password capture)
- Fake shell with 25+ Linux commands (ls, cat, wget, curl, etc.)
- Virtual filesystem (/etc/passwd, /etc/shadow, realistic structure)
- Session recording (every keystroke logged)
- Malicious command detection (wget, curl, chmod +x patterns)

HTTP thread:
- WordPress login simulation (wp-login.php, wp-admin)
- phpMyAdmin honeytokens
- SQL injection detection (UNION, SELECT, DROP, etc.)
- XSS payload capture (`<script>`, onerror, javascript:)
- RCE attempt detection (;, |, $(), backticks)
- File upload quarantine

FTP thread:
- Anonymous and authenticated access
- Passive (PASV) and Active (PORT) mode support
- Uploaded file capture and quarantine
- Directory listing with fake files
- Path traversal detection (../, %2e%2e)
Every attack is analyzed by Mephala's machine learning brain:
```text
Attack --> PREPROCESSOR          <-- feature extraction (TF-IDF, patterns, IP analysis)
               |
               v
           CLASSIFIER            <-- Random Forest, multi-class classification
               |
               v
           ANOMALY DETECTOR      <-- Isolation Forest, zero-day detection
               |
               v
           THREAT CLASSIFICATION
           + severity score (1-10)
           + confidence level
```
| Type | Description | Severity |
|---|---|---|
| `reconnaissance` | Port scanning, service enumeration | Low |
| `brute_force` | Credential stuffing, password spraying | Medium |
| `sql_injection` | Database manipulation attempts | High |
| `xss` | Cross-site scripting payloads | Medium |
| `rce` | Remote code execution attempts | Critical |
| `path_traversal` | Directory escape attempts | High |
| `credential_theft` | Password/token harvesting | High |
Real-time visualization of the web's activity:
| View | Description |
|---|---|
| Live Feed | Real-time stream of attacks as they happen |
| World Map | Geographic visualization of attack origins (Leaflet) |
| Timeline | Attack frequency over time (Chart.js) |
| Statistics | Total attacks, unique IPs, severity breakdown |
| Attack Details | Deep dive into individual attack sessions |
| Purpose | Benefit |
|---|---|
| Threat Research | Study real attacker behavior, TTPs, and tools |
| Threat Intelligence | Collect IOCs (IPs, payloads, signatures, malware) |
| Early Warning System | Detect attackers probing your network before they hit real assets |
| Deception Defense | Waste attacker time and resources on fake targets |
| Security Training | Learn attack patterns in a safe, controlled environment |
| SOC Enrichment | Feed captured data into SIEM/SOAR platforms |
```text
mephala/
├── core/                         # System Core
│   ├── base_service.py           # Abstract honeypot base class
│   ├── config.py                 # Pydantic configuration management
│   ├── database.py               # SQLAlchemy async ORM (PostgreSQL/SQLite)
│   ├── honeypot.py               # Main orchestrator & lifecycle manager
│   └── logger.py                 # Structured logging (JSON/text)
│
├── services/                     # Honeypot Services
│   ├── ssh_honeypot.py           # SSH trap (asyncssh)
│   ├── http_honeypot.py          # HTTP trap (aiohttp)
│   ├── ftp_honeypot.py           # FTP trap (asyncio)
│   └── utils/
│       ├── fake_filesystem.py    # Virtual Linux filesystem
│       ├── response_templates.py # Realistic banners & responses
│       └── session_manager.py    # Session tracking & statistics
│
├── ml/                           # Machine Learning Pipeline
│   ├── preprocessor.py           # Feature extraction (TF-IDF, patterns)
│   ├── models.py                 # Random Forest + Isolation Forest
│   ├── trainer.py                # Training pipeline with GridSearchCV
│   └── predictor.py              # Real-time classification with caching
│
├── api/                          # REST API (FastAPI)
│   ├── server.py                 # Application factory, CORS, lifespan
│   ├── auth.py                   # JWT authentication (passlib/bcrypt)
│   ├── models.py                 # Pydantic request/response schemas
│   └── routes/
│       ├── attacks.py            # CRUD endpoints for attacks
│       ├── stats.py              # Statistics & analytics endpoints
│       └── websocket.py          # Real-time WebSocket feed
│
├── dashboard/                    # Frontend (Vue.js 3)
│   └── src/
│       ├── components/           # StatCard, LiveFeed, Charts
│       ├── views/                # Dashboard, Attacks, AttackMap
│       ├── stores/               # Pinia state management
│       └── services/             # Axios API client
│
├── docker/                       # Containerization
│   ├── Dockerfile                # Multi-stage build, non-root user
│   ├── docker-compose.yml        # Full stack orchestration
│   └── nginx.conf                # Reverse proxy configuration
│
└── scripts/                      # Utilities
    ├── setup.sh                  # Automated environment setup
    ├── train_models.py           # ML model training CLI
    └── seed_database.py          # Test data generation
```
```bash
# Clone the artifact
git clone https://github.com/ind4skylivey/mephala.git
cd mephala

# Configure secrets
cp .env.example .env
nano .env

# Summon the web
cd docker && docker-compose up -d

# Watch the threads
docker-compose logs -f mephala
```

```bash
# Clone
git clone https://github.com/ind4skylivey/mephala.git
cd mephala

# Setup environment
chmod +x scripts/setup.sh
./scripts/setup.sh

# Initialize database
alembic upgrade head

# Start services (3 terminals)
python core/honeypot.py                       # Honeypot traps
uvicorn api.server:app --reload --port 8000   # REST API
cd dashboard && npm install && npm run dev    # Dashboard
```

```bash
# Obtain JWT token
curl -X POST http://localhost:8000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "admin123"}'
```

| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/v1/auth/login` | Get JWT access token |
| GET | `/api/v1/attacks` | List attacks (paginated, filterable) |
| GET | `/api/v1/attacks/{id}` | Get attack details with related data |
| POST | `/api/v1/attacks/search` | Advanced search with filters |
| DELETE | `/api/v1/attacks/{id}` | Delete attack record |
| GET | `/api/v1/stats/overview` | Dashboard statistics |
| GET | `/api/v1/stats/timeline` | Attack frequency over time |
| GET | `/api/v1/stats/geographic` | Geographic distribution |
| GET | `/api/v1/stats/top-attackers` | Most active source IPs |
| GET | `/api/v1/stats/attack-types` | Attack type distribution |
| WS | `/ws/live` | Real-time attack feed |
```bash
# Core
MEPHALA_ENV=production
DEBUG=false

# Database (PostgreSQL recommended)
DATABASE_URL=postgresql+asyncpg://mephala:secret@localhost:5432/mephala

# Cache
REDIS_URL=redis://localhost:6379/0

# API Security
API_SECRET_KEY=your-32-char-secret-key
API_ACCESS_TOKEN_EXPIRE_MINUTES=30

# Service Ports
SSH_PORT=2222
HTTP_PORT=8080
FTP_PORT=2121

# Logging
LOG_LEVEL=INFO
LOG_FORMAT=json
```

| Layer | Technology |
|---|---|
| Language | Python 3.10+ |
| Async Framework | asyncio, asyncssh, aiohttp |
| API | FastAPI, Uvicorn |
| Database | PostgreSQL (async), SQLAlchemy 2.0 |
| Cache | Redis |
| ML | scikit-learn (Random Forest, Isolation Forest) |
| Frontend | Vue.js 3, Pinia, Chart.js, Leaflet |
| Containerization | Docker, docker-compose |
| Reverse Proxy | nginx |
```bash
# Run all tests
pytest tests/ -v

# With coverage report
pytest tests/ --cov=core --cov=services --cov=ml --cov=api

# Results
============================= 155 passed ==============================
```

How does Mephala compare to other honeypot frameworks?
| Feature | Mephala | Cowrie | T-Pot | Dionaea | HoneyTrap |
|---|---|---|---|---|---|
| SSH Honeypot | β | β | β | β | β |
| HTTP Honeypot | β | β | β | β | β |
| FTP Honeypot | β | β | β | β | β |
| ML Classification | β | β | β | β | β |
| Anomaly Detection | β | β | β | β | β |
| Auto Threat Scoring | β | β | β | β | β |
| Real-time Dashboard | β Vue.js | β | β Kibana | β | β |
| WebSocket Live Feed | β | β | β | β | β |
| REST API | β FastAPI | β | β | β | β |
| Single Codebase | β Python | β Python | β Multi | β C | β Go |
| Modern Async | β asyncio | β Twisted | β | β | β |
| Lightweight | β | β | β Heavy | β | β |
| Easy Deploy | β | β | β |
ML-POWERED INTELLIGENCE
- Random Forest classifier for attack categorization
- Isolation Forest for zero-day anomaly detection
- Automatic severity scoring (1-10)
- Real-time threat classification

MODERN ARCHITECTURE
- Pure Python 3.10+ with native asyncio
- FastAPI REST endpoints
- WebSocket real-time streaming
- Vue.js 3 reactive dashboard

ALL-IN-ONE SOLUTION
- SSH + HTTP + FTP in single deployment
- No Elasticsearch/Kibana dependency
- Lightweight compared to T-Pot (~8GB RAM vs ~256MB)
- Single language, single codebase

UNIQUE IDENTITY
- Skyrim-inspired Daedric aesthetic
- Professional documentation
- Active development
- Telnet honeypot
- SMTP honeypot
- MySQL/PostgreSQL honeypot
- Elasticsearch integration
- Slack/Telegram alerting
- MITRE ATT&CK mapping
- Threat feed export (STIX/TAXII)
- Kubernetes Helm chart
AUTHORIZED USE ONLY

This tool is intended for:
- Security research on owned infrastructure
- Authorized penetration testing engagements
- Educational and training purposes
- Threat intelligence gathering on controlled networks
Deploy only on networks you own or have explicit written permission to test.
The authors assume no liability for misuse or damage caused by this software.
Unauthorized deployment may violate local laws and regulations.
Business Source License 1.1 (BSL)
Copyright (c) 2024 ind4skylivey
ALLOWED
- Personal use
- Educational use
- Security research
- Internal company use
- Modification and derivatives

NOT ALLOWED (without commercial license)
- Offering Mephala as a commercial service
- Selling access to honeypot deployments
- Reselling threat intelligence data

CHANGE DATE: January 1, 2028
- Automatically converts to GPL-3.0
- Full open source after this date
For commercial licensing inquiries: Contact ind4skylivey
MEPHALA
The Webspinner sees all. The web catches all.
Inspired by The Elder Scrolls V: Skyrim