Open-source lab for adversary and defender perspectives on cyber deception. Deploy a fictitious financial environment (Andesfinance) with configurable deception levels, monitoring (Elastic Stack), and built-in attacker simulation—all via Docker Compose.
This project disseminates both adversary and defender perspectives on cyber deception. It deploys a fictitious production environment with monitoring, multiple deception levels, and an attacker container. The environment simulates a financial organization (Andesfinance) with intentionally vulnerable web services, SSH honeypots, decoy APIs, fake activity generators, and optional high-fidelity deception (banners, tampered executables).
- Configurable deception levels: None, Basic, Complete, Impossible (progressive honeypots, decoys, and anti-forensics).
- Full stack: Node.js frontend/backend, MySQL, custom SSH honeypot, fake activity generator, Elastic Stack (Filebeat, Elasticsearch, Kibana).
- Attacker container: Preloaded with recon and attack scripts (reconnaissance, port scanning, SQL injection, command injection, SSH brute force, data exfiltration).
- Observability: Centralized logs and Kibana dashboards for events, source IPs, and executed commands.
- Cross-platform: Docker Compose; startup scripts for Linux (
startup.sh) and Windows (startup.bat).
This project is licensed under the MIT License. See LICENSE for the full text.
See CHANGELOG.md for version history and notable changes.
Show how an environment looks with:
- ✅ Multiple deployed deception activities
- ✅ Activity monitoring
- ✅ An adversary facing increasing decision-making difficulty
┌────────────────────────────────────────────────────────────────────────────────┐
│ "EXTERNAL" NETWORK │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ Attacker Container │ │
│ │ │ │
│ │ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────────┐ │ │
│ │ │ Scripting │ │ Manual │ │ Recon Tools │ │ │
│ │ │ Attacks │ │ Testing │ │ │ │ │
│ │ │ │ │ (SSH/Web) │ │ (nmap, etc.) │ │ │
│ │ │ Port 5000 │ │ │ │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ └─────────────────┘ └─────────────────┘ └─────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────┘
│
│
▼
┌─────────────────────────────────────────────────────────────────────────────────┐
│ DMZ NETWORK │
│ │
│ ┌───────────────────────────────────┐ │
│ │ Frontend │ │
│ │ │ │
│ │ Employee Portal │ │
│ │ Port 3000 │ │
│ └─────────────────────┬─────────────┘ │
│ │ │
│ │ Backend Communication │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ SERVER NETWORK │ │
│ │ │ │
│ │ ┌───────────────┐ ┌──────────────┐ ┌─────────────────────────┐ │ │
│ │ │ Backend │ │ SSH Honeypot │ │ Fake Activity │ │ │
│ │ │ │ │ │ │ Generator │ │ │
│ │ │ Financial API │ │ Port 22 │◄───│ │ │ │
│ │ │ Port 3001 │ │ │ │ │ │ │
│ │ └───────┬───────┘ └──────────────┘ └─────────────────────────┘ │ │
│ │ │ │ │
│ │ │ Database Access │ │
│ │ ▼ │ │
│ │ ┌─────────────────────────────────────────────────────────────────┐ │ │
│ │ │ DATABASE NETWORK │ │ │
│ │ │ │ │ │
│ │ │ ┌─────────────────────────────────────────────────────────┐ │ │ │
│ │ │ │ MySQL Database │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ Financial Database │ │ │ │
│ │ │ │ Port 3306 │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ └─────────────────────────────────────────────────────────┘ │ │ │
│ │ └─────────────────────────────────────────────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ MONITOR NETWORK │ │
│ │ │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌─────────────────────────┐ │ │
│ │ │ Filebeat │────│Elasticsearch │────│ Kibana │ │ │
│ │ │ (Log Shipper)│ │ (Storage) │ │ (Visualization) │ │ │
│ │ │ │ │ Port 9200 │ │ Port 5601 │ │ │
│ │ └──────────────┘ └──────────────┘ └─────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────────┘
- Frontend: Andesfinance employee portal (Node.js/Express)
- Backend: Andesfinance financial API
- MySQL: Financial database with sensitive data
- SSH Honeypot: Custom SSH honeypot
- Fake Activity: Fake activity generator
- Elastic Stack: Filebeat + Elasticsearch + Kibana
- Docker Compose: Container orchestration
- Frontend: Accessible from localhost (port 3000) - controlled entry point
- Backend: Only internally accessible - protected from external access
- MySQL: Only internally accessible - isolated database
- SSH Honeypot: Only accessible internally from server network
- Elastic Stack: Accessible from localhost (Port 5601) - monitoring entry point
/cyberdeception-playground/
├── docker-compose.yml # Service orchestration
├── frontend/ # Vulnerable web application
│ ├── Dockerfile # Frontend image
│ ├── package.json # Node.js dependencies
│ ├── server.js # Vulnerable web server
│ ├── start-with-monitor.sh # Startup script with monitoring
│ ├── apk-monitor.sh # APK package monitor
│ ├── wait-for-backend.js # Backend wait script
│ ├── wait-for-mysql.js # MySQL wait script
│ ├── public/ # Static files
│ │ └── index.html # Main page
│ └── config/ # Configuration files
│ ├── access.txt # Access control
│ ├── aws-credentials.json # Fake AWS credentials
│ ├── database.conf # Database configuration
│ ├── environment.env # Environment variables
│ ├── export-test-customer-data.csv # Test data
│ └── export2-employee-database.xlsx # Employee database
├── backend/ # Vulnerable backend API
│ ├── Dockerfile # Backend image
│ ├── package.json # Node.js dependencies
│ ├── server.js # Vulnerable API server
│ ├── deception-endpoints.js # Deception endpoints
│ └── wait-for-mysql.js # MySQL wait script
├── mysql/ # MySQL database
│ ├── Dockerfile # MySQL image
│ ├── init.sql # Basic initialization script
│ ├── init-basic.sql # Basic level initialization
│ ├── init-complete.sql # Complete level initialization
│ ├── init-impossible.sql # Impossible level initialization
│ └── select-init.sh # Initialization selection script
├── ssh-honeypot/ # SSH Honeypot
│ ├── Dockerfile # Honeypot image
│ ├── ssh_honeypot.py # Custom SSH honeypot
│ ├── startup.sh # Startup script
│ ├── config/
│ │ └── userdb.txt # Users and passwords
│ └── logs/ # Honeypot logs
│ ├── ssh_connections.json # Registered SSH connections
│ └── ssh_honeypot.log # Honeypot log
├── fake-activity/ # Fake activity generator
│ ├── Dockerfile # Generator image
│ ├── requirements.txt # Python dependencies
│ └── app.py # Generator application
├── attacker/ # Attacker container
│ ├── Dockerfile # Image with attack tools
│ ├── requirements.txt # Python dependencies
│ └── attack_scripts/ # Automated attack scripts
│ ├── main_attacker.py # Main attack script
│ └── components/ # Attack components
│ ├── base_attacker.py # Base attacker class
│ ├── command_injection.py # Command injection
│ ├── data_exfiltration.py # Data exfiltration
│ ├── port_scanning.py # Port scanning
│ ├── reconnaissance.py # Reconnaissance
│ ├── sql_injection.py # SQL injection
│ ├── ssh_bruteforce.py # SSH brute force
│ └── web_application_discovery.py # Web application discovery
├── filebeat/ # Log collection agent
│ ├── Dockerfile # Filebeat image
│ └── filebeat.yml # Filebeat configuration
├── dashboards/ # Kibana dashboards
│ └── setup-kibana.sh # Kibana configuration script
├── logs/ # System logs
│ ├── backend/ # Backend logs
│ ├── frontend/ # Frontend logs
│ └── mysql/ # MySQL logs
├── scripts/ # Utility scripts
│ ├── startup.bat # Startup script (Windows)
│ └── shutdown.bat # Shutdown script (Windows)
├── LICENSE # Project license
├── README.md # This file
└── README_ES.md # Spanish documentation
- Docker (engine and Compose v2)
- Resources: At least 4 GB RAM; recommended 8 GB for full stack + Elasticsearch
- Ports: 3000 (frontend), 22 (SSH honeypot), 5601 (Kibana), 9200 (Elasticsearch) — backend and MySQL are internal only
- Disk: Sufficient space for Docker images and Elasticsearch data
- Linux: Use
./scripts/startup.sh <level>(bash). - Windows: Use
.\scripts\startup.bat <level>(PowerShell or cmd).
- Runtime: Node.js (frontend, backend), Python (SSH honeypot, fake activity, attacker scripts)
- Databases: MySQL
- Containers: Docker / Docker Compose (all services containerized)
-
Clone the repository
git clone https://github.com/Base4Security/cyberdeception-playground.git cd cyberdeception-playground -
Start the environment with a deception level (see Usage → Parameters).
# Linux / macOS ./scripts/startup.sh <level> # Windows .\scripts\startup.bat <level>
-
Verify services
docker compose ps curl http://localhost:5601 # Kibana curl http://localhost:3000 # Frontend docker exec attacker-tools whoami
The startup script accepts one argument: the deception level.
| Parameter | Description |
|---|---|
none |
No deception; minimal services only. |
basic |
Basic deception: SSH honeypot, fake credentials, decoy files. |
complete |
Full deception: basic + fake activity generator, decoy API endpoints, monitored DB columns. |
impossible |
Maximum deception: complete + modified banners/services, anti-forensics, tampered executables. |
| Activity / Component | None | Basic | Complete | Impossible |
|---|---|---|---|---|
| SSH decoy (honeypot, captures connection attempts) | ❌ | ✅ | ✅ | ✅ |
| Fake credentials in honeypot user database | ❌ | ✅ | ✅ | ✅ |
| Decoy files (attractive fake documents on frontend) | ❌ | ✅ | ✅ | ✅ |
| Fake activity generator (daily usage traces on decoy) | ❌ | ❌ | ✅ | ✅ |
| Decoy API endpoints (deception endpoints in backend) | ❌ | ❌ | ✅ | ✅ |
| Additional DB columns (monitored structure in MySQL) | ❌ | ❌ | ✅ | ✅ |
| Modified banners and "installed" services | ❌ | ❌ | ❌ | ✅ |
| Forced uninstall of recent installation | ❌ | ❌ | ❌ | ✅ |
| Modified key executables | ❌ | ❌ | ❌ | ✅ |
Example 1 — Start with complete deception
./scripts/startup.sh complete
# Wait for services; then open http://localhost:3000 and http://localhost:5601Example 2 — Access the web portal and Kibana
- Andesfinance Portal:
http://localhost:3000— credentialsadmin/admin123 - Kibana:
http://localhost:5601— use "Discover" for events
Example 3 — Run automated attacks from the attacker container
docker exec -it attacker-tools /bin/bash
cd attack_scripts/
python3 main_attacker.pyExample 4 — Manual command-injection test (from attacker container)
docker exec -it attacker-tools /bin/bash
curl -X POST http://frontend:3000/diagnostics -H "Content-Type: application/json" \
-d '{"system_check": "ping", "target_host": "localhost | hostname"}'Example 5 — Shut down (Windows)
.\scripts\shutdown.batThe attacker container includes recon and attack tools (e.g. nmap, curl, Python scripts) to simulate intrusions. See Usage → Usage examples for commands. From inside the container you can run main_attacker.py for automated attacks or use manual curl/SSH commands against the frontend and SSH honeypot.
The dashboard includes:
- Events by Type: Distribution of event types
- Real-time Activity: Activity timeline
- Source IPs: Top IPs attempting access
- Executed Commands: Most frequent commands
- Detailed Logs: Detailed view of all events
- No deception deployment
✅ SSH Decoy: Captures SSH connection attempts ✅ Fake credentials in users db ✅ Decoy files: Attractive fake documents
✅ Basic + ✅ Activity generator on decoy: Daily usage pattern traces ✅ Decoy API endpoints: Decoy API endpoint ✅ Database structure changes: Additional columns in DB especially monitored
✅ Complete + ✅ Changes in banners and "installed" services ✅ Forced uninstallation of recent installation ✅ Changes in key executables: Specially modified executables
Edit fake-activity/app.py:
# Add new users
USERS = ["alice", "bob", "carol", "new_user"]
# Add new commands
COMMANDS = [
"ls -la",
"cat /etc/passwd",
"new_interesting_command"
]Add to docker-compose.yml:
services:
ssh-honeypot-2:
build: ./ssh-honeypot
ports:
- "2224:22"
# ... rest of configurationModify filebeat/filebeat.yml:
output.elasticsearch:
hosts: ["external-siem:9200"]
# ... additional configuration# View logs from all services
docker-compose logs -f
# View logs from a specific service
docker-compose logs -f ssh-honeypot
docker-compose logs -f fake-activity
docker-compose logs -f filebeat- A Practical Guide to Adversary Engagement
- Honeypot Best Practices
- Design of cyber deception strategies from cyber threat intelligence
Contributions are welcome!
- Fork the project
- Create a branch for your feature
- Commit your changes
- Push to the branch
- Open a Pull Request
This project is under the MIT License. See LICENSE for more details.
- Source: https://github.com/Base4Security/cyberdeception-playground
- Read the Docs: The
docs/folder contains Sphinx source (RST). To build on Read the Docs, import the repository at readthedocs.org; the root.readthedocs.yamlanddocs/conf.pyare already configured.
This tool is for authorized security research and education only. Use only in isolated lab environments. The authors are not responsible for misuse or damage.