Quick Start
anti edited this page 2026-04-18 06:03:27 -04:00

Shortest path from a fresh clone to seeing attacker events roll in. For the full install walkthrough (venv, extras, uninstall) see Installation. For supported interpreters see Requirements and Python Versions.

1. Clone

git clone https://git.resacachile.cl/anti/DECNET
cd DECNET

2. Install

pip install -e .

This registers the decnet console script and auto-discovers all built-in honeypot service plugins.

3. List what is available

decnet services      # all 25 registered honeypot services, with ports and images
decnet archetypes    # machine identity profiles (windows-workstation, linux-server, ...)
decnet distros       # OS distro profiles (debian, ubuntu22, rocky9, alpine, ...)

If decnet services prints a table, you are good to go.

4. Dry run — generate compose, no containers

A dry run writes the docker-compose.yml without starting anything. Use it to confirm the shape of the deployment before putting interfaces into MACVLAN mode.

decnet deploy --mode unihost --deckies 3 --randomize-services --dry-run

5. Full deploy

MACVLAN (and IPvlan) require root. The host NIC is auto-detected, but you can pin it with --interface.

sudo decnet deploy --mode unihost --deckies 5 --interface eth0 --randomize-services

On WiFi (or any NIC whose upstream filters unknown MACs) pass --ipvlan:

sudo decnet deploy --mode unihost --deckies 3 --interface wlp6s0 --ipvlan --randomize-services

To forward every attacker interaction off-box as RFC 5424 syslog:

sudo decnet deploy --mode unihost --deckies 3 --services ssh,smb --log-target 192.168.1.5:5140

See Networking for driver selection and Environment Variables for persistent configuration.

6. Check status

decnet status

Prints a table of every deployed decky with its IP, hostname, services, and container state.

7. First event

Pick any decky IP from decnet status and hit a service. For example:

ssh root@192.168.1.110          # will be captured by the SSH honeypot
nmap -sV 192.168.1.110          # every probed port logs a banner hit

If you passed --log-target, your syslog collector receives an RFC 5424 line for the interaction. If not, the events are captured inside each service container's stdout and (optionally) the bind-mounted log file from --log-file.
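To check what actually arrives at the collector, the following parser splits an RFC 5424 line into its header fields and structured data. It is an added example, not DECNET's own code; the sample line, the SD-ID decnet@55555 and the field names are constructed assumptions, since this page does not show DECNET's event layout.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
# SD-PARAM: name="value", where the value may contain \" \\ and \] escapes
SD_PARAM = re.compile(r'([^\s="\]]+)="((?:\\.|[^"\\\]])*)"')
UNESCAPE = re.compile(r'\\(["\\\]])')

# Constructed sample: the SD-ID, field names and values are assumptions,
# not DECNET's documented output.
SAMPLE = (r'<134>1 2026-04-18T10:03:27.123Z decky-01 ssh - login_attempt '
          r'[decnet@55555 src_ip="192.168.1.50" username="root" '
          r'password="p\"w\]1"] failed login')


def parse_structured_data(text):
    """Split leading STRUCTURED-DATA off text; return (elements, msg)."""
    elements, pos = {}, 0
    if text.startswith("-"):  # NILVALUE: no structured data
        pos = 1
    while pos < len(text) and text[pos] == "[":
        end = pos + 1
        # Attacker-supplied values may contain ']'; only an unescaped one closes.
        while end < len(text) and text[end] != "]":
            end += 2 if text[end] == "\\" else 1
        if end >= len(text):
            raise ValueError("unterminated SD-ELEMENT")
        sd_id, _, params = text[pos + 1:end].partition(" ")
        elements[sd_id] = {k: UNESCAPE.sub(r"\1", v)
                           for k, v in SD_PARAM.findall(params)}
        pos = end + 1
    rest = text[pos:]
    return elements, rest[1:] if rest.startswith(" ") else rest


def parse_rfc5424(line):
    """Parse one RFC 5424 line into a dict; raise ValueError if malformed."""
    m = HEADER.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 5424 line")
    pri = int(m.group(1))
    sd, msg = parse_structured_data(line[m.end():])
    keys = ("timestamp", "hostname", "app", "procid", "msgid")
    event = dict(zip(keys, m.groups()[2:]))
    event.update(facility=pri >> 3, severity=pri & 7, sd=sd, msg=msg)
    return event


if __name__ == "__main__":
    print(parse_rfc5424(SAMPLE))
```

Values such as usernames and passwords are attacker-controlled, so treat every parsed field as untrusted when it is stored or rendered downstream.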

8. Tear down

sudo decnet teardown --all            # remove every decky and the MACVLAN network
sudo decnet teardown --id decky-01    # stop and remove a single decky

Next

  • Config File — pin IPs, set per-service personas, use archetype pools.
  • Services — the 25 built-in honeypots and their tunables.
  • Archetypes — one-slug identities that set services + OS fingerprint.
  • OS Fingerprint Spoofing — make nmap -O report the OS you want.