A self-evolving honeypot system for WiFi security monitoring and attack detection.
Potsticker combines WiFi attack detection with adaptive honeypot technology. When attacks are detected, the system dynamically generates deceptive services using an LLM to lure and study attackers.
```
potsticker/
├── wifi/   # WiFi attack detection and monitoring
├── pots/   # Honeypot Flask server (containerized)
├── ai/     # LLM-powered honeypot evolution
```

- Real-time detection of deauthentication attacks and WPS brute force attempts
- AI-generated Flask servers with fake credentials, XSS vulnerabilities, and simulated command injection
- Web dashboard for monitoring and controlling detection systems
- Serial communication with FreeWilie board for creating decoy WiFi networks
- Docker-based honeypot services for isolation
Real-time detection of wireless attacks using Scapy packet sniffing.
| File | Description |
|---|---|
| `wifi.py` | Main WiFiMonitor class with threaded detection for deauth/WPS attacks |
| `detect_deauth.py` | Detects deauthentication floods (threshold: 10 packets/5 seconds) |
| `detect_wps_bf.py` | Detects WPS PIN brute force via EAPOL packet analysis |
| `web_server.py` | Flask web interface (port 6767) with REST API for control |
| `scap.py` | Low-level packet handler for debugging deauth/EAPOL packets |
| `trigger_attacks.py` | Test utility to simulate attacks for detection validation |

When an attack is detected:
- Detection triggers callback
- Creates decoy WiFi network via serial (FreeWilie board)
- Connects monitoring system to honeypot network
- Logs attacker activity
Usage:
```bash
cd wifi
pip install -r requirements.txt
sudo python wifi.py <interface>   # CLI mode
sudo python web_server.py         # Web interface at http://localhost:6767
```

Containerized Flask server designed to attract and log attacker reconnaissance.

| File | Description |
|---|---|
| `main.py` | Base Flask server with access logging |
| `temptation.py` | Enhanced honeypot with fake creds, XSS, command injection simulation |
| `access_log.txt` | Logs all endpoint access with IP/timestamp |
| `Dockerfile` | Python 3.11 slim container configuration |
| `docker-compose.yaml` | Service definition exposing port 3000 |

Possible Honeypot endpoints:
- `/robots.txt` — Reveals "disallowed" sensitive paths
- `/passwords` — Fake credentials JSON
- `/admin`, `/wp-admin` — Fake login portals
- `/search?q=` — Reflected XSS vulnerability
- `/ping?host=` — Simulated command injection
- `/api/v1/secrets` — Fake AWS keys and config

Deployment:
```bash
cd pots
docker-compose up -d
# Access at http://localhost:3000
```

Uses Google Gemini to analyze access logs and generate new honeypot configurations.

| File | Description |
|---|---|
| `main.py` | CLI tool to query Gemini with file context |
| `prompts/flask_gen.md` | System prompt for generating Flask honeypot code |

How it works:
- Reads honeypot access logs
- Sends logs and template to Gemini
- LLM generates new Flask server with additional lures based on attacker behavior
- Outputs deployable Python code
Usage:
```bash
cd ai
export GEMINI_API_KEY="your-key"
uv run main.py <template.py> <access_log.txt> <prompt.md> [output.py]
```

- Python 3.11+
- Docker and Docker Compose
- Root/sudo access (for packet sniffing)
- Scapy-compatible network interface
- (Optional) FreeWilie board for decoy network creation

```bash
# Clone the repository
git clone <repo-url> && cd potsticker
# WiFi monitoring
cd wifi && pip install -r requirements.txt
# Honeypot (Docker)
cd ../pots && docker-compose up -d
# AI module
cd ../ai && pip install google-genai python-dotenv
```

Terminal 1 — Start honeypot:

```bash
cd pots && docker-compose up
```

Terminal 2 — Start WiFi monitoring web interface:

```bash
cd wifi && sudo python web_server.py
```

Terminal 3 — (Optional) Simulate attacks for testing:

```bash
cd wifi && sudo python trigger_attacks.py <interface>
```

| Component | Port | Config File |
|---|---|---|
| WiFi Web UI | 6767 | wifi/web_server.py |
| Honeypot | 3000 | pots/docker-compose.yaml |
| Serial (FreeWilie) | COM3 | wifi/web_server.py |

```bash
# For AI module
GEMINI_API_KEY=your-google-genai-api-key
```

| Attack Type | Packets | Time Window | Cooldown |
|---|---|---|---|
| Deauthentication | 10+ | 5 seconds | 30 seconds |
| WPS Brute Force | 10+ | 5 seconds | 30 seconds |
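
The thresholds in the table above (10 or more frames within 5 seconds, then a 30-second cooldown) amount to a sliding-window counter with alert suppression. The following is an added example, not Potsticker's own code: it runs on constructed `(timestamp, kind, bssid)` tuples instead of live Scapy captures, and the `FloodDetector` class, the per-BSSID keying and the sample data are assumptions.

```python
from collections import defaultdict, deque

# Values taken from the thresholds table; the names are this example's own.
THRESHOLD = 10    # frames needed inside the window
WINDOW = 5.0      # seconds
COOLDOWN = 30.0   # seconds of alert suppression after an alert


class FloodDetector:
    """Sliding-window counter keyed by (attack kind, target BSSID)."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, cooldown=COOLDOWN):
        self.threshold, self.window, self.cooldown = threshold, window, cooldown
        self.events = defaultdict(deque)  # key -> timestamps still in the window
        self.last_alert = {}              # key -> timestamp of the last alert

    def observe(self, kind, bssid, ts):
        """Record one frame; return True if it raises a new alert."""
        key = (kind, bssid)
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > self.window:    # evict frames older than the window
            q.popleft()
        if len(q) < self.threshold:
            return False
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.cooldown:
            return False                  # still cooling down: count, don't alert
        self.last_alert[key] = ts
        return True


def run(frames):
    """Feed (ts, kind, bssid) tuples in time order; return the alerting frames."""
    det = FloodDetector()
    return [(ts, k, b) for ts, k, b in frames if det.observe(k, b, ts)]


AP1, AP2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # constructed BSSIDs
# Constructed sample traffic (timestamps in seconds):
SAMPLE = (
    [(i * 2.0, "deauth", AP1) for i in range(5)]           # slow background, no alert
    + [(20.0 + i * 0.1, "deauth", AP1) for i in range(30)]  # flood: one alert
    + [(40.0 + i * 0.1, "deauth", AP1) for i in range(15)]  # inside cooldown: muted
    + [(55.0 + i * 0.1, "deauth", AP1) for i in range(10)]  # cooldown over: alert
    + [(60.0 + i * 0.1, "wps", AP2) for i in range(12)]     # separate key: alert
)

if __name__ == "__main__":
    for ts, kind, bssid in run(SAMPLE):
        print(f"{ts:6.1f}s  {kind:<6} flood against {bssid}")
```

The second burst at 40 s is still counted but raises no alert, so a honeypot callback wired to `observe` would fire once per cooldown period and not once per frame.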
This tool is intended for authorized security testing only. Sending deauthentication packets or monitoring networks without explicit permission is illegal in most jurisdictions. Use only on networks you own or have written authorization to test.