resin

Deploy realistic network services that trap attackers and deliver every interaction to your webhook as JSON.

How it works

Deploy

Single docker compose up -d. One environment variable for your webhook URL. No agents, no cloud dependencies.

Attract

8 realistic services respond with proper protocol handshakes, banners, and error messages. Indistinguishable from real targets.

Capture

Every connection, login attempt, command, and credential gets logged with source IP, MAC address, and full payload data.

Deliver

Events batch every 30 seconds into a single JSON POST to your webhook. Failed deliveries retry automatically.

Device persona: From the network, resin looks like a Siemens DESIGO CC building automation controller - a high-value target that attracts lateral movement, credential spraying, and enumeration attempts.

Trapped services

| Port | Protocol | Banner | Captures |
|---|---|---|---|
| 21 | FTP | vsFTPd 3.0.5 | Credentials, directory listing attempts |
| 22 | SSH | OpenSSH 8.9p1 | Usernames, passwords, key attempts |
| 80/443 | HTTP/S | Siemens DESIGO CC v5.0 | Login credentials, request paths, user agents |
| 445 | SMB | SMB 3.1.1 | NTLMv2 hashes, domain names, workstations |
| 161/udp | SNMP | Siemens building controller | Community strings, queried OIDs |
| 3306 | MySQL | MariaDB 10.11.6 | Usernames, auth packets |
| 6379 | Redis | Redis 7.2.4 | AUTH passwords, commands |

Three commands to deploy

git clone https://github.com/evait-security/resin.git && cd resin
echo "WEBHOOK_URL=https://your-endpoint.example.com/hook" > .env
docker compose up -d

Under the hood

Runtime: Single process
Concurrency: asyncio
Storage: PostgreSQL
DB Connection: Unix socket
Network: Host mode
Dashboard: localhost:1337

No passwords anywhere

PostgreSQL connects via Unix socket with peer auth. No TCP, no credentials to manage or leak.

MAC address capture

Host network mode gives direct access to the ARP table - every event includes the attacker's hardware address when on the same L2 segment.

Non-root container

Runs as unprivileged user with only CAP_NET_BIND_SERVICE. Limits blast radius if a service is compromised.

Webhook payload

{
  "source": "resin",
  "dispatched_at": "2026-05-26T14:30:00+00:00",
  "count": 2,
  "events": [
    {
      "service": "ssh",
      "source_ip": "192.168.1.100",
      "mac_address": "aa:bb:cc:dd:ee:ff",
      "action": "login_attempt",
      "username": "root",
      "password": "toor",
      "timestamp": "2026-05-26T14:29:45.123Z"
    }
  ]
}
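
A receiving-side sketch for the batch above, added here as an example and not code from the resin project: it groups events by source IP, lists sources that carry a MAC address (same L2 segment as the sensor) first, and counts captured passwords without copying them into the alert. The names `summarize` and `Hook`, the `--serve` flag, the listen address, and the treatment of a null or absent `mac_address` as "off-segment" are assumptions.

```python
import json
import sys
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample batch in the page's payload shape; the second source has no MAC.
SAMPLE = {"source": "resin", "dispatched_at": "2026-05-26T14:30:00+00:00", "count": 2, "events": [
    {"service": "ssh", "source_ip": "192.168.1.100", "mac_address": "aa:bb:cc:dd:ee:ff",
     "action": "login_attempt", "username": "root", "password": "toor",
     "timestamp": "2026-05-26T14:29:45.123Z"},
    {"service": "ssh", "source_ip": "203.0.113.9", "mac_address": None,
     "action": "login_attempt", "username": "admin", "password": "hunter2",
     "timestamp": "2026-05-26T14:29:51.004Z"},
]}

def summarize(batch):
    """Group a batch by source IP, on-segment sources first; passwords are counted, never copied."""
    if batch.get("source") != "resin" or not isinstance(batch.get("events"), list):
        raise ValueError("not a resin batch")
    hosts = defaultdict(lambda: {"mac": None, "events": 0, "services": set(),
                                 "usernames": set(), "passwords": 0})
    for ev in batch["events"]:
        h = hosts[ev.get("source_ip")]
        h["mac"] = ev.get("mac_address") or h["mac"]  # assumption: null/absent when off-segment
        h["events"] += 1
        h["services"].add(ev.get("service") or "unknown")
        h["usernames"].update(filter(None, [ev.get("username")]))
        h["passwords"] += bool(ev.get("password"))
    rows = [{"source_ip": ip, "mac_address": h["mac"], "on_segment": h["mac"] is not None,
             "events": h["events"], "services": sorted(h["services"]),
             "usernames": sorted(h["usernames"]), "passwords_seen": h["passwords"]}
            for ip, h in hosts.items()]
    return sorted(rows, key=lambda r: (not r["on_segment"], r["source_ip"] or ""))

class Hook(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            for row in summarize(json.loads(body)):
                print(json.dumps(row))  # hand off to the SIEM or pager here
            self.send_response(204)
        except (ValueError, TypeError, AttributeError):  # bad JSON or wrong shape
            self.send_response(400)
        self.end_headers()

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))  # offline demo on the constructed batch
    if "--serve" in sys.argv:  # hypothetical flag and listen address
        HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```

Captured passwords can be real credentials harvested elsewhere, so the summary keeps only a count; the full values stay in the original batch.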