setting up a honeypot
computathug
that's what we have done but there must be more to it than that surely
bad_brain wrote:
thuuuuggyyyy....it's Debian, no need to mess around with source files when official packages available...
http://www.us.debian.org/distrib/packag ... h_packages
enter honeyd and voila.....so all you need to do to install is:
apt-get install honeyd
how do we configure add fake ip etc
thug, i got a little status report from tonights experimenting ^^
apparently arpd is being an asshole so no use trying with it...
BUT... install farpd....seems to work, apt-get install farpd
also i found a lot of good options with honeyd -help
the config files and nmap prints can be found in /etc/honeypot
The only problem is that when i tried to bind 10.0.0.1 and then ping it....my fucking ISP answered to the ping =| which is making me worry atm xD
i will continue tonight though and i will try to bind using another range (192.168.0.100-120)
EDIT: ok so i managed to find all the files, but i still can't get it to bind, well at least not answer to ping on the bind address....
EDIT2: time is 00:38 and i just got the bound address to respond to ping, but scanning it with nmap gives no result....will continue to play around though
"The best place to hide a tree, is in a forest"
Success!!!
farpd -d 192.168.0.101
honeyd -p nmap.prints -x xprobe2.conf -a nmap.assoc -0 pf.os -f honeyd.conf -d
it didn't work with using log files for me, im having a permission problem atm =P
The only way i could scan the comp was with using nmap -sT -P0 for some reason....nothing else works...so some issues still remain, but i made a great step tonight
EDIT: i found a solution to the nmap scan problem, farpd has to be patched, i will do that MAYBE tonight and see if it works, anyway read about the solution here http://www.honeyd.org/phpBB2/viewtopic.php?t=473
computathug
as requested, here is my config ^^ only have one fake IP with a few ports as a test
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows uptime 1728650
set windows maxfds 35
add windows tcp port 139 open
add windows tcp port 137 open
add windows udp port 137 open
add windows udp port 135 open
set windows default tcp action reset
set windows default udp action reset
bind 192.168.0.101 windows
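As an added example (not code from anyone in this thread), a small Python linter for a honeyd.conf of the kind posted above: it checks that every bind points at a created template, that the template was given a personality (otherwise nmap gets no OS fingerprint to match), that no tcp/udp port is listed twice, and that no template is left unbound. The grammar it understands is assumed from the posted config (create / set personality / add port / bind), not taken from the honeyd manual.

```python
import shlex

# Constructed sample: the single-template config posted earlier in this thread.
SAMPLE_CONF = """\
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows uptime 1728650
set windows maxfds 35
add windows tcp port 139 open
add windows tcp port 137 open
add windows udp port 137 open
add windows udp port 135 open
set windows default tcp action reset
set windows default udp action reset
bind 192.168.0.101 windows
"""

def lint_honeyd_conf(text):
    """Return a list of problems; an empty list means the templates and binds are consistent."""
    templates = {}  # name -> {"personality": str or None, "ports": set of (proto, port)}
    bound, problems = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw.split("#", 1)[0])  # drop comments, keep quoted personality intact
        if not tok:
            continue
        verb, args = tok[0], tok[1:]
        if verb == "create" and len(args) == 1:
            if args[0] in templates:
                problems.append(f"line {lineno}: template {args[0]} created twice")
            templates[args[0]] = {"personality": None, "ports": set()}
        elif verb in ("set", "add") and args and args[0] not in templates:
            problems.append(f"line {lineno}: {verb} on undefined template {args[0]}")
        elif verb == "set" and len(args) >= 3 and args[1] == "personality":
            templates[args[0]]["personality"] = args[2]
        elif verb == "add" and len(args) == 5 and args[1] in ("tcp", "udp") and args[2] == "port":
            proto, port = args[1], args[3]
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                problems.append(f"line {lineno}: bad port number {port!r}")
            elif (proto, int(port)) in templates[args[0]]["ports"]:
                problems.append(f"line {lineno}: duplicate {proto}/{port} on {args[0]}")
            else:
                templates[args[0]]["ports"].add((proto, int(port)))
        elif verb == "bind" and len(args) == 2:
            if args[1] not in templates:
                problems.append(f"line {lineno}: bind to undefined template {args[1]}")
            elif templates[args[1]]["personality"] is None:
                problems.append(f"line {lineno}: {args[1]} bound without a personality")
            bound.add(args[1])
    problems += [f"template {t} is never bound to an address" for t in templates if t not in bound]
    return problems
```

Run it over the file before starting honeyd; the posted config comes back clean, while a bind to a misspelled template name is reported with its line number.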
computathug
Re: setting up a honeypot
Honeyd Is good I do like it i myself believe it or not was experimenting with it the other day.
But my question to you guys are what exactly are you looking to get out of this?
Me: I had someone do a port scan on my system about 4 days ago and their scans showed up false ports, don't know how it happened but it did, which lead me to thinking huh i wonder how many other idiots out there would scan this system for ports.
* thinking thinking thinking *** LIGHT BULB ****** *
So i figured setting up a honey pot for some basic ports and believe it or not 2 days later i already got a couple scans of people hitting my box
Now are you doing this just for in general? or just for the hell of it lol
Re: setting up a honeypot
your honeypot would be considered more of a flytrap - you set your honey pot to listen to anyone scanning on your IP range and log it.
A honeypot is meant to be a trap with a detailed bait - like a file in a certain directory. The idea of the honeypot is to allow a skilled hacker to make many overt acts (evidence of intent to commit a crime), penetration, raiding of files, placing fake admins or backdoors - and log it. This is a specific trap set to catch a hacker - attacking a specific OS or network.
If I knew of a hacker repeatedly trying to get into my network and being hard to find, I would set a honeypot server on my network. The attacker would think I just put a mirror or backup server on my network when he sees it suddenly pop up in an IP range scan. The honeypot would contact me when my target arrives and help keep the guy busy while I track him - all the while - he is on a bogus server that looks like it holds much legitimate data.
If you are unable to track the intruder you can at least confine him to that server and waste his time.
Some people say honeypots are unethical - that it is entrapment - but really it's up to the intruder to use and complete exploitation on a weakly protected server. How far they get into the honeypot shows their skill and intent.
DNR
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
Re: setting up a honeypot
update:
Protecting SCADA Systems Through Honeypots
http://it.toolbox.com/blogs/securitymon ... pots-42792
" Does one really want to wait around until actual attacks are executed against the real systems to learn about attackers and their methods? Probably not.
John Strand produced an excellent little tutorial on setting up a SCADA honeypot for just this purpose a few years ago - attract, record and learn.
In this video, John walks you through a honeyd SCADA setup:
(see link)
"Placing this type of a honeypot on an externally facing network that is many layers away from your actual SCADA systems can provide you with some valuable intelligence:
WHO is interested in your SCADA systems.
WHAT their cyber attack capabilities are.
WHERE they plan on attacking.
HOW they plan on attacking (scripts, input manipulation, brute force, etc)
and possibly... WHY they are interested in your systems.
Read more about this project"
http://scadahoneynet.sourceforge.net/
SCADA HoneyNet Project: Building Honeypots for Industrial Networks
DNR
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.