jammmie999 Posted December 10, 2010 Posted December 10, 2010 Hello Guys, Can any of you point me in the right direction of setting up a honeypot on my network, any tutorials, videos, software etc would be greatly appreciated. Thanks Quote
digininja Posted December 10, 2010 Posted December 10, 2010 I can't off hand but I would suggest making sure you do a lot of research on this before doing it. Every extra thing you put on your network increases the attack surface and if you put on a honeypot and get it wrong you could end up deliberately putting a huge hole into your network. Quote
digip Posted December 10, 2010 Posted December 10, 2010 Yeah, i've been waiting to see Hak5 do a segment on this and suggested it like 2 years ago. My main thing woul dbe to use a VM and then either XP pre SP1, or even an older apache server that is known to have flaws. you will want to deliberately leave some hole open, but don't make anything obvious that it is a honeypot. One such progject, http://www.projecthoneypot.org/about_us.php offers software you can install to catch spammers. Thats just one example of what can be done. Honeynet offers some papers on things pertaining to honeypots: http://www.honeynet.org/papers Another article on how to set one up: http://www.oreillynet.com/pub/a/sysadmin/2006/09/28/honeypots.html I beleive is FreeBSD based, but coudl probably be done in lunix, just not with the exact same libraries for obvious reasons unix vs linux. Quote
digininja Posted December 10, 2010 Posted December 10, 2010 If you did an XP version what would you use it for? Would you want to try to collect tools from it, monitor and learn techniques, try to back trace the attackers? On a recent Exotic Liability podcast they talked about deploying honeypots inside networks to detect attacks and malware trying to escape or probe other systems. Quote
Infiltrator Posted December 11, 2010 Posted December 11, 2010 When deploying a honeypot, you want to ensure that it does not make any direct connection back into your network, or the attacker will use this weakness to exploit your network. You want to ensure that the attacker stays inside that box, so securing the box will be very important. There are a few websites that, sort of walk you through the whole process of deploying a honeypot, I would also recommend watching their videos, they should give you more ideas. www.irongeek.com www.pauldotcom.com Quote
digip Posted December 11, 2010 Posted December 11, 2010 (edited) If you did an XP version what would you use it for? Would you want to try to collect tools from it, monitor and learn techniques, try to back trace the attackers? On a recent Exotic Liability podcast they talked about deploying honeypots inside networks to detect attacks and malware trying to escape or probe other systems. Purely for learning, in my case, what they did to get in, how they get in, what they changed, installed, etc. I've not actually done this yet, but I want to. I'd like a way to take a snapshot, and then compare changes made to the system, like what was done to the registry, back doors, etc. Even gather the programs they installed and where they report to. My website used to get attacked pretty regularly, but luckily never was compromised. Not that it couldn't be done, but I've been lucky enough not to be vulnerable to the attacks in question. Most of the people try RFI attacks, and then move on when nothing gives up the ghost. I've been able to examine error logs and trace them back up the chain in a lot of cases, all the way to the IRC servers they use for their BOT nets, but I have no clue how to control the bot or access its commands, just sit in the channel and watch stuff come across the screen, as it reports sites it found, the links, vuln, etc. I imagine BOT net owners probably already do something similar as a means to take over other botnets, and then use them for themselves, but that is not my intent. Purely academic and curiosity from my standpoint, but I can see where using this even as mentioned on Exotic Liability, in the enterprise network, to capture whats on your corporate lan would be useful. We had a few outbreaks where I used to work. The I Love You Virus, Melissa, and Blaster Worm were 3 I recall getting into the network, but only effecting a small portion of desktops and older windows servers from the lab. It was contained within the first few hours, but took weeks to comb through everything to make sure it hadn't been able to spread. Something I think a honeypot would have helped with had they implemented their own on the network to capture attacks on the lan. Edited December 11, 2010 by digip Quote
Infiltrator Posted December 11, 2010 Posted December 11, 2010 Purely for learning, in my case, what they did to get in, how they get in, what they changed, installed, etc. I've not actually done this yet, but I want to. I'd like a way to take a snapshot, and then compare changes made to the system, like what was done to the registry, back doors, etc. Even gather the programs they installed and where they report to. Same here, I haven't actually deployed one yet, but it would certainly be a very useful tool to deploy and also to help us understand, the techniques and methods used to break into a system. And from that, to learn what they do once they have compromised a system. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.