Honeypot learning


digitalnull

I want to get a honeypot set up on my DMZ to observe the different styles of hacks...

My question: what is the best way to log and monitor it without giving away its identity or having the logs and reports of the hacks deleted?

Anything else I'm missing?

Thanks,

Digitalnull

Search for the Honey Net project and read everything they have. By putting up a honeypot you are deliberately inviting attackers into your network, and it isn't something you want to do lightly, as once they are in they will very likely try to get in further; unless you are 100% sure of the security of the rest of your network, you will get hammered. Also consider what your ISP and local law enforcement will say if they get into your box and then use that as a pivot point to attack others.

If you really want to do it then I'd suggest investing in a throw away VPS with a capped charge each month and full remote reset/wipe functionality, that way if they take it over and start using it as a staging post for downloading things you don't get hit with excess bandwidth charges and when they lock you out you can get back in.

Basically, unless you really know what you are doing with honeypots stay well away. I can't name any off the top of my head but there are groups out there (probably the Honey Net Project) who release data their devices have captured, that is probably a better starting point.

@digininja What do they (the law enforcers) say to all the people who run open wifi home networks without any security? What did they say to Michael Jackson when they found his computer full of child porno and backdoor trojans? Think! digitalnull is out to experiment and monitor the area using a honeypot in the DMZ zone on his network. An attacker cannot see or traverse the DMZ unless the system/honeypot is insecure, which I doubt. He can probably use any old distro and watch it using wireshark. Most VoIP adapters are usually set in the DMZ, especially for FIOS and DSL users who are NAT'd. Do you hear of security breaches from VoIP companies? I think he's smart enough to know when to pull the cord...

@digininja What do they (the law enforcers) say to all the people who run open wifi home networks without any security?

They don't say anything to people who run them but if they are identified as causing malicious traffic then they can get involved. I know of quite a few instances where people have had devices seized by police because they were implicated in things due to attacks originating from their devices. Even if the police come and just interview you, or worse acknowledge that you are innocent but take your devices for forensics, it is a pain that most people wouldn't want to go through.

What did they say to Michael Jackson when they found his computer full of child porno and backdoor trojans? Think! digitalnull is out to experiment and monitor the area using a honeypot in the DMZ zone on his network. An attacker cannot see or traverse the DMZ unless the system/honeypot is insecure, which I doubt. He can probably use any old distro and watch it using wireshark.

Not sure what point you are trying to make about Jackson; didn't they put a lot of effort into investigating him?

The whole point of honeypots is that they are insecure; if they were secure then people couldn't break into them. You are basically inviting an attacker on to your network and saying "come play". If you are deploying a honeypot correctly then you are doing a lot more than watching it with wireshark. If that is all you do, you won't see much of what is going on; you need to have full system monitoring watching all file access and process creation as well as network traffic.

And as for routing back into the DMZ, what device is being used to create the DMZ? Do you trust your ISP-provided router to properly implement the DMZ and to not have any vulnerabilities which would allow traversal? I know of a good handful of devices which, once you are on the inside of them, you can then own quite easily.

Do you hear of security breaches from VoIP companies? I think he's smart enough to know when to pull the cord...

Yes, I've been on teams that have investigated tens of thousands of pounds of loss caused by VOIP breaches.

And as to whether digitalnull is smart enough to know when to pull the cord, in all honesty, without meeting with him I have no idea. I gave my opinion. There is no way I would run a honeypot on any system of mine which was connected to anything I care about. Running one takes a lot of effort to monitor it and keep on top of it, and so unless you shut it down every time you leave the keyboard you don't know what is going on on it. So even if you do know when to pull the cord, if you turn it on, then go off to work and come home 8 hours later, that is 8 hours of potential damage to someone's system, be that your own or someone else's who got attacked from your device.
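The original question asked how to keep the honeypot's logs from being deleted, and the reply above lists what has to be recorded (file access, process creation, network traffic). The example below is added to this thread and is not code from either poster; it shows the usual defensive answer to the deletion problem: ship every event off the honeypot the moment it happens to a collector on a separate host, let the collector (never the honeypot) assign sequence checks and a hash chain, and treat any gap in the sequence as a sign that the sensor was stopped or tampered with. The sensor name `hp-dmz-01`, the in-memory transport and the sample events are all constructed for this illustration; a real deployment would put a network socket (for example syslog over TLS to a host outside the DMZ) behind the `send` callback.

```python
"""Off-box, tamper-evident event logging for a honeypot (illustrative).

Design: nothing on the honeypot is trusted. The Shipper just numbers events
and pushes them off-host immediately. The Collector, on a separate machine,
stores what arrives append-only, detects sequence gaps (a suppressed or
killed sensor) and hash-chains its own store so later edits are detectable.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample events of the three kinds the thread says a honeypot
# must record: network traffic, process creation and file access.
# Addresses and paths here are made up for the example.
SAMPLE_EVENTS = [
    {"kind": "net", "src": "203.0.113.7", "dport": 22, "proto": "tcp"},
    {"kind": "proc", "exe": "/usr/bin/wget", "argv": ["wget", "http://example.invalid/x.sh"]},
    {"kind": "file", "path": "/var/log/auth.log", "op": "unlink"},
]

CHAIN_ANCHOR = "0" * 64  # starting "previous digest" for the hash chain


class Shipper:
    """Honeypot side: number each event and push it off-box right away.

    An attacker with root can stop this or forge lines, so it carries no
    secrets and makes no integrity claims; its only job is to get each line
    off the host before local logs can be wiped.
    """

    def __init__(self, send: Callable[[bytes], None], sensor_id: str):
        self.send = send            # transport callback (socket in real use)
        self.sensor_id = sensor_id  # hypothetical sensor name
        self.seq = 0

    def emit(self, event: dict) -> bytes:
        self.seq += 1
        record = {"sensor": self.sensor_id, "seq": self.seq, "event": event}
        line = json.dumps(record, sort_keys=True).encode() + b"\n"
        self.send(line)
        return line


@dataclass
class Entry:
    seq: int
    received_at: float  # collector's own clock, not the honeypot's
    line: bytes
    digest: str


class Collector:
    """Collector side (separate host): append-only, hash-chained store."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []
        self.gaps: List[Tuple[int, int]] = []  # (expected_seq, got_seq)
        self.prev = CHAIN_ANCHOR

    def receive(self, line: bytes) -> Entry:
        record = json.loads(line)
        expected = self.entries[-1].seq + 1 if self.entries else 1
        if record["seq"] != expected:
            # Missing or out-of-order line: the sensor was stopped, throttled
            # or replaced. Record it; never silently renumber.
            self.gaps.append((expected, record["seq"]))
        digest = hashlib.sha256(self.prev.encode() + line).hexdigest()
        entry = Entry(record["seq"], time.time(), line, digest)
        self.entries.append(entry)
        self.prev = digest
        return entry

    def verify(self) -> Optional[int]:
        """Recompute the chain; return the index of the first bad entry, or None."""
        prev = CHAIN_ANCHOR
        for i, e in enumerate(self.entries):
            d = hashlib.sha256(prev.encode() + e.line).hexdigest()
            if d != e.digest:
                return i
            prev = d
        return None


def ship_sample(drop_seq: Optional[int] = None) -> Collector:
    """Run SAMPLE_EVENTS through an in-memory transport.

    drop_seq simulates one line never reaching the collector (sensor killed,
    packet lost) so the gap detection can be seen.
    """
    collector = Collector()

    def transport(line: bytes) -> None:
        if drop_seq is not None and json.loads(line)["seq"] == drop_seq:
            return
        collector.receive(line)

    shipper = Shipper(transport, "hp-dmz-01")
    for ev in SAMPLE_EVENTS:
        shipper.emit(ev)
    return collector


if __name__ == "__main__":
    ok = ship_sample()
    print("entries:", len(ok.entries), "gaps:", ok.gaps, "chain ok:", ok.verify() is None)
    lossy = ship_sample(drop_seq=2)
    print("with seq 2 dropped -> gaps:", lossy.gaps)
```

The point of the split is that deleting `/var/log` on the honeypot achieves nothing once the line has left the box, and the collector's gap list is itself a detection signal: a sensor that goes quiet mid-session is as interesting as one that keeps talking. Keep the collector unreachable from the honeypot except for the one inbound log channel, so a compromised honeypot cannot reach back and edit the store.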
