Thread: 'Attacker controlled honeypot' Scenario

  1. #1
    Junior Member loop4me's Avatar
    Join Date
    Mar 2008
    Posts
    54

    Default 'Attacker controlled honeypot' Scenario

    Consider this scenario:
    there are two hosts in the LAN. One is an FTP server and it has some interesting data which can be gained with the right FTP access; let's say it's a well-secured Linux-based OS. The other is an XP office box, and the attacker gained access and admin privileges on it remotely, controlling the host through the router that separates the LAN from the outer world.
    The main idea, from the attacker's point of view, is to install the 'attacker controlled honeypot' on the XP box, which is going to imitate the FTP server on the first box.
    So, if the attacker succeeds in fooling the gateway into redirecting all traffic intended for the victim (the real FTP server box) to his pwned XP box, the FTP users will end up connecting to the box pwned by the remote attacker and give their username and pass to the 'attacker controlled honeypot'.

    I'm trying to make this setup in my virtual environment. There are a few things I'm not familiar with, and I will appreciate some tips. The 'honeypot' that has to be planted on the XP box could be a small program like, let's say, netcat, and then its output could be redirected wherever I want, but the screen the honeypot presents should look like an FTP server screen, so I need some kind of 'honeypot-like', easy-to-set-up small program, or something like an msf module (if somebody has written something like this).

    The other way, which is probably the right way, is to write a small program,
    programming winsock to act like an FTP server, store the data, exit on storing the pass buffer and stop the ARP spoofing process, so that the FTP user will be disconnected. And when he tries to connect again he will be redirected, I hope, to the real FTP server.
    I must say that for now I don't have so much time for going into winsock programming.
    So if there is some kind of honeypot right for this purpose...

    I hope that my scenario makes some sense, 'cause if I had time for going through it I would put it in my final exam at my university.

    Every opinion on this is welcome.

  2. #2
    Junior Member
    Join Date
    Jan 2010
    Location
    Canada
    Posts
    84

    Default

    Nice idea, but way too overcomplicated. Simply ARP spoof them so you can read the FTP server's traffic (the passwords are plaintext).

  3. #3
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Three-factor scenario (though you can load ettercap onto the box, and it would be easier):

    1. Redirection to the XP box FTP service, however you want to do it.
    2. Get a copy of FPort.exe (Foundstone - port redirection), set it up to bounce any connections to XP:FTP to Linux:FTP.
    3. Start Wireshark.

    It doesn't cover active FTP coming back, which could be a problem, but if the router is controlling, then it probably isn't and passive will be enough.

    I agree with hitthemlow, just change the ARP tables and ettercap it.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
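    A defender-side counterpart to the ARP redirection both replies above rely on, added here as an example (it is not code from any poster): a small detector that flags an IP whose MAC differs from a known-good table, or one MAC answering ARP for several IPs, which is exactly the footprint the XP box would leave while impersonating the FTP server. All addresses and the reply feed are constructed sample values.

```python
"""Flag ARP-spoof style address hijacking in a feed of ARP replies.

Added example for this thread's scenario, not any poster's code: while the
XP box answers ARP for the FTP server's IP, that IP suddenly maps to the XP
box's MAC and one MAC ends up claiming two IPs. All data below is constructed.
"""
from collections import defaultdict

# Known-good IP -> MAC table (constructed; in practice from DHCP leases or
# a static inventory). All MACs and IPs here are made up for this example.
KNOWN_GOOD = {
    "10.0.0.1": "00:11:22:33:44:01",   # gateway / router
    "10.0.0.10": "00:11:22:33:44:10",  # Linux FTP server
    "10.0.0.20": "00:11:22:33:44:20",  # XP office box
}

# Constructed ARP reply feed: (seconds, sender_ip, sender_mac). The last two
# entries model the XP box's MAC answering for the FTP server and the gateway.
SAMPLE_ARP_REPLIES = [
    (0, "10.0.0.1", "00:11:22:33:44:01"),
    (1, "10.0.0.10", "00:11:22:33:44:10"),
    (2, "10.0.0.20", "00:11:22:33:44:20"),
    (30, "10.0.0.10", "00:11:22:33:44:20"),
    (31, "10.0.0.1", "00:11:22:33:44:20"),
]


def detect_arp_spoof(replies, known_good):
    """Return alert strings for replies that contradict the known-good table
    or that make a single MAC claim more than one IP address."""
    alerts = []
    ips_per_mac = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = known_good.get(ip)
        if expected and mac != expected:
            alerts.append(f"t={ts}: {ip} now claims {mac}, expected {expected}")
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                claimed = sorted(ips_per_mac[mac])
                alerts.append(f"t={ts}: {mac} claims multiple IPs {claimed}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_ARP_REPLIES, KNOWN_GOOD):
        print(line)
```

    On the sample feed the first three replies are clean and the two forged replies each raise a mismatch alert plus a multiple-IP alert.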

  4. #4
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Edit: Not sure how the double post happened. Site lag. If someone wants to delete this one, go ahead.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  5. #5
    Junior Member loop4me's Avatar
    Join Date
    Mar 2008
    Posts
    54

    Default

    Thx for the replies.

    Got the point, but I was thinking that this could be a quieter way; if you are able to automate the whole process, then you don't have to stay connected remotely and make some noisy traffic, examining the packets remotely or something.

    What I had in mind is that the ARP spoof routine could be automated to run at a specific time of day and date, and the 'honeypot' could collect a 'bunch' of users and passes, and then just send them all through port 80 to the attacker's box, or something like that. The problem is that this is gonna be too noisy, 'cause the users would not be able to access the real FTP server then.
    Which makes this even more complicated to set up the right way.
    It's possible, but yes, it is way too overcomplicated, I see now.

  6. #6
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    The ARP spoof isn't going to deny them access; also, I cannot think of a single legitimate use for this.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  7. #7
    Junior Member loop4me's Avatar
    Join Date
    Mar 2008
    Posts
    54

    Default

    I'm trying to make this setup in my virtual environment.
    Also, what's wrong with exercising on different setups when we are talking about security?
    And using BT, whose main page is called 'Offensive Security'.

    Thx again.

  8. #8
    Member cr1spyj0nes's Avatar
    Join Date
    Sep 2008
    Posts
    164

    Default

    I guess this is a start: Security and Networking - Blog - Meterpreter Sniffer Module
    Now we just need an ARP module.
    I would rather be hated for what I am,
    Than loved for what I am not.

  9. #9
    Junior Member loop4me's Avatar
    Join Date
    Mar 2008
    Posts
    54

    Default

    cr1spyj0nes, exactly. That's a good start.

    What I had in mind is that the Scheduleme Meterpreter script can be used, or the Schtaskabuse script, to transfer the capture.cap to the desired location.
    Again, Security and Networking - Blog - Abusing the Scheduler with Meterpreter shows how to do it.

    If I give up on implementing the 'honeypot', which was the main idea but not so efficient, then arpspoof can be scheduled too: uploading some arpspoof program and setting a start time using the msf schedule scripts.
    Which gives me the idea that some cleanup-tracks scripts could be scheduled too.
    Oh, msf is a fountain of opportunities.
