Page 1 of 7, results 1 to 10 of 63

Thread: honeypots .. any experience?

  1. #1
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    honeypots .. any experience?

    I've been thinking about setting up one or two old computers as a little honeypot and was wondering if anyone here had any experience or could point me in the right direction.

    I know of several tools (honeywall, honeyd, etc.) to use to get me started, but I haven't managed to find any good information on how to implement these and get started.

    So far I have a spare Lenovo T42, an old desktop computer and an ISP that gives me five public IPs, but no knowledge :P

    So if anyone has any good links for me: articles, projects, wiki sites or whatever, I would be grateful if you could post them.

  2. #2
    Member
    Join Date
    Aug 2007
    Posts
    468

    Here is a pre-built VMware Honeyd on Fedora 7 to get you started:

    http://www.vmware.com/appliances/directory/1231

    Also, I know it's not a honeypot, but have a look at B.A.S.E and OSSIM; there was a long thread on here about it ~3-4 months ago. They are IDS systems and you could place them in front of your honeypot system.
    Quote Originally Posted by cormega
    I've been thinking about setting up one or two old computers as a little honeypot and was wondering if anyone here had any experience or could point me in the right direction.

    I know of several tools (honeywall, honeyd, etc.) to use to get me started, but I haven't managed to find any good information on how to implement these and get started.

    So far I have a spare Lenovo T42, an old desktop computer and an ISP that gives me five public IPs, but no knowledge :P

    So if anyone has any good links for me: articles, projects, wiki sites or whatever, I would be grateful if you could post them.

  3. #3
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Thank you, sir! That looks like just the thing I need right now!

    Gonna check out the other things you mentioned too and give some feedback in this thread.

  4. #4
    Junior Member the_rooster's Avatar
    Join Date
    Apr 2008
    Posts
    25

    Use one box as a bridge

    I've had some experience setting up honeynets, and the way I would suggest is to use one of your boxes as a bridge, with one NIC going to the internet and the other going to a switch or directly to the other box you want to get hacked. This setup has several advantages:
    1. The bridge will be transparent and will have no IP, but traffic still has to go through iptables. So you can still log all of the traffic with tcpdump, while at the same time hopefully remaining undetectable.
    2. You can egress filter the outbound traffic. I limit the outbound traffic to about 1000 packets per day so that after the honeypot box does get owned, it won't be used to DoS a children's hospital or something.
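
    The bridge setup described in the post above, written out as an added example (this is not code from the thread or from any of its posters). It assumes a Linux bridge box with iptables, eth0 on the internet side, eth1 on the honeypot side, a capture directory under /var/log/honeynet and a burst of 50 packets; the post gives only the design and the rough 1000 packets/day budget.

```sh
#!/bin/sh
# Transparent honeynet bridge: two NICs, no IP address on the bridge, and all
# frames still pass through the iptables FORWARD chain so they can be
# captured and egress-limited.
# Added example, not code from the thread. Interface names, the capture
# directory, the burst size and the rule layout are assumptions.
set -eu

PCAP_DIR="${PCAP_DIR:-/var/log/honeynet}"   # assumed location, on the bridge box only

# Print the iptables rule set for WAN-side NIC $1, honeypot-side NIC $2 and an
# outbound budget of $3 packets per day. It prints instead of executing so the
# rules can be reviewed before they are applied.
honeynet_bridge_rules() {
    wan="$1" lan="$2" limit="$3"
    cat <<EOF
# bridged frames are only handed to iptables when this sysctl is on
modprobe br_netfilter 2>/dev/null || true
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -P FORWARD DROP
iptables -F FORWARD
# inbound: anything from the internet may reach the honeypot
iptables -A FORWARD -m physdev --physdev-in $wan --physdev-out $lan -j ACCEPT
# outbound: token bucket of $limit packets/day; the burst lets a short scan or
# an interactive shell show up in the capture, a flood cannot
iptables -A FORWARD -m physdev --physdev-in $lan --physdev-out $wan -m limit --limit $limit/day --limit-burst 50 -j ACCEPT
# over budget: log (rate-limited as well, or the log itself becomes the DoS) and drop
iptables -A FORWARD -m physdev --physdev-in $lan --physdev-out $wan -m limit --limit 1/minute -j LOG --log-prefix "HONEY-EGRESS-DROP: "
iptables -A FORWARD -m physdev --physdev-in $lan --physdev-out $wan -j DROP
EOF
}

# Build the bridge. Deliberately no 'ip addr add' on it: with no address there
# is nothing for the attacker to ping, scan or route through.
honeynet_bridge_up() {
    br="$1" wan="$2" lan="$3"
    ip link add name "$br" type bridge
    ip link set "$wan" master "$br"
    ip link set "$lan" master "$br"
    ip link set "$wan" up
    ip link set "$lan" up
    ip link set "$br" up
}

# Full-packet capture on the bridge, rotated daily, written to the bridge
# box's own disk, which the honeypot never sees.
honeynet_capture() {
    br="$1"
    mkdir -p "$PCAP_DIR"
    tcpdump -i "$br" -n -s 0 -G 86400 -w "$PCAP_DIR/honeynet-%Y%m%d.pcap"
}

# Usage: sh honeynet-bridge.sh print [wan] [lan] [pkts/day]   (review the rules)
#        sh honeynet-bridge.sh apply [wan] [lan] [pkts/day]   (as root)
case "${1:-print}" in
    print) honeynet_bridge_rules "${2:-eth0}" "${3:-eth1}" "${4:-1000}" ;;
    apply)
        honeynet_bridge_up br0 "${2:-eth0}" "${3:-eth1}"
        honeynet_bridge_rules "${2:-eth0}" "${3:-eth1}" "${4:-1000}" | sh -e
        honeynet_capture br0
        ;;
esac
```

    The physdev match is what makes the bridge position usable: the packets never have the bridge as a routing hop, so the only way to tell "coming from the honeypot" apart from "going to the honeypot" is by which bridge port the frame entered and left. The LOG rule is rate-limited separately from the ACCEPT budget; otherwise a compromised honeypot that floods outbound fills the bridge's disk with kernel log lines even though none of the flood leaves.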

  5. #5
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Quote Originally Posted by the_rooster
    I've had some experience setting up honeynets, and the way I would suggest is to use one of your boxes as a bridge, with one NIC going to the internet and the other going to a switch or directly to the other box you want to get hacked. This setup has several advantages:
    1. The bridge will be transparent and will have no IP, but traffic still has to go through iptables. So you can still log all of the traffic with tcpdump, while at the same time hopefully remaining undetectable.
    2. You can egress filter the outbound traffic. I limit the outbound traffic to about 1000 packets per day so that after the honeypot box does get owned, it won't be used to DoS a children's hospital or something.
    Yes, even better when you add a tap (search for 'snifdet' on this forum, and about halfway through the post and on).
    dd if=/dev/swc666 of=/dev/wyze

  6. #6
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Thanks for a lot of helpful replies. I'm looking forward to testing these things throughout the weekend.

    One quick question though: what would be the best setup for the "bridge" computer?

    Can I just as well install any distro here, or are there any recommendations or distros to avoid?

    EDIT: swc666, a 'snifdet' search returns no results, both with and without the quotes and when searching threads and topics throughout the whole forum.

    What am I doing wrong?

  7. #7
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Quote Originally Posted by cormega
    EDIT: swc666, a 'snifdet' search returns no results, both with and without the quotes and when searching threads and topics throughout the whole forum.

    What am I doing wrong?
    Oops... typo, should have been sniffdet:

    http://forums.remote-exploit.org/sho...light=sniffdet

    Scan through the post to find the relevant info.
    dd if=/dev/swc666 of=/dev/wyze

  8. #8
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Thanks for the tip, swc666, looks like a useful thread indeed.

  9. #9
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    By the way, swc666, I read in that thread you tipped me about that you set up a honeypot of your own. What kind of experiences did you get from that? Now, I don't think I'll try that hardware hacking you did right there, but setting up a nice honeynet with solid logging and perhaps an IDS would be cool indeed!

    The main reason why I want to set up a honeypot is because I am very interested and I love the idea of having a honeypot to check up on from time to time to see what is going on. Secondly, I'm guessing that having a running honeypot over time will be educational in so many ways.

  10. #10
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Quote Originally Posted by cormega
    By the way, swc666, I read in that thread you tipped me about that you set up a honeypot of your own. What kind of experiences did you get from that? Now, I don't think I'll try that hardware hacking you did right there, but setting up a nice honeynet with solid logging and perhaps an IDS would be cool indeed!

    The main reason why I want to set up a honeypot is because I am very interested and I love the idea of having a honeypot to check up on from time to time to see what is going on. Secondly, I'm guessing that having a running honeypot over time will be educational in so many ways.
    I set up a naked Win2K box on a DMZ, passively tapped, just to see the ugly traffic that popped in/out of it. I didn't do anything deep as far as forensics; basically saw a lot of pwnage of the box as an ad server zombie.
    dd if=/dev/swc666 of=/dev/wyze
