Page 2 of 7 (results 11 to 20 of 63)

Thread: honeypots .. any experience?

  1. #11 lund99 (Senior Member, joined Feb 2010, 142 posts)

    I'm planning to put W2K on one of the boxes as well; I'm guessing this will attract a lot of stuff, I just hope it won't end up being torn apart by some script kiddies.

    But so far I've got BT3 on an old desktop computer which I am planning to use as my bridge. I will take an extra NIC home with me from work today and hopefully I'll get some work done.

    First of all, though, I am a bit unsure as to how I am supposed to set up the NICs on this bridge. If I understand the_rooster correctly, the NICs won't have their own IP address and won't be easily detectable by anyone else; they just forward the traffic in the right direction, incoming or outgoing, right?

    So how do I set up these NICs to just forward traffic like that?

  2. #12 the_rooster (Junior Member, joined Apr 2008, 25 posts): use bridge-utils

    Cormega, first off, honeynets are an awesome way to learn about security, hacking, and networking in general. I would be happy to share my experiences and setup info with you.

    I was using 3 NICs with my setup, two for the bridge and one for remote ssh access, since the honeynet was at work. Using bridge-utils, you make a virtual interface out of two NICs. I'll paste below the firewall script I was using. I was also running snort_inline with this, which is why you'll see "QUEUE" targets where you would expect "ACCEPT" targets. I've only been working with Linux for about a year, so if this script sucks in some way let me know; I'd appreciate the feedback. You don't have to run snort_inline, but it's fun to see how much actually gets by Snort, and it's good to block low-level, boring script kiddie stuff.

    I would run a script that had a ton of the Sysinternals-type tools (fport, procmon, etc.) on the honeypot box before you put it out in the wild, so that you can run the same script after you suspect the box gets jacked and compare what's changed in terms of opened ports and new processes, etc. I was also running sebek to capture command line input on the compromised boxes.

    From there you could log traffic with tcpdump, either on the outbound NIC or on the virtual bridge interface. I wrote some Java programs to parse the data and sum it up by unique communications (i.e. src IP and port -> dst IP and port) and email it to me every couple of hours.

    Feel free to PM any questions, or keep this thread going.

    Firewall script:

    #!/bin/sh
    # Transparent bridging firewall for the honeynet: eth0 and eth1 form the
    # bridge (neither carries an IP address), eth2 is the management NIC used
    # for remote ssh. Packets are handed to snort_inline through the QUEUE
    # target; if snort_inline is not running, QUEUEd packets are dropped,
    # so start it right after this script (see the init script below).
    IPTABLES="/sbin/iptables"
    BRCTL="/usr/sbin/brctl"

    ## Build the bridge: br0 out of eth0 and eth1, both without an IP address
    $BRCTL addbr br0
    $BRCTL addif br0 eth0
    $BRCTL addif br0 eth1
    ifconfig eth0 0.0.0.0 promisc up
    ifconfig eth1 0.0.0.0 promisc up
    ifconfig br0 up

    ## Flush everything and default to DROP on all chains
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    ## Ethernet filtering: make bridged frames pass through the iptables FORWARD
    ## chain (these sysctls only exist once the bridge module is loaded, i.e.
    ## after the brctl calls above)
    for f in /proc/sys/net/bridge/bridge-nf-*; do echo "1" > $f; done

    ## Enable IP forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward

    ## Enable dynamic IPs
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    ## Helper modules (conntrack, FTP helpers, ip_queue for snort_inline,
    ## limit/LOG/state matches)
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_queue
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_state

    ## Kernel hardening: no source routing, reverse-path filtering on,
    ## ICMP redirects ignored and not sent, log martians, SYN cookies on
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
    done
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
    done
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
    done
    for f in /proc/sys/net/ipv4/conf/*/secure_redirects; do
    echo 1 > $f
    done
    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
    done
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
    done
    echo 200 > /proc/sys/net/ipv4/icmp_ratelimit
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 256 > /proc/sys/net/ipv4/tcp_max_syn_backlog

    # Allow all on loopback
    $IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

    #bridge rules
    ## For each honeypot: at most 1000 outbound packets a day go to snort_inline,
    ## everything beyond that is dropped (limits what a compromised honeypot can
    ## do to the outside); a few destinations are blocked outright.
    ## udp/1101 is sebek's default port, so 192.168.1.133 is presumably the
    ## sebek collector: only that traffic from the honeypots reaches it.
    ACTIVEIP="192.168.1.129 192.168.1.130 192.168.1.131 192.168.1.132"
    for i in $ACTIVEIP; do
    #$IPTABLES -A FORWARD -s 123.123.123.123 -m physdev --physdev-is-in -j DROP
    $IPTABLES -A FORWARD -i br0 -s $i -m physdev --physdev-is-out -m limit \
    --limit 1000/day --limit-burst 1000 -j QUEUE
    $IPTABLES -A FORWARD -i br0 -s $i -m physdev --physdev-is-out -j DROP
    $IPTABLES -A FORWARD -s $i -d 192.168.1.133 -p udp --dport 1101 -j QUEUE
    $IPTABLES -A FORWARD -s $i -d 192.168.1.133 -j DROP
    $IPTABLES -A FORWARD -s $i -d 123.123.123.213 -j DROP
    $IPTABLES -A FORWARD -s $i -d 123.123.213.213 -j DROP
    $IPTABLES -A FORWARD -s $i -d 222.222.222.222 -j DROP
    done

    ## Everything else entering through a bridge port goes to snort_inline
    $IPTABLES -A FORWARD -m physdev --physdev-is-in -j QUEUE

    #bridge....keep this one...simple config
    #$IPTABLES -A FORWARD -j QUEUE

    #save for eth2
    ## Management NIC: ssh in only from the SAFEIP addresses, plus the
    ## established/related traffic that belongs to those sessions
    SAFEIP="123.123.123.123 123.123.123.124"
    for i in $SAFEIP; do
    $IPTABLES -A INPUT -i eth2 -p tcp --dport 22 -s $i -m state --state NEW,ESTABLISHED,RELATED -j QUEUE
    done

    $IPTABLES -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j QUEUE
    $IPTABLES -A OUTPUT -o eth2 -m state --state ESTABLISHED,RELATED -j QUEUE
    $IPTABLES -A OUTPUT -o eth2 -m state --state NEW -j QUEUE

    $IPTABLES -A FORWARD -i eth2 -o eth2 -m state --state ESTABLISHED,RELATED -j QUEUE

    Script to start and stop the firewall and snort:
    #!/bin/bash
    # processname: snort_inline
    # config: /etc/snort_inline/snort_inline.conf
    BRCTL="/usr/sbin/brctl"
    . /lib/lsb/init-functions
    [ -f /usr/local/bin/snort_inline ] || exit 0
    start() {
    # Start daemons: ip_queue first, then the firewall (QUEUE targets), then snort_inline
    echo "Starting ip_queue module:"
    lsmod | grep -q ip_queue || /sbin/modprobe ip_queue
    echo "Starting iptables rules:"
    # Put your iptables script with QUEUE targets here.
    /etc/firewall.sh
    echo "Starting snort_inline: "
    # -Q read packets from ip_queue, -D daemonize, -v verbose
    /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -D -v
    RETVAL=$?
    echo $RETVAL
    [ $RETVAL = 0 ] && touch /var/lock/subsys/snort_inline
    }
    stop() {
    # Stop daemons, then tear down the bridge and open the firewall back up
    echo "Shutting down snort_inline: "
    killall snort_inline
    RETVAL=$?
    echo $RETVAL
    [ $RETVAL = 0 ] && rm -f /var/lock/subsys/snort_inline
    printf "\nRemoving iptables rules:\n"
    $BRCTL delif br0 eth0
    $BRCTL delif br0 eth1
    ifconfig br0 down
    $BRCTL delbr br0
    iptables -F
    iptables -X
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    }
    restart() {
    stop
    start
    }
    # Arguments passed.
    case "$1" in
    start)
    start
    ;;
    stop)
    stop
    ;;
    restart)
    restart
    ;;
    *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
    esac
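The per-communication traffic summary the_rooster describes above (parse tcpdump output, sum it up by src IP and port -> dst IP and port, mail it out), as an added example that is not part of the original post and not the_rooster's Java programs, which are not on this page. It works on the text output of `tcpdump -n -tt`; the sample lines are constructed, not a real capture, and the honeypot address list copies the ACTIVEIP values from the firewall script. On top of the per-flow counts it flags flows a honeypot opened towards the outside, which is what the script's outbound limit is there to contain.

```python
"""Summarise honeypot traffic by unique communication (src ip:port -> dst ip:port).

Added example, not code from the original post. Input is the text output of
`tcpdump -n -tt` (e.g. run on br0 or the outbound NIC); SAMPLE below is constructed.
"""
import re

# Honeypot addresses (the ACTIVEIP values from the firewall script above)
HONEYPOTS = {"192.168.1.129", "192.168.1.130", "192.168.1.131", "192.168.1.132"}

# One `tcpdump -n -tt` line carrying an IPv4 TCP or UDP packet, e.g.
#   1268392011.100000 IP 10.0.0.5.4321 > 192.168.1.129.445: Flags [S], seq 1, win 65535, length 0
#   1268392030.000000 IP 192.168.1.129.1035 > 10.0.0.9.53: 12345+ A? example.org. (29)
# ARP, ICMP and other lines without a port suffix do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+) > "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Payload size: "length N" on TCP lines, "(N)" at the end of decoded UDP lines such as DNS
PAYLOAD_RE = re.compile(r"length (\d+)|\((\d+)\)\s*$")


def parse_line(line):
    """Return (ts, proto, src, sport, dst, dport, payload_bytes) or None for non-TCP/UDP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # tcpdump prints "Flags [...]" for every TCP segment in this format; anything
    # else that carries a port suffix is treated as UDP (assumption of this example).
    proto = "tcp" if rest.startswith("Flags [") else "udp"
    pm = PAYLOAD_RE.search(rest)
    payload = int(pm.group(1) or pm.group(2)) if pm else 0
    return (float(m.group("ts")), proto, m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), payload)


def summarize(lines):
    """Group packets into flows keyed by (proto, src, sport, dst, dport).

    Each flow records packet and payload byte counts, first/last timestamp and
    whether the source initiated it: no packet of the reverse flow had been seen
    before its first packet (assumes the capture started before the conversation).
    """
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        ts, proto, src, sport, dst, dport, payload = pkt
        key = (proto, src, sport, dst, dport)
        if key not in flows:
            reverse = (proto, dst, dport, src, sport)
            flows[key] = {"packets": 0, "bytes": 0, "first": ts, "last": ts,
                          "initiated": reverse not in flows}
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += payload
        f["last"] = ts
    return flows


def honeypot_initiated(flows, honeypots=HONEYPOTS):
    """Flows a honeypot opened towards the outside: the ones worth an alert."""
    return [k for k, f in flows.items()
            if f["initiated"] and k[1] in honeypots and k[3] not in honeypots]


def outbound_packets(flows, honeypots=HONEYPOTS):
    """Outbound packets per honeypot: the quantity the firewall script caps at 1000/day."""
    counts = {}
    for (proto, src, sport, dst, dport), f in flows.items():
        if src in honeypots and dst not in honeypots:
            counts[src] = counts.get(src, 0) + f["packets"]
    return counts


def report(flows, honeypots=HONEYPOTS):
    """Plain-text summary, busiest flows first, suitable for mailing out."""
    out = ["%-5s %-21s -> %-21s %7s %9s  %s" % ("proto", "source", "destination", "pkts", "bytes", "note")]
    for (proto, src, sport, dst, dport), f in sorted(
            flows.items(), key=lambda kv: kv[1]["packets"], reverse=True):
        outbound = f["initiated"] and src in honeypots and dst not in honeypots
        out.append("%-5s %-21s -> %-21s %7d %9d  %s" % (
            proto, "%s:%d" % (src, sport), "%s:%d" % (dst, dport),
            f["packets"], f["bytes"], "HONEYPOT OUTBOUND" if outbound else ""))
    return "\n".join(out)


# Constructed sample of `tcpdump -n -tt -i br0` output (not a real capture):
# an SMB probe against .129, a DNS lookup and an IRC connection made by .129,
# a NetBIOS probe against .130, and an ARP line that is skipped.
SAMPLE = """\
1268392011.100000 IP 10.0.0.5.4321 > 192.168.1.129.445: Flags [S], seq 1, win 65535, length 0
1268392011.100500 IP 192.168.1.129.445 > 10.0.0.5.4321: Flags [S.], seq 2, ack 2, win 8192, length 0
1268392011.101000 IP 10.0.0.5.4321 > 192.168.1.129.445: Flags [.], ack 1, win 65535, length 0
1268392011.102000 IP 10.0.0.5.4321 > 192.168.1.129.445: Flags [P.], seq 1:138, ack 1, win 65535, length 137
1268392030.000000 IP 192.168.1.129.1035 > 10.0.0.9.53: 12345+ A? example.org. (29)
1268392030.020000 IP 10.0.0.9.53 > 192.168.1.129.1035: 12345 1/0/0 A 10.0.0.77 (45)
1268392031.000000 IP 192.168.1.129.1036 > 10.0.0.77.6667: Flags [S], seq 9, win 8192, length 0
1268392031.500000 IP 192.168.1.129.1036 > 10.0.0.77.6667: Flags [P.], seq 1:21, ack 1, win 8192, length 20
1268392040.000000 IP 10.0.0.5.4322 > 192.168.1.130.139: Flags [S], seq 1, win 65535, length 0
1268392041.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.129, length 28
"""

if __name__ == "__main__":
    flows = summarize(SAMPLE.splitlines())
    print(report(flows))
    print("outbound packets per honeypot:", outbound_packets(flows))
```

To run it on a real box, pipe `tcpdump -n -tt -i br0` (or a `tcpdump -r` replay of a saved file) into `summarize()` and mail the output of `report()` on a cron schedule; with the sample above the DNS lookup and the IRC connection from 192.168.1.129 come out marked HONEYPOT OUTBOUND, while the SYN/ACK that .129 sends back to the SMB probe does not, because the reverse flow was already seen.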

  3. #13 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    Snort_inline is a good way to go; however, if you build a passive tap as discussed in the sniffdet thread, you can monitor/log traffic with two NICs tapped into the line going into the pot.
    dd if=/dev/swc666 of=/dev/wyze

  4. #14 the_rooster (Junior Member, joined Apr 2008, 25 posts)

    I had not heard of a passive tap before reading this thread. Is there an advantage to using them over creating a bridge with bridge-utils?

  5. #15 Senior Member (joined Apr 2008, 2,008 posts)

    Quote Originally Posted by the_rooster
    Is there an advantage to using them over creating a bridge with bridge-utils?
    The advantage is that it will be as good as completely undetectable.
    -Monkeys are like nature's humans.

  6. #16 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    Quote Originally Posted by the_rooster
    I had not heard of a passive tap before reading this thread. Is there an advantage to using them over creating a bridge with bridge-utils?
    Either way the NICs have to be bridged. For the tap setup the cards are running at half duplex. It allows you to plug into the line promiscuously and sniff.
    dd if=/dev/swc666 of=/dev/wyze

  7. #17 lund99 (Senior Member, joined Feb 2010, 142 posts)

    Thank you so much for your post, rooster, that's just the sort of detailed info I need to get started.

    I think I'll copy your setup as far as possible once I get started, to avoid any newbie mistakes.

    Just out of curiosity: how many boxes did you set up in your honeypot besides the bridge, and what did you run on them?

    That Sysinternals-type script sounds like a great idea and I'll remember to do something like that before I go live. Also, I have a computer forensics book on my shelf that's been gathering dust for a couple of years now, so the plan is that once I decide to take the network down I'll run a forensic investigation on the systems as well.

    That tap swc666 is talking about seems pretty cool as well; I want to try that out too, but I'll probably wait a little while before I try it.

    Great to see that this thread is staying alive and people are posting experiences and tips, because I really need it to get me started.

    Unfortunately I probably won't get much done until next week (besides reading this thread) because I'm going away for a couple of days, but once I'm back I'll start setting up the honeynet piece by piece and post my status here. I almost can't wait to get started.

  8. #18 the_rooster (Junior Member, joined Apr 2008, 25 posts)

    Yeah, the tap is very cool. I had not appreciated the detectability of the bridge structure. I thought having no IP bought me more invisibility than it really does.

    I changed jobs just a little while after setting up this honeynet, so I only got to run a few machines. I'd run 2-3 unpatched XP and 2K3 servers at a time, as well as a plain Ubuntu install for comparison. You'll get a lot more traffic on the Windows boxes when you enable/install IIS and related services and take down the Windows firewall.

  9. #19 lund99 (Senior Member, joined Feb 2010, 142 posts)

    So I was wondering about borrowing a Cisco Catalyst 2950 switch from work and adding it to the mix to make the net appear even more authentic to an intruder. What are your thoughts about that?

    It might be a bit overkill with a 24-port switch on a honeynet with only three devices, though, and the switch I'm talking about is really noisy, so I haven't decided yet. I would like some input to see if anyone else would find this to be a helpful addition or not.

  10. #20 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    Quote Originally Posted by cormega
    So I was wondering about borrowing a Cisco Catalyst 2950 switch from work and adding it to the mix to make the net appear even more authentic to an intruder. What are your thoughts about that?

    It might be a bit overkill with a 24-port switch on a honeynet with only three devices, though, and the switch I'm talking about is really noisy, so I haven't decided yet. I would like some input to see if anyone else would find this to be a helpful addition or not.
    I think something that would allow you to set up a DMZ is all you really need.
    dd if=/dev/swc666 of=/dev/wyze

