Page 3 of 7 (results 21 to 30 of 63)

Thread: honeypots .. any experience?

  #21 lund99 (Senior Member, joined Feb 2010, 142 posts)

    OK, so if I just get a simple 5-port switch and set up the honeynet in a DMZ, that's all I really need? Kind of nice to know, because with 3 computers running and an old switch that sounds like a rusty Ford, it could get a "bit" annoying to have that stuff running in my 1-bedroom apartment over time.

  #22 the_rooster (Junior Member, joined Apr 2008, 25 posts)

    I forgot: if you can get your hands on a hub instead of a switch, you should do so, because with a hub you will be able to pick up traffic between your honeypot boxes.

  #23 lund99 (Senior Member, joined Feb 2010, 142 posts)

    I think I can get hold of a hub, actually; I'm almost positive I've seen one lying around at work somewhere. Thanks for the tip...

    By the way, when setting up Snort, where would the best place to put this be? I'm guessing the bridge box?

  #24 lund99 (Senior Member, joined Feb 2010, 142 posts)

    OK, so I never got hold of that hub, but that's not my primary concern right now.

    I am more or less ready to get started, but I realize that there are a few technical questions I need to get answered before I go ahead.

    1. I am fortunate enough to have an ISP that provides me with official IP addresses and not NAT addresses, but how important is it to put the honeynet behind an official IP, really?

    2. The plan I have right now is to follow the_rooster's advice and set up one box as a bridge between the internet and the switch containing the other boxes I want to set up in my honeynet. But since this bridge of mine won't need any IP addresses, and my ISP offers 5 official IP addresses, won't the rest of the boxes behind the bridge take one official IP each, giving the impression that they are not on the same network?

    I mean, my ISP offers addresses in the 81.191.xxx.xxx range and I get 5 of those, but what I really want is to put my entire honeynet behind ONE of these addresses, because that would be the most efficient setup, right?

    So how do I solve that? Do I set up my W2K box right behind the bridge with a DHCP service and connect the W2K box to the switch, so that every other box on the honeynet will get a private IP from this W2K box and at the same time use it as a gateway to the internet?

    I figure that this way would provide the W2K box with an official IP so that it would be the first to be discovered in my network; at the same time, using the W2K box as the DHCP server for the rest of the honeynet would lead any hackers further into my network.

    So what do you guys think of my solution so far? If I'm way off here or you have any suggestions to improve my setup, please do not hesitate to post them here.

  #25 the_rooster (Junior Member, joined Apr 2008, 25 posts)

    For the most part, I think it's going to depend on what you want to accomplish. You could tailor your honeynet to test any number of services/configurations and the vulnerabilities that come with them. You could go the DHCP route or the one box per IP. It will be interesting to see what differences in traffic will result. But at the same time, you'll probably get a lot of automated garbage regardless.

    To me, one of the biggest challenges is how to make sense of the data being logged. I would see a ton of automated bot/zombie scans looking for SQL, game hosting services, SMB/NetBIOS, SSH, etc. I think you really will need a way of filtering the garbage.

    I saw a couple of Perl scripts on honeynet.org (the Scan of the Month challenges are interesting) where people came up with some pretty neat ways of parsing and summarizing tcpdump capture files. I'm not very proficient in Perl (that's some straight voodoo script to me), so I rewrote theirs in a language I know: Java. But it took about 150 lines of code for me to do what they were doing in 10 lines.

    So it may be worthwhile just to get anything set up to get a feel for what and how much traffic you can expect just from having a single box connected straight to the internet (well, through the bridge of course), if only to get a baseline. Then increase the complexity of the network and increase the number of ports/services you want to expose.
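The parsing-and-summarizing step the_rooster describes (read a tcpdump capture, count what is hitting the box, separate the automated scan noise from the rest), as an added example that is not part of the original post. This is a Python script written for this page, not the honeynet.org Perl scripts or the_rooster's Java port: it reads a libpcap file with the standard library only, counts connection attempts (SYN without ACK) per source and per destination port, and flags any source that probes at least a threshold number of distinct ports or hosts as a likely scanner. The capture it runs on is constructed in memory; the honeypot address 192.0.2.10, the other addresses and the threshold of 5 are assumptions made for the example.

```python
"""Summarize a tcpdump/libpcap capture of honeynet traffic: SYNs per source,
SYNs per destination port, and which sources look like automated scanners
(many distinct ports or hosts probed).  Added example, not from the original
thread; standard library only.  The capture is constructed in memory so the
script runs offline; pass a real .pcap path on the command line instead."""
import struct
import sys
from collections import Counter, defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # libpcap magic as read little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic when the file was written big-endian


def build_pcap(frames):
    """Build a libpcap file (linktype 1 = Ethernet) from (timestamp, frame) pairs."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in frames)
    return header + records


def tcp_frame(src, dst, sport, dport, flags=0x02):
    """Minimal Ethernet/IPv4/TCP frame (checksums left at zero; SYN by default)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def iter_tcp(pcap_bytes):
    """Yield (ts, src, dst, sport, dport, flags) for every IPv4/TCP packet."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(endian + "I", pcap_bytes, 20)[0]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts, _, caplen, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        tcp_off = 14 + ihl
        if frame[23] != 6 or len(frame) < tcp_off + 14:
            continue                                  # not TCP, or truncated
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        yield ts, src, dst, sport, dport, frame[tcp_off + 13]


def summarize(pcap_bytes, scan_threshold=5):
    """Count connection attempts (SYN without ACK) and flag sources that touch at
    least scan_threshold distinct ports or hosts as likely automated scans."""
    by_src, by_dport = Counter(), Counter()
    ports, hosts = defaultdict(set), defaultdict(set)
    for ts, src, dst, sport, dport, flags in iter_tcp(pcap_bytes):
        if flags & 0x02 and not flags & 0x10:
            by_src[src] += 1
            by_dport[dport] += 1
            ports[src].add(dport)
            hosts[src].add(dst)
    scanners = sorted(s for s in by_src
                      if len(ports[s]) >= scan_threshold or len(hosts[s]) >= scan_threshold)
    return {"by_src": by_src, "by_dport": by_dport, "scanners": scanners}


# Constructed sample: one host sweeps common ports, two others make single
# connections, and the honeypot (192.0.2.10) answers one of them with SYN-ACK.
HONEYPOT = "192.0.2.10"
_frames = [(100 + i, tcp_frame("198.51.100.7", HONEYPOT, 40000 + i, p))
           for i, p in enumerate([21, 22, 23, 80, 135, 139, 445, 1433, 3389])]
_frames += [
    (200, tcp_frame("203.0.113.5", HONEYPOT, 51000, 80)),
    (200, tcp_frame(HONEYPOT, "203.0.113.5", 80, 51000, flags=0x12)),  # SYN-ACK reply
    (260, tcp_frame("203.0.113.5", HONEYPOT, 51001, 22)),
    (300, tcp_frame("203.0.113.9", HONEYPOT, 52000, 1433)),
]
SAMPLE_CAPTURE = build_pcap(_frames)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    report = summarize(data)
    print("top sources:", report["by_src"].most_common(5))
    print("top ports:  ", report["by_dport"].most_common(5))
    print("likely scanners (filter these out first):", report["scanners"])
```

Only SYNs without ACK are counted, so the honeypot's own replies never show up as "traffic from" the honeypot, and a scanner that sweeps nine ports is flagged while a visitor who makes two connections is not. On a real capture (`tcpdump -i eth0 -w honeynet.pcap` on the bridge box, then `python summarize.py honeynet.pcap`) the threshold needs tuning; what remains after removing the flagged sources is the traffic worth reading by hand.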

  #26 lund99 (Senior Member, joined Feb 2010, 142 posts)

    Great tip, thanks.
    I'll follow your advice and start off with a bridge + a W2K box and see where that leads me.

    BTW, you said you ran a script on the Linux boxes in your honeynet before putting it out to see what might change once the box got compromised, right?
    Do you have any tips on how to do something similar with the W2K box?

  #27 the_rooster (Junior Member, joined Apr 2008, 25 posts)

    There was a free product called Windows Forensic Toolchest that I was using to collect system info. I think they went commercial with it, though. So I made my own script modeled after the way they did it. What you'll get with this is a ton of different little text files containing the output of the .exe listed. Most of them are SysInternals, but all are freely available. It's kind of crude and not very nice looking format-wise, but you'll get the info you need to get a picture of what might be changing on the box. I think some of the registry lines might need to be changed depending on the version of Windows you are using.

    Run a script like this before you put the box in the open, and then after you suspect you have been compromised. Using this technique I've been able to discover new processes and ports open after a compromise.



    @ECHO off
    REM Snapshot script modeled on the Windows Forensic Toolchest. Usage:
    REM   snapshot.cmd c:\snap\before   (before the box goes online)
    REM   snapshot.cmd c:\snap\after    (once you suspect a compromise)
    REM %1 is the output directory (use a path without spaces); diff the two
    REM directories afterwards. The tools are SysInternals / Resource Kit
    REM binaries placed in %toolpath%. Registry keys may differ on other
    REM Windows versions.

    IF "%1"=="" (
        ECHO Usage: %0 output_directory
        GOTO :EOF
    )
    IF NOT EXIST %1 MKDIR %1

    SET toolpath=c:\WFT\tools\

    REM --- most volatile data first: memory, then file access times
    REM --- (running the tools themselves updates access times, so do this early)
    %toolpath%mem.exe /p > %1\currently_in_memory.txt
    %toolpath%mem.exe /d > %1\memory_drivers_etc.txt

    dir c:\ /S /OD /TA > %1\file_last_access_time.txt

    REM --- system identity and environment
    %toolpath%psinfo.exe -d -s -h > %1\psinfo.txt
    %toolpath%hostname.exe > %1\hostname.txt
    %toolpath%uname.exe -a > %1\uname.txt

    ver > %1\version.txt
    set > %1\environment.txt

    %toolpath%uptime.exe > %1\uptime.txt
    %toolpath%uptime.exe /a > %1\uptime_historical.txt

    %toolpath%whoami.exe > %1\whoami.txt

    REM --- accounts and groups
    %toolpath%net.exe config rdr > %1\net_config_rdr.txt
    %toolpath%net.exe user > %1\net_user.txt
    %toolpath%net.exe localgroup > %1\net_localgroup.txt
    %toolpath%net.exe accounts > %1\net_accounts.txt
    %toolpath%net.exe accounts /domain > %1\net_accounts_domain.txt

    REM --- processes, handles and services
    %toolpath%pslist.exe > %1\pslist.txt

    %toolpath%pstat.exe > %1\pstat.txt

    %toolpath%handle.exe > %1\handle.txt

    %toolpath%handle.exe -a > %1\handle_a.txt

    %toolpath%psservice.exe > %1\psservice.txt

    REM --- network state: ARP, routes, sockets and which process owns them
    arp -a > %1\arp.txt

    route print > %1\route.txt

    netstat -an > %1\netstat.txt

    %toolpath%Fport.exe > %1\fport.txt

    %toolpath%openports.exe -path -fport > %1\openports.txt

    sc.exe queryex > %1\sc.txt

    REM --- started services, shares, mapped drives, sessions
    %toolpath%net.exe start > %1\net_start.txt
    %toolpath%net.exe share > %1\net_share.txt
    %toolpath%net.exe use > %1\net_use.txt
    %toolpath%net.exe view > %1\net_view.txt
    %toolpath%net.exe session > %1\net_session.txt

    REM --- loaded drivers, NetBIOS tables, sniffer (promiscuous mode) check
    %toolpath%drivers.exe > %1\drivers.txt

    %toolpath%nbtstat.exe -n > %1\nbtstat_n.txt
    %toolpath%nbtstat.exe -c > %1\nbtstat_c.txt
    %toolpath%nbtstat.exe -s > %1\nbtstat_s.txt

    %toolpath%promiscdetect.exe > %1\promiscdetect.txt

    REM --- event logs
    %toolpath%psloglist.exe > %1\psloglist.txt
    %toolpath%psloglist.exe -s system > %1\psloglist_s_system.txt
    %toolpath%psloglist.exe -s application > %1\psloglist_s_application.txt
    %toolpath%psloglist.exe -s security > %1\psloglist_s_security.txt

    REM --- disk layout, open files
    %toolpath%diskmap.exe /d0 > %1\diskmap.txt

    %toolpath%ntfsinfo.exe > %1\ntfsinfo.txt

    %toolpath%psfile.exe > %1\psfile.txt

    REM --- hidden files, alternate data streams, EFS-encrypted files, Startup folder
    dir c:\ /S /AH > %1\hidden_files.txt

    %toolpath%streams.exe -s c:\*.* > %1\streams.txt

    %toolpath%efsinfo.exe /S:c:\ /U /R /C > %1\efsinfo.txt

    dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup" > %1\startup.txt

    REM --- machine-wide autostart locations
    %toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /S > %1\reg_run.txt
    %toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /S > %1\reg_runOnce.txt
    %toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /S > %1\reg_runOnceEx.txt
    %toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices /S > %1\reg_runServices.txt
    %toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /S > %1\reg_runServicesOnce.txt
    %toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad /S > %1\reg_ShellServiceObjectDelayLoad.txt
    %toolpath%reg.exe query HKLM\Software\Policies\Microsoft\Windows\System\Scripts /S > %1\reg_Scripts.txt
    %toolpath%reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /S > %1\reg_Explorer.txt

    REM --- per-user autostart locations (the user the script runs as)
    %toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /S > %1\reg_runHKCU.txt
    %toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /S > %1\reg_runOnceHKCU.txt
    %toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /S > %1\reg_runOnceExHKCU.txt
    %toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices /S > %1\reg_runServicesHKCU.txt
    %toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /S > %1\reg_runServicesOnceHKCU.txt
    %toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell /S > %1\reg_shellHKCU.txt
    %toolpath%reg.exe query HKCU\Software\Policies\Microsoft\Windows\System\Scripts /S > %1\reg_ScriptsHKCU.txt
    %toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /S > %1\reg_ExplorerHKCU.txt

    REM --- user activity (IE bars, typed URLs, Run and Open/Save MRU lists) and installed software
    %toolpath%reg.exe query "HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}" /S > %1\reg_ExplorerBars.txt
    %toolpath%reg.exe query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs" /S > %1\reg_ExplorerTypedURLS.txt
    %toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /S > %1\reg_ExplorerVersion.txt
    %toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU /S > %1\reg_OpenSaveMRU.txt
    %toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /S > %1\reg_Uninstall.txt

    REM --- autoruns (all locations, drivers, explorer add-ons, services, winlogon) and logged-on users
    %toolpath%autorunsc.exe -a -d -e -s -w > %1\autorunsc.txt

    %toolpath%psloggedon.exe > %1\psloggedon.txt
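Comparing the before and after directories that a script like the one above produces, as an added example that is not part of the original post or of WFT. It is a Python script written for this page: it parses the netstat -an and pslist outputs specially (new listening ports, new connections, new or vanished process names, with PIDs ignored because they change across reboots) and does a plain line diff on every other file. The snapshot contents embedded below (file names, process names, the port 4444 listener, the Run key value) are constructed for illustration, not captured from a real compromise.

```python
"""Compare two snapshot directories written by a before/after collection script
like the batch file above, and report what changed: new listening ports, new
inbound connections, new or vanished processes, and any other file whose lines
differ.  Added example, not from the original thread.  The BEFORE/AFTER
snapshots below are constructed inline so the script runs offline; use
load_snapshot() on the real directories."""
import os
import sys


def load_snapshot(dirpath):
    """Map filename -> contents for every .txt file in a snapshot directory.
    cmd.exe redirection writes the OEM code page, so decode leniently."""
    snap = {}
    for name in os.listdir(dirpath):
        if name.lower().endswith(".txt"):
            with open(os.path.join(dirpath, name), encoding="cp437", errors="replace") as fh:
                snap[name.lower()] = fh.read()
    return snap


def parse_netstat(text):
    """'netstat -an' -> set of (proto, local, remote, state); UDP rows have no state."""
    entries = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            entries.add((parts[0], parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
    return entries


def parse_pslist(text):
    """'pslist' -> set of lower-cased process names.  PIDs change across reboots,
    so only names are compared (a row is one whose second column is the PID)."""
    return {parts[0].lower() for parts in (l.split() for l in text.splitlines())
            if len(parts) >= 2 and parts[1].isdigit()}


def line_diff(before_text, after_text):
    """Lines present only after / only before (order-insensitive)."""
    before, after = set(before_text.splitlines()), set(after_text.splitlines())
    return sorted(after - before), sorted(before - after)


def compare(before, after):
    """before/after: dicts of filename -> contents.  Returns a report dict."""
    new_net = parse_netstat(after.get("netstat.txt", "")) - parse_netstat(before.get("netstat.txt", ""))
    ps_before, ps_after = parse_pslist(before.get("pslist.txt", "")), parse_pslist(after.get("pslist.txt", ""))
    report = {
        "new_listeners": sorted(e for e in new_net if e[3] == "LISTENING" or e[0] == "UDP"),
        "new_connections": sorted(e for e in new_net if e[0] == "TCP" and e[3] != "LISTENING"),
        "new_processes": sorted(ps_after - ps_before),
        "gone_processes": sorted(ps_before - ps_after),
        "other_changes": {},
    }
    for name in sorted(set(before) | set(after)):
        if name in ("netstat.txt", "pslist.txt"):
            continue
        added, removed = line_diff(before.get(name, ""), after.get(name, ""))
        if added or removed:
            report["other_changes"][name] = {"added": added, "removed": removed}
    return report


# Constructed sample snapshots (Windows 2000 output formats, trimmed).
NETSTAT_BEFORE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""
NETSTAT_AFTER = NETSTAT_BEFORE + """  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:4444        198.51.100.7:51234     ESTABLISHED
"""
PSLIST_BEFORE = """Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0   0:05:12.031     0:00:00.000
System                8   8  39  213      0   0:00:07.562     0:00:00.000
winlogon            168  13  17  352   1900   0:00:00.343     0:05:40.000
services            192   9  29  481   1540   0:00:01.109     0:05:39.000
"""
# winlogon gets a new PID after a reboot; svch0st is a constructed newcomer.
PSLIST_AFTER = PSLIST_BEFORE.replace("winlogon            168", "winlogon            172") + \
    "svch0st             812   8   3   41    324   0:00:00.015     0:00:12.000\n"
REG_RUN_BEFORE = """HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
"""
REG_RUN_AFTER = REG_RUN_BEFORE + "    Updater    REG_SZ    C:\\WINNT\\system32\\svch0st.exe\n"

BEFORE = {"netstat.txt": NETSTAT_BEFORE, "pslist.txt": PSLIST_BEFORE, "reg_run.txt": REG_RUN_BEFORE}
AFTER = {"netstat.txt": NETSTAT_AFTER, "pslist.txt": PSLIST_AFTER, "reg_run.txt": REG_RUN_AFTER}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        BEFORE, AFTER = load_snapshot(sys.argv[1]), load_snapshot(sys.argv[2])
    for key, value in compare(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

Run it as `python compare_snapshots.py c:\snap\before c:\snap\after` on the real directories. Two caveats when reading the output: the event-log, MRU and netstat files change on any live box (TIME_WAIT churn, normal logons), so `other_changes` and `new_connections` need a human eye, and everything here comes from tools run on the suspect box itself, which a kernel-level rootkit can lie to; the bridge's packet capture is the independent record to check the netstat findings against.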

  #28 lund99 (Senior Member, joined Feb 2010, 142 posts)

    Thanks for more assistance, rooster; I really appreciate the help you are giving me.

    So I've decided to split the project into several parts instead of trying to implement a complete professional honeynet all at once.

    Part one is just the bridge box and the W2K box; I will check processes, services, files etc. before and after to see what has changed during the attack on the box.

    Since the W2K box will be rather out of date and unpatched, I have estimated a 7-day period for the first part; this should be enough to generate some (un)wanted action on the box and give me some activity to analyze afterwards.

    For part 2 I will implement Snort, add another box to the honeynet (probably a Linux box of some sort) and patch up the W2K box a bit to make it a bit harder to hack. I haven't decided on the uptime of this net yet, but I'm guessing 20 days at least, probably more.

    Now if that works like I hope, I will take on some forensics challenges and see what I can learn from the activities on both boxes while I take some time to think about whether or not to take the project to a third stage with more boxes in a more advanced environment.

    Either way, part 1 will start in a day or two and I'm really looking forward to seeing what might happen.

  #29 Senior Member (joined Apr 2008, 2,008 posts)

    Quote (lund99): "either way, part 1 will start in a day or two and I'm really looking forward to see what might happen"

    A honeypot/honeynet is something that I have been interested in setting up for quite a while already, but I have kept postponing it due to the lack of extra hardware to set aside for the task.

    Once you get your project started, I for one would therefore be really interested in hearing a bit about your findings, either in this thread or a new one.
    -Monkeys are like nature's humans.

  #30 lund99 (Senior Member, joined Feb 2010, 142 posts)

    Yeah, I've been playing with the idea myself for quite a while, and now I'm fortunate enough to be able to borrow most of the equipment I need from my employer, so I decided to get started.

    I will share anything of interest in this forum. I am also considering creating a new thread to make it easier to keep track of my findings and the current status of my honeynet project.

    If I create a new thread, the link for it will be posted here; if I don't create a new thread, I will just post everything of interest in this thread.
