
Thread: honeypots .. any experience?

#31, =Tron= (Senior Member; joined Apr 2008; 2,008 posts)

    Quote Originally Posted by lund99:
    I will share anything of interest in this forum. I am also considering creating a new thread to make it easier to keep track of my findings and the current status of my honeynet project.

    If I create a new thread, the link for it will be posted here; if I don't create a new thread I will just post everything of interest in this thread.
    Great to hear, even though I fear that if you do find something interesting it will only fuel my interest in carrying out the same test myself. I have also been thinking about adding an additional open, or probably WEP encrypted, wireless access point to my planned honeynet. Not to sniff passwords or anything like that; I would probably just cut off WAN access completely anyway and intercept what type of internet pages my "visitors" would try to access. But mainly to check how widespread the cracking and exploitation of WEP encrypted networks is over where I live. For this I would naturally need a quite powerful AP, but since I live in a rather densely populated area I do figure that even with a normal AP placed by the window with a parabolic reflector attached to the antenna I would reach quite a lot of people around me.

    However, I do think a new thread would be the best way to go as your findings might spawn some additional discussions that would not fit well under the heading of the current thread.
    -Monkeys are like nature's humans.

#32, lund99 (Senior Member; joined Feb 2010; 142 posts)

    Quote Originally Posted by =Tron=:
    However, I do think a new thread would be the best way to go as your findings might spawn some additional discussions that would not fit well under the heading of the current thread.
    I think you're right; I'll probably create one thread to keep track of the status of the honeynet project while keeping this thread moving with the discussion of a proper honeynet setup and the support questions related to that matter.

    I really hope I find something to make you decide to create a honeynet of your own, because it would be nice to track the progress of other people's honeynets as well and be able to compare findings.

    That WEP idea of yours sounds interesting, though. It could generate some really interesting results if your wifi is able to cover a large and densely populated area. Have you given any thought to how you would monitor and log the wifi? I'm just wondering if you would use whatever feature is implemented in your AP or if you had anything else in mind.

#33, =Tron= (Senior Member; joined Apr 2008; 2,008 posts)

    Quote Originally Posted by lund99:
    That WEP idea of yours sounds interesting, though. It could generate some really interesting results if your wifi is able to cover a large and densely populated area. Have you given any thought to how you would monitor and log the wifi? I'm just wondering if you would use whatever feature is implemented in your AP or if you had anything else in mind.
    I really haven't given it so much thought yet, as it is still all in the planning state until I get some spare cash. I would probably start by checking out what kind of modded firmwares there are out there and how extensive the log features they provide are. I believe that this would be the easiest way to implement it, as the router could take care of all the work itself.

    On the other hand I would still need a tap between the router and my honeynet, as I naturally would want my guests to be able to access the rest of my honeynet using the WLAN connection, and be able to track their actions. The logs of this tap would also most likely be easier to read some interesting information out of, as they would not be littered with botnet spam or other kinds of automated attacks.
    -Monkeys are like nature's humans.

#34, lund99 (Senior Member; joined Feb 2010; 142 posts)

    Sounds like a great idea, and you would not have to worry about all the annoying botnet scans and script kiddie attempts at all, but whether you would get any hits past your AP is another question. Maybe if you made your AP appear to be part of an enterprise network by giving it an SSID designed to make any nearby hackers interested.

    But, back to my W2K box: I've set it up with IIS now, and I'm guessing this will be the primary entry point for any hackers that will give it a shot. Now I understand that IIS can write pretty detailed activity logs and that I can select what to log and what not to log.
    I've read that IIS's default logging setup does not log commands that are run from cmd.exe if a hacker manages to gain shell access through this service. Does anyone know how to enable such logging, so I can read any commands entered if a hacker manages to spawn a command shell through IIS?

#35, the_rooster (Junior Member; joined Apr 2008; 25 posts)

    I've only played around with it a little bit, but you can use Sebek for that. It's a client/server app designed to capture cmd.exe usage. The client gets installed on your W2K box and sends UDP packets to the third interface of your bridge box, where the server side of the app is listening. The client is supposed to be very difficult to detect, and the server side has a variety of logging options.

    You will see firewall rules related to it in the script I posted, for allowing the honeypot boxes to send UDP on port 1101 to the third interface, and nothing else. Which reminds me: you may want that big old noisy switch you mentioned earlier to segment off your third interface for remote access, and make the honeypot boxes have to go through the bridge to get to it, so that you can drop everything else.

#36, lund99 (Senior Member; joined Feb 2010; 142 posts)

    Thanks for the tip; I will definitely look into it later on today.

    I decided not to go for the Cisco switch, at least for part one of the honeynet.
    The main reason is that I don't think it's too necessary for such a small honeynet. Maybe I will reconsider it for part 2 or 3 if I get that far, but for now I'll settle with a normal 5-port Linksys switch, since there is only one machine on the honeynet side of the bridge so far.

    But I'm getting real close now; the first part of the honeynet will go live either after work today or tomorrow. I know it's been slow progress, but I've had a lot to do at work, so I haven't had the motivation to sit in front of a computer in my spare time when I do it at work for 8-12 hours a day.

    Either way, the current status is that I'll have to gather some tools and create a forensic script, much like the one the_rooster posted earlier, to run before the W2K box goes online and after, and I'll have to configure tcpdump on my bridge to get the traffic logs going smoothly. On top of that I'll also look into Sebek later on today to see how it is set up, and if it doesn't look too complex I'll also add that to the mix.

#37, lund99 (Senior Member; joined Feb 2010; 142 posts)

    So I made the mistake of having my W2K box online for about 5 minutes yesterday, and it was all that was needed for the Alexa toolbar to install itself and also the regfix.com spam message to appear (check: http://phorums.com.au/archive/index.php/t-149887.html ).

    That kind of messed up my project a bit, since I haven't had the chance to run any forensic scripts yet to get the info I want from a clean W2K box.
    But do you think I should reinstall W2K on this box to get it right? I'm not sure if these two spyware/spam incidents will have too much effect on the computer setup.

    Either way, I downloaded Spybot and removed it quickly.

    I'm also considering immunizing the W2K box with Spybot to avoid as much spam of this sort as possible, considering that I really want a real live person taking control of the box and not just a ton of spyware. What do you think?

#38, =Tron= (Senior Member; joined Apr 2008; 2,008 posts)

    I think that you will probably be fine after a sweep with a few anti-spyware programs. After all, as you say, you are not interested in the damage done by bots, so this incident should not spoil your project in any way. But on the other hand, if you want to make sure that you start off with an absolutely clean slate, reinstalling W2K won't really take too long.

    I think that it is a good idea to set up the box with some sort of live anti-spyware program to filter out a bit of all the spam and bot traffic. Just make sure that it doesn't implement any anti-intrusion features, as you probably want to make it as easy as possible for any 1337 hacker to get in.
    -Monkeys are like nature's humans.

#39, Member (joined Aug 2007; 468 posts)

    After you clean your Win2K box, I'd run CloneZilla or VMware Converter and create a base image you can revert to.

    Also have a look at AutoPatcher 2000, so you can patch the box to whatever level you want without putting it on the network ;)

#40, lund99 (Senior Member; joined Feb 2010; 142 posts)

    I decided to re-install to have a completely spyware-free machine to put online. All that's left for me now is to check out Sebek like the_rooster suggested, get snort_inline up and running on the bridge, and get a tcpdump going there as well. I'm hoping that I can finish all of this today and put the system online, because I'm getting somewhat impatient here.

    But thanks for the replies. When I'm done reinstalling, I will put Spybot on the W2K to avoid most of the bot traffic, but that's all. Like Tron says, I don't wanna give the 1337s too much trouble.

    And I will definitely check out CloneZilla and VMware Converter as well; those sound like some really useful tools for a project like this, considering I'll have to reinstall each time I move the project to the next stage.

    EDIT:

    Progress is a slow process indeed.

    the_rooster is giving me great help via PM to understand his scripts better to make everything right. However, a power failure set me back yesterday and I did not get to do half of what I expected, so I'm still not quite ready to put the honeynet online, but I'm gonna focus all my time and energy this weekend on this project, and hopefully I will have a nice little honey running by tomorrow or Sunday.


    UPDATE:

    Just a quick status update here. I'm pretty far behind my planned schedule due to some unforeseen setbacks, but I'm not too far away from setting the project online either.

    What I've done so far:

    - put snort_inline on my bridge box
    - adopted the firewall script the_rooster posted on page 2, and also the stop/start script he made for Snort and iptables
    - put Sebek on the W2K box
    - put Sebek on the bridge (not completely configured yet)
    - reinstalled W2K on the box and installed Spybot to avoid annoying spam bot traffic
    - installed 3 NICs on my bridge: one is dedicated to SSH, the other two are for the bridge

    What still needs completion:

    - Sebek configuration on host and guest
    - fine-tuning the_rooster's scripts, as they are not written for BT3 (the first script works fine (almost), but the second script gives an error in the line where it tries to run /lib/lsb/linitfunctions, as this is not the proper path for BT3, or it might not be on BT3 at all. I'm not sure what initfunctions is, so this part remains to be resolved)
    - writing the forensic script that I'm supposed to run on the W2K box before it's put online; half of this job is done already and I don't expect any major challenges here

    On top of this I'm having some issues with the firewall script the_rooster supplied me with: when I run it, it blocks any incoming/outgoing connections because of the iptables rules. I thought this would not be the case once snort_inline was in place, but it still is. Even the eth2 NIC I've dedicated to SSH sessions is blocked, so I can't control the bridge remotely either. Hope to work this out soon.

    Anyway, that was an update for those of you that are following this thread. I know I said I would have the honeypot online by now, but, well, I'm not that skilled with Linux/BT3 yet, so I've had a lot of unnecessary setbacks that would not be an issue if I knew my way around Linux a bit better.
    But I'm hoping that working on this project will help me along the way, though.
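A firewall layout of the kind the_rooster describes in #35 (the honeypot boxes may send UDP/1101 to the bridge's third interface and nothing else) that also keeps the management NIC reachable, which is where lund99 is stuck in #40. This is an added example, not the_rooster's page-2 script or anything posted in the thread. The interface names, the 10.0.0.0/24 management network, the 192.168.1.0/24 honeypot network and the Sebek sink address are assumptions to adjust; the script assumes the Sebek server receives on a socket at that address rather than sniffing with libpcap (if it sniffs, the INPUT rule for UDP/1101 is simply unused).

```shell
#!/bin/sh
# Added example of an iptables policy for a three-NIC honeynet bridge running
# snort_inline and a Sebek server. NOT the_rooster's page-2 script.
# Assumed layout (not stated in the thread): eth0 and eth1 are enslaved to
# bridge br0 and carry no IP address, eth2 is the management NIC at 10.0.0.1/24,
# and the honeypot(s) live in 192.168.1.0/24 on the far side of the bridge.
# With DRY_RUN=1 the iptables commands are printed instead of executed, so the
# policy can be reviewed on any box before it is applied as root on the bridge.
set -u

BR_IF=${BR_IF:-br0}
MGMT_IF=${MGMT_IF:-eth2}
MGMT_NET=${MGMT_NET:-10.0.0.0/24}       # where SSH sessions come from
HONEY_NET=${HONEY_NET:-192.168.1.0/24}  # honeypot side of the bridge
SEBEK_SINK=${SEBEK_SINK:-10.0.0.1}      # address the Sebek server listens on
SEBEK_PORT=${SEBEK_PORT:-1101}          # UDP port the Sebek clients send to
DRY_RUN=${DRY_RUN:-0}

# Execute an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

flush_rules() {
    ipt -F
    ipt -X
}

# INPUT/OUTPUT: traffic to and from the bridge host itself.
host_rules() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Remote control: SSH only, only on the management NIC, only from MGMT_NET.
    # Without an explicit INPUT rule like this the default policy drops it.
    ipt -A INPUT -i "$MGMT_IF" -s "$MGMT_NET" -p tcp --dport 22 -j ACCEPT
    # Sebek: honeypots may send UDP/1101 to the sink, and nothing else to the host.
    ipt -A INPUT -i "$BR_IF" -s "$HONEY_NET" -d "$SEBEK_SINK" \
        -p udp --dport "$SEBEK_PORT" -j ACCEPT
    # Anything the bridge host itself starts leaves via the management NIC only.
    ipt -A OUTPUT -o "$MGMT_IF" -j ACCEPT
    # Log the rest before the policy drops it, so a lock-out shows up in syslog.
    ipt -A INPUT -j LOG --log-prefix 'BRIDGE-IN-DROP: '
}

# FORWARD: everything crossing the bridge is handed to snort_inline (ip_queue).
bridge_rules() {
    ipt -P FORWARD DROP
    # Never pass traffic between the management NIC and the honeynet.
    ipt -A FORWARD -i "$MGMT_IF" -j DROP
    ipt -A FORWARD -o "$MGMT_IF" -j DROP
    # Sebek traffic must not leak to the WAN side where an attacker could see it.
    ipt -A FORWARD -p udp --dport "$SEBEK_PORT" -j DROP
    ipt -A FORWARD -j QUEUE
}

main() {
    flush_rules
    host_rules
    bridge_rules
}

# Apply (or print) only when invoked as "bridge-fw.sh apply"; sourcing the
# file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run `DRY_RUN=1 sh bridge-fw.sh apply` first to read the rule set, then `sh bridge-fw.sh apply` as root on the bridge. Two details matter for the lock-out described in #40: snort_inline only ever sees the FORWARD chain (the `-j QUEUE` target), so it has no say over what the bridge host accepts on INPUT, and the SSH rule has to be opened there explicitly; and the LOG rule ahead of the DROP policy turns a silent hang into a line in syslog, which is how you find out which rule is missing.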
