
Thread: Honeynet project status thread

  1. #1
    lund99 (Senior Member, joined Feb 2010, 142 posts)

    Honeynet project status thread

    OK, so I finally got the thing going and decided it was best to create a thread dedicated to the status of my project and keep the other one going as a Q&A thread.

    Right now I've just deployed a virtual honeynet using VMware Workstation consisting of one unpatched Windows 2000 Professional guest and one Honeywall guest.

    As it is just launched, there's nothing to report yet, but I will keep you posted about whatever I might find interesting. Stay tuned.

    Also, I'd appreciate all support & traffic to my blog, The Honeyproject.


    EDIT: Windows 2000 Pro unpatched was a hilarious little experiment which got infected by thousands of worms in a matter of minutes. That project was scrapped within hours and I moved on to a Windows 2003 x64 Enterprise and a Honeywall, still under VMware.

  2. #2
    Good friend of the forums (joined Feb 2010, 328 posts)

    You may also want to look at nepenthes (http://nepenthes.mwcollect.org/download). It's a bit over my head, but..

  3. #3
    lund99 (Senior Member, joined Feb 2010, 142 posts)

    Yeah, I'll try to look into that, but I gotta take it one step at a time, so it'll probably take a while.

  4. #4
    Good friend of the forums (joined Feb 2010, 328 posts)

    Let me know if you get into it. There is a site that tracks the bins, but you have to be a member and I never could get anywhere with it.. Basically, if you could rev the code then you got the latest bleeding 0day malware, and that's no good for skids.

    I also watched this a while back.. Also search videos for malware and honeypots; you get some crazy ideas.

    http://video.google.com/videoplay?do...57023578163321
    http://video.google.com/videoplay?do...42832546263615

  5. #5
    lund99 (Senior Member, joined Feb 2010, 142 posts)

    Quote originally posted by operat0r:
        Let me know if you get into it. There is a site that tracks the bins, but you have to be a member and I never could get anywhere with it.. Basically, if you could rev the code then you got the latest bleeding 0day malware, and that's no good for skids.

        I also watched this a while back.. Also search videos for malware and honeypots; you get some crazy ideas.

        http://video.google.com/videoplay?do...57023578163321
        http://video.google.com/videoplay?do...42832546263615

    I think that it might be a bit out of my league for the moment. But I will definitely look into it once I get a better understanding of the different topics involved with honeynets.

    Thanks for the idea though, operat0r, and I will check out those vids in a little while..


    I actually ditched my entire honeynet yesterday. It turned out that monitoring an unpatched W2K machine was no fun, as it got compromised by worms etc. in about three minutes.

    I actually tried to do a fresh W2K install and go straight to Windows Update to get it patched & protected, and it still got compromised before the first patch had begun downloading.

    Therefore I'm moving on to a little more complex set-up.

    To give you the basics of my new honeynet, it will look something like this (keep in mind these are all VMware machines):

    First of all, I've got the Honeywall to monitor and log, and if necessary control, the amount of data which is able to leave the honeypot.

    The honeypot I'm about to implement now is a W2003 x64 Enterprise, fully patched and updated.

    Also, I'm considering putting one last box into the mix. This time I want a Linux box of some sort, and I want it to be vulnerable to exploits etc., but I don't want it to be open for worm traffic etc. (which I suspect won't be as big of an issue with Linux as it was with W2K anyway).. But since I'm not sure which distro and which version to use here, I was hoping you guys had some suggestions for me?


    Anyway, be sure to follow my blog, The HoneyProject, as this is where I will post most of the info regarding my honeynet, the data captured, screens etc..

    I will naturally keep this thread moving as well, but it is easier to publish it all in one location, so that is why I decided to start a blog in the first place.
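The post above describes the Honeywall's role as "data control": the honeypot is allowed to be attacked, but the number of new connections it can open toward the outside is capped so a compromised guest cannot be turned against third parties at full speed. The following simulation is an added example written for this thread, not code from the Honeynet Project or from the Honeywall distribution. It implements a per-protocol sliding-window limiter over a constructed sequence of outbound connection attempts; the limit values (15 TCP, 20 UDP, 50 ICMP, 15 other per hour) and the honeypot address 192.0.2.10 are illustrative assumptions, not Honeywall's configuration.

```python
"""Simulated outbound connection limiting for a honeypot (added example).

Idea borrowed from the Honeywall 'data control' concept: count new outbound
connections per protocol in a sliding window and drop anything over the cap.
This is a model of the policy, not the real iptables-based implementation.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# (time_seconds, honeypot_ip, protocol, destination, verdict)
Decision = Tuple[float, str, str, str, str]

# Assumed illustrative per-hour limits, NOT Honeywall defaults.
DEFAULT_LIMITS: Dict[str, int] = {"tcp": 15, "udp": 20, "icmp": 50, "other": 15}


class OutboundLimiter:
    """Allow at most `limits[proto]` new outbound connections per window."""

    def __init__(self, limits: Dict[str, int], window_seconds: int = 3600):
        self.limits = limits
        self.window = window_seconds
        # (honeypot, proto) -> timestamps of connections allowed in the window
        self._events: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.decisions: List[Decision] = []

    def _limit_for(self, proto: str) -> int:
        return self.limits.get(proto, self.limits.get("other", 0))

    def check(self, ts: float, honeypot: str, proto: str, dst: str) -> bool:
        """Return True if this new outbound connection is allowed, else False."""
        window = self._events[(honeypot, proto)]
        # Slide the window: forget allowed connections older than window_seconds.
        while window and ts - window[0] >= self.window:
            window.popleft()
        if len(window) >= self._limit_for(proto):
            self.decisions.append((ts, honeypot, proto, dst, "DROP"))
            return False
        window.append(ts)
        self.decisions.append((ts, honeypot, proto, dst, "ALLOW"))
        return True


def build_sample_attempts() -> List[Tuple[float, str, str, str]]:
    """Constructed scenario: a compromised honeypot starts scanning outward."""
    honeypot = "192.0.2.10"  # assumed honeypot address
    attempts = []
    # 25 TCP/445 connection attempts in 25 seconds (worm-like spread)
    for i in range(25):
        attempts.append((float(i), honeypot, "tcp", f"203.0.113.{i + 1}:445"))
    # a few DNS lookups, which stay well under the UDP cap
    for i in range(3):
        attempts.append((30.0 + i, honeypot, "udp", "198.51.100.53:53"))
    # one more TCP attempt after the hour has passed: the window has cleared
    attempts.append((3700.0, honeypot, "tcp", "203.0.113.200:445"))
    return attempts


def run_simulation(limits: Optional[Dict[str, int]] = None,
                   window_seconds: int = 3600) -> Dict[str, object]:
    """Run the constructed scenario through the limiter and summarize it."""
    limiter = OutboundLimiter(limits or DEFAULT_LIMITS, window_seconds)
    verdicts = [limiter.check(*attempt) for attempt in build_sample_attempts()]
    return {
        "allowed": verdicts.count(True),
        "dropped": verdicts.count(False),
        "decisions": limiter.decisions,
    }


if __name__ == "__main__":
    result = run_simulation()
    print(f"allowed={result['allowed']} dropped={result['dropped']}")
    for ts, hp, proto, dst, verdict in result["decisions"]:
        print(f"t={ts:7.1f} {hp} {proto:4s} -> {dst:22s} {verdict}")
```

With the assumed limits the scan burst is cut off after the fifteenth TCP connection, the DNS traffic passes untouched, and the attempt an hour later is allowed again because the window has slid past the burst. A real deployment would also log the dropped attempts, since a honeypot that suddenly hits its outbound cap is itself a strong compromise indicator.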

  6. #6
    streaker69 (Senior Member, joined Jan 2010, 3,535 posts; location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA)

    Hey, I just happened across this: http://www.snort.org/dl/contrib/patc...it_and_switch/

    Thought you might be interested in it.

    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  7. #7
    lund99 (Senior Member, joined Feb 2010, 142 posts)

    Wow, cool concept! Thanks a lot for the heads-up, streaker.

    If that project turns out to work, it could definitely be a huge success!

    Thanks a lot to everyone tipping me about things like these and everyone who has helped me out with my project so far. Without remote-exploit.org I wouldn't even know where to begin.

  8. #8
    imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    Something that should be of interest to you is the talk Alex Muentz gave at The Last HOPE, explaining some pertinent legal information for honeypot/net operators.

    Do an internet search for "Botnet Research, Mitigation and the Law" for the video recording... you might be in for a surprise.

    dd if=/dev/swc666 of=/dev/wyze

  9. #9
    lund99 (Senior Member, joined Feb 2010, 142 posts)

    Thanks for all the feedback. I will definitely check out all of your tips once I get the time.

    Right now I'm kinda swamped (is that a term??) with getting myself used to working with Honeywall, understanding Snort data and managing my honeypot.

    Below is an excerpt from a post I just made on my blog. The screenshot I'm referring to in the post below can be found on my site.

    OK, just to give you an impression of what a Snort incident looks like when you review it from the Honeywall Walleye GUI.

    What you see here is nothing special, just an automated SQL worm attempt, logged by Snort, which is implemented in Honeywall.
    There are several sub-features in this menu: you can download the flow in .pcap format to analyze in Wireshark, or get more details from the Snort data.

    So far this is the only traffic I have seen as well, and it will probably remain like this for a little while.
    I will keep updating regularly as I learn more about the usage of Honeywall, Snort and Walleye. Hopefully I will, in the end, be able to release a complete guide showing how to set up a virtual honeynet and analyze data.


    But that little project will probably take its time, as I want to learn as much as possible on my own before I start writing any guides.
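The post above reviews a single Snort incident in Walleye; once the sensor has been up for a while, the useful questions become "which signatures fire most", "which sources keep coming back" and, most importantly, "has the honeypot itself started generating alerts outbound". The script below is an added example for this thread, not code from the Honeynet Project, Snort or Walleye. It parses lines in Snort's "fast" alert format and produces that triage summary. The alert lines are constructed sample data (the MS-SQL worm message mirrors the classic Snort signature, but timestamps, addresses and the local test rule are made up), and the honeypot address 192.0.2.10 is an assumption.

```python
"""Parse Snort 'fast' alert lines and summarize them for honeynet triage (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample alerts in Snort 'fast' format; not captured data.
SAMPLE_ALERTS = """\
03/01-14:22:01.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.0.2.10:1434
03/01-14:22:01.523456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.0.2.10:1434
03/01-14:23:11.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.0.2.10:1434
03/01-14:25:40.777777  [**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.10:1434 -> 203.0.113.99:1434
03/01-14:26:02.000000  [**] [1:1000001:1] HONEYNET TEST local rule [**] [Priority: 3] {TCP} 203.0.113.8:51000 -> 192.0.2.10:80
this line is not an alert and must be skipped
"""

# One alert per line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then src[:port] -> dst[:port]. ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Alert(
        timestamp=d["ts"], gid=int(d["gid"]), sid=int(d["sid"]), rev=int(d["rev"]),
        msg=d["msg"], classification=d["cls"], priority=int(d["prio"]),
        proto=d["proto"], src=d["src"],
        sport=int(d["sport"]) if d["sport"] else None,
        dst=d["dst"], dport=int(d["dport"]) if d["dport"] else None,
    )


def parse_alerts(text: str) -> List[Alert]:
    """Parse a whole alert file, silently skipping non-alert lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a is not None]


def summarize(alerts: List[Alert], honeypot_ips: Set[str]) -> Dict[str, object]:
    """Triage view: counts by signature, by external source, and outbound alerts.

    Anything whose source is a honeypot address is flagged separately: a honeypot
    that starts triggering signatures toward the outside is very likely compromised.
    """
    by_signature = Counter((a.sid, a.msg) for a in alerts)
    by_source = Counter(a.src for a in alerts if a.src not in honeypot_ips)
    outbound = [a for a in alerts if a.src in honeypot_ips]
    return {"by_signature": by_signature, "by_source": by_source, "outbound": outbound}


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS), {"192.0.2.10"})  # assumed honeypot IP
    for (sid, msg), n in summary["by_signature"].most_common():
        print(f"{n:4d}  sid {sid}: {msg}")
    for src, n in summary["by_source"].most_common():
        print(f"{n:4d}  from {src}")
    for a in summary["outbound"]:
        print(f"OUTBOUND from honeypot at {a.timestamp}: sid {a.sid} {a.msg} -> {a.dst}")
```

The same parser works on the `alert` file Snort writes with `-A fast`; point `parse_alerts` at its contents and pass the real honeypot addresses to `summarize`. The outbound list is the one worth paging someone about, because on a honeynet inbound noise is expected and outbound activity is the signal.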

  10. #10
    imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    Quote originally posted by cormega:
        Thanks for all the feedback. I will definitely check out all of your tips once I get the time.

        Right now I'm kinda swamped (is that a term??) with getting myself used to working with Honeywall, understanding Snort data and managing my honeypot.

        Below is an excerpt from a post I just made on my blog. The screenshot I'm referring to in the post below can be found on my site.

    Well, once again, I would research the legal implications of running a honeynet first, so that you do not accidentally commit several felonies (assuming you are from the U.S., that is).

    dd if=/dev/swc666 of=/dev/wyze
