Slashdot Mirror


Fun Things To Do With Your Honeypot System

An anonymous reader writes "Whitedust is running an interesting article on honeypots and their uses. From the article: 'Most papers deal with the potential gains a honeypot can give you, and the proper way to monitor a honeypot. Not very many of them deal with the honeypots themselves... Honeypots can be used to ensnare and beguile potential hackers; entice them to give you more research information, and actively defend your production network.'" From the article: "Once an attacker has taken all the trouble to set up shop on your honeypot, he'll probably want to see what else there is to play with. If your honeypot is like most traditional honeypots, there's not much for an attacker to do once he gets in. What you really want is for the attacker to transfer down all the other toys in his arsenal so you can have a copy as well. Giving an attacker additional targets with various operating systems and services can help him decide to give you his toys. The targets can be real, but you'll get almost as much mileage if they're simulated. A good place to start is to put a phantom private network up hung off the back of the honeypot."


  1. Nice... by Anonymous Coward · · Score: 2, Interesting
    Nice article.

    What with the rumours that McKinnon was caught by a US Military honeypot, it's interesting to read what can be done with such systems.

  2. And a fun way to get free warze. by LWATCDR · · Score: 5, Interesting

    Just put an unpatched Win 98 box naked on the Internet and wait. You will soon have a hard drive full of porn and warez.

    Actually it sounds like fun. Throw up VMWare and a few images and you could make an entire virtual network for a hacker to go nuts over.
    Add in a PDP-11 emulator, some hacked NASA and Air Force sites, a fake database or two, some Word documents showing that the US has a secret base in the middle of the Everglades.....
    could be fun.
    Sounds like a great Hacker DnD game. Get a bunch of people to set up these things and the game is to find out what is going on. :)

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    1. Re:And a fun way to get free warze. by tfried · · Score: 3, Interesting

      A place I once worked at had a dozen or so entirely unpatched Win98 boxes connected directly to the net - for years. And guess what? Of course I wouldn't have trusted those boxes one inch, but I've never heard of any hacking troubles with those boxes, either (ok, neither IE nor Outlook were used on those computers, but other than that, no protection at all).

      Yes, Win98 may be seriously vulnerable in hundreds of ways (even though it has hardly any networking functionality), but it just isn't targeted nowadays, in my experience. Try the same thing with WinXP, and you're compromised in less than a minute.

    2. Re:And a fun way to get free warze. by winkydink · · Score: 2, Interesting

      Actually, a lot of malware is already vmware-aware and avoids hosts running windows under vmware. More and more getting this functionality every day.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    3. Re:And a fun way to get free warze. by GC · · Score: 2, Interesting

      That is a load of crap, though I admit it will probably depend on your IP range.

      I routinely check a few Class-Cs and it takes around 5 minutes for a scan to appear on our firewall logs. Mostly port 1433 these days, which Win98 will quite happily drop.

      After about 30 minutes I *might* get a port 139 scan, which many Win98 installations will *still* drop.

      Cut the crap and the Microsoft bashing, I'm much more concerned about the spate of port 22 scans, and the brute force ssh password attacks going on right now.

    4. Re:And a fun way to get free warze. by Cid+Highwind · · Score: 2, Interesting
      Cut the crap and the Microsoft bashing, I'm much more concerned about the spate of port 22 scans, and the brute force ssh password attacks going on right now.


      Fail2ban is your friend. Throttle those ssh botnets down to a few login attempts per hour and eventually the operator will go after a less secure target.
      --
      0 1 - just my two bits
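The throttling Cid Highwind describes is fail2ban's maxretry/findtime idea: count failed logins per source inside a sliding time window and block the source once it crosses the threshold. The following is an added example, not code from the thread or from fail2ban itself; it replays the logic over constructed sshd auth-log lines (the IPs, hostnames and timestamps are made up), and the `ban_commands` helper only renders the iptables rules as strings rather than running them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd auth-log lines (not captured from any real host).
# 203.0.113.7 hammers the box, 198.51.100.23 makes a few tries, 192.0.2.9 is a
# slow attacker spacing attempts 30 minutes apart, and one successful login is
# mixed in so the parser has something to ignore.
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 honeypot sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 14 03:12:03 honeypot sshd[2313]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 14 03:12:05 honeypot sshd[2315]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Jan 14 03:12:07 honeypot sshd[2317]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 14 03:12:09 honeypot sshd[2319]: Failed password for invalid user guest from 203.0.113.7 port 51242 ssh2
Jan 14 03:12:11 honeypot sshd[2321]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 14 03:12:30 honeypot sshd[2323]: Failed password for invalid user oracle from 198.51.100.23 port 40001 ssh2
Jan 14 03:13:00 honeypot sshd[2325]: Failed password for invalid user oracle from 198.51.100.23 port 40003 ssh2
Jan 14 03:13:30 honeypot sshd[2327]: Failed password for invalid user oracle from 198.51.100.23 port 40005 ssh2
Jan 14 03:15:00 honeypot sshd[2330]: Accepted publickey for bill from 192.0.2.50 port 55000 ssh2
Jan 14 03:20:00 honeypot sshd[2340]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jan 14 03:50:00 honeypot sshd[2341]: Failed password for root from 192.0.2.9 port 60002 ssh2
Jan 14 04:20:00 honeypot sshd[2342]: Failed password for root from 192.0.2.9 port 60003 ssh2
Jan 14 04:50:00 honeypot sshd[2343]: Failed password for root from 192.0.2.9 port 60004 ssh2
Jan 14 05:20:00 honeypot sshd[2344]: Failed password for root from 192.0.2.9 port 60005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_timestamp(month, day, time, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {month} {day} {time}", "%Y %b %d %H:%M:%S")


def find_brute_forcers(log_text, maxretry=5, findtime_s=600, year=2024):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside a
    sliding findtime_s window, mirroring fail2ban's maxretry/findtime settings."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # not a failed-password line
        ip = m["ip"]
        if ip in banned:
            continue                      # already decided; fail2ban would be dropping it
        ts = parse_timestamp(m["month"], m["day"], m["time"], year)
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()                   # drop failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def ban_commands(banned):
    """Render the rules fail2ban's default iptables action would add.
    The strings are returned, not executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_AUTH_LOG)
    for ip, when in hits.items():
        print(f"{ip} exceeded the threshold at {when:%H:%M:%S}")
    print("\n".join(ban_commands(hits)))
```

With the defaults only 203.0.113.7 is caught, on its fifth failure at 03:12:09. The slow source 192.0.2.9 never has more than one failure inside a 600-second window, which is the trade-off the comment alludes to: a short findtime keeps false positives down but lets a patient botnet keep probing at a low rate, so the threshold and window have to be tuned together.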
  3. Heh. by Renraku · · Score: 2, Interesting

    Give them a virus that you wrote. Put a bunch of what appear to be self-extracting zip files in a directory and attach a virus to the extractor. Give them fun names, too. Like Montauk Project, Philadelphia Experiment, Roswell, etc.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    1. Re:Heh. by Jeremi · · Score: 2, Interesting
      Give them a virus that you wrote.

      On that note, has anyone done any security audits of the popular remote-exploit tools? It would be fun to write a "special" version of wu-ftpd 1.0 (or whatever) that recognizes when a particular tool is trying to exploit it, and responds by taking advantage of a bug in that tool to give you a root shell on the attacker's machine.... ;^)

      --

      I don't care if it's 90,000 hectares. That lake was not my doing.
  4. Re:Like I Have That Kind of Time by Ant+P. · · Score: 2, Interesting

    Sounds like a good idea for a livecd, actually.

  5. That was my experience in late-90s as well by billstewart · · Score: 4, Interesting
    I used to have a lab with a DSL line and a couple of quasi-honeypot machines on it. The Win95 (or was it Win98?) machine was never bothered; the RedHat 6 machine kept getting brutally attacked every week so after a few rebuilds I named it "kenny". Now, the Windows machine was partly not bothered because it wasn't doing anything interesting enough to be very vulnerable - there wasn't a web or FTP server, it wasn't sharing any disks or printers, I usually used Netscape browsers instead of IE, and if you did break in all you'd get for your trouble was a Windows machine. I had another Linux box on the network that was always running a scrolling tcpdump (AFAIK nobody ever bothered it - I had fewer services installed on it because it only had 500MB disk), and could see a variety of interesting traffic.
    • One week I saw it sending lots of pings to a university in Sweden. I checked with the admin there, who said it looked like my machine had been infected with Stacheldraht DDOS client and was reporting back to an infected machine at his site, and told me how to clean it up.
    • Another week the pings were to Washington University in St. Louis. I forget whether their machine had attacked mine or mine had attacked theirs, but either way it seemed appropriate since they'd probably used wuftpd to break in to my machine. Cleaned it up again.
    • Another week I did a "find" looking for something under root's home directory, and found a whole ~/.something directory I didn't recognize. I did an "ls", which couldn't find that directory - they'd replaced /bin/ls, but forgot to update the date stamp on the file, and also forgot to update the date stamp on /bin/ps. "ps" was hacked to not report the processes they were running from their hidden ~/.whatever directory - but "ls" wasn't hacked to hide things in /proc :-). So I cleaned up their semi-clever little rootkit.
    • After I cleaned up one of the latter two attacks, their next act was an "rm -rf /" on poor Kenny. Stupid thugs; at least they could have tried something interesting.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
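Bill Stewart's rootkit story turns on two checks that still work against userland rootkits: compare what a possibly trojaned `ps` reports with what the kernel exposes under /proc, and compare on-disk binaries against a baseline by content rather than by date stamp (the attacker in his case forgot to fix the mtime, but one who remembers defeats a date check and not a hash check). The following is an added example, not code from the comment or from any rootkit-detection tool; the `ps` output, /proc listing and binary contents are constructed stand-ins, and `live_hidden_pids` is the same comparison run against the local Linux host.

```python
import hashlib
import os
import re
import subprocess

# Constructed sample output of `ps -e -o pid=,comm=` as a trojaned ps might print
# it, with the intruder's own processes silently left out. Not real captured data.
SAMPLE_PS = """\
    1 init
  612 syslogd
  640 sshd
  701 httpd
 1337 bash
"""

# Constructed /proc directory listing taken at the same moment. The kernel still
# exposes every process there, so 2222 and 2223 appear even though ps hid them.
SAMPLE_PROC_ENTRIES = [
    "1", "612", "640", "701", "1337", "2222", "2223",
    "cpuinfo", "meminfo", "net", "self", "sys", "uptime",
]

# Constructed stand-ins for binary contents: a baseline taken at install time and
# the current on-disk copies after ls and ps have been swapped. Real use would
# read the files from disk; the point is that a digest catches the swap even
# when the attacker preserved the original mtime.
BASELINE_BINARIES = {"/bin/ls": b"original ls", "/bin/ps": b"original ps", "/bin/sh": b"original sh"}
CURRENT_BINARIES = {"/bin/ls": b"trojaned ls", "/bin/ps": b"trojaned ps", "/bin/sh": b"original sh"}

PS_LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def pids_from_ps(ps_text):
    """Map pid -> command name from `ps -e -o pid=,comm=` style output."""
    pids = {}
    for line in ps_text.splitlines():
        m = PS_LINE_RE.match(line)
        if m:
            pids[int(m.group(1))] = m.group(2)
    return pids


def pids_from_proc(entries):
    """Numeric /proc entries are live process ids; skip cpuinfo, self, etc."""
    return {int(e) for e in entries if e.isdigit()}


def hidden_pids(ps_pids, proc_pids):
    """Processes the kernel reports in /proc that the ps listing omits."""
    return sorted(proc_pids - set(ps_pids))


def file_digests(files):
    """sha256 of each file's contents; files is path -> bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def tampered_files(baseline_digests, current_digests):
    """Paths whose current digest differs from (or is missing in) the baseline."""
    return sorted(p for p, d in current_digests.items() if baseline_digests.get(p) != d)


def live_hidden_pids():
    """Run the /proc-versus-ps comparison on the host this runs on (Linux only).
    A process that exits between the two snapshots would look hidden, so each
    candidate is checked against /proc a second time before being reported."""
    proc = pids_from_proc(os.listdir("/proc"))
    out = subprocess.run(["ps", "-e", "-o", "pid=,comm="],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in hidden_pids(pids_from_ps(out), proc) if os.path.isdir(f"/proc/{p}")]


if __name__ == "__main__":
    print("hidden in sample:", hidden_pids(pids_from_ps(SAMPLE_PS), pids_from_proc(SAMPLE_PROC_ENTRIES)))
    print("tampered in sample:", tampered_files(file_digests(BASELINE_BINARIES), file_digests(CURRENT_BINARIES)))
```

Both checks only work because the rootkit in the story replaced userland binaries and left the kernel alone. A kernel-level rootkit that filters /proc itself gives the two views the same lie, and a baseline of digests is only worth as much as the copy you keep off the box, which is why the comparison belongs on a separate monitoring host (the tcpdump machine in Bill's setup) rather than on the honeypot being watched.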