Designed as a trap for attackers who try to access the network.
Any interaction with a honeypot points to a malicious activity.
E.g. free proxy servers, VPNs, WiFis...
Can be used by law enforcement to e.g. get the IP of attackers, or by malicious people to blackmail you.
IDP (intrusion detection and prevention) systems or admins can redirect intruders to a virtual machine acting as a honeypot.
Low-interaction honeypots
Mimic small number of applications and services that run on a system or network.
Capture information about network probes and worms.
Medium-interaction honeypots
Mimic real operating system, applications and services
Capture more data compared to low-interaction honeypots
High-interaction honeypots
Run real operating systems and applications
Gather information about the techniques and tools used in the attack.
Production honeypots
Mimic the organization's real production network, allowing more attacks
Help network admins take preventive measures to reduce the probability of an attack
Differs from high-interaction honeypots as they do not run real operating systems or applications.
Research honeypots
High-interaction honeypots
Mainly used by security analysts and researchers
Goal is to understand how the attack was performed
Goal is to avoid being trapped in a honeypot
Tools are used to detect honeypots that are installed on the network.
Well configured honeypot is nearly impossible to detect.
Best to target specific IPs known ahead of time to be valid machines.
Some giveaways (see discussions, paper):
They can be too good to be true, too obviously insecure, e.g. sitting near the DMZ.
No network traffic
Unrealistic configurations, e.g. an IIS server on Linux, odd file names, drivers (e.g. VMware defaults) etc.
An attacker can detect that it's running in a VM and disrupt the VM.
Performance degrades or it fails under a sustained attack because of e.g. insufficient bandwidth.
Logging instructions affect the total execution time of the attacker's commands.
There are some attempts to automate this, such as Honeypot Hunter (a commercial scanner) or using machine learning.
Setting up a proxy server as honeypot
🤗 This walkthrough is out of the exam's scope and is here only to give a better understanding.
Setup the honeypot
Install squid, the proxy server: yum install squid
Start squid: systemctl start squid
Start automatically on reboot (good for cloud machines): systemctl enable squid
Configure in vim /etc/squid/squid.conf:
Has ACL (access list) rules to e.g. allow source ip ranges and ports for access
People can now use the proxy server with its public IP and port 3128 as default.
It will be detected by automated crawlers on the internet that look for e.g. vulnerabilities.
Monitor the traffic using sniffing tools such as tcpdump or Wireshark
Create a named pipe (aka FIFO) file: mkfifo myPipe.fifo
Redirect the proxy server's packet capture into the local pipe file:
ssh root@<proxy-server-ip> "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > myPipe.fifo
-s 0: sets the snapshot length to the default of 262144 bytes per packet
-U: unbuffered output, write each packet as soon as it is captured
-n: don't convert addresses to names
-w: write raw packets to a file instead of parsing and printing them out.
-: means standard output, so it writes to standard output.
-i eth0: capture traffic on the eth0 interface
not port 22: filter out our own SSH connection to the server
Run wireshark-gtk -k -i myPipe.fifo to start Wireshark
You can now use the proxy using e.g. Firefox and see the traffic.
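The notes above make two points that a defender wants to turn into something operational: any interaction with the honeypot is suspicious by definition, and a proxy honeypot will be found quickly by automated crawlers. Besides sniffing with tcpdump, Squid itself writes an access.log, and triaging that log is the cheapest way to see who touched the honeypot and how. The following is an added example, not part of the notes or of the Squid project; it assumes Squid's default native access.log layout and uses constructed sample lines (the IPs are documentation addresses). The tags it assigns (connect-scan, relay-probe, high-rate, all-denied) are heuristics chosen for this example, not Squid features.

```python
"""Triage Squid access.log entries from a proxy honeypot (added example).

Assumes Squid's native log format:
  time elapsed client code/status bytes method URL ident hierarchy/peer type
The sample log below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

NATIVE_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: one ordinary-looking client and one automated
# open-proxy scanner probing CONNECT to several ports in quick succession.
SAMPLE_LOG = """\
1700000000.101    250 203.0.113.5 TCP_MISS/200 1523 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000001.305     12 198.51.100.7 TCP_DENIED/403 3672 CONNECT 198.51.100.99:25 - HIER_NONE/- text/html
1700000001.410     10 198.51.100.7 TCP_DENIED/403 3672 CONNECT 198.51.100.99:1080 - HIER_NONE/- text/html
1700000001.512     11 198.51.100.7 TCP_MISS/200 441 GET http://198.51.100.99/proxy-check.php - HIER_DIRECT/198.51.100.99 text/plain
1700000002.001     30 198.51.100.7 TCP_DENIED/403 3672 CONNECT 203.0.113.200:22 - HIER_NONE/- text/html
garbage line that should be skipped
"""


@dataclass
class ClientSummary:
    client: str
    requests: int = 0
    denied: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0
    connect_ports: set = field(default_factory=set)
    urls: list = field(default_factory=list)


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = NATIVE_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize(log_text):
    """Aggregate per-client activity: counts, timing, CONNECT targets, URLs."""
    clients = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than crash the triage
        s = clients.setdefault(rec["client"], ClientSummary(rec["client"], first_seen=rec["ts"]))
        s.requests += 1
        s.first_seen = min(s.first_seen, rec["ts"])
        s.last_seen = max(s.last_seen, rec["ts"])
        if rec["code"].startswith("TCP_DENIED") or rec["status"] == 403:
            s.denied += 1
        if rec["method"] == "CONNECT":
            # CONNECT host:port; remember the ports an attacker tried to tunnel to
            _, _, port = rec["url"].rpartition(":")
            if port.isdigit():
                s.connect_ports.add(int(port))
        s.urls.append(f'{rec["method"]} {rec["url"]}')
    return clients


def classify(s):
    """Heuristic tags for this example; every contact is suspicious on a honeypot."""
    tags = ["touched-honeypot"]
    if len(s.connect_ports) >= 2:
        tags.append("connect-scan")      # probing several tunnel targets
    if 25 in s.connect_ports:
        tags.append("relay-probe")       # classic open-relay / spam check
    if s.requests >= 3 and (s.last_seen - s.first_seen) <= 5.0:
        tags.append("high-rate")         # burst typical of an automated crawler
    if s.denied and s.denied == s.requests:
        tags.append("all-denied")        # never got past the ACLs
    return tags


def triage(log_text):
    """Rows of (client, request count, tags), busiest client first."""
    return sorted(
        ((c, s.requests, classify(s)) for c, s in summarize(log_text).items()),
        key=lambda row: -row[1],
    )


if __name__ == "__main__":
    for client, count, tags in triage(SAMPLE_LOG):
        print(f"{client:16} {count:3} requests  {', '.join(tags)}")
```

Point the script at the real file (on the CentOS-style install from the notes it is normally /var/log/squid/access.log) by reading it into `triage()`; on a honeypot even the "touched-honeypot" tag alone is worth an alert, since no legitimate user should be there.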