Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Fun Things To Do With Your Honeypot System

Posted by Zonk on Sun Jul 30, 2006 01:27 PM
from the more-than-just-keeping-bees dept.
Security IT
An anonymous reader writes "Whitedust is running an interesting article on honeypots and their uses. From the article: 'Most papers deal with the potential gains a honeypot can give you, and the proper way to monitor a honeypot. Not very many of them deal with the honeypots themselves... Honeypots can be used to ensnare and beguile potential hackers; entice them to give you more research information, and actively defend your production network."" From the article: "Once an attacker has taken all the trouble to set up shop on your honeypot, he'll probably want to see what else there is to play with. If your honeypot is like most traditional honeypots, there's not much for an attacker to do once he gets in. What you really want if for the attacker to transfer down all the other toys in his arsenal so you can have a copy as well. Giving an attacker additional targets with various operating systems and services can help him decide to give you his toys. The targets can be real, but you'll get almost as much mileage if they're simulated. A good place to start is to put a phantom private network up hung off the back of the honeypot."
+ -
story

Related Stories

[+] The BBC's Honeypot PC 344 comments
Alex Pontin writes, "This article from the BBC shows how vulnerable XP Home really is. Using a highly protected XP Pro machine running VMWare, the BBC hosted an unprotected XP Home system to simulate what an 'average' home PC faces when connected to the internet." From the article: "Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software." The machine was attacked within seconds of being connected to the Internet, and at no time did more than 15 minutes elapse between attacks.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Fun Things To Do With Your Honeypot System 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • In addition to all of the things on the network I normally have to do at the office let me set up an entire phantom network just to "jack" with hackers. Yeah, I'll get right on that.
    • Sounds like a good idea for a livecd, actually.
      • No I get the point. I was making a joke, but I still thing it's silly. Why don't you just secure your network and you don't have to worry about it. Unless I worked for a security company or network vendor I wouldn't waste my time trying to score a hacker's toolkit. Unless I'm running something that's home made I don't really need to honeypot it. The # of "real" hackers out there compared to script kiddies is very small. I can download the script kiddie tools myself if I want. Nice AC post by the way.

        • Re:Think you missed the point... (Score:5, Funny)

          by heinousjay (683506) on Sunday July 30 2006, @01:52PM (#15812452) Journal
          Why don't you just secure your network and you don't have to worry about it

          Oh, is that all? Good to see you've boiled network security down to a single step. I'd say write a book, but it would only have one page so that's probably a waste of your time.
        • Many business network connections are made of vanilla parts - a web server, Pix or Checkpoint firewall, a VPN appliance for employees to connect from home, mostly static web pages or decorative Flash navigation. Pretty boring, and not much point in breaking in unless you want somewhere to run a zombie server or you're a skr1p7 k1dd13 who still thinks scribbing on websites is way 1337 k3wl. At most there's a pre-packaged e-commerce server that lets you order things with credit cards, but you could have got

        • Re:Think you missed the point... (Score:4, Insightful)

          by mcrbids (148650) on Monday July 31 2006, @12:03AM (#15815111) Journal
          Why don't you just secure your network and you don't have to worry about it.

          In my life, I've identified a few key words that are highly accurate in ferreting out people who waste time. One of these is "paradigm". Those who wax poetic about "paradigm" are typically those who haven't bothered to figure out how things work, and are trying to convince you to do whatever it is that they think might work.

          Big waste - RUN!

          I've come to discover that "just" is a key word. It positively identifies those who have no idea what they're talking about. The most rediculous, inane, and useless activities I've ever seen all started with the word "just" in the job description. Like:

          "Solar power is feasible - just bring down the cost of manufacturing"...

          or,

          "Sex is no big deal - just get a girlfriend"... (big one for many who peruse these boards)

          or,

          "The software works great - we just need to change a few basic assumptions..."

          So, watch that word, "just". It usually fortells major catastrophe and certainly unrealistic expectations!

  • What is Honeypot (Score:3, Informative)

    by in2mind (988476) on Sunday July 30 2006, @01:31PM (#15812329) Homepage
    For those who dont know what a honeypot is: [From Wikipedia.]

    ____________________________________________
    Honeypot is literally the term for a container of honey but is used in several different ways, often playing off the image of sweetness being used as a lure:

    * A computer system set up as a trap for attackers; see Honeypot (computing)
    * Traps designed to catch conventional criminals; see honey trap

    • A honey trap is fun to prepare, but beware of actually beeing exploited. To limit damage, it will help to put a transparent firewall in front of the honeypot and start blocking (perhaps allow a few outbound connections, and then block). You don't want your owned honeyput as a base of attack, do you? The OpenBSD [openbsd.org] packet filter [openbsd.org] has the needed funcionality using an OS that does not have a few local root kernel exploits a month.
      • I understand it's customary not to RTFA before commenting. However for those amongst us, who do break that rule from time to time, the TFA is actually discussing that very issue in the paragraph "Traffic Mangling":

        Once you've got the Wiley hacker attacking your honeypot, the last thing you want to do is let him attack the rest of your network from the honeypot, or worse, attack someone else's network. A good line of defense in this instance is traffic mangling.

        Traffic mangling requires an inline box

  • Nice... (Score:2, Interesting)

    by Anonymous Coward
    Nice article.



    What with the rumours that Mckinnon was caught by a US Military Honeypot it's interesting to read what can be done with sych systems.

  • And a fun way to get free warze. (Score:5, Interesting)

    by LWATCDR (28044) on Sunday July 30 2006, @01:43PM (#15812407) Homepage Journal
    Just put on unpatched Win 98 box naked on the Internet and a wait. You will soon have a hard drive full of porn and warze.

    Actually it sounds like fun. Throw up VMWare and a few images and you could make an enter virtual network for a hacker to go nuts over.
    Add in a PDP-11 Emulator, some hacked NASA and Air Force sites, a fake database or two, some Word documents showing that the US has a secert base in the middle of the everglades.....
    could be fun.
    Sounds like a great Hacker DnD game. Get a bunch of people to set up these things and the game is too find out what the is going on. :)

    • A place, I once worked at, had a dozen or so entirely unpatched Win98 boxes connected directly to the net - for years. And guess what? Of course I wouldn't have trusted those boxes one inch, but I've never heard of any hacking troubles with those boxes, either (ok, neither IE nor Outlook were used on those computers, but other than that, no protection at all).

      Yes, Win98 may be seriously vulnerable in hundreds of ways (even though it has hardly any networking functionality), but it just isn't targetted now

      • Re:And a fun way to get free warze. (Score:4, Insightful)

        by Clovert Agent (87154) on Sunday July 30 2006, @03:05PM (#15812830)
        A place, I once worked at, had a dozen or so entirely unpatched Win98 boxes connected directly to the net - for years.

        I seriously doubt it - not if you mean "in the last several years". Any unprotected box hanging directly off the net will be scanned and fingerprinted within minutes if not seconds of connecting, and exploited automatically. Botnets aren't kiddies' toys anymore: they're very professionally run and your unpatched '98 box is just grist for the mill.

        About five years ago I timed scans off a dialup connection in, let's say, a hostile part of the world - average of around 20 seconds from connect to scan. It hasn't gotten any better since.

        • That is a load of crap, though I admit it will probably depend on your IP range.

          I routinely check a few Class-Cs and it takes around 5 minutes for a scan to appear on our firewall logs. Mostly 1433 port these days, which Win98 will quite hapilly drop.

          After about 30 minutes I *might* get a port 139 scan, which many Win98 installations will *still* drop.

          Cut the crap and the Microsoft bashing, I'm much more concerned about the spate of port 22 scans, and the brute force ssh password attacks going on right now.
          • Cut the crap and the Microsoft bashing, I'm much more concerned about the spate of port 22 scans, and the brute force ssh password attacks going on right now.


            Fail2ban [sourceforge.net] is your friend. Throttle those ssh botnets down to a few login attempts per hour and eventually the operator will go after a less secure target.
          • http://www.csc.liv.ac.uk/~greg/sshdfilter/ [liv.ac.uk]

            Get this and your ssh brute force attack worries will be over. They're only popular because ssh tends not to block repeated attempts by default, and many other avenues have been closed to the crackers. So make sure you block this particular route.

      • That was my experience in late-90s as well (Score:5, Interesting)

        by billstewart (78916) on Sunday July 30 2006, @05:32PM (#15813521) Journal
        I used to have a lab with a DSL like and a couple of quasi-honeypot machines on it. The Win95 (or was it Win98?) machine was never bothered; the RedHat 6 machine kept getting brutally attacked every week so after a few rebuilds I named it "kenny". Now, the Windows machine was partly not bothered because it wasn't doing anything interesting enough to be very vulnerable - there wasn't a web or FTP server, it wasn't sharing any disks or printers, I usually used Netscape browsers instead of IE, and if you did break in all you'd get for your trouble was a Windows machine. I had another Linux box on the network that was always running a scrolling tcpdump (AFAIK nobody ever bothered it - I had fewer services installed on it because it only had 500MB disk), and could see a variety of interesting traffic.
        • One week I saw it sending lots of pings to a university in Sweden. I checked with the admin there, who said it looked like my machine had been infected with Stacheldraht DDOS client and was reporting back to an infected machine at his site, and told me how to clean it up.
        • Another week the pings were to Washington University in St. Louis. I forget whether their machine had attacked mine or mine had attacked theirs, but either way it seemed appropriate since they'd probably used wuftpd to break in to my machine. Cleaned it up again.
        • Another week I did a "find" looking for something under root's home directory, and found a whole ~/.something directory I didn't recognize. I did an "ls", which couldn't find that directory - they'd replaced /bin/ls, but forgot to update the date stamp on the file, and also forgot to update the date stamp on /bin/ps. "ps" was hacked to not report the processes they were running from their hidden ~/.whatever directory - but "ls" wasn't hacked to hide things in /proc :-). So I cleaned up their semi-clever little rootkit.
        • After I cleaned up one of the latter two attacks, their next act was an "rm -rf /" on poor Kenny. Stupid thugs; at least they could have tried something interesting.
    • Actually, a lot of malware is already vmware-aware and avoids hosts running windows under vmware. More and more getting this functionality every day.
        • No, the emulation's fine, vmware was never designed to be undetectable, instead it was designed to provide a stable host-machine-hardware-independant machine... ie, if I installed Windows (known for not coping with motherboard/chipset changes well at all) in vmware on one machine, and move the virtual machine to another completely different set up machine, it will still run with no problems and no driver changes required. This is one of the things that makes vmware such a great tool.

          This means that you can

    • Just one problem - (Score:4, Insightful)

      by njdj (458173) on Sunday July 30 2006, @03:16PM (#15812877)

      a fake database or two, some Word documents showing that the US has a secert base in the middle of the everglades....

      You'll then get pulled in by Homeland Security and shipped to Gitmo for revealing that the US has a secret base in the middle of the Everglades.

    • Re:And a fun way to get free warze. (Score:4, Informative)

      by Anonymous Coward on Sunday July 30 2006, @03:31PM (#15812946)
      I'm surprised a /.'er would recommend VMware, with XEN the clear winner in the honeypot niche. Just check out The Potemkin Honeyfarm [honeyblog.org] for more info... These guys are actually able to deploy an image is less than a second and do all sorts of whacky business to delude hackers into believing they're roaming the internet freely :-)
    • Sure, there are worse places to get warez, but the type of people who crack into a site to get a place to store warez are _not_ the types of sources you'd want to trust.

      • Re:And a fun way to get free warze. (Score:4, Insightful)

        by Joe U (443617) on Sunday July 30 2006, @03:19PM (#15812894) Homepage Journal
        And if he corrects it to read:

        "Thou shall not use any programming language that works on only one OS. "

        Then it's a typographical error, most likely a soft-broken 'Y' key, and the joke falls apart. Making fun of someone with a broken keyboard is just mean. He might be on his way to CompUSA right now for all you know.

        Now, if he corrects it to read:

        "Thou shall not use a programming language that works on only one OS. "

        Then it's grammatical, and the joke will hold up. The world will be safe from poor grammar. You will have fulfilled your destiny. Crush the lesser races, conquer the galaxy, unimaginable power, unlimited rice pudding...Etcetera, etcetera...

        (or not)

        • Re:Idiot (Score:3, Funny)

          by Anonymous Coward
          Do you have so much time on your hands that you find it amusing to prattle on about common spelling errors? Or does it some how make you feel superior to spot a misused "an" and point it out to the whole world as is "see, this person is an idiot, whereas I am a superior human!". Good lord, get a life.

          Errors:
          1. "Somehow" is one word.
          2. as is "see, this person is an idiot As is?
          3. a superior human!". With the type of English that one uses in the U.S., sentence-ending punctuation is usually contai

        • Re:Idiot (Score:2, Insightful)

          by udderly (890305)
          Dude (or Dudette), are you new here? Didn't you realize that correcting other people and then feeling superior is what /. is all about. Heck, it's one big "I'm smarter than you" pissing contest.
        • You do, which is why the poster has corrected their sig to say 'a' instead of 'an'. You (as I) didn't see the reply pointing out the 'an' until it was fixed, making it look as if the reply suggested using 'an' instead of 'a', but a lil extra thought makes it obvious that it was the other way round.

        • Re:And a fun way to get free warze. (Score:5, Funny)

          by NormalVisual (565491) on Sunday July 30 2006, @09:27PM (#15814560)
          That reminds me of a joke I heard years ago:

          A new Harvard freshman was lost and looking for the library. He approached what obviously was an upperclassman, and asked "Excuse me, could you please tell me where the library is at?" The upperclassman looked down his nose at the freshman, and replied, "My good sir, here at Harvard we do *not* end our sentences with a preposition." The freshman is a bit taken aback, and rephrases his question: "Okay, could you please tell me where the library is at, asshole?"

          There aren't too many grammar jokes out there, so I guess you have to take them as you can get them.

  • NASA (Score:4, Funny)

    by wootest (694923) on Sunday July 30 2006, @02:05PM (#15812510)
    Host NASA servers [slashdot.org]? :)

  • a fake shell (Score:5, Funny)

    by Per Wigren (5315) on Sunday July 30 2006, @02:13PM (#15812558) Homepage
    Something funnier (IMHO) would be to write a simple wrapper over the shell which gives crazy error messages and other things:
    root@honeypot:~# whoami
    I have no idea.
    root@honeypot:~# ls
    PRESS PLAY ON TAPE
    root@honeypot:~#
    and so on... :)

  • Most people.. (Score:5, Funny)

    by dubbreak (623656) on Sunday July 30 2006, @02:13PM (#15812561)
    Most people use their honey pots for surfing the web, checking email and sometimes playing games.

  • Heh. (Score:3, Interesting)

    by Renraku (518261) on Sunday July 30 2006, @02:28PM (#15812636) Homepage
    Give them a virus that you wrote. Put a bunch of what appear to be self-extracting zip files in a directory and attach a virus to the extractor. Give them fun names, too. Like Montauk Project, Philadelphia Experiment, Roswell, etc.
    • what makes you think they would run your SFX zip files? AFAIK every archive app can unpack SFX files as well as regular compressed files

    • Re:Heh. (Score:3, Interesting)

      by Jeremi (14640)
      Give them a virus that you wrote.


      On that note, has anyone done any security audits of the popular remote-exploit tools? It would be fun to write a "special" version of wu-ftpd 1.0 (or whatever) that recognizes when a particular tool is trying to exploit it, and responds by taking advantage of a bug in that tool to give you a root shell on the attacker's machine.... ;^)

  • Risk to others (Score:5, Insightful)

    by Anonymous Coward on Sunday July 30 2006, @02:30PM (#15812649)
    What if someone uses the trojans, etc. they install on your honeypot to launch an attack on some other site? Since your express purpose is to watch what they do, you can't claim ignorance.

    Are you liable for any damages?
    Are you causing problems for law enforcement or other sysadmins by helping the attacker obscure their identity?

    Seems like you would need to filter outbound traffic VERY carefully. It would be almost impossible to do this without the attacker knowing -- they'd realize it was a honeypot and get the hell out of there.
    • What if someone uses the trojans, etc. they install on your honeypot to launch an attack on some other site?


      I'd say that a proper honeypot would simulate the other site as well. Once you've taken the blue pill, there's no escape... ;^)

  • pr0n (Score:4, Funny)

    by Khashishi (775369) on Sunday July 30 2006, @03:48PM (#15813046) Journal
    Just fill the honeypot with pr0n and there will be plenty for the hacker to play with.
  • Make sure that everything rlogs to an append-only hardened blackbox with a high securelevel. Preferably obsd. Also, make sure you have banners that will hold up in court. A honeypot is not something to be viewed as 'extra work' for a network administrator, but ESSENTIAL when combined with a few IDS sensors. It is the way to keep on top of your overall network security, and gives you a few extra IP blocks to add to your overall firewall ruleset. If you are really lucky, you will bring down some asshat that t

  • Fun things to put on honeypots (Score:5, Funny)

    by Animats (122034) on Sunday July 30 2006, @04:23PM (#15813200) Homepage
    • Call up a venture capitalist friend and ask for some rejected business plans for really stupid business ideas. Put them on your honeypot.
    • Get some publicly available geophysical data for real oil wells, and change all the locations to somewhere else with comparable geology but no oil.
    • Get some rejected porno images from people in the industry. Buy the reproduction rights. Put Digimarc watermarks on them. Wait for them to reappear elsewhere. Sue. Profit.

  • Bad advice (Score:3, Insightful)

    by frovingslosh (582462) on Sunday July 30 2006, @04:24PM (#15813204)
    from the aericle:

    Simulated traffic can be used in conjunction with simulated targets....If you want to really see what the attacker is all about, simulate traffic that looks like someone trading MP3s, or traffic that looks like someone transferring business documents. If the attacker spends most of his time looking at the MP3 traffic, he is probably pretty harmless. If he spends his time looking at the documents, he is probably pretty dangerous.

    Yea, right. Great advice, right up to the day that the RIAA and their FBI thugs come breaking down your door and taking every computer that you own and anything else they want too, because the hacker that broke into your system and saw all that traffice was an RIAA hacker.

  • "Fun Things To Do With Your Honeypot System"

    non-Geek: "Is this a sexual reference? I don't get it...are they talking about that weird cyber thing?"

  • "From The Article" (Score:3, Insightful)

    by jonabbey (2498) * <jonabbey@ganymeta.org> on Sunday July 30 2006, @04:50PM (#15813314) Homepage
    Zonk, is it necessary to edit down what your submitters give you and take half of the post to include part of the referenced article?
  • Too bad you can't trace the hackers back to the source and order a hit squad on them ... well, maybe in Russia.

  • It's all fun and games... (Score:4, Insightful)

    by JustJake (130239) on Sunday July 30 2006, @07:59PM (#15814168)
    until someone uses your honeypot as a platform to attack someone else. Or were you thinking that bad guys never use machines under their control in this manner?

    Who are these security people with so much free time that they can monitor a honeynet for hours on end and create bogus traffic to move across it in order to entertain a bored 16-year-old hacker from who knows where? Every serious professional I know is up to his eyeballs in real work.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.