Fun Things To Do With Your Honeypot System
An anonymous reader writes "Whitedust is running an interesting article on honeypots and their uses. From the article: 'Most papers deal with the potential gains a honeypot can give you, and the proper way to monitor a honeypot. Not very many of them deal with the honeypots themselves... Honeypots can be used to ensnare and beguile potential hackers; entice them to give you more research information, and actively defend your production network.'" From the article: "Once an attacker has taken all the trouble to set up shop on your honeypot, he'll probably want to see what else there is to play with. If your honeypot is like most traditional honeypots, there's not much for an attacker to do once he gets in. What you really want is for the attacker to transfer down all the other toys in his arsenal so you can have a copy as well. Giving an attacker additional targets with various operating systems and services can help him decide to give you his toys. The targets can be real, but you'll get almost as much mileage if they're simulated. A good place to start is to put a phantom private network up hung off the back of the honeypot."
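The "phantom private network" the article suggests can be as cheap as a handful of fake listeners that answer with a plausible banner and record whatever the visitor types. The listener below is an added example, not code from the Whitedust article: service names, ports, the old-looking version strings used as bait and the capture format are all assumptions made for this illustration.

```python
"""Phantom services behind a honeypot: a minimal low-interaction listener.

Added example (not the article's code). Each fake service sends a banner,
then records everything the visitor sends, with source address and time,
so an intruder pivoting from the honeypot finds more to poke at and you
get a transcript. Banners, ports and the record format are assumptions.
"""
import socket
import socketserver
import threading
import time

# Constructed banners (assumption). Old version strings are deliberate bait:
# they invite the intruder to fetch the exploit he thinks will work.
PHANTOM_SERVICES = {
    # label: (port you would bind in practice, banner sent on connect)
    "ftp":   (21,   b"220 files.accounting.internal FTP server (Version wu-2.6.0) ready.\r\n"),
    "ssh":   (22,   b"SSH-1.99-OpenSSH_3.4p1\r\n"),
    "smtp":  (25,   b"220 mail.accounting.internal ESMTP Sendmail 8.11.6; ready\r\n"),
    "mssql": (1433, b""),   # TDS clients speak first: stay silent, capture the probe
}


class PhantomHandler(socketserver.BaseRequestHandler):
    """Send the service banner, then swallow and record whatever arrives."""

    def handle(self):
        srv = self.server
        self.request.settimeout(2.0)
        if srv.banner:
            self.request.sendall(srv.banner)
        data = b""
        try:
            while len(data) < 4096:            # cap what one visitor can log
                chunk = self.request.recv(1024)
                if not chunk:                   # peer hung up
                    break
                data += chunk
        except socket.timeout:
            pass                                # idle visitor; keep what we have
        record = {"ts": time.time(), "src": self.client_address[0],
                  "service": srv.service, "data": data}
        with srv.lock:
            srv.captures.append(record)


class PhantomServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, service, banner):
        super().__init__(addr, PhantomHandler)
        self.service = service
        self.banner = banner
        self.captures = []
        self.lock = threading.Lock()


def start_phantom(bind_addr, port, service, banner):
    """Run one fake service in a background thread; return (server, bound port).
    Port 0 asks the OS for a free port, handy for testing without root."""
    srv = PhantomServer((bind_addr, port), service, banner)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def wait_for_captures(srv, count, timeout=5.0):
    """Poll until the server has recorded `count` visits or the timeout passes."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with srv.lock:
            if len(srv.captures) >= count:
                return list(srv.captures)
        time.sleep(0.05)
    with srv.lock:
        return list(srv.captures)


def probe(host, port, payload=b""):
    """Play the visitor: read the banner, send a probe, hang up. Returns the banner."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.settimeout(1.0)
        try:
            banner = s.recv(1024)
        except socket.timeout:
            banner = b""                        # silent service (the mssql case)
        if payload:
            s.sendall(payload)
    return banner


if __name__ == "__main__":
    # Stand-alone: bind the real ports (needs root for ports below 1024).
    servers = [start_phantom("0.0.0.0", port, name, banner)[0]
               for name, (port, banner) in PHANTOM_SERVICES.items()]
    while True:
        time.sleep(10)
        for srv in servers:
            with srv.lock:
                while srv.captures:
                    print(srv.captures.pop(0))
```

Run it on a second address behind the honeypot and the intruder's first action after landing, typically a scan of the "internal" range followed by a banner grab, lands in the captures along with whatever credentials or commands he tries. Note that a silent port (the mssql entry) is just as informative as a chatty one: the probe bytes tell you which tool he is using.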
Like I Have That Kind of Time (Score:3, Insightful)
Re:Think you missed the point... (Score:2, Insightful)
Re:Think you missed the point... (Score:5, Funny)
Oh, is that all? Good to see you've boiled network security down to a single step. I'd say write a book, but it would only have one page so that's probably a waste of your time.
Re:Think you missed the point... (Score:1)
Haha owned.
Re:Think you missed the point... (Score:2)
Supposed to be "pwn3d"
Most cool business networks are semi-homemade (Score:2)
Re:Think you missed the point... (Score:4, Insightful)
In my life, I've identified a few key words that are highly accurate in ferreting out people who waste time. One of these is "paradigm". Those who wax poetic about "paradigm" are typically those who haven't bothered to figure out how things work, and are trying to convince you to do whatever it is that they think might work.
Big waste - RUN!
I've come to discover that "just" is a key word. It positively identifies those who have no idea what they're talking about. The most ridiculous, inane, and useless activities I've ever seen all started with the word "just" in the job description. Like:
"Solar power is feasible - just bring down the cost of manufacturing"...
or,
"Sex is no big deal - just get a girlfriend"... (big one for many who peruse these boards)
or,
"The software works great - we just need to change a few basic assumptions..."
So, watch that word, "just". It usually foretells major catastrophe and certainly unrealistic expectations!
Nice point on language (Score:1)
Re:Think you missed the point... (Score:2)
Just today I had somebody asking "Have you seen the email about that little problem?" I replied that no, I hadn't, but I had seen the one about the bloody big problem.
In defense of 'Paradigm' (Score:1)
Re:Like I Have That Kind of Time (Score:2)
Re:Like I Have That Kind of Time (Score:3, Interesting)
What is Honeypot (Score:3, Informative)
____________________________________________
Honeypot is literally the term for a container of honey but is used in several different ways, often playing off the image of sweetness being used as a lure:
* A computer system set up as a trap for attackers; see Honeypot (computing)
* Traps designed to catch conventional criminals; see honey trap
Re:What is Honeypot (Score:2, Informative)
Re:What is Honeypot (Score:2)
Re:What is Honeypot (Score:1)
Re:What is Honeypot (Score:2, Funny)
Nice... (Score:2, Interesting)
What with the rumours that McKinnon was caught by a US Military Honeypot it's interesting to read what can be done with such systems.
And a fun way to get free warze. (Score:5, Interesting)
Actually it sounds like fun. Throw up VMWare and a few images and you could make an entire virtual network for a hacker to go nuts over.
Add in a PDP-11 Emulator, some hacked NASA and Air Force sites, a fake database or two, some Word documents showing that the US has a secret base in the middle of the everglades.....
could be fun.
Sounds like a great Hacker DnD game. Get a bunch of people to set up these things and the game is to find out what is going on.
Re:And a fun way to get free warze. (Score:1, Funny)
Thou shall not program computers in any language until having mastered the one you speak and write in.
Re:And a fun way to get free warze. (Score:2)
Re:And a fun way to get free warze. (Score:1)
Re:And a fun way to get free warze. (Score:2)
Re:And a fun way to get free warze. (Score:4, Insightful)
"Thou shall not use any programming language that works on only one OS. "
Then it's a typographical error, most likely a soft-broken 'Y' key, and the joke falls apart. Making fun of someone with a broken keyboard is just mean. He might be on his way to CompUSA right now for all you know.
Now, if he corrects it to read:
"Thou shall not use a programming language that works on only one OS. "
Then it's grammatical, and the joke will hold up. The world will be safe from poor grammar. You will have fulfilled your destiny. Crush the lesser races, conquer the galaxy, unimaginable power, unlimited rice pudding...Etcetera, etcetera...
(or not)
Re:And a fun way to get free warze. (Score:1)
I take this to mean you do not program computers in any language? After all, you have not mastered English either. You left a dangling preposition. The correct way to phrase this is:
Thou shalt not program computers in any language until having mastered the one in which you speak and write.
Re:And a fun way to get free warze. (Score:5, Funny)
A new Harvard freshman was lost and looking for the library. He approached what obviously was an upperclassman, and asked "Excuse me, could you please tell me where the library is at?" The upperclassman looked down his nose at the freshman, and replied, "My good sir, here at Harvard we do *not* end our sentences with a preposition." The freshman is a bit taken aback, and rephrases his question: "Okay, could you please tell me where the library is at, asshole?"
There aren't too many grammar jokes out there, so I guess you have to take them as you can get them.
Re:And a fun way to get free warze. (Score:2)
Re:And a fun way to get free warze. (Score:1)
Re:Idiot (Score:3, Funny)
Errors:
1. "Somehow" is one word.
2. as is "see, this person is an idiot As is?
3. a superior human!". With the type of English that one uses in the U.S., sentence-ending punctuation is usually contai
Re:Idiot (Score:2, Insightful)
Re:And a fun way to get free warze. (Score:1)
Re:And a fun way to get free warze. (Score:3, Interesting)
A place I once worked at had a dozen or so entirely unpatched Win98 boxes connected directly to the net - for years. And guess what? Of course I wouldn't have trusted those boxes one inch, but I've never heard of any hacking troubles with those boxes, either (OK, neither IE nor Outlook were used on those computers, but other than that, no protection at all).
Yes, Win98 may be seriously vulnerable in hundreds of ways (even though it has hardly any networking functionality), but it just isn't targeted now
Re:And a fun way to get free warze. (Score:4, Insightful)
I seriously doubt it - not if you mean "in the last several years". Any unprotected box hanging directly off the net will be scanned and fingerprinted within minutes if not seconds of connecting, and exploited automatically. Botnets aren't kiddies' toys anymore: they're very professionally run and your unpatched '98 box is just grist for the mill.
About five years ago I timed scans off a dialup connection in, let's say, a hostile part of the world - average of around 20 seconds from connect to scan. It hasn't gotten any better since.
Re:And a fun way to get free warze. (Score:3, Interesting)
I routinely check a few Class-Cs and it takes around 5 minutes for a scan to appear on our firewall logs. Mostly port 1433 these days, which Win98 will quite happily drop.
After about 30 minutes I *might* get a port 139 scan, which many Win98 installations will *still* drop.
Cut the crap and the Microsoft bashing, I'm much more concerned about the spate of port 22 scans, and the brute force ssh password attacks going on right now.
Re:And a fun way to get free warze. (Score:2, Interesting)
Fail2ban [sourceforge.net] is your friend. Throttle those ssh botnets down to a few login attempts per hour and eventually the operator will go after a less secure target.
Shameless plug (Score:2)
Get this and your ssh brute force attack worries will be over. They're only popular because ssh tends not to block repeated attempts by default, and many other avenues have been closed to the crackers. So make sure you block this particular route.
Re:And a fun way to get free warze. (Score:2)
Just this past weekend I had to switch providers, and of course verify the connection without a router or other firewall in between me and the outside world.
Firewall software on the laptop picked up 139 attempts within the first 60 seconds. Within 5 minutes I had well over a dozen common ports being probed: the usual NetBIOS ports, 1433, 1434, 21, 80, 23, 69, and a few others.
Didn't see a single port 22 attempt in the 5 hours I left the laptop "naked". Haven't bothered to check the r
Re:And a fun way to get free warze. (Score:2)
Re:And a fun way to get free warze. (Score:1)
They can try all the passwords they want but they simply won't be able to log in. You could also change the port which SSH runs on and tar-pit any IP ranges which give you constant trouble (it's really fun to see bots stay for hours on end trying to check a single login).
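Several posts above recommend fail2ban-style throttling for the SSH brute-force scans. The detector below is an added example of that logic, not fail2ban's own code: it reads OpenSSH auth-log lines, counts failed logins per source address inside a sliding window, bans after a threshold and lets the ban expire. The log lines are constructed; max_retry, find_time and ban_time mirror fail2ban's knobs but the values here are assumptions, and the iptables rule is a representative one rather than fail2ban's exact action (fail2ban inserts into its own chain).

```python
"""Fail2ban-style detection of sshd password brute force (added example).

Not fail2ban's code. Parses OpenSSH auth-log lines, keeps a sliding window of
failures per source IP, and reports which addresses to ban. Sample log lines
are constructed; thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd's failed-login wording; fail2ban's sshd filter keys on the same line shape.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_syslog_ts(text):
    # Classic syslog timestamps carry no year; all lines are assumed to fall in
    # one year, which is fine for a window measured in minutes.
    return datetime.strptime(text, "%b %d %H:%M:%S")


class BruteForceDetector:
    def __init__(self, max_retry=5, find_time=600, ban_time=3600):
        self.max_retry = max_retry                      # failures that trigger a ban
        self.find_time = timedelta(seconds=find_time)   # sliding window
        self.ban_time = timedelta(seconds=ban_time)     # how long a ban lasts
        self.failures = defaultdict(deque)              # ip -> recent failure times
        self.banned = {}                                # ip -> ban expiry

    def feed(self, line):
        """Consume one log line; return the IP if this line triggers a new ban."""
        m = FAILED.match(line)
        if not m:
            return None
        ts, ip = parse_syslog_ts(m.group("ts")), m.group("ip")
        if ip in self.banned:
            if self.banned[ip] > ts:
                return None                 # still banned; the firewall is dropping him
            del self.banned[ip]             # ban expired: count afresh
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.find_time:
            window.popleft()                # forget failures outside the window
        if len(window) >= self.max_retry:
            self.banned[ip] = ts + self.ban_time
            window.clear()
            return ip
        return None


def ban_rule(ip):
    """Representative drop rule (assumption; fail2ban uses its own chain)."""
    return f"iptables -I INPUT -p tcp --dport 22 -s {ip} -j DROP"


def run_detector(lines, **kw):
    """Feed every line; return (detector, list of IPs banned in order)."""
    det = BruteForceDetector(**kw)
    bans = [ip for ip in map(det.feed, lines) if ip]
    return det, bans


# Constructed auth.log excerpt: one noisy scanner, one slow and patient one.
SAMPLE_LOG = """\
Oct  4 14:01:02 bastion sshd[3021]: Failed password for invalid user oracle from 10.0.0.5 port 40231 ssh2
Oct  4 14:01:03 bastion sshd[3021]: Failed password for invalid user oracle from 10.0.0.5 port 40231 ssh2
Oct  4 14:01:05 bastion sshd[3025]: Failed password for root from 10.0.0.5 port 40244 ssh2
Oct  4 14:01:06 bastion sshd[3025]: Failed password for root from 10.0.0.5 port 40244 ssh2
Oct  4 14:02:10 bastion sshd[3030]: Accepted publickey for alice from 192.0.2.7 port 51022 ssh2
Oct  4 14:02:11 bastion sshd[3031]: Failed password for admin from 10.0.0.5 port 40301 ssh2
Oct  4 14:02:12 bastion sshd[3031]: Failed password for admin from 10.0.0.5 port 40301 ssh2
Oct  4 14:30:00 bastion sshd[3100]: Failed password for bob from 192.0.2.7 port 51100 ssh2
Oct  4 14:45:00 bastion sshd[3140]: Failed password for bob from 192.0.2.7 port 51120 ssh2
Oct  4 15:00:00 bastion sshd[3190]: Failed password for bob from 192.0.2.7 port 51133 ssh2
Oct  4 15:10:00 bastion sshd[3200]: Failed password for invalid user test from 10.0.0.5 port 40999 ssh2
"""

if __name__ == "__main__":
    det, bans = run_detector(SAMPLE_LOG.splitlines())
    for ip in bans:
        print(ban_rule(ip))
```

The slow scanner (192.0.2.7, one guess every fifteen minutes) never trips a 5-in-600-seconds threshold, which is exactly the trade-off the "tar-pit" suggestion above addresses: rate-limiting stops the noisy bots, and a patient adversary is caught only by strong passwords or key-only authentication, not by counting.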
Re:And a fun way to get free warze. (Score:1)
Surely, someone must have made tools to beat 20 seconds - I mean, it's gone five years.
Re:And a fun way to get free warze. (Score:1)
That was my experience in late-90s as well (Score:5, Interesting)
Re:And a fun way to get free warze. (Score:3, Interesting)
Re:And a fun way to get free warze. (Score:1)
Re:And a fun way to get free warze. (Score:1)
No, the emulation is better than good if leaving signs like VM video card strings in place keeps the script kiddies away.
Re:And a fun way to get free warze. (Score:3, Insightful)
This means that you can
Re:And a fun way to get free warze. (Score:2)
Re:And a fun way to get free warze. (Score:2)
Re:And a fun way to get free warze. (Score:2)
But calling for a "better emulator" because you are using a tool for a purpose outside of the one it was designed for is a bit rude. It's a bit like asking for a better spreadsheet than Excel because you are having trouble writing a book with it. Not quite the right tool for the job.
VMware does a nice job of hosting a guest operating system inside another. They don't try to hide the
Re:And a fun way to get free warze. (Score:2)
BTW: is it copyright infringement if you redistribute a hacker's tools without his permission? Could the hacker use the DMCA as well?
Just one problem - (Score:4, Insightful)
a fake database or two, some Word documents showing that the US has a secret base in the middle of the everglades....
You'll then get pulled in by Homeland Security and shipped to Gitmo for revealing that the US has a secret base in the middle of the Everglades.
Re:Just one problem - (Score:1)
I'm just sick of seeing crap like this everywhere I turn... Yeah, you hate Bush, you feel cheated, you think the war is all about the oil.. whatever. The fact is that half the crap th
Re:Just one problem - (Score:1, Insightful)
Dude, there are two things wrong with this:
Really, Bush and his handlers have run your country into the ground, d
Re:And a fun way to get free warze. (Score:4, Informative)
Re:And a fun way to get free warze. (Score:2)
Yeah, like you'd trust *those* warez... (Score:2)
Re:And a fun way to get free warze. Raises (Score:2)
But, I like the part about a secret base in the Everglades.
What would be cool is faking a database of chupacabra-human mutagenics data claiming the efficacy of a new breed of supersoldier.
Re:And a fun way to get free warze. Raises (Score:2)
In the late 60s everyone thought SSTs were going to be the next big thing. So they started to build a replacement for the Miami airport 50 miles west of Miami out in the Everglades... Well, the EPA came and stopped it, but not before a HUGE runway, control tower, and many parts of the terminal were built.
Airlines used to use it for practice since it is a huge modern airport in the middle o
NASA (Score:4, Funny)
a fake shell (Score:5, Funny)
Re:a fake shell (Score:3, Funny)
Re:a fake shell (Score:1)
Re:a fake shell (Score:2)
Re:a fake shell (Score:2)
'You are number six.'
$whoareyou
'That would be telling.'
Re:a fake shell (Score:2)
Re:a fake shell (Score:2)
ssh root@dahmer.vistech.net
password: password
You might want to Nmap the machine first, there's something screwy with it though.
Most people.. (Score:5, Funny)
Heh. (Score:3, Interesting)
Re:Heh. (Score:2)
Re:Heh. (Score:3, Interesting)
On that note, has anyone done any security audits of the popular remote-exploit tools? It would be fun to write a "special" version of wu-ftpd 1.0 (or whatever) that recognizes when a particular tool is trying to exploit it, and responds by taking advantage of a bug in that tool to give you a root shell on the attacker's machine....
Risk to others (Score:5, Insightful)
Are you liable for any damages?
Are you causing problems for law enforcement or other sysadmins by helping the attacker obscure their identity?
Seems like you would need to filter outbound traffic VERY carefully. It would be almost impossible to do this without the attacker knowing -- they'd realize it was a honeypot and get the hell out of there.
Re:Risk to others (Score:2)
I'd say that a proper honeypot would simulate the other site as well. Once you've taken the blue pill, there's no escape...
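The liability worry raised above is what the honeynet community calls data control: the honeypot must be allowed enough outbound traffic that the intruder can fetch his toolkit, but not enough to attack third parties from your address space. The policy object below is an added example of that idea; it is neither the article's code nor the Honeynet Project's rc.firewall script. Connections aimed at the phantom private network behind the honeypot are never throttled (that is the bait), a few ports that only exist to hurt others are always dropped, and everything else toward the Internet gets a per-hour budget. The prefix, the port list and the budget are assumptions.

```python
"""Data control for a honeypot's outbound connections (added example).

Not the article's or the Honeynet Project's code. Decides, per new outbound
connection, whether the honeypot may complete it. Prefixes, ports and the
hourly budget are assumptions.
"""
import ipaddress
from collections import deque

HOUR = 3600.0


class EgressControl:
    def __init__(self, phantom_nets, per_hour_limit=15, always_drop_ports=(25,)):
        self.phantom_nets = [ipaddress.ip_network(n) for n in phantom_nets]
        self.per_hour_limit = per_hour_limit
        self.always_drop_ports = set(always_drop_ports)
        self.recent = deque()           # timestamps of counted outbound connections

    def _expire(self, now):
        while self.recent and now - self.recent[0] >= HOUR:
            self.recent.popleft()

    def decide(self, now, dst_ip, dst_port):
        """Return (verdict, reason) for one outbound connection attempted at `now`."""
        dst = ipaddress.ip_address(dst_ip)
        if any(dst in net for net in self.phantom_nets):
            return ("allow", "phantom-net")             # bait network: never throttled
        if dst_port in self.always_drop_ports:
            return ("drop", f"port-{dst_port}-blocked")  # e.g. no spam relaying via 25
        self._expire(now)
        if len(self.recent) >= self.per_hour_limit:
            return ("drop", "hourly-limit")             # budget spent: contain him
        self.recent.append(now)
        return ("allow", "counted")                     # let him fetch his toolkit


def replay(events, **kw):
    """Apply the policy to (time, dst_ip, dst_port) tuples; return the verdicts."""
    ec = EgressControl(**kw)
    return [ec.decide(t, ip, port) for t, ip, port in events]


# Constructed sequence: a lateral move into the phantom net, a spam attempt,
# a tool download, then a scan fanning out across the Internet.
SAMPLE_EVENTS = (
    [(0.0, "10.10.5.5", 445), (1.0, "198.51.100.1", 25), (2.0, "203.0.113.9", 80)]
    + [(10.0 + i, f"192.0.2.{i}", 139) for i in range(20)]
)

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, phantom_nets=["10.10.0.0/16"])):
        print(ev, verdict)
```

The budget is the compromise the thread is arguing about: a hard drop on the first outbound packet tells the intruder immediately that he is in a honeypot, while an unlimited allow makes you the launch pad. A small hourly allowance lets a real download or an IRC connection through, and the scan that follows simply stalls, which looks enough like a flaky network to keep the game going for a while.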
pr0n (Score:4, Funny)
Re:pr0n (Score:1)
no longer honeypot (Score:1)
or a hive?
this has endless potential
I feel a little ashamed now
the model is based on a Bee.o.wolf cluster (Score:1)
Not exactly, the model is based on a Bee.o.wolf cluster
Yes the hive organization is like that of Bee.ORG
POT! Ok, this explains everything :)
Really, yea you should, but then I guess so should I. ... place this one :)
"Oh Papa I am so 'shamed"
Wabi-Sabi
Matthew
Honeypot considerations (Score:2, Informative)
Fun things to put on honeypots (Score:5, Funny)
Bad advice (Score:3, Insightful)
Simulated traffic can be used in conjunction with simulated targets....If you want to really see what the attacker is all about, simulate traffic that looks like someone trading MP3s, or traffic that looks like someone transferring business documents. If the attacker spends most of his time looking at the MP3 traffic, he is probably pretty harmless. If he spends his time looking at the documents, he is probably pretty dangerous.
Yeah, right. Great advice, right up to the day that the RIAA and their FBI thugs come breaking down your door and taking every computer that you own and anything else they want too, because the hacker that broke into your system and saw all that traffic was an RIAA hacker.
Re:Bad advice (Score:1)
Re:Bad advice (Score:2)
Consider how this one looks to a visiting non-Geek (Score:5, Funny)
non-Geek: "Is this a sexual reference? I don't get it...are they talking about that weird cyber thing?"
Re:Consider how this one looks to a visiting non-G (Score:2, Funny)
"From The Article" (Score:3, Insightful)
Re:"From The Article" (Score:2)
It's not like anyone was interested enough to RTFA in the first place, so why quote from it?
Tis a pity ... (Score:2)
It's all fun and games... (Score:4, Insightful)
Who are these security people with so much free time that they can monitor a honeynet for hours on end and create bogus traffic to move across it in order to entertain a bored 16-year-old hacker from who knows where? Every serious professional I know is up to his eyeballs in real work.
Obligatory (Score:1)
Undressing the ladies (Score:2)
Honey can lead to infant botulism (Score:5, Funny)
Re:Honey can lead to infant botulism (Score:1)
Re:Honey can lead to infant botulism (Score:1)
The "no honey for babies" thing makes as much sense as the "no aspirin for children" thing. Some kid died from an ultra-rare syndrome and the parents decided to make the death "meaningful" by going on a crusade against a usually-harmless substance. Breast milk is much better than honey, anyway.
Re:Honey can lead to infant botulism (Score:2)
True, but I'll be damned if I can find a place that will sell it to me. For now I guess I'll just stick with soda.
Re:Honey can lead to infant botulism (Score:2)
Re:Honey can lead to infant botulism (Score:2)
Re:Honey can lead to infant botulism (Score:1)
Re:Honey can lead to infant botulism (Score:1)
Re:Honey can lead to infant botulism (Score:1)