
This article is intended for information security specialists as well as for a wider audience of users interested in methods of protection against cyber threats. Readers will learn about the different types of honeypots, how they are used and why they matter in today's environment of increased cyber activity, and about current techniques for deceiving attackers and gathering intelligence that help improve the security of a network.
Honeypots are Internet security resources used as bait: they entice attackers to infiltrate a network for some illegal purpose. Such decoys are usually configured to study the attacker's activity on the network in order to build more robust defenses. A honeypot carries no valuable data; it is a fake host whose purpose is to log network traffic.
A honeypot records:
- key combinations entered by the attacker;
- the attacker's IP address;
- usernames and the privileges used by the attacker;
- data the attacker gained access to, deleted or changed.
Low-interaction honeypots emulate only a very limited number of services and programs, both on the system and on the network. This type of decoy can be used to monitor ports and services:
- UDP
- TCP
- ICMP
To study attacks as they happen in real time, they present fake:
- databases
- data
- files, etc.
Examples of low-interaction tools:
- Honeytrap
- Spectre
- KFsensor, etc.
Medium-interaction honeypots simulate real operating systems in real time and carry all of their applications and services, just like the target network. They usually collect more information, because their purpose is to keep the attacker occupied, which leaves more time to respond adequately to the threat.
Examples of medium-interaction tools:
- Cowrie
- HoneyPy, etc.
A high-interaction honeypot is a genuinely vulnerable piece of software, typically placed in a production system where it interacts with various applications. Such honeypots are harder to maintain, but they provide more useful information.
An example of a high-interaction honeypot:
- honeynet
A honeynet usually simulates the organization's real production environment, which makes the attacker believe it is real and spend more time in it. As soon as the attacker starts looking for vulnerabilities, the organization is alerted, so an attack of any kind can be stopped earlier.
Types of honeypots:
- Production honeypots. Usually installed in the organization's real production network. Because they sit inside the network, they also help to find internal vulnerabilities or attacks.
- Research honeypots. High-interaction decoys that, unlike the usual ones, are used by government or military organizations to gather more information about attacker behavior.
- Malware honeypots. Used to intercept malicious programs on the network; the goal is to attract an attacker or any malicious software.
- Email honeypots. Fake email addresses. Emails received from any attacker can be tracked and inspected, and they can be used to prevent phishing emails.
- Database honeypots. Real vulnerable databases that typically attract attacks such as SQL injection. They are designed to trick attackers into thinking they may contain sensitive information, such as bank card details.
- Spider honeypots. Installed to intercept crawlers and spiders that harvest important information from web applications.
- Spam honeypots. Rogue mail servers that attract spammers looking to exploit vulnerable email components.
- Honeynets. Simply a network of decoys deployed in an isolated virtual environment, together with tools to record the attackers' actions and understand potential threats.
The demonstrations below cover honeypots on three platforms:
- Windows
- Android
- Linux
On Windows, consider the well-known HoneyBOT decoy, which is available for download.
We use Kali Linux as the attacking machine and Windows as the host machine.
First, let's run an nmap scan against the host machine with no bait installed:
nmap -sV 192.168.1.17
Now we install HoneyBOT on Windows and configure it, proceeding through the installer prompts.
Select all the required parameters of the bait and click "Apply".
Let's add an email address to receive reports on the activity of our bait.
If desired, the logs can be saved in CSV format.
The attacking machine now performs an nmap scan, which reveals many fake services; all of them appear thanks to the honeypot running on the host.
Let's try to connect to FTP.
A log entry appears with the attacker's IP address and the port to which they connected.
Here you can see a detailed report on the connection created by the attacker.
Likewise, an SSH connection was initiated on port 22 from another OS.
A connection log entry was created for this attempt as well, this time showing port 22.
A honeypot can also be installed on an Android smartphone. In this case we use HosTaGe, downloaded from Google Play.
When the application starts, it shows a message saying that everything looks safe.
Now let's check the IP address of our Android device and get started.
Returning to Kali Linux, we run an nmap scan against the Android device's IP address.
A threat message appears on the Android device as soon as the nmap scan starts.
A log entry is created from which we can see the IP address of the attacker's system and the ports that were probed.
On Linux, we demonstrate the Pentbox honeypot, which is easy to install on Ubuntu:
wget http://downloads.sourceforge.net/project/pentbox18realised/pentbox-1.8.tar.gz
tar -zxvf pentbox-1.8.tar.gz
After installation we can use it straight away. Select network tools, then honeypot, to set up the trap; the manual configuration option lets you configure everything to your liking.
./pentbox.rb
It is now possible to open a fake port, set a fake message and save logs. The bait can be seen activated on the required port; in the same way it can be activated manually on other ports.
Start the attacker's machine and scan the host machine with nmap. The open ports and services found are shown below.
Here the attacker tries to connect to the host machine using telnet.
With each intrusion attempt a warning is displayed and a log entry is created, recording the attacker's IP address and port.
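As an added example (not from the article and not part of HoneyBOT, HosTaGe or Pentbox), here is a minimal low-interaction decoy in Python that does what these tools were shown doing: it listens on a port, answers with a fake banner, logs the connecting IP, source port and first bytes received, and flags a source that touches several decoy ports, the way the Android honeypot raised a threat message during the nmap scan. The banners, the ports and the probing client in demo() are all constructed for the self-test.

```python
import socket
import threading
from datetime import datetime, timezone
# Constructed banners keyed by the service port each decoy pretends to be (not real services).
FAKE_BANNERS = {21: b"220 (vsFTPd 3.0.3)\r\n", 22: b"SSH-2.0-OpenSSH_7.4\r\n", 23: b"login: "}

def open_decoy(listen_port=0, host="127.0.0.1"):
    """Bind a listening socket; port 0 picks a free port (used by the self-test)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, listen_port))
    srv.listen(5)
    return srv

def serve_decoy(srv, service_port, log_rows):
    """Accept one client, send the fake banner, log [time, src_ip, src_port, decoy_port, first_bytes]."""
    conn, addr = srv.accept()
    with conn:
        conn.settimeout(2.0)
        conn.sendall(FAKE_BANNERS.get(service_port, b"\r\n"))
        try:
            data = conn.recv(256)
        except socket.timeout:  # client connected but never spoke (e.g. a bare port scan)
            data = b""
    log_rows.append([datetime.now(timezone.utc).isoformat(), addr[0], addr[1],
                     service_port, data.decode("latin-1").strip()])
    srv.close()

def scan_suspects(log_rows, min_ports=3):
    """Flag source IPs that touched at least min_ports distinct decoy ports (scan-like behaviour)."""
    ports_by_ip = {}
    for _, src_ip, _, decoy_port, _ in log_rows:
        ports_by_ip.setdefault(src_ip, set()).add(decoy_port)
    return {ip: sorted(p) for ip, p in ports_by_ip.items() if len(p) >= min_ports}

def demo():
    """Self-test: three decoys on loopback, probed by one constructed local client."""
    log_rows, threads = [], []
    for service_port in (21, 22, 23):
        srv = open_decoy()
        t = threading.Thread(target=serve_decoy, args=(srv, service_port, log_rows))
        threads.append((t, srv.getsockname()[1]))
        t.start()
    for t, port in threads:
        with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
            c.recv(64)                    # read the banner, as a probing client would
            c.sendall(b"USER admin\r\n")  # constructed login attempt to be logged
        t.join()
    return log_rows, scan_suspects(log_rows)
```

In a real deployment the decoys would bind the actual service ports (which needs root for ports below 1024) and the rows would be appended to a CSV or forwarded to a SIEM rather than kept in memory.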