This document discusses various honeypot tools and the findings from deploying them. It begins with an introduction to honeypots and what they are used for. It then discusses specific low- and high-interaction honeypots like Dionaea, Kippo, Amun and Thug. For each honeypot, it provides statistics on IP addresses, login attempts, files uploaded and malware captured. It also analyzes these findings through tools like Wireshark and VirusTotal. Overall, the document aims to educate about honeypot tools and share the results from the author's own honeypot deployments.
2. Interactive portion intro
Whoami
What is a Honeypot?
Different Honeypots
Why Honeypots?
Things I discovered
Stratagem
Interactive portion end results
3. Interactive portion
SSID – FBI Mobile
IP address – 192.168.2.5
User ID – bsides
The password is…detroit (told you it was easy)
19. Dionaea stats
Started 3/7/2013
Stopped 3/9/2013
Started 3/12/2013
Stopped 3/14/2013
Graphs are courtesy of DionaeaFR tool
20. Dionaea stats
• Don’t forget to add your API key from VirusTotal to your config file!!
• If you don’t add the API key, then the pretty visualization tool can’t do its job and you have to do it manually!!!
33. Kippo stats
Accounts that used 123456 as password
User ID Tries
root 7
ftpuser 3
oracle 3
andy 2
info 2
jeff 2
site 2
test 2
webmaster 2
areyes 1
brian 1
“7 successful logons? But your chart says 27 used the password of 123456?! WTF?”
35. Kippo stats
File downloaded
psyBNC 2.3.2
------------
This program is useful for people who cannot be on irc all the time.
Its used to keep a connection to irc and your irc client connected, or
also allows to act as a normal bouncer by disconnecting from the irc
server when the client disconnects.
36. Kippo
Started 5/31/2013
Stopped 6/1/2013
IP addresses
• Unique IP addresses - 20
• Maximum password attempts – 1098
• Successful logins – 16
• Replay scripts – 4
• Files uploaded - 1
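An added example (not from the original slides) of deriving counts like these from a Kippo log, keeping "tried a given password" separate from "actually logged in". The log lines are constructed and assume Kippo's default kippo.log line format; the function names, and reading "maximum password attempts" as the busiest single source IP, are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines, assuming Kippo's default kippo.log line format.
SAMPLE_LOG = """\
2013-05-31 21:04:10+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.7:51234 (192.0.2.10:22) [session: 3]
2013-05-31 21:04:11+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/password] failed
2013-05-31 21:04:13+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/123456] succeeded
2013-05-31 22:40:02+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.23] login attempt [oracle/123456] failed
2013-05-31 22:40:05+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.23] login attempt [oracle/oracle] failed
2013-05-31 22:40:09+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.23] login attempt [root/123456] succeeded
2013-06-01 03:15:44+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.99] login attempt [test/123456] failed
2013-06-01 03:15:47+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.99] login attempt [admin/pa]ss/word] failed
"""

# The password may itself contain '/' or ']', so match it greedily and
# anchor on the trailing "] succeeded|failed" instead.
LOGIN_RE = re.compile(
    r"HoneyPotTransport,\d+,(?P<ip>[0-9a-fA-F.:]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>.*)\] (?P<result>succeeded|failed)$"
)

def parse_login(line):
    """Return (ip, user, password, succeeded) or None for non-login lines."""
    m = LOGIN_RE.search(line.rstrip())
    if m is None:
        return None
    return m["ip"], m["user"], m["password"], m["result"] == "succeeded"

def summarize(log_text, password="123456"):
    """Count login attempts per IP, successes, and who tried `password`."""
    attempts_per_ip = Counter()
    tries_with_password = Counter()
    successes = 0
    for line in log_text.splitlines():
        parsed = parse_login(line)
        if parsed is None:
            continue  # connection, command and other non-login lines
        ip, user, pw, ok = parsed
        attempts_per_ip[ip] += 1
        successes += ok
        if pw == password:
            tries_with_password[user] += 1
    return {
        "unique_ips": len(attempts_per_ip),  # IPs that tried to log in
        "max_attempts_from_one_ip": max(attempts_per_ip.values(), default=0),
        "successful_logins": successes,
        "tries_with_password": dict(tries_with_password),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In the constructed sample, four attempts use 123456 but only two of them are logged as succeeded, which is the kind of gap the chart question above is pointing at.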
42. Kippo stats
File downloaded
#!/usr/bin/perl
#
# ShellBOT by: devil__
Discovered: June 3, 2005
Updated: April 30, 2010 3:46:09 AM
Type: Trojan
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows
NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
Backdoor.Shellbot is a detection name used by Symantec to identify malicious
software programs that share the primary functionality of enabling a remote
attacker to have access to or send commands to a compromised computer.
As the name suggests, these threats are used to provide a covert channel
through which a remote attacker can access and control a computer. The
Trojans vary in sophistication, ranging from those that only allow for limited
functions to be performed to those that allow almost any action to be carried
out, thus allowing the remote attacker to almost completely take over control
of a computer.
Backdoor.Shellbot
Risk Level 1: Very Low
43. Kippo stats
Replay script – 20130602-105723-5678.log
Uploads a tar.gz and trips a Python reply script
59. Resources
• A host at $IP ($location) tried to log into my honeypot's fake Terminal Services server
• GET-based RFI attack from $IP ($location)
• A host at $IP ($location) tried to log into my honeypot's fake MSSQL Server
http://inguardians.com/