Honeypots

Hands-on session conducted by Anonymous Club at BMSCE
Published in: Technology
  1. HoneyPots Hands-on session By : (1)Rushikesh Kulkarni (2)Samarth Suresh
  2. General understanding : Honeypots are network-connected devices that look very vulnerable and attractive in the eyes of a hacker, but the sole reason for their existence is that they are meant to be hacked. A honeypot can also be referred to as a computer security mechanism. So basically, the system is designed to intentionally have vulnerabilities.
  3. (1)A group of such honeypots is called a honeynet. They are multiple systems present on a network, all of which are vulnerable and can be hacked. (2)Honeynets can also contain real-time applications and services in order to attract the hacker to exploit the system. (3)These applications are given attractive names like "finance" or "important documents", etc.
  4. Why do they exist? (1)Leaves a vulnerable system on your network. (2)Designing a system for the task is tedious. (3)Expensive when building commercial honeypots.
  5. Main reasons for existence : (1)You realise the different types of attacks that can be implemented and hence develop more secure and reliable networks. (2)Develop an alert system that fires during the process of breaching the network. (3)To have an in-depth study of the activities of the hackers. (4)Diverting the user from the original application, hence giving the hacker the misconception that he/she managed to hack the system.
  6. Types of honeypots: (1)Database honeypots : Databases are most vulnerable to SQLi attacks, so most databases today include the honeypot architecture. The intruder runs through a trap database while the web application remains functional. (2)Email traps, also called spam traps : Used for collecting spam messages. The honeypot detects that a message is spam and then blocks that email address from sending it to another user on the same network.
  7. Types of honeypots: (3)Malware honeypot : Make a copy of the existing malware and test it by running the existing malware vectors. This can be used for scanning USBs to test for malware. (4)Pure honeypot : A full copy of a production system. For example : make an instance of a working application and redirect the attacker to a fake database.
  8. Based on interaction with an attacker : (1)Low-interaction honeypot : Simulates only the services frequently requested by attackers. Mainly used just to alert. (2)Medium-interaction honeypot : Offers more activity than a low-interaction honeypot and less than a high-interaction one. (3)High-interaction honeypot : Imitates the activities of a real system. Offers a wide variety of services to the attacker. Lets the user interact as much as possible with the OS. Commercially expensive.
  9. Hands-on Session (1)Working with HoneyDrive (2)Working with PentBox.
  10. PentBox Penetration Testing Tool : Programmed in Ruby, it is a security kit that helps ethical hackers perform their job more easily. Compatible with Windows, Linux and macOS. Open source.
  11. Installation in Linux: (1)Download the file in the browser. URL is : https://sourceforge.net/projects/pentbox18realised/files/latest/download (2)Extract the archive using tar -xvf filename (3)Go to the folder and start PentBox (pentbox.rb).
  12. (1)Selecting Auto Configuration starts the honeypot service on port 80, which is the web service port.
  13. Question : Access Denied, but are we missing something?
  14. (1)The GET line specifies what the user is trying to retrieve with the request. The default is favicon.ico. (2)Host is the IP address. (3)User-Agent : Name of the browser followed by the Linux OS. Gecko is the browser engine used by Mozilla. (4)Accept : The type of data the user wants to receive. (5)Accept-Language : Language in which the data will be received. (6)Connection : Type of connection, persistent or non-persistent. If persistent, the connection is not closed after every request.
  15. Question : (1)What if the user tries to insert a query while pinging? (2)Will the request be seen at the admin side?
  16. Answer : Yes, it will be. This helps us to track the user's activity.
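Slides 14 to 16 walk through the request line and headers that the port-80 honeypot logs, and ask whether a query string added by the visitor is visible to the admin. The following Python is an added example, not PentBox code and not from the slides: it parses a raw HTTP request the way a minimal HTTP honeypot would see it on its socket, keeps the query parameters alongside the headers discussed on slide 14, and derives the persistent/non-persistent flag from the Connection header. The two requests are constructed samples (a browser hitting http://127.0.0.1/?id=42&name=test, and the default favicon.ico fetch).

```python
"""Added example: parse a raw HTTP request as a port-80 honeypot sees it.
Not PentBox code; the sample requests below are constructed for the demo."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a browser on the same box requesting "/" with a query
# string (the situation slide 15 asks about).
SAMPLE_REQUEST = (
    "GET /?id=42&name=test HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed sample: the favicon.ico fetch slide 14 calls the default, with
# the client asking for the connection to be closed afterwards.
FAVICON_REQUEST = (
    "GET /favicon.ico HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: curl/7.58.0\r\n"
    "Accept: */*\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split the request line and headers into the fields slide 14 describes."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    parts = urlsplit(target)               # separates /path from ?query
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first ':' only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    connection = headers.get("connection", "").lower()
    # HTTP/1.1 keeps the connection open unless the client says "close";
    # HTTP/1.0 closes it unless the client asks for keep-alive.
    if version == "HTTP/1.1":
        persistent = connection != "close"
    else:
        persistent = connection == "keep-alive"
    return {
        "method": method,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "version": version,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "accept": headers.get("accept"),
        "accept_language": headers.get("accept-language"),
        "persistent": persistent,
    }


def summarize(req):
    """One log line per request, query string included, for the admin side."""
    query = "&".join(f"{k}={v}" for k, v in sorted(req["query"].items()))
    return (f'{req["host"]} "{req["method"]} {req["path"]}" '
            f'query=[{query}] ua="{req["user_agent"]}" '
            f'persistent={req["persistent"]}')


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, FAVICON_REQUEST):
        print(summarize(parse_request(raw)))
```

The query dictionary is kept separately from the path on purpose: the honeypot answers "Access Denied" to every request, but the log line still records exactly what the visitor asked for, which is the point of slide 16.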
  17. Step 2 : Manual Configuration
  18. Question : What is port 23 used for? How do you ping port 23?
  19. Task : Set up a honeypot service on port 22.
  20. HoneyDrive (1)Linux distro. (2)Virtual appliance with Xubuntu. (3)It is the premier honeypot OS; it has about 10 pre-configured honeypot software packages such as Kippo SSH, the Dionaea malware honeypot, Honeyd, etc. (4)More than 90 tools present for malware analysis, forensics and network monitoring.
  21. The most important file, the README file on the desktop, contains all the details of the configuration of the various honeypots and the malware scanning tools. The paths, passwords, etc. are all stored in the README file.
  22. Kippo : Kippo is a medium-interaction SSH honeypot written in Python. The main job of Kippo is to log brute-force attacks on the system and collect complete information about the entire shell interaction made by the attacker. Kippo consists of a fake filesystem, tricking the attacker into thinking that it is a legitimate one.
  23. Interesting features of Kippo : (1)Fake filesystem with the ability to add/remove files. The system resembles a Debian 5.0 install. (2)Adding contents to important files like passwords, databases, etc. (3)Session logs are stored and a complete analysis of the user is done using Kippo-Graph.
  24. To start Kippo : (1)Browse to your /honeydrive/kippo folder. (2)Start Kippo using the command ./start.sh (3)You will receive a message which says Kippo is running in the background. (4)Kippo successfully started.
  25. To test Kippo : (1)Open another terminal and try to ssh to your localhost. (2)Once you connect, it asks for a password. (3)The default password is '123456'. (4)On entering the password, the prompt root@svr03 shows you have successfully entered the fake filesystem. (5)Browse through the fake filesystem and explore the files. (6)Check nmap to see port 22 running.
  26. Task 1 : CHANGE THE PASSWORD FOR AN ATTACKER. Description : The default password was '123456'; add another password, 'anonymousclub', and ssh into your localhost. Clue : Where do you think passwords would be stored?!
  27. Answer : Browse to /honeydrive/kippo/data/userdb.txt and add another line to the file: root:0:anonymousclub Save and exit. Now ssh back in to check that it works.
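Slides 26 and 27 have you add a second accepted password by appending a line to data/userdb.txt. The Python below is an added example, not Kippo's own login code: it parses records in the username:uid:password form shown on slide 27, checks a login attempt against them the way the honeypot accepts listed pairs, and appends a new record without duplicating one that is already there. The file content is a constructed copy of what the task leaves behind; only exact username/password matches are modelled here (Kippo's real check is assumed to be more elaborate and is not reproduced).

```python
"""Added example: read, check and extend Kippo-style userdb.txt records.
Not Kippo's code; USERDB_TEXT is a constructed sample."""

# Constructed sample of data/userdb.txt after Task 1: the shipped default
# plus the line added on slide 27. Format: username:uid:password per line.
USERDB_TEXT = """root:0:123456
root:0:anonymousclub
"""


def parse_userdb(text):
    """Return a list of (username, uid, password); blank and '#' lines are skipped."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)        # split twice: a password may contain ':'
        if len(fields) != 3 or not fields[1].isdigit():
            raise ValueError(f"userdb line {lineno} is malformed: {line!r}")
        users.append((fields[0], int(fields[1]), fields[2]))
    return users


def check_login(users, username, password):
    """Accept the attempt only if that exact username/password pair is listed."""
    return any(u == username and p == password for u, _uid, p in users)


def add_password(text, username, uid, password):
    """Return the file text with a new record appended (unchanged if present)."""
    if check_login(parse_userdb(text), username, password):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{username}:{uid}:{password}\n"


if __name__ == "__main__":
    users = parse_userdb(USERDB_TEXT)
    for attempt in ("123456", "anonymousclub", "toor"):
        print(f"root/{attempt}: {'accepted' if check_login(users, 'root', attempt) else 'rejected'}")
    print(add_password(USERDB_TEXT, "root", 0, "letmein"), end="")
```

Because the honeypot only ever consults this file, every password that is not listed is logged as a failed attempt, which is what Kippo-Graph later turns into the top-passwords charts.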
  28. Where do you think the details of the entire configuration for the honeypot are stored? Just browse to kippo.cfg in the same Kippo folder. It contains all the details to configure the honeypot.
  29. Kippo-Graph - The tool for analysing the attacker. (1)Go to your web browser and type in http://localhost/kippo-graph/ (2)Select Kippo-Graph. (3)Select Kippo-Input. (4)Select Kippo-Playlog. (5)Select Kippo-IP.
  30. Based on the understanding of the filesystem, complete the following task. Task : Modify the fake filesystem to add a new file or directory to the system such that every time an attacker tries to ssh into the system, it will show your created filesystem. Clue : Recall how the fake filesystem is actually built using a Python script and pickle.
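The task on slide 30 relies on the fact that Kippo's fake filesystem is a nested Python structure written out with pickle. The block below is an added example, not Kippo's createfs.py: it builds a small tree in the same spirit, adds a file under /root, lists directories, and round-trips the tree through pickle in memory. The field positions (A_NAME, A_TYPE, ...) and type codes follow my reading of Kippo's fs.py and are an assumption to verify against your copy; the tree contents are constructed for the demo.

```python
"""Added example: a Kippo-style pickled fake filesystem, built and extended
in memory. Not Kippo's createfs.py; layout constants are an assumption."""
import pickle
import time

# Entry layout assumed to match kippo/core/fs.py: one list per node. Verify
# against the real module before writing data/fs.pickle with this code.
(A_NAME, A_TYPE, A_UID, A_GID, A_SIZE,
 A_MODE, A_CTIME, A_CONTENTS, A_TARGET, A_REALFILE) = range(10)
T_LINK, T_DIR, T_FILE = range(3)      # only the codes used here (assumption)


def make_entry(name, kind, mode, size=0, ctime=None):
    """Build one node; directories keep their children in A_CONTENTS."""
    return [name, kind, 0, 0, size, mode, ctime or int(time.time()), [], None, None]


def build_fs():
    """Constructed minimal tree standing in for the Debian 5.0 image."""
    root = make_entry("/", T_DIR, 0o755)
    etc = make_entry("etc", T_DIR, 0o755)
    etc[A_CONTENTS].append(make_entry("passwd", T_FILE, 0o644, size=1024))
    root[A_CONTENTS].append(etc)
    root[A_CONTENTS].append(make_entry("root", T_DIR, 0o700))
    return root


def find(fs, path):
    """Walk the nested lists to the node at an absolute path, or None."""
    node = fs
    for part in [p for p in path.split("/") if p]:
        if node[A_TYPE] != T_DIR:
            return None                # cannot descend through a file
        node = next((c for c in node[A_CONTENTS] if c[A_NAME] == part), None)
        if node is None:
            return None
    return node


def add_path(fs, path, kind, mode, size=0):
    """Add a file or directory; the parent must exist and the name be free."""
    parent_path, _, name = path.rpartition("/")
    parent = find(fs, parent_path or "/")
    if parent is None or parent[A_TYPE] != T_DIR:
        raise FileNotFoundError(parent_path or "/")
    if find(fs, path) is not None:
        raise FileExistsError(path)
    parent[A_CONTENTS].append(make_entry(name, kind, mode, size))


def listdir(fs, path):
    """Sorted child names of a directory, as the attacker's 'ls' would show."""
    node = find(fs, path)
    if node is None or node[A_TYPE] != T_DIR:
        raise NotADirectoryError(path)
    return sorted(c[A_NAME] for c in node[A_CONTENTS])


def roundtrip(fs):
    """Serialise and reload in memory, as Kippo does with data/fs.pickle."""
    return pickle.loads(pickle.dumps(fs))


if __name__ == "__main__":
    fs = build_fs()
    add_path(fs, "/root/anonymousclub.txt", T_FILE, 0o644, size=32)
    add_path(fs, "/srv", T_DIR, 0o755)
    reloaded = roundtrip(fs)
    print("/    ->", listdir(reloaded, "/"))
    print("/root ->", listdir(reloaded, "/root"))
```

To apply this to HoneyDrive you would load the existing data/fs.pickle instead of build_fs(), add your entries, and dump the result back under the path named in kippo.cfg; the honeypot reads the pickle at start-up, so restart it with ./start.sh for the new tree to appear in every later session.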
