Here is a question fit for networking teams, security teams, and especially CISOs: “What’s in your network?” Would you even know? How would you know? As networks continue to become more complex with applications, virtualization, and devices, these questions can be very difficult to answer. To help answer them, the marketplace has seen an explosion of fancy new solutions for monitoring activity on a network. In addition to those monitoring tools, however, I’d like to suggest implementing a simple concept that has been around in information security for quite a while. Every enterprise should consider running good old fashioned honeypots.
If this is the first time you are reading about honeypots in the context of security, it’s really quite simple. A honeypot is a computer on the network that is intended to look like it has a legitimate production purpose, but it is really there to act as a sort of tripwire for malicious activity. Since no legitimate users would be directed to the honeypot, any traffic hitting the honeypot is likely not legitimate. A honeypot can be configured to look like anything on the network, e.g. print server, web server, file server, etc., so when an attacker is probing the network and comes across a honeypot they think they’ve found a legitimate target.
The value of running a honeypot shouldn’t be underestimated, even if you’re running some of the new AI and machine learning endpoint security solutions available today. Honeypots can be very inexpensive to deploy and maintain, and since they really should receive very little traffic, any log or alert from a honeypot is of high value. Any alert will contain information that is indicative of either malicious traffic (you want to know about that!) or a misconfigured system on the network (you still want to know about that!). There are no false positives here. This information helps you find bad things lurking on your network, but it can also enable you to assist operations when something has been misconfigured.
A honeypot is not just a network security sensor solution, it is also a component of your broader approach to applying network security. Going through the process of implementing a honeypot can actually help you to become more familiar with what your network looks like – from both a topology and behavior perspective. Having a better understanding of your network puts you in a better position to defend it. Also, those cases where you’ve identified misconfigured systems are opportunities to bridge relations with operation teams by providing additional value.
Ultimately, however, to the detriment of an attacker, your network should be a really noisy place. The attacker wants to be stealthy, but if your network is layered with noisy bumps and misleading routes, you’re raising the risk to the attacker. When you increase the risk to the attacker, you’re also increasing what it actually costs the attacker to be successful, which makes you a less attractive target.
If you are interested, and I hope you are, in adding honeypots as a layer in your approach to network security, I have some resources to help you get started. The first resource is an open source honeypot I’ve created called HoneyPy. Intended to be easy to configure and deploy, HoneyPy can be a great tool to help get your feet wet. To accompany HoneyPy, I’ve also authored getting started guides, in blog form, on my personal blog site. The guides cover some additional basics on honeypot concepts, as well as instructions on how to get up and running with HoneyPy. The contents are as follows:
Part 1 – Covers installing, running, and configuring HoneyPy.
Part 2 – Covers services and service profiles.
Part 3 – Covers plugins and loggers.
There is a fourth post on another project called HoneyDB, which leverages honeypots in more of a research capacity. Research is an additional area of value honeypots provide. If you are not in a position to deploy honeypots in an enterprise network, then I encourage you to explore honeypots from a research perspective.
How to Set Up a Honeypot and How to Avoid Them
A honeypot is a computer system that looks enticing to a hacker. It looks important and vulnerable, enough that the hacker attempts to break in. The security community uses it to entrap hackers and to study their techniques. As a hacker, it is important to know that these exist and the risks one bears if you get entrapped in one.
Here, we will be setting up a honeypot. If you leave it up and running, you can observe other hackers practicing their art. In addition, we will do some recon on the honeypot to see what it looks like from the attacker’s perspective.
It’s important to the hacker to know what these honeypots look like from the outside in order to avoid them and avoid a long prison sentence of hard labor and living on gruel three times a day.
There are a number of honeypots on the market including honeynet, honeyd, Tiny Honeypot, NetBait, and ManTrap, but we will be using a commercial honeypot, KFSensor, for Windows.
KFSensor will enable us to have an authentic Windows system hosting it and we can use our Kali Linux system to do recon on it. One of the things we want to accomplish in this tutorial is to identify ways to detect a honeypot and then run far, far away.
Let’s open a browser and navigate to www.kfsensor.com, then download and install the software. It’s a 30-day trial, so we have a month to play with it for free.
Once it is installed, right-click on the KFSensor icon and choose “Run as administrator”. You should get a setup wizard like this.
After going through a few more screens in the wizard choosing the defaults, you come to the screen below that allows you to choose the native services. Let’s choose all of them.
Then, choose your domain name. You might want to make it sound enticing. The default is networksforu.com, but I made mine firstfinanacial.com hoping to make the hacker think it’s a financial website.
Next, you can choose an email address where you want to send the alerts.
Finally, we have a few more options to choose from. Let’s go with the defaults, but note the final option. It allows us to capture packets so that we can analyze the attacks with a tool like Wireshark or another protocol analyzer. It warns you, though, that packet captures can take up a lot of disk space; if you’re trying to catch or study a hacker, it’s necessary. We’ll leave it disabled for now.
When you have completed the wizard, click Finish and you should have an application that looks like this.
Now that we have our honeypot set up, let’s take the approach of the hacker. Just as if we were doing recon on a potential target, let’s use nmap to scan that system. Let’s do a SYN scan:
- nmap -sS 192.168.1.102
As you can see, we find numerous ports open. As a hacker, this is a big RED FLAG. Few commercial web servers would leave all these ports open. Not in 2014!
If we go back to the honeypot, we can see that we set off an alert for a port scan in the purple highlighted area. Remember that a SYN scan does not complete a 3-way handshake, but most intrusion detection systems consider many packets coming in rapid succession from one IP to be a “possible port scan”. This is one reason why it is often advisable to slow your scan down with nmap’s built-in speed controls.
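The two points made so far, that every honeypot hit is worth an alert because no legitimate client should be there (first section), and that many connections in rapid succession from one source read as a “possible port scan” (above), can be turned into a small detector. This is an added example, not code from HoneyPy or KFSensor; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per TCP connection the honeypot accepted.
# The format (timestamp, source IP, destination port) is hypothetical,
# not a real HoneyPy or KFSensor log layout.
SAMPLE_LOG = """\
2014-05-01T10:00:00 10.0.0.7 80
2014-05-01T10:00:00 10.0.0.7 21
2014-05-01T10:00:01 10.0.0.7 22
2014-05-01T10:00:01 10.0.0.7 445
2014-05-01T10:00:02 10.0.0.7 3389
2014-05-01T10:00:02 10.0.0.7 8080
2014-05-01T10:07:30 10.0.0.9 445
2014-05-01T11:30:00 10.0.0.9 445
"""

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\d+)$")


def parse_log(text):
    """Turn raw lines into (timestamp, src_ip, dst_port) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events


def alerts(events, window=timedelta(seconds=10), min_ports=5):
    """Every source that touched the honeypot gets an alert ('contact').
    A source that hits at least min_ports distinct ports within `window`
    is escalated to 'portscan'. Returns {src: (severity, hits, distinct_ports)}."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    result = {}
    for src, hits in by_src.items():
        severity = "contact"
        # sliding window anchored at each hit of this source, in time order
        for i, (start, _) in enumerate(hits):
            ports = {p for ts, p in hits[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                severity = "portscan"
                break
        result[src] = (severity, len(hits), len({p for _, p in hits}))
    return result
```

A source like 10.0.0.9, which returns to a single port hours apart, still surfaces as a contact alert, which is exactly the misconfigured-system case the first section says you want to hear about.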
In an earlier guide, I showed you how to use nikto to find vulnerabilities in web servers. Let’s use it here against this honeypot.
- ./nikto.pl -h 192.168.1.102
Our results tell us that this system is a default install of Microsoft’s IIS 7 server. Another RED FLAG that this might be a honeypot.
Lastly, let’s try a banner grab. We can connect with netcat to port 80 and then try to grab the web server banner, if there is one.
- nc 192.168.1.102 80
- HEAD / HTTP/1.0
As you can see, we were able to grab the banner identifying the web server as Microsoft’s IIS 7.5.
There is NO single telltale sign of a honeypot, but there are a few things to keep in mind.
- The age-old adage, “if it is too good to be true, it probably is”, applies as well to hacking. Those sites that seem extraordinarily easy to hack are likely traps.
- Look for unusual services and ports open. Most internet-facing systems are stripped of any unnecessary services. If it has a lot of unusual services and ports open, these are meant to attract attackers and it may be a honeypot.
- If it is a default install, it may be a honeypot.
- If there is little or no activity, it may be a honeypot.
- If you see directories with names such as “social security numbers” or “credit card numbers”, it may be a honeypot.
- If you see very little software installed, it may be a honeypot.
- If there is a lot of free space on the hard drive, it may be a honeypot.