
HoneyPots

Hands-on session

By:
(1) Rushikesh Kulkarni
(2) Samarth Suresh
General understanding:

Honeypots are network-connected devices that look very vulnerable and attractive in the eyes of a hacker, but the sole reason for their existence is that they are meant to be hacked. A honeypot can also be referred to as a computer security mechanism.

So basically, the system is designed to intentionally have vulnerabilities.
(1) A group of such honeypots is called a honeynet. A honeynet is a set of multiple systems present on a network, all of which are vulnerable and can be hacked.

(2) Honeynets can also contain real-time applications and services in order to attract the hacker to exploit the system.

(3) These applications are given attractive names like "finance" or "important documents", etc.
Why do they exist?

(1) Leaves a vulnerable system on your network.
(2) Designing a system for the task is tedious.
(3) Expensive while building commercial honeypots.
Main reasons for existence:

(1) You realise the different types of attacks that can be implemented and hence develop more secure and reliable networks.

(2) Develop an alert system that fires during the process of breaching the network.

(3) To have an in-depth study of the activities of the hackers.

(4) Diverting the attacker from the original application, hence giving the hacker the misconception that he/she managed to hack the system.
Types of honeypots:

(1) Database honeypots
Databases are most vulnerable to SQL injection (SQLi) attacks, so most databases today include the honeypot architecture. The intruder runs through a trap database while the web application still remains functional.

(2) Email traps, also called spam traps
Used for collecting spam messages. The honeypot detects that a message is spam and hence blocks that email address from sending it to another user on the same network.
Types of honeypots (continued):

(3) Malware honeypot:
Make a copy of the existing malware and test it by running the existing malware vectors. This can be used for scanning USB drives to test for malware.

(4) Pure honeypot:
A full copy of a production system. For example: make an instance of a working application and redirect the attacker to a fake database.
Based on interaction with an attacker:

(1) Low-interaction honeypot:
Simulates only the services frequently requested by attackers. Mainly used just to alert.

(2) Medium-interaction honeypot:
Offers more activity than low-interaction honeypots and less than high-interaction ones.

(3) High-interaction honeypot:
Imitates the activities of a real system. Offers a wide variety of services to the attacker. Lets the attacker interact as much as possible with the OS. Commercially expensive.
Hands-on session

(1) Working with HoneyDrive
(2) Working with PentBox

PentBox

Programmed in Ruby, it is a security kit that will help ethical hackers to perform their job more easily.

Compatible with Windows, Linux and MacOS.

Open-source penetration testing tool.


Installation in Linux:

(1) Download the file in the browser. The URL is:
https://sourceforge.net/projects/pentbox18realised/files/latest/download
(2) Extract the archive using
tar -xvf filename
(3) Go to the folder and start PentBox (pentbox.rb).

Step 1: Auto Configuration

(1) Selecting Auto Configuration starts the honeypot service on port 80, which is the web service port.
Question:

Access Denied, but are we missing something?

The honeypot's log records every field of the request:

(1) GET line: specifies what the user is trying to extract during the request. The default is favicon.ico.
(2) Host: the IP address the request was sent to.
(3) User-Agent: the name of the browser, followed by the Linux OS. Gecko is the browser engine used by Mozilla.
(4) Accept: the type of data the user wants to receive.
(5) Accept-Language: the language in which the data will be received.
(6) Connection: the type of connection, persistent or non-persistent. If persistent, the connection is not closed after every request.
Question:

(1) What if the user tries to insert a query while pinging?
(2) Will the request be seen at the admin side?

Answer:

Yes, it will be. This helps us to track the user's activity.
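To make the above concrete, here is a minimal Python stand-in for the PentBox web honeypot. It is an example added for this session, not PentBox's own code: it listens on a port, records the request line and every header from the list above (including any query string appended to the path, which is what the question about inserting a query is asking), answers with "Access Denied", and keeps the record in a log list for the admin side. The Firefox-style request it sends to itself is constructed for the demonstration, and it binds 127.0.0.1 on an ephemeral port, so it runs offline.

```python
import socket
import threading
from datetime import datetime, timezone

# Response sent to every visitor, in the spirit of PentBox's "Access Denied"
ACCESS_DENIED = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 13\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"Access Denied"
)


def parse_http_request(raw):
    """Request line + headers. path keeps any query string verbatim, headers
    are keyed by lower-cased name. Nothing is validated: a honeypot records
    the visitor's input, it does not reject it."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    record = {
        "method": parts[0] if len(parts) > 0 else "",
        "path": parts[1] if len(parts) > 1 else "",
        "version": parts[2] if len(parts) > 2 else "",
        "headers": {},
    }
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            record["headers"][name.strip().lower()] = value.strip()
    return record


def handle_client(conn, addr, log):
    """Read one request, append a log record, answer with Access Denied."""
    with conn:
        conn.settimeout(2.0)
        data = b""
        try:
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # keep whatever arrived; a partial probe is still evidence
        record = parse_http_request(data)
        record["client"] = addr[0]
        record["time"] = datetime.now(timezone.utc).isoformat()
        log.append(record)
        conn.sendall(ACCESS_DENIED)


def serve_one(host="127.0.0.1", port=0):
    """Listen on host:port (0 = ephemeral), serve one connection in a
    background thread. Returns (bound port, log list, thread)."""
    log = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def run():
        conn, addr = srv.accept()
        srv.close()
        handle_client(conn, addr, log)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return bound_port, log, thread


def send_probe(port, request):
    """Play the visitor: send a raw request, return the whole response."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(request)
        chunks = []
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample: a Firefox-on-Linux header set with a query string
# appended to the path, as in the "insert a query while pinging" question.
SAMPLE_REQUEST = (
    b"GET /favicon.ico?q=test HTTP/1.1\r\n"
    b"Host: 127.0.0.1\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n"
    b"Accept: image/webp,*/*\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def demo():
    """Run the listener, probe it once, return (log record, raw response)."""
    port, log, thread = serve_one()
    response = send_probe(port, SAMPLE_REQUEST)
    thread.join(timeout=5)
    return log[0], response
```

Calling demo() shows both sides at once: the visitor only ever sees the 403 line and "Access Denied", while the returned record holds the client address, the full path with its query string, and each header by name, which is the view the admin gets in the PentBox log.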


Step 2: Manual Configuration

Question:

What is port 23 used for?

How do you ping port 23?

Task:

Set up a honeypot service on port 22.


HoneyDrive

(1) Linux distro.
(2) Virtual appliance based on Xubuntu.
(3) It is the premier honeypot OS; it has about 10 pre-configured honeypot software packages such as Kippo (SSH), Dionaea (malware) honeypots, Honeyd, etc.
(4) More than 90 tools present for malware analysis, forensics and network monitoring.

The most important file, the README file on the desktop, contains all the details of the configuration of the various honeypots and the malware scanning tools.

The paths, passwords, etc. are all stored in the README file.
Kippo

Kippo is a medium-interaction SSH honeypot written in Python.

The main job of Kippo is to log brute-force attacks on the system and collect complete information about the entire shell interaction made by the attacker.

Kippo consists of a fake filesystem, tricking the attacker into thinking that it is a legitimate one.

Interesting features of Kippo:
(1) Fake filesystem with the ability to add/remove files. The system resembles a Debian 5.0 installation.
(2) Adding contents to important files like passwords, databases, etc.
(3) Session logs are stored and complete analysis of the attacker is done using Kippo-Graph.
To start Kippo:

(1) Browse to your /honeydrive/kippo folder.
(2) Start Kippo using the command ./start.sh
(3) You will receive a message which says Kippo is running in the background.
(4) Kippo successfully started.

To test Kippo:

(1) Open another terminal and try to ssh to your localhost.
(2) Once you connect, it asks for a password.
(3) The default password is '123456'.
(4) On entering the password, the prompt root@svr03 shows you have successfully entered the fake filesystem.
(5) Browse through the fake filesystem and explore the files.
(6) Check with nmap to see port 22 running.
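Step (6) above checks with nmap that port 22 is open. The same check can be scripted so that the honeypot host verifies its own decoy is up after every restart. The example below is added for this page and is not part of Kippo or HoneyDrive: check_service connects and reads the identification line an SSH server sends before the client says anything, and a small stand-in server with a constructed banner lets the check run offline. Pointed at 127.0.0.1:22 on HoneyDrive it returns Kippo's real banner, whose text is configured in kippo.cfg.

```python
import socket
import threading


def check_service(host, port, timeout=3.0):
    """Connect to host:port and read whatever the service sends first.

    Returns (reachable, banner_text). SSH servers send an identification
    line such as SSH-2.0-... immediately, so one connect + recv confirms the
    honeypot is listening and shows what it claims to be. A port that is
    open but silent (HTTP waits for the client) yields (True, "")."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(256)
            except socket.timeout:
                banner = b""
            return True, banner.decode("ascii", errors="replace").strip()
    except OSError:
        return False, ""


def fake_ssh_banner_server(banner, host="127.0.0.1"):
    """Stand-in for a listening honeypot so the check can run offline:
    accept one client, send the banner, close. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(banner)

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port(host="127.0.0.1"):
    """Bind-and-release to obtain a port nothing listens on (closed-port case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def demo():
    """Check a fake 'up' honeypot and a closed port; return both results."""
    # Constructed banner for the demo; Kippo's actual string comes from kippo.cfg
    port = fake_ssh_banner_server(b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n")
    up = check_service("127.0.0.1", port)
    down = check_service("127.0.0.1", unused_port())
    return up, down
```

A cron job that calls check_service("127.0.0.1", 22) and alerts when the first element is False, or when the banner changes unexpectedly, is a cheap way to notice that the decoy has died or been replaced.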
Task 1: CHANGE THE PASSWORD FOR AN ATTACKER

Description: The default password was '123456'; add another password, 'anonymousclub', and ssh into your localhost.

Clue: Where do you think passwords would be stored?!

Answer:

Browse to /honeydrive/kippo/data/userdb.txt

Add another line to the file:

root:0:anonymousclub

Save and exit. Now ssh back to check if it is working.
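The answer above edits userdb.txt by hand. The following Python helper, added for this page and not Kippo's own password code, implements the three-field layout the slide shows (username:uid:password): it parses the file, checks a login against it, and appends a new entry without clobbering the last line or duplicating an existing one. The demo works on a temporary copy of the file that it constructs itself; on HoneyDrive the real path is /honeydrive/kippo/data/userdb.txt. Kippo's own checker may accept more syntax than plain three-field lines; only what the slide shows is handled here.

```python
import os
import tempfile


def parse_userdb(text):
    """Return [(username, uid, password), ...] from userdb.txt content.

    Blank lines and '#' comments are skipped. A line with the wrong number
    of fields raises, so a typo cannot silently lock out or open up the
    honeypot. Passwords may themselves contain ':' (split is limited to 2)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)
        if len(fields) != 3:
            raise ValueError(f"userdb line {lineno}: expected user:uid:password, got {line!r}")
        user, uid, password = fields
        entries.append((user, int(uid), password))
    return entries


def check_login(entries, user, password):
    """Accept the login if any entry matches user and password exactly."""
    return any(u == user and p == password for u, _, p in entries)


def add_password(path, user, uid, password):
    """Append user:uid:password to the file unless that exact entry exists.
    Returns True when a line was written. A file lacking a final newline
    gets one first, so the new entry never fuses with the previous line."""
    with open(path, "r", encoding="utf-8") as f:
        text = f.read()
    if (user, uid, password) in parse_userdb(text):
        return False
    if text and not text.endswith("\n"):
        text += "\n"
    text += f"{user}:{uid}:{password}\n"
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)
    return True


def demo():
    """Replay the task on a constructed copy: default 123456, then add anonymousclub."""
    # Stand-in for /honeydrive/kippo/data/userdb.txt (constructed temp file)
    path = os.path.join(tempfile.mkdtemp(), "userdb.txt")
    with open(path, "w", encoding="utf-8") as f:
        f.write("root:0:123456")  # the default line, deliberately without a trailing newline
    added = add_password(path, "root", 0, "anonymousclub")
    added_again = add_password(path, "root", 0, "anonymousclub")
    with open(path, encoding="utf-8") as f:
        entries = parse_userdb(f.read())
    return {
        "added": added,
        "added_again": added_again,
        "old_still_works": check_login(entries, "root", "123456"),
        "new_works": check_login(entries, "root", "anonymousclub"),
        "wrong_rejected": check_login(entries, "root", "letmein"),
        "entries": entries,
    }
```

Every password you add here is one more credential the honeypot will accept, so keep the list short and deliberate: the point is to let an attacker in under a known password, not to make the decoy indistinguishable from a real host with lax credentials.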
Where do you think the details of the entire configuration for the honeypot are stored?

Just browse to kippo.cfg in the same kippo folder. It contains all the details to configure the honeypot.
Kippo-Graph - the tool for analysing the attacker.

(1) Go to your web browser and type in http://localhost/kippo-graph/
(2) Select Kippo-Graph.
(3) Select Kippo-Input.
(4) Select Kippo-Playlog.
(5) Select Kippo-IP.


Based on the understanding of the filesystem, complete the following task.

Task: Modify the fake filesystem to add a new file or directory to the system such that every time an attacker tries to ssh into the system, it will show your created filesystem.

Clue: Recall how the fake filesystem is actually built using a Python script and pickle.
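The clue points at the pickle file that Kippo loads as its fake filesystem. The example below, added for this page and not Kippo's own filesystem-generation script, shows the mechanics: a tree of nested lists with one list per node, a lookup, an add_entry that creates missing parent directories and refuses to overwrite anything, and a save/load round trip through pickle. The per-node field order is an assumption stated at the top of the block; compare it with the filesystem module in your /honeydrive/kippo copy before writing to the real pickle file named in kippo.cfg, and keep a backup of the original. Only load a pickle you generated yourself: unpickling untrusted data executes code.

```python
import pickle
import time
from io import BytesIO

# Node layout ASSUMED for this example (verify against your Kippo copy):
# [name, type, uid, gid, size, mode, ctime, children, link_target, real_file]
A_NAME, A_TYPE, A_UID, A_GID, A_SIZE, A_MODE, A_CTIME, A_CONTENTS, A_TARGET, A_REALFILE = range(10)
T_LINK, T_DIR, T_FILE = 0, 1, 2


def make_dir(name, mode=0o755):
    return [name, T_DIR, 0, 0, 4096, mode, int(time.time()), [], None, None]


def make_file(name, size, mode=0o644):
    # size is what `ls -l` will show the attacker; no real content is stored here
    return [name, T_FILE, 0, 0, size, mode, int(time.time()), [], None, None]


def _child(node, name):
    return next((c for c in node[A_CONTENTS] if c[A_NAME] == name), None)


def lookup(root, path):
    """Walk an absolute path through the tree; return the node or None."""
    node = root
    for part in [p for p in path.split("/") if p]:
        if node[A_TYPE] != T_DIR:
            return None
        node = _child(node, part)
        if node is None:
            return None
    return node


def add_entry(root, parent_path, entry):
    """Attach entry under parent_path, creating missing directories on the
    way. Raises on a name collision so bait never overwrites an existing node."""
    parent = root
    for part in [p for p in parent_path.split("/") if p]:
        child = _child(parent, part)
        if child is None:
            child = make_dir(part)
            parent[A_CONTENTS].append(child)
        elif child[A_TYPE] != T_DIR:
            raise ValueError(f"{part} exists and is not a directory")
        parent = child
    if _child(parent, entry[A_NAME]) is not None:
        raise ValueError(f"{entry[A_NAME]} already exists under {parent_path}")
    parent[A_CONTENTS].append(entry)


def listing(root, path):
    """Sorted child names of a directory, or None if path is not a directory."""
    node = lookup(root, path)
    if node is None or node[A_TYPE] != T_DIR:
        return None
    return sorted(c[A_NAME] for c in node[A_CONTENTS])


def save(root, fileobj):
    # protocol 2 stays loadable by Python 2, which Kippo runs on
    pickle.dump(root, fileobj, protocol=2)


def load(fileobj):
    # pickle.load runs code embedded in the data: only load files you made
    return pickle.load(fileobj)


def demo():
    """Build a tiny Debian-like tree, add bait under /root, round-trip it."""
    root = make_dir("/")
    for name in ("bin", "etc", "home", "root", "var"):
        root[A_CONTENTS].append(make_dir(name))
    # Constructed bait: an attractive directory name, as the slides suggest
    add_entry(root, "/root", make_dir("finance"))
    add_entry(root, "/root/finance", make_file("accounts_2019.xls", 48213))
    add_entry(root, "/root/finance", make_file("passwords.txt", 128, mode=0o600))
    buf = BytesIO()  # stands in for the pickle file on disk
    save(root, buf)
    buf.seek(0)
    return load(buf)
```

After the round trip the attacker's `ls /root/finance` inside the honeypot would list the two bait files with the sizes and modes given; the mode 0o600 on passwords.txt is deliberate, since a world-readable password file looks less like a real admin's mistake and more like a trap.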
