CyberMorans
Today, we set up a system to attract hackers so we can catch and analyze their actions against us. Since nearly all of the hackers around the world target Windows servers for their well-known flaws and vulnerabilities, we will set up a Windows system to do just that.
A honeypot is a computer system that looks very attractive to a hacker. It looks important and vulnerable, enough that the hacker attempts to break in. It is used to entrap hackers and as a way for security analysts to study the techniques hackers use. In a moment, we will set up a honeypot. When it is left running, we can observe other hackers practicing their art on us.
There are a number of honeypots on the market, including Google Hack Honeypot, Nodepot, honeynet, honeyd, Tiny Honeypot, NetBait, Kippo, Cowrie, ManTrap, etc., but we will be using KFSensor for Windows.
Navigate to www.kfsensor.com, then download and install the software. It's a 30-day trial, so we have a month to play with it for free.
Next, right-click on the KFSensor icon and choose "Run as administrator". You should get a setup wizard like the one shown below.
You end up at the screen below, which allows you to choose the native services. Select all of them.
Choose your domain name and make it juicy for the hackers. The default is networksforum.com, but I made mine Supercrypto.com, hoping to make the hacker think it's a crypto website. This stuff gives hackers raging boners. Then enter an email address where you want the alerts sent.
Lastly, there are a few options to choose. Let's go with the defaults, but NOT for the final option. That option allows us to capture the packets so that we can analyze the attacks with a tool like Wireshark or another protocol analyzer. It warns you that packet captures can take up a lot of disk space; if you're trying to catch or study a hacker, it's necessary.
When you have completed the wizard, click Finish and you should have an application that looks like this:
When there is an event, it will raise an alert for a port scan in a purple highlighted area. Most intrusion detection systems consider many packets arriving in rapid succession from one IP to be a "possible port scan". This is one reason why it is often advisable to slow your scan down with nmap's built-in speed controls.
So what info can KFSensor give you to understand the attacks?
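The "many packets in rapid succession from one IP" heuristic described above, as an added example that is not from this post or from KFSensor: a small Python detector that flags a source IP touching many distinct ports inside a short time window, run over constructed honeypot connection log lines (the log format, the IPs and the thresholds are assumptions made for the example).

```python
"""Added example (not part of the original post or KFSensor): a simple
port-scan heuristic that flags a source IP which touches many distinct
ports within a short time window. Log format and values are constructed."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines: "<timestamp> <src_ip> <dst_port>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 22
2024-01-01T10:00:01 203.0.113.5 23
2024-01-01T10:00:01 203.0.113.5 80
2024-01-01T10:00:02 203.0.113.5 443
2024-01-01T10:00:02 203.0.113.5 445
2024-01-01T10:00:03 203.0.113.5 3389
2024-01-01T10:00:05 198.51.100.9 80
2024-01-01T10:02:00 198.51.100.9 443
2024-01-01T10:03:00 198.51.100.9 22
"""

def parse_log(text):
    """Yield (timestamp, src_ip, port) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], int(parts[2])
        except ValueError:
            continue

def detect_port_scans(text, window_seconds=10, port_threshold=5):
    """Return {src_ip: max_distinct_ports} for IPs that hit at least
    `port_threshold` distinct ports within any `window_seconds` span."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, port), oldest first
    flagged = {}
    for ts, ip, port in sorted(parse_log(text), key=lambda e: e[0]):
        q = recent[ip]
        q.append((ts, port))
        # drop events that fell out of the sliding window
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= port_threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(ports))
    return flagged

if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

Lowering the window or raising the threshold trades missed slow scans for fewer false alerts, which is exactly the trade-off the nmap timing controls exploit.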
Some Obvious Signs of a Honeypot
There is NO single telltale sign of a honeypot; however, here are a few things to keep in mind.
- Sites that seem extraordinarily easy to hack are likely traps.
- Look for unusual services and open ports. Most internet-facing systems are stripped of any unnecessary services. If a system has a lot of unusual services and ports open, they are meant to attract attackers and it may be a honeypot.
- If it is a default install, it may be a honeypot.
- If there is little or no activity, it may be a honeypot.
- If you see directories with names such as "social security numbers" or "credit card numbers", it may be a honeypot.
- If you see very little software installed, it may be a honeypot.
- If there is a lot of free space on the hard drive, it may be a honeypot.
- If it is affiliated with a law enforcement agency and runs default configurations, it may be a honeypot.
- If it is a system that seems too outdated compared to the rest of the organization's infrastructure, it may be a honeypot.
- If all 65k+ ports are open, that's a definite red flag.
...and so on.
Conclusion
Subscribe to receive notifications of similar posts, where we will be reverse engineering malware and vulnerabilities, as well as covering hacking vectors, stories, tutorials and other infosec stuff.
Follow me on Twitter for daily infosec memes and shenanigans.
Morans,
Thank you for taking the time, and I hope you learned something new. Like and leave a comment/review and, as always, stay awesome!