CyberMorans🤗
Today, we set up a system to attract hackers😈 so we can catch and analyze their actions against us😎 Since nearly all of the hackers around the world target Windows servers🙄 for all of their known flaws and vulnerabilities, we will set up a Windows system to do just that 🚀
A honeypot is a computer system that looks very attractive to a hacker🤨 It looks important and vulnerable enough that the hacker attempts to break in. It is used to entrap hackers and lets security analysts study their techniques🤫 In a moment, we will set up a honeypot. When it's left running, we can observe other hackers😈 practicing their art on us 🤭
There are a number of honeypots on the market, including Google Hack Honeypot, Nodepot, honeynet, honeyd, Tiny Honeypot, NetBait, Kippo, Cowrie, ManTrap, etc., but we will be using KFSensor, for Windows😌
Navigate to 👉 www.kfsensor.com 👈 then download and install the software. It's a 30-day trial, so we have a month to play with it for free 👇
Next, right-click on the KFSensor icon and choose "Run as administrator". You should get a setup wizard like so 👇
You end up at the screen below, which allows you to choose the native services. Select all of them 👇
Choose your domain name and make it juicy🤡 for them hackers😈 The default is networksforum.com, but I made mine Supercrypto.com hoping to make the hacker think it's a crypto website. This stuff gives hackers raging boners🍌🥴. Then enter an email address where you want to send the alerts 😌
Lastly, there are a few options to choose. Let's go with the defaults, except for the final option: it allows us to capture the packets so that we can analyze the attacks🧐 with a tool like Wireshark or another protocol analyzer. It warns you that packet captures can take up a lot of disk space, but if you're trying to catch or study a hacker😈, it's necessary 👇
When you have completed the wizard, click Finish and you should have an application that looks like this 👇
When there is an event, it will set off an alert for a port scan in a purple highlighted area. Most intrusion detection systems 😎 consider many packets coming in rapid succession from one IP to be a "possible port scan". This is one reason why it is often advisable to slow your scan down with nmap's built-in speed controls😈
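The "many packets in rapid succession from one IP" heuristic described above, as an added example that is not part of the original post and is not KFSensor's own logic: it counts distinct destination ports per source inside a sliding time window. The function name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (seconds since start, source IP, destination port).
# Addresses come from the documentation ranges; this is not KFSensor output.
EVENTS = (
    # One source touching eight different ports, one per second.
    [(t, "203.0.113.7", p)
     for t, p in enumerate([21, 22, 23, 25, 80, 110, 135, 445])]
    # An ordinary client hitting the same web port ten times.
    + [(t, "198.51.100.20", 80) for t in range(10)]
    # One source touching a new port only once a minute.
    + [(t * 60, "192.0.2.55", p)
       for t, p in enumerate([21, 22, 23, 25, 80, 110])]
)


def detect_port_scans(events, window=10, min_ports=5):
    """Return {source_ip: time_of_first_alert}.

    A source is flagged as a possible port scan when it has contacted at
    least `min_ports` distinct ports within any span of `window` seconds.
    """
    recent = defaultdict(deque)  # source -> (time, port) pairs still in window
    alerts = {}
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        # Drop events that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if src not in alerts and len(distinct_ports) >= min_ports:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    # Short window: only the rapid sweep is flagged.
    print(detect_port_scans(EVENTS))
    # Longer window: the once-a-minute sweep is flagged as well.
    print(detect_port_scans(EVENTS, window=600))
```

Counting distinct ports rather than raw packets keeps the repeat web client from being flagged, and running the same check over a second, longer window is what lets the honeypot operator see sweeps that are spread out in time.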
🚀 So what info can KFSensor give you to understand the attacks?
🚀 Some Obvious Signs of a Honeypot
There is NO single telltale sign of a honeypot; however, there are a few things to keep in mind.
👉 Those sites that seem extraordinarily easy to hack are likely traps.
👉 Look for unusual services and ports open. Most internet-facing systems are stripped of any unnecessary services. If it has a lot of unusual services and ports open, these are meant to attract attackers and it may be a honeypot.
👉 If it is a default install, it may be a honeypot.
👉 If there is little or no activity, it may be a honeypot.
👉 If you see directories with names such as "social security numbers" or "credit card numbers", it may be a honeypot.
👉 If you see very little software installed, it may be a honeypot.
👉 If there is a lot of free space on the hard drive, it may be a honeypot.
👉 If it is affiliated to a law enforcement agency with default configurations
👉 If it is a system that seems too outdated compared to the rest of the org's infrastructure...
👉 If all 65k+ ports are open, that's a definite red flag
....ETC
🚀Conclusion 🤖
Subscribe to receive notifications of similar posts 😜 where we will be reverse engineering malware, vulnerabilities as well as hacking vectors, stories, tutorials and other Infosec stuff...😋
Follow me on twitter for daily Infosec Memes and shenanigans😝
Morans,
Thank you for taking the time, and I hope you learned something new. Like and leave a comment/review and, as always, stay awesome! 😋👊 💪