What is Wireshark?


Wireshark is the most widely used network protocol analyzer. It is a free and open source packet analyzer released under the terms of the GNU General Public License (GPL), and it is used mainly for network troubleshooting, analysis, software and communications protocol development, and education. It shows its user what is happening on their network at a microscopic level. Many commercial and non-profit organizations, government agencies, and educational institutions use Wireshark.

History:

In 1998 Gerald Combs, a computer science graduate of the University of Missouri-Kansas City, started a project named Ethereal. It was the foundation of Wireshark, which has carried its current name since 2006, when Combs started to work with CACE Technologies while holding the copyright of most of the project’s code. The rest of the code was open for modification under the GPL terms. Volunteer contributions from network experts around the world were then added to the project, making it as famous and widely used as it is today.

Because Combs did not own the Ethereal trademark, he decided to rename the project Wireshark. It was not until 2010, when Riverbed Technology purchased CACE Technologies, that Riverbed became the main sponsor of Wireshark. There are several hundred contributors (around 600 authors) to this product; still, Combs is primarily responsible for maintaining the overall code and releasing new versions of Wireshark.

Wireshark has won several awards for its vital role in today’s network security. It received the Most Important Open-Source App of All Time award from eWeek and the Editor’s Choice award from PC Magazine. In addition, the Insecure.Org network security tools survey ranked it as a top packet sniffer.

The functionality of Wireshark:

Similar to tcpdump, a common packet analyzer, Wireshark lets us analyze network packets, but with the aid of a graphical front-end and some extra integrated sorting and filtering options. If the network interface controller (NIC) supports promiscuous mode, Wireshark puts it into that mode. This is done in order to see all the traffic on the interface, not merely traffic addressed to the interface’s configured addresses plus broadcast/multicast traffic.

However, promiscuous mode on a single switch port does not necessarily see all the network traffic, because a port does not necessarily receive all of it. To capture the entire network traffic, other techniques such as port mirroring and network taps are used in addition to promiscuous mode on the capturing port.

Wireshark 1.4 and later can put wireless network interface controllers into monitor mode. Packets captured on a remote machine and forwarded to Wireshark in the TZSP protocol or OmniPeek’s remote capture protocol (OmniPeek is another packet analyzer) are dissected as they were captured on the remote machine.

What features does Wireshark include?

Wireshark offers a large set of features. The following points summarize the features that Wireshark offers:

  • Wireshark is a network analyzer that inspects hundreds of protocols.
  • It allows both live capture and offline analysis.
  • It runs on diverse operating systems such as Microsoft Windows, Linux, macOS, Sun Solaris, and several other platforms.
  • A graphical user interface (GUI) built on the Qt widget toolkit lets us browse captured network data; the non-GUI, TTY-mode TShark utility can be used for the same purpose.
  • It offers rich Voice over Internet Protocol (VoIP) analysis. When decoding such captured traffic, we can even play back the media stream.
  • Wireshark uses pcap to capture packets.
  • Capture files can be gzip-compressed and are easily decompressed.
  • Capture files can be programmatically edited or converted with the “editcap” command-line tool and its switches.
  • It allows capturing raw Universal Serial Bus (USB) traffic.
  • Wireshark can read packets produced by ns, OPNET Modeler, NetSim, and other network simulation tools.
  • It reads and writes many capture file formats: tcpdump (libpcap), which is the native network trace file format, Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer, Sniffer Pro, NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix k12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek and several other formats.
  • It reads live data from Ethernet, IEEE 802.11, PPP/HDLC, ATM, loopback, Bluetooth, FDDI, and many other link types.
  • Decryption is supported for many protocols including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
  • Coloring rules applied to the packet list allow quick and easy analysis. See the Color Coding section below for further details.
  • Capture filters, timers, and other settings ensure that only the traffic of interest is captured and analyzed.
  • Output can be exported and formatted as XML, PostScript, CSV, or plain text.

Security Policies:

In general, neither Wireshark nor TShark needs special security privileges to run. Nowadays only the capture helper, tcpdump or dumpcap, needs elevated privileges: it captures traffic on the machine, and the user who analyzes the capture needs no further privileges.

But how can a superuser grant those required privileges to a user? The answer lies in the fact that tcpdump or dumpcap, which ship with Wireshark, need special privileges only to capture packets into a file. That file can then be opened in Wireshark for analysis under tightly restricted privileges. Even on wireless networks, the Aircrack wireless security tools can capture IEEE 802.11 frames to tcpdump/dumpcap-style files that are read with Wireshark afterwards.

Why do we restrict users from running Wireshark and its tools with full privileges? Capturing traffic invokes an enormous number of protocol dissectors, which is a real security risk: a bug in any one of these dissectors could be found and exploited, putting the entire system at great risk. That is why running Ethereal/Wireshark in the past required superuser privileges, so that one person was responsible for whatever could be affected.

Filtering Packets:

Sometimes we need to capture specific traffic, such as the packets a program sends when phoning home. On a busy network a capture contains an enormous number of packets, so without filters one would have to close every other application using the network just to isolate one kind of traffic. This is where Wireshark’s filters come in. At the top of the window there is a filter box: simply type a filter expression there and click Apply, or press Enter. For instance, to see only DNS packets, type “DNS” in the filter box. Wireshark auto-completes filter names as you type them.

Color Coding:

The colors green, blue, and black distinguish the types of captured packets. Conventionally, green indicates Transmission Control Protocol (TCP) traffic. Dark blue is Domain Name System (DNS) traffic, whereas light blue shows User Datagram Protocol (UDP) traffic. Black marks TCP packets with problems, such as out-of-order segments.
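To make the capture file format, the display filter, and the coloring rules above concrete, here is an added Python example (it is not code from the Wireshark project or from this article). It parses a classic libpcap file, labels every frame the way the default coloring rules would (TCP, DNS, UDP, bad TCP), and applies a one-word filter such as “dns”. The capture it reads is constructed in memory; the out-of-order check is a deliberately simplified stand-in for Wireshark’s TCP analysis, and pcapng and gzip-compressed files are not handled.

```python
"""Read a classic libpcap capture, classify frames like Wireshark's default
colouring rules, and apply a one-word display filter. Added example; the
capture below is constructed, not a real trace."""
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic number
LINKTYPE_ETHERNET = 1


def read_pcap(data: bytes) -> Iterator[bytes]:
    """Yield the raw Ethernet frame of every record in a classic libpcap file."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # same magic, written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic libpcap capture (pcapng/gzip not handled)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        yield frame


def classify(frames: List[bytes]) -> List[str]:
    """Label frames 'TCP' (green), 'DNS' (dark blue), 'UDP' (light blue),
    'TCP-problem' (black) or 'other'. Simplified out-of-order rule: a segment
    whose sequence number is below the highest already seen on its flow."""
    labels: List[str] = []
    highest_seq: Dict[Tuple[bytes, bytes, int, int], int] = {}
    for frame in frames:
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            labels.append("other")           # not IPv4 over Ethernet
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst, l4 = ip[12:16], ip[16:20], ip[ihl:]
        if proto == 6 and len(l4) >= 20:     # TCP
            sport, dport, seq = struct.unpack("!HHI", l4[:8])
            flow = (src, dst, sport, dport)
            if seq < highest_seq.get(flow, 0):
                labels.append("TCP-problem")
            else:
                highest_seq[flow] = seq
                labels.append("TCP")
        elif proto == 17 and len(l4) >= 8:   # UDP; port 53 on either side is DNS
            sport, dport = struct.unpack("!HH", l4[:4])
            labels.append("DNS" if 53 in (sport, dport) else "UDP")
        else:
            labels.append("other")
    return labels


def display_filter(frames: List[bytes], expr: str) -> List[int]:
    """Indexes of frames matching a one-word filter ('dns', 'tcp', 'udp'),
    a stand-in for typing the protocol name into Wireshark's filter bar."""
    want = expr.strip().lower()
    return [i for i, label in enumerate(classify(frames)) if label.lower().startswith(want)]


# --- constructed sample capture (hypothetical addresses 10.0.0.1 -> 10.0.0.2) ---
def _ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + hdr + payload


def _tcp(sport: int, dport: int, seq: int) -> bytes:
    return _ipv4(6, struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + b"data")


def _udp(sport: int, dport: int) -> bytes:
    return _ipv4(17, struct.pack("!HHHH", sport, dport, 12, 0) + b"quer")


def build_sample_pcap() -> bytes:
    """DNS query, two in-order TCP segments, one out-of-order segment, plain UDP."""
    frames = [_udp(40000, 53), _tcp(50000, 80, 1000), _tcp(50000, 80, 2000),
              _tcp(50000, 80, 1500), _udp(5000, 5001)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + n, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    frames = list(read_pcap(build_sample_pcap()))
    for i, label in enumerate(classify(frames)):
        print(i, label)
    print("dns ->", display_filter(frames, "dns"))
```

Run it as is to see the five labels and the filter result; point `read_pcap` at the bytes of a real tcpdump capture to label your own trace.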


Elsewhere, check out my other post about Metasploit.

Pentester Candidate Program – June 2018


On the 4th of June 2018, InfoSec Addicts will launch the Pentester Candidate Program. This program is designed to satisfy the basic requirements of a penetration tester and will cover the most common technical and soft-skill requirements. Top candidates will later receive job interviews for a remote penetration testing job, through partnerships with several penetration testing firms.

Top candidates may receive interview opportunities for a cleared penetration testing position. This is more so for those with a US Security Clearance and who live in either the DC, Maryland or Virginia areas.

This is the real chance more so for those who REALLY want to become pentesters. It is the perfect combination of hands-on training, mentorship, and a real job opportunity.


What is covered in the pentester program?

This program is hard, though rewarding. It will cover the following subject areas:

  • Command-Line Kung Fu
    • Linux Command-Line Fundamentals
    • Windows Command-Line Fundamentals
  • Network & Web App Penetration Testing
    • Scoping a penetration test
    • Performing a Penetration Test
    • Reporting penetration test findings
  • Ultimate Hacklab
    • Developing a solid attack process for lab environments
    • Scripting for challenge lab exams
    • Exploit development
    • Privilege escalation
  • Preparing for a job as a Penetration Tester
    • Resume assistance
    • Assistance with building a portfolio based on this program
    • Mock interview
    • Interviews with up to 10 Penetration Testing firms for top candidates
    • Interviews with up to 5 DoD contractors for top cleared candidates


What is the actual class schedule?

June classes

https://infosecaddicts.com/network-pentesting-night-school/
    + 11th and 13th of June 2018 from 7pm to 9pm ($200 if purchased separately)

https://infosecaddicts.com/linux-infosec-professionals-comptia/
    + 12th and 14th of June 2018 from 7pm to 9pm ($200 if purchased separately)

https://infosecaddicts.com/burp-suite-workshop/
    + 18th and 20th of June 2018 from 7pm to 9pm ($200 if purchased separately)

https://infosecaddicts.com/ultimate-hacklab-oscp-lpt-ecppt/
    + 25th and 27th of June 2018 from 7pm to 9pm ($200 if purchased separately)


How is the pentester program delivered?

Candidates will receive a set of tasks each Monday. They are to complete the tasks by Sunday at midnight EST. The tasks include:

  • Reading
  • Watching videos
  • Lab exercises to perform

On Thursdays from 7-8pm EST, a career development class will be held (focused on resume development, portfolio development, mock interviews, and discussions with potential employers).

On Saturdays from 4-6pm EST, a live online training session/QA period will be held.


What are the prerequisites for the pentester program?

This program is more about desire. More so, it is about work ethic and the ability to work in a team environment. Although technical ability is important, it is not the most required attribute. That being said, candidates should have:

  • Familiarity with Windows, Linux, and VMware
  • Familiarity with basic programming concepts
  • Ability to commit 8-12 hours per week to the program

What do you receive?

  • Access to the training program
  • Weekly group mentoring sessions with Joe McCray
  • Monthly chances to speak with hiring managers and team leads. These are managers from security consulting firms. This will happen for each month of the program
  • Log book of all of your labs. This is a technical walk-through document demonstrating your proficiency to companies you interview with
  • A letter of reference from Joe McCray
  • Top candidates are guaranteed interviews with consulting firms and DoD contracting companies.

Candidates will have a chance to take ANY and AS MANY classes that they want from InfoSec Addicts. This will come as part of this program. Most notably, as many as 20 classes are held per month.

This program will run for 1 month only. It will run for the entire month of June 2018. Interviews for top candidates will occur later in the month of June 2018.

Please fill out the form below to sign up for this program.

$200.00


PowerShell For InfoSec Professionals


The simple fact is that if you are going to be attacking or defending modern environments with newer operating systems (Windows 10, Server 2016), you need PowerShell!

There is no getting around it, and the sooner you drink the PowerShell Koolaid the better InfoSec professional you will be.


What will we be doing you ask – check this out:


Fundamentals:

  • Simple programming fundamentals
  • Cmdlets
  • Variables
  • WMI Objects


Security tasks with Powershell:

  • PowerShell Tool Development
  • PCAP Parsing and Sniffing
  • Malware Analysis


Pentesting tasks:

  • Ping Sweeping
  • Port Scanning
  • Enumerating Hosts/Networks
  • Download & Execute
  • Parsing Nmap scans
  • Parsing Nessus scan


Tool development:

  • Programming logic for security tasks
  • Tool structure
  • …and, of course, integrating with Metasploit and other security tools

Students will receive

  • 20 hours of CPEs
  • Courseware slides
  • Lab Manual

Class Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.


Support

Each student will receive access to an InfoSec Addicts Group for the class. Groups are where students can ask questions outside of the regular class hours, work with other students on lab exercises, homework, and challenges.

A class mentor is assigned to the InfoSec Addicts Group to answer questions (allow one day for responses).

Similarly, a Customer Relationship Manager is assigned to the class to manage questions and support issues.


Class Schedule

18th and 20th of June 2018 from 7pm to 9pm EST

Fill out this form below to sign up for the class.

$200.00

Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:

https://infosecaddicts.com/unlimited-classes/


NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

CYBERWAR: Advanced Offensive Cyber Operations


I’m writing this post to let you know that the new night class version of the CyberWar: Advanced Offensive Cyber Operations course is ready to go. I’d love it if you’d sign up for this class; it is one superb class! Here is the CyberWar: Advanced Offensive Cyber Operations course outline.

  • Advanced Scanning & Enumeration
    • Attack Methodology
    • Identifying vulnerabilities
    • Using NMap NSE scripts
    • Writing your own NMap NSE scripts
  • Advanced Metasploit
    • Auxiliary modules
    • Post modules
    • Writing your own Auxiliary modules
    • Writing your own Post modules
  • Attacking Web Apps & Databases
    • Attacking Web Apps (ASPX, and PHP)
    • Web App – Tricky SQL Injections
    • Dealing with Web Application Firewalls
    • Attacking Big Data Solutions

Final Mission:

Students will attack the servers in the lab environment. These servers are much harder to penetrate than standard servers in a typical production environment, and their vulnerabilities are (on purpose) difficult to exploit; this particular class is designed around several complex targets to help students prepare for the OSCP exam’s network challenge.

Lab Network Access

Strategic Security now has a penetration tester’s target practice lab environment. Targets in the lab network will change on the 1st of every month. Students have the option to purchase 1 or 3 months of access to the lab environment.

Students will receive

  • 30 hours of CPEs
  • Several virtual machines
  • Courseware slides
  • Lab Manual
  • Lab access

Class Videos

Students will receive all class recordings via their emails. This will help them keep up with the class even if they have to miss time or even a whole day.

Support

Each student will have access to an InfoSec Addicts Group (infosecaddicts.com) for the class. Groups are where students can ask questions outside of the regular class hours. Additionally, this is where they can work with other students on lab exercises, homework, and challenges. A Strategic Security class mentor will be assigned to the InfoSec Addicts Group to answer questions (allow one day for responses). Likewise, a Customer Relationship Manager will get assigned to the class to manage questions and support issues.

Class Schedule

4th and 6th of June 2018 from 7pm to 9pm EST


Class Cost

The class cost is $200 with 1 month of lab access.


Register to attend the class:

Fill out this form to sign up for the class.

$200.00

Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:

https://infosecaddicts.com/unlimited-classes/


NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

Ultimate Hacklab – Self Paced (SP)

Ultimate hacklab – Self Paced (SP) – prep for hacking challenge lab exams like OSCP, LPT, eCPPT, and soon even the new CEH is going to be a hacking challenge lab as well.

If you really want to know what it takes to pass hack lab challenge-based exams like OSCP, LPT, eCPPT then ultimate hacklab is for you and it’s only $50.

The InfoSec Addicts Ultimate hacklab – Self Paced (SP) – is the best way for you to practice the skills required for almost any hands-on, lab-based penetration testing/ethical hacking certification.

The Ultimate hacklab – Self Paced (SP) – gives you the opportunity to follow along with a structured and very detailed training program, and/or make your way through the labs and just ask for help whenever you get stuck. You can run almost any tool and try almost any attack in the environment. The class is self-paced. You can sign up ANYTIME, and start IMMEDIATELY.

The program outlines how to create your own lab environment or you can connect to the InfoSec Addicts lab environment with almost any platform (Windows, Mac OS X, Kali Linux, other Linux distros) to go through the lab exercises.

Class syllabus:

  • Module 1: Connecting via VPN to the lab network
    • Connecting to the VPN with Windows
    • Connecting to the VPN with Mac OS X
    • Connecting to the VPN with Linux
    • Connecting to the VPN with Kali
  • Module 2: Scanning
    • Nmap
    • Netdiscover
  • Module 3: Enumeration
    • nmap NSE
    • rpcinfo/showmount
    • nbtstat
    • enum4linux
  • Module 4: Brute-forcing
    • Hydra
    • Medusa
  • Module 5: Vulnerability Scanning
    • Nessus
    • OpenVAS
  • Module 6: Attacking web servers/web apps
    • Manual XSS/SQL Injection/LFI/RFI
    • Nikto
    • Dirbuster
    • Burp Suite
    • w3af
    • Arachni
  • Module 7: Compiling/Modifying Exploit code
    • Compiling code in Windows
    • Compiling code in Linux
    • Finding offsets
    • Changing out shellcode
  • Module 8: Client-Side Exploitation
    • Metasploit
    • Social Engineering Toolkit
  • Module 9: Transferring files
    • FTP
    • TFTP
    • VBscript
    • debug.exe
    • wget/linux/bitsadmin
    • PowerShell
  • Module 10: Privilege Escalation
    • Linux
      • SUID binaries
      • Shell escapes
    • Windows
      • Identifying vulnerable services/misconfigurations
      • beR00t.exe
  • Module 11: Data-mining a compromised host
  • Module 12: Hashcracking
  • Module 13: Pivoting
    • Netcat/Socat pivot
    • SSH Pivot
    • Metasploit pivot
  • Module 14: Lateral movement
    • psexec
    • smbexec
    • winexe
  • Module 15: Data Exfiltration
    • ICMP Tunneling
    • DNS Tunneling
  • Module 16: Reporting


Lab Network Access

Targets in the lab network will change on the 1st of every month. Students have the option to purchase 3 months access to the lab environment.


Students will receive:

  • Up to 124 hours of CPEs (24 CPE for the actual training and the rest come from labs and challenges completed by the students)
  • Several virtual machines
  • Courseware access
  • Lab Manual
  • Lab access


Class Videos

Each course module has a corresponding video that demonstrates the task being performed. So you can see each individual lesson’s skill or task that is being described actually being performed.

Support

Each student will have access to an InfoSec Addicts Group (infosecaddicts.com) for the class. Additionally, this is where they can work with other students on lab exercises, homework, and challenges. An InfoSec Addicts class mentor will be assigned to the group to answer questions (allow one day for responses). Likewise, a Customer Relationship Manager will get assigned to the class to manage questions and support issues.


Class Schedule

The class is self-paced. You can sign-up ANYTIME, and start IMMEDIATELY.

Fill out this form below to sign up for the class.

$50.00

Was sick, my mother passed away, but now I’m back on track

I want to thank all of you well-wishers. The last few months have been crazy for me. I’ve been in and out of the hospital several times, my mother passed away a few days ago, and my birthday was on the day I buried my mother (Mother’s Day).

My mother was very sick so honestly her passing was a painful but good thing as her suffering is finally over. My family got together and had a celebration of her life instead of a funeral.


So again to all of you thank you.

My medical issues are under control now, and we’ve dealt with my mother’s passing so I’m back to work next week.

I’ll be teaching Advanced Metasploit, and Python as night classes so I decided to bundle them for $100 (they are usually $100 each).

Click here to register for this class bundle for only $100

https://infosecaddicts.com/next-level-metasploit/
Next-Level Metasploit 21st and 23rd of May 2018
– Mon, May 21, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 23, 2018 7:00 PM – 9:00 PM EDT


This is an advanced Metasploit course that will focus on the fundamentals of Ruby (specifically for Metasploit), Metasploit automation, and writing auxiliary modules and exploits for Metasploit.

https://infosecaddicts.com/python-infosec-professionals/
Python for InfoSec Professionals 28th and 30th of May 2018
– Mon, May 28, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 30, 2018 7:00 PM – 9:00 PM EDT


This is a Python for security professionals course. In this course I’ll be covering both log and pcap analysis with Python, as well as network/web app testing with Python.

This course is really designed for people that are NOT very comfortable with programming.


Class Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

Support

Each student will receive access to an InfoSec Addicts Group (infosecaddicts.com) for the class. Groups are where students can ask questions outside of the regular class hours, work with other students on lab exercises, homework, and challenges.

A class mentor is assigned to the InfoSec Addicts Group to answer questions (allow one day for responses).

Similarly, a Customer Relationship Manager is assigned to the class to manage questions and support issues.


Class Schedules

Next-Level Metasploit 21st and 23rd of May 2018

– Mon, May 21, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 23, 2018 7:00 PM – 9:00 PM EDT

Python for InfoSec Professionals 28th and 30th of May 2018

– Mon, May 28, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 30, 2018 7:00 PM – 9:00 PM EDT


Click here to register for this class bundle for only $100


Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:

https://infosecaddicts.com/unlimited-classes/


NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

Ultimate Defensive Cyber Bundle – log analysis, malware analysis, and packet analysis

There is just no getting around it. If you really want to be able to protect today’s networks you’ve gotta be a defensive cyber analysis guru. That means you’ve got to know log analysis, malware analysis, and packet analysis.

Don’t worry buddy – I’ve got EXACTLY what you need. It’s a 3-day course that is 100% hands-on. That means….

ABSOLUTELY NO DEATH BY POWERPOINT!!!!!

This class is all labs, real logs, and live malware.

All you need is a Linux virtual machine for this class. You can use Kali Linux, or any modern Linux distribution or you can download my Linux virtual machine from here:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts

If you are worried that you aren’t strong enough in Linux and you want to prepare for this class, you can watch and do the following videos before the start of the class on Monday:
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGCkg2uj3PxUWhMDuTw3VKjM

Students will receive

  • 40 hours of CPEs (certificate of completion upon sending in class homework)
  • Linux virtual machines
  • Lab manual

Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time, or even a whole day.

Support

Students can request help via email based trouble ticketing system (allow 24 hours for a response). Just send an email to [email protected] with any issues or concerns that you may have.

Schedule

  • Monday 9th April (6:00 pm EST – 10:00 pm EST)
  • Wednesday 11th April (6:00 pm EST – 10:00 pm EST)

Course Cost

This course bundle costs $100 for access.

Low level of interaction honeypots


Honeypots could be categorized according to the level of interaction with the system into three main categories: low level of interaction, medium level of interaction, and high level of interaction. I will discuss the low level of interaction honeypots in this article.


With this type of honeypot it is not possible to collect as much data as with the other types, from which far more data can be gathered. The advantages of this type of honeypot are summarized in the following points:

  • They have very limited interaction with the system, so there is no high risk arising from an attacker dealing with this type of honeypot. To illustrate, there is no operating system in place that an attacker can interact with.
  • The main use of this type of honeypot is that any traffic coming into the network can be easily identified and captured. New viruses and worms are identifiable by such honeypots as well.
  • Configuring and installing this type of honeypot in the network is a simple task, and understanding and managing them from the organization’s perspective is equally easy.
  • The most used honeypot in this category is Honeyd, which is considered a really important low-interaction honeypot. Its latest stable version is 1.5c, released back in 2007. I will talk about Honeyd in more detail, including how to use it in practice and modern approaches to using it, in another article to be published soon. So stay tuned! 😊

In a nutshell, this type of honeypot exposes only one or a few simple services for the attacker to interact with. All communication attempts with those services, such as an emulated web or SSH server, are logged and investigated afterwards. These honeypots are simple daemons that let a network administrator passively monitor attempts to attack the system. The host operating system itself is not exposed to the attacker, so it offers no vulnerabilities that could be exploited through the honeypot, which makes such honeypots safe and secure from the organization’s point of view. On the other hand, they cannot be used to simulate a complex environment where real interaction is a must, such as a Simple Mail Transfer Protocol (SMTP) server.
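The “simple daemon that logs every attempt” described above, as an added Python example that is neither Honeyd nor code from this article: it listens on one TCP port, answers with a plausible SSH banner, records the peer address and the first bytes the peer sends, and closes the connection. Nothing else is reachable. The banner string and the `probe` client are constructed here to exercise the decoy on loopback; in a deployment you would bind the real port and write `log` to durable storage.

```python
"""Minimal low-interaction honeypot: one emulated service on one TCP port.
Added example, not Honeyd and not the article's code. It replies with a banner,
logs who connected and what they sent first, and closes. No shell, file system
or real OS service is ever reachable, which is the low-interaction trade-off."""
import socket
import threading
from dataclasses import dataclass
from typing import List, Tuple

# Constructed banner: choose one consistent with the OS the decoy pretends to be.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


@dataclass
class Attempt:
    """One logged connection: who connected and what they sent first."""
    peer: str
    first_bytes: bytes


class LowInteractionHoneypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = BANNER) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS choose a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.banner = banner
        self.log: List[Attempt] = []          # what the administrator investigates later
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def port(self) -> int:
        return self.sock.getsockname()[1]

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    # Answer instead of silently dropping: an "open" port that
                    # never replies is the giveaway the article warns about.
                    conn.sendall(self.banner)
                    data = conn.recv(256)
                except (socket.timeout, OSError):
                    data = b""
                self.log.append(Attempt(peer=f"{addr[0]}:{addr[1]}", first_bytes=data))


def probe(host: str, port: int, hello: bytes = b"SSH-2.0-TestClient\r\n") -> bytes:
    """Perform an SSH client's first round trip; used only to exercise the decoy locally."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(hello)
    return banner


def run_demo() -> Tuple[bytes, List[Attempt]]:
    """Start the decoy on loopback, connect once, stop it, return banner and log."""
    hp = LowInteractionHoneypot()
    hp.start()
    try:
        banner = probe("127.0.0.1", hp.port)
    finally:
        hp.stop()                             # join() guarantees the log is complete
    return banner, list(hp.log)


if __name__ == "__main__":
    seen, attempts = run_demo()
    print("banner:", seen)
    for a in attempts:
        print("attempt from", a.peer, "sent", a.first_bytes)
```

The design choice worth noting is the `recv(256)` followed by an unconditional close: the decoy collects just enough to characterise the attempt (a client version string, a scanner’s probe) and never reaches the key exchange, so there is no protocol state an attacker could push into the host.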

Security risks of using the low level of interaction honeypots?


When dealing with low-interaction honeypots like Honeyd, there are some security risks. They mainly lie in the fact that it is really simple to find out that a Honeyd instance is a trap. Honeyd is easy to detect even when we have not customized its configuration, because it drops connections once it can no longer handle them; even when the SYN packet is not well formed, the connection simply gets terminated.

This information can help an attacker find out that the targeted system is not a real one but a honeypot. When an attacker inspects the system’s connections, he will discover that he has fallen into a trap rather than onto a real system. Things are very clear in this case: dropped connections are easily noticed by the monitoring tools an attacker uses, and they give away the fakeness of such honeypot systems.

Low-interaction honeypots have their services emulated on top of an operating system, but they are not real services. This very basic fact is valuable to an attacker who wants to conclude that a site is fake. Complicated services cannot be handled by low-interaction honeypots either, so seeing through the system this way becomes easy: all an attacker needs to do is gather information across the network, because with low-interaction honeypots it is only the network stack that we are dealing with.

Another major problem of low-interaction honeypots is that they depend on the resources of the system they are deployed on. When those resources are taken away, the notable result is latency. This can be checked with a ping test: responses arrive much later than before the system’s resources were removed, and the system will hardly reply to our ping at all. This can indicate that the attacker is dealing with Honeyd or Nepenthes. We can even use these same approaches ourselves to check what the honeypot we have just deployed looks like.

Leaving the deployed low-interaction honeypot open for several days in a row is also a good way to reach some important conclusions. The requests received by our honeypot should be handled with great care so that any responses from our system are believable and make sense to the attacker. The responses should fool the attacker to the point that they believe it is an actual running system. Nevertheless, with low-interaction honeypots, an SSH server appears to be up and running while no replies are generated when talking to port 22. This trivially indicates that the system is not a real one, because its responses are not appropriate, which makes the system insecure in the first place.
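The checks described above can be turned on our own freshly deployed honeypot. The following Python script is an added example (not code from the article or from Honeyd): it times TCP connects against an assumed baseline and checks whether port 22 sends an SSH banner; the host name, ports, thresholds and baseline figure are assumptions.

```python
"""Self-check for a freshly deployed low-interaction honeypot.

Added example, not code from the original article. It measures the tells
the article describes: connections that are dropped or answered late, and
an SSH port that accepts a TCP connection but never sends a banner.
Host names, thresholds and the baseline figure are assumptions."""
import socket
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProbeResult:
    port: int
    connected: bool
    latency_ms: Optional[float]  # TCP connect time; None if the connect failed
    banner: Optional[str]        # first line the service sent; None if silent


def probe(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Open one TCP connection, time the handshake and read any greeting."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            latency = (time.monotonic() - start) * 1000.0
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""  # the service accepted us but said nothing
            first = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
            return ProbeResult(port, True, latency, first or None)
    except OSError:
        return ProbeResult(port, False, None, None)


def assess(result: ProbeResult, baseline_ms: float,
           slow_factor: float = 5.0) -> List[str]:
    """Return the giveaways an attacker's monitoring tools would also notice.

    baseline_ms is the connect latency measured to a comparable real host
    (an assumed figure here); a honeypot starved of resources answers far
    later, which is what the article's ping test exposes."""
    findings = []
    if not result.connected:
        findings.append(f"port {result.port}: connection dropped")
        return findings
    if result.latency_ms > baseline_ms * slow_factor:
        findings.append(f"port {result.port}: latency {result.latency_ms:.0f} ms "
                        f"exceeds {slow_factor:g}x the {baseline_ms:.0f} ms baseline")
    if result.port == 22:
        # A real SSH server speaks first with an identification string
        # (RFC 4253, "SSH-2.0-..."); silence on port 22 is the tell the
        # article describes.
        if result.banner is None:
            findings.append("port 22: open but no SSH banner was sent")
        elif not result.banner.startswith("SSH-"):
            findings.append("port 22: greeting is not an SSH version string")
    return findings


def self_check(host: str, ports, baseline_ms: float) -> dict:
    """Probe each port of our own honeypot and collect the findings per port."""
    return {port: assess(probe(host, port), baseline_ms) for port in ports}


if __name__ == "__main__":
    # "honeypot.lab.example" is a placeholder for the honeypot we deployed.
    for port, tells in self_check("honeypot.lab.example", [22, 80, 443], 2.0).items():
        print(port, "looks fine" if not tells else "; ".join(tells))
```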


Resources:

http://www.diva-portal.org/smash/get/diva2:327476/fulltext01

https://www2.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic12-final/report.pdf


What are the levels of interactions in honeypots?

Honeypots can be categorized according to their aims, such as prevention, detection, and of course response. In addition, we can categorize them according to their level of interaction with the real systems. This level determines how intensively an attacker can interact with the systems of an organization's network. To elaborate, a honeypot with a high level of interaction lets the attacker interact much more deeply with the system, as opposed to a low level of interaction, where the attacker does not interact with the real systems in any critical way. If we need to collect much larger amounts of data, then a high level of interaction is recommended. On the other hand, this comes with risks that make high-interaction honeypots really dangerous parts of the network, which is of course an undesirable feature that we need to eliminate. In general, we have three categories of interaction level: low interaction, medium interaction, and high interaction.

The most common classification is based on the level of interaction the honeypot offers to the malicious user. The more interactive the environment presented, the closer the honeypot is to the actual targets of an attack, which translates into potentially more accurate information. The downside is that more realistic honeypots are harder to configure and set up.


An organization should decide which level of interaction among the honeypots configured inside its network works best for its purposes and goals. I will explain the three levels in detail in the following three points and advise when each level is useful and when it should be avoided.

  1. Low level of interaction:

An example is Honeyd. I discussed it in another article titled “low level of interaction honeypots.”

  2. Medium level of interaction honeypots:

This is a more advanced type of honeypot, where more information can be obtained when it is used. Although these honeypots still do not contain an operating system that could simply be exploited, there is a bigger chance that attacks could get through the system with this sort of honeypot. The problem arises from the fact that there are many more security holes through which an attacker could get into the system and exploit it. In this case, much more information can be obtained, including the more complicated attacks from hackers. The following honeypots exemplify the medium level of interaction honeypots that are widely in use nowadays: Mwcollect, honeytrap, and Nepenthes. I will also discuss some of these honeypots in another article and implement them in practice.

To summarize, medium-interaction honeypots are used to present a collection of emulated software so that an attacker becomes more convinced that he is on the actual system when he has in fact only accessed a honeypot. In this case, the host operating system is still shielded. Nevertheless, obtaining the collection of emulated software we want for the honeypot is not a simple task at all, because the responses of the emulated software should be almost identical to the responses of the real programs. At the same time, we of course must not introduce any real security issues into these programs; otherwise, there is a real danger. Finally, the possibility of compromising the system does exist here, with a higher probability. This is basically because the vulnerable points left for the attackers are considerable, and an attacker can exploit a hole in the actual system to perform his malicious activity.
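As an added example (not code from the article or from Mwcollect, honeytrap or Nepenthes), the following Python service emulates only the first step of SSH, the identification exchange of RFC 4253: it greets exactly as a real server would, logs what the client identifies itself as, and then disconnects, so no real SSH implementation is exposed and the host operating system stays shielded. The banner string, bind address and port are assumptions.

```python
"""Minimal emulated SSH greeting service with logging.

Added example, not code from the original article or from any of the
honeypots it names. It answers the way a real program would (the SSH
identification exchange from RFC 4253) and stops there: no key exchange
and no shell, so there is no real SSH implementation for an attacker to
exploit on this host. Banner text, bind address and port are assumptions."""
import datetime
import socket
import threading
from typing import Dict, List

# Constructed greeting that mimics what a real OpenSSH server sends first.
SERVER_ID = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"


def handle_client(conn: socket.socket, peer, log: List[Dict]) -> Dict:
    """Send our identification, record the client's, then hang up."""
    conn.settimeout(5.0)
    data = b""
    try:
        conn.sendall(SERVER_ID)
        data = conn.recv(255)  # RFC 4253 caps the identification line at 255 bytes
    except OSError:
        pass  # timeout, reset or a peer that closed without identifying itself
    finally:
        conn.close()
    client_id = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    entry = {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "peer": f"{peer[0]}:{peer[1]}",
        "client_id": client_id,
        # An empty or non-SSH identification is itself useful information:
        # scanners and banner grabbers often disconnect without identifying.
        "speaks_ssh": client_id.startswith("SSH-"),
    }
    log.append(entry)
    return entry


def serve(bind: str, port: int, log: List[Dict], max_clients: int) -> None:
    """Accept max_clients connections, handling each on its own thread."""
    workers = []
    with socket.create_server((bind, port)) as srv:
        for _ in range(max_clients):
            conn, peer = srv.accept()
            t = threading.Thread(target=handle_client, args=(conn, peer, log))
            t.start()
            workers.append(t)
    for t in workers:
        t.join()


if __name__ == "__main__":
    # Assumed: an unprivileged port so the example runs without root.
    events: List[Dict] = []
    serve("127.0.0.1", 2222, events, max_clients=3)
    for event in events:
        print(event)
```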

  3. High level of interaction honeypots:


This type of honeypot is considered the most advanced type of honeypot in general. First of all, these honeypots contain an operating system. What does this imply? We can infer that an attacker can potentially do anything on such an advanced honeypot system. However, in this case, an organization is able to get far more data about the attack's type, source, and nature.

This type of honeypot places no restrictions on the user: he can perform whatever tasks and actions he desires. This is where the real danger of using such honeypots inside an organization comes from. They are also very time-consuming honeypots to configure and implement. Moreover, it is much more difficult to maintain this type of honeypot for a long time. The most common name in this category is Honeywall, a very important high-interaction honeypot. I will also come back to it in another article and see how it can be configured in practice.

So, as I just mentioned, this type of honeypot uses actual instances of programs, not merely emulations of them. An administrator has to choose this type of honeypot if he needs to grant an attacker root access to the machine and analyze how he reacts and what actions he wishes to take. The risk of implementing this type of honeypot is high. It is, in fact, the riskiest type of honeypot, yet it gives an administrator the greatest potential for collecting data about the attack and the attacker. Supervision of such honeypots is a must, since they could become a zombie or a jumping-off point for more attacks on the systems inside the network.



Ultimate hacklab – prep for hacking challenge lab exams like OSCP, LPT, eCPPT

Ultimate hacklab – prep for hacking challenge lab exams like OSCP, LPT, eCPPT, and soon even the new CEH is going to be a hacking challenge lab as well.

If you really want to know what it takes to pass hack lab challenge-based exams like OSCP, LPT, eCPPT then ultimate hacklab is for you.

The InfoSec Addicts ultimate hacklab is the best way for you to practice the skills required for almost any hands-on, lab-based penetration testing/ethical hacking certification.

The ultimate hacklab gives you the opportunity to follow along with a structured and very detailed training program, and/or make your way through the labs and just ask for help whenever you get stuck. You can run almost any tool and try almost any attack in the environment.

You can connect to the lab environment with almost any platform (Windows, Mac OS X, Kali Linux, other Linux distros).

Class syllabus:

  • Module 1: Connecting via VPN to the lab network
    • Connecting to the VPN with Windows
    • Connecting to the VPN with Mac OS X
    • Connecting to the VPN with Linux
    • Connecting to the VPN with Kali
  • Module 2: Scanning
    • Nmap
    • Netdiscover
  • Module 3: Enumeration
    • nmap NSE
    • rpcinfo/showmount
    • nbtstat
    • enum4linux
  • Module 4: Brute-forcing
    • Hydra
    • Medusa
  • Module 5: Vulnerability Scanning
    • Nessus
    • OpenVAS
  • Module 6: Attacking web servers/web apps
    • Manual XSS/SQL Injection/LFI/RFI
    • Nikto
    • DirBuster
    • Burp Suite
    • w3af
    • Arachni
  • Module 7: Compiling/Modifying Exploit code
    • Compiling code in Windows
    • Compiling code in Linux
    • Finding offsets
    • Changing out shellcode
  • Module 8: Client-Side Exploitation
    • Metasploit
    • Social Engineering Toolkit
  • Module 9: Transferring files
    • FTP
    • TFTP
    • VBscript
    • Debug.exe
    • wget/linux/bitsadmin
    • PowerShell
  • Module 10: Privilege Escalation
    • Linux
      • SUID binaries
      • Shell escapes
    • Windows
      • Identifying vulnerable services/misconfigurations
      • beR00t.exe
  • Module 11: Data-mining a compromised host
  • Module 12: Hashcracking
  • Module 13: Pivoting
    • Netcat/Socat pivot
    • SSH Pivot
    • Metasploit pivot
  • Module 14: Lateral movement
    • psexec
    • smbexec
    • winexe
  • Module 15: Data Exfiltration
    • ICMP Tunneling
    • DNS Tunneling
  • Module 16: Reporting


Lab Network Access

Targets in the lab network will change on the 1st of every month. Students have the option to purchase 3 months access to the lab environment.


Training Sessions and Final Mission:

Students will attack the servers and workstations in a different lab environment than the April training environment. These servers are much harder to penetrate than standard servers in the typical production environment. Similarly, these vulnerabilities are difficult to exploit (on purpose).


Students will receive

  • Up to 40 hours of CPEs (6 CPE for the actual training and the rest come from labs and challenges completed by the students)
  • Several virtual machines
  • Courseware slides
  • Lab Manual
  • Lab access


Class Videos

Students will receive all class recordings via their emails. This will help them keep up with the class even if they have to miss time or even a whole day.

Support

Each student will have access to an InfoSec Addicts Group (infosecaddicts.com) for the class. Groups are where students can ask questions outside of the regular class hours. Additionally, this is where they can work with other students on lab exercises, homework, and challenges. A Strategic Security class mentor will be assigned to the InfoSec Addicts Group to answer questions (allow one day for responses). Likewise, a Customer Relationship Manager will get assigned to the class to manage questions and support issues.


Class Schedule

June 25th and 27th 2018 from 7pm to 10pm EST



NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

Saturday Hackathon

To book this event, please check the event website mentioned below.

Advantages vs Disadvantages of Honeypots


Honeypots are unique because they allow a security researcher to see and record what actions a malicious user takes on a compromised computer without necessarily interfering or revealing to the attacker that they are being monitored. Because of this invisibility, valuable intelligence can be gathered about an attacker's actual strategies. A honeypot can be configured to be either proactive or reactive to attacks, depending on the needs of the person who set it up.

What are the real advantages of a honeypot?

There are several benefits a company can get from configuring a honeypot inside its system. While many solutions to security problems are available in the software market, honeypots still have unique benefits and really useful purposes. The benefits can be summarized in the following points:

  • Any attack can be easily captured using honeypots. Information about the attack type can also be recognized, so that weak points become well known to the security administrators. This can be discovered using the logs created by a honeypot. In addition, if the laws do not prohibit it, additional information about the source of the attack and the attacker can be identified using honeypot technology.
  • Administrators become practically familiar with new threats and modern attack methods. They take notice of new attacks and gain knowledge of how to defend a system against them. Many solutions become possible even before an attack infects a machine in the organization. By looking at the behavior of malicious activity in the system and examining it well, many more attacks become understandable before they take effect on the network in the first place.
  • When a honeypot captures traffic, it does not capture all of it, which would make its captures bulky and tedious to analyze and investigate. Instead, it merely takes care of the incoming malicious traffic and notifies the network administrator of it. This makes the investigation process much easier when malicious traffic must be analyzed, and in practice it makes honeypots extremely useful.
  • Because, as discussed in the previous point, only malicious traffic gets captured by a honeypot, there is no need for a huge amount of storage at all. In practice, any dedicated computer can become the honeypot system without an urgent need to buy many more resources and allocate budget to deploy honeypot technology within an organization.
  • Configuring honeypots is very easy and installing them has no complications; the underlying logic is simple. Moreover, installing a honeypot on a system does not require other software programs to be updated, installed, or modified.
  • We should know by now that any malicious activity is recognizable by a honeypot. In addition, new tools are also captured by honeypots, which helps in detecting attacks. Deploying a honeypot gives the administrator a solid idea of the various points of view from which the same problem can be looked at, to find several security solutions for it according to each perspective.

Are there any disadvantages of a honeypot?

Everything in life has advantages and disadvantages, and we have to find the balance between them before deciding whether something is worth it or not. In fact, there are some points that can be considered pitfalls of using honeypots in general. The following points give an intuition of the problems we may face when using honeypots.

  • Information is only captured when an attack is performed. If there is no attack occurring on the system, then there will be no captured data at all.
  • Malicious traffic is only collected when the attack is targeted at the honeypot machine. If the target of the attack is another machine rather than the honeypot, then we are in really big trouble: such systems will get infected by the malicious code without the honeypot notifying us of the activity in the first place.
  • Honeypots are sometimes distinguishable from the real systems in our environment. Of course, this is a big problem that must be tackled so that even experienced hackers cannot distinguish honeypot systems from real systems using fingerprinting.
  • An organization that is not careful can end up in a very unwanted situation: an attacker may take over the honeypot and exploit it as a zombie to attack other systems within the network and get them compromised, causing really big trouble for the entire organization.


What is the system configuration for using a honeypot?

First of all, let us agree that a honeypot can either work on its own or work in a group with other honeypots in the system. When there are several honeypots, we refer to this group as a honeyfarm. It may be suggested to configure a single honeypot rather than many others, because this makes the configuration and installation process much easier.

Nevertheless, it turns out that having only one honeypot is neither as effective nor as powerful as having a honeyfarm, although a honeyfarm may be hard to configure. Furthermore, a single honeypot is prone to many more unintended failures than a honeyfarm. The reason is that a honeypot on its own has no ability to load balance, and it lacks the redundancy of a group of cooperating servers.


How can we Define a Honeypot?


How can we define honeypots?

A honeypot is essentially a computer system in which there exist files and directories, just like any other usual computer system. A honeypot aims to attract an attacker into its trap so that it can investigate his actions and follow his behavior. In fact, a honeypot is not an actual system; it is a fake system. The difference between a honeypot and other security systems lies in the fact that a variety of security problems can be tackled at once using the diverse approaches available on honeypots, whereas other usual security systems tackle one particular problem through a proposed solution. One instance of this can be seen when a compromised system is investigated using a log of malicious activity; at the same time, new threats can be recognized by implementing a honeypot in a network, and hence these problems can be tackled and overcome effectively.


Honeypots are indistinguishable from the actual production servers to an outside attacker. Thus, they will not behave any differently when attacking them. However, the network security team can monitor the honeypots for recorded attacks and later analyze them. The honeypots can also help to absorb attacks directed against the real server.


What is the motivation behind a honeypot?

The honeypot idea is mainly derived from a great interest in the field of computer security. Implementing a honeypot requires that one is interested in knowing the workflow of security systems and in building solid knowledge of how a company's protection can be achieved and how security flaws in a system can be very risky for the entire system and organization. A network administrator should be ready for great work ahead when implementing a honeypot system in a network. Being aware of the system and network architecture, and of the modifications that could be applied to them, is a crucial step beforehand. The output is examined with reliable forensic tools. Meanwhile, several problems will be encountered, and the administrator has to make sure he can solve them before putting the honeypot in the system. Facing such problems beforehand is very important for the administrator: it ensures that later, although conditions may be intense, the system will be handled quickly and losses easily recovered. Therefore, good knowledge of examining security problems and of forensic information is a must.


What should be done before applying a honeypot to the real production system?

A network administrator should carry out some research when he considers applying the honeypot concept in the network. He has to be sure that the created honeypot is secured such that it has no leaks into the actual system; otherwise, it will cause a real disaster. He also has to make sure that a hacker does not know he has been trapped in a honeypot, and he has to be aware of the maximum amount of information an attacker can obtain through the honeypot implementation. It is also good to know how an attacker behaves when he knows he is in a trap: will that attacker just give up hacking and stop his actions? It is also really important for a network administrator to know where the honeypot should be deployed in the network and how much information he can get.

Laws always play a role in everything in life. Therefore, it is also advisable that a network administrator be aware of the restrictions on implementing honeypots, especially if his organization is in the European Union (EU) or the United States of America (USA). There are certain rules and regulations that govern the process of obtaining information about an attacker or tracking him back. Therefore, a network administrator should abide by these rules by not fully tracking the attacker, and at the same time he should respect the laws in every single way.

What is the description of our problem?

When we build a good honeypot, we expect to attract several attackers into the fake system and let them take control over the intentional flaws left in it. When we trace the hacker, it is not guaranteed that we will be the ones in control. Thus, we do not know that much about the security of a honeypot. We are not sure whether the attacker in fact knows that it is a fake system, and we doubt whether the attacker is aware of the great importance of acquiring information about the system's flaws. We need to be very specific and certain about the actual limits an attacker has whenever he gets control over the honeypot system. It will be disappointing if the attacker can exploit the honeypot itself, seizing a flaw in it to get to the system and do whatever he wants there; the entire system will be compromised when an attacker reaches this devastating point. Another problem is that an attacker may recognize that it is a trap and then stop hacking or pretend that he is hacking. At that point, it is no longer beneficial to have the honeypot installed, and it is not useful either to investigate the system with our forensics tools. A very important aspect of using honeypots is to be sure about the answers to all these questions, to make our honeypots more secure, and to be assured that an attacker hacking the honeypot will not yield any useful data about the actual system. A good network administrator should play the role of a hacker on one occasion and of a forensic examiner on another, or do both simultaneously, of course with his own team. Very accurate results can be acquired depending on the various tools used for hacking and forensics.



What are the Types of Honeypots?


A honeypot is essentially a computer system in which there exist some files and directories, like any other usual computer system. A honeypot aims to attract an attacker into its trap so that it can investigate his actions and follow his behavior. In fact, a honeypot is not an actual system but an intentionally made fake system.

What are the types of honeypots?


Looking at the aims of honeypots and their levels of interaction, we can group them into two main types: research honeypots and production honeypots:

  1. Research honeypots:

Military, research, and government organizations mainly depend on these types of honeypots. A huge amount of data is contained in this type of honeypot. These honeypots become familiar with any new threats, and blackhat motives can easily be recognized through them. While the main benefit of research honeypots is understanding how a system could become more secure, these types of honeypots cannot give any valuable data about increasing the security of a particular organization and its vulnerabilities.

  2. Production honeypots:

These honeypots are mainly used to make an organization better protected against potential attacks. They are deployed mainly inside the organization's own production network, and their aim is to help increase the organization's overall security at the end of the day.

Through such honeypots, a limited amount of data is captured, so low-interaction honeypots are used. In this process, the behavior of an attacker is monitored very carefully with the proper forensics tools, so that any possible risks are lowered and the organization consequently becomes more secure. These honeypots are the ones mostly used in practice, yet sometimes they may represent a risk for the organization themselves.

One thing that matters about these honeypots is where and how they are implemented by network administrators. Remember that honeypots are implemented within a real network and system, and testing them usually yields several unexpected actions or problems.

Consequently, other systems inside an organization may be put in danger when these honeypots are implemented in the network. An administrator should be fully aware that other systems could possibly be misused through the honeypots. As a result, he should make sure that all other systems inside the organization are secured well enough after deploying the honeypot's features. Otherwise, the entire organization will eventually face a great problem.

How to categorize honeypots according to the type of data collection?

There is, in fact, a way to classify honeypots depending mainly on the type of data collected by the honeypot about a certain attack. A honeypot can be set up to detect and record one or more types of data: events (things that happen and change something in the honeypot), attacks (attempts by a malicious user to exploit a vulnerability), and intrusions (successful attacks that penetrate the honeypot). There is no judgment as to how important one type of data is over another. However, most honeypots can display some information from each of the data categories mentioned earlier. In fact, all of these categories are really important for a security administrator to understand an attack and know the vulnerabilities of a system.


Is the usage of honeypots considered legal or not?

There are some legal issues one should be fully aware of when deploying a honeypot inside an organization's network. Such legal issues vary according to the governing rules and the country in which the honeypot is to be deployed and configured. The regulations determine many different aspects, but mainly they care about three: the security of the data, data collection, and the way in which honeypots are used in an organization.

These diverse laws rely heavily on the quality of the data captured by a honeypot and on the person who is implementing and deploying the honeypot inside the network in the first place. The main issue in legalizing the use of honeypots lies in the type of collected data and its content. This makes it harder to determine whether using honeypots is legal, because legality depends mainly on what the data is intended to be used for after it is collected. This leaves us with several steps that one should carefully consider when deploying a honeypot inside the network.

A lot of questions should be asked during the experiment as well. Things are no different when using a honeypot for a company or at home, yet for a company there are several other responsibilities that a network administrator should consider and take great care of. A network administrator is responsible for both the country's laws and, next, the company's rules.

It is a must to abide by these laws to remain in legal status. While some companies allow experimenting with almost everything inside the company, many others put several restrictions on such experiments. By the time a honeypot is deployed, one has to be sure about the answers regarding the legality of honeypots inside the company and the country as well, and ask those responsible to make sure that what he is doing does not violate the current rules set by either the country or, of course, the company. In this regard, there are in fact three main legal issues to consider when using honeypots: privacy, entrapment, and civil liability.



FREE Introduction to Burp Suite webinar


In this FREE webinar, Joe McCray will cover the basics of Burp Suite, and how to perform common web app penetration testing tasks with it. This webinar is designed for people with little to no web app penetration testing experience.

This webinar will be held on the 1st of March, 2018 1:00 PM – 2:00 PM EST

Click the link below to sign up for this webinar:

https://attendee.gotowebinar.com/register/2243147045145300994


Phases and Usages of a Honeypot

How can we define honeypots?

A honeypot is essentially a computer system in which there exist some files and directories, like any other usual computer system. A honeypot aims to attract an attacker into its trap so that it can investigate his actions and follow his behavior. In fact, a honeypot is not an actual system; it is an intentionally made fake system. The difference between a honeypot and other security systems lies in the fact that a variety of security problems can be tackled at once using the diverse approaches that honeypots offer.

On the contrary, other usual security systems tackle one particular problem through a proposed solution. One instance of this can be seen when a compromised system is investigated using a log of malicious activity. At the same time, new threats can be recognized by implementing a honeypot in a network, and hence these problems can be tackled and overcome effectively.

To an outside attacker, the honeypots are indistinguishable from the actual production servers. Thus, the servers will not behave any differently when attacking them. However, the network security team can monitor the honeypots for recorded attacks and later analyze them. The honeypots can also help to absorb attacks directed against the real server.


What is the motivation behind a honeypot?

The honeypot idea is mainly derived from a great interest in the field of computer security as a whole. The implementation of a honeypot requires that one is interested to know the workflow of security systems and to build a solid knowledge of how the protection of a company could be achieved and how security flaws in a system may be very risky for the entire system and organization. A network administrator shall be ready for a great work ahead of him while implementing the honeypot system in a network. Being aware of the system and network architecture and the modifications that could be applied to them is a very crucial step beforehand.

The honeypot's output must be examined with reliable forensic tools. Along the way, several problems will be encountered, and the administrator has to be sure he can solve them before putting the honeypot into the system. Rehearsing such problems before they occur for real is very valuable: when a real incident arrives, however intense the conditions, the system can be handled quickly and losses recovered easily. Good knowledge of both security-problem analysis and forensics is therefore a must.


What should be done before applying a honeypot to the real production system?

In fact, the network administrator has to carry out some research as soon as he considers applying the honeypot concept in the network. He has to be sure that the honeypot is secured such that it has no leaks into the actual system; otherwise, it will cause a real disaster. At the same time, he has to make sure that the attacker has no way of knowing he is trapped in a honeypot.

He also has to be aware of the maximum amount of information an attacker can obtain through the honeypot implementation. It is also good to know how an attacker behaves once he realizes he is in a trap: will he simply give up and stop his actions? Finally, the administrator must know where in the network the honeypot should be deployed and how much information he can gather from that position.

Laws play a role in everything, and honeypots are no exception. A network administrator should therefore be aware of the restrictions that apply to implementing honeypots, especially if his organization is in the European Union (EU) or the United States of America (USA). Certain rules and regulations govern how information about an attacker may be obtained and whether he may be tracked back. The administrator should abide by these rules, refrain from fully tracking the attacker, and respect the law in every way.


What is the description of our problem?

When we build a good honeypot, we expect to attract several attackers into the fake system and let them take control over the flaws intentionally left there. When we trace the attacker, it is not guaranteed that we are the ones in control. Thus, we do not know much about the security of the honeypot itself, and we cannot be sure whether the attacker already knows it is a fake system.

Additionally, we cannot tell whether the attacker appreciates how valuable the information about the system's flaws is. We need to be very specific and certain about the actual limits an attacker has once he gains control of the honeypot system. It would be disappointing if the attacker could exploit the honeypot itself, seizing a flaw in it to reach the real system and do whatever he wants there.

The entire system will be compromised once an attacker reaches this devastating point. A further problem is that an attacker may recognize that it is a trap and then stop hacking, or merely pretend to continue. From then on, the installed honeypot is no longer beneficial, and using our forensic tools to investigate the system is no longer useful either.

A very important aspect of using honeypots is therefore to have firm answers to all these questions, to make our honeypots more secure, and to be assured that an attacker who compromises the honeypot gains no useful data about the actual system. A good network administrator should play the role of the attacker on one occasion and of the forensic examiner on another, or both at once together with his own team. Relying on a range of tools for both offensive testing and forensics can then yield very accurate results.

