Author Topic: Detect Honeypot or IDS on the target. (Read 1112 times)

hack3rcon · « **on:** June 22, 2015, 01:37:27 pm »

Hello.
Is it possible to find Honeypot on the target?

Tnx

P!X3LTR0N · « **Reply #1 on:** June 22, 2015, 03:13:05 pm »

Follow the bear.

nozzlechunks · « **Reply #2 on:** June 22, 2015, 03:17:31 pm »

Yep.

...

...

...

When I set up honey pots, they are usually running SSH or FTP, and they usually have default or shit credits on purpose. I do this cuz I don't give a shit about password lists or source IPs... I want to see what scripts they are running and what files they are pulling down to escalate/traverse and what their botnet infra looks like. I might even poke at their infrastructure.

Next, I give it an enticing name, like REGISTER or CONFIDENTIAL or SECRET, so the assholes might bother to manually poke around. Generally, those folks don't find shit. I've been thinking about about throwing in some macro docs to honey badger their asses, but ehhhh, lot of work, and i'm not dumb enough to poke the bear for drivebye shit.

So to summarize, if you think you've just hacked the Gibson with admin:admin, and the hostname is recognizably retarded, and you don't find shit on the endpoint (either user files or useful services running), then rest assured, I have logs that show you're dumb. Errr, I mean, you've found a honey pot.

On IDS... I haven't seen a lot of host-based IDS, just network IDS. In that case, you are not gonna' detect it, because all your network traffic is being replicated to the IDS off the beaten path... that is, IDS generally doesn't sit between you and your target. Instead, it's getting aggregate logs from everywhere. IPS is probably easier to "detect" but I'm gonna' go ahead and let you figure how how/why.

proxx · « **Reply #3 on:** June 22, 2015, 03:47:19 pm »

- Search for honeypot IP's , published lists exists

- Do a seatch query for the IP addr and see if it is listed on the webs somewhere.
- As alway's if something is too good to be true it probably is.

I ran a couple honeypots just for phun also with default creds etc.
Weird thing is that I often got a valid login from mostly asian IP addr. and hardly any actual post-login action.
This is curious and the bot(s) attacking me are probably have 1 central hosts that does the post login attempts .

I noticed that the password lists that 'they' used to attack those boxes are insanly stupid (see post).
https://evilzone.org/hacking-and-security/1-day-of-running-a-ssh-honeypot/msg90236/#msg90236

Anyway.
A nice start would be to get some out-of-the-box honey applications and fingerprint those to see if you can make a distinction.
If that works you can smack some code together that can do the fingerprinting (nmap scripting engine comes to mind.)

nozzlechunks · « **Reply #4 on:** June 22, 2015, 04:03:36 pm »

Interesting stuffs. I also had mostly Asian IPs and the worst.wordlists.evar. But I actually got a bunch of post-login activity logs lying around. I'll threadjack the shit out of this thread (I was looking for excuse to talk about honeypots) and post some of my findings once I'm done with work.

proxx · « **Reply #5 on:** June 22, 2015, 04:15:53 pm »

Quote from: nozzlechunks on June 22, 2015, 04:03:36 pm

Interesting stuffs. I also had mostly Asian IPs and the worst.wordlists.evar. But I actually got a bunch of post-login activity logs lying around. I'll threadjack the shit out of this thread (I was looking for excuse to talk about honeypots) and post some of my findings once I'm done with work.

I would rather have you using my thread for it since this is the wrong topic for such material.
Please do share these findings.

hack3rcon · « **Reply #6 on:** June 23, 2015, 09:39:45 am »

Quote from: proxx on June 22, 2015, 03:47:19 pm

- Search for honeypot IP's , published lists exists
- Do a seatch query for the IP addr and see if it is listed on the webs somewhere.
- As alway's if something is too good to be true it probably is.

I ran a couple honeypots just for phun also with default creds etc.
Weird thing is that I often got a valid login from mostly asian IP addr. and hardly any actual post-login action.
This is curious and the bot(s) attacking me are probably have 1 central hosts that does the post login attempts .

I noticed that the password lists that 'they' used to attack those boxes are insanly stupid (see post).
https://evilzone.org/hacking-and-security/1-day-of-running-a-ssh-honeypot/msg90236/#msg90236

Anyway.
A nice start would be to get some out-of-the-box honey applications and fingerprint those to see if you can make a distinction.
If that works you can smack some code together that can do the fingerprinting (nmap scripting engine comes to mind.)

Honeypot IPs exist? If I run a honeypot on my local network then....
I guess it is for global Honeypots and not for victims.

EvilZone

News:

Author Topic: Detect Honeypot or IDS on the target. (Read 1112 times)

hack3rcon

Detect Honeypot or IDS on the target.

P!X3LTR0N

Re: Detect Honeypot or IDS on the target.

nozzlechunks

Re: Detect Honeypot or IDS on the target.

proxx

Re: Detect Honeypot or IDS on the target.

nozzlechunks

Re: Detect Honeypot or IDS on the target.

proxx

Re: Detect Honeypot or IDS on the target.

hack3rcon

Re: Detect Honeypot or IDS on the target.