What are honeypots for? T-pot installation guide

The purpose of a honeypot in a DEM is to incur an attack or unauthorized investigation. Such a tool allows you to study the attacker’s strategy and determine how strikes can be delivered to real security facilities.

In 2018, Kaspersky Lab launched a system of 50 honeypots to analyze malicious attacks. In an hour, the network of traps recorded about 80 thousand infected sessions. In addition to the usual honeypots listening on specific ports, they also created a multi-port honeypot called uberpot. The idea is simple: the honeypot listens on all TCP and UDP ports, accepts connections, and logs the received data and metadata.

Advantages of highly interactive systems:

  • the idea of ​​highly interactive systems lies in the fact that only intruders will perform actions in them, thanks to which the frequency of false alarms is minimized;

  • require minimal resources;

  • have a simple principle of operation – when any activity is detected in the system, it is necessary to track what is happening and respond to these actions properly, since they are usually configured in such a way that a random user cannot get into a highly interactive system;

  • are not overloaded with traffic and do not have problems with the exhaustion of computing resources;

  • they can work with encrypted traffic or in a network operating over the IPv6 protocol, since it does not matter what information comes to the input of a highly interactive system, it will in any case be detected and recorded;

  • do not require large computing power, so almost any outdated embedded device can be used to accommodate them.

Disadvantages of highly interactive systems:

  • have a limited scope, since they can only track activities that are directly aimed at them;

  • the use of honeypots creates the risk of complete compromise of the real system of which they are a part; they can also be used by intruders to attack other computer systems;

  • possible difficulties with “masking” a highly interactive system – an attacker can understand that he is not on a real system and try to trick the honeypot. For example, if an attacker identified the use of a highly interactive system, then he could attack it on behalf of the real computer of the target system. A highly interactive system will detect this attack and mistakenly notify the administrator that suspicious activity has been detected, creating a chain of investigations leading on a false trail, and at this time the attacker will be able to focus his efforts on attacking the real system, which can entail serious consequences;

  • the need for constant improvement of a highly interactive system due to the fact that sooner or later it will be studied by malefactors, and also due to the fact that the capabilities of malefactors are constantly growing.

An illustrative diagram of how a honeypot is connected to a corporate network:

There are honeypots built on dedicated servers and software-emulated honeypots.

Honeypots installed on a dedicated server allow it to be as close as possible to the real server, the role of which it performs (data server, application server, proxy server).

An emulated honeypot recovers quickly when compromised, and is also clearly limited to the host OS. It can be created using a virtual machine or Honeyd.

The difference between the two is network-wide. If, for example, this is a small office network, then it makes little sense to set up a dedicated server for logging suspicious events on the network. Here it will be enough to be limited to a virtual system or even one virtual service. Large organizations use dedicated servers with fully replicated network services. Typically, the configuration of such services is deliberately made in error so that an attacker can successfully compromise the system. This is the main idea of ​​a honeypot – to lure an intruder.

FrameWork Platform Analysis

There are three common types of honeypots:

  • Honeypots with low interaction. These traps simulate services such as Telnet, SSH, and web servers. An attacker or attacking system will mistake a honeypot for a real vulnerable system and install the payload.

  • Medium-level honeypots also simulate vulnerable systems, but they are more functional than the simplest traps.

  • High level honeypots. These are real systems that require additional steps on the part of the administrator to limit malicious activity and to avoid compromising other systems. Their advantage is that they can run on a POSIX-compliant system. This means that attempts to identify hosts that use techniques not yet emulated by low-interaction honeypots will not work against such a trap, and attackers will be convinced that they have hit a real device.

HoneyDrive is the best Linux honeypot distribution. This is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypot, Honeyd low interaction honeypot, Glastopf honeypot and Wordpot, Honeypot Conpot SCADA / ICS, Thug and PhoneyC honeyclients, and much more. In addition, it includes many useful pre-configured scripts and utilities for analyzing, visualizing, and manipulating the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, ELK stack, and more. Finally, the distribution also includes nearly 90 well-known malware analysis, forensics, and network monitoring tools.

Conpot – ICS / SCADA Honeypot. Conpot is a low-interactivity server-side industrial control decoy designed to be easy to deploy, modify, and expand. By providing a set of generic manufacturing control protocols, the foundations were laid for us to build our own system capable of emulating complex infrastructures in order to convince an adversary that he had just found a huge industrial complex. To improve our deception capabilities, we were also given the server’s ability to customize the human-machine user interface to increase the decoy attack surface. Service response times can be artificially delayed to simulate system behavior under constant load. Since we are provided with full protocol stacks, Conpot can be accessed using performance HMIs or expanded with real hardware.

Cuckoo Sandbox is an open source software for automating the analysis of suspicious files. To do this, custom components are used that monitor the behavior of malicious processes when working in an isolated environment.

Dionaea, the “successor to Nepenthes”, is a malware decoy originally developed as part of the 2009 Google Summer of Code (GSoC) Honeynet Project. Dionaea’s job is to catch malware by luring it into a trap, so that researchers are able to get so-called samples of a particular malware. Dionaea has a modular architecture, Python is used as a scripting language for protocol emulation. This decoy is far superior to its predecessor (Nepenthes), it is capable of detecting shellcodes using LibEmu, and supports IPv6 and TLS.

Each of the honeypot implementations has its own characteristics, some are capable of emulating up to hundreds of operating systems. The differences also apply to the OS to which they apply.

The framework was chosen to demonstrate the work. T-pot

Deployment instructions

Install the Debian 10 virtual machine within the Google Cloud Platform to install the T-Pot framework. To get the T-Pot, you need to download a copy of the Github source code. Since Debian does not pre-contain git, we use apt-get.

Executing the download and install commands will start the installation of the T-Pot.

Next, a screen of various options for installing the T-Pot is presented, in our case, select “STANDARD”.

Next, you need to create a username and password to access the T-Pot web interface.

After the user is created, the installation will continue and the rest of the packages will be downloaded.

After installation, the system will reboot.

Now that all honeypots are installed, we connect to the T-Pot at https: // : 64297. We go under the user who was created earlier.

By selecting “dashboard” from the menu, you can view the global dashboards and dashboards specific to each honeypot. You can also create new dashboards here.

The T-Pot’s dashboard contains information that aggregates all attacks into different views, such as port number or country name. This dashboard can also be used to keep track of common usernames and passwords used in bruteforce attempts.

T-Pot also includes a web based management console with a graphical user interface that can be used to manage virtual server and docker images. To access this page, first create an account in the virtual machine and then go to https: // : 64294 and log in.

Finally, you can scan the honeypot host using Nessus Essentials.

These are the results I got.

Similar Posts

Leave a Reply Cancel reply