How to detect a HoneyPot?

Viewing 19 reply threads
    • #569
      morpheus063
      Participant

      Hi All,

      If we connect to a system, how can we determine whether the target system is a honeypot or a real system?

      Or to put it in other words, how to detect a honeypot?

      Regards,

      Note: If this is not the correct forum to post this, please edit or delete this post.

    • #9753
      smittyb
      Participant

      I assume you are doing black box testing and you aren’t sure if a honeypot is present. 

    • #9754
      morpheus063
      Participant

      @smittyb wrote:

      I assume you are doing black box testing and you aren’t sure if a honeypot is present. 

      Yes, one scenario is black box testing. The second scenario is professionally, if we are going for a black box testing, we should be smart enough to say that there is/are honeypots in the network and their details are so and so.

    • #9755
      pcsneaker
      Participant

      If you do a black box testing and the honeypot is well configured it is nearly impossible to determine that it’s a honeypot without getting direct access to that box.

      Just by portscanning and fingerprinting it only would work if somebody assembles a weird configuration (e.g. you get the Banner of a Microsoft Exchange Server on TCP Port 25 and TCP fingerprinting tells you that it’s probably some Flavor of Red Hat Linux …)

      There is no recipe how to do that, you’ll need to take all the results you’re able to get and think creatively – I mean for instance I would think that it’s rather unlikely (but nevertheless not impossible, so take care!) that somebody will place a honeypot inside an internal LAN side by side with the company’s main fileserver.

    • #9756
      Anonymous
      Participant

      The idea behind a honeypot is that it fools the hacker into thinking he has acquired access to an important area. If well set up you should not be able to tell other than you can’t seem to move further to any other part of a network. The biggest mistake when setting up a honeypot is making it too inviting! If you were to scan a target of what you thought should have been a secure site and find it has lots of ports open with vulnerable services just begging you to jump in, that’s more than likely a honeypot!

    • #9757
      morpheus063
      Participant

      Hi Friends,

      Thanks for the reply.
      If the honeypot is based on a UML, one way to identify it is by identifying its MAC address.

      My only understanding about this is that as UML will be running more than one instance of an OS / honeypot, all these will be having the same MAC ID. So by identifying the MAC IDs we can identify whether the systems are honeypots or not.

      Correct me if I am wrong and also can anybody throw more light on this?

      Regards,

      The Morpheus

    • #9758
      pcsneaker
      Participant

      To see the MAC address you need to be on the same physical network segment – that’s very unlikely in a real black box test – in general you’ll have to access the network you want to test from the ugly internet (the same way a wily hacker would do it). So that would not be an option.

    • #9759
      Anonymous
      Participant

      You can easily identify MAC addresses on a wireless network from the outside with tools like Kismet but that’s another issue. A well configured honeypot will be extremely difficult to identify, especially from the outside. All examples I am aware of that identify honeypots rely on a poor configuration and we know Admins never do that, lol! There are even commercial tools such as Honeypot Hunter that use anti-honeypot technology. Honeypot Hunter checks lists of HTTPS and SOCKS4/SOCKS5 proxies for honeypots. Even tools like that can be defeated if the honeypot is configured properly.

    • #9760
      oyle
      Participant

      Even so, why would you want to? A Honeypot is a bare-bones system, usually with nothing more on it than the OS. It serves as bait for hackers. When properly configured, when a hacker finds a honeypot and is exploring it, the honeypot sends a message (usually an email) to the Admin and gives the Admin time to respond to the potential attack by a hacker.

      I would say if the hacker finds an install of KFSensor, the most common Honeypot software, then the hacker could be assured he had found a Honeypot. But if he’s smart, he’d better get out of there and cover his tracks before the Admin sees him and can track him down. Next step is to call the FBI.

      All a honeypot is is BAIT! That’s it!!!

      ;D

    • #9761
      Anonymous
      Participant

      The only value for the ethical hacker or admin in seeing if he can detect a honeypot outside of the network is to test the honeypot he has created. That is if you even fool with such things. I am not a big believer in them except in the case where an Admin wants to actually watch and learn how attacks take place.

    • #9762
      morpheus063
      Participant

      @Kev wrote:

      The only value for the ethical hacker or admin in seeing if he can detect a honeypot outside of the network is to test the honeypot he has created. That is if you even fool with such things. I am not a big believer in them except in the case where an Admin wants to actually watch and learn how attacks take place.

      As Kev mentioned, the ultimate aim of this discussion is to test the honeypot installation and to learn and take countermeasures. As we know, to defend against an attack we have to think like an attacker. Even though policies and guidelines exist, the human factor always plays a major role in all security aspects. What I mean to say is that not all Admins will be configuring the systems or honeypots in the same manner. There will be some configuration changes from installation to installation and the hackers will be exploiting these minor changes. So our aim should be to detect these configuration changes and to identify the security impact created by these changes.

      Does anyone know about a scenario where a honeypot has been compromised and used for further attack? Do you think it is possible or has it happened?

    • #9763
      Anonymous
      Participant

      I have never heard of a honeypot that has been compromised and used for further attacks. As Oyle pointed out, it’s really a trap and is being observed more than most servers. While it might be a tempting target from the outside, once breached it is the worst place a hacker can end up. Remember, hackers like to sneak into the network. Attacking a honeypot with the idea of further breaching a network is like walking through the front door of a house that is under heavy surveillance by the police! I have heard of honeypots being attacked with denial of service, but never used as a launch area for further successful infiltration of a network.

    • #9764
      oyle
      Participant

      As the next logical line of defense, a Sheepdip should be installed. If by some chance a persistent hacker makes his way past the Honeypot with intentions of planting a Trojan, backdoor, or virus, the savvy Admin should install a Sheepdip. A Sheepdip is a separate box that looks for Trojans, viruses, etc. That’s ALL it does.
      Proper placement should be inside the DMZ. A proper DMZ should be formed by dual firewalls, and each firewall should be a different brand, so they check for different things, constantly. The proxy server is also in the DMZ.

      Internet–>exterior firewall–>proxy server–>Honeypot–>Sheepdip–>Interior Firewall–>Interior LAN.

      Granted, it may be a remote possibility of it happening, but it needs to be considered and planned for. Better to be safe than sorry. Nothing should be left to chance or taken for granted.

      ;D

    • #9765
      Anonymous
      Participant

      Yes, Oyle is very correct. We should never take things for granted as far as securing a network. I thought I should clarify my post: while I have not heard of a honeypot being a place to launch further attacks, in no way am I saying it’s impossible. I have been involved with security for a long time now and can say I have seen some amazing hacks. I remember when we all thought it would be impossible to hack Cisco and then it happened. So I would say it’s not bad to be a little on the paranoid side if you are in charge of securing a network. Perhaps one day we ethical hackers can meet and have our own “capture the flag” games like they do at Defcon, and attacking and owning a honeypot stealthily could be one of them.

    • #9766
      oyle
      Participant

      Y’know, I may not be able to find a full-time job working in networking, but I’ll bet half of these places I apply to don’t even KNOW what a sheepdip is, much less a honeypot. Someone needs to enlighten these people managing networks.

    • #9767
      Negrita
      Participant

      According to my Exam Prep CEH study guide one way of detecting a Honeypot is by testing to see if all the services that appear to be open actually are. Services using SSL in particular should be checked like HTTPS or SMTPS etc.

      Other ways of detecting Honeypots/Honeynets include checking the MAC addresses on the network, as has already been mentioned here. A badly configured Honeynet will have the same MAC on all the NICs.

      Many Honeypots have been set up as spam traps by BLs, and so a quick check to see if any mail has been sent from the mail account or if any legitimate-looking mail has arrived at the mail account could also show if you’re on a spam trap or not.

      @Oyle wrote:

      A Honeypot is a bare-bones system, usually with nothing more on it than the OS. It serves as bait for hackers.

      I must disagree with Oyle. A Honeypot with nothing more on it than the bare-bones system is just a pot with no honey. So where’s the bait? Unless the hacker is intending to use the honeypot as a zombie or stepping stone, they’ll be gone in minutes if there’s nothing there to keep them there. OK so you may have the logs to analyse how they got on to your Honeypot, but you won’t be able to learn anything else.

      I found a whitepaper on the Honeynet website called Detecting Honeypots and other suspicious environments which may give some of you a more definitive answer.

      BTW, a quick perusal of the Honeynet Project’s alumni shows a certain Edward Skoudis. A search for the word “Honeypot” on the SANS website comes up with the name Marcus J. Ranum numerous times. Both of these people are members/contribute either here at EH-Net or at CSP Mag. Perhaps Don can convince these experts to shed some light on the matter.

    • #9768
      pcsneaker
      Participant

      According to my Exam Prep CEH study guide one way of detecting a Honeypot is by testing to see if all the services that appear to be open actually are. Services using SSL in particular should be checked like HTTPS or SMTPS etc.

      Could you explain what you mean?

      Other ways of detecting Honeypots/Honeynets include checking the MAC addresses on the network, as has already been mentioned here. A badly configured Honeynet will have the same MAC on all the NIC’s.

      It was already mentioned here, but to be able to check the MAC you either have to be on the same physical network as the honeypot (which is unlikely – unless you are on a wireless network) or have already logged in to the box in question. If you are using a low interaction honeypot (the most common and easiest type to use) that should not (and will not) happen.
      And a high interaction honeypot is probably not a box running in a virtual environment like VMware or Virtual PC (one reason is that it would be too easy to detect) – so I still think that in most cases, if not completely impossible, at least it’s not an easy task to determine if it’s a honeypot.

    • #9769
      Negrita
      Participant

      @pcsneaker wrote:

      Could you explain what you mean?

      What Michael Gregg (the author of the Exam Cram CEH study guide) says is that you probe the services which appear to be open to see if they really are. If port 443 appears to be open you could attempt an SSL handshake to see how the system responds. The reason for this is that some protocols (such as SSL) go through a handshake procedure. A low interaction honeypot won’t be able to complete the handshake process, and no exchange of credentials nor negotiation of the security parameters will take place between the client and the server. He then goes on to mention 3 tools: THC-Amap, Send-Safe Honeypot Hunter and Nessus.
      He says that while all 3 have the capability of probing targets to check their validity, Nessus in particular has the capability of checking for proper responses to SSL related services.
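The handshake check Negrita describes is easy to run against your own honeypot to see whether a "listening" SSL port actually speaks TLS. The script below is an added example, not code from this thread or from Gregg's book; the two listener fixtures (a plaintext-banner port and a closed port) are constructed stand-ins so it runs offline.

```python
import socket
import ssl
import threading
from dataclasses import dataclass

@dataclass
class TlsProbe:
    host: str
    port: int
    tcp_open: bool       # TCP connect succeeded
    handshake_ok: bool   # full TLS handshake completed
    detail: str          # negotiated version/cipher, or the failure class

def probe_tls(host: str, port: int, timeout: float = 5.0) -> TlsProbe:
    """Try a full TLS handshake; cert trust is not checked, only whether TLS is spoken."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # honeypots and lab boxes usually have self-signed certs
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return TlsProbe(host, port, False, False, f"tcp connect failed: {exc}")
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return TlsProbe(host, port, True, True, f"{tls.version()} {tls.cipher()[0]}")
        except OSError as exc:  # ssl.SSLError and socket errors both derive from OSError
            return TlsProbe(host, port, True, False, f"handshake failed: {type(exc).__name__}")

def start_banner_only_listener(banner: bytes = b"220 mail.example ESMTP ready\r\n") -> int:
    """Constructed fixture (not a real honeypot): accept one client, send a plaintext banner, hang up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            try:
                conn.recv(1024)      # swallow the ClientHello
                conn.sendall(banner) # answer in plaintext, as a low-interaction fake SMTPS would
            except OSError:
                pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_local_port() -> int:
    """Constructed fixture: bind an ephemeral port and release it, so nothing listens there."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

A port that accepts TCP but fails the handshake (tcp_open True, handshake_ok False) is the pattern Gregg's check flags; run probe_tls over every port your honeypot advertises as SSL-capable and any such result means the emulation is shallow enough to stand out.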

    • #9770
      Anonymous
      Participant

      If you are actively running a sniffer and save those log files you can actually learn a lot. If you understand some C programming you can sometimes actually recreate the exploit if it’s a buffer overflow. You might even grab an undisclosed exploit if you are lucky. The first thing any Admin should do if he hasn’t is set up a Windows box that has not been patched and make sure his favorite sniffer is running. Then run a buffer overflow from another box and see what occurs. You should see a huge amount of incoming characters, etc…

    • #178360
      anonymouswebhacker
      Participant

      https://diarium.usal.es/pmgallardo/2020/11/15/list-of-honeypot-detection-tools/
      Anyway, there are certain detectable patterns; for instance, a system with so many open ports is very far from reality.
      But one way to know if we are facing a HoneyPot or not is to get a list of open ports and detect whether there is a service running or not, for example proxychains nmap -vvv -T1 -sS -Pn -sV host, where the -sV flag would give the versions of the supposed services. If they just show up as open and there is no version, there is a high % chance of being in front of a honeypot.

Copyright ©2021 Caendra, Inc.