Sunday, September 4, 2011

HONEY POT Trap Hackers

What is HoneyPot??
In layman terms we can say it is a trap set by the administrators for the hackers, to fool them or to make them believe that they are hacking into admins system, but instead of that hackers are getting hacked by the admin.

How does this work??
This works by presenting the hackers a foul scenario where , hacker thinks that he is penetrating into the system but instead, he is going no where except he is playing in the world created by the admins. By doing so, admins are able to check all the malicious activity of the hackers like what all ports hackers are trying to connect, what files they are trying to upload, which all sections they are trying to access.

HonyPot is mainly designed to trap the hackers, or present a virtual system to the hackers which never exists.

Technically, Honeypot tries to listen to all the ports on the system, and whenever hacker tries to port scan the system, it gets a list of open ports which he thinks is open but actually, it is the opened port which is shown by the honeypot behind the firewall, so when ever hacker tries to access some random port say 100, then he is accessing the honeypot not the system,

Above scenario can be visualised better: Install a VM ware on a system and run any low version of windows or linux on it with all ports open, and port forward those ports on the host system, so when ever hacker tries to fingerprint or try to do port scan, then he will be gettng info about the VM ware not the host system, hacker may be able to penetrate into the VM ware OS, but our HOST OS remains safe.

But there are mainly deficulty in doing the above job , so special application is created called HONEYPOT to do this job and many other jobs like tracking of packets, file access etc.

There are mainly 3 types of honeypots available:
1.Small: Mainly keeps the log of ip-address which are trying to access your system alongwith the port
2.Medium: Its functionality is little advanced, keeping track of files accessed, time-period, hosts etc.
3.Large: It provides all the functionality, but the main feature of these kind of Honeypots are security feature, these can simulate virtual os for the outsiders or hackers very well.

In this article I am going to give the example of HoneyPot of small scale for Windows.
HoneyPots are available both on commercial platform and also as open source, I am taking the example of KFsensor which is freely available here.
STEP 1: Download the KFSENSOR and winpcap from their website and install them
STEP 2: Restart your system, start winpcap server from the folder menu where it is saved mainly in c:\ drive
STEP 3: Start KFsensor, do as promted in the window , it is mainly for the configuring of your new HONEYPOT.
STEP4: Done, keep your system up for the packets scanning.

untitled

Here in above picture u can see some port numbers are striked out, because you need to restart the system, then start your honeypot, then internet connection, else these ports will be used by net connection first, then this honeypot willnot be able to access these ports, hence no information gathering will be possible.

We can also create our small honeypot whose main function is to check for the incoming packets.......
It is nothing but the basic client-server program which listens on all port.

untitled%2B%25281%2529


Within minutes of intallation of this small honeypot i got the scanning alert sound, when checked these were the UDP packets mainly left over the internet for scanning of hosts........

No comments:

Post a Comment