Learning Python and writing a honeypot - suggestions please!

Hiya forum, so it's high time I learnt Python. I have been working on a course all week and most of the basics are in place. I will be moving onto the more advanced pentesting-oriented course next, so I would like to have a little pet project to do in tandem with the learning.

I have considered deploying a honeypot on my local network for a while. So I'll just write one!

I am just looking for some suggestions on potential features that would be handy to include to make the honeypot more functional and more likely to detect unwanted guests.

Any suggestions please?

I will start with an ARP scan of the LAN to build a list of known MAC addresses to identify any new MACs that may appear.

Next up I'll open up HTTP and SSH on the honeypot server and capture all requests submitted to both services.

I was thinking if an intruder is identified I want to know as much about him as possible. I'll capture his MAC and IP and run a port scan etc. against him. Any suggestions on what else I could do to figure out as much as possible about the black hat?

Appreciate your responses,
Thanks
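The first step in the plan above (ARP-scan the LAN, keep a list of known MACs, alert on any that are new) written out as an added example for the thread; this is not the poster's code. It parses the tab-separated host lines that arp-scan prints, keeps a JSON baseline, and reports newcomers. Assumptions: arp-scan is installed and the live path runs as root; the sample scan output, the baseline file name `known_macs.json` and the helper names are mine, and the sample is constructed so the logic can be run offline.

```python
"""Baseline the LAN's MAC addresses and flag any that are new.

Added example for this thread, not the poster's own code. It parses the
tab-separated host lines that arp-scan prints (ip, mac, vendor), keeps a
JSON baseline of known MACs, and reports newcomers. Assumptions: arp-scan
is installed and you run as root for the live path; the sample scan below
is constructed so the logic can be exercised offline.
"""
import json
import re
import subprocess
from pathlib import Path

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample in the shape of `arp-scan --localnet` host lines,
# plus one of the summary lines the parser has to ignore.
SAMPLE_SCAN = (
    "192.168.1.1\t00:11:22:33:44:55\tRouter Vendor\n"
    "192.168.1.20\taa:bb:cc:dd:ee:01\tMini PC Vendor\n"
    "192.168.1.77\tde:ad:be:ef:00:01\t(Unknown)\n"
    "3 packets received by filter, 0 packets dropped by kernel\n"
)


def parse_arp_scan(text):
    """Return {mac: ip} from arp-scan output; banner/summary lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        ip, mac = parts[0].strip(), parts[1].strip().lower()
        if MAC_RE.match(mac):
            hosts[mac] = ip
    return hosts


def live_scan(interface=None):
    """Run arp-scan on the local subnet (needs root). Assumption: arp-scan on PATH."""
    cmd = ["arp-scan", "--localnet"]
    if interface:
        cmd += ["--interface", interface]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_arp_scan(out)


def load_baseline(path):
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_baseline(path, baseline):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def compare(seen, baseline):
    """Classify the scan against the baseline.

    new:     MACs never seen before -> the alert condition
    moved:   known MACs now on a different IP (DHCP churn, or someone
             re-using a known address)
    missing: baseline MACs that did not answer this time (asleep or gone)
    Caveat: a MAC is trivially spoofable, so a deliberate intruder can clone
    a known one; this catches the unplanned device, not the careful one.
    """
    new = {m: ip for m, ip in seen.items() if m not in baseline}
    moved = {m: (baseline[m], ip) for m, ip in seen.items()
             if m in baseline and baseline[m] != ip}
    missing = sorted(m for m in baseline if m not in seen)
    return {"new": new, "moved": moved, "missing": missing}


def alert_lines(report):
    """Human-readable alert text; an empty list means nothing to report."""
    lines = [f"NEW DEVICE {m} at {ip}" for m, ip in sorted(report["new"].items())]
    lines += [f"IP CHANGE {m}: {old} -> {cur}"
              for m, (old, cur) in sorted(report["moved"].items())]
    return lines


if __name__ == "__main__":
    seen = live_scan()
    baseline = load_baseline("known_macs.json")
    for line in alert_lines(compare(seen, baseline)):
        print(line)
    if not baseline:  # first run: everything present becomes the baseline
        save_baseline("known_macs.json", seen)
```

Run it once on a quiet evening to seed the baseline, then from cron every few minutes; anything in the `new` bucket is worth a notification, while `moved` is usually just DHCP.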

I don't really have much to add; building a honeypot is a very good project though.

@NeoCortex2000 said:

I was thinking if an intruder is identified I want to know as much about him as possible. I'll capture his MAC and IP and run a port scan etc. against him. Any suggestions on what else I could do to figure out as much as possible about the black hat?

I agree with @sparkla here. The chances of an attacker coming at you from their own IP address is low and it is significantly more likely you will end up scanning another victim machine. It is also significantly more likely they will detect you and think you are the attacker rather than their own compromised device.

Realistically, short of nation-state actors, there is very little value in trying to hack back like this.

Deter, detect, delay then block is probably the best sequence of events.

Actually wifi hacking is a bit of a concern I have. Or people deploying sneaky little devices onto my network such as a Packet Squirrel, spy cam or wifi keylogger. Going through a divorce. Wife works in IT. I trained her. I'll say no more.

OK, maybe I'll put the hack-back idea on ice for now.

I'm just looking for general inspiration for any useful features that I could include in the honeypot that would detect an intruder, really.

I think the most basic is being attractive enough to an attacker when they run a scan.

But it also needs to fit into the environment, so if your network has 10 locked-down Windows machines, finding a Linux box with anonymous FTP, finger and telnet wide open might be a bit too obvious.

Try out a Cowrie instance (GitHub - cowrie/cowrie: Cowrie SSH/Telnet Honeypot, https://cowrie.readthedocs.io) on your LAN. It's an SSH/Telnet honeypot. Write a script to monitor the logs and send a notification when there is activity.
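The log-monitoring script suggested above, as an added example for the thread; it is not part of Cowrie and not the poster's code. Cowrie writes one JSON object per line with an `eventid` such as `cowrie.session.connect`, `cowrie.login.failed`, `cowrie.login.success`, `cowrie.command.input` and `cowrie.session.file_download`. The watcher follows the file like `tail -f`, turns the interesting events into alert strings and hands them to a `notify` callback. Assumptions: the log path is the default for a home-directory install, `notify` is a stand-in for whatever delivery you choose, and the sample lines are constructed to match the field names used here.

```python
"""Watch Cowrie's JSON log and raise a notification on attacker activity.

Added example for this thread, not Cowrie's own code. Cowrie writes one
JSON object per line (cowrie.json under var/log/cowrie/) with an
`eventid` such as cowrie.session.connect, cowrie.login.failed,
cowrie.login.success, cowrie.command.input and cowrie.session.file_download.
The `notify` callback is a stand-in: swap print() for mail, a webhook, or
whatever suits. The sample lines below are constructed.
"""
import json
import time

# Constructed lines in the shape of cowrie.json (only the fields used here),
# with one broken line to show the watcher must not crash on it.
SAMPLE_LOG = [
    '{"eventid":"cowrie.session.connect","src_ip":"192.168.1.77","session":"a1","timestamp":"2024-01-01T10:00:00Z"}',
    '{"eventid":"cowrie.login.failed","src_ip":"192.168.1.77","session":"a1","username":"root","password":"toor","timestamp":"2024-01-01T10:00:01Z"}',
    '{"eventid":"cowrie.login.success","src_ip":"192.168.1.77","session":"a1","username":"root","password":"123456","timestamp":"2024-01-01T10:00:02Z"}',
    '{"eventid":"cowrie.command.input","src_ip":"192.168.1.77","session":"a1","input":"uname -a; cat /etc/passwd","timestamp":"2024-01-01T10:00:03Z"}',
    "this line is not json and must not crash the watcher",
    '{"eventid":"cowrie.session.closed","src_ip":"192.168.1.77","session":"a1","timestamp":"2024-01-01T10:00:09Z"}',
]


def classify(event, seen_ips):
    """Return an alert string for interesting events, None for noise.

    seen_ips is mutated: the first connect from an IP alerts, repeats do not,
    so a scanner that reconnects every second does not flood the inbox.
    """
    eid = event.get("eventid", "")
    ip = event.get("src_ip", "?")
    if eid == "cowrie.session.connect":
        if ip in seen_ips:
            return None
        seen_ips.add(ip)
        return f"first connection from {ip}"
    if eid == "cowrie.login.failed":
        return f"{ip} failed login {event.get('username')!r}/{event.get('password')!r}"
    if eid == "cowrie.login.success":
        return f"{ip} LOGGED IN as {event.get('username')!r} with {event.get('password')!r}"
    if eid == "cowrie.command.input":
        return f"{ip} ran: {event.get('input')}"
    if eid == "cowrie.session.file_download":
        return f"{ip} downloaded {event.get('url')} (sha256 {event.get('shasum')})"
    return None


def process_lines(lines, notify=print, seen_ips=None):
    """Feed log lines through classify(); returns the list of alerts raised."""
    seen_ips = set() if seen_ips is None else seen_ips
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # half-written line or junk: skip it, do not die
        msg = classify(event, seen_ips)
        if msg:
            alerts.append(msg)
            notify(msg)
    return alerts


def follow(path, poll=0.5):
    """Yield lines appended to path, like `tail -f`; starts at the current end."""
    with open(path, "r", encoding="utf-8") as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


if __name__ == "__main__":
    # Assumed default path for a home-directory install of Cowrie.
    process_lines(follow("/home/cowrie/cowrie/var/log/cowrie/cowrie.json"))
```

The JSON log is rotated daily by default, so a watcher left running for weeks should reopen the file when its inode changes; the simple `follow()` above does not do that.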

Awesome suggestions thanks.

sm4sh, I am going to write the entire thing from scratch, so I'm looking to not depend on any external code that's not native to Kali. The more I think about it, the easier I think it's going to be. It's just a matter of running a packet capture while I am doing all my usual scanning activities and having the honeypot application be aware of those traffic patterns to trigger a response.

I have a mini PC that will be perfect for it. Low power consumption, and it is also controlling my home theatre setup so it's always on anyway.

With the PCAP I'll apply filters so that it only catches protocols that I have alerts set for, rather than all data.

On top of that I'll write a loop into the code so that it captures, say, 50 MB of data or 20 seconds, whichever comes first, then screens it for anything suspect, and if nothing suspect is found, purge the 50 MB of data; rinse and repeat.

If something suspect is present, then save that chunk of data for further analysis later and trigger the alert.
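The capture loop sketched in the last three posts (bounded chunks of 50 MB or 20 seconds, screen each chunk, keep it only if something suspect turned up), written out as an added example for the thread; this is not the poster's code. Packets are reduced to a small record so the screening can run offline on constructed traffic, and the scapy adapter at the end is the assumed way to feed it live. The screening rules (a port scan against one host, a sweep across many hosts, any hit on the honeypot's bait ports) and their thresholds are my assumptions, as are the honeypot address `192.168.1.20` and the sample traffic.

```python
"""Capture in bounded chunks, screen each chunk, keep only the suspect ones.

Added example for this thread, not the poster's code. A chunk closes after
max_bytes or max_seconds, whichever first; it is then screened and either
kept or dropped. Packets are reduced to Record(ts, src, dst, proto, dport,
size) so the screening runs offline on the constructed sample below. The
detection thresholds and the scapy adapter are assumptions; tune them.
"""
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "ts src dst proto dport size")


class Chunker:
    """Accumulate records; push() returns the finished chunk when a limit trips."""

    def __init__(self, max_bytes=50 * 1024 * 1024, max_seconds=20.0):
        self.max_bytes, self.max_seconds = max_bytes, max_seconds
        self._reset(None)

    def _reset(self, start_ts):
        self.records, self.bytes, self.start_ts = [], 0, start_ts

    def _add(self, rec):
        self.records.append(rec)
        self.bytes += rec.size

    def push(self, rec):
        if self.start_ts is None:
            self.start_ts = rec.ts
        # Time limit: a packet arriving after the window closes the chunk
        # first and then opens the next one as its first record.
        if self.records and rec.ts - self.start_ts >= self.max_seconds:
            done = self.records
            self._reset(rec.ts)
            self._add(rec)
            return done
        self._add(rec)
        if self.bytes >= self.max_bytes:  # size limit
            done = self.records
            self._reset(None)
            return done
        return None

    def flush(self):
        done = self.records
        self._reset(None)
        return done


def screen(records, scan_ports=15, sweep_hosts=10, decoy_ports=(22, 80), honeypot_ip=None):
    """Return findings for a chunk; an empty list means purge it.

    port scan:  one src touching >= scan_ports distinct TCP ports on one dst
    host sweep: one src touching >= sweep_hosts distinct hosts
    decoy hit:  anything at all reaching the honeypot's bait ports
    """
    ports = defaultdict(set)   # (src, dst) -> dports seen
    hosts = defaultdict(set)   # src -> dsts seen
    decoy = set()
    for r in records:
        if r.proto != "tcp":
            continue
        ports[(r.src, r.dst)].add(r.dport)
        hosts[r.src].add(r.dst)
        if honeypot_ip and r.dst == honeypot_ip and r.dport in decoy_ports:
            decoy.add((r.src, r.dport))
    findings = [f"port scan {s} -> {d} ({len(p)} ports)"
                for (s, d), p in ports.items() if len(p) >= scan_ports]
    findings += [f"host sweep from {s} ({len(d)} hosts)"
                 for s, d in hosts.items() if len(d) >= sweep_hosts]
    findings += [f"decoy port {port} hit by {src}" for src, port in sorted(decoy)]
    return findings


def run(records, chunker, keep, **screen_kw):
    """Drive the chunker over a record stream. keep(chunk, findings) is called
    for suspect chunks; clean chunks are dropped. Returns (kept, purged)."""
    kept = purged = 0
    for chunk in (chunker.push(r) for r in records):
        if chunk is None:
            continue
        findings = screen(chunk, **screen_kw)
        kept, purged = (kept + 1, purged) if findings else (kept, purged + 1)
        if findings:
            keep(chunk, findings)
    tail = chunker.flush()
    if tail:
        findings = screen(tail, **screen_kw)
        kept, purged = (kept + 1, purged) if findings else (kept, purged + 1)
        if findings:
            keep(tail, findings)
    return kept, purged


def sample_records():
    """Constructed traffic: 10 s of ordinary HTTPS from a desktop, then a
    25-port scan from 192.168.1.77 against the honeypot in the next window."""
    recs = [Record(float(i), "192.168.1.50", "93.184.216.34", "tcp", 443, 1200) for i in range(10)]
    recs += [Record(25.0 + i * 0.01, "192.168.1.77", "192.168.1.20", "tcp", p, 60)
             for i, p in enumerate(range(20, 45))]
    return recs


def to_record(pkt):
    """Reduce a scapy packet to a Record (assumed live adapter; unused offline)."""
    from scapy.layers.inet import IP, TCP, UDP
    if not pkt.haslayer(IP):
        return None
    proto = "tcp" if pkt.haslayer(TCP) else "udp" if pkt.haslayer(UDP) else "other"
    dport = pkt[TCP].dport if proto == "tcp" else pkt[UDP].dport if proto == "udp" else 0
    return Record(float(pkt.time), pkt[IP].src, pkt[IP].dst, proto, dport, len(pkt))


if __name__ == "__main__":  # live use: the BPF filter is the "only protocols I alert on" part
    from scapy.all import sniff
    chunker = Chunker()

    def on_packet(pkt):
        rec = to_record(pkt)
        chunk = chunker.push(rec) if rec else None
        if chunk and (findings := screen(chunk, honeypot_ip="192.168.1.20")):
            print(findings)  # stand-in for: write the chunk to disk and alert

    sniff(filter="tcp or udp", store=False, prn=on_packet)
```

Keeping only the reduced records means the "save that chunk" step loses payloads; if the later analysis needs them, have `keep()` write the raw packets (scapy's `wrpcap`) for that chunk instead, which is cheap because it only happens for chunks that already tripped a rule.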