39 Network Monitoring – Honeypots

Jacob Christensen; Arjun Nath; and Isha Patel

Honeypots are useful tools for network defense.  They allow attackers to navigate a dummy infrastructure so investigators can monitor attacker activities to identify their tactics, techniques, and procedures (TTP).   Honeypots need careful configuration otherwise they become a pivot point for attackers to use to gain access to the enterprise architecture.

Learning Objectives

  • Learn how to configure a simple HTTP honeypot on an enterprise network
  • Learn how to use Zenmap to verify services are running

Prerequisites

Deliverables

  • Screenshot of Zenmap scan showing port 80 is active
  • Screenshot of Intrusion Detection report on Pentbox
  • Screenshot of the GNS3 Working Environment

Resources

Contributors

  • Kyle Wheaton, Cybersecurity Student, ERAU-Prescott

Phase I – Building the Network Topology

The following steps are to create a baseline network for completing this chapter. It makes assumptions about learner knowledge from completing previous labs.

By the end of this lab, your network should look like the following:

gns3
Figure 1 – Final GNS3 network
  1. Start GNS3
    1. Save the lab (Network Monitoring – Zenmap Basics) as a new project: LAB_22
  2. Modify the DMZ subnet
    1. Add an Ethernet switch
    2. Add another Ubuntu Server (10.0.0.5)

Phase II – Setting up a Simple HTTP Honeypot

There are many different tools and services that are available for constructing various honeypots. Some are hardware-based, others are software-based, but they all have the same function of monitoring attackers in progress to learn their tactics, goals, and potential motivations.  We are going to use Pentbox which has a honeypot feature.  This tool is usually used by pentesters to ‘watch their back’ in case their target tries to hack back when on a mission, but it is relatively simple to use and operate for new users.
  1. Using Zenmap on the IT laptop, perform a Regular scan on the honeypot server (10.0.0.5) to verify that no standard ports are currently open
    Picture of commands
    Figure 2 – First Zenmap Scan
    1. If any ports are open, identify and terminate the service and re-scan the server
  2. Install the Pentbox software suite
    1. Login to the honeypot server
    2. Download the Ruby scripting language

      > sudo apt install ruby -y

    3. Download Pentbox from the official GitHub repository

      > cd ~

      > git clone https://github.com/technicaldada/pentbox

    4. Decompress the tarball

      > tar -zxvf ~/pentbox/pentbox.tar.gz

      NOTE: “Tarballs” in Linux are files that are archived with the Tar utility and compressed with GNU Zip. They can quickly be identified with the [.]tar[.]gz extension.

    5. Run the pentbox program

      > ~/pentbox-1.8/pentbox.rb

  3. Setup the Honeypot
    1. In Pentbox’s main menu, you should see some options to select via the number associated with it
      Picture of commands
      Figure 3 – Pentbox main menu
    2. Select Network tools (2)
      Picture of commands
      Figure 4 – Pentbox Network Tools
    3. Select Honeypot (3)
      Picture of commands
      Figure 5 – Pentbox honeypot menu
    4. Select Fast Auto Configuration (1)

      Picture of commands
      Figure 6 – Pentbox honeypot activation

      NOTE: Now that the honeypot is running, we can see what port it is operating on (80), the date it was started (April 4th, 2024), and the time based on the current system locale settings (7:45:24 PM).

  4. On the IT laptop, re-scan the honeypot server to verify that port 80 is now open
    Picture of commands
    Figure 7 – Second Zenmap scan
  5. Test the honeypot
    1. In the IT laptop, open a Firefox browser and try to connect to the honeypot server

      http://10.0.0.5:80

      Picture of commands
      Figure 8 – Connection to honeypot over HTTP
    2. Switch to back the honeypot terminal to view the live intrusion detection report
      Picture of commands
      Figure 9 – Pentbox Intrusion Detection Log

      NOTE: From here, we can see a wealth of information about the potential attacker including that it was a Linux machine with the address 192.168.5.111 using a Firefox browser who tried connecting to our server at 7:58:15 PM. If this was not a recognized device, we could blacklist that IP (or MAC) address from our network to prevent connections in the future.

End of Lab

Deliverables

3 Screenshots are required to earn credit for this exercise:

  • Screenshot of Zenmap scan showing port 80 is active
  • Screenshot of Intrusion Detection report on Pentbox
  • Screenshot of the GNS3 Working Environment

Homeworks

Assignment 1 – Setup honeypots on other web ports
  • Use the honeypot manual configuration to open the other common ports used by websites (ports 443, 8080, 8443)
  • From the attacking machine, try to access the webpage in a similar way as before
  • Monitor the results on Pentbox
  • RECOMMENDED GRADING CRITERIA
    • Screenshot of Zenmap scan showing ports 80, 443, 8080, 8443 are active
    • Screenshot of Intrusion Detection reports for the same ports on Pentbox
    • Screenshot of the GNS3 Working Environment

Assignment 2 – Setup honeypots on other commonly attacked ports

  • Use the honeypot manual configuration to open other commonly used ports used by hackers (ports 20, 21, 22, 23)
  • From the attacking machine, use Linux to try to FTP, SSH, and Telnet into the honeypot
  • Monitor the results on Pentbox
  • RECOMMENDED GRADING CRITERIA
    • Screenshot of Zenmap scan showing ports 20, 21, 22, and 23 are active
    • Screenshot of Intrusion Detection reports for the same ports on Pentbox
    • Screenshot of the GNS3 Working Environment

License

Icon for the Creative Commons Attribution 4.0 International License

Mastering Enterprise Networks Copyright © 2024 by Mathew J. Heath Van Horn is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book