39 Network Monitoring – Honeypots
Jacob Christensen; Arjun Nath; and Isha Patel
Honeypots are useful tools for network defense. They let attackers wander through a dummy infrastructure so investigators can monitor their activity and identify their tactics, techniques, and procedures (TTPs). Honeypots need careful configuration; otherwise they become a pivot point from which an attacker can reach the real enterprise architecture. Keep a honeypot isolated (this lab places it on its own switch in the DMZ), give it no credentials or trust relationships with production systems, and treat everything it records as attacker-controlled input.
Learning Objectives
- Learn how to configure a simple HTTP honeypot on an enterprise network
- Learn how to use Zenmap to verify services are running
Prerequisites
Deliverables
- Screenshot of Zenmap scan showing port 80 is active
- Screenshot of Intrusion Detection report on Pentbox
- Screenshot of the GNS3 Working Environment
Resources
Contributors
- Kyle Wheaton, Cybersecurity Student, ERAU-Prescott
Phase I – Building the Network Topology
The following steps create the baseline network for this chapter. They assume the knowledge gained from completing the previous labs.
By the end of this lab, your network should look like the following:
- Start GNS3
- Save the lab (Network Monitoring – Zenmap Basics) as a new project: LAB_22
- Modify the DMZ subnet
- Add an Ethernet switch
- Add another Ubuntu Server (10.0.0.5)
Phase II – Setting up a Simple HTTP Honeypot
- Using Zenmap on the IT laptop, perform a Regular scan on the honeypot server (10.0.0.5) to verify that no standard ports are currently open
- If any ports are open, identify the service behind each one, stop it (and disable it so it does not come back after a reboot), then re-scan the server. A real service left running next to the honeypot gives an attacker a genuine target, and it would also prevent the honeypot from binding that port later in this lab
- Install the Pentbox software suite
- Log in to the honeypot server
- Install the Ruby interpreter (Pentbox is written in Ruby) and git
> sudo apt install ruby git -y
- Download Pentbox from the official GitHub repository
> cd ~
> git clone https://github.com/technicaldada/pentbox
- Extract the tarball (it unpacks into ~/pentbox-1.8)
> tar -zxvf ~/pentbox/pentbox.tar.gz
NOTE: "Tarballs" in Linux are files that are archived with the tar utility and compressed with gzip. They can quickly be identified by the .tar.gz extension.
- Run the Pentbox program from its own directory, as root: binding a port below 1024 (such as the honeypot's port 80) requires root privileges, so a run without sudo fails with a permission error when the honeypot starts
> cd ~/pentbox-1.8
> sudo ruby pentbox.rb
- Setup the Honeypot
- In Pentbox’s main menu, you should see some options to select via the number associated with it
- Select Network tools (2)
- Select Honeypot (3)
- Select Fast Auto Configuration (1)
NOTE: The honeypot is now running. Pentbox prints the port it listens on (80 for the fast configuration), the date it was started and the start time in the server's local time zone (in the author's run, April 4th, 2024 at 7:45:24 PM).
- On the IT laptop, re-scan the honeypot server to verify that port 80 is now open
- Test the honeypot
- In the IT laptop, open a Firefox browser and try to connect to the honeypot server
http://10.0.0.5:80
- Switch back to the honeypot terminal to view the live intrusion detection report
NOTE: The report shows a wealth of information about the potential attacker: the connection came from 192.168.5.111 at 7:58:15 PM, and the User-Agent header identifies the client as Firefox on a Linux machine. Treat these details with care. The IP address is the source address the honeypot saw (behind NAT or a proxy that is the address of the gateway, not of the client), and the User-Agent is a header the client chooses, so it can be forged. If the address is not a recognized device, we could block it at the firewall to prevent future connections; a MAC address can only be used for this when the attacker is on the honeypot's own subnet, since it is not visible across a router.
End of Lab
Deliverables
3 Screenshots are required to earn credit for this exercise:
- Screenshot of Zenmap scan showing port 80 is active
- Screenshot of Intrusion Detection report on Pentbox
- Screenshot of the GNS3 Working Environment
Homework
Assignment 1 – Set up honeypots on other common web ports
- Use the honeypot manual configuration to open the other ports commonly used by web servers (443, 8080, 8443). Pentbox listens on a single port per instance, so start a separate Pentbox session for each port (for example in separate terminal windows or tmux panes); port 443 is below 1024 and, like port 80, needs root
- From the attacking machine, try to access each port in Firefox in the same way as before
- Monitor the results on Pentbox
- RECOMMENDED GRADING CRITERIA
- Screenshot of Zenmap scan showing ports 80, 443, 8080, 8443 are active
- Screenshot of Intrusion Detection reports for the same ports on Pentbox
- Screenshot of the GNS3 Working Environment
Assignment 2 – Set up honeypots on other commonly attacked ports
- Use the honeypot manual configuration to open ports that attackers commonly probe (20, 21, 22, 23: FTP data, FTP control, SSH and Telnet), again one Pentbox instance per port. If a real SSH service is still listening on port 22, the honeypot cannot bind it, which is another reason to stop it in Phase II
- From the attacking machine, use the Linux ftp, ssh, and telnet clients to connect to the honeypot. None of them will get a working service, since Pentbox answers every connection with its canned message, but each connection attempt is logged
- Monitor the results on Pentbox
- RECOMMENDED GRADING CRITERIA
- Screenshot of Zenmap scan showing ports 20, 21, 22, and 23 are active
- Screenshot of Intrusion Detection reports for the same ports on Pentbox
- Screenshot of the GNS3 Working Environment
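As an added example (not part of the original lab and not Pentbox's own code), the following Ruby script shows what a honeypot like Pentbox actually does at the socket level, covering the Phase II honeypot and both homework assignments at once: it binds several ports (one listener thread per port, where Pentbox needs one instance per port), accepts any connection, records the source address, timestamp and the first thing the client sent, answers with a canned banner and closes. Its report line also shows where the "Linux machine using Firefox" observation in the Phase II note comes from: it is simply the client's User-Agent header, which any client can forge. The demo talks to itself over loopback with constructed probes (an HTTP request like Firefox's and an SSH client banner); the ports, banner text and payloads are assumptions.

```ruby
require 'socket'

# Added example, not code from the lab or from Pentbox: a small multi-port TCP honeypot that
# does what Pentbox does under the hood (bind, accept anything, log who connected and what they
# sent, reply with a canned banner, hang up). Ports, banner and probe payloads are assumptions.
HoneypotEvent = Struct.new(:port, :src_ip, :src_port, :time, :request_line, :headers)

# Split what the client sent into its first line and, for HTTP, a header hash.
# ssh/telnet clients send a protocol banner or nothing at all; that stays raw.
def parse_request(raw)
  lines = raw.split(/\r?\n/)
  headers = {}
  lines.drop(1).each do |line|
    key, value = line.split(':', 2)
    headers[key.strip.downcase] = value.strip if key && value
  end
  [lines.first.to_s, headers]
end

# One report line per event, in the spirit of Pentbox's "INTRUSION ATTEMPT DETECTED!" output.
# The "Linux ... Firefox" detail in Pentbox's report is just this User-Agent header.
def format_event(ev)
  agent = ev.headers.fetch('user-agent', '-')
  "INTRUSION ATTEMPT on port #{ev.port} from #{ev.src_ip}:#{ev.src_port} at " \
    "#{ev.time.strftime('%Y-%m-%d %H:%M:%S')} UTC: #{ev.request_line.inspect} (User-Agent: #{agent})"
end

class MiniHoneypot
  attr_reader :ports
  # One listener thread per port (Pentbox needs one instance per port). Port 0 lets the
  # kernel pick a free port, handy for tests; ports below 1024 need root, as with Pentbox.
  def initialize(ports, banner: "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", idle_timeout: 1.0)
    @banner = banner
    @idle_timeout = idle_timeout
    @events = []
    @lock = Mutex.new
    @servers = ports.map { |p| TCPServer.new('0.0.0.0', p) }
    @ports = @servers.map { |s| s.addr[1] }
    @threads = @servers.map { |s| Thread.new(s) { |srv| accept_loop(srv) } }
  end

  # Wait until n events are recorded or the timeout expires; returns a copy of the events.
  def wait_for_events(n, timeout: 5.0)
    deadline = Time.now + timeout
    sleep 0.02 while @lock.synchronize { @events.size } < n && Time.now < deadline
    @lock.synchronize { @events.dup }
  end

  def stop
    @servers.each(&:close) # raises IOError in each blocked accept, ending its loop
    @threads.each { |t| t.join(2) }
  end

  private

  def accept_loop(server)
    port = server.addr[1]
    loop do
      client = server.accept
      Thread.new(client) { |c| handle(c, port) }
    end
  rescue IOError, Errno::EBADF
    nil # listener closed by #stop
  end

  def handle(client, port)
    raw = +''
    # Read until the blank line that ends an HTTP header block, EOF, or idle_timeout of silence.
    while IO.select([client], nil, nil, @idle_timeout)
      line = client.gets
      break if line.nil?
      raw << line
      break if line.strip.empty?
    end
    src_ip, src_port = client.peeraddr(:numeric).values_at(3, 1)
    request_line, headers = parse_request(raw)
    event = HoneypotEvent.new(port, src_ip, src_port, Time.now.utc, request_line, headers)
    @lock.synchronize { @events << event }
    client.write(@banner)
  rescue SystemCallError, IOError
    nil # peer vanished mid-exchange; nothing more to record
  ensure
    client.close unless client.closed?
  end
end

# Constructed probe standing in for the IT laptop: send a payload over loopback, return the reply.
def probe(port, payload)
  sock = TCPSocket.new('127.0.0.1', port)
  sock.write(payload)
  sock.close_write # real clients do not do this; idle_timeout covers them
  sock.read
ensure
  sock&.close
end

# Stand-alone demo: two fake services, an HTTP request like Firefox's and an ssh client banner.
def demo
  hp = MiniHoneypot.new([0, 0], idle_timeout: 0.3)
  web_port, ssh_port = hp.ports
  probe(web_port, "GET / HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0\r\n\r\n")
  probe(ssh_port, "SSH-2.0-OpenSSH_9.6\r\n")
  report = hp.wait_for_events(2).map { |ev| format_event(ev) }
  hp.stop
  report
end

puts demo if __FILE__ == $PROGRAM_NAME
```

To run it on the lab's honeypot server instead of loopback, replace `[0, 0]` with the real ports, for example `MiniHoneypot.new([80, 443, 8080, 8443])` or `MiniHoneypot.new([20, 21, 22, 23])`, start it with sudo because those ports are below 1024, and point Firefox, ftp, ssh or telnet from the IT laptop at 10.0.0.5; a Zenmap scan then shows all of those ports as open, and each connection attempt produces one report line. The ssh and telnet clients will complain about the HTTP-style banner and disconnect, exactly as they do against Pentbox, but the attempt is already recorded by then.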