
41 Network Monitoring – Honeypots

Jacob Christensen; Arjun Nath; and Isha Patel

Note: This lab is typically performed after the Zenmap Basics lab, but it can also be completed on its own.

Honeypots are useful tools for network defense. They let attackers navigate a dummy infrastructure so investigators can monitor their activities and identify their tactics, techniques, and procedures (TTPs). Honeypots need careful configuration; otherwise they can become a pivot point that attackers use to gain access to the enterprise architecture.

Learning Objectives

  • Learn how to configure a simple HTTP honeypot on an enterprise network
  • Learn how to use Zenmap to verify services are running

Prerequisites

Deliverables

  • Screenshot of Zenmap scan showing port 80 is active
  • Screenshot of Intrusion Detection report on Pentbox
  • Screenshot of the GNS3 Working Environment

Resources

Contributors

  • Kyle Wheaton, Cybersecurity Student, ERAU-Prescott

Phase I – Building the Network Topology

The following steps outline the process for creating a baseline network to complete this chapter. It makes assumptions about the learner’s knowledge from completing previous labs.

By the end of this lab, your network should look like the following:

Figure 1 – Final GNS3 network
  1. Start GNS3
  2. (Optional) Load the lab (Network Monitoring – Zenmap Basics) and save it as a new project
  3. Modify/create the DMZ subnet. It must contain:
    1. An Ethernet switch
    2. Two (2) Ubuntu Servers
      1. Honeypot – 10.0.0.5
      2. Services server – 10.0.0.4
  4. Create the internal LAN. All devices should receive DHCP from the Services server. Ensure the following devices are included:
    1. Switch
    2. Kali Linux
    3. Three (3) light PCs that have browsers
  5. A Mikrotik router. For ease of use, make the following connections:
    1. ether 1 – NAT Node (ISP)
    2. ether 2 – Internal LAN
    3. ether 3 – DMZ

Phase II – Setting up a Simple HTTP Honeypot

A variety of tools and services are available for constructing different types of honeypots. Some are hardware-based and others are software-based, but they all serve the same function: monitoring attackers in progress to learn their tactics, goals, and potential motivations. We will be using Pentbox, which includes a honeypot module. This tool is typically used by pentesters to ‘watch their back’ in case their target attempts to hack back during an engagement, but it is relatively simple for new users to operate.
  1. Using Zenmap on the IT laptop, perform a Regular scan on the honeypot server (10.0.0.5) to verify that no standard ports are currently open
    Figure 2 – First Zenmap Scan
    1. If any ports are open, identify and terminate the service and re-scan the server
  2. Install the Pentbox software suite
    1. Login to the honeypot server
    2. Install the Ruby interpreter (Pentbox is written in Ruby)

      > sudo apt install ruby -y

    3. Download Pentbox from the official GitHub repository

      > cd ~

      > git clone https://github.com/technicaldada/pentbox

    4. Extract the tarball

      > tar -zxvf ~/pentbox/pentbox.tar.gz

      NOTE: “Tarballs” in Linux are files that are archived with the tar utility and compressed with GNU zip (gzip). They can quickly be identified by the .tar.gz extension.

    5. Run the pentbox program

      > ~/pentbox-1.8/pentbox.rb

  3. Setup the Honeypot
    1. In Pentbox’s main menu, you should see several options, each selected by entering the number associated with it
      Figure 3 – Pentbox main menu
    2. Select Network tools (2)
      Figure 4 – Pentbox Network Tools
    3. Select Honeypot (3)
      Figure 5 – Pentbox honeypot menu
    4. Select Fast Auto Configuration (1)

      Figure 6 – Pentbox honeypot activation

      NOTE: Now that the honeypot is running, Pentbox reports the port it is listening on (80), the date it was started (April 4, 2024), and the start time, formatted according to the system’s current locale settings (7:45:24 PM).

  4. On the IT laptop, re-scan the honeypot server to verify that port 80 is now open
    Figure 7 – Second Zenmap scan
  5. Test the honeypot
    1. On the IT laptop, open a Firefox browser and try to connect to the honeypot server

      http://10.0.0.5:80

      Figure 8 – Connection to honeypot over HTTP
    2. Switch back to the honeypot terminal to view the live intrusion detection report
      Figure 9 – Pentbox Intrusion Detection Log

      NOTE: From here, we can see a wealth of information about the potential attacker: it was a Linux machine with the IP address 192.168.5.111, running a Firefox browser, and it attempted to connect to our server at 7:58:15 PM. If this were not a recognized device, we could blacklist that IP (or MAC) address on our network to prevent connections in the future.
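To make concrete what Pentbox’s honeypot is doing behind the menus in Phase II, here is an added Ruby example (written for this chapter, not code from Pentbox or from the book’s authors). It listens on a port, records the time, source IP, request line and User-Agent of every connection attempt, prints a one-line intrusion report like the one in Figure 9, and answers with a harmless decoy page. The bind address, port, report wording and decoy response are choices made for this example, not Pentbox’s; binding to port 80 requires root privileges. The parsing and logging are kept in separate functions so they can be checked with a constructed request without opening a socket.

```ruby
require 'socket'
require 'stringio'

MAX_HEADER_BYTES = 8192 # stop reading if a client never sends the blank line

# Split a raw HTTP request into its request line and a lower-cased header hash.
def parse_request(raw)
  lines = raw.split(/\r?\n/)
  method, path, version = (lines.first || '').split(' ', 3)
  headers = {}
  lines.drop(1).each do |line|
    break if line.empty? # blank line ends the header block
    name, value = line.split(':', 2)
    next unless value
    headers[name.strip.downcase] = value.strip
  end
  { method: method || '-', path: path || '-', version: version, headers: headers }
end

# Build the record the honeypot keeps for one connection attempt.
def build_record(remote_ip, raw, now = Time.now)
  req = parse_request(raw)
  {
    time: now.strftime('%Y-%m-%d %H:%M:%S'),
    ip: remote_ip,
    method: req[:method],
    path: req[:path],
    user_agent: req[:headers]['user-agent'] || 'unknown',
    raw: raw
  }
end

# One-line report in the spirit of Pentbox's intrusion log (wording is ours).
def format_record(rec)
  "INTRUSION ATTEMPT DETECTED: #{rec[:time]} from #{rec[:ip]} " \
    "#{rec[:method]} #{rec[:path]} user-agent=#{rec[:user_agent]}"
end

DECOY_BODY = '<html><body><h1>Access denied</h1></body></html>'.freeze

# Minimal, static response: nothing about the real services is revealed.
def decoy_response
  "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n" \
    "Content-Length: #{DECOY_BODY.bytesize}\r\nConnection: close\r\n\r\n#{DECOY_BODY}"
end

# Handle one accepted connection: read the headers, log, send the decoy, close.
# A bare port scan (connect then close) is logged too, with '-' as the request.
def handle_connection(sock, remote_ip, log = $stdout)
  raw = +''
  begin
    while (line = sock.gets)
      raw << line
      break if line.strip.empty? || raw.bytesize > MAX_HEADER_BYTES
    end
  rescue IOError, SystemCallError
    # Peer hung up mid-request; whatever arrived is still recorded.
  end
  rec = build_record(remote_ip, raw)
  log.puts(format_record(rec))
  begin
    sock.write(decoy_response)
  rescue IOError, SystemCallError
    # Peer already closed (typical for a scanner); the record is kept.
  end
  rec
ensure
  sock.close unless sock.closed?
end

# Accept loop; each connection is logged on its own thread.
def run_honeypot(bind = '0.0.0.0', port = 80)
  server = TCPServer.new(bind, port)
  puts "Honeypot listening on #{bind}:#{port}"
  loop do
    client = server.accept
    Thread.new(client, client.peeraddr[3]) { |c, ip| handle_connection(c, ip) }
  end
end

# Start serving only when asked explicitly: ruby honeypot.rb serve 0.0.0.0 80
run_honeypot(ARGV[1] || '0.0.0.0', (ARGV[2] || 80).to_i) if ARGV[0] == 'serve'
```

Run it on the honeypot server with `sudo ruby honeypot.rb serve 0.0.0.0 80`, then repeat steps 4 and 5 above: the Zenmap scan from the IT laptop shows port 80 open, and every browser request prints one report line with the client’s IP and browser string. A plain Zenmap connect scan also shows up, as a line with `-` in place of the request, which is itself useful evidence of reconnaissance.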

End of Lab

Deliverables

Three screenshots are required to earn credit for this exercise:

  • Screenshot of Zenmap scan showing port 80 is active
  • Screenshot of Intrusion Detection report on Pentbox
  • Screenshot of the GNS3 Working Environment

Homework

Assignment 1 – Set up honeypots on other web ports
  • Use the honeypot’s manual configuration to open the other ports commonly used by websites (ports 443, 8080, 8443)
  • From the attacking machine, try to access the webpage in a similar way as before
  • Monitor the results on Pentbox
  • RECOMMENDED GRADING CRITERIA
    • Screenshot of Zenmap scan showing ports 80, 443, 8080, 8443 are active
    • Screenshot of Intrusion Detection reports for the same ports on Pentbox
    • Screenshot of the GNS3 Working Environment

Assignment 2 – Set up honeypots on other commonly attacked ports

  • Use the honeypot’s manual configuration to open other ports commonly targeted by attackers (ports 20, 21, 22, 23)
  • From the attacking machine, use the Linux command line to try to FTP, SSH, and Telnet into the honeypot
  • Monitor the results on Pentbox
  • RECOMMENDED GRADING CRITERIA
    • Screenshot of Zenmap scan showing ports 20, 21, 22, and 23 are active
    • Screenshot of Intrusion Detection reports for the same ports on Pentbox
    • Screenshot of the GNS3 Working Environment
Feedback – contact us via prmaster@erau.edu

License


Mastering Enterprise Networks 2e Copyright © 2024 by Mathew J. Heath Van Horn is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.