41 Network Monitoring – Honeypots

Note: This lab is typically performed after the Zenmap Basics lab, but it can also be completed as a standalone.

Honeypots are useful tools for network defense.  They allow attackers to navigate a dummy infrastructure so investigators can monitor attacker activities to identify their tactics, techniques, and procedures (TTP).   Honeypots need careful configuration otherwise they become a pivot point for attackers to use to gain access to the enterprise architecture.

Learning Objectives

• Learn how to configure a simple HTTP honeypot on an enterprise network
• Learn how to use Zenmap to verify services are running

Prerequisites

• Chapter 38 – Network Monitoring – Zenmap Basics
• Chapter 7 – Creating a Linux Server

Deliverables

• Screenshot of Zenmap scan showing port 80 is active
• Screenshot of Intrusion Detection report on Pentbox
• Screenshot of the GNS3 Working Environment

Resources

• technicaldada and jaykali – Pentbox GitHub Repository – https://github.com/technicaldada/pentbox

Contributors

• Kyle Wheaton, Cybersecurity Student, ERAU-Prescott

Phase I – Building the Network Topology

The following steps outline the process for creating a baseline network to complete this chapter. It makes assumptions about the learner’s knowledge from completing previous labs.

By the end of this lab, your network should look like the following:

1. Start GNS3
2. (Optional) Load the lab (Network Monitoring – Zenmap Basics) and save it as a new project
3. Modify/create the DMZ subnet, it must contain:
   1. An Ethernet switch
   2. Two (2) Ubuntu Servers
      1. Honeypot – 10.0.0.5
      2. Services server – 10.0.0.4
4. Create the internal LAN. All devices should receive DHCP from the Services server. Ensure the following devices are included:
   1. Switch
   2. Kali Linux
   3. Three (3) light PCs that have browsers
5. A Mikrotik router. For ease of use, the following connections should be made:
   1. ether 1 -NAT Node (ISP)
   2. ether 2 – Internal LAN
   3. ether 3 – DMZ

1. Using Zenmap on the IT laptop, perform a Regular scan on the honeypot server (10.0.0.5) to verify that no standard ports are currently open
   

   

   1. If any ports are open, identify and terminate the service and re-scan the server
2. Install the Pentbox software suite
   1. Login to the honeypot server
   2. Download the Ruby scripting language

      > sudo apt install ruby -y

   3. Download Pentbox from the official GitHub repository

      > cd ~

      > git clone https://github.com/technicaldada/pentbox

   4. Decompress the tarball

      > tar -zxvf ~/pentbox/pentbox.tar.gz

      NOTE: “Tarballs” in Linux are files that are archived with the Tar utility and compressed with GNU Zip. They can quickly be identified with the [.]tar[.]gz extension.

   5. Run the pentbox program

      > ~/pentbox-1.8/pentbox.rb

3. Setup the Honeypot
   1. In Pentbox’s main menu, you should see some options to select via the number associated with it
      

      

   2. Select Network tools (2)
      

      

   3. Select Honeypot (3)
      

      

   4. Select Fast Auto Configuration (1)
      

      

      NOTE: Now that the honeypot is running, we can see which port it is operating on (80), the date it was started (April 4, 2024), and the time, based on the current system locale settings (7:45:24 PM).

4. On the IT laptop, re-scan the honeypot server to verify that port 80 is now open
   

   

5. Test the honeypot
   1. In the IT laptop, open a Firefox browser and try to connect to the honeypot server

      http://10.0.0.5:80

       

      

   2. Switch back to the honeypot terminal to view the live intrusion detection report
      

      

      NOTE: From here, we can see a wealth of information about the potential attacker, including that it was a Linux machine with the IP address 192.168.5.111, using a Firefox browser, that attempted to connect to our server at 7:58:15 PM. If this was not a recognized device, we could blacklist that IP (or MAC) address from our network to prevent connections in the future.

End of Lab