A staple of the system administrator's network security toolbox, honeypots can provide companies with unique benefits. For those who might not be familiar with the term, a honeypot is a computer system whose sole purpose is to be attacked, scanned or exploited. Why would one go through the trouble of willingly weakening a computer system? Do we not have enough issues keeping our systems secure in the first place? As valid as those questions might be, they entirely miss the point: honeypots are amazing when it comes to observing an attacker's behavior, wasting their time, frustrating them and generally keeping them away from the systems and networks that we really care about. Any time an attacker spends interacting with a honeypot is time not spent attacking a real system.
There are many kinds of honeypots; some are good at simulating an entire network topology with many hosts, each running different operating systems and services. Honeypots have been used widely by researchers to study the methods of attackers, and they can be very useful to defenders as well.
HONEYD
One tool that is particularly good is Honeyd which can be obtained at http://www.honeyd.org. The following excerpt is taken from that website:
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to 65536 - on a LAN for network simulation. Honeyd improves security posture by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.
Here are a few interesting features that caught my eye:
- It can simulate lots of virtual hosts at the same time.
- It uses passive fingerprinting to identify remote hosts (attackers).
- It simulates several TCP/IP stacks (OS X, Windows, Linux etc.), which means that it can trick NMAP and NPROBE (this specific feature blew my mind).
- It can simulate arbitrary network topologies and even lets you adjust latency and packet loss.
- You can also run real UNIX applications under virtual Honeyd IP addresses (HTTP servers, FTP servers, anything you fancy actually!).
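To show how those features are expressed in practice, here is a Honeyd configuration written for this article; it is an added illustration, not a file shipped with Honeyd or one from the guest administrator. The personality strings must match entries in nmap.prints (the two used here are assumed to exist), and the addresses, the proxied host and the script path are placeholders.

```honeyd
# Added illustration, not a config shipped with Honeyd. Personality strings
# must match entries in nmap.prints; the two used here are assumed to exist.
# Addresses, the script path and the proxied host are placeholders.

# Default template: traffic to anything not explicitly bound is dropped.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A virtual Windows host: the personality drives the emulated TCP/IP stack
# fingerprint, so a scanner reading the replies sees a Windows machine.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows uptime 3284460
# Emulated web service driven by a script (scripts/web.sh is assumed to exist).
add windows tcp port 80 "sh scripts/web.sh $ipsrc $dport"
# Hand telnet to a real, isolated lab host instead of emulating it.
add windows tcp port 23 proxy 10.23.1.2:23

# A virtual Linux host running a real UNIX daemon as a subsystem
# (the "real applications under virtual IPs" feature listed above).
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action reset
set linux uid 32767 gid 32767
add linux subsystem "/usr/sbin/httpd"

# Give each template an address on the simulated network.
bind 10.0.0.50 windows
bind 10.1.0.50 linux

# Simulated topology: an entry router, a directly attached /24, and a
# second network reachable through a hop that adds latency and packet loss.
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
```

Honeyd is started with `honeyd -f <config> <network>`; the virtual addresses also have to be answered for on the LAN, which the Honeyd documentation covers separately.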
What our guest system administrator had to say
Honeyd is a very impressive tool. We spoke to a system administrator (a Linux expert), asked him to take a look at Honeyd for us, and this is what he had to say:
‘I mainly use *nix and Linux systems so I cannot talk about OS X or Windows, but installing it on Kali Linux simply required adding a line to my sources.list file and running apt-get update && apt-get install honeyd. Configuring it required editing a text-based configuration file and making sure my firewall had the correct permissions. The tool's website contains most of the information you'll need to get started.
The rest can easily be picked up by running the tool and attacking it yourself, which is exactly what I did at first. I was amazed at what NMAP was telling me and immediately wanted to know how they had managed to fool NMAP. It turns out that Honeyd's installation includes a file called nmap.prints. The contents of that file are what allow Honeyd to emulate a specific operating system. I have a few honeypots running on Amazon EC2 instances and the type of information that you can gather on scans and attacks is impressive.’
KIPPO
Kippo is also a honeypot; however, it focuses on faking an SSH server and letting attackers “brute-force it” by setting the root password to something terribly easy such as 123456. What happens after the attacker has successfully logged into your system is the cool part. You can fake an entire file system and can even clone the file structure of an installed system. Our guest system administrator did this, and this is what he said:
‘I've done it with Kali Linux and connected to it from another machine; what I could see by using various system utilities was what looked like a normal Kali install. I could navigate into folders, request file contents, upload or download files etc. All of that was of course being logged by Kippo.
Look how far you can go in wasting an attacker's time
What I found fascinating with this tool is how far you could go in wasting an attacker's time or resources. Kippo allows you to specify file contents for specific files, such as /etc/passwd, which means that you can really push the envelope when it comes to faking a specific file system. The fact that all interaction with the system is recorded means that any exploit code, shellcode or malware that is uploaded is saved and can be dissected at a later time in a virtual machine.’ You can find out more about Kippo at https://github.com/desaster/kippo.
Kippo and Honeyd are just two tools among many. Most of them are open source, which means that modifying them to suit your needs is a joy. Many people build combo honeypots, using several tools to build elaborate networks, hosts and services, all of them fake but seeming quite real.
Five advantages that honeypots can bring to companies
- Waste attackers' resources, time and attention
- Collect information on attacks, exploits, trends and malware, helping to train the security team
- Observe attacker behaviors
- Profile attackers and their methods
- Possibly improve your overall security posture if managed well
A Honeypot must be maintained & updated
I wouldn't recommend fully trusting your honeypot: an experienced attacker may have written scripts that confirm whether a specific machine is a honeypot or not. Like any other tool, a honeypot has scenarios that fit it perfectly and others that don't. You need someone continuously managing the honeypot and always ready to escalate any issues. The honeypot has to be maintained and updated just as much as other machines. You have to decide whether the gain is worth the pain, and whether you can invest in the necessary pain. Just "adding a honeypot" will do nothing to increase network security, and it may even open a security breach if the honeypot isn't as well insulated as you believed it to be.
Note: The guest system administrator who contributed to this article was Arona Ndiaye, based in The Netherlands.