In cyber security the question always comes up: how do you catch an attacker while they are trying to break into your system? The basic answer is to set a trap, and this kind of trap is called a honeypot.
Even the biggest companies, such as Google, Facebook, and Microsoft, use honeypots to monitor activity on their services; if a honeypot detects illegal or malicious activity, the source IP can be blocked.
Honeypots are hardware or software deployed by an organization's security department to investigate the threats that attackers pose. They act as decoys that let the organization gather information about an attacker while protecting the actual target system.
What are honeypots?
Honeypots are an internet security resource used to lure cybercriminals into trying to penetrate a network for illegal use. They are generally set up to understand the attacker's activity on the network so that the organization can come up with stronger prevention methods against such intrusions. Honeypots hold no valuable data; they are decoys that log the network traffic directed at them.
How do honeypots work?
As an IT administrator, you would set up a honeypot system that looks like a real system to the outside world. Honeypots generally capture the following kinds of data:
- The keys and commands the attacker typed
- The attacker’s IP address
- Usernames and various permissions that attackers use
- The type of data the attacker accessed, deleted, or modified.
Types of Honeypots:
Low-interaction honeypots: These emulate only a limited number of the services and applications present in a network or system. This type of honeypot can be used to monitor UDP, TCP, and ICMP ports and services. Fake databases, data, files, and so on serve as bait to catch attackers and understand the attacks that would happen in real time. Examples of low-interaction tools are Honeytrap, Spectre, KFsensor, etc.
Medium-interaction honeypots: These impersonate a real operating system together with the applications and services of the target network. They tend to capture more information because their purpose is to hold the attacker up, giving the organization more time to respond appropriately to the threat. Examples of medium-interaction tools are Cowrie, HoneyPy, etc.
High-interaction honeypots: These are genuinely vulnerable software running on a real operating system with the various applications a production system would generally have. The information collected with these honeypots is richer, but they are difficult to maintain. An example of a high-interaction setup is a honeynet.
Pure Honeypots: These honeypots usually mimic an organization’s real production environment, forcing an attacker to assume it’s genuine and invest more time in exploiting it. Once an attacker tries to find vulnerabilities, the organization will be alerted and therefore any kind of attack can be prevented earlier.
Production Honeypots: These honeypots are usually installed on the organization’s actual production network. They also help in finding any internal vulnerability or attack as they are present internally in the network.
Research Honeypots: These are high-interaction honeypots run by government, military and research organizations to learn more about attacker behavior.
Malware Honeypots: These are types of honeypots that are used to trap malware in a network. Their purpose is to attract the attacker or any malicious software and allow them to perform certain attacks that can be used to understand the attack pattern.
Email Honeypots: These honeypots are fraudulent email addresses that are used to lure attackers over the Internet. Emails received by any malicious entity can be monitored and investigated and used to prevent phishing email scams.
Database Honeypots: These honeypots are actual databases that are vulnerable as the name suggests and usually attract attacks such as SQL injection. Their purpose is to trick attackers into thinking they may contain sensitive information, such as credit card details, that will allow the organization to understand the pattern of attacks being carried out.
Spider Honeypots: These honeypots are installed to trap various web crawlers and spiders that tend to steal important information from web applications.
Spam Honeypots: These honeypots consist of fraudulent email servers that attract spammers trying to abuse weaknesses in the mail setup, and record details of their activities.
Honeynets are nothing but a network of honeypots that are installed in a virtual and isolated environment along with various servers to record attacker activities and understand potential threats.
Honeypots can be deployed in a variety of environments. Today we will see the installation and operation of honeypots in Windows, Android, and Linux environments.
Setting up Honeypot in Kali Linux
First you need a Linux environment. The recommended option is Kali Linux, and that is where we will install the tool. A plain Termux shell on Android will not work for this tool, so on an Android phone install Termux, install Kali Linux inside it, and start the VNC server.
Once Kali Linux is installed, open its GUI and run the commands below in a terminal.
To set up a honeypot on our Kali Linux system, we need to download a tool called Pentbox from GitHub. It is written in Ruby. We use the following command to download it:
Then we need to go to the pentbox folder using the cd command like this:
Here we have a compressed file called pentbox.tar.xz and we will use the following command to extract it:
Then we can see the new folder in this directory using the ls command:
Now we go to the pentbox-1.8 directory and check the files using the following command:
Then we run this Ruby tool with a simple command like this:
The tool then opens:
Here we need the Network Tools option, so type 2 and press Enter.
Now we see the Honeypot option, so we select it by typing 3.
The following is a screenshot:
Now you can see that there are two options you can use to set up your honeypot.
Here we can select 1 for automatic configuration, it will be fast or we can select 2 for manual configuration. The manual configuration has more options but is for advanced users. For learning, we choose option 1 and press Enter.
a) Instant Automatic Configuration
b) Manual Configuration (for advanced users)
Automatic Configuration:
You can choose either option, but the default is the easiest for newcomers. As you can see, the honeypot starts at the top of the screen.
Note that your honeypot now monitors activity on port 80 only; if you want to monitor a different port as well, choose the second option, manual configuration.
Port 80 means that when someone opens your IP address or hostname in their web browser, the honeypot immediately logs the request and displays all the information it can gather about that client, as shown below:
Now we can see that the honeypot is running on our local host on port 80. To check how it works, open a browser, visit our localhost at 127.0.0.1:80, and then look at the terminal where the honeypot is running: it shows information about who opened our localhost, as in the following screenshot:
Details you can see:
- IP address
- Operating system details
- Web browser
Under the same Network Tools menu there are other options, such as "Net DoS Tester", which performs SYN and TCP flood tests against a target.
Manual Configuration:
You can now open a fake port of your choice and insert a fake message. You are also given the option to save the log and to name the log file. You can see that the honeypot is activated on the desired port, and in the same way you can manually activate honeypots on other ports.
Power on the attack computer and scan the host computer with nmap. The results of open ports and services are shown below.
Here, the attacker’s machine tries to connect to the host computer using telnet.
Every time an intrusion attempt is made, an alert is raised and a log entry is created in which the attacker's IP and port are recorded.
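As an added example that is not Pentbox's own code, the Ruby below shows what a listener like Pentbox's automatic mode does under the hood: it accepts a connection on a chosen port, records the client's IP, port and request line plus the OS and browser guessed from the User-Agent (the details listed above), optionally appends the record to a log file as the manual mode offers, and answers with a harmless fake page. The HONEYPOT_PORT and HONEYPOT_LOG environment variables and the User-Agent heuristics are assumptions of this example.

```ruby
require 'socket'
require 'json'
FAKE_BODY = "<html><body><h1>It works!</h1></body></html>\n" # constructed decoy page

# Guess OS and browser family from the User-Agent (heuristic; order matters: Android UAs also say "Linux", Chrome/Edge UAs also say "Safari").
def classify_user_agent(ua)
  os = case ua.to_s
       when /Android/i then 'Android'
       when /Windows/i then 'Windows'
       when /iPhone|iPad/i then 'iOS'
       when /Mac OS X/i then 'macOS'
       when /Linux/i then 'Linux'
       else 'unknown'
       end
  browser = case ua.to_s
            when /Firefox\//i then 'Firefox'
            when /Edg\//i then 'Edge'
            when /Chrome\//i then 'Chrome'
            when /curl\//i then 'curl'
            else 'unknown'
            end
  [os, browser]
end

# Read the request line and headers from an accepted socket, record who connected and what they sent, answer with the fake page, and return the record.
def handle_client(sock, log_path = nil)
  request_line = sock.gets.to_s.chomp
  headers = {}
  while (line = sock.gets) && line.chomp != ''
    k, v = line.split(':', 2)
    headers[k.strip.downcase] = v.to_s.strip if v
  end
  os, browser = classify_user_agent(headers['user-agent'])
  peer = sock.peeraddr(false) # [family, port, host, ip], no reverse DNS lookup
  record = { time: Time.now.utc.to_s, src_ip: peer[3], src_port: peer[1],
             request: request_line, os: os, browser: browser }
  File.open(log_path, 'a') { |f| f.puts(record.to_json) } if log_path
  sock.write("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: #{FAKE_BODY.bytesize}\r\nConnection: close\r\n\r\n#{FAKE_BODY}")
  record
ensure
  sock.close unless sock.closed?
end

# Constructed usage: HONEYPOT_PORT=8080 ruby honeypot.rb, then open http://127.0.0.1:8080/ in a browser.
# Port 80 (what Pentbox's automatic mode uses) needs root to bind.
if ENV['HONEYPOT_PORT']
  server = TCPServer.new('0.0.0.0', Integer(ENV['HONEYPOT_PORT']))
  loop { puts "Honeypot hit: #{handle_client(server.accept, ENV['HONEYPOT_LOG']).to_json}" }
end
```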
Setting up a Honeypot on Mobile
HosTaGe is a lightweight, portable, low-interaction generic mobile honeypot that focuses on detecting malicious wireless environments. Since most malware spreads over a network through specific protocols, a low-interactivity honeypot located on a mobile device can scan wireless networks for active malware propagation. We envision such honeypots running on all kinds of mobile devices, such as smartphones and tablets, to provide a quick assessment of the potential state of network security.
HosTaGe emulates the following protocols from the latest version: AMQP, COAP, ECHO, FTP, HTTP, HTTPS, MySQL, MQTT, MODBUS, S7COMM, SNMP, SIP, SMB, SSH, SMTP and TELNET
Honeypots can also be installed on Android phones from the Google Play Store. We downloaded the HosTaGe honeypot app here.
Starting & Using Honeypot Service
To run the honeypot service, the device must be connected to WiFi or an LTE/4G network. Current LTE/4G support is minimal. The application honeypot service can be started from the home screen using the switch. By default, the “Paranoid” profile is running, which emulates all protocols in HosTaGe.
Attack states:
There is an Android bot on the home screen of the app. The bot shows three states through animation:
- Safe (Happy Dance)
- Under attack! (Jumping in red with a bee)
- Infected network (warning animation)
By default, when the honeypot service is started on a new network, the Android bot starts with a cheerful animation to indicate that the network is safe. The current network status can also be checked by double-tapping the bot. When the bot detects an attack, it jumps in panic with a bee around it; this notifies the user that an attack has been detected. The bot stays in panic mode for 15 minutes after a detected attack. After this time, the bot displays a warning animation to alert the user that the network is infected. HosTaGe also stores infected networks in its database, so the user is alerted whenever the application connects to an infected network.
Step 1: When the application is switched on, the network shows as safe.
Step 2: Connection information: the information button on the overview screen shows the network name, the MAC address of the network device, and the device's local and external IP addresses.
Step 3: Power on the attacker's system and run an Nmap scan against the IP address of the Android device.
Step 4: A notification is generated on the Android device when the Nmap scan reaches it.
Step 5: A log is created in which we can see the IP of the attacker's system and the ports that were probed.
Tap the three-line menu and check Records & Service.
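As an added example (not HosTaGe's code), this Ruby class models the bot state logic described above: a network is "under attack" for 15 minutes after a detected probe, is then shown as "infected", and stays on the infected list so that reconnecting to it alerts the user immediately. The network identifiers and the injectable clock argument `at:` are assumptions made so the timing can be tested.

```ruby
PANIC_WINDOW = 15 * 60 # seconds the bot stays in "Under attack!" after a hit

class NetworkStatus
  def initialize
    @last_attack = {} # network id => time of the most recent detected attack
    @infected = []    # networks remembered as infected (HosTaGe keeps these in its DB)
  end

  # Called by the honeypot service when a probe (e.g. an Nmap scan) hits an emulated port.
  def record_attack(network, at: Time.now)
    @last_attack[network] = at
    @infected << network unless @infected.include?(network)
    :under_attack
  end

  # State the bot should animate for `network` at time `at`:
  # :safe (happy dance), :under_attack (red, with a bee) for 15 minutes after a hit,
  # then :infected (warning animation) for any network that was ever attacked.
  def state(network, at: Time.now)
    last = @last_attack[network]
    return :under_attack if last && at - last < PANIC_WINDOW
    return :infected if @infected.include?(network)
    :safe
  end

  # On (re)connecting to a network the bot starts happy, unless the network is
  # already on the infected list, in which case the user is alerted at once.
  def connect(network, at: Time.now)
    s = state(network, at: at)
    warn "Alert: #{network} was previously flagged as infected" if s == :infected
    s
  end

  def infected_networks
    @infected.dup
  end
end
```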
The Dangers of HoneyPots
While honeypot security helps you plan for a compromised environment, honeypots do not see everything that is going on, only the activity aimed at the honeypot itself. Just because a particular threat is not targeting a honeypot, you cannot assume it does not exist; it is important to stay on top of IT security issues rather than rely on honeypots alone to tell you about threats.
A well-crafted honeypot misleads attackers into believing they have access to the real system: it shows the same login warning messages, the same data fields, and the same logos and look and feel as your real applications. However, if an attacker identifies it as a honeypot, they can move on to your other systems and leave the honeypot untouched.
Once the honeypot is "fingerprinted," an attacker can stage a decoy attack against it to distract from the real exploits aimed at your production systems. They can also feed bad information into the honeypot.
Worse, a clever attacker can use a honeypot as a route into your systems. This is why honeypots never replace adequate security controls such as firewalls and other access controls. Because a honeypot can serve as an internal launch pad, make sure every honeypot is well secured. A "honeywall", a gateway placed between the honeypot and the rest of the network, provides basic honeypot security and stops attacks on the honeypot from reaching your live systems.
A honeypot should give you information that helps you prioritize your cybersecurity efforts, but it cannot replace proper cybersecurity. Even if you run many honeypots, consider a package like Kaspersky Endpoint Security Cloud to protect your corporate assets. (Kaspersky uses its own honeypots to detect online threats, so you do not need to run your own.)
All in all, the benefits of using honeypots far outweigh the risks.