How to track hackers in Linux with Honeypot

[blueprats]

Installing and configuring honeypot

1. What is a honeypot?
A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.
Honeypot can emulate services on a machine to simulate the actual operation of a production machine. This system ensures network monitoring by collecting and processing information. The honeypots are mainly divided into two categories: low-interaction honeypots and high interaction honeypots.

- The low interaction honeypots do not provide real service, they just simulate them through the script. These honeypots pose very little security problems.

- In contrast, the high interaction honeypots provide services but not real dedicated production. These are very sensitive and could jeopardize the security of your business. It should therefore pay special attention to their security.

Example : Networking using Honeypot



2. Installation
In this guide we have chosen to use a low-interaction honeypot.

You can download the current version of honeypot from their official site. To install Honeyd (honeypot), we used aptitude, typing the following command:

The main files installed are:

Code:

/ Etc / init.d / honeyd 
/ etc / logrotate.d / honeyd 
/ etc / default / honeyd 
/ usr / lib / honeyd 
/ usr / share / honeyd 
/ usr / share 
/ doc / honeyd 
/ usr / include / honeyd 
/ usr / bin / honeyd

You may need the following packages that effectively work with honeypot.
- FARP
- rrdtool
For more information on these packages you can visit their official site.


3. Configuration
3.1. Config file
The configuration file used is similar to the file installed by default.

Code:

############################ # Setup the virtual network used route entry 10.0.0.1 route 10.0.0.1 ..................

You will see more information (data) on your terminal when you fire this command.


3.2. Establishment
We will use the default configuration proposed by Honeyd in the file honeyd.conf:

Code:

route entry 10.0.0.1 route 10.0.0.1 link 10.2.0.0/24 route 10.0.0.1 add net 10.3.0.0/16 10.3.0.1 ............

You will see more information (data) on your terminal when you fire this command.

To operate the virtual network above we will have to declare a road (real) in the routing table to reach it. The gateway used for this route will be the loopback interface (localhost) so as not to disrupt the network existing.

Code:

route add-net 10.0.0.0 netmask 255.0.0.0 gw localhost

Below is a diagram showing the configuration:

[blueprats]

4. Running
To test our configuration we will first start Honeyd in interactive mode by issuing the following command in a console:

Code:

honeyd-d-p / etc / honeypot / nmap.prints-l / var / log / honeypot / honeyd.log-f / etc / honeypot / honeyd.conf-i lo 10.0.0.0 / 8

Details of the parameters:
-D run in interactive mode
-P file of fingerprints
-F file configuration

Code:

someuser @ ~ # honeyd-d-p / etc / honeypot / nmap.prints-l / var / log / honeypot / honeyd.log-f / etc / honeypot / honeyd.conf-i lo 10.0.0.0 .............

You will see more information on your terminal that this.

It works a little Ctrl + C to stop the order. We will now start our Honeyd daemon. To do this we will modify the daemon configuration. Edit the file:

Code:

/ Etc / default / honeyd

Initially, the constant must be changed to RUN to start the daemon:

Code:

RUN = "yes"

Then specify the interface used and the range of IP addresses of the network:

Code:

INTERFACE = "ath0" NETWORK = 10.0.0.0 / 8

Then start the daemon with the command Honeyd

Code:

/ Etc / init.d / home honeyd

If there are no errors you should get:

Code:

Starting Honeyd daemon: honeyd.

5. Scripts emulation services
To emulate a service running on a virtual machine, Honeyd enables the use of scripts. These can be written in Perl or even a year directly SHELL. Examples of scripts are included with the installation of Honeyd. The various scripts are located in the directory:

Code:

/ Usr / share / honeyd / scripts

For other scripts you can visit the "contributions" on the website Honeypot.


6. Steps to follow
6.1. Checking with a ping
Check if one of our hosts configured responds to a ping command. For more visibility, we will start Honeyd in interactive mode:

Code:

someuser @ ~ # honeyd-d-p / etc / honeypot / nmap.prints-l / var / log / honeypot / honeyd.log-f / etc / honeypot / honeyd.conf-i lo 10.0.0.0 /............

You will see more information on your terminal than this

In another console, we will try to ping a host configured:

Code:

someuser @ ~ # ping 10.3.0.1 PING 10.3.0.1 (10.3.0.1) 56 (84) bytes of data. 64 bytes from 10.3.0.1: icmp_seq = 1 ttl = 63 time = 10.0 ms ........

You will see more information on your terminal than this

Honeyd has received our table:

Code:

someuser @ ~ # honeyd-d-p / etc / honeypot / nmap.prints-l / var / log / honeypot / honeyd.log-f / etc / honeypot / honeyd.conf-i lo 10.0.0.0 ..............

You will see more information on your terminal than this


6.2. Checking with the use of a script
Check if one of our hosts configured answered the call of a script. For more visibility, we will again start Honeyd in interactive mode:

Code:

someuser @ ~ # honeyd-d-p / etc / honeypot / nmap.prints-l / var / log / honeypot / honeyd.log-f / etc / honeypot / honeyd.conf-i lo 10.0.0.0 ..................

You will see more information on your terminal than this

In another console, we will try to access a host configured on port 23:

Code:

someuser @ ~ # telnet 10.3.0.1 23 Trying 10.3.0.1 Connected to 10.3.0.1 ....

Honeyd has received our attempt to access port 23:

Code:

someuser @ ~ # honeyd-d-p / etc / honeypot / nmap.prints-l / var / log / honeypot / honeyd.log-f / etc / honeypot / honeyd.conf-i lo 10.0............

[blueprats]

7. Configuration result:
The configuration so far has been designed not to interact with the existing network. Hence the use of the loopback device (localhost) for routing to our virtual network. Arpd But thanks to the devil you can interact with your network existing. Indeed it can listen to ARP requests and respond to simulate nonexistent machines on the network.



Note: Be careful though its use in a network using DHCP. Arpd can interfere with the DHCP server allowing Honeyd ping response sent by the DHCP server to determine if an IP address on the network is free.

To install Arpd type the command

Code:

apt-get install farpd

The configuration file Arpd devil is in the directory:

Code:

/ Etc / default / farpd

Do not forget to change the following constants:

Code:

INTERFACE = "ath0" NETWORK = "192.168.0.0/24"

8. Conclusion
Honeyd is a low interaction honeypot complete and highly flexible due to its script system. Be careful though as Honeyd has not been designed to operate in an environment of production but rather in an area of research to improve safety network.