
Honeypots – How to seek them out

April 5th, 2006

Honeypots are used to study the methods and attacks of intruders. The idea is to place one or more special servers in a network. An attacker who cannot distinguish genuine servers and services from honeypots will, sooner or later, while searching for a vulnerability, take up the services a honeypot offers. All of his activity on the honeypot is logged.

So if an attacker breaks into a honeypot, all of his activity can be evaluated, and methods and consequences can be derived from it. To ensure that someone who has compromised a honeypot does not use it to attack other systems, the network containing the honeypot is protected by a Honeywall (a transparent bridge that monitors the traffic to and from the honeypots), which filters outbound attacks.

The procedure starts exactly here: one simply sends a ping whose data packet contains a shellcode, e.g. with hping2, to the server and compares the outgoing ICMP packet with the one returned by the server (using tcpdump or ethereal). If the server sends no answer to a ping containing a shellcode, or the returned data packet (the shellcode) has been altered, then the server is protected by a honeywall.

The best procedure is to first send a ping with a packet that contains no shellcode, to test whether the server responds to pings at all. If it does, send a packet with a shellcode; if there is then no response, or a modified packet comes back, the network is protected by a honeywall.

Sending an ICMP packet that contains e.g. the word "Security" to a honeypot results in no packet loss, and ethereal shows that the response packet contains the same data that we sent:

# hping2 -1 -d 5 -E testpacket.txt -c 1 10.0.0.20
HPING 10.0.0.20 (eth0 10.0.0.20): icmp mode set, 28 headers + 5 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=46 ip=10.0.0.20 ttl=64 id=3471 icmp_seq=0 rtt=1.2 ms

--- 10.0.0.20 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
roundtrip min/avg/max = 1.2/1.2/1.2 ms



But if we now send a packet that contains a shellcode, we get no response, or we get a packet with different content:

# hping2 -1 -d 5 -E testpacket.txt -c 1 10.0.0.20
HPING 10.0.0.20 (eth0 10.0.0.20): icmp mode set, 28 headers + 5 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!

--- 10.0.0.20 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
roundtrip min/avg/max = 0.0/0.0/0.0 ms
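The comparison the article performs by eye with hping2 and ethereal, written out as an added Python example (not from the original article) that a honeynet operator can run over captured echo request/reply pairs to see whether the honeywall gives itself away: a reply that is missing, or whose payload no longer matches the request, is exactly the asymmetry described above. The packets here are built inline from constructed values rather than captured, the function names are my own, and the IP header is assumed to be already stripped.

```python
import struct
from typing import Optional

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; evaluates to 0 over a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply (8-byte header + payload) with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(header + payload), ident, seq) + payload

def parse_echo(packet: bytes) -> dict:
    """Split an ICMP echo packet (IP header already stripped) into its fields; reject a bad checksum."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        raise ValueError("not a well-formed ICMP echo packet")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": packet[8:]}

def classify_reply(request: bytes, reply: Optional[bytes]) -> str:
    """Compare what left the probing host with what came back:
    'identical' - payload echoed unchanged;  'modified' - same id/seq but payload rewritten in transit;
    'dropped'   - no reply at all;           'unrelated' - reply belongs to some other request."""
    req = parse_echo(request)
    if reply is None:
        return "dropped"
    rep = parse_echo(reply)
    if rep["type"] != ICMP_ECHO_REPLY or (rep["id"], rep["seq"]) != (req["id"], req["seq"]):
        return "unrelated"
    return "identical" if rep["payload"] == req["payload"] else "modified"

# Constructed sample exchanges (not captured traffic): a harmless word echoed back unchanged, a
# payload rewritten in transit (same length, bytes replaced), and a probe that got no reply at all.
BENIGN_REQ = build_echo(ICMP_ECHO_REQUEST, 0x1234, 0, b"Security")
BENIGN_REP = build_echo(ICMP_ECHO_REPLY, 0x1234, 0, b"Security")
PROBE_REQ = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"probe-bytes")
REWRITTEN_REP = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"XXXXXXXXXXX")

if __name__ == "__main__":
    print(classify_reply(BENIGN_REQ, BENIGN_REP), classify_reply(PROBE_REQ, REWRITTEN_REP),
          classify_reply(PROBE_REQ, None))  # identical modified dropped
```

Any inline IPS that drops or rewrites matching payloads produces the same asymmetry, so a mismatch is evidence of inline inspection on the path rather than proof of a honeypot; running a few such pairs through classify_reply is also a cheap regression check after changing honeywall rules.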
