Skip to main content

HoneyBot Honeypot


I've recently been playing with the HoneyBot Honeypot.  My goal was to put this on my CTF network to watch players.  The HoneyBot Honeypot was SUPER easy to install, and I had it up and running in seconds.  About al you have to do is double-click on the executable, turn off Netbios (it emulates this, so you don't want your host machine transmitting packets from that port as well), and turn off the firewall.

The only problem with HoneyBot is that it models TONS of services, which is great if your intent is to put it on your network and catch a worm.  However, if your intent is to put it on your network and try to fool a human, this certainly won't work without MAJOR tweaking.  Below is a sample of the HoneyBot screen (bottom half of the screen). 



As you can see, I smudged out the IPs so as not to disclose nodes on the CTF.  If you look at the lower left corner, you'll see that by default it had 1336 sockets running!  And I don't think that included the UDP ports it had open!   Thus, when I ran a NMAP scan against this host, it had PAGES of services open, and a Nessus scan took over half an hour to finish!  Crazy.  So I decided to pair down the services to make it look more like a normal box. 

The poorest thing about this Honeypot is that you have to shut off/delete one service at a time!   It took me a couple of hours of just shutting off services to make this look like a somewhat normal windows box!  Ouch.   That was truly painful, and I asked them to allow ctrl/shift to select multiple ports at once. 

Still, after I got it all set up, it seems pretty solid.  It logs each TCP/UDP packet sent to it (not ICMP, so you'll miss ping scans), including the data, and I tested this with a FTP brute force session.  It logged all of the passwords I tried.  So that was pretty cool.   However, keep in mind that it is SIMULATING services, so an attacker won't actually be able to get Metasploit exploits to work on this machine.  But it should be nice for catching recon activities. 

If you're looking for a low-interaction Honeypot to put on your network, and you're just looking for malicious traffic and not trying to fool a human, I'd probably recommend this as the way to go. 

Project Update:  I wrote to the company about the configuration woes, and got the below email in response:

Hi John,
>
> As a workaround you can edit the port configuration by tampering with the
> service.ini file in notepad/excel. It's basically a CSV file and the
> application reads from the file at startup.
>
> The file format is as follows:
> Column 1 = the port to open (0 - 65535)
> Column 2 = tcp (0) or udp (1)
> Column 3 = enabled (1) or disabled (0)
> Column 4 = port description
>
> FYI the next release is scoped to include a feature whereby the user can
> select a port configuration from a list of profiles. The profiles are
> designed to make HoneyBOT look like a default windows install and will only
> have a handful of standard ports open.
>
> Regards,
> Jarrad Branch
> Atomic Software Solutions

I tried this, and it worked like a champ!   What an easy way to configure the box!  Below is a "before" nmap screenshot (where I just scanned the first half of the TCP ports)



As you can see, tons of ports were open...   I then edited the service.ini file, and ran another scan.  Here are those results:



As you can see, modifying the service.ini file worked great!  Now my Honeybot is ready to go.  However, one bad thing is that after closing the ports, you'll only see attack attempts on the ports you leave open.  But that is expected, as when you close the port, HoneyBot has no way to listen to it anymore.   I found this a great workaround, and really makes HoneyBot worth trying!

Comments

Popular posts from this blog

ADS-B plotting with Kali (and other SDR goodies)

Recently I wanted to try some Software Defined Radio stuff.   
I had a RTL-SDR, FM+DAB, DVB-T USB Stick Set with RTL2832U & R820T. that I got from: http://www.amazon.com/gp/product/B00C37AZXK/ref=oh_details_o04_s00_i00?ie=UTF8&psc=1
But, even though this dongle would break out FM radio stations, and ATC frequencies (like the local Ground Control, tower, and even ATIS), which was cool, it wouldn't break out ADS-B.   
Thus, I bought a Vantech Green Mini RTL2832U R820T DVB-T SDR DAB FM USB DIGITAL TV Tuner Receiver RTL-SDR Project + DAB dongle Tuner MCX Input from Amazon, and tried this.  
This dongle was able to listen to the 1090MHz frequency required for ADS-B (as it goes from 25MHz to 1700MHz).  There were tons of Windows programs out there for breaking out and plotting ADS-B Mode S broadcasts, but not many for Linux.  
For Kali Linux, here's how I got it running and plotting planes around my home:
0) before you start, you should do an apt-get update to ensure you hav…

atftpd vs tftpd-hpa

Recently I was trying to tftp files from a Windows computer to a Kali box.   One version of Windows worked, but another didn't.    After much troubleshooting, here were my symptoms:

I could tftp a file from-to any Kali box from-to another Kali box
I could NOT tftp files to a specific Windows 7 box from any Kali box
I could NOT tftp files to a Chrooted-Ubuntu-Chromebook box from a Kali box

After MUCH troubleshooting, going through every setting in atftpd, it seemed like it literally was a client OS problem.  Different clients simply would not download files---unacceptable.

Thus, I switched to tftpd-hpa.   To install:
apt-get install tftpd-hpa

files go to/come from /srv/tftp, but it needs to be a tftp user. Thus, I needed to:
chroot -R /srv/tftp

Also, if you want to be able to put files ON the tftp server (from a client), you need to modify /etc/default/tftpd-hpa:
change "TFTP_OPTIONS="--secure" to "TFTP_OPTIONS="--secure --create"

I also changed the IP li…

Temper Temperature monitor on a Beaglebone Black

Beaglebone Black as a temperature monitor:

Recently I wanted to monitor the temperature of my shed.  I thought I'd use a small computer such as a Raspberry Pi or a Beaglebone or Odroid.

My Raspberry Pi boxes were all in use, so I grabbed my Beaglebone, which was doing nothing.

I flashed it with the Debian9.32018-03-054GB SDIoTimage, but that seemed like it was running lots of bloatware and the ethernet interface wouldn't take a static IP with /etc/network/interfaces.

So I went with the Debian9.32018-01-284GB SDLXQTi image instead.  I still had the same problem, that lots of junk was running, and I couldn't configure my interface by modifying /etc/network/interfaces

So my first step was to get rid of all the bloatware.  If you're using a Raspberry Pi or something, you can skip this and just go to the second step below

STEP 1--Remove Blotatware from Beaglebone Black:

With some searching, I came across this post:
https://www.linuxquestions.org/questions/linux-newbie-8/inte…