Honey pots are a fascinating and valuable tool used in the field of ethical hacking and cybersecurity. A honey pot is a decoy system or network designed to attract and deceive potential attackers, thereby diverting their attention from critical systems and data. The term “honey pot” is derived from the concept of luring adversaries with the allure of something sweet and valuable, only to trap them.

The primary objective of deploying honey pots is to gather intelligence about the attackers’ methods, techniques, and motives, which can then be used to strengthen the overall security posture of an organization. Honey pots serve as an early warning system, providing security teams with insights into emerging threats and attack trends.

Key points to understand about honey pots:

1. Deception: Honey pots are designed to appear as legitimate systems or services that are valuable targets for attackers. They often simulate vulnerabilities and attractive data to lure potential intruders.
2. Isolation: Honey pots should be isolated from the critical production network to prevent any impact on the actual systems. They operate separately, minimizing the risk of exposing sensitive data.
3. Types of Honey Pots: There are different types of honey pots, including high-interaction and low-interaction. High-interaction honey pots mimic real systems and allow attackers to interact fully, capturing extensive information. Low-interaction honey pots emulate specific services or protocols, providing basic interaction while minimizing risk.
4. Detection and Monitoring: Honey pots are actively monitored, and any unauthorized access or activity triggers alerts for security personnel. This allows them to closely analyze the attacker’s actions.
5. Legal Considerations: Deploying honey pots requires careful consideration of legal and ethical aspects. Organizations must ensure that they have the appropriate permissions to use deception techniques and that their activities comply with local laws and regulations.
6. Research and Analysis: Information gathered from honey pots helps security teams understand attack patterns, identify new vulnerabilities, and refine incident response strategies.
7. Complementary Technology: Honey pots are just one tool in the arsenal of ethical hackers and cybersecurity professionals. They work in conjunction with other security measures, such as firewalls, intrusion detection systems (IDS), and regular vulnerability assessments.

In ethical hacking scenarios, the deployment of honey pots is conducted with the goal of improving overall security and understanding the tactics of potential adversaries. Ethical hackers use honey pots to detect, analyze, and ultimately mitigate security threats, making them an invaluable asset in the constant battle against cyber threats.

Introduction to IDS | IPS | Honeypots

Network Security With Snort

Log Analysis

Honeypots and Attack Analysis

UTM

===

UTM stands for Unified THreat Management Syste is a promising technology having Firewalls, Antiviruses, IDS, IPS, Web SEcurity, Wireless SEcurity, Service Enumeration etc.

Eg. Sophos UTM 9.

https://utm.trysophos.com/

===========================================

It is the service which helps in detecting in any kind of intrusion and malicious activity of teh attacker in the network.

IPS –> Intrusion Prevention System|Servcies

============================================

After, once the intrusion is detected, there comes the prevention phase. In this phase, the application or the software will tell you that these are the ways in which you can prevent your system from being intruded or from being compromised.

IDS and IPS are known as the anti virus of the network –> They work on the network level.

They work on the content of the packet which are transmitted in the network.

Destination Port

Source Port

Services

Data

Signarute

Source IP Address

Destination IP Address

SNORT –> It is considered to be the world’s best IDS and IPS used by teh corporates.

It works on the rule basis of the data and the packets.

====================

#apt-get install snort

For Checking the SNORT Version

==============================

#snort -V

For Starting SNORT

==================

#snort

Rule Files

==========

/etc/snort/rules –> where all the rules are located, of snort.

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:”FINGER null request”; flow:to_server,established; content:”|00|”; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21

(msg:”FTP MDTM overflow attempt”; flow:to_server,established; content:”MDTM”; nocase; isdataat:100,relative; pcre:”/^MDTM\s[^\n]{100}/smi”; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)

Format For Creating Snort Rules

===============================

Basic Rule Syntax

—————–

Action Protocol SourceIPAddress SourcePortNumber DirectionOfFlow DestinationIPAddress DestinationPortNuber (Body;)

alert tcp any any -> any any (msg:”Sample Alert”;)

The Rule Header

—————

Action (log, Alert)

Protocol (TCP, UDP, IP, ICMP, any)

Source IP Address –> From where Data is originated

Source Port Number –> Port Number of the source Device

Direction Operator –> (“->” – Unidertional, “<>” – bidirectional)

<>

Destination IP Address –> To which IP Address data is going

Destination Port Number –> To which port session is creating

Source and Destination IP Address can be variables

==================================================

1. $EXTERNAL_NET –> Any IP Address which is an external IP Address, outside the organisation.

2. $HOME_NET –> Any IP Address from the inernal organisation or the intranet.

=================

1. If I want to make it specific –> instead of any, i want to give an IP Address

alert any 192.168.0.10 any -> $HOME_NET any (msg:”Vallari Mittal Is Again Attacking”;)

2. If I want the source IP Address for Intranet

alert any $HOME_NET any -> any any (body;)

3. If I want the source IP Address for Internet

alert any $EXTERNAL_NET any -> any any (body;)

Same Thing Goes With Destination IP Address.

alert any any any <> any any (content:”www.facebook.com”;msg:”Imma Watson is attacking”)

alert tcp any 22 <> 192.168.0.14 22 (msg; kiki ka ssh)

We will create these rules and save them in /etc/snort/rules.

imma.rules —> rule file

But we havenot implemented those rules.

For Implementing we need to edit a configuration file of snort.

/etc/snort/

/etc/snort/snort.conf

Types Of Rule Options

=====================

There are 5 types of rule Options

1. Metadata

2. Payload Data

3. Non Payload Data

4. Post Detection

5. Thresholding and suppression

Honeypots

=========

It is a system designed to appear vulnerable to attackers. The goal of a Honeypot is to log all the attacker’s activity to study their behavious, log their IP Addresses, Track their locations and collect the data about 0-day exploits. The idea of Honeypot is nothing but a server that offers any kind of services to the attackers, from ssh to telnet, showing various well known exploitable ports.

Pentbox –> HoneyPot for Linux/unix based OS.

Download .tar.gz file from sourceforge.net

Open the terminal

#cd Downloads

#tar vzxf Filename.tar.gz

#cd pentbox-1.0

#./pentbox.rb

Syntax of Log Of A Server

IP Address | Remote Log Name | Authentication Type | TimeStamp | Access Request | Response Code | Data Transfer (Bytes) | Referrer URL | User Agent

IP Address -> 127.0.0.1 –> IP Address of the visitor

Remote Log Name –> Identity Check for browser ‘-‘

Authentication –>  1. Basic Authentication

2. Integrated Authentication

3. Form Based Authentication

4. Digest Authentication

Response Code –> 5 type of responses code

1xx –> Informational resource

2xx –> Successful redirection

3xx –> Redirection

4xx –> Client Side error

5xx –> Server Side error