This is a new two-part series looking back at some of the project work I was involved in. One of the more intriguing pieces was designing and hosting a honeypot in an effort to attract attackers. Take a look at Part 1 if you haven't already.

Reconnaissance

Reconnaissance was carried out against the Honeynet to confirm that its vulnerable services were visible to an attacker's scans. The results below show that an attacker's reconnaissance would reveal multiple avenues of attack. This activity used several commonly available tools as part of a previous assignment, and some of the findings are highlighted below.

Findings

The nmap tool was used to view the services running on the Honeynet. The team was able to identify various services and ports, including the httpd server on the Linux machine, and the IIS web server and remote desktop running on the Windows machine.

The combination of Linux and Windows services also shows that more than one operating system is present. This indicates multiple machines behind the network and would entice an attacker to explore further: a Linux web server alongside a Windows IIS service suggests a larger network worth investigating.

Profile

An imitation of a legitimate e-commerce site was set up around the following persona, and screenshots of the various pages appear below.

  • Medium-sized shoe store business
  • Want to increase customer awareness
  • Open up new shoe store website
  • Have some experience in setting up a website with a CMS
  • Little knowledge of computer/network security

Homepage

Image 1.0 - Homepage

Item Listing

Image 1.1 - Item Listing

Item Details

Image 1.2 - Item Details

Contact Form

Image 1.3 - Contact Form

Attack Statistics

Breakdown of Attackers by Country & IP

Top Five Offenders (by unique IPs & SSH attempts)

Table 2.0 - Top Five Offenders (details)

Table 2.1 - Top Five Number of Attempts for SSH server

Table 2.2 - Top Five Number of Attempts for Telnet server

Table 2.3 - Top Five Longest Durations for SSH server

Table 2.4 - Top Five Longest Durations for Telnet server

Graph 1.0 & Table 2.5 - Top Five Usernames Brute Forced
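As an added example (not part of the original project write-up), the script below builds the per-IP and per-username counts behind tables like 2.1 and 2.5 from sshd log lines, and lists which sources would already have tripped a Fail2ban-style retry threshold. The log lines are constructed for illustration and the maxretry value is an assumption.

```python
import re
from collections import Counter

# Constructed sshd auth.log lines for illustration; not data from the honeynet.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 honey sshd[2141]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:14:09 honey sshd[2141]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:14:12 honey sshd[2143]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 02:15:01 honey sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 02:15:03 honey sshd[2150]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Mar  3 02:16:44 honey sshd[2160]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 02:17:00 honey sshd[2161]: Accepted password for deploy from 192.0.2.200 port 5022 ssh2
"""

# OpenSSH logs "invalid user" when the name does not exist on the box; either way
# the line counts as one failed login against the service.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failed_logins(log_text):
    """Return one (source_ip, username) tuple per failed SSH login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events

def top_offenders(events, n=5):
    """Top-n source IPs by number of failed attempts (the Table 2.1 view)."""
    return Counter(ip for ip, _ in events).most_common(n)

def top_usernames(events, n=5):
    """Top-n usernames tried across all sources (the Table 2.5 view)."""
    return Counter(user for _, user in events).most_common(n)

def ips_over_threshold(events, maxretry=3):
    """IPs that reached maxretry failures, i.e. what a Fail2ban jail would ban (assumed threshold)."""
    counts = Counter(ip for ip, _ in events)
    return sorted(ip for ip, c in counts.items() if c >= maxretry)

if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("failed attempts:", len(ev))
    print("top offenders:", top_offenders(ev))
    print("top usernames:", top_usernames(ev))
    print("would be banned at maxretry=3:", ips_over_threshold(ev))
```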

Recommendations

The following is an exhaustive list of suggestions recommended for any network and server setup, based on the findings of this project.

  • Use strong passwords
    • All publicly accessible services will be brute forced
    • Enforce by auditing passwords with a password brute forcer (L0phtcrack)
  • Prohibit password reuse
  • Limit login attempts (Fail2ban)
  • Use least privileges
    • Limits the damage of compromised accounts and services
  • Limit running services/ports
    • Restrict to IP range, username, and time
  • Do not have servers in the DMZ
    • Use a proxy to allow users to connect to the server
  • Encrypt traffic whenever it is feasible to do so
    • Prevents eavesdropping and replay attacks
  • Keep software up to date
    • Prevents script kiddie attacks
  • Use an up-to-date antivirus
  • Use a HIDS/NIDS (Snort)
    • Prevents script kiddie attacks
  • Use remote logging
    • Log files will remain intact even if the server is compromised
  • Use application sandboxing
    • Limits attacker access even if an application is compromised