
What is a honeypot, how do you install one, and what can we see from honeypots?


This is what a honeypot actually is: a perfect mousetrap. Honeypots are a powerful security tool for detecting lateral movement and potential malicious actors on your network. Blumira makes it simple to set up and administer honeypots, enabling early identification of threats and attacks.


Definition


One honeypot definition originates from the espionage world, where Mata Hari-style spies who use a romantic relationship to obtain information are said to be laying a "honey trap" or "honeypot." An enemy spy is frequently caught in a honey trap and forced to reveal what he or she knows.

A cyber honeypot operates in a similar way in computer security: it sets a trap for hackers. It is a sacrificial computer system that, like a decoy, is designed to attract attackers. It imitates a real target and uses the attackers' infiltration efforts to learn more about cybercriminals and how they operate, or to divert them from other targets.


How honeypots work

The honeypot imitates a genuine computer system, complete with programs and data, leading hackers to believe it is a legitimate target. A honeypot may, for example, imitate a company's customer billing system, a common target for thieves looking for credit card data. Once the hackers have gained access, their activities can be recorded and analyzed for hints on how to make the real network more secure.


Honeypots entice attackers by deliberately exposing security flaws. They may have ports that show up in a port scan, a method for determining which ports on a network host are open. An open port can draw an attacker in, allowing the security team to watch how they plan their attack.


Why honeypots


By monitoring the traffic entering the honeypot system you can examine:


  • where the cybercriminals are coming from

  • how much danger they pose

  • what method of operation they are employing

  • what kind of data or applications they are looking for

  • how effective your security measures are at preventing cyberattacks


Benefits of honeypots


  • Dismantle the attacker's kill chain

  • Assist in the evaluation of incident response procedures

  • Simple to use and low maintenance


Illustration-2 (TechTarget)

Installation


Prerequisites:
  • Virtual environment (VMware Workstation or VirtualBox)

  • T-Pot installation guide on GitHub (link provided in Resources)

  • T-Pot ISO file (see Resources)

https://github.com/telekom-security/tpotce/releases

You can download the ISO file from this link. The current version at the time of writing this report is T-Pot 20.06.2.


Just download the file marked with the arrow in the screenshot. If you want to check the SHA-256 of the file, the hash is also provided on the same page.
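Checking that hash is worth doing before you boot an image pulled from the internet. The following is an added example (not part of this post or the T-Pot project) that streams the ISO through SHA-256 and compares it against a published list in sha256sum format (`<hash>  <filename>`); that format, and the ISO file name, are assumptions for the illustration.

```python
import hashlib
import hmac
from pathlib import Path

CHUNK = 1024 * 1024  # read the multi-gigabyte ISO in 1 MiB pieces, not all at once

HEX = set("0123456789abcdefABCDEF")


def sha256_of_file(path):
    """Stream the file through SHA-256 so a large ISO never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>'); skip anything else.

    The format is an assumption for this example; adapt it to however the
    project actually publishes its hashes."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX:
            continue
        name = parts[1].lstrip("*")  # sha256sum marks binary-mode entries with '*'
        expected[name] = parts[0].lower()
    return expected


def verify_iso(iso_path, sums_text):
    """Return True only if the ISO's digest matches the published entry for its name."""
    iso_path = Path(iso_path)
    published = parse_sha256sums(sums_text).get(iso_path.name)
    if published is None:
        return False  # no published hash for this file name: refuse rather than guess
    # constant-time comparison, the same habit used for any secret/digest check
    return hmac.compare_digest(sha256_of_file(iso_path), published)


if __name__ == "__main__":
    # placeholder names; point these at the real download and the real hash list
    ok = verify_iso("tpot.iso", Path("sha256sums.txt").read_text())
    print("ISO verified" if ok else "ISO REJECTED: hash mismatch or no published hash")
```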


Open VMware and select New Virtual Machine.


Click Next

Click Next



Select your newly downloaded T-Pot ISO file.



Click Next after selecting the ISO file.



Remember, this part is critical: if you do not select the correct kernel, it will not work.


Give the VM a name and click Next.

For the rest you can just follow the recommended values:

  • 4 GB of free memory is recommended, but I recommend 8 GB

  • 32 GB of free storage

  • 2 cores are enough in my opinion






First run.

It installs everything itself, like a normal Ubuntu installation:


  • Select country

  • Select keyboard

  • Select timezone

  • etc.

After it completes the Debian installation,

it asks for a password for "tsec" (root).

Then it asks for a new user and password.

After that it installs T-Pot.

It then starts downloading all the images. T-Pot works inside Docker, so it pulls all the images that are available from their GitHub repository.


It takes some time to pull down all the images; sit back and enjoy a coffee in the meantime.



I was in a different NAT setting, so I changed my NAT setting, which changed my IP address.

After that, you can open a web browser.




This is the admin interface.




You also get ELK with it, and that ELK stack can be connected to pfSense for logs.

But this is mostly for the purpose of a honeypot: it creates logs and shows where different attacks are coming from and what they are trying to access on this server.



In the admin portal, and further inside Containers, we can see how many containers are running. From the above screenshot it is clear that many honeypots run at the same time; when an attacker is tricked into attacking one of them, it creates a log entry and sends it to Kibana, the data visualization dashboard for Elasticsearch.



In Elastic we can select which kind of logs we want to see. It shows them graphically and in a much more detailed form, with all the dots connected.



My network is locked off from the outside world, so there isn't much happening here in my network. But it clearly shows how it creates logs and saves information about different attacks.
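The dashboards answer the questions listed under "Why honeypots" (where the traffic comes from, what it is after) from exactly these per-container logs. As an added example, not part of this post or of T-Pot, here is the same analysis done by hand over a few constructed JSON-lines events; the field names are an assumption for the illustration, not T-Pot's real schema, and the source addresses are documentation ranges.

```python
import json
from collections import Counter, defaultdict

# Constructed sample output in an assumed JSON-lines shape (not T-Pot's exact
# schema): one record per connection with the decoy hit, the source and the request.
SAMPLE_EVENTS = """\
{"honeypot": "ssh", "src_ip": "198.51.100.7", "dest_port": 22, "detail": "login attempt as root"}
{"honeypot": "ssh", "src_ip": "198.51.100.7", "dest_port": 22, "detail": "login attempt as admin"}
{"honeypot": "web", "src_ip": "198.51.100.7", "dest_port": 80, "detail": "GET /admin/"}
{"honeypot": "web", "src_ip": "203.0.113.9", "dest_port": 80, "detail": "GET /login"}
{"honeypot": "smb", "src_ip": "198.51.100.7", "dest_port": 445, "detail": "session setup"}
{"honeypot": "ssh", "src_ip": "192.0.2.44", "dest_port": 22, "detail": "login attempt as pi"}
this line is corrupt and must be skipped rather than break the report
"""
REQUIRED = ("honeypot", "src_ip", "dest_port", "detail")


def parse_events(text):
    """Parse JSON-lines honeypot output, dropping malformed or incomplete records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # attacker-influenced data reaches these logs; never let it break parsing
        if isinstance(rec, dict) and all(k in rec for k in REQUIRED):
            events.append(rec)
    return events


def summarize(events, min_services=2):
    """Answer the post's questions: who is knocking, which decoys they hit, and
    which sources probed several decoys (a scanning / lateral-movement signal)."""
    sources = Counter(e["src_ip"] for e in events)
    services = Counter(e["honeypot"] for e in events)
    per_source = defaultdict(set)
    for e in events:
        per_source[e["src_ip"]].add(e["honeypot"])
    multi = sorted(ip for ip, hit in per_source.items() if len(hit) >= min_services)
    return {"sources": sources, "services": services, "multi_service_sources": multi,
            "per_source": {ip: sorted(hit) for ip, hit in per_source.items()}}


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_EVENTS))
    for ip, n in report["sources"].most_common():
        print(f"{ip:15} {n} events  decoys: {', '.join(report['per_source'][ip])}")
    print("probed several decoys:", report["multi_service_sources"])
```

A source that touches several unrelated decoys in a short window is the one worth correlating with your real hosts' logs, since nobody legitimate has a reason to talk to a honeypot at all.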




Resources:

https://github.com/telekom-security/tpotce

https://www.kaspersky.com/resource-center/threats/what-is-a-honeypot

https://www.fortinet.com/resources/cyberglossary/what-is-honeypot


