Honeypots mailing list archives
RE: regarding setup of a honeypot in restricted environment
From: "Bhatnagar, Mayank" <mbhatnagar () ipolicynetworks com>
Date: Tue, 25 Nov 2008 11:46:40 +0530
Hi all,

Thanks for the many responses I received on this thread. Thanks Antonio, Jesper, Noah, Dharm for some valuable suggestions including
1. redirection of some common TCP/UDP ports
2. MAC spoofing
3. client honeypot setup

Well, I plan to begin with the initial client honeypot set up and observe the results. The statistics of an un-patched Windows machine getting infected was an interesting one. I also plan to move on to some different architectural possibilities.

In this regard I also wanted to discuss whether there are any public experiments in the Internet community in the area of honeypots with which I can link up from home using my dialup connection and carry out my research and analysis. I have heard about overlay networks and network testbeds. Are there any specifically for honeypots as such?

Regards,
Mayank

________________________________________
From: dharm [mailto:dharm910 () gmail com]
Sent: Tuesday, November 25, 2008 10:36 AM
To: Jesper Jurcenoks
Cc: Bhatnagar, Mayank; honeypots () securityfocus com
Subject: Re: regarding setup of a honeypot in restricted environment

Hello Mayank,

According to my understanding, the scenario which you are assuming needs to have access to the DSL or to the proxy so that the external traffic can be forwarded to the internal address. OR if you don't have access to the proxy or DSL router, in this case you can try:
1. MAC spoofing of the public interface (so that outgoing traffic can be captured)
2. Dynamic IP address won't make any difference, as once compromised it will be traced by the attacker for further moves.
3. In case you still feel you need to have a honeypot with a public interface, then you really have to ask the ISP to give you a static one.

Regards
Dharm Dhwaj Singh

On Mon, Nov 24, 2008 at 10:03 PM, Jesper Jurcenoks <jesper.jurcenoks () netvigilance com> wrote:

Hi Mayank.

Assuming you have the following setup: a DSL line without static IP to a home/SOHO office, a honeypot behind the DSL router (with built-in firewall function), and you can put Honeyd on a fixed internal IP address. Then you can do the following simple honeypot.

Redirect one or more common TCP and UDP ports to the honeypot and see what random network scanning happens on your firewall's external IP. The average time to infect for an unpatched Windows XP machine is about 15 minutes; this means that you should see traffic on RPC ports, NetBIOS ports etc. You can also open SMTP for some open-relay probing, port 80 for CGI attacks, etc.

Best Regards
Jesper Jurcenoks
www.winhoneyd.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Bhatnagar, Mayank
Sent: Monday, November 24, 2008 3:34 AM
To: honeypots () securityfocus com
Subject: regarding setup of a honeypot in restricted environment

Hi,

I am writing this email to get some of your valuable suggestions as to how we can use a honeypot in a restricted environment. Suppose I want to install a honeypot in an environment where it cannot get a public-facing IP, but the machine on which the honeypot is to be installed has access to the Internet
1. via another proxy or
2. via a DSL hub

Also, the machine does not have a static IP. Now in this kind of environment I foresee that the honeypot client will not be able to receive Internet traffic (including scans or attacks or other malicious binaries propagating...). It may be possible that we receive only broadcast traffic being forwarded through the gateway. Now, according to us, this is a very limited setup compared to what a normal honeypot setup demands. Does anyone still feel we can use our honeypot for any other better purpose? Are there any other architectural solutions available to use the honeypot concept despite not having a static IP and not being visible on the Internet directly? Any help/discussion on the same is most welcome.

Thanks & Regards,
Mayank

"DISCLAIMER: This message is proprietary to iPolicy Networks-Security Products division of Tech Mahindra Limited and is intended solely for the use of the individuals to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. iPolicy Networks-Security Products division of Tech Mahindra Limited accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus."
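One way to see what the redirected ports attract, as Jesper's setup suggests, is to summarise the Honeyd packet log per destination port and measure how quickly the RPC/NetBIOS/SMB ports get their first probe. This is an added example, not code from any list participant or from Honeyd itself; it assumes Honeyd's packet-log layout ("timestamp proto(num) S|E|- src sport dst dport ...") and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in Honeyd packet-log style (assumed layout, not a real capture):
# S = new connection/flow, E = connection end, - = packet outside a tracked flow.
SAMPLE_LOG = """\
2008-11-24-10:03:15.1234 tcp(6) S 203.0.113.7 2467 192.168.1.10 135 [Windows XP SP1]
2008-11-24-10:03:16.0010 tcp(6) S 203.0.113.7 2468 192.168.1.10 139 [Windows XP SP1]
2008-11-24-10:05:40.5550 tcp(6) S 198.51.100.23 51234 192.168.1.10 445 [Windows XP SP1]
2008-11-24-10:06:01.0000 udp(17) - 198.51.100.23 137 192.168.1.10 137: 78
2008-11-24-10:06:02.0000 tcp(6) E 203.0.113.7 2467 192.168.1.10 135: 0 0
2008-11-24-10:07:30.0000 tcp(6) S 192.0.2.99 4039 192.168.1.10 445 [Windows XP SP1]
2008-11-24-10:09:12.2222 tcp(6) S 192.0.2.99 4040 192.168.1.10 25 [Windows XP SP1]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp|icmp)\(\d+\) (?P<kind>[SE-]) "
    r"(?P<src>\d+(?:\.\d+){3}) \d+ (?P<dst>\d+(?:\.\d+){3}) (?P<dport>\d+)"
)
WINDOWS_PORTS = {135, 137, 139, 445}  # RPC / NetBIOS / SMB ports

def parse_log(text):
    """Yield (timestamp, proto, kind, src, dport); lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d-%H:%M:%S.%f")
            yield ts, m["proto"], m["kind"], m["src"], int(m["dport"])

def summarise(text):
    """Per (proto, dport): (inbound flows/datagrams, distinct source addresses).
    'E' records only close flows already counted at their 'S', so they are skipped."""
    hits, sources = Counter(), defaultdict(set)
    for _, proto, kind, src, dport in parse_log(text):
        if kind != "E":
            hits[(proto, dport)] += 1
            sources[(proto, dport)].add(src)
    return {key: (n, len(sources[key])) for key, n in hits.items()}

def seconds_to_first_probe(text, ports=WINDOWS_PORTS):
    """Seconds from the first logged packet to the first new TCP flow on `ports`, or None."""
    records = list(parse_log(text))
    if not records:
        return None
    start = records[0][0]
    for ts, proto, kind, _, dport in records:
        if proto == "tcp" and kind == "S" and dport in ports:
            return (ts - start).total_seconds()
    return None
```

Run against a real Honeyd log, the per-port counts show which redirected ports draw scanners and the distinct-source count separates one noisy host from a broad sweep.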
Current thread:
- Date/Time issue on Honeywall secpuffy (Nov 17)
- regarding setup of a honeypot in restricted environment Bhatnagar, Mayank (Nov 24)
- RE: regarding setup of a honeypot in restricted environment Jesper Jurcenoks (Nov 24)
- Fwd: regarding setup of a honeypot in restricted environment dharm (Nov 24)
- RE: regarding setup of a honeypot in restricted environment Jesper Jurcenoks (Nov 24)
- Re: regarding setup of a honeypot in restricted environment Noah Meyerhans (Nov 24)
- Re: regarding setup of a honeypot in restricted environment Valdis . Kletnieks (Nov 25)
- regarding setup of a honeypot in restricted environment Bhatnagar, Mayank (Nov 24)
- RE: regarding setup of a honeypot in restricted environment Bhatnagar, Mayank (Nov 24)