Honeypots mailing list archives

Re: How do I make telnet vulnerable to attack?


From: George Bakos <gbakos () ists dartmouth edu>
Date: Tue, 25 Feb 2003 19:28:07 -0500

In your logs, you may see that they have connected to your hpot on port
23, but that is only the first step. Telnet is not the service, but rather
the client, that she is now attempting to use to connect to an ircd. The
attacker obviously thinks she has gained entry to a network device
(switch, router, etc) and is trying to irc out through it.

If you are running a low-interaction stack/service emulator, that is the
best you are going to do. If, instead, you wish to observe follow-on
actions, you will need to assume a bit more risk & put up high-interaction
honeypots/honeynets. But be careful, once those outgoing connections
succeed, you may become an ersatz partner in illegal or otherwise
questionable activities.

Cheers.

On 25 Feb 2003 20:34:39 -0000
<sae0616 () hotmail com> wrote:



Hello, I recently installed my first honeypot and it sure
is fun to watch the attacks roll in. I'm seeing this one
attack against telnet that looks like this in the snort log:

cisco
telnet [ip removed] 6669
#'


It looks like some kind of attempt to log in using a default
password of 'cisco'? My question is, how can I allow the telnet
to happen so that I can see what they are doing?


-- 
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos () ists dartmouth edu
voice   603-646-0665
fax     603-646-0666
Key fingerprint = D646 8F91 F795 27EC FF8B  8C95 B102 9EB2 081E CB85
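
Added example, not part of the original thread or written by either poster: a small Python analyzer that splits the client payload captured from a honeypot telnet session into login guesses and outbound `telnet` hop attempts, the pattern the reply describes. The function name, the `Pivot` record and the IRC port list are assumptions of this example; the sample is the payload quoted in the thread.

```python
import re
from dataclasses import dataclass

# Ports commonly used by IRC daemons; an assumption of this example.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# "telnet <host> [port]"; the host may be a redaction such as "[ip removed]".
PIVOT_RE = re.compile(r"^telnet\s+(\[[^\]]*\]|\S+)(?:\s+(\d{1,5}))?$", re.IGNORECASE)


@dataclass(frozen=True)
class Pivot:
    host: str
    port: int
    irc: bool


def analyze_session(payload: str):
    """Return (login_guesses, pivots, other_lines) for one captured session."""
    guesses, pivots, other = [], [], []
    for raw in payload.splitlines():
        # Keep printable characters only (drops control characters such as NUL).
        line = "".join(ch for ch in raw if ch.isprintable()).strip()
        if not line:
            continue
        match = PIVOT_RE.match(line)
        if match:
            port = int(match.group(2) or 23)  # telnet defaults to port 23
            pivots.append(Pivot(match.group(1), port, port in IRC_PORTS))
        elif not pivots and not other and " " not in line:
            # Single tokens sent before any command look like login input.
            guesses.append(line)
        else:
            other.append(line)
    return guesses, pivots, other


# The payload quoted in the thread above, as logged by the sensor.
SAMPLE = "cisco\ntelnet [ip removed] 6669\n#'\n"

if __name__ == "__main__":
    guesses, pivots, other = analyze_session(SAMPLE)
    print("login guesses:", guesses)
    for p in pivots:
        kind = "IRC port" if p.irc else "non-IRC port"
        print(f"outbound telnet attempt to {p.host}:{p.port} ({kind})")
    print("unclassified:", other)
```
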

