PaulDotCom mailing list archives

Re: portable honeyport tool waiting for a name


From: Jim Halfpenny <jim.halfpenny () gmail com>
Date: Fri, 21 Oct 2011 15:38:56 +0100

Nice! It works on so many scatological levels.

On 21 October 2011 15:04, Larry Pesce <larry () pauldotcom com> wrote:
A name?

Portable.  Honeypot.

How about Portapotty?

:-)

- L

On 10/16/11 12:18 PM, Chris Benedict wrote:
After listening to the pdc guys talk about "honeyports" on the pdc podcast I decided to run with the idea a bit 
further.  I'm not sure if this has been done yet or not, but I've written a program in Ruby to implement honeyports 
with some extra features thrown into the mix.  For info on honeyports check out John Strand's tech segments on 
episodes 203 and 204 of the pdc podcast.

You can use a raw tcp listener (netcat-style) to trigger blacklisting or you can write modules to emulate a ftp 
server or web server or whatever that can, for instance, give a banner and version info but blacklist on attempted 
logins.  When a host trips one of the alarms it broadcasts a signed udp alert to all the other hosts on the lan so 
they can act on it also.  Alerts can be handled by different modules too, so far I have only written a commandline 
module that simply executes a command with an ip address as an argument that you can use to insert an ip into a 
blacklist table in pf for instance.  Something like a syslog or mysql module wouldn't be too difficult to write.

As far as making it secure goes, it has some more work to be done.  Broadcasted alerts are cryptographically signed 
and verified but I need to implement some stuff to prevent replay attacks and I need to add in whitelisting and 
thresholding to make it more difficult to use as a weapon against the user's own network.

So, I've tried to make the code all very modular so its functionality can be tweaked or extended pretty well (the 
sky should be the limit).  The end-goal is to come up with some code that you can drop onto every box on a lan that 
can run a ruby interpreter (jruby for instance).  It would make the entire network go dark once an attacker starts 
grabbing banners or connecting to ports.

This is going to be my first project to be released and it doesn't have a name yet.  So, if anyone has any ideas for 
a name send them my way.  Once I have it named I will put it in a public repo on github with a BSD license for 
anyone to get to and contribute.

-Chris Benedict

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
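Chris's message describes the alert scheme (a tripped host broadcasts a signed UDP alert; every receiver acts on it) and lists the three defensive pieces still missing: replay protection, whitelisting and thresholding. The Ruby below is an added example of the receiving side with those checks in place; it is not code from the thread or from the tool being named. The wire format (JSON), the use of HMAC-SHA256 with a shared key in place of whatever signature the tool uses, and the names `build_alert`, `AlertReceiver` and `handle` are all assumptions made for the example.

```ruby
require 'json'
require 'openssl'
require 'securerandom'
require 'ipaddr'
require 'set'

# Shared secret every honeyport host on the LAN is provisioned with.
# Constructed demo value; the tool's real signing scheme is not given in the thread.
SHARED_KEY = 'constructed-demo-key-do-not-reuse'.freeze

# Build one alert as the tripped host would broadcast it: a JSON body carrying the
# offending IP, the reporting host, a timestamp and a random nonce, plus an
# HMAC-SHA256 tag over the exact body bytes (HMAC is an assumption of this example).
def build_alert(attacker_ip, sender, key: SHARED_KEY, now: Time.now.to_i)
  body = { 'ip' => attacker_ip, 'sender' => sender, 'ts' => now, 'nonce' => SecureRandom.hex(16) }
  payload = JSON.generate(body)
  JSON.generate('payload' => payload, 'mac' => OpenSSL::HMAC.hexdigest('SHA256', key, payload))
end

# Constant-time comparison so tag checking does not leak by timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver side (hypothetical design, not the tool's module API): verify the tag,
# drop stale and replayed alerts, ignore whitelisted sources, and only act once
# enough distinct hosts have reported the same IP.
class AlertReceiver
  attr_reader :blacklisted, :rejected

  def initialize(key: SHARED_KEY, whitelist: [], threshold: 1, window: 30, &on_blacklist)
    @key = key
    @whitelist = whitelist.map { |cidr| IPAddr.new(cidr) }
    @threshold = threshold          # distinct reporters needed before acting
    @window = window                # seconds of clock skew / delivery delay tolerated
    @on_blacklist = on_blacklist    # e.g. a proc that inserts the IP into a pf table
    @seen_nonces = {}               # nonce => ts, pruned once older than the window
    @reporters = Hash.new { |h, k| h[k] = Set.new }
    @blacklisted = Set.new
    @rejected = []
  end

  # Returns :blacklisted, :pending, or a symbol naming why the alert was dropped.
  def handle(wire, now: Time.now.to_i)
    env = JSON.parse(wire) rescue nil
    return reject(:malformed) unless env.is_a?(Hash) && env['payload'].is_a?(String)

    # 1. Authenticity first, so unauthenticated junk cannot fill the nonce cache.
    expected = OpenSSL::HMAC.hexdigest('SHA256', @key, env['payload'])
    return reject(:bad_signature) unless secure_equal?(expected, env['mac'])

    body = JSON.parse(env['payload']) rescue nil
    return reject(:malformed) unless body.is_a?(Hash)

    # 2. Freshness: anything outside the window is stale (or a very old replay).
    ts = body['ts']
    return reject(:stale) unless ts.is_a?(Integer) && (now - ts).abs <= @window

    # 3. Replay: each nonce is accepted once; old ones are forgotten after the window.
    @seen_nonces.delete_if { |_, seen_ts| now - seen_ts > @window }
    nonce = body['nonce'].to_s
    return reject(:replay) if @seen_nonces.key?(nonce)
    @seen_nonces[nonce] = ts

    # 4. Whitelist: a forged or mistaken report must never cut off own infrastructure.
    attacker = IPAddr.new(body['ip'].to_s) rescue nil
    return reject(:bad_ip) if attacker.nil?
    return reject(:whitelisted) if @whitelist.any? { |net| net.include?(attacker) }

    # 5. Threshold: act only when enough distinct hosts agree on the same IP.
    ip = attacker.to_s
    @reporters[ip] << body['sender'].to_s
    return :pending if @reporters[ip].size < @threshold

    @blacklisted << ip
    @on_blacklist&.call(ip)
    :blacklisted
  end

  private

  def reject(reason)
    @rejected << reason
    reason
  end
end
```

The order of the checks matters: the tag is verified before anything is parsed or remembered, so an unauthenticated sender cannot grow the nonce cache or the per-IP reporter sets; the freshness window bounds how long nonces must be retained; and the threshold counts distinct reporting hosts rather than raw alert count, so one compromised or misconfigured box cannot blacklist an address on its own. The `on_blacklist` block is where the thread's "commandline module" (run a command with the IP as argument) would plug in.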