PaulDotCom mailing list archives

Re: portable honeyport tool waiting for a name

From: "Ty Purcell" <TPurcell () ffin com>
Date: Fri, 21 Oct 2011 12:23:29 -0500

Pooh.

 

Pooh's Hunny Pot was quite portable..

 

From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of John Strand
Sent: Friday, October 21, 2011 11:06 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] portable honeyport tool waiting for a name

 

Pooh 

Sent from my phone.

On Oct 21, 2011 9:59 AM, "Tim Krabec" <tkrabec () gmail com> wrote:

In honor of Larry's Disney vacation I vote Pooh

On Fri, Oct 21, 2011 at 11:16 AM, Jim Halfpenny
<jim.halfpenny () gmail com> wrote:

Portable Honey Pot or PHP for short... oh wait!


On 21 October 2011 15:15, Ron Gula <rgula () tenable com> wrote:

HoneySpot  ?

Ron Gula

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com

[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Larry Pesce

Sent: Friday, October 21, 2011 10:05 AM
To: pauldotcom () mail pauldotcom com
Subject: Re: [Pauldotcom] portable honeyport tool waiting for a name

A name?

Portable.  Honeypot.

How about Portapotty?

:-)

- L

On 10/16/11 12:18 PM, Chris Benedict wrote:

After listening to the pdc guys talk about "honeyports" on the pdc

podcast I decided to run with the idea a bit further.  I'm not sure if
this has been done yet or not, but I've written a program in Ruby to
implement honeyports with some extra features thrown into the mix.  For
info on honeyports check out john strand's tech segments on episodes 203
and 204 of the pdc podcast.


You can use a raw tcp listener (netcat-style) to trigger blacklisting

or you can write modules to emulate a ftp server or web server or
whatever that can, for instance, give a banner and version info but
blacklist on attempted logins.  When a host trips one of the alarms it
broadcasts a signed udp alert to all the other hosts on the lan so they
can act on it also.  Alerts can be handled by different modules too, so
far I have only written a commandline module that simply executes a
command with an ip address as an argument that you can use to insert an
ip into a blacklist table in pf for instance.  Something like a syslog
or mysql module wouldn't be too difficult to write.


As far as making it secure goes, it has some more work to be done.

Broadcasted alerts are cryptographically signed and verified but I need
to implement some stuff to prevent replay attacks and I need to add in
whitelisting and thresholding to make it more difficult to use as a
weapon against the user's own network.


So, I've tried to make the code all very modular so its functionality

can be tweaked or extended pretty well (the sky should be the limit).
The end-goal is to come up with some code that you can drop onto every
box on a lan that can run a ruby interpreter (jruby for instance).  It
would make the entire network go dark once an attacker starts grabbing
banners or connecting to ports.


This is going to be my first project to be released and it doesn't

have a name yet.  So, if anyone has any ideas for a name send them my
way.  Once I have it named I will put it in a public repo on github with
a BSD license for anyone to get to and contribute.


-Chris Benedict

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




-- 
Tim Krabec
Kracomp
772-597-2349
www.kracomp.com
www.smbminute.com (podcast)
tkrabec.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

Re: portable honeyport tool waiting for a name, (continued)
- Re: portable honeyport tool waiting for a name Ron Gula (Oct 18)
  - Re: portable honeyport tool waiting for a name John Strand (Oct 18)
- Re: portable honeyport tool waiting for a name Lester Nichols (Oct 18)
- Re: portable honeyport tool waiting for a name Larry Pesce (Oct 21)
  - Re: portable honeyport tool waiting for a name Christopher Croad (Oct 21)
  - Re: portable honeyport tool waiting for a name Jim Halfpenny (Oct 21)
  - Re: portable honeyport tool waiting for a name Ron Gula (Oct 21)
    - Re: portable honeyport tool waiting for a name Jim Halfpenny (Oct 21)
    - Re: portable honeyport tool waiting for a name Tim Krabec (Oct 21)
    - Re: portable honeyport tool waiting for a name John Strand (Oct 21)
    - Re: portable honeyport tool waiting for a name Ty Purcell (Oct 21)
    - Re: portable honeyport tool waiting for a name Jim Halfpenny (Oct 21)
    - Re: portable honeyport tool waiting for a name Yuping Li (Oct 24)