
Honeypots

(@sarah_camp)
Posts: 6
Active Member
Topic starter
 

Hi everyone,

Has anyone got any experience of working with honeypots on Windows OS?
I'm doing my university project on someone hiding their tracks on a honeypot. But there doesn't seem to be much literature on it. I know of Lance Spitzner's Honeypot Project. Do you know where I can find more information?

Many thanks!

 
Posted : 13/02/2013 5:21 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm not sure that you'll find a great deal of literature on that topic. Honeypots are meant to provide tempting targets for attackers/intruders, and lead them into a heavily monitored system or subnet. As such, "hiding your tracks" is extremely difficult, if not impossible (based on what monitoring tools are in place).

A honeypot is akin to putting the last Hostess Twinkie on a pedestal in a room, and having all sorts of cameras, motion detectors, etc., in place. You then hope that the intruder goes after the Twinkie instead of your jewelry, and monitor their actions. With the right monitoring (network taps, file system and Registry monitors, etc.), the only way to avoid being detected is to not even attempt to get the Twinkie at all.

 
Posted : 13/02/2013 6:12 pm
(@twjolson)
Posts: 417
Honorable Member
 

Isn't any Windows PC connected to the internet a honeypot by default?

 
Posted : 13/02/2013 6:14 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Isn't any Windows PC connected to the internet a honeypot by default?

Nope. Honeypots are usually subjected to some sort of monitoring and/or analysis…

 
Posted : 13/02/2013 7:53 pm
(@twjolson)
Posts: 417
Honorable Member
 

Nope. Honeypots are usually subjected to some sort of monitoring and/or analysis…

Ha, and some versions of Windows don't even bother with Event Logs. Cuz, you know, what point is there in knowing why Windows crashed and burned?

 
Posted : 13/02/2013 8:36 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Ha, and some versions of Windows don't even bother with Event Logs.

To which versions are you referring? Win95/98?

 
Posted : 13/02/2013 9:54 pm
(@sarah_camp)
Posts: 6
Active Member
Topic starter
 

I'm not sure that you'll find a great deal of literature on that topic. Honeypots are meant to provide tempting targets for attackers/intruders, and lead them into a heavily monitored system or subnet. As such, "hiding your tracks" is extremely difficult, if not impossible (based on what monitoring tools are in place).

A honeypot is akin to putting the last Hostess Twinkie on a pedestal in a room, and having all sorts of cameras, motion detectors, etc., in place. You then hope that the intruder goes after the Twinkie instead of your jewelry, and monitor their actions. With the right monitoring (network taps, file system and Registry monitors, etc.), the only way to avoid being detected is to not even attempt to get the Twinkie at all.

Thank you for your prompt response.
Do you know if it is possible for an attacker/intruder to alter the logs created by the honeypot? Not using anything else but a honeypot. I.E. no network sniffers etc.
How would an investigator be able to tell if an attacker/intruder has altered the log files?

 
Posted : 13/02/2013 10:46 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Do you know if it is possible for an attacker/intruder to alter the logs created by the honeypot? Not using anything else but a honeypot. I.E. no network sniffers etc.
How would an investigator be able to tell if an attacker/intruder has altered the log files?

It really depends upon the logs being created.

For example, let's say that you have a Windows system with Process Tracking enabled. The attacker can gain access, and depending upon how they do so, disable process tracking. There used to be a tool that claimed to allow an attacker to delete specific entries from the Windows Event Log, but I don't think it works on Win7, and I also think that it horked XP boxes.

So, if the attacker could disable Process Tracking, the person setting up the honeypot would have set up some means for getting the logs off of the system, such as syslog.

Remember, the honeypot is a bait system left out there to attract and possibly engage the attacker. Clifford Stoll used honeypots during the events that he portrayed in his book "The Cuckoo's Egg". In that case, Clifford employed his "honeypot" in order to keep the intruders on the phone line long enough to get traces set up through the phone company. Modern day honeypots are often used in an attempt to observe the TTPs of an attacker, so you would want to have monitoring systems in place that would allow you to get logs before they are modified by the attacker.

 
Posted : 14/02/2013 12:13 am
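The post above makes two points an investigator can act on: get the logs off the honeypot as they are written, and then compare the off-box copy with whatever is left on the system. The following is an added example, not code from this thread or from any honeypot project, of how that comparison can be done. It assumes an in-memory stand-in for the remote collector (the real thing would be syslog or similar), a hash chain linking each forwarded record to the one before it, and a set of constructed Windows-style event records; the event IDs (4624, 4688, 4719, 1102) are the real Windows IDs for logon, process creation, audit policy change and audit log cleared, but the messages are made up.

```python
"""Added example: detect tampering with a honeypot's local log by comparing it
against a copy forwarded off-box at write time.  The collector, the event
records and the record format are all constructed for this illustration."""

import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor for the first forwarded record


@dataclass
class Collector:
    """Stand-in for a remote syslog/collector the attacker cannot reach.
    Every forwarded record carries a hash chained to the previous record, so
    editing or dropping a record on the collector side breaks the chain."""
    records: list = field(default_factory=list)
    last_hash: str = GENESIS

    def ingest(self, event: dict) -> str:
        payload = json.dumps(event, sort_keys=True).encode()
        digest = hashlib.sha256(self.last_hash.encode() + payload).hexdigest()
        self.records.append({"event": event, "prev": self.last_hash, "hash": digest})
        self.last_hash = digest
        return digest


def write_and_forward(local_log: list, collector: Collector, event: dict) -> None:
    """Honeypot side: append to the local log and forward in the same step,
    so the collector already holds the record before an intruder can touch it."""
    local_log.append(dict(event))
    collector.ingest(event)


def verify_chain(collector: Collector) -> bool:
    """Investigator side: confirm the collector's copy is internally consistent."""
    prev = GENESIS
    for rec in collector.records:
        payload = json.dumps(rec["event"], sort_keys=True).encode()
        expected = hashlib.sha256(prev.encode() + payload).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True


def diff_logs(local_log: list, collector: Collector) -> dict:
    """Compare what remains on the honeypot with what the collector received.
    Returns the ids of records that were deleted, rewritten or added locally."""
    remote_by_id = {r["event"]["id"]: r["event"] for r in collector.records}
    local_ids = {e["id"] for e in local_log}
    missing = sorted(set(remote_by_id) - local_ids)
    modified = sorted(e["id"] for e in local_log
                      if e["id"] in remote_by_id and remote_by_id[e["id"]] != e)
    extra = sorted(local_ids - set(remote_by_id))
    return {"missing": missing, "modified": modified, "extra": extra}


def simulate_intrusion() -> dict:
    """Constructed scenario: five events are logged and forwarded, then the
    intruder removes the logon entry and rewrites the whoami entry locally.
    The collector never sees those edits, so the diff exposes them."""
    collector = Collector()
    local_log: list = []
    events = [  # constructed sample events, not captured data
        {"id": 1, "EventID": 4688, "Message": "New process: cmd.exe"},
        {"id": 2, "EventID": 4624, "Message": "Logon type 10 for user guest"},
        {"id": 3, "EventID": 4688, "Message": "New process: whoami.exe"},
        {"id": 4, "EventID": 4719, "Message": "System audit policy was changed"},
        {"id": 5, "EventID": 1102, "Message": "The audit log was cleared"},
    ]
    for ev in events:
        write_and_forward(local_log, collector, ev)
    del local_log[1]                                         # id 2 deleted locally
    local_log[1]["Message"] = "New process: notepad.exe"     # id 3 rewritten locally
    result = diff_logs(local_log, collector)
    result["chain_ok"] = verify_chain(collector)
    return result


if __name__ == "__main__":
    print(simulate_intrusion())
    # → {'missing': [2], 'modified': [3], 'extra': [], 'chain_ok': True}
```

The hash chain only protects the collector's copy; the point of the comparison is that the honeypot's local log is expected to be tampered with, and the forwarded copy is the reference the investigator trusts. A real deployment would also want the forwarding to be one-way (the honeypot can send but not read back or delete) so that disabling Process Tracking, as described above, shows up as a gap in the stream rather than as a clean-looking log.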
(@randomaccess)
Posts: 385
Reputable Member
 

Isn't any Windows PC connected to the internet a honeypot by default?

Nope. Honeypots are usually subjected to some sort of monitoring and/or analysis…

He's trying to be funny.

Sarah, using Harlan's analogy, if I were a skilled attacker (and I'm not), I would steal the jewellery next door as stealthily as possible, then go right up to the Twinkie, have a look and leave.
If anything I'd try to be as overt as possible whilst looking at the Twinkie to hide my tracks at the jewellery. Hiding your tracks on a honeypot really only makes sense if you're trying to hone your skills.

But then again, I'm not a skilled attacker.

 
Posted : 14/02/2013 1:20 am
(@trewmte)
Posts: 1877
Noble Member
 

Has anyone got any experience of working with honeypots on Windows OS?
I'm doing my university project on someone hiding their tracks on a honeypot. But there doesn't seem to be much literature on it. I know of Lance Spitzner's Honeypot Project. Do you know where I can find more information?

Many thanks!

Sarah_Camp, there are numerous Honeypot Projects and Reports discoverable using web search engines, e.g.

- Christian Döring Masterthesis paper Honeypot Project 2005

- Profs Baumann & Plattner Honeypots Open Systems 2002

- 2011 SCADA Honeynets The attractiveness of honeypots as critical infrastructure security tools for the detection and analysis of advanced threats by Susan Marie Wade at Iowa State University

- Amit D. Lakhani Deception Techniques Using Honeypots 2004

- David Romero Barrero External Servers Security 2010

- John Børge Holen-Tjelta Honeypots in network perimeter defense systems 2011

- Vusal Aliyev Using honeypots to study skill level of attackers based on the exploited vulnerabilities in the network 2010

The report below (2011) states under High-Interaction Honeypots - "Balas et al. [9] implemented Sebek a Linux kernel module for monitoring an attacker’s keystrokes and related file accesses. Sebek uses the rootkit technology initially developed by attackers who wished to hide their presence on compromised machines."

- Gerard WAGENER Self-Adaptive Honeypots Coercing and Assessing Attacker Behaviour 2011

It is possible to produce an even longer list. But just as a representative example of what is readily available and downloadable, why would the above Projects and Reports not assist your research?

 
Posted : 14/02/2013 10:29 am
Page 1 / 2