Friday, May 29, 2015

Honeypots & ScriptKiddies... Let the Games Begin

Oh man the internet is so much fun! I was really bored tonight, so I decided to set up a honeypot. I fired up a virtual machine on one of my burner computers, and placed it in my hardware-switched DMZ. I configured a variety of applications that pretend to be extremely vulnerable to a lot of really old exploits, including Kippo SSH, Wordpot, and Dionaea. Next, I triple checked my firewall rules to ensure that nothing would escape into my LAN. Then I ran some port scans through the msfconsole, and realized that when running nmap inside msf, honeypot applications are easily detected... damn. But wait... there is always a solution to a problem when there is a will (and a good dose of boredom). It turns out that if you just change the banner displayed on the FTP login, the workgroup name on the SMB service, and the presented version of MSSQL, then nmap will not detect that it is scanning a honeypot! To confirm that, I ran port scans from several remote servers. None detected anything but about 500 open ports running so many horribly misconfigured services that anyone with a brain would know that this is just too good to be true. When everything looked okay, I placed the host online.
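The point above is that a scanner fingerprints a stock honeypot by its default service banners, so the operator should check the banners actually being served before exposing the host. Here is an added self-audit script for that (example code, not from the post or from the Kippo/Dionaea projects). It grabs the greeting from services that speak first (FTP, SSH) and flags any that still contain a marker string from a list of assumed stock-install banners; the marker list is illustrative and should be replaced with what your own scanner reports against an unmodified install. SMB workgroup checking needs a real client exchange and is deliberately left out.

```python
import socket
import sys

# Assumed marker fragments for stock honeypot banners (constructed for this
# example; verify against your own unmodified install before relying on them).
DEFAULT_HONEYPOT_MARKERS = {
    "ftp": ["Welcome to the ftp service"],
    "ssh": ["OpenSSH_5.1p1 Debian-5"],
}

# Services whose server speaks first, so a plain TCP connect yields a banner.
SERVICE_PORTS = {"ftp": 21, "ssh": 22}


def looks_like_default(service, banner, markers=DEFAULT_HONEYPOT_MARKERS):
    """Return True if the banner contains a known stock-install marker."""
    return any(marker in banner for marker in markers.get(service, []))


def grab_banner(host, port, timeout=3.0):
    """Connect and read whatever the server volunteers (FTP/SSH greet first).

    Returns the decoded banner, or an empty string on timeout/refusal.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return sock.recv(256).decode("utf-8", errors="replace").strip()
    except (OSError, socket.timeout):
        return ""


def audit(host, ports=SERVICE_PORTS, markers=DEFAULT_HONEYPOT_MARKERS):
    """Map each service to (banner, flagged) for the given host."""
    results = {}
    for service, port in ports.items():
        banner = grab_banner(host, port)
        results[service] = (banner, looks_like_default(service, banner, markers))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for service, (banner, flagged) in audit(target).items():
        status = "STOCK BANNER - change it" if flagged else "ok"
        print(f"{service:4s} {status:25s} {banner!r}")
```

Run it from a host outside the DMZ (the same vantage point a scanner would have) after editing the honeypot configuration, and repeat until nothing is flagged; a banner that still matches the stock install is what gives the honeypot away.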

Next, I opened Wireshark, grabbed some coffee, and sat back waiting for the script kiddies to start attacks. While I was waiting, I fired up Metasploit and started generating some payloads for any flies that get caught in the web. I ended up deciding on a passive exploit, a meterpreter embedded in a few PDF files that I placed inside the honeypot's file system, along with a bunch of porn videos, and nonsensical websites that I cloned with HTTrack. Then I actually changed my mind about that part. I realized reverse psychological phishing is still not right, even though the attacker would have to break a law or three himself to get into my system. The way I saw it... there is just no legitimate reason for anyone to break into a honeypot, even if I am doing this because I am just bored. Of course most of the hits would come from China anyway, so no harm done. Anyway, I even placed a watered down PHP shell in a hidden directory with a random URI (like a cracked easter egg of sorts...). This was all looking pretty damn good, but it'd been an hour and nobody had bitten the hook yet. I am not a patient person.... But then I thought of...

PASTEBIN. Yes, that is the answer to my lack of problems. A simple paste titled "Very Compromisable Host" with the target IP address was more than enough to get this party started. I posted the paste... waited 5 seconds... refresh... 55 hits... wait 10 seconds... refresh... 147 hits... waited 30 seconds... refresh... 269 hits!!!! I checked back just now... over 300 hits! Someone is bound to bite soon...

It's now T+30 since the paste, I am currently halfway through the last episode of Bates Motel, and am about to go to bed. Over the last 20 minutes, I've had 6 SSH 'breakins', 1 SMB attack, and 3 FTP logins! By morning, I'm hoping to have a few interesting payloads in Dionaea's archive to add to the old arsenal. Why are people so retarded? Ugh, who cares, it's hilarious. I'll follow up with this post tomorrow. Good night.
