Honeypots
Typical honeypots (somewhat old):
- Kippo
- Dionaea: fakes an SMB server.
- T-Pot
- Elasticpot
- https://github.com/mushorg/conpot
Course: https://formacion.seguridadsi.com/
Typical honeypot lures: old OS versions, outdated applications, registry keys, juicy files, open ports and services, changed server banners, etc.
Metaphor for an active defense: leave an open house knowing that there are thieves in the area.
Interesting acronyms:
- MTTD - MeanTimeToDetect
- MTTR - MeanTimeToRecover
Nmap and Nuclei already have options and flags for detecting honeypots.
Some other honeypots:
- Active Defense Harbinger Distribution (ADHD)
Installation
- Use a canary token to create an alert: https://canarytokens.org/nest/ with the module "Create JS cloned website Token". For instance, in JS.
- Use https://js.do/ to execute the code.
- You will get an email when the token fires. You can also create a webhook instead.
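The check that a "cloned website" canary token performs, written out as an added example (this is not code from the course or from canarytokens.org). The script is embedded in the legitimate page; if a copy of the page is ever served from a hostname outside the allow list, it fires a beacon at the token URL so the defender learns where the clone lives. The hostnames and the canary URL below are assumed placeholders.

```javascript
// Added example, not the project's or the course's own code.
// Hypothetical values: replace with your real hostnames and the token URL
// issued by your canary service.
const LEGIT_HOSTNAMES = ['www.example.com', 'example.com'];
const CANARY_URL = 'https://canary.example.invalid/token/PLACEHOLDER';

// Normalise a hostname the way browsers compare them: lowercase,
// trailing dot and any port stripped.
function normaliseHost(host) {
  return String(host).toLowerCase().replace(/\.$/, '').split(':')[0];
}

// True when the page is served from a host that is not on the allow list.
// An empty hostname (file:// or data: URLs) also counts as unexpected,
// because the legitimate site never loads from there.
function isClonedHost(currentHost, legitHosts = LEGIT_HOSTNAMES) {
  const host = normaliseHost(currentHost || '');
  if (host === '') return true;
  return !legitHosts.map(normaliseHost).includes(host);
}

// Build the beacon URL. The cloning host and the referrer are appended so
// the alert tells the defender where the clone is hosted; URLSearchParams
// takes care of the encoding.
function buildBeaconUrl(currentHost, referrer, canaryUrl = CANARY_URL) {
  const u = new URL(canaryUrl);
  u.searchParams.set('l', normaliseHost(currentHost || '')); // location host
  u.searchParams.set('r', referrer || '');                    // referrer
  return u.toString();
}

// Browser entry point: does nothing outside a browser, returns the beacon
// URL it fired (or null) so the decision can be inspected.
function runCanaryCheck() {
  if (typeof window === 'undefined' || !window.location) return null;
  if (!isClonedHost(window.location.hostname)) return null;
  const beacon = buildBeaconUrl(window.location.hostname, document.referrer);
  // An Image request is the classic beacon: no CORS preflight, no response needed.
  new Image().src = beacon;
  return beacon;
}

runCanaryCheck();
```

Drop the script into the page as an inline `<script>` (or host it on your own origin) and the check runs on every page load; a clone that copies the HTML verbatim carries the check with it, which is the whole point of the token.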
Other honeytokens:
- RDP.
- Folder DNS: a DNS route placed in the folder icon location, so browsing the folder triggers a lookup.
- A user account for a service: create an account that is enabled but not authorized to log on at any time, so any logon attempt against it is an alert.
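An added example (not from the course) of the detection side of the decoy service account above: since the account is never permitted to log on, any authentication event that names it is a signal. The decoy account names and the JSON event lines are constructed for the example; the Windows Security event IDs (4624, 4625, 4768, 4771) are the real ones for logon and Kerberos authentication events.

```javascript
// Added example, not the course's own code.
// Hypothetical decoy account names (assumed, not from the page).
const DECOY_ACCOUNTS = ['svc_backup_legacy', 'helpdesk_admin'];

// Windows Security event IDs that record an authentication attempt.
const AUTH_EVENT_IDS = {
  4624: 'successful logon',
  4625: 'failed logon',
  4768: 'Kerberos TGT requested',
  4771: 'Kerberos pre-authentication failed',
};

// Constructed sample: one JSON event per line, the shape a log forwarder
// would emit. Not real captured data.
const SAMPLE_EVENTS = [
  '{"EventID":4624,"TargetUserName":"alice","IpAddress":"10.0.0.5","TimeCreated":"2024-10-06T19:00:01Z"}',
  '{"EventID":4625,"TargetUserName":"svc_backup_legacy","IpAddress":"10.0.0.77","TimeCreated":"2024-10-06T19:02:14Z"}',
  '{"EventID":4768,"TargetUserName":"SVC_BACKUP_LEGACY","IpAddress":"10.0.0.77","TimeCreated":"2024-10-06T19:02:15Z"}',
  '{"EventID":4624,"TargetUserName":"bob","IpAddress":"10.0.0.9","TimeCreated":"2024-10-06T19:03:00Z"}',
  'this line is not json',
  '{"EventID":4688,"TargetUserName":"helpdesk_admin","IpAddress":"-","TimeCreated":"2024-10-06T19:04:00Z"}',
].join('\n');

// Parse newline-delimited JSON, skipping blank and malformed lines.
function parseEvents(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try { events.push(JSON.parse(line)); } catch (e) { /* skip malformed line */ }
  }
  return events;
}

// One alert per authentication event aimed at a decoy account. Account
// names are compared case-insensitively because Windows logs them in
// whatever case the client supplied.
function detectDecoyLogons(text, decoys = DECOY_ACCOUNTS) {
  const decoySet = new Set(decoys.map(d => d.toLowerCase()));
  const alerts = [];
  for (const ev of parseEvents(text)) {
    const user = String(ev.TargetUserName || '').toLowerCase();
    if (!decoySet.has(user)) continue;
    const kind = AUTH_EVENT_IDS[ev.EventID];
    if (!kind) continue; // e.g. 4688 process creation is not an auth attempt
    alerts.push({ user, eventId: ev.EventID, kind, source: ev.IpAddress, time: ev.TimeCreated });
  }
  return alerts;
}

// Group alerts by source address so one probing host becomes one incident.
function alertsBySource(alerts) {
  const grouped = {};
  for (const a of alerts) (grouped[a.source] = grouped[a.source] || []).push(a);
  return grouped;
}

console.log(alertsBySource(detectDecoyLogons(SAMPLE_EVENTS)));
```

Because the decoy account has no legitimate use, there is no whitelist to maintain: both the failed logon and the Kerberos TGT request from 10.0.0.77 are reported, while the real users and the non-authentication event are ignored.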
Simulate LLMNR (Link-Local Multicast Name Resolution) requests. Invoke-HoneyCreds.ps1 from GitHub can be used for this.
Techniques to learn the current user (what whoami would return) without actually running whoami.
https://formacion.seguridadsi.com/courses/take/especialista-en-honeypots-y-sistemas-de-decepcion
Last update: 2024-10-06 Created: October 6, 2024 19:24:59