Honeypots

Typical honeypots (somewhat old):

  • Kippo
  • Dionaea: fakes an SMB server.
  • T-Pot
  • Elasticpot
  • Conpot: https://github.com/mushorg/conpot

Course: https://formacion.seguridadsi.com/

Typical honeypot bait: an old OS, outdated apps, registry keys, juicy files, open ports and services, changed server banners, etc.

Metaphor for active defense: leaving a house open while knowing there are thieves in the area.

Interesting acronyms:

  • MTTD - Mean Time To Detect
  • MTTR - Mean Time To Recover

Nmap and Nuclei already have options and flags for detecting honeypots.

Some other honeypots:

  • Active Defense Harbinger Distribution (ADHD)

Installation

  1. Use Canarytokens (https://canarytokens.org/nest/) to create an alert: use the module "Create JS cloned website Token".
  2. For instance, in JS: use https://js.do/ to execute the code.
  3. When the token fires you will get an email. You can also create a webhook.
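The idea behind the "cloned website" JS token, as an added example (this is not Canarytokens' code): the script ships with the legitimate site and, if the page is later copied and served from another host, it phones home with where it is running. The hostnames in EXPECTED_HOSTNAMES and the BEACON_URL endpoint are assumed placeholders.

```javascript
// Added example (not Canarytokens' code): a minimal "cloned website" canary.
// EXPECTED_HOSTNAMES and BEACON_URL are assumed placeholder values.
const EXPECTED_HOSTNAMES = new Set(["example.com", "www.example.com"]);
const BEACON_URL = "https://canary.example.invalid/beacon"; // placeholder endpoint

// Return null when the page runs on a legitimate host, otherwise a beacon URL
// carrying the offending hostname, the page URL and the referrer.
function clonedSiteBeacon(hostname, href, referrer) {
  const host = String(hostname || "").toLowerCase();
  if (EXPECTED_HOSTNAMES.has(host)) return null;
  const beacon = new URL(BEACON_URL);
  beacon.searchParams.set("host", host);
  beacon.searchParams.set("url", String(href || ""));
  beacon.searchParams.set("ref", String(referrer || ""));
  return beacon.toString();
}

// Fire the beacon as a 1x1 image request, the classic low-friction technique:
// it needs no CORS exemption and works even where fetch is unavailable.
// `doc` is passed in so the logic can be exercised without a browser.
function reportIfCloned(doc) {
  const beacon = clonedSiteBeacon(doc.location.hostname, doc.location.href, doc.referrer);
  if (beacon) {
    const img = doc.createElement("img");
    img.width = 1;
    img.height = 1;
    img.src = beacon;
    (doc.body || doc.documentElement).appendChild(img);
  }
  return beacon;
}

// In a browser this runs on load; under Node (for testing) nothing fires here.
if (typeof document !== "undefined") {
  reportIfCloned(document);
}
```

A clone served from file:// has an empty hostname and still trips the check; the token only fails when the attacker strips the script from the copied page.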

Other tokens and tricks:

  • RDP.
  • Folder DNS token: a DNS name placed in the location of the folder's icon, so browsing the folder triggers a lookup.
  • Service user: create a user account for a service that is enabled but not authorized to log in at any time.

Simulate LLMNR (Link-Local Multicast Name Resolution) requests. Invoke-HoneyCreds.ps1 from GitHub can be used for this.

Techniques to obtain the result of whoami without running whoami itself.

https://formacion.seguridadsi.com/courses/take/especialista-en-honeypots-y-sistemas-de-decepcion

Last update: 2024-10-06
Created: October 6, 2024 19:24:59