January 31, 2004

Preventing a hacker from getting into a network is an area that is often talked about, but catching one is discussed far less, since it is a more specialized task. One way to catch a hacker is to isolate him in a decoy and monitor him continuously to learn his objective and track his pattern of activity. A HoneyPot is a concept that can be used for such decoying and monitoring.

A HoneyPot works as a false server that attracts a hacker by advertising some known vulnerabilities. The hacker may think he is in an unsecured server, but in reality he will get no data and will leave logs of his activities on the server when he goes. The administrator can analyze these logs and trace them back to the hacker. By attracting the hacker to itself, the HoneyPot also keeps him busy on a machine that doesn’t contain any useful data, which keeps the main server safe.

Many HoneyPot packages, such as Honeyd, LaBrea and Dtk, are available. But since most of them are fairly complicated to configure, and since this is the first time we, too, are checking one out, we have settled for an easy-to-use HoneyPot called THP (Tiny HoneyPot). We do promise to cover some of the other above-mentioned software in our forthcoming issues.

Though you can install a HoneyPot on any working machine, it is better to implement it on a virtual machine running under a system emulator (such as VMware or Bochs). This is because if the hacker does understand that the machine is a HoneyPot and is malicious enough, he can use that machine (the HoneyPot server) to hack into your main network.

We implemented THP on a fully patched Win XP machine running PCQLinux 8.0 in a VMware workstation. Such a setup will confuse the hacker even if he understands that he is in a decoy. We also recommend that you install a good IDS (Intrusion Detection System) such as Ethereal or Snort so that you can keep a watch on the raw data that the hacker may generate.

The known decoy
Ironically, implementing a HoneyPot can be a serious violation of wiretapping laws. In some countries where wiretapping is illegal, the law says that all HoneyPots must make themselves known. So the big question is: how many hackers will attempt to hack into a HoneyPot knowing that it actually is one? So, before implementing a HoneyPot, check its legal implications.

Installing THP 
First, download the software from http://alpinista.dyndns.org/files/thp/thp-0.4.6.tar.gz or wait for next month’s PCQEssential CD. The file is very small (28 KB) and contains some Perl scripts that fake some Unix servers such as httpd, ftpd and POP3. (When a hacker tries to connect to the server, he is presented with a root or ftp prompt.) To install THP, first copy the downloaded file to the /usr/local directory and unzip and untar it as shown below.

#cp thp-0.4.6.tar.gz /usr/local
#cd /usr/local
#tar -zxvf thp-0.4.6.tar.gz

Now create a link from the extracted folder to another folder called thp, because the THP configuration files assume /usr/local/thp as the root folder for THP. To do so, run the following command.

#ln -s /usr/local/thp-0.4.6 /usr/local/thp

Now create a blank directory in which THP will store all the logs, change its owner to the unprivileged nobody account, and restrict its permissions so that no user other than that account and root can access it. To do this, run the following commands.

#mkdir /var/log/hpot
#chown nobody:nobody /var/log/hpot
#chmod 700 /var/log/hpot

After this, go to the /usr/local/thp/xinetd.d directory and edit all the files in it, changing ‘disable = yes’ to ‘disable = no’ in each one. Then copy all the files to the /etc/xinetd.d directory. Now run the shell script called iptables.rules as below.

#sh /usr/local/thp/iptables.rules 

Then start and configure portmap with the following commands.

#/etc/rc.d/init.d/portmap start
#pmap_set < /usr/local/thp/fakerpc

Finally, restart xinetd as in the following command and THP will be ready on your network.

#/etc/rc.d/init.d/xinetd restart

One more thing you have to do is run the logthis shell script, which creates the master log file called ‘capture’ in the /var/log/hpot folder. Run the command as below.

#/usr/local/thp/logthis &
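The xinetd and log-directory steps above are easy to get half right (one service left disabled, or a log directory that other local users can read). The helper below is an added example, not part of THP or of this article: it applies those two steps and verifies the result. It assumes GNU sed and stat (as on PCQLinux) and the /usr/local/thp/xinetd.d and /etc/xinetd.d paths used above; the function names are our own.

```shell
#!/bin/sh
# Added helper (hypothetical, not shipped with THP): enable the decoy
# services and check the capture directory before xinetd is restarted.

# Flip 'disable = yes' to 'disable = no' in one xinetd service file, in place.
thp_enable_service() {
    f="$1"
    [ -f "$f" ] || { echo "missing service file: $f" >&2; return 1; }
    # Tolerate any spacing around '='; leave every other line untouched.
    sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' "$f"
    thp_service_enabled "$f"
}

# Succeed only if no 'disable = yes' line is left in the service file.
thp_service_enabled() {
    ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Succeed only if the log directory exists and is mode 0700, so captured
# keystrokes are readable by its owner (and root) alone.
thp_logdir_ok() {
    d="$1"
    [ -d "$d" ] || return 1
    [ "$(stat -c %a "$d")" = "700" ]
}

# Enable every service file THP ships and copy it into xinetd's directory.
# Stops at the first file that cannot be enabled, so nothing half-done lands
# in /etc/xinetd.d.
thp_install_services() {
    src="${1:-/usr/local/thp/xinetd.d}"
    dst="${2:-/etc/xinetd.d}"
    for f in "$src"/*; do
        thp_enable_service "$f" || return 1
        cp "$f" "$dst"/
    done
}

# Typical use on the HoneyPot host (as root), before restarting xinetd:
#   thp_install_services && thp_logdir_ok /var/log/hpot
```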

Testing THP
To test THP, log in to another machine (Windows or Linux) and try connecting to the HoneyPot server with the telnet or ftp command; you will be presented with a prompt. You will be able to run all the basic commands, but no output will be shown to you. After some time, return to the HoneyPot server and open the /var/log/hpot directory; you will find some files named after the process IDs that were allocated to you when you connected with telnet or ftp. Open such a file and you will see all the keystrokes you made while connected through telnet or ftp.

Anindya Roy
