Old Proxomitron Forums

Other => Security - General => Topic started by: sidki3003 on May 04, 2002, 04:43:55 PM

Title: Honey Pots?
Post by: sidki3003 on May 04, 2002, 04:43:55 PM
Hi all,

During the DoS attacks lately, hpguru suggested the use of honey pots.
I found it interesting not just to block all unknown incoming traffic, but to listen on certain ports.

Unfortunately I couldn't find any program (well, maybe one) that did the job nicely:
BackOfficer Friendly, NetGuard, HoneyPot 1.3 are either fixed to a few ports or crashing permanently.
Specter seems to be quite nice, but it's a $900 app and not available elsewhere.
So I stuck with NukeNabber and learned that all that hammering at my port 80 is Nimda!
NukeNabber has a lot of options and can listen to up to 50 ports.
The drawback is that it produces Winsock errors now and then, and that it can only log HTTP traffic.
Does any of you know about a nice port listener?

regards sidki


Title: Honey Pots?
Post by: hpguru on May 07, 2002, 07:46:46 PM
I'm not quite sure what you want, a packet sniffer or port listener. If the latter, I don't recommend their use because they tend to hold ports open. Once opened by a dedicated listener they tend to stay open or remain in a "closed" state even after closing the listener. If your firewall cannot stealth listening ports then I would resist the urge to play with these.

If you need a sniffer and you are running Win2k/XP you might try AnalogX PacketMon.

http://www.analogx.com/contents/download/network/pmon.htm

It is an initial release (1.0) and so it may or may not be stable. The site doesn't indicate whether PacketMon is shareware or freeware.

TamoSoft CommView is a very good sniffer that doesn't have an outrageous price tag to go with it (US$99 - single home user, US$199 - single user Enterprise)

http://www.tamos.com/products/commview/

Unlike a port listener, a sniffer simply records traffic passing through your network interface so a hacker won't detect you are using one.

Now I do not possess expert knowledge regarding Honey Pots but they are a different animal entirely. Simply put, a honey pot is a sandbox server. To the outsider it would appear to be a part of your network when in fact it is not. The general idea is to allow the hacker to break into the honey pot without making it too easy for them so that you can monitor their behavior and learn from their tactics.

Title: Honey Pots?
Post by: sidki3003 on May 07, 2002, 08:07:51 PM
Thanks hpguru for your comment.
I indeed mixed up port listeners with honey pots.
But still, I'm looking for a listener.
NukeNabber listens on defined ports and after something has come in, it closes this port for a defined amount of time.
At this point my firewall (KPF/Tiny) stealths it until NukeNabber is ready to listen again.
I use CommView as the "big gun", but in my eyes it's nothing to keep running all the time.

regards sidki


Title: Honey Pots?
Post by: sidki3003 on May 09, 2002, 12:12:36 AM
hpguru, which firewall can do that, i.e. stealth listening ports?

Title: Honey Pots?
Post by: hpguru on May 09, 2002, 03:51:54 AM
Sorry for the delay. I had to reinstall my OS.

Several firewalls can stealth listening ports.

Kerio Personal Firewall (Formerly TPF and my recommendation until something better comes on the scene.)
http://www.kerio.com/

Conseal (N/A But if you already have v2.09 for your OS, it is a dandy!)

Visnetic Firewall (from the developers of Conseal - haven't tried it yet but it is Conseal in a new suit.)
http://www.deerfield.com/products/visnetic_firewall/

Users of the following three firewalls claim they can stealth listening ports but I cannot comment on that. I will say however that I don't recommend these because *my experience* with them was a negative one. They are in some cases resource hogs or they cause stability problems or you cannot uninstall them completely. These are ZoneAlarm, Outpost and Look'n'Stop.

Before you go shopping for a new FW you might want to put the one you now have to the test at

http://www.pcflank.com/

If you have never tested there before I recommend you do a system backup first because I've heard reports of firewalls failing the Exploits tests by crashing the OS.


Edited by - hpguru on 09 May 2002  08:19:45

Title: Honey Pots?
Post by: sidki3003 on May 09, 2002, 04:10:22 AM
Thanks

Title: Honey Pots?
Post by: hpguru on May 09, 2002, 08:59:09 AM
You might find this interesting.

http://www.dslreports.com/forum/remark,3232284~root=security,1~mode=flat~start=0

Title: Honey Pots?
Post by: sidki3003 on May 09, 2002, 02:03:59 PM
Interesting indeed.

I also realized my logical mistake concerning the stealthing of listening ports.
Kerio (which I run, as I said) can stealth open ports and they are still locally available.
But if I want (and I do want) to receive the HTTP traffic on port 80, a TCP handshake is needed and this port cannot be stealthed.
UDP might be a different story.

BTW, this is Nimda:
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


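An added example, not code from any post in this thread: a Python check that decodes captured request lines the way the quoted Nimda request requires (%252f is a double-encoded slash, so a single unquote still leaves ..%2f..) and flags the cmd.exe/root.exe probes. It goes beyond the quoted request by also folding the overlong UTF-8 slash forms (%c0%af, %c1%9c) that the same family of IIS probes used; those extra patterns, the indicator names and the sample lines are my own assumptions and constructed input, not captured traffic. The misspelled Connnection header in the quoted request is the worm's own, so the code treats it as a second fingerprint rather than a typo.

```python
"""Spot Nimda / Code Red style IIS probes in captured HTTP request lines.

Added example for this thread, not code from any post. Decoding is repeated
(bounded) because the quoted probe hides its traversal behind %252f."""
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 encodings of '/' and '\' that unpatched IIS 4/5 accepted.
# Assumption beyond the quoted request: the same probe family used them.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# Constructed sample input: what a listener on port 80 might have logged.
SAMPLE_REQUESTS = [
    "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/search?q=cmd.exe HTTP/1.1",
]

# Indicator name -> pattern applied to the normalized *path* (not the query).
INDICATORS = [
    ("traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("cmd-shell", re.compile(r"/(cmd|root)\.exe$")),
    ("iis-script-dir", re.compile(r"^/(scripts|msadc|_vti_bin|_mem_bin|c|d)/")),
]


def normalize(target, max_rounds=3):
    """Percent-decode until stable (at most max_rounds passes), fold the
    overlong slash encodings, turn backslashes into slashes, lower-case."""
    data = target.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, repl in OVERLONG.items():
        data = data.replace(seq, repl)
    return data.decode("latin-1").replace("\\", "/").lower()


def classify(request_line):
    """Return the normalized path and the indicators it triggers.

    'suspicious' means the request actually reaches cmd.exe/root.exe; a
    traversal or script directory on its own only adds context."""
    parts = request_line.split()
    if len(parts) < 2:
        return {"path": "", "indicators": [], "suspicious": False}
    raw_path, _, query = parts[1].partition("?")
    path = normalize(raw_path)
    hits = [name for name, rx in INDICATORS if rx.search(path)]
    if normalize(query).startswith("/c"):      # cmd.exe /c <command>
        hits.append("command-arg")
    return {"path": path, "indicators": hits, "suspicious": "cmd-shell" in hits}


def nimda_header_quirk(raw_request):
    """Nimda's own requests carry the misspelled header 'Connnection: close'
    (three n's), exactly as quoted in the thread; a cheap second fingerprint."""
    return any(line.lower().startswith("connnection:")
               for line in raw_request.splitlines()[1:])


def scan(lines):
    """Return (line, indicators) for every request line that looks like a probe."""
    return [(line, classify(line)["indicators"])
            for line in lines if classify(line)["suspicious"]]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS):
        print(f"{', '.join(hits):45} {line}")
```

Run it as a script to see which of the constructed sample lines are flagged; in practice you would feed it the request lines NukeNabber or any other listener logs. Note that the sample with cmd.exe only in the query string is deliberately not flagged: the path rules run on the decoded path, so the check keys on what the probe can actually execute rather than on the literal string.
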
Title: Honey Pots?
Post by: TEggHead on June 25, 2002, 06:31:37 PM
Aside from all that has been said in here, I would still love to know if someone knows of anything similar to, but less flaky and more flexible than, NukeNabber...

I too am interested to see what exactly is knocking at some ports, but I don't want to bring down performance by using a packet sniffer. I'd rather use a small listener for this. I don't mind that they hold ports open, since the purpose is to trap incoming connection attempts only.

I tried NukeNabber, but it won't run stable on my NT4 gate. It launches and runs OK, but touch it to configure it and it dies... Trying it out on a different machine, I found it could not listen to connection attempts on a passive port (meaning the port is in use for outgoing connections and incoming replies only, but is otherwise closed for incoming connection attempts). It is these attempts I want to look at... and I do so want to NOT use a sniffer for this (like going duck hunting with an elephant gun, of which I have been accused once too often...).

Anyone?

JarC

Title: Honey Pots?
Post by: pooms on June 26, 2002, 01:34:12 AM
Have you tried looking in the "Windows95/98/NT/2k Defense" section here:
http://packetstorm.decepticons.org/defense.html
There are a few things there that look like they might be useful, although I haven't tried any of them myself. I'm not sure how much I'd trust them, although some come with code.