How to Set up a simple Web Honeypot to Catch Internal Intruders
- James Thomas
- Apr 23, 2023
- 3 min read

What is a Honeypot?
A honeypot is a decoy system that is designed to lure potential intruders, whether external or internal. The primary purpose of a honeypot is to detect, deflect, or study attempts to gain unauthorized access to information systems or networks.
A honeypot can be thought of as a trap set by your team to lure attackers into revealing their methods and motivations, or revealing themselves. By mimicking the appearance and behavior of a real system, a honeypot can provide valuable insight into the tactics, techniques, and procedures (TTPs) of attackers, as well as their motivations and objectives.
In some cases, honeypots can also be used to distract attackers from the real target, giving your SOC more time to detect and respond to the attack. However, it is important to note that honeypots are not foolproof and can potentially be used as a vector for attack if not properly secured and maintained.
While there are professional solutions out there with big ticket prices, you can't go wrong with a simple open-source tool that's been proven effective. You can simply install a package on a virtual machine or extra Linux system, let it run, and stand by for alerts.
Prerequisites
A Virtual Machine or physical machine with a fresh version of Linux installed. Your choice of flavor, but we utilize Kali or Debian.
This must be run on a dedicated machine or VM - any non-malicious traffic to the machine/NIC will cloud your results and create false positives.
A NIC or vNIC with direct network access
1 free static IP address on the network
An internet connection for initial setup
Package Installation
First, we will download the source package from Sourceforge.
wget http://downloads.sourceforge.net/project/pentbox18realised/pentbox-1.8.tar.gz
Once the file download is finished, extract the files from the downloaded archive.
tar xvfz pentbox-1.8.tar.gz
Move over to your newly created package folder.
cd pentbox-1.8
If you don't have Ruby installed, you'll need to install it now.
sudo apt install ruby
HoneyPot Setup
After you have the package installed (and Ruby), you're ready to spin up the HoneyPot. First, execute the package.
./pentbox.rb

The Pentbox package has a vast array of purposes, but we will only be utilizing the Web Honeypot right now. Let's navigate there.
Select option 2 for Network Tools, and hit Enter.

Now, we'll be selecting option 3 for the HoneyPot module, and press Enter.

Next, you'll need to enter a few options to configure the module using option "2", manual configuration:
Select your port. Port 80 will likely be your best bet, but you're welcome to use 443 or any alternative web port. You want to utilize a common web port that attackers would include in scans.
Enter a return message to show when the web page is accessed. Something nonchalant is best so as not to tip off the attacker that they've fallen into a trap, for example "404 Not Found."
"y" ensures a log file is generated with intrusion attempts. If you select "n", alerts will simply be echoed to the terminal.
Determine your desired logfile location. "/root/honeypot/log.txt"
Decide if you want a beep sound when an intrusion is detected. "y/n"

Once all of your options are in, press Enter to launch the HoneyPot.

You're up and running!
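To make the configuration steps above concrete, here is a minimal web honeypot written from scratch as an added example. It is not Pentbox's own code; it simply implements the same idea: listen on a port, answer every connection with a bland "404 Not Found", and write one log line per connection (timestamp, source address, first request line) to a log file, with an optional terminal beep. The listen address, log format and the honeypot.rb file name are assumptions of this example.

```ruby
# Minimal web honeypot (added example, not Pentbox code).
# Assumed: a dedicated host, a free TCP port, and a log path of your choosing.
require 'socket'
require 'time'
require 'stringio'

DEFAULT_MESSAGE = '404 Not Found'

# Build the full HTTP response sent to anyone who connects. A plain 404 with
# no server banner gives a scanner nothing interesting to fingerprint.
def honeypot_response(message = DEFAULT_MESSAGE)
  body = "#{message}\r\n"
  [
    'HTTP/1.1 404 Not Found',
    'Content-Type: text/plain',
    "Content-Length: #{body.bytesize}",
    'Connection: close',
    '',
    body
  ].join("\r\n")
end

# One log line per connection: timestamp, source address and the first request
# line the client sent. Non-printable characters are replaced so a hostile
# request cannot inject fake line breaks into the log.
def format_log_entry(time, ip, port, request_line)
  clean = request_line.to_s.gsub(/[^[:print:]]/, '?')
  "#{time.getutc.iso8601} intrusion from #{ip}:#{port} request=\"#{clean}\""
end

# Handle one client on any IO object and return the log entry written.
# Taking the IO and peer address as parameters keeps this testable offline
# (a StringIO stands in for the socket).
def handle_client(client, ip, port, message: DEFAULT_MESSAGE, log_io: nil, beep: false, now: Time.now)
  request_line = client.gets&.chomp # the first line is enough to identify a probe
  entry = format_log_entry(now, ip, port, request_line)
  client.write(honeypot_response(message))
  if log_io
    log_io.puts(entry)
    log_io.flush
  else
    $stdout.puts(entry) # no log file chosen: echo alerts to the terminal
  end
  $stdout.print("\a") if beep # terminal bell, like the "beep on intrusion" option
  entry
ensure
  client.close
end

# Accept connections forever, one thread per client, appending to the log file.
def run_honeypot(port, logfile, message: DEFAULT_MESSAGE, beep: false)
  server = TCPServer.new('0.0.0.0', port)
  log_io = File.open(logfile, 'a')
  loop do
    client = server.accept
    ip, client_port = client.peeraddr[3], client.peeraddr[1]
    Thread.new do
      handle_client(client, ip, client_port, message: message, log_io: log_io, beep: beep)
    end
  end
end

# Usage (port 80 needs root): sudo ruby honeypot.rb 80 /root/honeypot/log.txt
run_honeypot(Integer(ARGV[0]), ARGV[1]) if __FILE__ == $0 && ARGV.length == 2
```

Because the host is dedicated to the honeypot, every line this writes is a connection nobody should have made, which is what makes the log useful as an alert source rather than just another access log.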
Test your HoneyPot
Now that we're online, we'll want to test it to make sure it's working. In a browser, navigate to your HoneyPot's interface on the desired port.

Now, go check your logfile. You should see a successful entry for your intrusion attempt.

You now have a functioning web HoneyPot!
In addition to using this as a web HoneyPot, it can be configured to any port. For example, if you want to create an SSH honeypot, it can be tuned to port 22 to detect scans against SSH or even attempted logins.
From here, you can continue on as desired. It would be beneficial to set up some form of log feed to send this logfile to your preferred flavor of alerting software. When an alert pops up, you'll know right away. Since this is a brand new system with a static IP address, the only traffic it receives should be malicious scans or attempts (or your own internal scanning; if so, be sure to add the scanner's IP to your exclusions). Here's a sample of an attempted scan from the Mirai botnet that came into our internet-facing HoneyPot, as an example of what you may be on the lookout for:
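The paragraph above leaves the log feed and the scanner exclusions to you. As an added example (not part of Pentbox or the original post), the script below reads honeypot log lines, drops sources that fall inside your allow-listed scanner ranges, groups the remaining hits per source IP so a port scan does not page you fifty times, and posts each alert as JSON to a webhook. The log line format, the sample log lines, the exclusion range and the webhook URL are all constructed assumptions of this example; adapt the regular expression to whatever your honeypot actually writes.

```ruby
# Honeypot log to alert feed (added example, not Pentbox code).
# Assumed log line format, one connection per line:
#   <ISO8601 time> intrusion from <ip>:<port> request="<first request line>"
require 'ipaddr'
require 'json'
require 'net/http'
require 'uri'

LINE_RE = /\A(?<time>\S+) intrusion from (?<ip>[\d.]+):(?<port>\d+) request="(?<request>.*)"\z/

# Constructed sample log: two hits from one unknown host, one from your own
# vulnerability scanner, and one line that is not an event at all.
SAMPLE_LOG = [
  '2023-04-23T12:00:01Z intrusion from 10.0.0.5:51234 request="GET / HTTP/1.1"',
  '2023-04-23T12:00:02Z intrusion from 10.0.0.5:51235 request="GET /admin HTTP/1.1"',
  '2023-04-23T12:00:03Z intrusion from 10.0.9.2:40000 request="GET / HTTP/1.1"',
  'honeypot started on port 80'
].freeze

# Ranges your own scanners live in (assumed value): hits from here are expected.
EXCLUSIONS = ['10.0.9.0/24'].freeze

# True when the source address belongs to an excluded network.
def excluded?(ip, exclusions)
  addr = IPAddr.new(ip)
  exclusions.any? { |cidr| IPAddr.new(cidr).include?(addr) }
end

# Parse the log, skip excluded sources, and aggregate per source IP.
# Returns one alert hash per offending source, sorted by hit count.
def build_alerts(lines, exclusions)
  hits = Hash.new { |h, k| h[k] = { 'count' => 0, 'first_seen' => nil, 'requests' => [] } }
  lines.each do |line|
    m = LINE_RE.match(line.strip)
    next unless m                          # not an event line
    next if excluded?(m[:ip], exclusions)  # our own scanner, not an intrusion
    h = hits[m[:ip]]
    h['count'] += 1
    h['first_seen'] ||= m[:time]
    h['requests'] << m[:request] unless h['requests'].include?(m[:request])
  end
  hits.map { |ip, h| { 'source_ip' => ip, 'severity' => h['count'] > 10 ? 'high' : 'medium' }.merge(h) }
      .sort_by { |a| -a['count'] }
end

# POST one alert as JSON to a webhook (your SIEM, ticketing or chat-ops endpoint).
def post_alert(webhook_url, alert)
  uri = URI(webhook_url)
  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
  req.body = JSON.generate(alert)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
end

# Usage: ruby honeypot_alerts.rb /root/honeypot/log.txt https://alerts.example.invalid/hook
if __FILE__ == $0 && ARGV.length == 2
  build_alerts(File.readlines(ARGV[0]), EXCLUSIONS).each { |alert| post_alert(ARGV[1], alert) }
end
```

Run it from cron or a systemd timer against the live log (or hook it to a tail), and keep EXCLUSIONS in step with your scanner inventory: an exclusion that is too wide silently hides real intrusions, so prefer single hosts or small ranges over whole subnets.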
