TinyPot, My Small Honeypot, (Thu, Jul 27th)

Running honeypots is always interesting to get an overview of whats happening on the Internet in terms of scanners or new threats. Honeypots are useful not only in the Wild but also on your internal networks. There are plenty of solutions to deploy honeypots with more or less nice features (depending on the chosen solution). They are plenty of honeypots[1] which can simulate specific services or even mimic a complete file system, computer or specific hardware.

Thats cool but often such honeypots require a lot of dependencies (Python/Perl modules) or must be compiled. Sometimes, you just need to collect basic data to understand whos knocking on your door. I was looking for a quick padding:5px 10px"> # iptables -t nat -A PREROUTING -p tcp --dport 1:65534 -j REDIRECT --to-ports 10000

Note: I limited the range to port 65534 to allow binding my SSH daemon to port 65535 (if you need to access the honeypot remotely).

The next step is to accept and establish a connection on any port (at least the TCP handshake). netcat[2] is the perfect tool for this and is usually installed by default with many Linux distribution. Let padding:5px 10px"> # netcat -l -k -p 10000 | tee -a /tmp/netcat.log

Finally, a full packet capture is always nice to have, let padding:5px 10px"> # tcpdump -i eth0 -w /tmp/tcpdump.pcap -C 1000 -W 10 -lenx -X -s 0 not port 65534

Finally, we can put all the commands in a single script tinypot.sh. Im using the screen padding:5px 10px"> #!/bin/bash /sbin/iptables -t nat -A PREROUTING -p tcp --dport 1:65534 -j REDIRECT --to-ports 10000screen -S test -d -m su - username /home/username/folder/folder/.program /usr/bin/screen -S netcat -d -m /bin/netcat -l -k -p 10000 | tee -a /tmp/netcat.log /usr/bin/screen -S tcpdump -d -m /sbin/tcpdump -i eth0 -w /tmp/tcpdump.pcap -C 1000 -W 10 -lenx -X -s 0 not port 655534 echo TinyPot running, use screen -r [netcat|tcpdump] to access tools width:800px" />
We can see classic stufflike bots scanning for open proxies, SMB shares or searching for admin interfaces. Whats next? Wireshark can be used to export statistics(menu Statistics - Conversations width:800px" />

Nothing fancy here and Im sure that it can be improved but TinyPot just does the work!

[1] https://github.com/paralax/awesome-honeypots

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

© SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Article Link: https://isc.sans.edu/diary/rss/22654