Honeypots are networks, servers or web applications purposely built to look vulnerable: they expose obsolete operating systems and software, open services and ports, in order to attract malicious visitors and induce them to try exploiting the system. In a preceding tutorial I explained how to build your own honeypot; here I will explain how hackers try to avoid them, what tricks they apply when scanning the internet for victims, and how you can fall victim to a honeypot while surfing the deep web. Finally we will talk about how an attacker who is already inside an enterprise network tries to spot the honeypots that system administrators plant there to catch whoever goes looking for juicy, sensitive data.
Scan The Honeypot
You are a hacker, so all you do is scan IP ranges every night looking for open ports and vulnerabilities, don't you? So fire up your trusty nmap and scan the target as you would any other victim. If you see a result like the following, you should become very suspicious:
As you can see, far too many ports show up as open in the nmap result. A modern, firewalled production server rarely looks like this, so this is the moment to start suspecting that you are standing right in front of a trap prepared for you. Another signal is an extremely obsolete operating system or service. Banner grabbing with Netcat would show (for example) something like this:
A very old version of Apache, as you can see. Bear in mind that these are hints, not proof: a real but badly maintained server can also expose old software and many services, and a well-built honeypot can present a modern, plausible fingerprint. What usually gives a lazy honeypot away is the combination: dozens of open ports, software that was end-of-life a decade ago, and services that contradict each other (Windows-only services next to Unix-only daemons on the same host).
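The tells just described can be checked mechanically. The script below is an added example, not code from the original article: it parses nmap's grepable output (`-oG`), which the article's scan would produce, and flags a host that has more open ports than a threshold, advertises ancient software versions, or mixes Windows-only and Unix-only services. The sample scan, the threshold of ten ports and the "ancient version" table are assumptions chosen for illustration, not an authoritative list.

```python
"""Heuristic honeypot tells from nmap grepable output (-oG).

Added example, not code from the original article. The thresholds,
the ANCIENT table and the sample scan are assumptions for illustration.
"""
import re

# Constructed sample of `nmap -sV -oG -` output for two hosts (not a real scan).
# Fields are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.10 192.168.1.20\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.0.8/, 22/open/tcp//ssh//OpenSSH 3.9p1/, "
    "23/open/tcp//telnet///, 25/open/tcp//smtp//Sendmail 8.12.11/, "
    "53/open/tcp//domain//ISC BIND 9.2.4/, 80/open/tcp//http//Apache httpd 1.3.33/, "
    "110/open/tcp//pop3///, 135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 143/open/tcp//imap///, "
    "443/open/tcp//ssl|http//Apache httpd 1.3.33/, "
    "445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/, "
    "1433/open/tcp//ms-sql-s//Microsoft SQL Server 2000/, 3306/open/tcp//mysql//MySQL 4.1.22/, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/, "
    "5432/open/tcp//postgresql//PostgreSQL DB 8.1.0/\tIgnored State: closed (984)\n"
    "Host: 192.168.1.20 ()\tStatus: Up\n"
    "Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6p1/, "
    "443/open/tcp//ssl|http//nginx 1.24.0/\tIgnored State: filtered (998)\n"
    "# Nmap done\n"
)

# port/state/proto/owner/service/rpc/version/  (service may contain '|', version may contain spaces)
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/$")

# Software old enough that a maintained production box running it today is
# implausible. Assumed cut-offs for illustration only.
ANCIENT = [
    (re.compile(r"Apache httpd (?:1\.|2\.0\.)"), "Apache 1.x/2.0"),
    (re.compile(r"OpenSSH [0-4]\."), "OpenSSH older than 5.0"),
    (re.compile(r"Windows (?:XP|2000)"), "end-of-life Windows"),
    (re.compile(r"MySQL [34]\."), "MySQL 3.x/4.x"),
    (re.compile(r"ISC BIND 9\.[0-3]\."), "BIND 9.0-9.3"),
]
# Daemons that only run on Unix-like systems; seeing them next to
# "Microsoft Windows" services on one host is a classic emulation tell.
UNIX_DAEMONS = ("vsftpd", "Sendmail", "Postfix", "Exim")


def parse_grepable(text):
    """Return {ip: [(port, service, version), ...]} for open ports in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                m = PORT_RE.match(entry.strip())
                if m and m.group(2) == "open":
                    hosts.setdefault(ip, []).append((int(m.group(1)), m.group(4), m.group(5)))
    return hosts


def assess(open_ports, max_ports=10):
    """Return a list of human-readable tells for one host's open ports."""
    tells = []
    if len(open_ports) > max_ports:
        tells.append(f"{len(open_ports)} open ports (more than {max_ports})")
    for port, service, version in open_ports:
        for pattern, label in ANCIENT:
            if pattern.search(version):
                tells.append(f"{port}/{service}: {version} ({label})")
    windows = any("Microsoft Windows" in v for _, _, v in open_ports)
    unix = any(v.startswith(UNIX_DAEMONS) for _, _, v in open_ports)
    if windows and unix:
        tells.append("Windows-only services alongside Unix-only daemons on one host")
    return tells


def report(og_text, max_ports=10):
    """Map every scanned host to its list of tells (empty list = nothing odd)."""
    return {ip: assess(ports, max_ports) for ip, ports in parse_grepable(og_text).items()}


if __name__ == "__main__":
    for ip, tells in report(SAMPLE_OG).items():
        verdict = "SUSPICIOUS" if len(tells) >= 2 else "looks normal"
        print(f"{ip}: {verdict}")
        for t in tells:
            print("   -", t)
```

Run it against a real scan with `nmap -sV -oG scan.txt <target>` and feed the file to `report()`. Two or more tells on one host is a good moment to stop and think; a single old banner on its own is just an unpatched box.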
Deep Web Honeypots
Surfing the deep web you can encounter several kinds of honeypots, but we can consider two main types: honeypots run by federal agents and honeypots run by phishers.
Federal agents build honeypots that simulate anything from drug markets to child-pornography sites, so that the criminals who connect to them can be identified and caught.
Phishers instead build a site that imitates a legitimate one, just to present you with a fake login form that steals your credentials or other personal information.
There are methods both to recognize honeypots and to protect yourself from them, but you will see that the second option is easier, since honeypots are often very well developed and hard to recognize. The first thing to do to find out whether you are visiting a honeypot is to always check the URL. Malicious URLs often differ from the legitimate one by a single letter; taking the time to read the URL carefully can save you. Beyond this, if a site you know and trust starts asking for credentials, or even money, that it never required before, you should become suspicious as well. There are also ways to avoid the traps altogether: never give away personal information on a darknet and never click on links shared by anyone, because such links can take you to a fake site or download malicious software onto your machine. You can also check a domain against a DBL (Domain Block List), where hundreds of malicious sites are listed.
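Reading the URL carefully is easier said than done, so here is the check written out. This is an added example, not code from the original article: it compares the host in a URL against a short allow-list of addresses you obtained through a trusted channel and reports the classic lookalike tricks, namely a single-character typo, a homoglyph substitution (`1` for `l`, `rn` for `m`), the real name used as a subdomain of an attacker's domain, and the same name under a different TLD. The allow-list, the homoglyph table and the sample URLs are assumptions made for illustration.

```python
"""Lookalike-URL check for the 'differs by a single letter' trap.

Added example, not code from the original article. TRUSTED, HOMOGLYPHS
and the sample URLs are assumptions for illustration.
"""
from urllib.parse import urlsplit

# Assumed allow-list: addresses you obtained through a channel you trust.
TRUSTED = ("login.example.com", "example-market.onion")

# Character sequences that pass for one another at a glance (illustrative subset).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "5": "s"}


def hostname(url: str) -> str:
    """Extract the lower-cased host from a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def fold(host: str) -> str:
    """Map visually confusable sequences onto the character they imitate."""
    for seq, repl in HOMOGLYPHS.items():
        host = host.replace(seq, repl)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED, max_edits: int = 2) -> str:
    """Explain how a URL's host relates to the trusted list."""
    host = hostname(url).lower()
    if host in trusted:
        return "trusted"
    for t in trusted:
        # login.example.com.evil-host.net: the real name hidden in a subdomain
        if host.startswith(t + "."):
            return f"lookalike of {t}: trusted name used as a subdomain of {host}"
        # login.examp1e.com: same name once confusable characters are folded
        if fold(host) == fold(t):
            return f"lookalike of {t}: homoglyph substitution"
        # login.example.net: same labels, different top-level domain
        if host.rsplit(".", 1)[0] == t.rsplit(".", 1)[0]:
            return f"lookalike of {t}: same name under a different TLD"
        # login.exmaple.com: a typo or transposition away
        d = edit_distance(host, t)
        if d <= max_edits:
            return f"lookalike of {t}: {d} edit(s) away"
    return "no match against the trusted list"


if __name__ == "__main__":
    for u in ("https://login.example.com/auth", "https://login.examp1e.com/auth",
              "login.exmaple.com", "https://login.example.net",
              "https://login.example.com.evil-host.net/auth", "https://unrelated.org"):
        print(f"{u:48} -> {classify(u)}")
```

For .onion services the typo heuristics matter less: a v3 onion address is derived from the service's public key, so an address that merely looks similar is a different service entirely. There the only useful check is exact comparison of the whole address against one you got from a trusted source, which is what the `host in trusted` branch does.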
Hide Your Identity To Honeypots
You really should already know these few things if you surf the deep web, but I will repeat them anyway:
- Always use a VPN
- Always use Tor
- Use a fake identity
- Never give away personal information that could let someone link your fake identity to your real one
- Do not download or open executables, images, PDFs or any other file unless it comes from a VERY trusted source
- If you’re really serious about privacy, use Whonix.
You really should install every honeypot you come across just to become familiar with its settings. If the honeypot's owner is lazy, the trap will still be running with its default configuration, and if you know what the default configuration of (let's say) KFSensor looks like, you will easily recognize it when you encounter it in the wild. The following is a list of very common honeypots you should download and install to study their default settings:
Also check this awesome list to find more.
Internal Network’s Honeypots
You are inside an internal network and you suspect someone is running a honeypot. How could you discover it? If you want to avoid being detected you cannot run a vulnerability scan or nmap, because logging exactly that kind of activity is what the honeypot is there for; you can only listen for suspicious activity. An ARP scan (still active traffic, though far less conspicuous than a port scan; passively watching ARP is quieter still) gives you the IP and MAC address of every host on the segment, and then you can fire up Wireshark to sniff for NetBIOS name requests. From Wikipedia:
“NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol. Older operating systems[clarification needed] ran NetBIOS over IEEE 802.2 and IPX/SPX using the NetBIOS Frames (NBF) and NetBIOS over IPX/SPX (NBX) protocols, respectively. In modern networks, NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. This results in each computer in the network having both an IP address and a NetBIOS name corresponding to a (possibly different) host name.”
A honeypot is usually a Linux box or an appliance that does not take part in NetBIOS at all, so it is highly unlikely that NetBIOS name registrations or queries (UDP port 137) come from the honeypot host. In a Windows-heavy network, therefore, any host that never sends NetBIOS traffic is a potential honeypot. Treat it as a hint rather than proof: the gateway, Linux servers, printers and other appliances are silent too, and a honeypot can be configured to emulate NetBIOS.
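Putting the ARP sweep and the NetBIOS sniff together is a small join. The script below is an added example, not code from the original article: it takes the host list from an ARP scan and the source addresses of the NetBIOS name-service packets seen on the wire, and lists the hosts that appeared in ARP but never spoke NetBIOS, adding a hint when the MAC address belongs to a virtualisation vendor, since honeypots very often live in VMs. The two samples are constructed; their layout mimics `arp-scan` output and `tshark -Y nbns -T fields -e ip.src -e nbns.name` output, which is an assumption about format rather than a captured trace. The constructed network deliberately includes a silent gateway to show the false positive the prose warns about.

```python
"""Find hosts on a LAN segment that never speak NetBIOS.

Added example, not code from the original article. SAMPLE_ARP and
SAMPLE_NBNS are constructed; their layout mimics `arp-scan` and
`tshark -T fields -e ip.src -e nbns.name` output (assumed format).
"""

# Constructed ARP sweep: ip<TAB>mac<TAB>vendor (not a real network).
SAMPLE_ARP = """\
192.168.1.1\t00:11:22:33:44:55\tAcme Networks
192.168.1.10\td4:5d:64:10:20:30\tDell Inc.
192.168.1.11\td4:5d:64:10:20:31\tDell Inc.
192.168.1.50\t00:0c:29:7a:6b:5c\tVMware, Inc.
192.168.1.60\t08:00:27:aa:bb:cc\tPCS Systemtechnik GmbH
"""

# Constructed NetBIOS name-service packets (UDP/137): source ip<TAB>name<suffix>.
SAMPLE_NBNS = """\
192.168.1.10\tWS-01<00>
192.168.1.10\tWORKGROUP<1e>
192.168.1.11\tWS-02<20>
192.168.1.60\tDEV-VM<00>
"""

# OUIs of common virtualisation platforms; a silent host on one of these is
# a stronger candidate, although plenty of legitimate servers are VMs too.
VM_OUIS = {
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "52:54:00": "QEMU/KVM",
}


def parse_arp(text):
    """Return {ip: mac} from tab-separated ARP sweep lines; other lines are ignored."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 2 and parts[0].count(".") == 3:
            hosts[parts[0]] = parts[1].lower()
    return hosts


def parse_nbns(text):
    """Return {source ip: {names...}} from 'ip<TAB>name' lines."""
    names = {}
    for line in text.splitlines():
        ip, _, name = line.partition("\t")
        if ip and name:
            names.setdefault(ip, set()).add(name.strip())
    return names


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def silent_hosts(arp, nbns):
    """Hosts seen in ARP that never sent a NetBIOS name packet, with a VM hint.

    Returns a list of (ip, mac, vm_hint_or_None) sorted by address.
    """
    out = []
    for ip, mac in sorted(arp.items(), key=lambda kv: _ip_key(kv[0])):
        if ip in nbns:
            continue  # it registered or queried a name: a normal Windows box
        out.append((ip, mac, VM_OUIS.get(mac[:8])))
    return out


if __name__ == "__main__":
    quiet = silent_hosts(parse_arp(SAMPLE_ARP), parse_nbns(SAMPLE_NBNS))
    for ip, mac, hint in quiet:
        note = f"  (VM: {hint})" if hint else ""
        print(f"{ip:15} {mac}{note}  -- no NetBIOS traffic seen")
```

In the constructed network both 192.168.1.1 (the gateway, a router that simply has no NetBIOS) and 192.168.1.50 (a VMware guest that stays silent) come out as candidates; only the second deserves a closer, passive look. Listen for long enough, at least through a reboot or a workgroup election cycle, before you conclude that a host is silent rather than merely quiet.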