I’d like to announce the 1.0 release of the server-side, low-interaction honeypot Glutton!
We have built Glutton as a versatile honeypot, capable of receiving any network traffic by accepting connections on any port. Being very easy to adapt and extend, Glutton is a fantastic tool to understand network threats.
This year has been a Christmas more tough than usual for a lot of people. The Covid pandemic is rising again all over the world, the security analysts are facing one of the worst ever found software vulnerabilities (referring to Log4j CVE-2021-44228), and so on.
With the goal to help all the community during these hard times, recently we have been working to a new project, called GreedyBear, that you can find on Github.
I am passionate about Network Security, Cybersecurity, and programming, and I wanted to get involved with a project that includes it all.
HosTaGe project drew my attention because I found it really fascinating the idea that any android device can be turned into a honeypot and be transformed into an essential tool for attack detection.
I wanted to work on this project because it allowed me to improve this new generation of mobile honeypots and consequently improve the security of the internet in general.
The Conpot team is following closely the latest developments in Honeypot research and the methods and technologies used. If you look at the topics presented on security conferences, you might have also noticed an increased interest in ICS security and honeypot technologies in the last two years. One presentation from this years Blackhat’15 conference caught my attention also knowing previous research done by Kyle and Stephen: “The little pump gauge that could: Attacks against gas pump monitoring systems” [link] If you are interested in their findings, I recommend their white paper: “The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems“ [link, pdf] by Kyle Wilhoit and Stephen Hilt from Trend Micro’s Forward-Looking Threat Research team.
TL;DR: Low interaction honeypots are designed to emulate vulnerable services and potentially detect attacks without exposing full operating system functionality. Although they have evolved in many ways over the past 15 years, understanding their limitations and sometimes inherent design weaknesses is important when you consider deploying them. Understanding the history of attempted honeypot detection and evasion allows system defenders to improve their continued use of honeypots and hopefully helps makes all of our networks safer.
Lukas Rist is a software engineer with Blue Coat Norway where he develops behavioral malware analysis systems. In his spare time, he works on web application and ICS/SCADA honeypots and botnet monitoring tools under the umbrella of the Honeynet Project where he is also a Director. He recently developed an interest in deployment automation, ephemeral file systems and exotic industrial communication protocols.
1) What was your motivation to enter Information Security field, and who inspired and helped you along the way?
A few days ago I was contacted by our CPRO, Leon van der Eijk, and asked to write a blog post about my own project called Bifrozt; something which I was more than happy to do. :) This post will explain what Bifrozt is, how this got started, the overall status of the project and what will happen further down the road.
What is Bifrozt? Generally speaking, Bifrozt is a NAT device with a DHCP server that is usually deployed with one NIC connected directly to the Internet and one NIC connected to the internal network. What differentiates Bifrozt from other standard NAT devices is its ability to work as a transparent SSHv2 proxy between an attacker and your honeypot. If you deployed a SSH server on Bifrozt’s internal network it would log all the interaction to a TTY file in plain text that could be viewed later and capture a copy of any files that were downloaded. You would not have to install any additional software, compile any kernel modules or use a specific version or type of operating system on the internal SSH server for this to work. It will limit outbound traffic to a set number of ports and will start to drop outbound packets on these ports when certain limits are exceeded.
The team working on the ICS/SCADA honeypot Conpot, just merged in a more mature support for STIX (Structured Threat Information eXpression) formatted reporting via TAXII (Trusted Automated eXchange of Indicator Information) into the master branch on Github.
STIX allows us to represent event sessions captured by the honeypot in a structured format, which eases the integration of Conpot into existing consumer (e.g. SIEM) infrastructures.
By transforming an arbitrary honeypot event into a schema defined format, we are able to communicate an incident in a language, which is also understandable by someone not trained in interpreting industrial protocol messages.
It is my great pleasure to announce that HoneyDrive 3 is here, codenamed Royal Jelly!
For those in need of a more official description or for people that haven’t heard of HoneyDrive before, here is one:
HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.
SHIVA (Spam Honeypot with Intelligent Virtual Analyzer) is an open-source, high interaction spam honeypot developed in Python2.7 and is released under GNU GPL v3.
SHIVA provides the capability of collecting and analyzing all spam thrown at it. Analysis of data captured can be used to get information on phishing attacks, scamming campaigns, malware campaigns, spam botnets, spammers identity etc. Following are the features which describes the functionality of SHIVA:
Intelligence: A lot of research has been done to develop SHIVA and to counter the techniques used by spammers. There are lots of counter techniques and workarounds that SHIVA uses to pose itself as an authentic open relay SMTP host. These techniques have been researched and deduced from spam analyzed by SHIVA and from the spammers themselves.