Luring Attackers with Defnet HoneyPot (Honeypot Technology)

Source: Internet
Author: User

Webmasters are often attacked, and afterwards they are left confused about why they were compromised and how their website was hacked. This is the most common problem I hear about from webmasters. Their second thought is how to repair the damage and how to delete the web trojan. As a result, the only measures they take are after-the-fact repairs. I think we should sometimes take the initiative instead of always being passive, so today I will introduce honeypot technology.

Simulated environment:

Virtual machine A IP address: 192.168.1.10 (honeypot system)

Virtual machine B IP address: 192.168.1.6 (attack host)

I. Creating a honeypot to counter attackers

1. Software Introduction

"Defnet HoneyPot 2004" is a well-known honeypot system that simulates a "defective" computer and waits for malicious attackers to take the bait. The system simulated by Defnet HoneyPot resembles a real system, but it is a trap for malicious attackers. The trap does not stop them; it only records what commands they executed, what operations they performed, and what attack tools they used. From the trap's logs we can learn about attackers' habits, obtain sufficient evidence of the attack, and even counterattack.

2. Setting the trap

Defnet HoneyPot is portable ("green") software that can be used directly after downloading, without installation. It is easy to set up, and it is more deceptive and more realistic in its simulation than other honeypots.

(1). Setting up the virtual system

Run Defnet HoneyPot. On the right side of the main interface, click "HoneyPot" to bring up the settings dialog box. In this dialog box you can simulate the services that a conventional website provides, such as Web, FTP, SMTP, Finger, POP3, and Telnet.

For example, to simulate an FTP server, select the "FTP Server" check box for that service and grant malicious attackers "Full Access" permissions. The "Directory" item specifies the decoy file directory that is presented to them.

  

Figure 2


In the "Advanced" settings of "Finger Server", you can set up multiple users. The "admin" user is disguised as an administrator: its prompt message is "administrator", that is, a user in the administrators group, and up to 40 malicious attackers are allowed to connect as this user at the same time.

 

Figure 3


In the advanced settings of "Telnet Server", you can also fake the drive, volume, serial number, directory creation time, directory name, free space in bytes, MAC address, and NIC type.

In this way, the virtual system looks more authentic.

(2). Behind-the-scenes monitoring

After the honeypot has been set up, click the "Monitore" button on the HoneyPot main program interface to start monitoring malicious attackers. When someone attacks our system, they land in the honeypot we have set. The left window of HoneyPot shows clearly what the malicious attackers are doing and what operations they have performed.

 

Figure 5


For example, the information displayed in the honeypot is as follows:

(9:20:52) The IP 192.168.1.6 () tried invasion by telnet (CONNECTION)

(9:21:31) The IP 192.168.1.6 () tried invasion by telnet (USER administrator)

(9:21:53) The IP 192.168.1.6 () tried invasion by telnet (PASSWORD)

(9:22:21) The IP 192.168.1.6 () tried invasion by telnet (USER admin)

(9:22:42) The IP 192.168.1.6 () tried invasion by telnet (PASSWORD)

(9:23:08) The IP 192.168.1.6 () tried invasion by telnet (USER root)

(9:23:29) The IP 192.168.1.6 () tried invasion by telnet (PASSWORD)

The invasor disconnected from the telnet server

(9:23:58) The IP 192.168.1.6 () tried invasion by telnet (CONNECTION)

(9:24:22) The IP 192.168.1.6 () tried invasion by telnet (USER root)

(9:24:44) The IP 192.168.1.6 () tried invasion by telnet (PASSWORD root)

(9:25:08) The IP 192.168.1.6 () tried invasion by telnet (dir)

(9:25:41) The IP 192.168.1.6 () tried invasion by telnet (cd files)

(9:26:20) The IP 192.168.1.6 () tried invasion by telnet (net user)

(9:26:49) The IP 192.168.1.6 () tried invasion by telnet (net user)

(9:27:38) The IP 192.168.1.6 () tried invasion by telnet (net user asp $ test168/add)

(9:28:32) The IP 192.168.1.6 () tried invasion by telnet (net u)

(9:29:12) The IP 192.168.1.6 () tried invasion by telnet (net localgroup administrators asp $/add)

(9:29:36) The IP 192.168.1.6 () tried invasion by telnet (exit)

From this information, we can see that the attacker first tried to Telnet to the server as administrator, admin, and root with empty passwords, and access failed. The attacker then reconnected to the system as the root user with the password root, ran the dir command to view the directory, and created a user named asp $ with the password test168, which was then added to the administrators group. What the attacker did is clear, and we have captured all of this information.
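The same reading of the log can be automated. The following Python code is an added example, not part of the original article or of Defnet HoneyPot: it parses monitor lines in the format shown above, abridged here into a sample, and reports the credentials tried, the pair that appears to have been accepted, and any account-creation or administrator-group commands. The rule that a command directly after a USER/PASSWORD pair means the pair was accepted is an assumption drawn from this excerpt, and the function name and rule labels are hypothetical.

```python
import re

# Sample input: lines abridged from the monitor output quoted in the article.
SAMPLE_LOG = """\
(9:20:52) The IP 192.168.1.6 () tried invasion by telnet (CONNECTION)
(9:21:31) The IP 192.168.1.6 () tried invasion by telnet (USER administrator)
(9:21:53) The IP 192.168.1.6 () tried invasion by telnet (PASSWORD)
The invasor disconnected from the telnet server
(9:23:58) The IP 192.168.1.6 () tried invasion by telnet (CONNECTION)
(9:24:22) The IP 192.168.1.6 () tried invasion by telnet (USER root)
(9:24:44) The IP 192.168.1.6 () tried invasion by telnet (PASSWORD root)
(9:25:08) The IP 192.168.1.6 () tried invasion by telnet (dir)
(9:27:38) The IP 192.168.1.6 () tried invasion by telnet (net user asp $ test168/add)
(9:29:12) The IP 192.168.1.6 () tried invasion by telnet (net localgroup administrators asp $/add)
(9:29:36) The IP 192.168.1.6 () tried invasion by telnet (exit)
"""

EVENT = re.compile(
    r"^\((\d{1,2}:\d{2}:\d{2})\) The IP (\S+) \(.*?\) tried invasion by (\w+) \((.*)\)$")
# Hypothetical alert rules for the persistence steps seen in the excerpt.
RULES = [
    ("local account created", re.compile(r"\bnet\s+user\b.*/add", re.I)),
    ("account added to administrators",
     re.compile(r"\bnet\s+localgroup\s+administrators\b.*/add", re.I)),
]

def analyze(log_text):
    """Per source IP: credentials tried, the pair inferred as accepted, commands, alerts."""
    report = {}
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # e.g. the disconnect notice, which carries no IP or timestamp
        when, ip, service, payload = m.groups()
        r = report.setdefault(ip, {"user": None, "pending": None, "attempts": [],
                                   "accepted": None, "commands": [], "alerts": []})
        word, _, rest = payload.partition(" ")
        if payload == "CONNECTION":
            r["user"] = r["pending"] = None
        elif word == "USER":
            r["user"], r["pending"] = rest, None
        elif word == "PASSWORD":
            r["pending"] = (r["user"], rest)
            r["attempts"].append(r["pending"])
        else:
            # Assumption: a command directly after USER/PASSWORD means that pair was accepted.
            if r["pending"] and r["accepted"] is None:
                r["accepted"] = r["pending"]
            r["commands"].append(payload)
            r["alerts"] += [(when, service, label) for label, rx in RULES if rx.search(payload)]
    return report
```

Calling analyze(SAMPLE_LOG) returns one entry keyed by the attacking IP, with the alerts in the order they occurred.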
