PS: First of all, I would like to thank xianniu for the good popular-science write-up. The reason I am recording this is that a certain expert posted a screenshot in the WinEggDrop group.
Isn't a 3389 terminal service on Linux amazing? With that doubt in mind, tiniu gave me a popular-science article, so I ended up with the following. As per the old rules, if there are any mistakes, you are welcome to point them out and exchange ideas ~
From & thx 2: http://samsclass.info/123/proj10/rdp-honeypot.htm
0x01 Goal
The MS12-20 vulnerability has been very popular recently (by now it seems to have cooled off a bit). Large numbers of gray hats are frantically developing and testing exploits, and a worm is also expected.
That makes an RDP honeypot on port 3389 a great way to collect all of those tools, because there is a lot of interesting stuff to catch there.
Next we introduce a very simple way to build an RDP honeypot on Linux. Please note, however, that I cannot guarantee it is safe enough, so we recommend running it on a VPS such as Amazon's free EC2 tier, with nothing sensitive on it that an attacker would want.
0x02 Reading
Getting a Free AWS Server: samsclass.info/121/proj/pX8-121-AWS.html
SSH Honeypot: samsclass.info/121/proj/pX9-121-AWS-honeypot.html
Packets Captured on My RDP Honeypot: aws.samsclass.info/rdplog.txt
Demonstration of the MS12-20 RDP DoS Attack: samsclass.info/123/proj10/MS12-20-DoS.html
0x03 Initial steps
Open the SSH service of your VPS and run the following command:
sudo yum install gcc make pam-devel openssl-devel vnc-server libtool libX11-devel libXfixes-devel curl tcpdump -y
wget -O xrdp-0.5.0.tar.gz "http://sourceforge.net/projects/xrdp/files/latest/download?source=files"
tar xzf xrdp-0.5.0.tar.gz
cd xrdp-0.5.0
./bootstrap
./configure
make
sudo make install
sudo /usr/local/sbin/xrdp
You should see a message such as "Process 18076 started OK."
Run the following command to check the port information:
netstat -an | grep 3389
Now you can see that port 3389 is in the LISTEN status.
0x04 Open the port in the firewall
For more information, see the help documentation of Amazon VPS.
https://console.aws.amazon.com/ec2
(I won't translate that part here, since it isn't really general... other Linux VPSes work just as well...)
0x05 Start recording packets
We use tcpdump to record all RDP packets for later analysis.
Run the following commands:
cd
sudo tcpdump -l -i eth0 -vvX tcp port 3389 > /var/www/html/rdplog.txt &
Press Enter and you will be returned to the prompt. (The -l flag line-buffers tcpdump's output, so the log file grows as packets arrive instead of only when the output buffer flushes.)
0x06 Test the honeypot with Nmap
Installing Nmap is skipped here. If the Nmap scan succeeds, the service fingerprint identifies port 3389 as a terminal service.
0x07 View packets
The tcpdump output is saved under Apache's web root, so you can view it on the website. Now you can see what the attackers have done to your terminal service.
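As an added example (not from the original post or from samsclass), a small Python parser for the `tcpdump -vvX` format that rdplog.txt is written in: it counts SYNs per source to port 3389 and flags X.224 Connection Requests, pulling the username out of any `mstshash` cookie. The sample log is constructed; `tcp_payload`, `parse_tcpdump` and `summarize_rdp_log` are names chosen here.

```python
import re
from collections import Counter
# Constructed sample in `tcpdump -vvX` format (not from the real rdplog.txt): one X.224 connection request with an mstshash cookie, then two SYNs from a second source.
SAMPLE_LOG = """\
12:00:01.000002 IP (tos 0x0, ttl 52, id 2, offset 0, flags [DF], proto TCP (6), length 75)
    192.0.2.10.51000 > 10.0.0.5.3389: Flags [P.], cksum 0x0000 (correct), seq 1:36, ack 1, win 229, length 35
\t0x0000:  4500 004b 0002 4000 3406 0000 c000 020a  E..K..@.4.......
\t0x0010:  0a00 0005 c738 0d3d 0000 0001 0000 0001  .....8.=........
\t0x0020:  5018 00e5 0000 0000 0300 0023 1ee0 0000  P...............
\t0x0030:  0000 0043 6f6f 6b69 653a 206d 7374 7368  ...Cookie:.mstsh
\t0x0040:  6173 683d 6164 6d69 6e0d 0a               ash=admin..
12:00:02.000003 IP (tos 0x0, ttl 48, id 3, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.40000 > 10.0.0.5.3389: Flags [S], cksum 0x0000 (correct), seq 0, win 65535, length 0
12:00:03.000004 IP (tos 0x0, ttl 48, id 4, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.40000 > 10.0.0.5.3389: Flags [S], cksum 0x0000 (correct), seq 0, win 65535, length 0
"""
TCP_LINE = re.compile(r'^\s+(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]')
HEX_LINE = re.compile(r'^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} ?){1,8})')  # hex groups before the ASCII column
COOKIE = re.compile(rb'Cookie: mstshash=([^\r\n]*)')

def tcp_payload(pkt):
    # Strip the IPv4 and TCP headers (-X dumps start at the IP header); b'' if the headers are not complete
    if len(pkt) < 40:
        return b''
    ihl = (pkt[0] & 0x0f) * 4
    return pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]

def parse_tcpdump(text):
    # Group each packet into {src, dport, flags, hex}; the "IP (tos ...)" summary lines are skipped
    packets = []
    for line in text.splitlines():
        if m := TCP_LINE.match(line):
            packets.append({'src': m.group(1), 'dport': int(m.group(4)), 'flags': m.group(5), 'hex': ''})
        elif packets and (h := HEX_LINE.match(line)):
            packets[-1]['hex'] += h.group(1).replace(' ', '')
    return packets

def summarize_rdp_log(text, port=3389):
    # Count SYNs per source and RDP connection requests (with any cookie username) aimed at `port`
    syns, conn_reqs, cookies = Counter(), Counter(), []
    for p in (q for q in parse_tcpdump(text) if q['dport'] == port):
        if p['flags'] == 'S':
            syns[p['src']] += 1
        payload = tcp_payload(bytes.fromhex(p['hex']))
        # TPKT version 3 with X.224 code 0xE0 at offset 5 marks a Connection Request
        if len(payload) > 5 and payload[0] == 3 and payload[5] == 0xE0:
            conn_reqs[p['src']] += 1
            if c := COOKIE.search(payload):
                cookies.append((p['src'], c.group(1).decode('ascii', 'replace')))
    return {'syn': dict(syns), 'conn_req': dict(conn_reqs), 'cookies': cookies}
```

Run it against the real log with `summarize_rdp_log(open('/var/www/html/rdplog.txt').read())`; a source with many SYNs and no connection request is typically a scanner, while a cookie shows which account name a client presented.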
Source: http://forums.fedoraforum.org/showthread.php?t=193101
From: DarkRay's BLoG