Honeypots

Name:

Reg No:
Table of Contents

- Introduction
- What is a Honeypot
- Types of Honeypot
- Environment for Designing
- Implementing the Honeypot
- Result
Abstract
Every day more and more people worldwide use the web; it has become part of everyone's life. People check their email, browse, buy goods, play online games, pay bills and so on. Yet while they are doing these things, how many of them are actually safe? Are they alert to the danger of attacks and malicious software? Some malicious software keeps circulating within the network and creates numerous threats for users. How many users know that their computers are often used as zombie computers to target other victims' systems?

As technology grows faster, new attacks emerge. Security is a crucial factor in eliminating these problems. In this thesis we create a real-life scenario using honeypots. A honeypot is a well-designed program that attracts hackers to it. By enticing a hacker into the system, it is possible to watch the processes that start and run within the system while the hacker is inside it.

In other words, the honeypot is a trap machine that looks like a real system in order to draw in an attacker. The aim of the honeypot is to analyse, understand, monitor and track the behaviour of hackers so as to build safer systems. A honeypot is a good way to improve the knowledge of network security managers and to learn how to extract information from the victim's system using forensic tools.

Honeypots are also very useful for keeping track of future threats and attacks on new technologies.
Introduction
An intruder can be described as someone who tries to break into an existing computer system. This identity is also referred to as a hacker, black hat or cracker. The number of computers connected to networks and to the Internet is increasing daily. Combined with the rise in communication speed, this has made securing entry points a challenge. System administrators now must handle a large number of systems connected to networks that provide a range of services. The challenge here is not only to be able to monitor all the processes but also to react quickly to different events. Intrusion detection usually involved a defensive reaction in which dedicated systems such as firewalls or host-based access control systems were intended to detect or prevent an attack.

These systems existed as part of commercial/operational networks and used strategies such as pattern matching or anomaly detection. Another type of security system is the system integrity checker, which is generally host-based. The problem these programs face is that they run on computers which are used on a daily basis. These systems often need to handle a large number of connections and data transfers, which result in large log files and make it difficult to differentiate between normal traffic and actual intrusion attempts. Many of these programs are known for generating a large number of false positives. Additionally, these programs provide little insight into the tools and methods used by the black-hat community. An external attack is an attack by someone who is not a member of the organization.
Often an attacker is a criminal who intends to cause harm. Such hackers can be split into two types: one who profits from the intrusion and another who, out of curiosity, tries to research system security. The first type is more commonly called a "cracker". Crackers attack websites or web servers in an attempt to obtain important information such as credit card or Social Security details. Some try to tarnish the image of a government or restrict the use of a public service and may be driven by political motives. The second type is the "hacker", who can again be divided into two kinds: a really intelligent one who is a programmer, and the "script kiddie".

A wise internet hacker is one who reads protocols and algorithms and tries to detect risks in them. There is nothing wrong with that, although his curiosity and intentions are often criticized by many security analysts as reckless behaviour. A "script kiddie" is an intruder with limited abilities who uses automated programs or abuses code downloaded from the Internet. The "script kiddie" is one of the reasons why "security through obscurity" will not work. Even if you think you are hidden in the world because you do not advertise any services, the main objective of this hacker is to compromise as many systems as possible.

With the help of easy-to-use tools that scan many IP addresses searching for a computer to compromise, networks face an even greater threat, because all the attackers need to do is compromise one non-essential system within the network and use it to attack the most important systems.
The concept is to deceive the intruder by making the honeypot appear to be a legitimate system. Honeypots are usually virtual machines that mimic real machines by pretending to run functional services with open ports, services that someone would find on a typical network machine. These fake services are designed to draw the attention of attackers so that they spend the precious time and resources they would otherwise use to exploit the machine, while the attacker is monitored and recorded inside the honeypot.

The aim of these systems is to provide programs or services that mislead the attacker. Such systems help to learn the methods used by attackers and can also be seen as a deception that diverts hackers from real programs and services. Honeypots are often classified as deception systems. The definition of a honeypot is "a security resource whose value lies in being probed, attacked or compromised". Honeypots are often used as data collection tools that can be used to enforce and strengthen existing access control devices or network perimeters. Honeypots should not be considered a network security solution; they must be seen as an aid to it. We look at the reasons behind deploying honeypots, their use and security, and the legal issues involved. We also observe the formation of the honeypot network and present some analysis that builds on the knowledge collected from it.

We conclude by presenting a survey of existing honeypot technology. In this thesis we look at a new concept of honeypots and their use in intrusion detection systems. As part of the thesis project a network of honeypots was designed and used. The honeypots were kept online for some time and all network communications and related events were recorded and analysed.
What is a Honeypot?
As security researchers put it, "a honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource". A honeypot is a tool with no authorized use, so any interaction with it is considered to have malicious intent. We already know firewalls and Intrusion Detection and Prevention Systems (IDPS) as network security measures; however, the honeypot offers something different. Kaur, Malhotra and Singh argue that a firewall logs all traffic and collects as much information as the administrator can gather, which is hard to analyse; a honeypot, however, logs only attacks on the host, and Joshi and Sardana state that small data sets are easy to manage and analyse. Honeypots have a range of applications depending on the kind of knowledge about attacks we want to gather. For that reason the definition of a honeypot may not always be the same.

“The honeypot is the most significant source of security for research, being attacked or threatened.”

This description says that the honeypot is a tool to entice intruders into believing they are dealing with a real system or real user that they may compromise to gain some kind of benefit. In most cases, however, it is a dedicated system intended to mislead the intruder and expose the actions he usually performs during a system attack. Analysis of the collected traces is useful in understanding such behaviour and designing appropriate countermeasures that protect not only researchers but especially normal users from threats and intruders.
Types of Honeypot

Based on design and deployment, there are two main forms of honeypots:
production and research.

Research honeypots
perform close analysis of hacker activity and aim to discover how hackers develop and progress, in order to learn how to better protect systems against them. Data placed in a honeypot with unique identifying properties can also help analysts track stolen data and identify connections between different participants in an attack.

Production honeypots
are usually deployed inside production networks alongside production servers; the honeypot acts as a decoy, drawing intruders away from the production network as part of the intrusion detection system (IDS). A production honeypot is designed to look like a genuine part of the production network and contains information to attract and occupy hackers so that they waste their time and resources. This approach ultimately gives administrators time to assess the threat level and mitigate any vulnerabilities in their actual production systems.
Honeypots can also be classified as pure, high-interaction or low-interaction:

Pure honeypots
are full-fledged production systems that monitor the honeypot's link to the network. They are the most complex and difficult to maintain, but they also appear most realistic to attackers, complete with mock confidential files and user information.

High-interaction honeypots
imitate the activities of production systems, hosting a range of services and capturing extensive information. The goal of a high-interaction honeypot is to entice an attacker to gain root (administrator-level) access to the server and then monitor the attacker's activity.

Low-interaction honeypots
simulate the most common attack vectors on the network: the services attackers frequently request. Therefore they are less risky and easier to maintain. They do not expose the underlying system to malicious users. The downside of this kind of honeypot is that it is more likely to appear fake to an attacker. Low-interaction honeypots are good for detecting attacks from bots and malware.
Environment for Designing
Honeypots may be deployed in a range of environments. That might be a virtual environment or the use of hardware simulation software. Another idea is to install the honeypot directly on the operating system of a physical computer, but this approach is very bad. The drawback appears immediately after the computer is infected with any Trojan horse.

Because no quick and easy-to-use option to restore a healthy previous state is available, re-installation of the complete operating system and all services becomes a necessity. A strategy that skips reverting to a tabula rasa before moving on to the next website is out of the question, because the ability to identify the risks of the subsequent website has then changed and a threat may be missed.

This course of action is very time- and energy-consuming. It is not absurd at all, though, because a virtual environment can be detected (e.g. by checking system registry keys or running processes), which can stop the attack from starting. This is one of the ways attackers have tried to avoid analysis, because it is not uncommon for the average user to browse the web from a virtualized OS. The virtual environment nevertheless seems very useful for honeypots. It has several advantages that make honeypot deployment easier and more practical. Most notable is the simple automation of changes. Moreover, the number of settings or different configurations we can use is just as achievable, and saving time, work and resources is a very important benefit as well.

Honeypots range from a single system up to distributed networks of honeypots known as honeynets. Because the aim of the honeypot is to get infected and collect information about malware, good management of the computer systems is crucial. As malware is able to leave invisible tracks, restoring a healthy state is an obligation, otherwise the abilities of the honeypot may be compromised. Virtualization tools change the situation by using stored system snapshots. It is an automatic process and far faster than manual recovery. Today several virtualization tools are available, e.g. VMware, VirtualBox, User-Mode Linux. Whether any virtualization tool is used in the honeypot solution depends on the honeypot controller or developer.
Implementing the Honeypot
For the honeypot implementation we use Python sockets, implementing the following methods.

import socket
import sys

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    # connect() on a UDP socket sends nothing; it only selects the outbound
    # interface, whose address is the system IP the fake servers bind to
    sock.connect(("8.8.8.8", 80))
    return_ip = sock.getsockname()[0]
except OSError:
    print("NO Internet Connection")
    sys.exit()

These lines check the Internet connection. If the connection succeeds, the system IP is read from the local address of the UDP socket; otherwise "No Internet Connection" is printed and the program exits.

The HTTP Python function starts a fake HTTP server on the system IP and port 80 (HTTP). If the attacker opens our system IP in any browser, a fake FTP login page is shown. The attacker logs in with a random username and password. After login the HTTP server sends a fake file list to the attacker and records attacker information such as the attacker IP, attacker port, User-Agent, device name etc.
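The decoy described above, written out as an added example (this is not the report's own HTTP function): a low-interaction HTTP listener that serves a constructed login form, answers a POSTed login with a constructed fake file list, and records the fields the report lists (IP, port, User-Agent, username, password) in an http.log line. The page content, the log format and the function names are assumptions of this example.

```python
import socket
import urllib.parse
from datetime import datetime, timezone

# Constructed decoy content: the login form and the fake file list shown after a login.
LOGIN_PAGE = (b"<form method='POST'><input name='username'>"
              b"<input name='password' type='password'><button>Login</button></form>")
FAKE_FILES = b"index.html\nbackup.sql\npasswords.txt\n"

def parse_http_request(raw: bytes, peer: tuple) -> dict:
    """Pull the fields the honeypot logs (IP, port, User-Agent, credentials) from one request."""
    head, _, body = raw.decode("utf-8", "replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, sep, v in (l.partition(":") for l in lines[1:]) if sep}
    form = urllib.parse.parse_qs(body)          # username=...&password=... from the form
    return {"ip": peer[0], "port": peer[1], "request": lines[0],
            "user_agent": headers.get("user-agent", ""),
            "username": form.get("username", [""])[0],
            "password": form.get("password", [""])[0]}

def build_response(event: dict) -> bytes:
    """A POST (a login attempt) gets the fake file list; anything else gets the form."""
    body = FAKE_FILES if event["request"].startswith("POST") else LOGIN_PAGE
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\nConnection: close\r\n\r\n" + body)

def log_line(event: dict) -> str:
    """One http.log line, mirroring the report's ssh.log / ftp.log files."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return (f"{ts} ip={event['ip']} port={event['port']} ua={event['user_agent']!r} "
            f"user={event['username']!r} pass={event['password']!r}")

def make_listener(host: str = "0.0.0.0", port: int = 80) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # port 80 needs root
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port)); srv.listen(5)
    return srv

def handle_one(listener: socket.socket, log_path: str = "http.log") -> dict:
    """Accept one client, answer it, append a log line and return the event."""
    conn, peer = listener.accept()
    with conn:
        conn.settimeout(5)                                  # do not let a slow client hang us
        event = parse_http_request(conn.recv(4096), peer)   # a login request fits in one read
        conn.sendall(build_response(event))
    with open(log_path, "a") as fh:
        fh.write(log_line(event) + "\n")
    return event
```

Calling handle_one in a loop (in its own thread, as the report does with Thread) gives the HTTP decoy; the SSH, FTP and MSSQL decoys would each need their own protocol handling.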

The SSH protocol is meant to offer the user a secure method of connecting to a system, to log in or use other services on a system, over an insecure network. The SSH protocol uses a three-step process to form the secure session; these steps are the SSH transport layer, SSH user authentication and SSH connection protocols. These steps are sub-protocols, each running on top of the previous one, that together form the SSH tunnel. The transport layer is the first sub-protocol when creating an SSH session: it uses TCP/IP to connect to port 22 of the server in order to provide authentication of the server and the key exchange. After the initial connection there is a protocol-identification exchange so that both parties know they are using the same protocol, SSH version 2 for example. The key exchange algorithm is then negotiated between the client and server, and the key exchange itself takes place using the agreed algorithm.

In this honeypot the SSH Python function starts a fake SSH server on your system IP and port 22 (SSH) and waits for incoming connections. If any attacker scans our system IP or tries to connect to SSH, the attacker's information is captured by this function and saved in the ssh.log file.
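As an added example (not the report's SSH function), here is the server side of the protocol-identification exchange just described, the first thing an SSH client sends after connecting to port 22: the decoy sends its own identification string, reads the client's, and turns it into the record an ssh.log entry would hold. The banner text, the record fields and the function names are assumptions of this example; no key exchange follows, because a low-interaction decoy only needs to know who connected and what software they claimed to run.

```python
import socket
from datetime import datetime, timezone

SERVER_ID = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"   # constructed banner, any string works

def read_client_identification(conn: socket.socket, limit: int = 255) -> bytes:
    """Read CRLF-terminated lines until one starts with 'SSH-'. RFC 4253 lets a
    client send other lines first, which the server must ignore; the 255-byte
    cap stops a client from feeding us an endless line."""
    line = b""
    while len(line) <= limit:
        ch = conn.recv(1)
        if not ch:
            break                          # peer closed before identifying
        line += ch
        if line.endswith(b"\r\n"):
            if line.startswith(b"SSH-"):
                return line[:-2]
            line = b""                     # pre-identification chatter, skip it
    return line                            # incomplete or oversized: parse fails

def parse_identification(ident: bytes) -> dict:
    """Split 'SSH-protoversion-softwareversion SP comments' into log fields."""
    text = ident.decode("ascii", "replace")
    parts = text.split("-", 2)
    if len(parts) < 3 or parts[0] != "SSH":
        return {"valid": False, "raw": text}
    software, _, comments = parts[2].partition(" ")
    return {"valid": parts[1] == "2.0", "protocol": parts[1],
            "software": software, "comments": comments, "raw": text}

def ssh_decoy_handle(conn: socket.socket, peer: tuple) -> dict:
    """Server side of the identification exchange; returns the ssh.log record.
    No key exchange follows: the decoy only wants to know who knocked."""
    conn.sendall(SERVER_ID)
    ident = read_client_identification(conn)
    record = {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "ip": peer[0], "port": peer[1]}
    record.update(parse_identification(ident))
    conn.close()
    return record

if __name__ == "__main__":
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("0.0.0.0", 22))              # port 22 needs root; use 2222 to try unprivileged
    srv.listen(5)
    while True:
        conn, peer = srv.accept()
        print(ssh_decoy_handle(conn, peer))
```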

The MSSQL Python function starts a fake MSSQL server listening on your system IP and port 1433 (MSSQL). If any attacker connects to this fake server, the function sends a random database to the attacker and captures the attacker's information, which is saved in the mssql.log file.

The FTP Python function starts a fake FTP (File Transfer Protocol) server on the system IP and port 21 (FTP). If an attacker connects to this FTP server, it asks for a username and password. The attacker fills in a random username and password, the connection is accepted by this FTP server, and all the attacker information is saved in the ftp.log file.

from threading import Thread

# one thread per fake server, so the four accept loops run side by side
HTTP_SERVER = Thread(target=HTTP)
SSH_SERVER = Thread(target=SSH)
FTP_SERVER = Thread(target=FTP)
MYSQL_SERVER = Thread(target=MSSQL)
HTTP_SERVER.start()
SSH_SERVER.start()
FTP_SERVER.start()
MYSQL_SERVER.start()

These lines run all the fake servers in parallel using threading, so that each decoy's blocking accept loop runs at the same time as the others.
Result
The honeypots were never put at risk, so we could still see every entry attempt, and they recorded enough data to show that computers today are not safe from attackers. This honeypot catches attackers when they attack our system and saves all the attacker information in log files. The following information is captured by this honeypot:

- Attacker IP
- Attacker PORT
- Attacker User-Agent
- Attacker Device
- Username entered by Attacker
- Password entered by Attacker

References
- “Developments of the Honeypot”, https://lira.epac.to/DOCS-TECH/Security/Honeypots/Honeypots%20-%20Tracking%20Hackers.pdf
- https://thesai.org/Downloads/Volume7No5/Paper_18-SSH_Honeypot_Building_Deploying_and_Analysis.pdf
