Static Low-interaction Honeypots

I love honeypots. They are so much fun. I haven’t run one in a very long time: the reason is that a while back (almost a decade now) I had a high-interaction honeypot that was compromised, and what I saw was scary. Not that the attacks were all that interesting, but what else they had compromised made me worried. Enough said.

But recently, I have been putting a lot of time and thought into production honeypots: low-interaction systems with minimal attack surface that can act as an early warning of a real attack. Research honeypots are fun, but allowing actual compromises, keeping them contained, and doing forensics is a lot of work. My interest at this point is more tactical than academic. There are a lot of really cool honeypot systems out there, but I wanted to get practice building custom web application honeypots. The premise is to create a static mirror of a website and introduce either simulated or previously well-known vulnerabilities. Then, knowing exactly which vulnerabilities exist, monitor for only those, and automate whatever measures are appropriate, like DNAT-ing the attacker to a shadow network away from valuable targets. It’s not a new idea: I wrote a paper on what I then called “bait and switch honeypots” in 1999.

SLowDeATH: Realistic Web-Application Honeypots with only static HTML and NGinX Rewrite Rules

As part of this, I have released a few of the “generic” applications I have created simulations of and have made them available as a project called SLowDeATH (Static Low-interaction Deceptive Attack Target Honeypots) on GitHub.

Right now I have only released two example configurations, Umbraco 4.7 and Tomcat 5.5, and (at the time of writing this, at least) there is a live system you can look at on the Internet: Umbraco Honeypot and Tomcat Honeypot.

[Image: attack vs honeypot]

Here’s the project’s README from GitHub:

Read full post →

Code Highlighting in MacOS Using Services

Update July 7, 2014: Since so much in MacOS is done in Unicode, it’s possible that the highlighting code won’t work. I am updating the examples below so that only ASCII characters are passed into the scripts by prepending:

    LANG=C tr -cd '\11\12\15\40-\176' |

Un-highlighted code looks awful in documentation

I write a lot of documentation, and not always in a markup language where code highlighting is just a tag away. Getting nicely formatted code into Word, Pages, and Curio can be inconvenient. There is a pretty slick way to handle it in MacOS that can save time. Because MacOS offers “Services” in the menu for each application, it is trivial to create a service that will reformat the clipboard’s contents as syntax-highlighted rich text.

Read full post →

Pentesting With Kali

Review: Penetration Testing With Kali Linux

The web page for the class states “Penetration Testing with Kali Linux is an entry-level course …” For a few years I had ruled out taking the PWB (now PWK) class specifically because of that statement. I was also told on good authority that I would be done with the class in only a few days. I thought, okay, whatever, maybe I’ll pick something up, but at least I get a few CPEs in the process to feed the other cert that I’ve bothered to maintain. I came into this class seriously underestimating what it was all about.

So, about the course. The material is good, better than most: you receive a (PDF) book and a series of videos, and you are also provided RDP access to a Windows client in the lab for working on some of the exercises. The exercises are very clear, and if you pay attention and follow along, you will be writing your own exploits from scratch in no time. I was actually surprised at how easy and how clear they made some of the topics. But really, it is very much like any other training class. Until you get to the labs.

Read full post →

Wicked Cool Reverse Proxy With Bash and Netcat

There are a lot of guides out there that show how to do various cool tricks using netcat. One thing that I recently came across is the situation where I could execute a command on a remote system, but had no write permissions to the file system. There was a copy of nc on the host, and being an older Unix it only had bash 3 (though this technique also applies to later versions of bash). I put together this technique to get a reverse-proxy connection; I doubt this is anything new, but my searches didn’t turn anything up on how to do this, so I figure it’s worth sharing.

The goal was to be able to ssh into the machine, which was behind a firewall. It had outbound access on port 80 but was otherwise pretty restricted. No filesystem write access, older version of bash (no coprocesses),

FIFO redirection

Just about every example you can find on how to perform a reverse proxy connection with netcat makes the assumption that you can write a Unix FIFO (named pipe). Obviously, this requires creating a file, and without being able to do so it becomes difficult to get all of the I/O done right.

Read full post →

Goodbye Wordpress

Everything old is new.

Technology trends are cyclic, and sometimes we backtrack to ideas from the past that have fallen out of favor. Static site generators are a good example. They are starting to gain popularity again; the difference is that 10 years ago most sucked and looked pretty awful (also ironic is the trend of many sites returning to single-column text and minimal formatting; of course the fonts and layout are nicer than what we had in the mid-90s). I’ve decided to jump on the bandwagon too. I’m tired of dealing with scores of automated attacks, maintaining databases, PHP, blah blah blah … all for a site that 1) generates no revenue, 2) only has a few thousand visitors a month, and 3) I don’t contribute to on a regular basis.

Read full post →