Messing With Portscans With Honeyports (Cyber Deception)



Hello and welcome! My name is John Strand, and in this video, we’re going to be talking about tripwire Honeyports. Now, this is a lab that’s used in ADHD. This is the virtual machine that we use in my classes that we teach at Wild West Hackin’ Fest and also at Black Hat. But in this video, we’re going to be talking about how you can create a port on your computer system that as soon as an adversary interacts with that port it will automatically blacklist the IP address of said attacker.

Now in this particular situation, as always, all of the usage information is in this file on the desktop called ADHDusage.HTML. We’re using Annoyance, and specifically, we’re looking at HoneyPorts. Now, as I mentioned, the HoneyPort is designed so that if an adversary actually interacts with a specific port, it’s automatically going to blacklist the attacker’s IP address.

Now, it’s very common for people to freak out about this and say, “Well, an attacker can simply spoof a connection and then it would blacklist and DOS your entire environment.”

That’s not at all how that works. It’s not how any of this works. That’s just insane. Let me explain why.

If you’re looking at TCP/IP. The TCP/IP three-way handshake involves me sending you a SYN packet. All right? I’m going to send you a SYN packet, and if that port’s open, you’re going to respond back with the SYN-ACK.

Now, there’s these things called initial sequence numbers that are 32 bits long. Now what that means is there’s 4.27 billion and change possible values for that. Now, I send you a SYN with an initial sequence number, you acknowledge that initial sequence number by incrementing it by one, and then you start another sequence number. Then I acknowledge that sequence number by one, and then we communicate yet again through a series of ACKs.

What does this mean?

This means if an attacker was going to try to spoof a live system, they would have to spoof that system and they would have to guess a 32-bit number on the fly before that system that they’re spoofing responds back with a reset.

Point is, it’s really hard to do. Not impossible, it’s just mathematically improbable to do because this particular scenario with Honeyports, they only trigger in a full established connection to the port.

So let’s get started. Once again, we’re following the instructions on ADHD. I’m going to be using the terminal for this as always. I’m going to CD into the OPT directory, once again following the instructions right there. Let me zoom in.

We’re going to CD into opt/honeyports/cross-platform. This is the one written by Paul Asadoorian of Security Weekly. Then, once we are in Honeyports, we’re actually going to run the version 04a.py. So we got python2, and we’re going to do ./honeyports, and we do dot version 4.a.py, and we hit enter.

Now as soon as I hit enter, it’s going to throw an error.

Specifically, it’s asking for a port. Now the cool thing about this is it means that Honeyports in the script that Paul created is flexible. We can create any port that we want for it to actually listen. So if I hit up arrow, I’m going to give it the port 2222. Once again, totally not creative. We’ve got to give it the minus P. There we are, and now it’s listening on port 2222.

I also made another mistake. Once again, so, so many mistakes, you all.

I’m going to kill this again, and I’m going to run it as root.

The reason why is what Honeyports does is as soon as somebody makes a connection, it is going to create a rule in IP tables. In order to create a rule in IP tables, one must be root.

So now I’m running Sudu. We got python2, honeyports.py. We have the port. Let’s connect to it. I’m going to open up another terminal, and I’m going to simply netcat to port 2222. Go to 127.0.0.1 and port 2222. I hit enter. It says, “Thank you for connecting.”

Now if I kill this, and I try to connect again, you can see it doesn’t work. This connection is dead. That is because this system now is blacklisted, so if I become root really quickly, quick as unto a bunny and/or a gazelle, and I do IP tables, become root. Oh, I am already root.

Let’s go IP tables minus L. It’s going to list out the IP table rules, and if we check the input chain right here, you can see that localhost.com, as soon as localhost.com tries to make a connection to this computer system, it’s going to reject with an ICMP port unreachable message, which is just a fun way to switch protocols and mess with… Look, it’s TCP/IP humor. At least I think it’s funny.

But it’s going to basically redirect and drop any traffic coming from that particular computer system. We can also see over here within HoneyPorts that it did create the rule. We can do P and it’ll print the rules, and we can ultimately kill them and we can actually flush the rules as well. We do IP tables minus F, and it’s going to flush any of the rules that were created. Now if I list them, you see there are no input rules anymore, so we deleted that specific rule.

Now once again, I really want to reiterate that this will not break your environment. An attacker’s not going to show up and start spoofing ports from our IP addresses from everywhere and crash your entire network. That’s not how this works because of the magic of the TCP/IP three-way handshake.

But some people will say, “But what about Kevin Mitnick and Tsutomu Shimomura?” Great question. With Kevin Mitnick and his attack years ago, you should really research it at the Takedown website. What Kevin Mitnick did was this attack against a weak protocol that was wide open to the network, and it was a weak sequence number prediction, and he was able to DOS the system he was trying to spoof. Gets into a lot of weirdness about that specific scenario, but just suffice to say something that happened in the ’90s is not going to happen on your network, at least more than likely, we hope.

Once again, please check out Wild West Hackin’ Fest, Black Hills Information Security, and ActiveCountermeasures.com, and also check out Enterprise Security Weekly with Paul, myself, and Matt every single Wednesday. Thank you so much, and we’ll see you in the next video.



Want to level up your skills and learn more straight from John himself?
You can check out his classes below!

SOC Core Skills

Active Defense & Cyber Deception

Getting Started in Security with BHIS and MITRE ATT&CK

Introduction to Pentesting

Available live/virtual and on-demand