Operation Honeypot - 03 Empty Net
It’s been a while since I’ve written about the status of the honeypot, so here is a quick update on where it stands and what still needs to be done, mostly as a note for myself. I’ve put this project on the back burner for now (I’ve started a new project that deals with gardening, which makes more sense to work on during the few short months of warm weather we have in upstate New York). I plan to address the concerns below when I have time.
As a side note, I didn’t write a blog post about this (though I should have), but I added a Discord alert that posts a chat message to my Discord channel every time the honeypot sees an event (it gets pretty noisy). That code is in the repository if you’d like to take a look.
The biggest issue I saw was that, while I was getting plenty of connections and authentication requests, the first command the hackers wanted to run was one that switches the session out of cleartext and into an encrypted channel. I wrongly assumed a hacker wouldn’t care about having a secure channel to upload malware over, but in reality it’s such a quick thing to do, and it’s baked into most FTP libraries, that I should have implemented it from the beginning.
This logic issue slipped by because I was too busy programming: if the goal is to generate a username/password list, I will need a mode that denies every authentication request so that a bot keeps trying other combinations. If instead I want to receive files, the current mode of operation, which accepts the first authentication request, is fine. A third option would be to gather a certain number of attempts before allowing the hacker to connect; that way I can compile my own credential lists and also gather some malware samples.
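The three modes weighed above, written out as an added example; this is not code from the honeypot repository, the class and mode names are assumptions, and the login attempts fed to `demo()` are constructed:

```python
"""Credential-harvesting policy for an FTP honeypot (added example, assumed names)."""
from collections import defaultdict
from enum import Enum


class Mode(Enum):
    DENY_ALL = "deny_all"              # build username/password lists; bots keep guessing
    ACCEPT_FIRST = "accept_first"      # current behaviour: let the first login in, receive files
    ACCEPT_AFTER_N = "accept_after_n"  # deny N attempts per source, then let the next one in


class AuthPolicy:
    def __init__(self, mode, threshold=5):
        self.mode = mode
        self.threshold = threshold                 # denied attempts before accepting (ACCEPT_AFTER_N)
        self.attempts = defaultdict(list)          # source IP -> [(username, password), ...]

    def decide(self, src_ip, username, password):
        """Record the attempt and return True if the honeypot should accept the login."""
        self.attempts[src_ip].append((username, password))
        count = len(self.attempts[src_ip])         # per-source, so each bot is harvested separately
        if self.mode is Mode.DENY_ALL:
            return False
        if self.mode is Mode.ACCEPT_FIRST:
            return True
        return count > self.threshold              # ACCEPT_AFTER_N: N denials, then accept

    def credential_list(self):
        """Unique (username, password) pairs seen across all sources, sorted for the wordlist."""
        seen = set()
        for pairs in self.attempts.values():
            seen.update(pairs)
        return sorted(seen)


def demo():
    """Constructed login attempts (documentation-range IPs) run through ACCEPT_AFTER_N with N=2."""
    policy = AuthPolicy(Mode.ACCEPT_AFTER_N, threshold=2)
    attempts = [
        ("198.51.100.7", "root", "root"),
        ("198.51.100.7", "admin", "admin"),
        ("198.51.100.7", "ftp", "ftp"),      # third attempt from this source is accepted
        ("203.0.113.9", "root", "toor"),     # separate source, its own counter starts at 1
    ]
    decisions = [policy.decide(ip, u, p) for ip, u, p in attempts]
    return decisions, policy.credential_list()


if __name__ == "__main__":
    print(demo())
```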