Operation Honeypot - 03 Empty Net
Brief Update
It’s been a while since I’ve written about the status of the honeypot, so I’ll just update quickly on where it stands and what needs to be done, mostly as a note to myself. I’ve put this project on the back burner for now (I’ve started work on a new project that deals with gardening, which makes more sense to work on during the few short months of warm weather we have in upstate New York). I plan on addressing these few concerns when I have time, though.
As a side note, I didn’t include this in a blog post (though I should have), but I added a Discord alert which posts a chat message into my Discord channel every time there is some event on the honeypot (it gets pretty noisy). That code exists in the repository if you’d like to take a look.
Known Issues
Support Encryption
The biggest issue I saw was that while I was getting plenty of connections and authentication requests, the first command the hackers wanted to run was to switch out of cleartext and into an encrypted communication channel. I wrongly assumed a hacker wouldn’t care about having a secure channel to upload malware over, but in reality it’s such a quick thing to do, and is baked into most FTP libraries, that I should have implemented this from the beginning.
Different modes for different goals
I guess this logic issue slipped by as I was too busy programming, but if the goal is to generate a username/password list I will need a mode which denies every authentication request, so that a bot will continue trying other combinations. However, if I want to receive files, the current mode of operation, which accepts the first authentication request, is fine. Another option would be to require a certain number of attempts before allowing the hacker to connect; this way I will be able to compile my own lists but also gather some malware samples.
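The three modes described above as one authentication policy, written here as an added example rather than code from the honeypot's repository. It assumes the honeypot is in Python and that the FTP server calls something like `AuthPolicy.decide()` on each USER/PASS pair; the class, mode and sample names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    DENY_ALL = "deny_all"          # never accept: the bot keeps cycling credentials, we harvest the list
    ACCEPT_FIRST = "accept_first"  # accept the first login: the goal is collecting uploads
    THRESHOLD = "threshold"        # deny N attempts per source, then accept: both goals at once


@dataclass
class AuthPolicy:
    mode: Mode
    threshold: int = 5   # denials required before acceptance (THRESHOLD mode only)
    attempts: dict = field(default_factory=lambda: defaultdict(int))
    credentials: list = field(default_factory=list)  # harvested (ip, user, password) tuples

    def decide(self, client_ip: str, username: str, password: str) -> bool:
        """Record the attempt and return True if the login should be accepted."""
        self.credentials.append((client_ip, username, password))
        self.attempts[client_ip] += 1
        if self.mode is Mode.DENY_ALL:
            return False
        if self.mode is Mode.ACCEPT_FIRST:
            return True
        # THRESHOLD: accept once this source has burned through `threshold` denials
        return self.attempts[client_ip] > self.threshold

    def wordlist(self) -> set:
        """Distinct username/password pairs seen so far (the list-building goal)."""
        return {(u, p) for _, u, p in self.credentials}


# Constructed sample: one bot cycling a short credential list (RFC 5737 test address)
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", "admin", "admin"),
    ("203.0.113.7", "admin", "123456"),
    ("203.0.113.7", "ftp", "ftp"),
    ("203.0.113.7", "root", "toor"),
]


def run_sample(mode: Mode, threshold: int = 2) -> list:
    """Replay SAMPLE_ATTEMPTS under a policy; returns the accept/deny decision per attempt."""
    policy = AuthPolicy(mode=mode, threshold=threshold)
    return [policy.decide(*attempt) for attempt in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, run_sample(mode))
```

Per-source counting matters for THRESHOLD mode: a single global counter would let a new bot in on its first guess once any earlier bot had exhausted the threshold.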