
Table Of Contents

  • HONEY TECHNIQUES
    • WINDOWS
    • LINUX
    • NETCAT
    • PASSIVE DNS MONITORING

HONEY TECHNIQUES

WINDOWS

Honey Ports Windows:

  • Ref. http://securityweekly.com/wp-content/uploads/2013/06/howtogetabetterpentest.pdf

  • Step 1: Save the following as <BATCH FILE NAME>.bat. It reads netstat for connections to port 3333 and adds an inbound TCP block rule for each remote address seen. Nothing is served on 3333, but something must be listening there for the connection to appear in netstat output (a netcat listener as in the NETCAT section works):

    @echo off
    for /L %%i in (1,1,1) do @for /f "tokens=3" %%j in ('netstat -nao ^| find ^":3333^"') do @for /f "tokens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rule name="HONEY TOKEN RULE" dir=in remoteip=%%k localport=any protocol=TCP action=block
  • Step 2: Run the batch script from an elevated (Administrator) command prompt, which netsh advfirewall requires:

    <BATCH FILE NAME>.bat

Windows Honey Ports PowerShell Script:

Honey Hashes for Windows (Also for Detecting Mimikatz Use):

  • Ref. https://isc.sans.edu/forums/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/

  • Step 1: Create the fake honey hash. Note: enter a fake password and keep the command prompt open so the credential stays in memory

    runas /user:yourdomain.com\fakeadministratoraccount /netonly cmd.exe
  • Step 2: Query for Remote Access Attempts

    wevtutil qe System /q:"*[System[(EventID=20274)]]" /f:text /rd:true /c:1 /r:remotecomputername
  • Step 3: Query for Failed Login Attempts

    wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:text /rd:true /c:5 /r:remotecomputername
  • Step 4: (Optional) Run the queries in an infinite loop with a 30 s pause

    for /L %i in (1,0,2) do (Insert Step 2) & (Insert Step 3) & timeout 30
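
The wevtutil queries in Steps 2 and 3 dump every logon event on the host, so the interesting ones (a logon or failed logon that names the honey account, which no legitimate process ever uses) have to be picked out of the text. The parser below does that over wevtutil's /f:text layout. It is an added example, not part of the page or the ISC diary: the event text is constructed to mimic that layout, the SIDs, hosts, addresses and times are made up, and the account name is the placeholder from Step 1.

```python
import re

# Constructed sample resembling `wevtutil qe Security ... /f:text` output.
# Every identifier below is made up; the honey account is the Step 1 placeholder.
SAMPLE_EVENTS = """Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2015-01-05T10:14:02.000
  Event ID: 4625
  Task: Logon
  Keyword: Audit Failure
  Computer: DC01.yourdomain.com
  Description:
An account failed to log on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       fakeadministratoraccount
    Account Domain:     yourdomain.com

Network Information:
    Workstation Name:   WKS-17
    Source Network Address: 10.0.0.23
    Source Port:        49201

Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2015-01-05T10:15:40.000
  Event ID: 4624
  Task: Logon
  Keyword: Audit Success
  Computer: DC01.yourdomain.com
  Description:
An account was successfully logged on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       DC01$
    Account Domain:     YOURDOMAIN

Logon Type:            3

New Logon:
    Security ID:        S-1-5-21-1-2-3-1105
    Account Name:       jsmith
    Account Domain:     YOURDOMAIN

Network Information:
    Workstation Name:   WKS-04
    Source Network Address: 10.0.0.40
    Source Port:        50112
"""


def split_events(text):
    """Split wevtutil text output into one string per event."""
    parts = re.split(r"(?m)^Event\[\d+\]:\s*$", text)
    return [p for p in parts if p.strip()]


def parse_event(block):
    """Pull the fields the honey-hash check needs out of one event block."""
    def field(name):
        m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(name), block, re.M)
        return m.group(1) if m else None

    # "Account Name" appears first under Subject (who requested the logon) and
    # then under the target section (New Logon / Account For Which Logon Failed);
    # the honey account shows up in the target section, so take the last match.
    names = re.findall(r"^\s*Account Name:\s*(\S+)\s*$", block, re.M)
    return {
        "event_id": int(field("Event ID")),
        "date": field("Date"),
        "keyword": field("Keyword"),
        "target_account": names[-1] if names else None,
        "source_address": field("Source Network Address"),
        "workstation": field("Workstation Name"),
    }


def honey_account_hits(text, honey_account):
    """Return the 4624/4625 events whose target account is the honey account."""
    hits = []
    for block in split_events(text):
        ev = parse_event(block)
        if ev["event_id"] in (4624, 4625) and ev["target_account"] \
                and ev["target_account"].lower() == honey_account.lower():
            hits.append(ev)
    return hits


if __name__ == "__main__":
    # Feed the real wevtutil output through stdin instead of the sample:
    #   wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:text /rd:true /c:50 | python this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EVENTS
    for ev in honey_account_hits(text, "fakeadministratoraccount"):
        print("%(date)s  %(event_id)s %(keyword)s  %(target_account)s from %(source_address)s (%(workstation)s)" % ev)
```

Any hit is worth an alert on its own: the account exists only in memory on the host where runas was issued, so the only way its name reaches the domain controller is through a tool that harvested it there.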

LINUX

Honey Ports Linux:

Linux Honey Ports Python Script:
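
The Windows batch script above and the Linux variant share one idea: listen on a port no legitimate client uses, treat any connection as a scan, and block the source address at the host firewall. The script below is an added example of that honeyport pattern, not the page's own script: on Windows it issues the same netsh rule as the batch script, and on Linux it assumes an iptables DROP rule (this example's choice). The firewall command is injectable so the decision logic can be exercised without root and without touching a real firewall.

```python
import platform
import socket
import subprocess
import sys
import time

RULE_NAME = "HONEY TOKEN RULE"  # same rule name the page's batch script uses


def block_command(remote_ip, system=None):
    """Build the firewall command that blocks further inbound traffic from remote_ip.

    Windows reuses the netsh rule from the batch script; on Linux an iptables
    DROP rule is assumed (this example's choice, not from the page).
    """
    system = system or platform.system()
    if system == "Windows":
        return ["netsh", "advfirewall", "firewall", "add", "rule",
                "name=" + RULE_NAME, "dir=in", "remoteip=" + remote_ip,
                "localport=any", "protocol=TCP", "action=block"]
    return ["iptables", "-I", "INPUT", "-s", remote_ip, "-j", "DROP"]


def handle_connection(remote_ip, allowlist, blocked, run=subprocess.run, system=None):
    """Block a new offender once; return the command issued, or None if skipped.

    Allowlisted hosts are never blocked (so your own scanners and management
    hosts cannot lock you out) and an address already blocked is not blocked twice.
    """
    if remote_ip in allowlist or remote_ip in blocked:
        return None
    cmd = block_command(remote_ip, system=system)
    run(cmd, check=False)
    blocked.add(remote_ip)
    return cmd


def serve(port, allowlist=frozenset({"127.0.0.1"}), logfile=sys.stdout):
    """Listen on `port`, log every connection and block each new source address.

    Nothing is ever served: the act of connecting is the alert.
    """
    blocked = set()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        print("honeyport listening on %d" % port, file=logfile, flush=True)
        while True:
            conn, (ip, sport) = srv.accept()
            conn.close()  # drop the client immediately; no banner, no data
            cmd = handle_connection(ip, allowlist, blocked)
            print("%s honeyport %d touched by %s:%d -> %s" % (
                time.strftime("%Y-%m-%d %H:%M:%S"), port, ip, sport,
                "blocked" if cmd else "not blocked"), file=logfile, flush=True)


if __name__ == "__main__":
    # Needs root/Administrator for the firewall command. Port 3333 matches the
    # batch script; pass another port on the command line to change it.
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 3333)
```

Extend the allowlist with vulnerability scanners and jump hosts before deploying, and feed the log line to whatever collects your other host logs: the block is a nice side effect, but the record of who touched the port is the actual product.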

Detect rogue scanning with Labrea Tarpit:

apt-get install labrea
labrea -z -s -o -b -v -i eth0 2>&1 | tee -a log.txt

NETCAT

Use netcat to listen for scanning threats:

nc -v -k -l 80
nc -v -k -l 443
nc -v -k -l 3389

PASSIVE DNS MONITORING

Use dnstop to monitor DNS requests at any sniffer location:

apt-get update
apt-get install dnstop
dnstop -l 3 <INTERFACE NAME>
  • Step 1: Press the 2 key to show query names

Use dnstop to monitor DNS requests from a pcap file:

dnstop -l 3 <PCAP FILE NAME> > <OUTPUT FILE NAME>.txt
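
dnstop's core job is small: pull the question name out of each DNS query, cut it down to the last N labels (the -l option), and count. The script below is an added example that does the same thing in stdlib Python so the mechanics are visible; it is not dnstop's code. The sample queries are constructed in the block, and the pcap reader is limited to classic pcap with an Ethernet link type and IPv4 (no pcapng, VLAN tags or IPv6), which is an assumption of this example.

```python
import struct
from collections import Counter


def build_query(name, txid=0x1234, qtype=1):
    """Construct a minimal DNS query payload (UDP data) for `name`; sample input only."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(payload, offset=12):
    """Decode the first question name at `offset`; returns (name, next_offset)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0 or offset + length > len(payload):
            # Compression pointers belong in answers, not a first question name;
            # a label running past the payload end means a truncated packet.
            raise ValueError("malformed question name")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_query(payload):
    """Return (qname, qtype) for a DNS query, or None for responses and garbage."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:
        return None  # QR bit set (a response), or no question section
    try:
        name, off = parse_qname(payload)
        qtype = struct.unpack("!H", payload[off:off + 2])[0]
    except (ValueError, struct.error):
        return None
    return name, qtype


def truncate_levels(name, levels):
    """Keep the last `levels` labels, the way dnstop -l <levels> groups names."""
    return ".".join(name.split(".")[-levels:])


def top_query_names(payloads, levels=3):
    """Count query names (cut to `levels` labels) over an iterable of payloads."""
    counts = Counter()
    for p in payloads:
        parsed = parse_query(p)
        if parsed:
            counts[truncate_levels(parsed[0], levels)] += 1
    return counts


def udp_payloads_from_pcap(path):
    """Yield UDP port-53 payloads from a classic pcap (Ethernet, IPv4, no VLAN)."""
    with open(path, "rb") as fh:
        gh = fh.read(24)  # magic, version, thiszone, sigfigs, snaplen, linktype
        if len(gh) < 24:
            return
        endian = "<" if gh[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        if struct.unpack(endian + "I", gh[20:24])[0] != 1:
            raise ValueError("only Ethernet captures are handled here")
        while True:
            ph = fh.read(16)  # ts_sec, ts_usec, incl_len, orig_len
            if len(ph) < 16:
                return
            frame = fh.read(struct.unpack(endian + "I", ph[8:12])[0])
            if len(frame) < 42 or frame[12:14] != b"\x08\x00":
                continue  # too short, or not IPv4
            udp = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IP header length
            if frame[23] != 17 or len(frame) < udp + 8:
                continue  # IP protocol field is not UDP
            sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
            if 53 in (sport, dport):
                yield frame[udp + 8:]


# Constructed sample traffic: five queries, one response and one truncated query.
RESPONSE_PAYLOAD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_PAYLOADS = [
    build_query("www.example.com"),
    build_query("www.example.com"),
    build_query("mail.example.com"),
    build_query("cdn.static.example.net"),
    build_query("x.y.z.example.net"),
    RESPONSE_PAYLOAD,
    build_query("www.example.com")[:15],
]

if __name__ == "__main__":
    import sys
    source = udp_payloads_from_pcap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PAYLOADS
    for name, n in top_query_names(source).most_common(10):
        print("%6d  %s" % (n, name))
```

Run it with a capture path to tally a pcap, or with no arguments to see the constructed sample. The level parameter is what makes the output useful for spotting odd lookups: at -l 2 a burst of long, random-looking subdomains all collapse into one second-level name, which is the view in which tunnelling or beaconing over DNS stands out.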