Creating a Honey Pot With Artillery

Posted: October 22, 2011 in Random pontifications

Introduction

For those who don’t know, Artillery is a new tool released by David Kennedy (ReL1K), a well-respected figure in the information security field and the author of the Social Engineering Toolkit as well as Fast-Track.

In this post we’re going to explore the features of Artillery and its use as a honeypot. Be aware that Artillery is in its alpha infancy and is probably not yet suitable for a production environment.

Configuring your Honey Pot

The first step is to set up your honeypot. At this stage of the game Artillery already has some pretty good configuration options; the one I’m most interested in is the following.

# PORTS TO SPAWN HONEYPOT FOR
PORTS="135,445,22,1433,3389,8080,21,5900,25,53,110,3306,1723,1337,10000,5800,44443"

These are the default ports, but if you want to tailor your honeypot to the network it’s on, the list is fully customizable. The really cool thing about this program is that it can (if you choose) use iptables to drop the traffic of anyone who attempts to interact with one of the “services”.
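To make the port-spawning behaviour concrete, here is an added illustration (my own code, not Artillery’s, and not part of the original post) of a minimal low-interaction honeypot driven by the same PORTS string: it parses the list, listens on every port, records the source of each connection, and, unless run in dry-run mode, builds an iptables DROP rule for that source. The BanList class, the whitelist, the dry_run flag and the exact rule shape are my assumptions. Binding ports below 1024 needs root, and a port already held by a real service (22, if sshd is running) is skipped with a warning rather than crashing the whole honeypot.

```python
"""Minimal Artillery-style honeypot: listen on a list of ports, log and drop.

Added example, not Artillery's own code.  Assumes Linux and root privileges
for iptables; dry_run=True only logs the rule that would have been applied.
"""
import logging
import socket
import subprocess
import threading
import time

# Same default port list as Artillery's PORTS option (quoted from the post).
PORTS = "135,445,22,1433,3389,8080,21,5900,25,53,110,3306,1723,1337,10000,5800,44443"

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")


def parse_ports(ports_str):
    """Turn the comma-separated PORTS string into a sorted list of unique ints.

    Blank entries are ignored; anything outside 1-65535 raises so that a typo
    in the config is caught at start-up instead of failing silently at bind().
    """
    ports = set()
    for raw in ports_str.split(","):
        raw = raw.strip()
        if not raw:
            continue
        port = int(raw)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return sorted(ports)


class BanList:
    """Tracks source addresses that touched a honeypot port.

    Whitelisted addresses (your own scanner, monitoring hosts) are logged but
    never dropped; everything else is dropped on its first contact.
    """

    def __init__(self, whitelist=(), dry_run=True):
        self.whitelist = set(whitelist)
        self.banned = set()
        self.hits = []          # (timestamp, src_ip, port) for later analysis
        self.dry_run = dry_run  # True: log the rule instead of calling iptables
        self._lock = threading.Lock()

    @staticmethod
    def drop_rule(src_ip):
        """iptables command that drops all further traffic from src_ip (assumed shape)."""
        return ["iptables", "-I", "INPUT", "-s", src_ip, "-j", "DROP"]

    def record(self, src_ip, port):
        """Log a hit; return True only when this call newly bans src_ip."""
        with self._lock:
            self.hits.append((time.time(), src_ip, port))
            if src_ip in self.whitelist or src_ip in self.banned:
                return False
            self.banned.add(src_ip)
        logging.info("honeypot hit on port %d from %s -> DROP", port, src_ip)
        if not self.dry_run:
            subprocess.run(self.drop_rule(src_ip), check=False)
        return True


def serve_port(port, banlist, stop, bind_addr="0.0.0.0"):
    """Listen on one port; every connection is recorded and closed immediately."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        srv.bind((bind_addr, port))
    except OSError as exc:  # port held by a real service, or no root for < 1024
        logging.warning("cannot bind port %d: %s", port, exc)
        return
    srv.listen(5)
    srv.settimeout(0.5)  # wake up periodically to notice the stop flag
    while not stop.is_set():
        try:
            conn, (src_ip, _) = srv.accept()
        except socket.timeout:
            continue
        banlist.record(src_ip, port)
        conn.close()  # no banner, no dialogue: low-interaction by design
    srv.close()


def start_honeypot(ports_str, banlist, bind_addr="0.0.0.0"):
    """Spawn one listener thread per configured port; returns (threads, stop_event)."""
    stop = threading.Event()
    threads = []
    for port in parse_ports(ports_str):
        t = threading.Thread(target=serve_port, args=(port, banlist, stop, bind_addr), daemon=True)
        t.start()
        threads.append(t)
    return threads, stop


if __name__ == "__main__":
    # Dry run: report what would be dropped without touching iptables.
    banlist = BanList(whitelist={"127.0.0.1"}, dry_run=True)
    start_honeypot(PORTS, banlist)
    logging.info("listening on %d ports; Ctrl-C to stop", len(parse_ports(PORTS)))
    while True:
        time.sleep(1)
```

Run it as root with dry_run=True first and walk the ports from another host with nmap; the log shows the same immediate drop-on-contact behaviour the screenshots below illustrate, and switching dry_run to False applies the rule for real. The whitelist matters: without it the first nmap run from your own workstation locks you out of the box.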

[Screenshot: nmap scan prior to Artillery’s start]

[Screenshot: nmap scan after Artillery has been started]

Interacting With Your Honey Pot

This is a very limited application at this point, so it can’t really interact with whoever connects, but it’s a great lightweight solution if you want to gather data on common automated scanning and brute-force attempts.

As you can see, it will drop traffic that tries to interact with a service on the honeypot. That makes it great in conjunction with tcpdump: if you want to test an IDS, have the IDS monitor the honeypot, then compare the tcpdump capture and the Artillery logs with what your IDS picked up.

[Screenshot: running exploit code against one of Artillery’s “services”]

Additional Features

This nice little application can also monitor and block SSH brute-force attempts, and check for insecure configurations (root login enabled, etc.). It can also monitor permissions and possibly insecure configurations in any directories you choose; the defaults are /etc and /var/www, but you can specify which directories you would like monitored.
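As an added example of the two checks just mentioned (my own code, not Artillery’s, and not taken from the post), the following script does the SSH side of that job from plain auth.log text: it counts failed logins per source address inside a sliding time window and reports the addresses that cross a threshold, then scans an sshd_config for the root-login style settings worth flagging. The log lines and the config fragment are constructed samples, the threshold of 5 failures in 120 seconds is an assumption, and the log year is assumed because syslog timestamps omit it.

```python
"""SSH brute-force detection and sshd_config review, Artillery-style.

Added example, not Artillery's code.  Input is constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log lines in syslog format (not real traffic).  Two sources
# fail five times each: one in four seconds, one spread over four minutes.
SAMPLE_AUTH_LOG = """\
Oct 22 10:00:01 honey sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Oct 22 10:00:02 honey sshd[2203]: Failed password for root from 198.51.100.23 port 51023 ssh2
Oct 22 10:00:03 honey sshd[2205]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Oct 22 10:00:04 honey sshd[2207]: Failed password for invalid user admin from 198.51.100.23 port 51025 ssh2
Oct 22 10:00:05 honey sshd[2209]: Failed password for root from 198.51.100.23 port 51026 ssh2
Oct 22 10:00:30 honey sshd[2211]: Failed password for alice from 192.0.2.9 port 40010 ssh2
Oct 22 10:00:31 honey sshd[2213]: Accepted password for alice from 192.0.2.9 port 40010 ssh2
Oct 22 10:20:00 honey sshd[2301]: Failed password for root from 203.0.113.5 port 60001 ssh2
Oct 22 10:21:00 honey sshd[2302]: Failed password for root from 203.0.113.5 port 60002 ssh2
Oct 22 10:22:00 honey sshd[2303]: Failed password for root from 203.0.113.5 port 60003 ssh2
Oct 22 10:23:00 honey sshd[2304]: Failed password for root from 203.0.113.5 port 60004 ssh2
Oct 22 10:24:00 honey sshd[2305]: Failed password for root from 203.0.113.5 port 60005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text, year=2011):
    """Yield (datetime, ip, user) for every failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed 2011 here).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def brute_force_sources(log_text, threshold=5, window_seconds=120):
    """Return the set of IPs with >= threshold failures inside any window.

    Sliding window per source: a slow attacker spacing attempts a minute apart
    only trips the rule if `threshold` attempts still fit inside the window.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _ in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget failures that fell out of the window
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


# Constructed sshd_config fragment showing the kind of setting the post flags.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
"""

# Directive -> values worth flagging (case-insensitive); my own short list.
WEAK_SSHD = {
    "permitrootlogin": {"yes"},
    "permitemptypasswords": {"yes"},
    "passwordauthentication": {"yes"},
}


def insecure_sshd_settings(config_text):
    """Return {directive: value} for effective settings that match WEAK_SSHD.

    Comments and unrelated directives are ignored.  The first occurrence of a
    directive wins, which is how sshd itself resolves repeated keywords.
    """
    seen = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        seen.setdefault(key, value)
    return {k: v for k, v in seen.items() if v in WEAK_SSHD.get(k, ())}


if __name__ == "__main__":
    print("fast brute force (120 s window):", brute_force_sources(SAMPLE_AUTH_LOG))
    print("incl. slow brute force (300 s window):",
          brute_force_sources(SAMPLE_AUTH_LOG, window_seconds=300))
    print("weak sshd settings:", insecure_sshd_settings(SAMPLE_SSHD_CONFIG))
```

With the default window only the fast source is reported; widening the window to 300 seconds also catches the one-attempt-per-minute source, which is the trade-off any banning threshold has to make between reacting quickly and catching patient scanners. Feeding the flagged addresses into the same kind of iptables DROP rule the honeypot uses gives you the blocking half of the feature.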

[Screenshot: Artillery stopping an SSH brute-force attack]

Conclusion

I’m definitely looking forward to seeing what this tool develops into, and I think it’s a great solution for a low-interaction honeypot, particularly when combined with packet-sniffing technology.
