
AntiOnline Spotlight: Advanced Web-based Honeypot Techniques

By Enterprise IT Planet Staff
August 5, 2005


Google and other search engines have quickly become the go-to resource of happy hackers.
Any technology can be used for good or, as human nature would have it, to make a mess of things.

Google's powerful search algorithms combined with a tenacious crawler have brought many embarrassing vulnerabilities to light. The same technology the masses have embraced to power their research and dig up obscure facts can expose poorly configured servers and IP-enabled devices. As a result, hackers have added to their arsenal a free, easy-to-use tool that scours the Internet for attractive targets.

It can be argued that thanks to Google, administrators are starting to think twice about how they lock down their Web-facing systems. Perhaps, but there’s little reason to let the number one search engine, or any hacker widget for that matter, give anyone a glimpse into your network.

A new version of the Google Hack Honeypot (GHH) at SourceForge makes it easy for everyone from the Web-server-in-the-basement startup to an IT giant to see how attackers are testing the waters.

Deploying a honeypot is a crafty way of observing the enemy. By witnessing the techniques hackers apply in their attempts to sneak into your network, you can make sure that your defenses are up to the task.

Honeypots also provide valuable insight into how hackers are adapting their tactics over time — a great way to stay one step ahead. After all, if they keep running into the same impenetrable wall, they will quickly search out other ways to get in.

Plus, the more time hackers waste fruitlessly hacking your honeypot, the less damage they’ll do to others. And, of course, it’s always fun to see them make the wasted effort.


Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.

This Week's Spotlight Thread:
Advanced Web Based Honeypot Techniques

Soda_Popinsky drops in with another tutorial based on the GHH project. First, a brief intro...

The GHH project develops web-based honeypots designed to lure "Google Hackers" using malicious search engine tactics, along with tools and documentation to allow others to develop customized honeypots, decreasing the exposure of vulnerable applications in the Google index.

Recommended Reading: http://www.antionline.com/showthrea...threadid=266049

Now, onto one of the topics the tutorial covers.

Spoofed file extensions

While browsing through the Google Hacking Database (GHDB), you should notice that not all of the signatures target server side scripts (.php for example). This hack, for example:

inurl:passwd.txt

That hack searches for the file extension .txt. The contents of these files are usually interesting, and their exposure could introduce a vulnerability to the server on which they are hosted. There is usually more of a risk being introduced to the environment than a typical Web application vulnerability in cases like these.

Or perhaps these:

inurl:admin.mdb
inurl:customer.mdb
inurl:users.mdb

Depending on their contents, a database file such as this could cause extreme losses. In order to emulate filetypes like these, GHH depends on Apache htaccess files to spoof its file extension. We can then take advantage of server side scripting to log and handle the attack any way we want, and if we're using GHH as an engine, this means log remotely and apply signatures to the attack...

Of course, there's much more. Read the rest of this tutorial here.
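To illustrate the logging side of the spoofed-extension decoys described in the excerpt, here is an added example (not GHH's own code, and not from the tutorial) that scans web server access logs for requests to the decoy file names quoted above and recovers the search query from the referer. It assumes Apache's "combined" log format; the function names, the operator list used for `via_dork`, and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Decoy file names taken from the signatures quoted above.
DECOYS = {"passwd.txt", "admin.mdb", "customer.mdb", "users.mdb"}

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def search_query(referer):
    """Return the search terms carried in a referer's q= parameter, or None."""
    if not referer or referer == "-":
        return None
    terms = parse_qs(urlsplit(referer).query).get("q")
    return terms[0] if terms else None

def honeypot_hits(lines):
    """Yield one record per request that touched a decoy file."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Compare only the file name, ignoring directory, query string and case.
        name = urlsplit(m["path"]).path.rsplit("/", 1)[-1].lower()
        if name not in DECOYS:
            continue
        query = search_query(m["referer"])
        yield {
            "ip": m["ip"], "time": m["ts"], "decoy": name, "query": query,
            # Assumed heuristic: a search operator in the referring query
            # means the visitor arrived from a targeted search.
            "via_dork": bool(query and re.search(r"\b(inurl|intitle|filetype):", query, re.I)),
        }

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [05/Aug/2005:10:01:02 +0000] "GET /backup/passwd.txt HTTP/1.1" 200 512 "http://www.google.com/search?q=inurl%3Apasswd.txt" "Mozilla/4.0"',
    '198.51.100.9 - - [05/Aug/2005:10:05:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Aug/2005:10:09:13 +0000] "GET /db/Users.mdb?x=1 HTTP/1.0" 200 512 "-" "Wget/1.9"',
]

if __name__ == "__main__":
    for hit in honeypot_hits(SAMPLE):
        print(hit)
```

A hit with `via_dork` set shows which search signature led the visitor to the decoy; a hit without a referer, like the third sample line, points to direct probing or a scripted client.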
