Honeypots are easy for the everyday person to set up and use. I have used them for years to catch online predators and unsuspecting threat actors before they can launch offensive attacks against my online assets. They've been one of the most formidable weapons in my overall bag of tricks.
Honeypots are designed to appear as legitimate and attractive targets to attackers, but they are, in fact, controlled environments set up to detect, deflect, or study hacking attempts. Considering a cyberattack occurs every 39 seconds worldwide, honeypots play an important role in defensive strategies.
Cyberattacks monitored within a sandboxed environment offer significant insights into emerging cybersecurity threats and attack vectors. They’re ideal for companies and law enforcement because deploying them serves as a buffer, distracting threats from discovering proprietary assets while simultaneously providing an opportunity to monitor those threats.
Honeypots come in all shapes and sizes. They can be websites, servers, rogue WiFi access points, email addresses, apps, redirect links, and more. This article focuses primarily on using a free website to deploy our honeypots.
Many companies deploy honeypots in the form of vulnerable computer systems within otherwise safe environments, separate from their protected local area networks. This allows them to misdirect and monitor a threat’s behaviors as they explore the system.
Hackers run honeypots, too.
Honeypots in the wild
Those of us who search for vulnerable systems using Shodan can tell you that the sheer number of honeypots deployed in the wild is staggering. Chances are, any internet device with a ridiculously large number of open ports is, in fact, a honeypot.
As of this publication, when you search Shodan for Confluence, it reports 261,308 internet-facing Confluence honeypots worldwide. I used to come up with some weird honeypots back in the day, and the good news is that these methods are still valid today. In 2007, I started a cyber war against a rival hacking group that didn’t employ adequate OPSEC.
I wanted to attract my enemies onto a platform under my complete control, so I could obtain their IP addresses, browser fingerprinting, geographical location, and more. This enemy group was searching for the private forum board my hacking group socialized on. Therefore, I knew I had to create a dummy forum if I wanted them to fall for the trap.
Posing as a defector, I enticed them to visit the forum, which was pretty easy since they were eager to see what we were all saying about them. The forum board was private, meaning they would have to register in order to see the private posts.
As the administrator, I was able to recover the passwords associated with the email addresses they used during the registration process. This resulted in my group compromising several of their email accounts since most of them had very bad password hygiene. This enabled us to perform dozens of account takeovers.
Hidden within the source code of the forum and website was a simple PHP script, which contained portions encoded to hexadecimal so it could look somewhat innocuous. It was designed to capture IP addresses, perform browser fingerprinting, and make a guesstimate of the target’s operating system. The script had instructions to email the visitor logs to me.
This provided opportunities for us to attack their internet connections through Distributed Denial of Service (DDoS). Knowing their IP addresses opened up an entire world of possible attack vectors.
The forum and website had open authenticated FTP server access, so there was no reason for them not to be able to just log in and have a look around. I referred to these as “drop boxes.”
I uploaded several random, nonsensitive files to the FTP drop box, knowing that the enemy would download and run them out of curiosity. The best part was that these files were malicious, which gave me remote access to their now-infected computers.
How to create a basic honeypot for IP capture
Threat actors are usually smart enough not to click on unsolicited links, but there’s always the exception. When I need quick results, I will use Grabify.link, which allows users to create and manage IP-grabbing campaigns freely. But what we need is more inconspicuous.
Create a free website. There are plenty of providers to choose from, such as GoDaddy and Wix. This matters because you will be able to repurpose a honeypot site to fit multiple needs, making it easy to rearrange content for different campaigns. In this example, we are using Wix.
Next, create an account with TraceMyIP. If you feel like the 2000s just called and want their IP logger back, you’re in the right place. It’s free. Moreover, it’s useful for providing more in-depth website visitor statistics.
Click on Tracker Code in My Projects. Note the section “Page Loads.” Once the honeypot is in full swing, this section will display your site visits, the captured IP address, the browser and operating system, and other information.
Next, select your code type. Under the subcategory Universal Trackers, you can experiment with any of the options. In this example, I have chosen JavaScript Code, which is the recommended option. Click Get Code. Doing so will generate the code for you to copy and paste into Wix.
This is for those of you who remember what it was like back in the 2000s when we had Myspace layout generators. You get excessive tags, and in this case, we need to remove the image source path so the image doesn’t appear on your honeypot and automatically give it away as something suspicious. Once you remove the sections I have highlighted in red, your code should be clean of any such artifacts.
You don’t need to have your Wix site built at this stage; that can come later. Head over to Settings, and click on Custom code.
Click + Add Custom Code. This will take you to the custom code template where you can introduce your own 3rd-party code snippets.
Copy and paste your custom code and configure it how you want the code to load, and on which pages.
Test out your code by visiting your Wix site. Then head back over to TraceMyIP, open My Projects, and select Page Loads. You should see a comprehensive list of site visits. Click Trace. The page will open and conveniently display a wealth of interesting information on your site visitor. TraceMyIP is very feature-rich, so take time to explore its many options.
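As an added illustration (not TraceMyIP’s code or anything from this article), here is what a tracker’s Page Loads view derives from each request: the IP, a browser and operating-system guess from the User-Agent, the referrer, and the page. It adds one check the steps above don’t mention: X-Forwarded-For is honoured only when the request arrives through a proxy you run (the TRUSTED_PROXIES address and the sample requests are constructed assumptions), because any visitor can set that header and plant a fake address in your visit log.

```python
# Assumption: a reverse proxy you run in front of the honeypot, if any. X-Forwarded-For is
# set by whoever sends the request, so it is believed only when the direct peer is that
# proxy; otherwise a visitor could plant any address they like in your visit log.
TRUSTED_PROXIES = {"10.0.0.2"}

# First matching token wins, so specific tokens come first (Chrome UAs also contain
# "Safari/", iPhone UAs also contain "Mac OS X").
BROWSER_RULES = [("Edg/", "Edge"), ("OPR/", "Opera"), ("Chrome/", "Chrome"),
                 ("Firefox/", "Firefox"), ("Safari/", "Safari")]
OS_RULES = [("Android", "Android"), ("iPhone", "iOS"), ("iPad", "iOS"),
            ("Windows NT", "Windows"), ("Mac OS X", "macOS"), ("Linux", "Linux")]

def _first_match(ua, rules, default="Unknown"):
    return next((name for token, name in rules if token in ua), default)

def client_ip(remote_addr, headers):
    """Visitor IP: honour X-Forwarded-For only when the request came via a trusted proxy."""
    xff = headers.get("X-Forwarded-For", "")
    if remote_addr in TRUSTED_PROXIES and xff:
        return xff.split(",")[0].strip()  # leftmost hop is the original client
    return remote_addr

def record_page_load(remote_addr, path, headers):
    """One record per visit: the fields a tracker's 'Page Loads' view derives from a request."""
    ua = headers.get("User-Agent", "")
    return {"ip": client_ip(remote_addr, headers), "browser": _first_match(ua, BROWSER_RULES),
            "os": _first_match(ua, OS_RULES), "referrer": headers.get("Referer", "(direct)"),
            "path": path}

# Constructed sample requests: a direct visitor who forged X-Forwarded-For, and a genuine
# visitor arriving through the trusted proxy (headers are assumed already case-normalised).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/", {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                         "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",
                         "X-Forwarded-For": "1.2.3.4"}),
    ("10.0.0.2", "/forum", {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                           "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
                           "X-Forwarded-For": "198.51.100.7, 10.0.0.2",
                           "Referer": "https://example.invalid/invite"}),
]

def page_loads(requests=SAMPLE_REQUESTS):
    """Return the visit log, one dict per request, in arrival order."""
    return [record_page_load(*req) for req in requests]
```

The forged header on the first request is ignored and the peer address is logged instead; the second request is correctly attributed to the client in front of the proxy.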
Weaponizing OSINT
How you use your honeypot ultimately depends on what you need it for. This Wix site can be modified to fit your current goal and can easily be changed within minutes to accommodate new goals.
Remember, you can use any platform that allows users to run third-party code to host your IP logging script. For example, Start.me, a browser homepage where users can organize their favorite website links, news feeds, notes, and more, allows third-party embedded code.
The information you capture from site visitors and threat actors is only the first step. You can use open-source intelligence tools like Netlas.io to passively conduct network reconnaissance, gathering related domains, registrar information, open ports, and known CVEs, which can provide vital insights for determining potential attack vectors if you are pursuing offensive strategies.
There are so many ways to create honeypots. For example, T-Pot is like the Swiss army knife of honeypots, with feature-rich options and a graphical interface. It also provides animated live attack maps, including cyber threat detection and analysis. This makes it ideal for monitoring real and simulated incidents, and it helps with incident response and digital forensic investigations.
Because honeypots do exist in the wild, it is imperative to mind your own security and ensure your IP address isn’t openly leaking for others to grab and attack. No matter what you do online, anonymity should always be your foremost weapon against online surveillance. You can easily defeat honeypots if you practice good OPSEC by utilizing reliable online anonymity tools.