Foreword
The annual HW (attack-and-defence exercise) is coming soon [although I hear it has been postponed this year], and the masters probably cannot hold back any longer. Today I will try deploying HFish, a honeypot system that has become fairly well known, and keep a brief record of it.
Basic environment
HFish official website installation package
HFish official tutorial
VMware virtual machine & Windows 7 system
Honeypot deployment
Management end deployment
Here I take the Win7 system as the example [for convenience of the demonstration the system firewall is turned off; in a real deployment keep the firewall on and open only the required ports through a firewall policy]. First copy the downloaded installation package to the Win7 machine, unpack it, and click install. That completes the installation of the web management end [this doesn't mean I'm padding the post]; a pop-up window shows the connection address and the default account. Note that the management end is served over https. The login page looks like this: log in with the default account and password, and in a real deployment remember to change it to a strong password.
Next you need to connect a database. Since my Win7 has no other database installed, I choose SQLite for the demonstration.
After that the installation is complete.
The main page looks quite good.
Add a node & start services
Here I take adding a Linux node as the example; the node runs CentOS 7.6. First make sure the node and the management end are on the same network and can reach each other normally.
Then open Environment Management - Node Management in the menu; the nodes currently in the honeypot system are listed there. Click Add Node and select the node's operating system type. An installation command is generated, and you only need to run that command on the node.
Honeypot services: here I use the server environment as the example; tick whichever services you want. After adding a service you must open the corresponding port in the firewall. Taking ThinkPHP as the example, enter the HFish password to confirm; the port turns green, which means the service has been enabled normally (the port can be changed in a real deployment). Visiting the corresponding port, 9226, shows the exposed service.
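The node-side steps above (reach the management end, run the generated install command, open the firewall for each enabled service, confirm the port is really listening) are easy to get half right. The script below is an added example, not HFish's own installer or documentation: it validates a service list, prints or applies the firewalld rules for a CentOS 7 node, and checks with ss that each port has a listener. The management-end address 192.168.1.10, the node-to-server port 4434 and the three services in the list are assumptions for the demo; replace them with the values shown in your own management UI.

```bash
#!/usr/bin/env bash
# Pre-flight and firewall helper for an HFish node on CentOS 7.
# Added example, not HFish code. MGMT_HOST/MGMT_PORT and the SERVICES list
# are assumptions; take the real values from the management UI.

MGMT_HOST="${MGMT_HOST:-192.168.1.10}"   # assumed address of the Win7 management end
MGMT_PORT="${MGMT_PORT:-4434}"           # assumed node-to-server port

# Constructed service list, one "name:port" per line (ThinkPHP port from the post).
SERVICES='thinkphp:9226
ssh:22
mysql:3306'

# parse_services: read "name:port" lines on stdin, skip blanks and comments,
# reject non-numeric or out-of-range ports, print "name port" pairs.
parse_services() {
    while IFS=: read -r name port; do
        case "$name" in ''|\#*) continue ;; esac
        case "$port" in
            ''|*[!0-9]*) echo "skip $name: bad port '$port'" >&2; continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skip $name: port $port out of range" >&2; continue
        fi
        echo "$name $port"
    done
}

# firewall_cmd_for PORT: the firewalld command that opens one TCP port permanently.
firewall_cmd_for() {
    echo "firewall-cmd --permanent --add-port=$1/tcp"
}

# mgmt_reachable HOST PORT: plain TCP connect test (nc if present, else bash /dev/tcp).
mgmt_reachable() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2"
    else
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    fi
}

# open_ports: apply the rules as root with firewalld, otherwise just print them.
open_ports() {
    printf '%s\n' "$SERVICES" | parse_services | while read -r name port; do
        cmd=$(firewall_cmd_for "$port")
        if [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
            echo "opening $name on $port"; $cmd
        else
            echo "would run: $cmd"
        fi
    done
    if [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --reload
    fi
}

# listening PORT: true if something is bound to the port (after enabling it in the UI).
listening() {
    ss -lnt 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
}

main() {
    if mgmt_reachable "$MGMT_HOST" "$MGMT_PORT"; then
        echo "management end $MGMT_HOST:$MGMT_PORT reachable"
    else
        echo "cannot reach $MGMT_HOST:$MGMT_PORT; check routing and the Windows firewall" >&2
        exit 1
    fi
    open_ports
    printf '%s\n' "$SERVICES" | parse_services | while read -r name port; do
        if listening "$port"; then echo "$name: listening on $port"
        else echo "$name: nothing listening on $port yet (enable it in the UI)"; fi
    done
}

# Run the checks only when called as "script.sh run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it once before the install command to confirm the management end is reachable, and again after enabling services to confirm the ports are open and bound. On the Win7 management end the counterpart is an inbound allow rule for the management ports in Windows Firewall with Advanced Security (netsh advfirewall), instead of turning the firewall off as in the demo.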
Attack display
Related access records can be seen under the Threat Awareness item.
Port scan test
Here Yujian is used to scan the honeypot's ports, and the scan record can be seen on the management end.
Directory scan test
Use dirsearch to scan the directories of the honeypot web page.
The effect on the management end: the specific access log can be seen in the attack list.
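What the attack list shows for the dirsearch run is a burst of requests for many different non-existent paths from one address. The script below is an added example, not HFish code, that reproduces that detection over plain web-server access logs so the same pattern can be spotted on the real business hosts next to the honeypot. The log lines are constructed in nginx/Apache combined format and the 203.0.113.5 and 198.51.100.7 addresses are documentation ranges, not real attackers.

```bash
#!/usr/bin/env bash
# Directory brute-force detection over combined-format access logs.
# Added example, not HFish code. SAMPLE_LOG is constructed for the demo.

SAMPLE_LOG='203.0.113.5 - - [12/Jul/2022:10:00:01 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (dirsearch)"
203.0.113.5 - - [12/Jul/2022:10:00:01 +0800] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (dirsearch)"
203.0.113.5 - - [12/Jul/2022:10:00:01 +0800] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0 (dirsearch)"
203.0.113.5 - - [12/Jul/2022:10:00:02 +0800] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0 (dirsearch)"
203.0.113.5 - - [12/Jul/2022:10:00:02 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (dirsearch)"
203.0.113.5 - - [12/Jul/2022:10:00:02 +0800] "GET /config.php.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0 (dirsearch)"
203.0.113.5 - - [12/Jul/2022:10:00:03 +0800] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (dirsearch)"
203.0.113.5 - - [12/Jul/2022:10:00:03 +0800] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (dirsearch)"
198.51.100.7 - - [12/Jul/2022:10:00:05 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2022:10:00:09 +0800] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"'

# detect_dir_scan [THRESHOLD]: read log lines on stdin; for each client count the
# number of DISTINCT paths that returned 4xx (a repeat of the same path does not
# count twice) and print "ip count" for clients at or above the threshold.
detect_dir_scan() {
    thr="${1:-10}"
    awk -v thr="$thr" '
        $9 ~ /^4[0-9][0-9]$/ {
            key = $1 SUBSEP $7
            if (!(key in seen)) { seen[key] = 1; n[$1]++ }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }' | sort
}

# probed_paths IP: the unique paths the client asked for that did not exist,
# useful for recognising which wordlist the scanner used.
probed_paths() {
    awk -v ip="$1" '$1 == ip && $9 ~ /^4[0-9][0-9]$/ { print $7 }' | sort -u
}

# scanner_ua: clients whose User-Agent names a well-known directory scanner.
# Scanners can spoof this, so it complements the count above rather than replacing it.
scanner_ua() {
    awk 'tolower($0) ~ /dirsearch|dirbuster|gobuster|feroxbuster|nikto/ { print $1 }' | sort -u
}

# Demo run on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | detect_dir_scan 5
printf '%s\n' "$SAMPLE_LOG" | probed_paths 203.0.113.5
```

The threshold depends on the site: a normal visitor produces a handful of 404s (missing favicon, stale links), a wordlist scan produces hundreds in seconds. Pipe a real access log in place of SAMPLE_LOG and start with a threshold of 10 to 20 distinct 4xx paths per client.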
POC test & SSH test
Here I used tools for the POC tests, but none of them got a shell; the test URLs and results can be seen in the test record.
So I decided to use the SSH honeypot for the compromise test: enable the SSH honeypot and connect to it. The shell it hands out is a simulated environment, not a real system.
On the management end you can see the commands the attacker executed and the environment the commands ran in, but I have not yet found a counter-attack (countermeasure) function; friends who have seen it, please tell me in the comments.
Compromise test
First add a bait file and open its port. Here I take a Windows attacker machine as the example: click the Windows logo, and the command is copied; then execute it. Assume the attacker has already obtained a shell on the honeypot system and found the bait file.
For convenience of the demonstration I use the download command provided by HFish to fetch the bait file: click the Windows button above to copy the command automatically and run it on the attacker's machine.
View the bait file at the download location.
Here I take SSH as the example and log in with the account and password from the bait file. After logging in, the relevant compromise information appears under Compromise Awareness, and you can see that the target has taken the bait.
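A bait file is most useful when the credentials in it tell you not only that someone took the bait but where they found it. The script below is an added example of that honeytoken technique, not HFish's bait-file feature: each host gets a bait username derived from a secret and the hostname, so when that username shows up at the SSH honeypot you can attribute the hit to the host the attacker read the file on. The secret, the host list, the fake backup config, the 10.0.0.50 honeypot address and the sshd-style log lines are all constructed for the demo; HFish shows its own records in the Compromise Awareness page rather than in this log format.

```bash
#!/usr/bin/env bash
# Per-host bait credentials and attribution of honeypot logins back to the host.
# Added example, not HFish code. BAIT_SECRET, BAIT_PASS, HOSTS, the honeypot
# address and the sample auth log are assumptions/constructed data.

BAIT_SECRET="${BAIT_SECRET:-change-me-before-use}"   # assumed; never put it in the bait file
BAIT_PASS="${BAIT_PASS:-P@ssw0rd-bait}"              # assumed password configured on the honeypot
HONEYPOT_ADDR="${HONEYPOT_ADDR:-10.0.0.50}"          # assumed SSH honeypot address

# Constructed list of hosts the bait file gets planted on.
HOSTS='web01 db01 jump01'

# bait_user HOST: deterministic username for one host, e.g. backup_0f3a1c9e.
# Using a keyed checksum means the host name cannot be read back from the username.
bait_user() {
    local tag
    tag=$(printf '%s:%s' "$BAIT_SECRET" "$1" | cksum | cut -d' ' -f1)
    printf 'backup_%08x' "$tag"
}

# write_bait HOST: print a plausible-looking backup config carrying that host's bait
# credentials; redirect it to the path on HOST where an intruder would look.
write_bait() {
    local user
    user=$(bait_user "$1")
    cat <<EOF
# backup job for $1 - do not edit
BACKUP_HOST=$HONEYPOT_ADDR
BACKUP_USER=$user
BACKUP_PASS=$BAIT_PASS
EOF
}

# attribute USER: print the host whose bait user is USER; non-zero if no host matches.
attribute() {
    local h
    for h in $HOSTS; do
        if [ "$(bait_user "$h")" = "$1" ]; then echo "$h"; return 0; fi
    done
    return 1
}

# match_auth_log: read sshd-style auth lines on stdin, pull "<user> from <ip>",
# and print "ip user planted_on" for every login that used a bait account.
match_auth_log() {
    local line pair host
    while read -r line; do
        pair=$(printf '%s\n' "$line" | sed -n 's/invalid user //; s/.* for \([^ ]*\) from \([0-9.]*\).*/\1 \2/p')
        [ -z "$pair" ] && continue
        set -- $pair
        host=$(attribute "$1") && echo "$2 $1 $host"
    done
}

# Constructed log in sshd syslog style: one success with web01's bait, one
# unrelated guess, one failed attempt with db01's bait.
AUTH_LOG="Jul 12 10:15:01 honeypot sshd[2201]: Accepted password for $(bait_user web01) from 203.0.113.5 port 50022 ssh2
Jul 12 10:15:07 honeypot sshd[2202]: Failed password for invalid user admin from 203.0.113.5 port 50023 ssh2
Jul 12 10:16:44 honeypot sshd[2203]: Failed password for invalid user $(bait_user db01) from 198.51.100.7 port 41000 ssh2"

# Demo: show web01's bait file, then attribute the constructed log.
write_bait web01
printf '%s\n' "$AUTH_LOG" | match_auth_log
```

Because the username is a keyed function of the hostname, you do not need to store a registry of which file went where; keep BAIT_SECRET on the blue team side only. A failed login with a bait user is as significant as a successful one: nobody legitimate knows that account exists.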
Cool big screen
Finally, I found that the honeypot system also has a big-screen (dashboard) function, which feels a bit too cool, so here is a brief look at it.
Postscript
Deploying a honeypot system greatly improves the blue team's active defence capability during HW, and also significantly improves its ability to analyse the red team's attacks. A well-built honeypot system lets the blue team counter-attack directly and take the attacker's shell; at that point a real offensive and defensive confrontation has officially begun.
Tips
For the blue team, the honeypot system should resemble the real business as closely as possible, and it should be deployed to the public network only after it has been debugged on the internal network. There are two views on when to deploy a public-network honeypot.
On the one hand, some masters believe the public-network honeypot should be deployed as early as possible, so that tools such as fofa and Hunter (鹰图) index and record it and the red team takes the bait sooner. On the other hand, some masters believe it should be deployed to the public network as late as possible, so that the honeypot's characteristics are not detected and flagged by tools such as fofa and Hunter, which would make the red team far less likely to bite.