How to recognize a honey-pot ?
  • mandi
    Posts: 207
    I have been studying a target, and I suspect they may have honey-pots.
    How can I confirm my target is running a specific O/S?
    I already did nmap scans and got a result for O/S fingerprinting and got some services on the open ports

    but here are my questions

    1) I have found a list of services running on the web server. Before proceeding to the next step I want to confirm the services are really running on them, because I have heard that honey-pots can be configured to give fake fingerprinting and service results.
    So how can I confirm the service is really running on the specified port?

    2) The Nmap scan tells me it is running a Linux server,
    but I found these services running on their server, which look suspicious to me.



    139/tcp filtered netbios-ssn
    1025/tcp open NFS-or-IIS
    3389/tcp open ms-term-serv


    Does a normal Linux web server run the above services?
    Because it looks suspicious to me. If I am wrong, please correct me.

    So can anyone tell me how I can overcome this?

    Looking for some advice on how to recognize whether the server has a honey-pot or not...?
    Hope I will find some help here...
  • zero
    Posts: 6
    Dude, as far as the matter of the services you described above is concerned, I guess all these services run on Windows machines. Usually Microsoft Terminal Service is a Windows service, and NetBIOS also belongs to Windows. I did not think that these services can be run on Linux. If I'm not wrong, these services belong to the Windows platform.
  • Be careful: just because a port is open and is usually used for running one service, it can also be used to run another one.

    Just thought this should be said >.<
  • mandi
    Posts: 207
    Just figured out a way to find it!!

    Anyway, thanks for your ideas :) If you have any other ideas for detecting honey-pots, please feel free to share here...
  • A good way to test for a honeypot might be to use a fuzzer. Run a tool like AMAP that will send random garbage to the socket that is listening. You might be able to determine if the service is fake by fuzzing out random fields and maybe getting a response back. I tried using a fake honeypot concept with netcat: create a socket that is listening and have nothing behind it, and the attacker has no clue what to do with it.
  • speaking of honeypots, i have had an idea in my head for years now (not sure how to implement it as far as coding goes, just have the idea) that would be almost the ultimate firewall/honeypot combo

    anyone interested further, let me know and i will explain the concept (not even sure it will work, but it MIGHT be feasible)
  • NetBIOS is Windows. So it can't be running a Linux server.
  • that NETBIOS service is being filtered from the upstream provider's firewall from what i can tell