Who is the fish and who is the bait? Summary of honeypot recognition methods from the perspective of red team

introduction

Honeypot technology is essentially a technology to cheat the network attacker , By arranging some simulated systems on the service 、 Network services 、 Or simulate some Internet of things devices to tempt attackers to attack them so as to capture attacks 、 Analyze attack means and methods 、 Or collect some personal information of the attacker to analyze the portrait to achieve the purpose of accurate traceability . When a large-scale attack and defense drill is coming , We summarized some ways and experiences of honeypot recognition , I hope it can help the little friends of the red team .

​

Identification based on Honeypot fingerprint

Fingerprint identification is usually the most direct way to identify business system categories , The honeypot will also leave its unique fingerprint information . Most developers of open source programs want to protect copyright , Or publicity purpose , Will leave copyright identity information , Or using some other open source program will always leave a signature , For example, most open source honeypots have unified return information , Therefore, it is relatively simple to identify open source honeypots that are deployed directly .

The following table shows the fingerprint information of our manually verified open source honeypot ：

In addition to the open source honeypot , Some commercial honeypots also leave fingerprints , For example, a well-known honeypot can be identified in the following ways ：

The honeypot system will load a /js/moment.js, The js yes jsonp The use of code , After obfuscation encryption , contain ：

      
      

       
       var a22l=['B09UBwK='
       
       
var a1l=['zNvUy3rPB24TDa=='
      
      
      
      

       
       
1.
       
       
2.
      
      

Note the direct access to the js Add header Inside the head Referer, No addition Referer It's not the same as the return from adding , The honeypot can be identified by identifying variables .

In addition to the honeypot client , The management end of the honeypot can also be identified by fingerprint , For example, another well-known commercial honeypot can be identified at the management end in the following ways ：

There are three steps to identify the honeypot system , The first step to visit the system home page will jump to /login page , During a visit to /login The page will be loaded umi.js and umi.css.

The second step is to visit /login There will be a paragraph when the page js Code "';}continue;case'", Here it is js The code pushes forward 12 Bit will get a random code.

The third step is to visit /{code}/func-sns.php The return state is 200 And includes "jsonp" Wording , The php The file was finally generated js The file contains some jsonp Loophole .

The fingerprint information of this kind of honeypot can be sorted out and studied by our partners , There will be no more details here .

Identification based on traceability

As mentioned above jsonp Loophole , In fact, many commercial honeypots use major manufacturers （ Such as Taobao 、 Baidu 、 Jingdong etc. ） Front end vulnerability to obtain the identity information of the attacker . This technology mainly relies on the jsonp or xss Loophole , Accumulate these vulnerabilities into the front-end js Puddle code , When the user's browser parses these js When asked , Obtain the fingerprint information of the user in these mainstream applications across domains , So as to achieve the purpose of identity traceability . The following figure is a screenshot of a self-developed system using this technology to capture fingerprint information of major mainstream applications ：

However, the fingerprint acquisition technology based on the front end is the fingerprint information obtained by transferring the data loaded on the user side to the server . Actually implement jsonp or xss The request for is made on the user side , This native request cannot be encrypted or obfuscated . Even if some systems are disabled F12 Debug panel or regularly clear the network connection of the debug window , We can still get the request link of the foreign domain by capturing packets . When we find that when accessing an application system, there are a lot of requests to major mainstream manufacturers ajax A high probability is that you will encounter a honeypot when requesting , Attackers can also exploit the front-end vulnerabilities of a wave of manufacturers by capturing packets .

in fact chrome80 In the future, it will default that cross domain carrying is not allowed in the case of cross domain requests cookie To the back end , The cross domain request that causes the honeypot page to obtain the resources of the attacker's fingerprint data will no longer carry session cookie, It is equivalent to accessing data acquisition in an unregistered state jsonp or xss link , Naturally, fingerprint data cannot be obtained , So that jsonp or xss（ With iframe Tag nesting ） The way to get fingerprints in an attacker's use chrome Browser failure . meanwhile , With firefox Other leading browser manufacturers have also informed that they will use this security policy in the near future . This kind of front-end fingerprint acquisition technology will eventually become history , However, we can still recognize honeypots through such features .

Identification based on configuration distortion

Honeypot system in order to capture attacks , Will let oneself become “ Especially easy to identify ”, This leads to configuration distortion . Some students who do penetration attacks or exploit vulnerabilities should have such experience , There are always oneortwo stations that are always within the condition of fingerprint identification when scanning the target for batch vulnerabilities . They are generally similar , In the returned information, a large number of *** Or return header Very long , These are not in line with common sense web service . This kind of honeypot is mainly used to collect the attack behavior of attackers , At the same time, it can capture the attack payload used by the attacker , Even 0day Loophole . Usually this kind of honeypot will be in server、header、title And other fields will return a large number of feature information , If you follow server Found a system that is iis It's also apache Of , This is logically unreasonable , Is a typical honeypot feature .

besides , The open port of honeypot system may also lead to configuration distortion . For example, one server is opened at the same time 22 and 3389 port , or 8080 Port display windows, and 8081 Show ubuntu. The above are port configurations that do not conform to common sense , Basically, it can be recognized as a honeypot , However, the proxy mapping service of some firewall devices is not excluded , Therefore, it is necessary to conduct secondary identification manually .

Identification based on Honeynet characteristics

After obtaining the permission of a certain system , We need to judge whether the system is a honeypot or in a Honeynet . Because Honeynet usually needs to simulate various systems or equipment , So you don't usually use real physical machines , Usually virtual machines . Then virtual machine is a necessary and insufficient condition for the existence of Honeynet , We can preliminarily judge whether the virtual machine is in a Honeynet by detecting the characteristics of the virtual machine . Virtual machines have many features , Such as ：

1、VM Virtual machines are commonly used mac Address prefix ：00-05-69,00-0C-29,00-50-56 etc.

2、 Judge OpenVZ/Xen PV/UML, This method is a common and accurate way to identify virtual machines , There are a lot of demo The procedure is for reference .

Of course, virtualization is only a weak feature of Honeynet , This is just a reminder to the attacker , If the device under current control is found to be a virtual machine , Then you need to be careful , In addition to the fact that some real businesses are actually deployed on the virtualization platform , It may also fall into a Honeynet .

besides , Most Honeynet administrators are afraid to take responsibility , In order to prevent attackers from using Honeynet as a springboard to attack third-party systems , The upper limit of outbound connections is usually set , For example, only 15 Two outbound TCP link , We can send a lot of syn Packets are sent to other hosts for detection and identification .

Recognition based on forged scenes

In some highly interactive honeypots , In order to entice an attacker to attack the system , Honeypots are usually set up very realistically , It not only fits the business, but also some common attack routines of attackers “ Pit trapping ”. Here are two honeypot scenarios I have encountered , When a system is easily taken down by you , First ask yourself whether the system has been taken down or whether you have been taken down .

The first case is mobile phone number entrapment identification , Mobile phone number entrapment is mainly based on letting users input their mobile phone number spontaneously to obtain their real phone number , Commonly used scenarios are SMS verification codes . The core idea of using mobile phone numbers to trap is how to lure attackers to use their mobile phone numbers to collect verification codes to complete sensitive system operations . Honeypot will construct some special scenes to realize the concealment of the reaction , For example, deliberately disclose the source code file of the trap site , Then upload vulnerabilities are preset in the source file , In order to upload successfully, we must return the SMS verification code to the utilization condition of the upload vulnerability , Attackers will often let down their guard after following a set of procedures , Think this is not a honeypot , In order to obtain webshell And use your own mobile number , So as to obtain such information .

For this kind of honeypot , Red team personnel should be vigilant at all times , Some online access platforms can be used for mobile phone verification . Even if there is no available decoding platform , You can also use uncommon mobile numbers, new mobile numbers or Alibaba small numbers , Generally, after getting your mobile phone number , A round of social work database query will be conducted , therefore Using the new mobile number can effectively avoid being painted .

The second case is the honeypot based on email , As the system that the attacker focuses on, the mail server contains a lot of sensitive information . From the experience of previous offensive and defensive drills , Many attackers use email content as a starting point , Look up sensitive information to launch attacks on relevant systems . In turn, this idea can also be applied to honeypots , The classic case is to preset an email system , Deliberately set the weak password of the administrator , Put in the mail the same as “ Operations staff ” Communication records , You can put... In the attachment vpn client 、 Website login signature program and other fake software , In essence, it is a Trojan horse to obtain sensitive information on the attacker's host , The attacker can obtain the information after downloading and using . To distinguish whether a visitor is an attacker or a normal user , It can be set at the landing port “ Forget the password ” Wait for the trap button , As shown in the figure below ：

The scenario constructed using the above figure not only prompts the attacker's administrator's account , At the same time, you can also reset the administrator's password by forgetting the password instead of using a weak password （ The answers to the account prompt questions can be exhaustive ）, This greatly reduces the vigilance of the attacker , Improved the success rate of traceability .

The purpose of this kind of honeypot is to trace the source of the attacker , For executable programs obtained from any source , It is better to carry out sandbox detection first , After detection, use the virtual machine to run to prevent traceability .

​  Click to learn more ​