- BEWARE OF UPCOMING CHANGES
- RELOAD PAGE from time to time
- Firewall has NOT been opened yet, traffic is still filtered to B118
- [previously] "Lab 1 - Introduction to the Internet and the OSI-model" Addressing, Addresses,
- [previously] "Lab 2 - Reconnaissance Phase"
- [previously] "Lab 3 - Vulnerability Scan" - Use OpenVAS and Nessus to scan for vulnerabilities in the networks found in Lab 2.
- [now] "Lab 4 - Become Vulnerable, Be the Target" - Now we flip the situation: we passively sit and wait to be attacked, exposed to all the dangers of the (nowadays evil) Internet.
By putting a computer on the Internet, unprotected and without any type of firewall, what (malicious) traffic will it attract?
First you gather a lot of data for a long time, then you save the data into a file, and finally you present the data in three different ways in SPLUNK.
Check that the log file is growing by the minute with the command journalctl | grep robert
EXAMPLE
Aug 4 13:23:00 kali kernel: robert IN=eth0 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
QUESTION: Collect iptables data for 4 hours. How many attacks per minute? Generate the histogram below (log10 y-axis) of the most attacked ports! List the 10 least attacked ports.
You can use Excel (bad), or learn how to use SPLUNK as shown below (good)
TIP: Use the command journalctl | grep robert > attacker.log to create a file with only your data
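As an added example (not part of the lab page), the script below parses journal lines in the format shown above and computes the three things the question asks for: attacks per minute, a log10 histogram of destination ports and the least attacked ports. The sample lines are constructed (the first is the page's own example, the rest are made up); the "robert" prefix is the one the lab's LOG rule uses. On the lab machine you would feed it the contents of /var/log/attacker.log instead of the embedded sample.

```python
import math
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_PREFIX = "robert"  # --log-prefix of the lab's iptables LOG rule (from the page)

# Constructed sample in the journal format shown above. The first line is the
# page's own example; the others are made-up entries with a few different ports.
# The last line is a kernel message without the prefix and must be ignored.
SAMPLE_LOG = """\
Aug 4 13:23:00 kali kernel: robert IN=eth0 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 4 13:23:07 kali kernel: robert IN=eth0 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=198.51.100.7 DST=192.168.1.23 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 4 13:23:41 kali kernel: robert IN=eth0 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=198.51.100.7 DST=192.168.1.23 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 4 13:24:12 kali kernel: robert IN=eth0 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=203.0.113.9 DST=192.168.1.23 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=3 PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 4 13:24:58 kali kernel: robert IN=eth0 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=203.0.113.9 DST=192.168.1.23 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=4 PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 4 13:26:05 kali kernel: robert IN=eth0 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.0.2.77 DST=192.168.1.23 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5 DF PROTO=UDP SPT=5060 DPT=5060 LEN=40
Aug 4 13:26:33 kali kernel: robert IN=eth0 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.0.2.77 DST=192.168.1.23 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=6 PROTO=TCP SPT=33000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 4 13:26:40 kali kernel: some other kernel message without the prefix
"""

# syslog-style timestamp, host, "kernel:", our prefix, then the KEY=VALUE fields
ENTRY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):\d\d "
    r"\S+ kernel: " + re.escape(LOG_PREFIX) + r" (?P<fields>.*)$"
)


def parse_entries(text):
    """Return one dict per LOG entry that carries a destination port."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line or a kernel message that is not ours
        # Flags such as DF and SYN have no '=' and are dropped; duplicate keys keep the last value.
        fields = dict(tok.split("=", 1) for tok in m["fields"].split() if "=" in tok)
        if "DPT" not in fields:
            continue  # e.g. ICMP entries have no ports
        # No year in the journal line; strptime defaults to 1900, which is fine for a minute index.
        stamp = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['hh']}:{m['mm']}", "%b %d %H:%M")
        entries.append({
            "minute": f"{m['mon']} {int(m['day'])} {m['hh']}:{m['mm']}",
            "minute_index": (stamp - datetime(1900, 1, 1)) // timedelta(minutes=1),
            "proto": fields.get("PROTO", "?"),
            "src": fields.get("SRC", "?"),
            "dpt": int(fields["DPT"]),
        })
    return entries


def attacks_per_minute(entries):
    """Entries per wall-clock minute (what a Splunk timechart with span=1m would plot)."""
    return Counter(e["minute"] for e in entries)


def mean_attacks_per_minute(entries):
    """Total entries divided by the minutes the capture spans, quiet minutes included."""
    if not entries:
        return 0.0
    idx = [e["minute_index"] for e in entries]
    return len(entries) / (max(idx) - min(idx) + 1)


def port_histogram(entries):
    """(port, count, log10(count)) for every attacked port, most attacked first."""
    counts = Counter(e["dpt"] for e in entries)
    return [(port, n, round(math.log10(n), 3)) for port, n in counts.most_common()]


def least_attacked_ports(entries, n=10):
    """The n ports seen least often (ties broken by port number)."""
    counts = Counter(e["dpt"] for e in entries)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print(f"{len(entries)} entries, {mean_attacks_per_minute(entries):.2f} attacks/minute")
    for port, n, lg in port_histogram(entries):
        print(f"DPT {port:>6} {n:>6} {'#' * int(round(lg * 10))}")  # text bar, log10 scale
    print("least attacked:", least_attacked_ports(entries))
```

Note that mean_attacks_per_minute divides by the whole capture window, so minutes with no traffic lower the rate, which is the figure the question is after; a Counter of busy minutes alone would overstate it.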
SPLUNK is a commercial alternative to the ELK stack, i.e. Elasticsearch, Logstash & Kibana
Not so difficult
Search data and Draw the Map
source="/var/log/attacker.log"
source="/var/log/attacker.log" SRC
0.0.0.0 123
1.0.232.123 23
1.1.12.4 12
SRC           count  City       Country        Region  lat       lon
0.0.0.0       176
1.0.243.134   1                 Thailand               13.75000  100.46670
123.10.169.5  1      Uddevalla  Sweden                 58.34980  11.93560
1.10.170.79   1                 Thailand               13.75000  100.46670
1.11.242.151  1      Seoul      Rep. of Korea  Seoul   37.51110  126.97430
NICE MAP
Latitude   Longitude   Count
-49.12312  -68.123123  12
12.45234   31.1231     7
-12.12312  12.1233     300
SRC | iplocation SRC | search Country="Sweden" | stats count by City | sort - count | head 16
Final result: the three (3) searches on one dashboard:
QUESTION: Generate the above dashboard with three ELEMENTS (1. lin-log histogram of attacked ports, 2. map of source locations, 3. top Swedish towns that attacked your computer) and put a screenshot of it in your report
Intro
Firstly: the idea behind T-Pot🍯 is to create a system whose entire TCP network range, as well as some important UDP services, acts as a honeypot.
Secondly: to forward all incoming attack traffic to the best-suited honeypot daemons in order to respond to and process it.
Warning!
* If you boot from the T-Pot USB stick - IT WILL KILL YOUR HARD DISK !! This is an automated installer that partitions & reformats your computer
* The installer requires Legacy BIOS, not UEFI
Watch the YouTube video
QUESTION What is a container (not a Virtual Machine) and what is it used for?
QUESTION: a/ Explain the above architecture of T-Pot! b/ According to your port histogram in SPLUNK, which subsystem container honeypots will be used the most?
QUESTION: Evaluate the difference between Cowrie and Suricata; what are your findings?
QUESTION: From the table below:
a/ which of the 4 attacks ("Cross site scripting", "SQL Injection", "Trojans" & "Information Disclosure") can you observe in T-Pot🍯?
b/ How many of each?
QUESTION: From the table above and the figure "T-Pot🍯 Architecture" above; which honeypot is most suitable for finding these types of attacks?
QUESTION: Make sure that you have at least 24 hours of data in T-Pot🍯
a/ Change the time interval (top-right) to last 24 hours/one day
b/ Which CVE (attack) do you think is the most serious that your vulnerable system has been attacked with? (Probably not the one with the highest CVSS score)
c/ Make a screenshot of the most interesting (or funny) thing you have discovered in the T-Pot🍯 arsenal of honeypots. Motivate!
QUESTION: I think the ASA honeypot is the most obscure & niche honeypot in the T-Pot🍯 collection
a/ Find another honeypot that you find as obscure & niche as possible!
b/ Are there any attacks against that honeypot?
wget -O splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.3&product=splunk&filename=splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm&wget=true'
echo "--------------------------"
yum localinstall splunk-6.5.3-36937ad027d4-linux-2.6-x86_64.rpm
rpm -ql splunk | grep splunk
echo "--------------------------"
firewall-cmd --add-rich-rule='rule family="ipv4" port port="8000" protocol="tcp" accept'