
SANS ISC: Honeyports, powershell script - SANS Internet Storm Center


Honeyports, powershell script

If you happen to want to run your honeypot on a Windows system, then Honeyport is something worth trying.

Honeyports is a PowerShell script that creates a job listening on the TCP ports you specify; when a connection is established, it can either simply log the event or add a local firewall rule that blocks the connecting host from any further connections.

The script was written by John Hoyt, Carlos Perez and Greg Foss, and it is available at https://github.com/Pwdrkeg/honeyport/

Once you have downloaded the script, you need to run it with administrator privileges. In this example I am going to configure it to listen on port 2222:

.\honeyport.ps1 -ports 2222


One of the best features of the Honeyports PowerShell script is that it logs to the Windows event log; the events are written to a dedicated log named honeyport (the name used with Get-EventLog below).
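To show what the script is doing under the hood, here is a stripped-down honeyport listener of my own, added to this diary as an illustration rather than taken from honeyport.ps1: it accepts and immediately drops connections on one TCP port and records every probe in its own Windows event log, so the entries can be read with Get-EventLog just like the script's. The log name, source name and event IDs are my choices and not the script's (the script's output further down uses the source BlueKit with IDs 1001 and 1002), and it assumes an elevated Windows PowerShell session, since New-EventLog and Write-EventLog are not available in PowerShell Core.

```powershell
# Added demo listener, not the honeyport.ps1 script itself.
# Log/source names and event IDs below are my own choices.
param(
    [int]$Port = 2222,
    [string]$LogName = 'HoneyPortDemo',
    [string]$Source  = 'HoneyPortDemo'
)

# Register the log and source once; creating an event source needs administrator rights.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $Port)
$listener.Start()
Write-EventLog -LogName $LogName -Source $Source -EventId 1001 -EntryType Information `
    -Message "Demo HoneyPort has started listening for connections on port $Port"

try {
    while ($true) {
        # Blocks until someone connects. The honeyport never sends a banner or any
        # other data, so a plain port scan or a netcat connect is enough to trigger it.
        $client = $listener.AcceptTcpClient()
        $remote = $client.Client.RemoteEndPoint   # System.Net.IPEndPoint of the prober
        $client.Close()                            # drop the connection immediately

        Write-EventLog -LogName $LogName -Source $Source -EventId 1002 -EntryType Information `
            -Message "$($remote.Address) has probed the demo HoneyPort on port $Port (source port $($remote.Port))"
    }
}
finally {
    # Reached when the script is interrupted or the hosting job is stopped.
    $listener.Stop()
    Write-EventLog -LogName $LogName -Source $Source -EventId 1003 -EntryType Information `
        -Message "Demo HoneyPort has stopped listening on port $Port"
}
```

To mimic the script's job-based approach, save this as a .ps1 file and start it with Start-Job -Name HoneyPortDemo -FilePath .\demo-honeyport.ps1 -ArgumentList 2222, then stop and remove the job the same way the diary does for the real script at the end.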

Now let's try to connect to port 2222 and see what happens.

From another machine I will use netcat to connect to port 2222:

nc 192.168.8.104 2222


Then I will run the following PowerShell command:

Get-EventLog honeyport

Index Time          EntryType   Source                 InstanceID Message
----- ----          ---------   ------                 ---------- -------
108216 Apr 22 14:48  Information BlueKit                      1002 192.168.8.105 has probed the HoneyPort on port ...
108215 Apr 22 14:47  Information BlueKit                      1001 HoneyPort has started listening for connections...
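Reading the raw rows is fine for one probe, but a defender will want them rolled up per source address. The helper below is mine and not part of honeyport.ps1; it accepts objects shaped like the Get-EventLog rows above (InstanceId and Message), so the live log can be piped in with Get-EventLog -LogName honeyport | Get-HoneyPortProbeSummary. It assumes the message layout seen in this diary ("<ip> has probed the HoneyPort on port N" and "<ip> has been blocked on port N") and event ID 1002 for both, and the sample entries at the bottom are constructed to mirror the diary's rows, not real log data.

```powershell
# Added helper, not part of honeyport.ps1. Summarises probe events per source address.
function Get-HoneyPortProbeSummary {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] $Entry,
        [int]$ProbeEventId = 1002    # ID the script used for the probe/block rows above
    )
    begin { $stats = @{} }
    process {
        if ($Entry.InstanceId -ne $ProbeEventId) { return }
        # The port is optional because Get-EventLog's table view truncates long messages with "...".
        $pattern = '^(?<ip>\d{1,3}(?:\.\d{1,3}){3}) has (?<what>probed|been blocked)(?:.*?port (?<port>\d+))?'
        if (-not ($Entry.Message -match $pattern)) { return }
        $ip = $Matches.ip
        if (-not $stats.ContainsKey($ip)) {
            $stats[$ip] = [pscustomobject]@{ Address = $ip; Probes = 0; Blocked = $false; Ports = @() }
        }
        $s = $stats[$ip]
        if ($Matches.what -eq 'probed') {
            $s.Probes++
            if ($Matches.port -and ($s.Ports -notcontains [int]$Matches.port)) { $s.Ports += [int]$Matches.port }
        } else {
            $s.Blocked = $true   # a "has been blocked" row means the firewall rule was added
        }
    }
    end { $stats.Values | Sort-Object Probes -Descending }
}

# Constructed sample entries mirroring the diary's rows (not real log data).
$sample = @(
    [pscustomobject]@{ InstanceId = 1001; Message = 'HoneyPort has started listening for connections on port 2222' }
    [pscustomobject]@{ InstanceId = 1002; Message = '192.168.8.105 has probed the HoneyPort on port 2222' }
    [pscustomobject]@{ InstanceId = 1002; Message = '192.168.8.105 has probed the HoneyPort on port 4444' }
    [pscustomobject]@{ InstanceId = 1002; Message = '192.168.8.105 has been blocked on port 4444' }
)
$sample | Get-HoneyPortProbeSummary |
    Format-Table Address, Probes, Blocked, @{ n = 'Ports'; e = { $_.Ports -join ',' } }
```

Because the summary keys on the address and keeps the list of ports touched, a host that walks several honeyports in a row stands out at a glance, which is usually the first thing you want to know before deciding whether to let the script block it.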


Now let's explore one more thing: Honeyports can block the IP address that established a connection to the specified port by adding a new rule to the Windows Firewall.

.\honeyport.ps1 -ports 4444 -block $true


And when we check the event log:

Index Time          EntryType   Source                 InstanceID Message
----- ----          ---------   ------                 ---------- -------
115644 Apr 22 16:36  Information BlueKit                      1002 192.168.8.105 has been blocked on port 4444
115643 Apr 22 16:36  Information BlueKit                      1002 192.168.8.105 has probed the HoneyPort on port ...


The script will block only TCP traffic from that IP address. If you would like to block all traffic from it, you need to make a small modification to the script.

On line 133 you have to change

$rule.Protocol = 6

to

$rule.Protocol = 256   # NET_FW_IP_PROTOCOL_ANY, i.e. all protocols

(A bare word such as all is not valid PowerShell here. The Windows Firewall COM rule object that takes the integer 6 for TCP expects 256, the NET_FW_IP_PROTOCOL_ANY value, when the rule should match every protocol.)

And after you're done with Honeyports, you should stop the job by running:

Stop-Job -Name HoneyPort
Remove-Job -Name HoneyPort


And don't forget to unblock the IP addresses that have been blocked by the script by running:

Remove-NetFirewallRule -DisplayName "Block scanner"
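To make the protocol change and the clean-up step concrete, here is an added example of my own (not the script's code) that creates and removes the same kind of "Block scanner" inbound rule through the Windows Firewall COM API, with the protocol selectable. It assumes the script builds its rule with the HNetCfg.FWRule COM object, which the integer protocol value 6 suggests, and the function names are mine. The 192.168.8.105 address in the usage lines is just the scanner address from this diary reused as a sample value.

```powershell
# Added example, not honeyport.ps1's own code. Assumes the HNetCfg.FWRule COM API.
# Protocol values come from the NET_FW_IP_PROTOCOL_ enumeration.
$NET_FW_IP_PROTOCOL_TCP = 6      # what the script sets on line 133
$NET_FW_IP_PROTOCOL_ANY = 256    # every protocol: the value the "block all traffic" change needs

function Add-ScannerBlockRule {
    param(
        [Parameter(Mandatory)][System.Net.IPAddress]$RemoteAddress,
        [int]$Protocol = $NET_FW_IP_PROTOCOL_TCP,
        [string]$RuleName = 'Block scanner'
    )
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $rule   = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $RuleName
    $rule.Description     = "HoneyPort demo: block $RemoteAddress, protocol $Protocol"
    $rule.Protocol        = $Protocol
    $rule.RemoteAddresses = $RemoteAddress.ToString()
    $rule.Direction       = 1            # NET_FW_RULE_DIR_IN
    $rule.Action          = 0            # NET_FW_ACTION_BLOCK
    $rule.Profiles        = 0x7FFFFFFF   # NET_FW_PROFILE2_ALL
    $rule.Enabled         = $true
    # LocalPorts/RemotePorts are only valid for TCP and UDP, so a rule meant to
    # cover every protocol must leave them unset.
    $policy.Rules.Add($rule)
}

function Get-ScannerBlockRule {
    param([string]$RuleName = 'Block scanner')
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $policy.Rules | Where-Object Name -eq $RuleName |
        Select-Object Name, RemoteAddresses, Protocol, Enabled
}

function Remove-ScannerBlockRule {
    # Same clean-up the diary does with Remove-NetFirewallRule -DisplayName "Block scanner":
    # a COM rule's Name is what the NetSecurity cmdlets report as DisplayName.
    param([string]$RuleName = 'Block scanner')
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $found  = @($policy.Rules | Where-Object Name -eq $RuleName)
    foreach ($r in $found) { $policy.Rules.Remove($r.Name) }
    $found.Count   # number of rules that matched the name
}

# Usage from an elevated PowerShell session (sample address taken from this diary):
# Add-ScannerBlockRule -RemoteAddress 192.168.8.105                                    # TCP only, as the script does
# Add-ScannerBlockRule -RemoteAddress 192.168.8.105 -Protocol $NET_FW_IP_PROTOCOL_ANY  # all traffic
# Get-ScannerBlockRule
# Remove-ScannerBlockRule
```

Note that the script reuses one rule name for every blocked host, which is why the diary's clean-up command removes them all at once; Get-ScannerBlockRule lets you review which addresses are currently blocked before you do that.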


Basil

ISC Handler
