Honeyports, powershell script
If you would like to run your honeypot on a Windows system, then Honeyports is worth a try.
Honeyports is a PowerShell script that creates a job listening on the specified TCP ports. When a connection is established, it can either simply log it or add a local firewall rule to block the host from further connections.
The script was written by John Hoyt, Carlos Perez and Greg Foss, and it's available at https://github.com/Pwdrkeg/honeyport/
Once you download the script, you need to run it with administrator privileges. In this example I am going to configure it to listen on port 2222:
.\honeyport.ps1 -ports 2222
One of the greatest features of the honeyports PowerShell script is that it logs to the Windows event log; the events are logged under the name honeyports.
Now let's try to connect to port 2222 and see what happens.
From another machine I will netcat to port 2222:
nc 192.168.8.104 2222
And I will run the following powershell command
Get-EventLog honeyport

 Index Time         EntryType   Source  InstanceID Message
 ----- ----         ---------   ------  ---------- -------
108216 Apr 22 14:48 Information BlueKit       1002 192.168.8.105 has probed the HoneyPort on port ...
108215 Apr 22 14:47 Information BlueKit       1001 HoneyPort has started listening for connections...
Now let's explore one more thing: honeyports can block the IP address that established a connection to the specified port by adding a new rule to the Windows Firewall.
.\honeyport.ps1 -ports 4444 -block $true
And when we check the event log:

 Index Time         EntryType   Source  InstanceID Message
 ----- ----         ---------   ------  ---------- -------
115644 Apr 22 16:36 Information BlueKit       1002 192.168.8.105 has been blocked on port 4444
115643 Apr 22 16:36 Information BlueKit       1002 192.168.8.105 has probed the HoneyPort on port ...
The script will block only TCP traffic from that IP address. If you would like to block all traffic from it, you need to make a small modification to the script.
On line 133 you have to change
$rule.Protocol = 6
To
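$rule.Protocol = 256   # 256 = any protocol (NET_FW_IP_PROTOCOL_ANY), assuming $rule is the HNetCfg.FWRule COM object; a bare "all" is not valid PowerShell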
And after you're done with the honeyports, you should stop the job by running:
Stop-Job -Name HoneyPort
And don’t forget to unblock the IP addresses that have been blocked by the script by running
Remove-NetFirewallRule -DisplayName "Block scanner"
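
Before stopping the job and removing the block rules, it helps to know which hosts touched the honeyport and which of them were blocked. The following is an added example, not part of honeyport.ps1 or of the original post: the function name Get-HoneyportSummary, the sample events and the full message text (the output above truncates it) are assumptions.

```powershell
# Added example, not part of honeyport.ps1: per-source summary of HoneyPort events.
function Get-HoneyportSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$InputObject)
    begin { $bySource = @{} }
    process {
        # InstanceID 1001 is the start-up notice; 1002 entries name a remote host.
        if ($InputObject.InstanceId -ne 1002) { return }
        # Assumed full message shapes: "<ip> has probed the HoneyPort on port <n>"
        # and "<ip> has been blocked on port <n>". Anything else is skipped.
        $pattern = '^(?<ip>\S+) has (?<what>probed|been blocked)\b.* port (?<port>\d{1,5})\b'
        if (-not ($InputObject.Message -match $pattern)) { return }
        $address = $null
        if (-not [System.Net.IPAddress]::TryParse($Matches.ip, [ref]$address)) { return }
        $key = $address.ToString()
        if (-not $bySource.ContainsKey($key)) {
            $bySource[$key] = [pscustomobject]@{
                Source    = $key
                Probes    = 0
                Blocked   = $false
                Ports     = [System.Collections.Generic.SortedSet[int]]::new()
                FirstSeen = $InputObject.TimeGenerated
                LastSeen  = $InputObject.TimeGenerated
            }
        }
        $entry = $bySource[$key]
        if ($Matches.what -eq 'probed') { $entry.Probes++ } else { $entry.Blocked = $true }
        [void]$entry.Ports.Add([int]$Matches.port)
        if ($InputObject.TimeGenerated -lt $entry.FirstSeen) { $entry.FirstSeen = $InputObject.TimeGenerated }
        if ($InputObject.TimeGenerated -gt $entry.LastSeen)  { $entry.LastSeen  = $InputObject.TimeGenerated }
    }
    end { $bySource.Values | Sort-Object Probes -Descending }
}

# Constructed sample events standing in for the output of: Get-EventLog honeyport
$sample = @(
    [pscustomobject]@{ InstanceId = 1001; TimeGenerated = [datetime]'2024-04-22T16:30'; Message = 'HoneyPort has started listening for connections' }
    [pscustomobject]@{ InstanceId = 1002; TimeGenerated = [datetime]'2024-04-22T16:36'; Message = '192.168.8.105 has probed the HoneyPort on port 4444' }
    [pscustomobject]@{ InstanceId = 1002; TimeGenerated = [datetime]'2024-04-22T16:36'; Message = '192.168.8.105 has been blocked on port 4444' }
    [pscustomobject]@{ InstanceId = 1002; TimeGenerated = [datetime]'2024-04-22T16:41'; Message = '192.168.8.110 has probed the HoneyPort on port 2222' }
    [pscustomobject]@{ InstanceId = 1002; TimeGenerated = [datetime]'2024-04-22T16:42'; Message = 'not-an-address has probed the HoneyPort on port 2222' }
)
$sample | Get-HoneyportSummary | Format-Table Source, Probes, Blocked, Ports, FirstSeen, LastSeen

# On the honeypot host itself (Windows PowerShell 5.1):
# Get-EventLog -LogName honeyport -InstanceId 1002 | Get-HoneyportSummary
```

Sources with Blocked set to True are the ones that the Remove-NetFirewallRule cleanup step will release.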