CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [85]
A honeypot is a decoy system placed in your network's Demilitarized Zone (DMZ), set up by a security professional to trap hackers, to aid in locating them, or to draw them away from the real target system. Because the honeypot looks like a system worth attacking, a malicious attacker may try to compromise it; software on the honeypot logs information about the attacker, such as the source IP address, which can be used to try to locate the attacker either during or after the attack. The best location for a honeypot is in front of the firewall on the DMZ, where it is very attractive to hackers. A honeypot with a static address looks just like a real production server.
The easiest way to bypass a firewall is to compromise a system on the trusted or internal side of the firewall. The compromised system can then connect through the firewall, from the trusted to the untrusted side, to the hacker's system. A common method of doing this is to make the compromised system connect to the hacker with destination port 80, which looks just like a web client connecting to a web server through the firewall. This is referred to as a reverse WWW shell.
Using a tunnel to send HTTP traffic, the hacker bypasses the firewall and makes the attack look innocuous to the firewall; such attacks are virtually untraceable by system administrators. Hacking programs can create covert channels, which let the attack traffic travel down an allowed path such as an Internet Control Message Protocol (ICMP) ping request or reply. Another method of utilizing a covert channel tunnels the attack traffic as a TCP acknowledgment.
To evade the trap set by a honeypot, a hacker can run anti-honeypot software that tries to determine whether a honeypot is running on the target system and warns the hacker if so. In this way a hacker can attempt to evade detection by not attacking a honeypot. Most anti-honeypot software compares the software running on the system against a known list of honeypots such as honeyd.
Hacking Tools
007 Shell is a shell-tunneling program that lets a hacker use a covert channel for the attack and thus bypass firewall rules.
ICMP Shell is a program similar to Telnet that a hacker uses to make a connection to a target system using just ICMP commands, which are usually allowed through a firewall.
AckCmd is a client/server program that communicates using only TCP ACK packets, which can usually pass through a firewall.
Covert_TCP is a program that a hacker uses to send a file through a firewall one byte at a time by hiding the data in the IP header.
Send-Safe Honeypot Hunter is a honeypot-detection tool that checks against a proxy server for honeypots.
The reverse WWW shell attack works because most firewalls permit outgoing connections to port 80 by default.
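Detection logic for the three covert channels described above (ICMP tunnelling, ACK-only tunnelling such as AckCmd, and the reverse WWW shell over port 80), as an added example that is not from the review guide; the packet log, the 10.0.0.0/24 internal range, the documentation addresses and the thresholds are constructed assumptions.

```python
# Added example (not from the book): flags covert-channel patterns over a constructed packet log.
import math
from collections import Counter

# Constructed sample traffic: (proto, src, dst, dport, flags, payload); 10.0.0.x is the trusted side.
PACKETS = [
    ("icmp", "10.0.0.5", "192.0.2.1", None, "echo", b"\x00" * 56),                  # ordinary ping
    ("icmp", "10.0.0.7", "203.0.113.9", None, "echo", bytes(range(200)) + b"abc"),  # oversized, high entropy
    ("tcp", "10.0.0.5", "198.51.100.2", 80, "S", b""),
    ("tcp", "10.0.0.5", "198.51.100.2", 80, "A", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("tcp", "10.0.0.9", "203.0.113.9", 80, "S", b""),
    ("tcp", "10.0.0.9", "203.0.113.9", 80, "A", b"\x7f\x00\x13\x37not-http"),        # port 80, not HTTP
    ("tcp", "203.0.113.9", "10.0.0.9", 4444, "A", b"\x01\x02\x03"),                  # ACK, no handshake
]
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ping filler is near 0, compressed or encrypted tunnel payloads approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_http_request(payload: bytes) -> bool:
    """True if the first line of the payload looks like a real HTTP request line."""
    first_line = payload.split(b"\r\n", 1)[0]
    return payload.startswith(HTTP_METHODS) and b" HTTP/" in first_line

def find_covert_indicators(packets, internal_prefix="10.0.0."):
    """Return (rule, src, dst) for each packet that matches a covert-channel heuristic."""
    findings = []
    syn_seen = set()  # (src, dst, dport) tuples for which a SYN was observed
    for proto, src, dst, dport, flags, payload in packets:
        if proto == "icmp" and flags == "echo":
            # Normal pings carry 32 (Windows) or 56 (Linux) bytes of low-entropy filler.
            if len(payload) > 64 or shannon_entropy(payload) > 5.0:
                findings.append(("icmp_tunnel", src, dst))
        elif proto == "tcp":
            key = (src, dst, dport)
            if "S" in flags:
                syn_seen.add(key)
                continue
            if "A" in flags and key not in syn_seen and dst.startswith(internal_prefix):
                # An ACK reaching an inside host with no handshake: what a stateless filter lets through
                findings.append(("ack_tunnel", src, dst))
            if dport == 80 and src.startswith(internal_prefix) and payload and not is_http_request(payload):
                # Outbound port 80 that never speaks HTTP: the reverse WWW shell pattern
                findings.append(("reverse_www_shell", src, dst))
    return findings
```

A stateful firewall drops the handshake-less ACK on its own; the other two rules are what an IDS or flow monitor behind the firewall needs.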
Countermeasures
Specter is a honeypot system that can automatically capture information about a hacker's machine while they're attacking the system.
Honeyd is an open source honeypot that creates virtual hosts on a network that are then targeted by hackers.
KFSensor is a host-based IDS that acts as a honeypot and can simulate virtual services and Trojan installations.
Sebek is a data-capturing honeypot tool that captures an attacker's keystrokes.
Nessus Vulnerability Scanner (http://www.nessus.org/) can also be used to detect honeypots.
Exam Essentials
Know the two main types of IDSs. IDSs can be either host-based or network-based. A host-based IDS is operating system-specific and protects a single system. A network-based IDS can protect the entire network.
Know the definition of a honeypot. A honeypot resides in a DMZ as a vulnerable host and advertises services and software to entice a hacker to hack the system.
Know the definition of a firewall. A firewall is a packet-filtering device that compares traffic to a list of rules and filters traffic from an untrusted network to a trusted network.
Understand how to detect a honeypot. A honeypot