Commercial anti-honeypot tool Nov 17 2003 08:38PM
Bill McCarty (bmccarty pt-net net) (2 replies)
Commercial anti-honeypot tool Jan 12 2004 03:14PM
KeyFocus (support keyfocus net)
A couple of months back Bill McCarty posted a reference to Hon.eypot
Hun.ter, a commercial tool to identify honeypot systems.

I finally found some time to download and play with it.
If the risks in running such an application have put you off, but you want to
know how this tool works, then you may find the following interesting :-)

- Tom


Hon.eypot Hun.ter is made by "Send Safe" which specialise in selling a
serious bulk emailing package.
Their bulk emailer is sold on a per usage basis. $10 per million emails may
sound cheap, but given the amount of spam their customers pump out they must
be making a tidy sum.

Their software contains all the latest spamming tricks such as the ability
to add random words and techniques to fool AOL.
However the key selling point is how it uses SOCKS servers to provide
anonymity to their customers.

So the emergence of honeypot SOCKS servers threatens to undermine their
whole business which is why they have come up with Hon.eypot Hun.ter.

Hon.eypot Hun.ter
Hon.eypot Hun.ter is a tool for testing a list of SOCKS servers.
It reads a text file containing a list of IP & ports and outputs them to
three files (good, bad & honeypot) depending on the results of the test.

There are plenty of such tools already available. The unique feature is the
ability to identify honeypots.

Hon.eypot Hun.ter works by listening on port 25 where it runs its own
emulated SMTP service.
It then connects to the target SOCKS server and issues a version 4 CONNECT
request back to its own IP on port 25.
If the connection works then it attempts to send an email to its own SMTP

There are four types of Honeypot SOCKS servers based on the level of
deception they provide.

Type 1 - Returns connection authorised and then records input without
Hon.eypot Hun.ter marks this as bad.

Type 2 - Returns connection authorised and then relays to a honeypot SMTP
Hon.eypot Hun.ter marks this as bad, as it does not detect a connection
back to its own port 25.

Type 3 - Returns connection authorised and connects to the target SMTP
server. This enables the honeypot to grab the correct SMTP banner and other
data to send back to the client. The honeypot does not allow the DATA
command to be relayed and instead fakes a positive response. This is the
best level of deception possible without allowing emails to be sent.
Hon.eypot Hun.ter marks this as a honeypot, as its own SMTP server does not
receive all the data it is expecting.

Type 4 - Allows full SOCKS functionality but logs all traffic. No easy way
to detect this, but open to abuse.
Hon.eypot Hun.ter marks this as good.

Hon.eypot Hun.ter seems to be designed to detect the Type 3 honeypots that
some people have deployed.

The following is a transcript of Hon.eypot Hun.ter's test against a working
SOCKS server:

Notes: The names and mail contents are random data to avoid the honeypot
identifying Hon.eypot Hun.ter.

Sent to Proxy

[04 01 00 19 C0 A8 02 0A 00] - SOCKS 4 Connect:

HELO qgyrm.edu
MAIL FROM:<htdvqybem@qgyrm.edu>
RCPT TO:<uecyiqiyf@qgyrm.edu>
From: <htdvqybem@qgyrm.edu>

Message-Id: <155901c3d911$7fe1ed10$5d7e0241@htdvqybem
Date: Mon, 12 Jan 2004 07:39:27 -0600
Subject: lpqyc th ruv
To: <uecyiqiyf@qgyrm.edu>

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

af ru v kvfl omkgkj nsscb v bb t uynecw rbmv wn xitcpppu l q ttduwxhe eb
r bqkahki
kb qfci

Reply from Proxy

[00 5A 0F 39 C0 A8 02 09] - SOCKS 4 Request Granted

220 qgyrm.edu (IMail 8.00 153-1) NT-ESMTP Server X1
250 hello qgyrm.edu
250 ok
250 ok its for <uecyiqiyf@qgyrm.edu>

354 ok, send it; end with <CRLF>.<CRLF>
250 message queued [c6e3489b79ee04eb9e74a86da9de5a9b]
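As an added example (not code from this post, nor from Send Safe or KeyFocus), the following decodes the SOCKS 4 request and reply bytes shown in the transcript above and applies the honeypot-side check that follows from the loop-back test described: a CONNECT whose destination is the connecting client's own address on port 25. The client address 192.168.2.10 is an assumption, taken from the destination field of the request in the transcript.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Tuple

# Constructed from the transcript above: the CONNECT the tool sends through the
# proxy (VN=4, CD=1, port 25, 192.168.2.10, empty USERID) and the proxy's reply.
PROBE_REQUEST = bytes.fromhex("04 01 00 19 C0 A8 02 0A 00")
PROBE_REPLY = bytes.fromhex("00 5A 0F 39 C0 A8 02 09")

SOCKS4_CONNECT = 1
SOCKS4_GRANTED = 0x5A


@dataclass
class Socks4Request:
    command: int
    dst_port: int
    dst_ip: str
    user_id: bytes


def parse_socks4_request(data: bytes) -> Socks4Request:
    """Decode a SOCKS4 request: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID... NUL."""
    if len(data) < 9 or data[0] != 4:
        raise ValueError("not a SOCKS4 request")
    command, port = struct.unpack("!BH", data[1:4])
    ip = str(ipaddress.IPv4Address(data[4:8]))
    nul = data.find(b"\x00", 8)
    if nul < 0:
        raise ValueError("USERID is not NUL-terminated")
    return Socks4Request(command, port, ip, data[8:nul])


def parse_socks4_reply(data: bytes) -> Tuple[bool, int, str]:
    """Decode a SOCKS4 reply: VN(1, always 0) CD(1) DSTPORT(2) DSTIP(4)."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("not a SOCKS4 reply")
    code, port = struct.unpack("!BH", data[1:4])
    return code == SOCKS4_GRANTED, port, str(ipaddress.IPv4Address(data[4:8]))


def looks_like_self_connect_probe(req: Socks4Request, client_ip: str) -> bool:
    """Honeypot-side heuristic: a CONNECT whose target is the connecting
    client's own address on port 25 matches the loop-back test described above.
    client_ip is the peer address of the TCP connection carrying the request."""
    return (req.command == SOCKS4_CONNECT and req.dst_port == 25
            and req.dst_ip == client_ip)
```

A SOCKS honeypot can log this condition separately from ordinary relay attempts, which is useful for spotting which clients are probing rather than spamming.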

Copyright 2010, SecurityFocus