Honeyports, powershell script
If its happen that you like to run your honeypot on a Windows system then Honeyport is something worth to try.
Honeyports is a powershell script that will Creates a job that listens on TCP Ports specified and when a connection is established, it can either simply log or add a local firewall rule to block the host from further connections.
The script is written by John Hoyt, Carlos Perez and Greg Foss and it’s available on https://github.com/Pwdrkeg/honeyport/
Once you download the script you need to run it with an administrator privileges ,in this example I am going to configure it to listen on port 2222
.\honeyport.ps1 -ports 2222 |
One of the greatest features of the honeyports powershell script that it will log to the Windows events ,the events would be logged under the name of honeyports
Now let’s try to connect to port 2222 and see what’s will happen :
From another machine I will netcat to port 2222
nc 192.168.8.104 2222 |
And I will run the following powershell command
Get-EventLog honeyport |
Index Time EntryType Source InstanceID Message ----- ---- --------- ------ ---------- ------- 108216 Apr 22 14:48 Information BlueKit 1002 192.168.8.105 has probed the HoneyPort on port ... 108215 Apr 22 14:47 Information BlueKit 1001 HoneyPort has started listening for connections...
|
Now let’s explore one more thing , honeyports can block the IP address that established a connection to the specified port by adding a new rule to the Windows Firewall.
.\honeyport.ps1 -ports 4444 -block $true |
And when we check the eventlog
Index Time EntryType Source InstanceID Message ----- ---- --------- ------ ---------- ------- 115644 Apr 22 16:36 Information BlueKit 1002 192.168.8.105 has been blocked on port 4444 115643 Apr 22 16:36 Information BlueKit 1002 192.168.8.105 has probed the HoneyPort on port ... |
The script will block only the tcp protocol from that IP address. If you would like to block all the traffic you need to do a small modification to the script.
On line 133 you have to change
$rule.Protocol = 6 |
To
$rule.Protocol = all |
And after your done with the honeyports you should stop the job by running
stop-job -name HoneyPort
|
And don’t forget to unblock the IP addresses that have been blocked by the script by running
Remove-NetFirewallRule -DisplayName "Block scanner" |
Comments