
Honey Pot Slides

The document discusses the development of a web-based honeypot system to capture information about attackers. It describes four main concepts for deploying honeypots: data control, data capture, data analysis, and data collection. Two approaches are presented for designing honeypots: converting an existing web app or adding functionality to an existing low-interaction honeypot. Logging code is inserted to capture server variables like IP addresses and store them in an SQL database. An analysis tool called HIHAT provides an overview and detailed views of captured attacks to help identify patterns. Proper configuration includes securing the operating system, limiting connections and bandwidth, and using a honeywall.

Uploaded by

PriyankShah123
Copyright
© Attribution Non-Commercial (BY-NC)

WEB BASED HONEYPOT DECOYS
INTRODUCTION
HONEYPOT - a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems.
HONEYNET - a network containing honeypots
LOW INTERACTION - the functionality or vulnerability it provides is only emulated
HIGH INTERACTION - provides real functionality to the outside world and does not only perform emulation
4 MAIN CONCEPTS – DEPLOYING HONEYPOT
DATA CONTROL - mitigate the risk
DATA CAPTURE - gather information about the attacker, without the attacker’s knowledge
DATA ANALYSIS - converts the collected data into sensible information
DATA COLLECTION - transfer and store all data captured in a central location
DEVELOPMENT OF HONEYNET CREATOR
REQUIREMENT
System functionality and performance should be the same as the identical web application would offer as a non-honeypot system
Comprehensive data capture – stored externally on a separate and secure system
Prevent attacker from using the honeypot
Provide different means to support the process of analyzing the collected data
Should be extensible so that it easily adapts to new attack patterns and exploits
DESIGN APPROACH
Design approach – 2 ways
To start off with an existing web application and convert it into a honeypot
To take an existing low-interaction honeypot for a specific web application and add any kind of functionality separately
WORKING
In order to log the information an attacker enters into a web application, the contents of four crucial arrays provided by PHP are stored:
1. $_SERVER
2. $_GET
3. $_POST
4. $_COOKIE
WORKING (Cont…)
$_SERVER
HTTP_USER_AGENT - a string denoting the user agent which was used to access the page
HTTP_REFERER - describes the address of the page
REMOTE_ADDR - the IP address of the current user requesting a page
WORKING (Cont..)
REMOTE_PORT - the port being used on the user’s machine to communicate with the web server
HTTP_ACCEPT - refers to the HTTP Accept request-header
HTTP_ACCEPT_LANGUAGE - similar to Accept, restricts the set of natural languages as a response to the request
REQUEST_TIME - keeps track of every single request
WORKING (Cont..)
$_GET - contains all data that is transferred to the server via HTTP GET request
$_POST - contains all data that is transferred to the server via HTTP POST request
$_COOKIE - contains all data that is transferred to the server via HTTP cookies
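The capture of these four arrays, together with the serialize-and-store step that the logging code performs, written out as an added example (it is not code from the slides or from the Honeypot-Creator). The hp_ function names and the hp_log table and its columns are assumptions, and an in-memory SQLite database stands in for the external SQL database so the block runs offline.

```php
<?php
// Added example, not the Honeypot-Creator's code. Table and column names are assumptions.
const HP_SERVER_KEYS = ['HTTP_USER_AGENT', 'HTTP_REFERER', 'REMOTE_ADDR', 'REMOTE_PORT',
                        'HTTP_ACCEPT', 'HTTP_ACCEPT_LANGUAGE', 'REQUEST_TIME'];

// Build one log record from the four arrays named on the slides.
function hp_build_record(array $server, array $get, array $post, array $cookie): array
{
    $picked = [];
    foreach (HP_SERVER_KEYS as $key) {
        $picked[$key] = $server[$key] ?? null;   // header not sent -> null
    }
    return [
        'remote_addr'  => (string) ($picked['REMOTE_ADDR'] ?? ''),
        'request_time' => (int) ($picked['REQUEST_TIME'] ?? time()),
        // Values are attacker-supplied: the analysis side should read this back with
        // unserialize($s, ['allowed_classes' => false]).
        'payload'      => serialize(['server' => $picked, 'get' => $get,
                                     'post' => $post, 'cookie' => $cookie]),
    ];
}

// Logged values are hostile input, so they are bound as parameters, never concatenated.
function hp_store(PDO $db, array $record): void
{
    $db->prepare('INSERT INTO hp_log (remote_addr, request_time, payload)
                  VALUES (:remote_addr, :request_time, :payload)')->execute($record);
}

// A logging failure must never change what the visitor sees, so errors are swallowed.
function hp_log_request(PDO $db, array $server, array $get, array $post, array $cookie): bool
{
    try {
        hp_store($db, hp_build_record($server, $get, $post, $cookie));
        return true;
    } catch (Throwable $e) {
        return false;
    }
}

// Demo on a constructed request with an in-memory SQLite database. In a deployment the DSN
// points at the external log server and the arguments are $_SERVER, $_GET, $_POST, $_COOKIE.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE hp_log (remote_addr TEXT, request_time INTEGER, payload BLOB)');
$server = ['REMOTE_ADDR' => '192.0.2.10', 'REMOTE_PORT' => '51544',
           'REQUEST_TIME' => 1700000000, 'HTTP_USER_AGENT' => 'ExampleScanner/1.0'];
hp_log_request($db, $server, ['id' => "1' OR '1'='1"], [], ['sess' => 'abc']);
$row = $db->query('SELECT remote_addr, payload FROM hp_log')->fetch(PDO::FETCH_ASSOC);
$data = unserialize($row['payload'], ['allowed_classes' => false]);
echo $row['remote_addr'], ' ', $data['get']['id'], PHP_EOL;
```

The database account used by the honeypot should hold INSERT rights only, so that a compromised decoy cannot read or alter what has already been logged.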
LOGGING CODE
A specially crafted logging code is inserted into each relevant file of the web application – the following steps are performed:
makes a list of each source code file the web application comprises
serializes the data and stores it in an external SQL database
recursively crawls the directory of the web application and creates a list of all PHP and HTML files
the Honeypot-Creator performs all insertions at the beginning
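The crawl-and-insert steps above as an added example, not the Honeypot-Creator's own code. The hp_ function names and the include path /opt/hp/hp_log.php are hypothetical. The example goes one step beyond the slides by skipping files where an insertion at the beginning would break the application.

```php
<?php
// Added example, not the Honeypot-Creator's code. Requires PHP 8 (str_starts_with).
const HP_SNIPPET = "<?php require_once '/opt/hp/hp_log.php'; ?>"; // hypothetical path

// Recursively crawl the application directory and list all PHP and HTML files.
function hp_list_targets(string $root): array
{
    $files = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($walker as $f) {
        $ext = strtolower($f->getExtension());
        if ($f->isFile() && !$f->isLink() && in_array($ext, ['php', 'html'], true)) {
            $files[] = $f->getPathname();
        }
    }
    sort($files);
    return $files;
}

// declare(strict_types=1) and namespace must be a file's first statement, so a PHP
// block prepended to such a file would turn every request for it into a fatal error.
function hp_prepend_is_safe(string $src): bool
{
    foreach (token_get_all($src) as $tok) {
        $id = is_array($tok) ? $tok[0] : null;
        if (in_array($id, [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return !in_array($id, [T_DECLARE, T_NAMESPACE], true);
    }
    return true;
}

// Insert the logging include at the very beginning of one file and report what happened.
function hp_instrument(string $path): string
{
    $src = file_get_contents($path);
    if ($src === false) return 'unreadable';
    if (str_starts_with($src, HP_SNIPPET)) return 'already instrumented';
    if (!hp_prepend_is_safe($src)) return 'skipped';
    return file_put_contents($path, HP_SNIPPET . $src) === false ? 'failed' : 'instrumented';
}

// Demo on a constructed application tree in the temp directory.
$root = sys_get_temp_dir() . '/hp_demo_' . getmypid();
mkdir("$root/lib", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'hi';");
file_put_contents("$root/lib/Db.php", "<?php\ndeclare(strict_types=1);\nnamespace App;");
foreach (hp_list_targets($root) as $p) echo "$p => ", hp_instrument($p), PHP_EOL;
```

Files reported as skipped need the include placed by hand after their declare or namespace line. An .html file should only be instrumented when the web server passes it to PHP, since otherwise the inserted line is delivered to the visitor in the page source and gives the decoy away.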
ANALYSIS TOOL
To support the process of extracting the important information out of the data
Supports the analysis of data acquired from all different kinds of web-based honeypots
Two main views - Overview mode and Detailed viewing mode
Tool - filters for attack patterns
     - provides high expandability
     - should comprise an automatic download function
ANALYSIS TOOL
HIHAT - High Interaction Honeypot Analysis Tool
Overview about the most recent entries.
Actual number of entries per access varies and depends on the implementation of the web application
To avoid illicit access to the analysis tool, a password is requested for the usage of HIHAT
STRUCTURAL OVERVIEW
[Diagram: Honeypot I, Honeypot II, Honeypot III, Honeypot IV, Honeypot V; SQL db; Log server; Analysis Tool]
DATA CONTROL
To ensure the system is running within safe boundaries and does not cause harm to other non-honeypot systems
The following issues have to be considered:
Secure base operating system
Connection number limitation
Bandwidth limitation
Honeywall
TRANSPARENT LINKING
[Diagram: start, Index.php, LEVEL1.php, LEVEL2.php, LEVEL3.php, LEVEL4.php]
HONEYNET SETUP
A proper configuration and setup of the system can be accomplished by performing these steps:
Operating system
  High customizability
  Good security support
  Minimalistic system
  Detailed documentation
Virtual machine setup
HONEYNET SETUP (Cont..)
Honeywall setup
Decoy selection
Log server setup
Honeypot - Creator
Transparent links
Setup of HIHAT
CONCLUSION
