
BANGALORE INSTITUTE OF TECHNOLOGY

K. R. Road, V. V. Pura, Bangalore – 560004

DEPARTMENT OF TELECOMMUNICATION ENGINEERING

CRYPTOGRAPHY AND NETWORK SECURITY (17TE71)

ASSIGNMENT-3

• Title: Set up a honeypot and monitor the honeypot on the network using tcpdump

• Group Members:

1. DISHA SINGH (1BI17TE010)

2. NITHYASHREE JAGADEESHA KJ (1BI17TE024)

3. PRASHANT MOHAN (1BI17TE027)


INTRODUCTION:

• There is an old idiom that goes "more flies are caught with a drop of honey than with a
bowl of vinegar", and it suits this topic perfectly, since honeypots are precisely about
attracting as many requests as possible in order to analyze their intentions.

• A honeypot is an intrusion detection technique used to study hacker movement and
intended to help build better system defenses against later attacks. It is usually made
up of a virtual machine that sits on a network or on a single client.

• A honeypot is a computer system on the Internet that is expressly set up to attract and
"trap" people who attempt to gain access to other people's computer systems.

• This includes hackers, crackers, and script kiddies.

• A honeypot is a security resource whose value lies in being probed, attacked, or
compromised. They can be used, for example, to attack a web domain on a massive scale
(known as a denial-of-service or DoS attack), or to keep this troop occupied in its spare
time by having it snoop on everything that crosses its path.

• They can provide early warning about new attack and utilization trends, and they allow
in-depth examination of unwanted users during and after their use of the honeypot.

• Many people have their own definition of what a honeypot is, or what it should
accomplish. Some feel it is a solution to deceive attackers. Others feel it is a technology
used to detect attacks.

• Others still feel honeypots are real computers designed to be hacked into and learned
from.

BLOCK DIAGRAM:

IMPLEMENTATION:

• We develop and test our honeypot using two Linux systems. The client system (Ubuntu
18.04) is used to run nmap and tcpdump. The server (Yocto, embedded Linux) is used to
run our Python 3 honeypot.py script as root (root is needed to bind a port below 1024,
such as telnet's port 23). Note that two systems aren't actually required, and the
honeypot could be run on almost any machine where Python is installed.

• Tcpdump is a command-line program that displays network activity.

• Nmap is a free and open-source utility for network discovery and security auditing.
It's a great tool for probing networks and discovering information (e.g., the open
ports on any networked system).

• Both nmap and tcpdump can be installed on Ubuntu using the apt package manager:

$ sudo apt install tcpdump

$ sudo apt install nmap

• The socket module / interface depends on calls to the underlying operating system, so
your use of the provided example may work differently (or not at all) on a particular
system.

• The Python socket interface is modeled after the Unix socket API. When working with
Python sockets, you may want to refer to the Linux man pages for the various definitions:

$ man socket

DESCRIPTION

socket() creates an endpoint for communication and returns a file descriptor that refers
to that endpoint. The file descriptor returned by a successful call will be the
lowest-numbered file descriptor not currently open for the process.

• Let's start by verifying that nmap and tcpdump are working properly on our client
system by confirming that an FTP server is running on our embedded Linux server. Shell 1
will be used for nmap and shell 2 for tcpdump. Note that we're just using FTP (TCP port
21) as an example here, on the assumption that this is a service commonly run on a
server. In our honeypot example below, we'll switch to telnet (TCP port 23). Other
popular ports to consider are 80 for HTTP and 22 for SSH, and you can take a look at
your /etc/services file for a comprehensive list of well-known ports.

CLIENT SHELL 1

$ nmap 192.168.3.200 -p 21

Starting Nmap 7.60 (https://nmap.org) at 2018-12-01 12:01 EST

Nmap scan report for p1010 (192.168.3.200)

Host is up (0.00034s latency).

PORT STATE SERVICE

21/tcp open ftp

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds


CLIENT SHELL 2

$ sudo tcpdump -Xvn -i enp2s0 host 192.168.3.200 and port 21

...

<packet dump>

...

• You should see packets exchanged in shell 2 when running nmap in shell 1. It's a good
idea at this point to play around with different nmap options (e.g., -sV to determine the
service version) and also to try this with the FTP server not running.
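As an added example (not part of the original assignment), here is a small Python script that turns the tcpdump output described above into something easier to monitor. It parses the one-line-per-packet format that `tcpdump -n` prints for TCP (run without -v/-X), keeps only bare SYNs aimed at the honeypot host, and lists which ports each source tried, which is how a port scan such as the nmap run above shows up in the capture. The capture lines are constructed for this example, not a real dump; they reuse the assignment's IP addresses, and the function names are my own.

```python
import re
from collections import defaultdict

# Matches one line of `tcpdump -n` output for TCP (no -v/-X, so one line per packet).
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (not real traffic): a scan from .36 touching four ports
# on the honeypot host, and a single telnet connection attempt from .77.
SAMPLE_CAPTURE = """\
12:01:05.100001 IP 192.168.3.36.45678 > 192.168.3.200.21: Flags [S], seq 1000, win 29200, options [mss 1460], length 0
12:01:05.100200 IP 192.168.3.200.21 > 192.168.3.36.45678: Flags [S.], seq 2000, ack 1001, win 28960, options [mss 1460], length 0
12:01:05.100300 IP 192.168.3.36.45678 > 192.168.3.200.21: Flags [.], ack 1, win 229, length 0
12:01:05.100400 IP 192.168.3.36.45678 > 192.168.3.200.21: Flags [R.], seq 1, ack 1, win 229, length 0
12:01:09.000001 IP 192.168.3.36.45690 > 192.168.3.200.23: Flags [S], seq 3000, win 29200, length 0
12:01:09.000002 IP 192.168.3.36.45691 > 192.168.3.200.22: Flags [S], seq 3001, win 29200, length 0
12:01:09.000003 IP 192.168.3.36.45692 > 192.168.3.200.80: Flags [S], seq 3002, win 29200, length 0
12:01:09.000004 IP 192.168.3.200.22 > 192.168.3.36.45691: Flags [R.], seq 0, ack 3002, win 0, length 0
12:01:20.500000 IP 192.168.3.77.51000 > 192.168.3.200.23: Flags [S], seq 4000, win 64240, length 0
"""


def parse_line(line):
    """Return the fields of one tcpdump line, or None for lines we don't understand
    (ARP, truncated lines, the 'listening on ...' header, and so on)."""
    m = TCPDUMP_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def syn_attempts(capture, honeypot_ip):
    """Map each source address to the sorted list of honeypot ports it sent a bare
    SYN to. A bare SYN (Flags [S], not the [S.] SYN-ACK) is a new connection attempt
    towards the honeypot; replies sent by the honeypot itself are ignored."""
    attempts = defaultdict(set)
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["dst"] == honeypot_ip and pkt["flags"] == "S":
            attempts[pkt["src"]].add(pkt["dport"])
    return {src: sorted(ports) for src, ports in attempts.items()}


def flag_scanners(attempts, min_ports=3):
    """Sources that probed at least min_ports distinct ports look like a port scan
    rather than a single mistaken connection."""
    return sorted((src, ports) for src, ports in attempts.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    hits = syn_attempts(SAMPLE_CAPTURE, "192.168.3.200")
    for src, ports in sorted(hits.items()):
        print("%s -> ports %s" % (src, ports))
    print("likely scanners:", flag_scanners(hits))
```

To use it on a live capture, pipe `sudo tcpdump -n -l -i enp2s0 host 192.168.3.200` into the script and feed the lines to `syn_attempts`; the `-l` flag makes tcpdump line-buffer its output so the parser sees packets as they arrive.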

FLOWCHART:

PROGRAM:

    #!/usr/bin/env python3
    import sys
    import argparse
    from socket import socket, AF_INET, SOCK_STREAM

    VERSION = '0.1a'

    # fake login banner sent to anyone who connects
    welcome = b"Ubuntu 18.04.1 LTS\nserver login: "


    def send_email(src_address):
        """ Todo: send an email if we're scanned / probed on this port """
        pass


    def honeypot(address, port=23):
        """ create a single threaded telnet listen port """
        ski = socket(AF_INET, SOCK_STREAM)
        try:
            ski.bind((address, port))
            ski.listen()
            conn, addr = ski.accept()
            print('honeypot has been visited by ' + addr[0])
            send_email(addr[0])
            conn.sendall(welcome)
            while True:
                data = conn.recv(1024)
                # stop when the visitor hits enter, or when they hang up
                # (recv() returns b'' once the peer has closed the connection)
                if not data or data == b'\r\n':
                    break
            conn.close()
        except OSError as err:
            # e.g. "Address already in use" while the port is still in TIME_WAIT
            print('honeypot error: ' + str(err), file=sys.stderr)
        finally:
            ski.close()
        sys.exit()


    if __name__ == '__main__':
        parser = argparse.ArgumentParser(description='honeypot prototype',
                                         epilog='Version: ' + str(VERSION))
        parser.add_argument('-a', '--address', help='server ip address to use',
                            action='store', required=True)
        args = parser.parse_args()
        honeypot(args.address)

RESULT:

• You should see the honeypot report the activity as shown below:

# ./honeypot.py -a 192.168.3.200

honeypot has been visited by 192.168.3.36

• You can also try your honeypot using the telnet client. It should close the port after
the user hits the enter key (return).

$ telnet 192.168.3.200

Trying 192.168.3.200...

Connected to 192.168.3.200.

Escape character is '^]'.

Ubuntu 18.04.1 LTS

server login:

• Note that it can take up to a minute or two for the port to close after running these
tests (the finished connection lingers in the TCP TIME_WAIT state), so subsequent runs of
honeypot.py may fail to bind and exit immediately until the port closes / times out.
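Two things a practitioner runs into with the prototype above are that it exits after the first visitor and that a quick restart fails while the old connection sits in TIME_WAIT. The following is an added example, written for this page and not the assignment's own code, of a honeypot that keeps accepting visitors, records each visit with a timestamp, the source address and whatever the visitor typed at the fake prompt, and sets SO_REUSEADDR so it can be restarted immediately. It also stops reading when the peer hangs up (recv() returning b''), so a visitor who disconnects without pressing enter does not leave the loop spinning. local_demo() runs one visit against 127.0.0.1 on a free port so the whole thing can be checked on a single machine; the class and function names are my own.

```python
import datetime
import socket
import threading

# Fake banner, same idea as the assignment's script: pretend to be a telnet login prompt.
BANNER = b"Ubuntu 18.04.1 LTS\nserver login: "


def handle_visitor(conn, addr, log):
    """Send the banner, read until the visitor hits enter or disconnects, and append
    a record of the visit to `log`. recv() returning b'' means the peer closed the
    connection, so we stop instead of looping forever on empty reads."""
    with conn:
        conn.settimeout(5.0)  # don't let a silent visitor hold the honeypot open
        conn.sendall(BANNER)
        received = b""
        try:
            while b"\n" not in received and len(received) < 1024:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                received += chunk
        except socket.timeout:
            pass
    entry = {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src": addr[0],
        "sport": addr[1],
        "input": received.strip().decode("utf-8", "replace"),
    }
    log.append(entry)
    return entry


class Honeypot:
    """Single-threaded listener that keeps accepting visitors instead of exiting
    after the first one. Binding happens in the constructor so the chosen port
    (port 0 = any free port, handy for local testing) is known before serving."""

    def __init__(self, address="0.0.0.0", port=23):
        self.log = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # SO_REUSEADDR: allow an immediate restart while the previous connection
        # is still in TIME_WAIT (the "minute or two" delay noted above).
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((address, port))
        self.sock.listen()
        self.port = self.sock.getsockname()[1]

    def serve(self, max_visits=None):
        """Accept connections one at a time; stop after max_visits if given."""
        served = 0
        try:
            while max_visits is None or served < max_visits:
                conn, addr = self.sock.accept()
                print("honeypot has been visited by %s:%d" % addr)
                handle_visitor(conn, addr, self.log)
                served += 1
        finally:
            self.sock.close()
        return self.log


def probe(host, port, line=b"root\r\n"):
    """Client side used for a local check: connect, read the banner, type one line."""
    with socket.create_connection((host, port), timeout=5.0) as c:
        banner = b""
        while not banner.endswith(b"login: "):
            chunk = c.recv(1024)
            if not chunk:
                break
            banner += chunk
        c.sendall(line)
    return banner


def local_demo():
    """Run the honeypot on 127.0.0.1 (any free port), visit it once, and return
    the banner the visitor saw together with the recorded log entry."""
    hp = Honeypot("127.0.0.1", 0)
    t = threading.Thread(target=hp.serve, kwargs={"max_visits": 1}, daemon=True)
    t.start()
    banner = probe("127.0.0.1", hp.port, b"admin\r\n")
    t.join(10.0)
    return {"banner": banner, "entry": hp.log[0]}


if __name__ == "__main__":
    print(local_demo())
```

For a real deployment you would construct `Honeypot("192.168.3.200", 23)` as root and call `serve()` with no limit; the `log` list is where an alerting hook (the assignment's send_email placeholder) would read from.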

APPLICATIONS:

• Beyond collecting data about scans and targets, a simple honeypot can also be used to
monitor outbound traffic. For example, a network administrator may collect data about
typical office network traffic (with appropriate permissions). This way, they can set a
baseline for normal usage.

• If there's ever a spike in unusual traffic, the administrator can jump in and see what's
going on. It might be the start of a computer virus or worm, or maybe something else.

ADVANTAGES:

• Small data sets of high value.

• Easier and cheaper to analyze the data.

• Designed to capture anything thrown at them, including tools or tactics never used
before.

• Require minimal resources.

• Can collect in-depth information.

• Conceptually very simple.

DISADVANTAGES:

• Can only track and capture activity that directly interacts with them.

• All security technologies carry risk.

• Building, configuring, deploying and maintaining a high-interaction honeypot is
time-consuming.

• It is difficult to analyze a compromised honeypot.

• A high-interaction honeypot introduces a high level of risk.

• Low-interaction honeypots are easily detectable by skilled attackers.

CONCLUSION:

• Honeypots are an extremely effective tool for observing hackers' movements as well as
for preparing the system for future attacks.

• Although the downside to using honeypots is the amount of resources used, this is
usually countered by implementing a central analysis module, but that is still a security
risk if the central module goes down.

• Keep in mind that a honeypot is basically a fake network service, and they're easy to
write. The other side of this story is to remind yourself not to blindly trust network
services, since providers and hackers can replace or modify them with a compromised
implementation for the purpose of stealing data.

Virtual Lab
Experiment: Breaking the Shift Cipher

OBJECTIVE:

To understand that secure encryption is not possible with a small key space. This is more
popularly known as the principle of large key space.

We carry out the brute-force attack as follows: after trying shift values from 0 to 7,
the plaintext was obtained.

Conclusion: The larger the key space, the more secure the encryption.

QUIZ
• Encrypt the following plain text using key k = 7.

Plain Text : Lord Rama was a good king.

• Given a plain text and its corresponding cipher text, find out the key used for the
encryption of the plain text.

Plain Text : abcdefghijklmnopqrstuvwxyz
Cipher Text : tuvwxyzabcdefghijklmnopqrs

• How many different keys are possible with an n-letter alphabet?

Keys = 2^n keys

• Given a cipher text, find out the corresponding plain text using a brute-force attack.

Cipher text : HAAHJR HA KHDU
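The brute-force attack the lab describes, written out as an added Python example that is not part of the lab handout. It implements the shift cipher over the 26-letter English alphabet (letters keep their case, everything else passes through), recovers the key from a known plaintext/ciphertext pair the way the second quiz question asks, and tries every one of the 26 possible shifts against a ciphertext, which is all the brute force needs to do because the shift cipher has only one key per possible shift. Run as a script it prints the candidate table for the quiz's sample ciphertext; the function names are my own.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def shift_encrypt(plaintext, key, alphabet=ALPHABET):
    """Shift every letter `key` places forward; case is preserved and characters
    outside the alphabet (spaces, punctuation) are copied unchanged."""
    n = len(alphabet)
    out = []
    for ch in plaintext:
        low = ch.lower()
        if low in alphabet:
            new = alphabet[(alphabet.index(low) + key) % n]
            out.append(new.upper() if ch.isupper() else new)
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, key, alphabet=ALPHABET):
    """Decryption is encryption with the negated key (Python's % keeps it positive)."""
    return shift_encrypt(ciphertext, -key, alphabet)


def recover_key(plaintext, ciphertext, alphabet=ALPHABET):
    """Known-plaintext attack: the key is the offset between any matching letter pair."""
    for p, c in zip(plaintext, ciphertext):
        if p.lower() in alphabet and c.lower() in alphabet:
            return (alphabet.index(c.lower()) - alphabet.index(p.lower())) % len(alphabet)
    raise ValueError("no letters to compare")


def brute_force(ciphertext, alphabet=ALPHABET):
    """Try every shift. The key space has only len(alphabet) entries, so the whole
    attack is a handful of decryptions; the analyst picks the readable candidate."""
    return [(k, shift_decrypt(ciphertext, k, alphabet)) for k in range(len(alphabet))]


def brute_force_with_crib(ciphertext, crib, alphabet=ALPHABET):
    """Automate the 'pick the readable one' step when a word the plaintext is
    expected to contain (a crib) is known; returns (key, plaintext) or None."""
    for k, candidate in brute_force(ciphertext, alphabet):
        if crib.lower() in candidate.lower():
            return k, candidate
    return None


if __name__ == "__main__":
    # Quiz inputs from the lab sheet
    print(shift_encrypt("Lord Rama was a good king.", 7))
    print("recovered key:", recover_key("abcdefghijklmnopqrstuvwxyz",
                                        "tuvwxyzabcdefghijklmnopqrs"))
    for k, candidate in brute_force("HAAHJR HA KHDU"):
        print("%2d: %s" % (k, candidate))
```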
