DIPLOMA IN COMPUTER SCIENCE (CS110)

ITT320 - INTRODUCTION TO COMPUTER

SECURITY PROJECT PROPOSAL

PROJECT: PENETRATION TESTING VIA HONEYPOT

PREPARE BY:
NAME STUDENT ID
HAZIM BIN MD. YUSOF 2020620368

MUHAMMAD ZHARIF AZFAR BIN NORHASI 2020881388

MUHAMMAD KHAIRUL AKMAL BIN MAZLAN 2020860698

LECTURER’S NAME:
DR. NOR MASRI BIN SAHRI
Table Of Content

Team Member’s Profile 3

Introduction 4

Objectives 5

Honeypot Selection 6

Honeyd Advantages 7

Impact on the network 7

Scope of Penetration Testing 8

Risk involves 9

Conclusion 10

2
Team Member’s Profile

Profile Picture

Name : Hazim Bin Md. Yusof

Student ID : 2020620368

Name : Muhammad Zharif Azfar Bin

Norhasi

Student ID : 2020881388

Name : Muhammad Khairul Akmal Bin

Mazlan

Student ID : 2020860698

3
Introduction

For this project, our group chose to do the penetration testing via honeypot. A penetration
test, commonly referred to as a pen test, simulates a cyberattack on your computer system
to look for weaknesses that could be exploited. Penetration testing is frequently used to
supplement a web application firewall in the context of web application security (WAF).

Pen testing involves attempting to get into any number of application systems such as
frontend/backend servers and application protocol interfaces (APIs) in order to find security
holes like unsanitized inputs that are vulnerable to code injection attacks.

One description of a honeypot originates from the field of espionage, where spies in the
Mata Hari tradition who utilise a love relationship as a cover for stealing information are
referred to as "laying a honey trap" or "honeypot" operators. A honey trap is frequently used
to lure an enemy spy, who is then coerced into divulging all of his or her knowledge.

A cyber honeypot functions similarly in terms of computer security, setting a trap for
hackers. It serves as a sacrifice computer system, acting as a decoy to draw cyberattacks. It
acts as a phishing site for hackers and takes advantage of their infiltration efforts to learn
more about online criminals and how they operate or to divert them from other targets.

The honeypot fools hackers into thinking it's a legitimate target by having the appearance
of a real computer system, complete with apps and data. A honeypot could, for instance,
imitate a business's customer billing system, which is frequently targeted by thieves looking
for credit card details. Once the hackers are inside, it is possible to trace them and analyse
their activity to find out how to safeguard the real network.

Attackers are drawn to honeypots because they are purposefully designed with security
flaws. For instance, a honeypot may have weak passwords or ports that respond to port
scans. To lure attackers into the honeypot environment rather than the more secure live
network, vulnerable ports may be left open.

In contrast to a firewall or antivirus, a honeypot isn't designed to solve a particular issue.

Instead, it's a tool for information that can assist you in understanding current hazards to
your company and recognising the advent of fresh threats. Security initiatives can be
selected and concentrated with the help of the intelligence gathered from a honeypot.

4
Objectives
A penetration tester's main goal is to find security flaws in a network, system, or piece of
software. Once it is made evident, the vulnerabilities may be closed off or the weaknesses
can be lessened before adversaries learn about them and use them against you.

In order to prevent vital systems from being attacked, gain early warning of an ongoing
attack, and learn more about the attacker and their tactics, honeypots' major goals are to
divert harmful traffic away from crucial systems.

● To learn more about purpose of penetration testing

● To demonstrate the implementation of Honeypot in the network environment
● To discover and understand the various weaknesses that may be in your
environment
● To evaluate the security of an IT infrastructure by safely trying to exploit
vulnerabilities

5
Honeypot Selection

The honeypot that we choose is Honeyd. Niels Provos' open source Honeyd programme
enables users to set up and manage many virtual hosts on a computer network. The user
can simulate an endless number of computer network setups by configuring these virtual
hosts to impersonate various kinds of servers. The use of Honeyd is mostly restricted to the
realm of computer security.

Honeyd's capacity to serve as a honeypot gives rise to its name. On a network, only
legitimate servers should be used for all regular communication to and from. As a result, a
network administrator using Honeyd can check his or her logs to determine if any traffic is
travelling to the virtual hosts that Honeyd has created. Any traffic going to these virtual
servers should be viewed with extreme suspicion. The network administrator can then take
preventative action, either by blocking the suspicious IP address or keeping a closer eye on
the network for suspicious activity.

Two purposes are the main uses for honeyd. Potential hackers can be sidetracked by
Honeyd by using its capacity to simultaneously imitate a large number of distinct network
hosts (up to 65536 hosts). A hacker may believe that a network has hundreds of servers
even when it only has three real servers and one server that is running Honeyd. The hacker
will then need to conduct extra investigation (perhaps using social engineering) to ascertain
whether servers are authentic, or else they risk being caught in a honeypot. The hacker will
either be stopped or maybe even caught in either case.

6
Honeyd Advantages

● Recognise intrusions and give hackers a passive fingerprint

● Simulate network topologies
● Simulate multiple virtual hosts simultaneously
● Set up real FTP and HTTP servers, and even UNIX applications under virtual IP
addresses
● Simulate numerous TCP/ip stacks

Impact on the network

Honeypots are designed to attract hackers, and the more convincing they are, the more
successful they will be. Attackers breaking into a honeypot believe they have hacked a
legitimate part of the target network where they might find valuable data, critical applications
or vulnerable parts of the network infrastructure.

7
Scope of Penetration Testing

The penetration testing actually have three phases of plan for the scope.

Reconnaissance
● To inform the attack strategy, assemble as much information as you can about the
target from both public and private sources. Internet searches, the retrieval of domain
registration data, social engineering, nonintrusive network scanning, and occasionally
even dumpster diving are sources. The attack surface and potential vulnerabilities of
the target are mapped out by pen testers using this information. The type of
reconnaissance varies depending on the goals and parameters of the pen test; it
could be as straightforward as making a phone call to go through a system's
features.

Scanning
● Pen testers employ tools to look for flaws in the target website or system, such as
open services, application security problems, and open source vulnerabilities.
Depending on what they discover throughout the test and during their
reconnaissance, pen testers employ a range of tools.

Gaining access
● Attacker goals may include stealing, altering, or destroying data; transferring money;
or simply tarnishing a company's name. Pen testers choose the finest malware,
social engineering, or other methods to access the system in order to carry out each
test case. They also decide the best tools and techniques to exploit security holes
like SQL injection.

Maintaining access
● Once pen testers have gained access to the target, their simulated attack must
remain connected for a sufficient amount of time to achieve its objectives of data
exfiltration, modification, or functional abuse. It involves showcasing the possible
impact.

8
Risk involves

You might assume that honeypots are the best security option given all of these fantastic
benefits. Sadly, this is not the case. Numerous drawbacks exist with them. Due to these
drawbacks, honeypots are not intended to replace any existing security measures; rather,
they are intended to complement and strengthen your existing security architecture.

The main drawback of honeypots is their limited field of vision, which only allows them to
see activity that is directed at them. Your honeypot won't be able to detect any activity if an
attacker penetrates into your network and targets several other systems until it itself is
attacked. If the attacker knows what the honeypot is, she can now avoid that system and
infiltrate your company without the honeypot realising it. As was already said, honeypots
have a magnifying glass effect on the value of the data you gather, allowing you to
concentrate closely on information with known value. The honeypot's extremely constrained
range of view, like a microscope, can, however, exclude events occurring all around it.

Fin-gerprinting is another drawback of honeypots, especially many commercial models.

When a honeypot exhibits specific anticipated traits or behaviours, an attacker can
determine its true identity using fingerprinting. A honeypot might imitate a web server, for
instance. The Web server reacts by sending a typical error message in standard HTML
whenever an attacker establishes a connection to this particular sort of honeypot. We would
anticipate a Web server to respond just like this. However, the honeypot contains a typo and
spells one of the HTML commands incorrectly, such as the word length, which is written as
legnht.

Given that the Web server emulation issue makes this misspelling easy for any attacker to
spot, it now serves as the honeypot's fingerprint. A honeypot that has been installed
incorrectly can potentially recognise itself. A honeypot, for instance, might have features that
distinguish it from a Unix Solaris server even though it is intended to mimic an NT IIS Web
server. These contradicting selves can serve as a honeypot's hallmark.

A blackhat could impersonate other production systems and attack the honeypot if he
discovers a company utilising a honeypot on its internal networks. The company would go on
a wild goose chase once the honeypot discovered these spoof assaults and incorrectly
informed administrators that a production system was assaulting it. An attacker could
concentrate on actual attacks while everything was chaotic.

9
 The risk of fingerprinting is significantly higher for research honeypots. If discovered, a
system built to acquire intelligence could be completely destroyed. Instead of trying to evade
detection, an attacker can give false information to a research honeypot. The security
community would then draw the wrong assumptions about the blackhat community as a
result of this poor information.

10
Conclusion

Honeypot is seen as a technology with a high degree of adaptability that can be practical
and helpful in various contexts. If a basic honeypot is required, utilise a low-interaction
honeypot and spare yourself the significant danger associated with a high-interaction
honeypot. Honeypots can also be employed in a wide variety of ways. They quickly
demonstrate their value by spotting and seizing illicit behaviour.

But honeypots have a number of serious disadvantages. They have a small field of view,
which is the most significant characteristic. If they are not attacked, they are worthless.
Second, some honeypots can leave a fingerprint that makes them detectable. The use of
honeypots to attack or harm other systems or organisations presents a third disadvantage
and an additional risk. As you add additional services or apps to your environment, more
things are possible to go wrong.

Production honeypots' main benefit is detection, one of the three components of security
prevention, detection, and reaction. Production honeypots are a highly effective tool for
spotting unauthorised activity since they significantly reduce the issue of both false positives
and false negatives. They are helpful for responding as well, which helps businesses
enhance their incident response capacities. Production honeypots are not very useful for
preventing theft.

Although most businesses would be better off concentrating their limited resources on
security best practises like updating vulnerable services, honeypots can be used to prevent
attacks utilising the concepts of deception and deterrence. Honeypots won't stop hackers
from targeting vulnerable systems.

11