Full Version: How To Identify A Box Is A Honeypot?
How do I find out whether a box I broke into is a honeypot or not? Please give me some ideas about it.
In my experience, if it's easy to get into then it's a honeypot :-)
But still a good question. Honeypots can be set up so you don't know it is one, which I suppose is the whole point of it all.
Any box can be a honeypot. It's almost impossible to know if you're inside one, since there is no "kit" to set up a honeypot; they make it look like a normal vulnerable machine running programs, etc.
My best bet is to be safe: use WinGates, proxies, etc. Oh, and by the way, if you see folders like "creditcard", "credit card numbers", "socialsecurity numbers" or "funds", I would leave the box ASAP, since you know (but this is my opinion). Oh, and always use the bad-IPs list to check the range before you do anything to it. Lastly, use something to clear the Windows event logs/security logs. Good luck, and let's hope you and I don't fall into the honey.
You don't know. I run a honeypot on an EDU domain through a guy I know on campus and we actually catch kids and kill their botnets. We thought about setting up a website to describe how we do it, but then people would design around it. In the meantime, it doesn't matter what kind of rootkit you use, our IDS (sitting right next to the honey) is going to know if your trojan is connecting to an IRC server.
We do other checks too; it's pretty obvious if the machine initiates a connection that it's a trojan, since it doesn't do anything but sit and idle anyway.
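The rule in the post above ("the honeypot never initiates anything, so any outbound connection is the intruder's tool") is the core of the detection. Here is an added example of that logic, not code from the poster's IDS: it parses a constructed firewall-style connection log and alerts on every connection the honeypot originates, with a higher severity when the destination is an IRC port. The honeypot address, the log format and the IRC port list are assumptions for the demo.

```python
"""Added example: 'honeypot must never initiate connections' detection
rule, applied to constructed firewall-style connection records.
The honeypot address, log line format and IRC port list are assumptions."""
import ipaddress
from dataclasses import dataclass

# Addresses of our honeypots (assumption for the demo).
HONEYPOTS = {ipaddress.ip_address("10.0.5.20")}
# Ports commonly used by IRC command-and-control at the time (assumption).
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}


@dataclass
class Conn:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_line(line):
    """Parse a constructed 'ts src:sport -> dst:dport proto' record."""
    ts, rest = line.split(" ", 1)
    left, right = rest.split(" -> ")
    src, sport = left.rsplit(":", 1)
    dst_port, proto = right.rsplit(" ", 1)
    dst, dport = dst_port.rsplit(":", 1)
    return Conn(ts, ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto)


def classify(conn):
    """Return an alert string, or None for expected traffic.

    Inbound traffic to the honeypot is its whole purpose, so it is ignored.
    Anything the honeypot itself initiates is suspect; an outbound IRC
    connection from a box that should only idle is almost certainly a
    planted bot calling home."""
    if conn.src not in HONEYPOTS:
        return None
    if conn.dport in IRC_PORTS:
        return f"CRITICAL {conn.ts} honeypot {conn.src} -> IRC {conn.dst}:{conn.dport}"
    return f"WARN {conn.ts} honeypot {conn.src} initiated {conn.proto} to {conn.dst}:{conn.dport}"


def scan(lines):
    """Run the rule over raw log lines and return the alerts in order."""
    return [a for a in (classify(parse_line(l)) for l in lines if l.strip()) if a]


# Constructed sample: two inbound probes, then the honeypot calling out.
SAMPLE_LOG = """\
2004-01-18T00:25:11 203.0.113.7:4123 -> 10.0.5.20:21 tcp
2004-01-18T00:25:40 203.0.113.7:4124 -> 10.0.5.20:445 tcp
2004-01-18T00:31:02 10.0.5.20:1045 -> 198.51.100.9:6667 tcp
2004-01-18T00:31:05 10.0.5.20:1046 -> 198.51.100.9:80 tcp
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note that the rule does not need to know anything about the rootkit or trojan used: it keys only on direction, which is why the poster's IDS "sitting right next to the honey" sees it regardless of what is hidden on the host.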
The whole concept of a honeypot is that you should have no idea you just walked into a trap. I don't think you could use the "how easy to break it" factor to determine if it is or not. Just like normal targets, honeypots will come in many flavors, from way too easy to almost impossible to get into. The only way I could think of to check if they are honey or not would be to use them for something blatantly illegal and see how long it lasts serving that purpose. Even there... how long were the FBI infiltrated in the warez top scene before the DoD bust? They were contributing big hard drives and fast links too. You just can't know.
The bad-IP lists I've seen up to now were... suspicious, to say the least. Some well-known EDU ranges being tagged as bad IPs. Looked more like a way to scare people so the makers of the list can keep those EDUs to themselves. And I'm talking whole class B networks composed of a mix of EDUs, companies and yes, some government/military. You don't blacklist a whole class because of 20 blocks.
As far as clearing Windows logs, it won't do you any good if it *is* a honeypot. A firewall logging all your communications with the honeypot is what will most likely be used. Besides, completely clearing the logs will make it even more obvious that something happened, worse than actually having a few events hidden in the haystack of normal events.
Some white papers on Honeypots. You may also want to review the section on HoneyTokens.
Honey Pot Whitepapers and Resources. Pretty good reading material if you're wanting to learn more about honeypots. I would also say Google for the paper done on the Super Bowl Hack.
Well, there is never a 100% sure way to identify a machine as a honeypot, but I found that most people who set up the honeypot forget to make it look like it's actually been used. So look whether someone is actually doing some work on the machine, and maybe when the last logins of the users were.
As far as my experience goes..
I've been in a live honeynet once. There were too many services, like chargen and daytime, and the SNMP community set to public, and it was of course entirely exploitable. I was connected to it using a BESS proxy; they are the fastest and also anonymous. It was almost similar to any host, but the number of services available for exploitation was too many; I could even use the Unicode exploit on it. When I tried downloading the FTP passwd file it gave a scary message that was enough to say it was a honeypot... even Specter has emulated the same in the latest version of its honeypot, Specter 7.0.
There are several ways you can tell. Look through the person's programs on their computer: do they look like the type of programs that somebody with network security experience would use, like packet sniffers, etc.? If they are, do you really think that person would allow a script kiddie with an autohacker to break into their machine? No, probably not, so assume that it may be a honeypot, or at the very least that the host will figure out that an attack took place. Along the same lines, take a look through their favorites. You can tell a lot about a person by the type of links that they commonly visit.
Also, understand under what context you're supposed to be getting access to the target machine. If the exploit that you're using is supposed to be a system-privileges exploit, then make sure that you're getting system rights. Chances are a honeypot would run various services under a low user context to prevent the attacker from doing damage. So if you get access denied when trying to add users, modify the registry, etc., assume that the machine might be a honeypot.
When you set up a virtual PC, you don't need the sniffer in the config; you can make it look totally like a normal PC. Lots of honeypots are virtual PCs, so there might be an easy way to see if it is. Something like weird HD serials, or some weird response when you ask for some kind of system info.
Here's some information from a recent episode on a honeypot:
This was a visit from a dialup account. Since we're talking honeypots, I thought this information might be of interest to some. Client commands are shown as sent; server responses are marked with >>>>.

    >>>> 220-xxxxxxxxx.xxxx
    >>>> 220 Enter Username:
    USER anonymous
    >>>> 331 Password Required.
    PASS xxxxxx@xxxxxx.xxx
    >>>> 230 User logged in.
    CWD /pub/
    >>>> 550 Access denied.
    CWD /public/
    >>>> 550 Access denied.
    CWD /pub/incoming/
    >>>> 550 Access denied.
    CWD /incoming/
    >>>> 550 Access denied.
    CWD /_vti_pvt/
    >>>> 550 Access denied.
    CWD /
    >>>> 250 "/" is current directory.
    MKD 040118002511p
    >>>> 550 040118002511p: Permission denied.
    CWD /upload/
    >>>> 550 Access denied.
How does that make it a honeypot? Plenty of anonymous FTPs won't let you do anything. Just because you can log on but not do anything doesn't instantly make it a honeypot.
@easternerd
I think it's a good idea. Thanks.
Most honeypots have almost nothing installed, and have great speed and space.
But they must run many services to attract hackers!
Indeed. None of the things said here are in any way useful. If there aren't many services, maybe it's a well-configured HTTP server. If there are, maybe it's just a PC used a lot, like mine :/ You are all guessing. Some honeypots can't be detected; they are normal PCs, just like yorn said. The only way you can find those is if you go sniffing in folders, see tasks running and so on. But some honeypot PCs use a rootkit to hide the admin files, so there is no way in hell you can find out (unless you have 10 hours of time when rooting). What you can find out (or maybe) is if it's a virtual PC, or a commercial software honeypot. They simulate, so there has to be something about that, but I wouldn't know for now.
Quite often honeypots have Windows and Unix services running at the same time. Quite obviously it is some fake.
Though sometimes it is a router with port forwarding to internal boxes, so you get Win/Unix services on one IP but from several boxes. Generally, really: too many ports ain't good at all. Once a possible honeypot has been compromised, a broadcast ping and a close look at the ARP tables/MACs can really clear things up.
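The ARP-table check suggested above, and the "is it a virtual PC" question raised a few posts earlier, come down to the same thing: after a broadcast ping, look at which MAC addresses answer and whose OUIs they carry. This is an added example, not anything from the thread, that parses a constructed `arp -a` style listing, drops broadcast/multicast rows, and tags each neighbour with a hypervisor vendor when its OUI is a well-known VMware, VirtualBox, Hyper-V, QEMU/KVM, Xen or Parallels prefix. The sample addresses are invented.

```python
"""Added example: classify ARP neighbours by MAC OUI after a broadcast ping.
The sample `arp -a` output is constructed; the OUI table lists well-known
hypervisor prefixes (first three octets)."""
import re
from collections import Counter

# Well-known OUIs assigned to hypervisors, lowercase, colon separated.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM", "00:16:3e": "Xen", "00:1c:42": "Parallels",
}

# Matches an IPv4 address followed (somewhere on the line) by a MAC in
# either 00-0c-29-... (Windows) or 00:0c:29:... (Unix) notation.
ARP_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})")


def norm_mac(mac):
    return mac.lower().replace("-", ":")


def classify_mac(mac):
    """Return a vendor hint for a normalised MAC address."""
    first = int(mac[:2], 16)
    if first & 1:                      # I/G bit set: group address, not a host
        return "multicast/broadcast"
    vendor = VM_OUIS.get(mac[:8])
    if vendor:
        return vendor
    if first & 2:                      # U/L bit set: locally administered
        return "locally administered"
    return "unknown (no hypervisor OUI)"


def parse_arp(text):
    """Return (ip, mac, hint) for every host row; header, broadcast and
    multicast rows are skipped."""
    hosts = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if not m:
            continue
        mac = norm_mac(m.group("mac"))
        hint = classify_mac(mac)
        if hint == "multicast/broadcast":
            continue
        hosts.append((m.group("ip"), mac, hint))
    return hosts


def summarize(text):
    """Count neighbours and how many carry a hypervisor OUI."""
    hosts = parse_arp(text)
    by_vendor = Counter(h for _, _, h in hosts)
    vm_hosts = sum(n for h, n in by_vendor.items() if h in VM_OUIS.values())
    return {"hosts": len(hosts), "vm_hosts": vm_hosts, "by_vendor": dict(by_vendor)}


# Constructed Windows-style `arp -a` output as seen from the compromised box.
SAMPLE_ARP = """\
Interface: 10.0.5.20 --- 0x2
  Internet Address      Physical Address      Type
  10.0.5.1              00-0c-29-3a-1b-22     dynamic
  10.0.5.21             00-0c-29-77-90-0e     dynamic
  10.0.5.22             08-00-27-12-34-56     dynamic
  10.0.5.254            00-1a-2b-3c-4d-5e     dynamic
  10.0.5.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    for ip, mac, hint in parse_arp(SAMPLE_ARP):
        print(f"{ip:<14} {mac}  {hint}")
    print(summarize(SAMPLE_ARP))
```

Read the result the way the poster means it: a segment where almost every neighbour is a VMware or VirtualBox guest, and where the "many services on one IP" turn out to be forwarded to two or three such guests, smells like a honeynet. It is a hint, not proof: production servers are routinely virtualised too, so a hypervisor OUI on its own settles nothing, and a host whose MAC is locally administered may simply have been cloned or set by hand.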
I understand your question eXist, but if I'm not misreading your thread, I believe I posted that the visit came from a dialup account to a "honeypot", not me connecting to a box I suspected of being an HpS. I thought my posting was straightforward enough that it would be clear to the members that the box in question is a honeypot running an FTP server emulation module that I monitor and maintain. If I wasn't clear on that, my apologies to the fellow members; I'll try and slow the brain down so my fingers can catch up to my train of thought. I would also say that when you're configuring a honeypot, it should be tailored to the OS you're trying to model it after. Having an IIS banner or MS FTP banner running on a box that is supposed to be imitating a Solaris system probably wouldn't be a good idea.
Well, since we're on the topic of honeypots, I figured I'd show a real live one in action. When you see the following things you can be pretty certain that the host is a honeypot. Heh, forgot to hide the hostmask...
In my experience, if you are on a true honeypot, it's going to simulate the services and their exploits, but you won't be able to get anywhere with them. Also, the box will typically look almost too good to be true in terms of ease of exploit.
Also, I disagree with this statement. While it may be true that honeypots sometimes do emulate services for both, it is not true that *nix services cannot be run in Windows, and vice versa. Check out the Unix Services for Windows CD from Microsoft. There are also several programs and services that can be emulated in a *nix environment. Consider Samba. Perhaps it is a different animal than Windows file sharing, but it works the same. Basically, a traditional honeypot, as I said, can be detected from not being able to exploit anything, or being able to exploit something but not having any permissions once it's done. Of course, even this is just conjecture because, as others have said, it could just be a very secure machine. Also, who's to say a honeypot isn't going to LET you exploit a service? Couldn't a honeypot also just be considered a machine that is fully exploitable but has nothing of use, that is being monitored by an outside program, say Snort? I think so.
I don't think there would be much point to a honeypot unless permissions are granted, because the whole purpose is to observe the attacker at work and learn his techniques, etc.
Not true. Some honeypots only study one type of exploit, such as FTP. No one mentioned the best way to avoid honeypots (which is the same way to avoid pregnancy): stay out of the box in the first place. (I say that tongue-in-cheek, only slightly.)
Hmm... I was on Google that day and found a link to a honeypot project running under the supervision of the Pakistani Government to trace hackers, supported by Cyber.net.pk.
As I'm also a Paki, I mailed them and requested to join, but they didn't allow it after they got wind of my age. The website is www.honeynet.org.pk. It contains real honeypot stats etc. and other info. Regards ~Faceless Master
@ beardednose
Well, it may be right! So, any other comments?
They scare the shit out of me, to be honest...
A question: so what if you've "hacked" into a honeypot and they know all your info. What would be their next step? Take legal action against you? ...
In all honesty, one must think of what a honeypot is used for. It is simply used to study hackers. Any machine could do this; just set up something to monitor it remotely.
MHSICKNESS - I can't answer for others, but my own interest is not to pursue legal action but more for research..
I would assume all honeypots are there for research in some way or another, and I don't think they would all be easily exploitable.
Why set up a honeypot if all you plan to watch is someone use X-Scan and sqlexec? If I was running one, I would want it on a pretty secure box and on a fast line too. You would need a good incentive to make them go to all the effort of hacking a secure server.