This article shows how to protect your website easily with honeypots and how to track the attackers who probe it, so that you can protect the site better.
Resources:
- https://github.com/pH-7/
- https://github.com/pH-7/Honeypots
- http://ph7.me
P.S. I wrote this article several years ago, when my English was really bad. Sorry about that!
NETWORK SECURITY
Page 22 http://pentestmag.com EXTRA 06/2012(10)
In general, when an attacker tries to break into a website, he will try to bypass the security of the administration functionality, either by exploiting a vulnerability (SQL injection, ...) or by using a bot that tries every possible username and password combination until it logs in and can do whatever it wants.
One protective technique is to change the name and location of the administration folder; this complicates the break-in by making the page harder for the attacker to find.
Instead of a folder named "admin" or "administration", or a file named "admin.php", give it a name that is difficult to guess. That alone does not stop an attacker, who can adapt his strategy (wordlists, crawling links and error pages) to discover the name of the folder.
So, while keeping the true administration folder hidden, we will set up a fake administration page that attracts attackers as easy prey. Not only will they waste valuable time trying to log in there instead of looking for the real administration page, but we also get to analyse the methods they use to probe the website for vulnerabilities.
You guessed it: in this tutorial I will show you how to create a fake administrative area that serves as a honeypot.
To do this, rename the real administration folder of your site to a name that is hard to guess but easy to remember (e.g. /my-real-secret-admin-folder/). Then create the fake administrative area in a folder named "admin", with an index.php file that asks for the administrator's credentials. This is where we record the attempts to get into the administration of your site (Listing 1).
Remember that the design of this fake administration interface should look like your site, so that the attacker has no reason to doubt that it is the real login page.
We then retrieve the information sent by the login form and store it in a log file or send it by email, so that you are notified immediately when someone tries to log in.
You can also add a tracking code to get more analytical information (country, city, time spent on the page, etc.) about the people who try to log in to the fake admin control panel.
Finally, I call the sleep() function, which pauses the script for a few seconds. This slows down brute-force attacks by bots and annoys a human attacker. Note that a sleeping PHP process still occupies a worker, so many parallel requests to the fake page can exhaust the server; keep the delay short.
And now the "Sniffer" PHP class (Listing 2), which records most of the attacker's actions and adds the option of automatically banning the attackers and bots who try to log in to the administrative area (these visitors rarely bring anything positive to your site).
Protect your site with honeypots
Every interactive website has a "sensitive" part, such as the administrative area, which gives control over almost the entire site. In this article we will learn how to create a honeypot, more precisely a fake administration panel, that lets you learn how an attacker goes about exploiting vulnerabilities in your site, and that also discourages or stops the intrusion, following the principle of the honey pot.
Listing 2. The class used to analyze and store the behaviour of the attacker
<?php
class Sniff
{
    /**
     * Your information here.
     */
    // TRUE = send an email each time someone tries to log in to the fake admin.
    const EMAIL_REPORT = true;
    // Email address the reports are sent to if Sniff::EMAIL_REPORT is TRUE.
    const EMAIL_ADDRESS = 'you@your-domain.com';

    /**
     * Application settings.
     */
    // TRUE = automatically ban everyone who attempts to log in to the fake admin.
    const AUTO_IP_BLOCK = false;
    // Directory where the log files are stored. Keep it outside the web root:
    // the logs hold every submitted username and password in clear text.
    const LOG_PATH = '../../_data/logs/attackers/';
    // Path of the file listing the IP addresses banned from the site.
    const BAN_IP_FULL_PATH = '../../_data/bans/ip.txt';

    private $_sUsername, $_sPassword, $_sIp, $_sContents;

    /**
     * @param string $sUsername The username submitted to the fake admin login.
     * @param string $sPassword The password submitted to the fake admin login.
     */
    public function __construct($sUsername, $sPassword)
    {
        // Initializes the login variables.
        $this->_sUsername = $sUsername;
        $this->_sPassword = $sPassword;

        // Builds the log message and appends it to the log file.
        $this->setLogMsg()->writeFile();

        // Sends the email report.
        if (self::EMAIL_REPORT) $this->sendMessage();

        // Blocks the IP address.
        if (self::AUTO_IP_BLOCK) $this->blockIp();
    }

    /**
     * Check whether the IP address is banned.
     *
     * @return boolean Returns true if the IP is banned, otherwise false.
     */
    public static function isIpBlock()
    {
        if (is_file(self::BAN_IP_FULL_PATH))
        {
            $aIpBans = file(self::BAN_IP_FULL_PATH);
            foreach ($aIpBans as $sIp)
            {
                $sIp = trim($sIp);
                if (0 == strcmp(self::getIp(), $sIp)) return true;
            }
        }
        return false;
    }

    /**
     * Return the IP address of the client.
     *
     * Caution: X-Forwarded-For and Client-IP are ordinary request headers that
     * the client can set to any value, so an attacker can choose which address
     * gets logged (and banned). Trust them only behind a reverse proxy you
     * control; otherwise use REMOTE_ADDR alone.
     *
     * @return string
     */
    public static function getIp()
    {
        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
        {
            $sIp = $_SERVER['HTTP_X_FORWARDED_FOR'];
        }
        elseif (!empty($_SERVER['HTTP_CLIENT_IP']))
        {
            $sIp = $_SERVER['HTTP_CLIENT_IP'];
        }
        else
        {
            $sIp = $_SERVER['REMOTE_ADDR'];
        }
        // The character whitelist also keeps the value safe to use as a file name.
        return preg_match('/^[a-z0-9:.]{7,}$/', $sIp) ? $sIp : '0.0.0.0';
    }

    /**
     * Build the log message.
     *
     * @return this object
     */
    protected function setLogMsg()
    {
        $sReferer = (!empty($_SERVER['HTTP_REFERER'])) ? $_SERVER['HTTP_REFERER'] : 'NO HTTP REFERER';
        $sAgent = (!empty($_SERVER['HTTP_USER_AGENT'])) ? $_SERVER['HTTP_USER_AGENT'] : 'NO USER AGENT';
        $sQuery = (!empty($_SERVER['QUERY_STRING'])) ? $_SERVER['QUERY_STRING'] : 'NO QUERY STRING';

        $this->_sIp = self::getIp();
        $this->_sContents =
            'Date: ' . date('Y/m/d') . "\n" .
            'IP: ' . $this->_sIp . "\n" .
            'QUERY: ' . $sQuery . "\n" .
            'Agent: ' . $sAgent . "\n" .
            'Referer: ' . $sReferer . "\n" .
            'LOGIN - Username: ' . $this->_sUsername . ' - Password: ' . $this->_sPassword . "\n\n\n";
        return $this;
    }

    /**
     * Write the attacker's information to a log file (one file per IP address).
     *
     * @return this object
     */
    protected function writeFile()
    {
        $sFileName = $this->_sIp . '.log';
        $sFullPath = self::LOG_PATH . $sFileName;
        file_put_contents($sFullPath, $this->_sContents, FILE_APPEND);
        return $this;
    }

    /**
     * Add the IP address to the ban list.
     *
     * @return this object
     */
    protected function blockIp()
    {
        $sContent = $this->_sIp . "\n";
        file_put_contents(self::BAN_IP_FULL_PATH, $sContent, FILE_APPEND);
        return $this;
    }

    /**
     * Send an email report.
     *
     * @return this object
     */
    protected function sendMessage()
    {
        // HTTP_HOST comes from the request; a fixed sender address is safer here.
        $sHeaders = "From: \"{$_SERVER['HTTP_HOST']}\" <{$_SERVER['SERVER_ADMIN']}>\r\n";
        mail(self::EMAIL_ADDRESS, 'Reporting of the Fake Admin Honeypot', $this->_sContents, $sHeaders);
        return $this;
    }
}
Listing 3. Router that serves the correct login page (the new index.php of the administrator folder)
<?php
define('IS_INDEX', 1);
session_start();
$sAdminSess = isset($_SESSION['joomla_admin_sess']) ? $_SESSION['joomla_admin_sess'] : '';
if (strcmp($sAdminSess, 'YOUR_SECRET_WORD') != 0)
{
    require '_honeypot_index.inc.php'; // The fake admin interface.
}
else
{
    require '_joomla_index.inc.php'; // OK, the visitor came through the secret administration URL (Listing 5): the real Joomla login.
}
?>
Listing 4a. Fake login admin page
<?php
/**
 * Architecture and design reproduced from Joomla version 2.5.6.
 */
defined('IS_INDEX') or die; // Security check: only reachable through the router (Listing 3).

// The router has normally already started the session.
if (session_id() === '') session_start();

/**
 * Generate a random token name for the login form field.
 */
if (empty($_SESSION['login_token']))
    $_SESSION['login_token'] = md5(uniqid(mt_rand(), true));

/**
 * Gets the root URL.
 * Useful to reproduce exactly the same source code as the original Joomla administration.
 *
 * @return string
 */
function get_url()
{
    // URL association for SSL and protocol compatibility.
    $sHttp = (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? 'https://' : 'http://';
    return $sHttp . $_SERVER['HTTP_HOST'] . dirname(dirname(htmlspecialchars($_SERVER['PHP_SELF'])));
}

/**
 * Gets the root relative URL.
 * Useful to reproduce exactly the same source code as the original Joomla administration.
 *
 * @return string
 */
function get_relative_url()
{
    return dirname(dirname(htmlspecialchars($_SERVER['PHP_SELF'])));
}

/**
 * This page is the fake admin login page of the site.
 * Your real login page is just another URL (e.g. http://your-site.com/_my-secret-admin-page/).
 */
require '../../_inc/Sniff.class.php';

/**
 * Check if the IP address is banned.
 */
if (Sniff::isIpBlock())
{
    header('Location: ../'); // Go to the site index.
    exit;
}

$bErr = false; // Default value
if (isset($_POST['username'], $_POST['passwd']))
{
    sleep(6); // Slows brute-force attacks and irritates the attacker (a sleeping worker is still a busy worker, so keep it short).
    new Sniff($_POST['username'], $_POST['passwd']); // Logs the attempt, reports it and bans the IP if enabled (Listing 2).
    $bErr = true; // Always show the "wrong credentials" error: there is no right answer here.
}
?>
Listing 4c. Fake login admin page (continued; Listing 4b, with the page head and the start of the form, is missing from this copy)
                        <label id="mod-login-password-lbl" for="mod-login-password">Password</label>
                        <input name="passwd" id="mod-login-password" type="password" class="inputbox" size="15" />
                        <label id="mod-login-language-lbl" for="lang">Language</label>
                        <select id="lang" name="lang" class="inputbox">
                            <option value="" selected="selected">Default</option>
                            <option value="en-GB">English (United Kingdom)</option>
                        </select>
                        <div class="button-holder">
                            <div class="button1">
                                <div class="next">
                                    <a href="#" onclick="document.getElementById('form-login').submit();">Log in</a>
                                </div>
                            </div>
                        </div>
                        <div class="clr"></div>
                        <input type="submit" class="hidebtn" value="Log in" />
                        <input type="hidden" name="option" value="com_login" />
                        <input type="hidden" name="task" value="login" />
                        <input type="hidden" name="return" value="aW5kZXgucGhw" />
                        <input type="hidden" name="<?php echo $_SESSION['login_token'] ?>" value="1" />
                    </fieldset>
                </form>
                <div class="clr"></div>
            </div>
        </div>
        <p>Use a valid username and password to gain access to the administrator backend.</p>
        <div id="lock"></div>
    </div>
</div>
<noscript>
    Warning! JavaScript must be enabled for proper operation of the Administrator backend.
</noscript>
</div>
<div id="footer">
    <p class="copyright">
        <a href="http://www.joomla.org">Joomla!®</a> is free software released under the <a href="http://www.gnu.org/licenses/gpl-2.0.html">GNU General Public License</a>.
    </p>
</div>
</body>
</html>
Listing 5. File (index.php of the secret folder) that initialises the session and redirects to the Joomla login page
<?php
define('IS_INDEX', 1);
session_start();
$_SESSION['joomla_admin_sess'] = 'YOUR_SECRET_WORD'; // The real Joomla login is now allowed for this session.
header('Location: ../administrator/');
exit;
?>
In this class we create five constants. The first two concern the report email, the next one enables automatic banning of an IP address, and the last two are the paths of the log directory and of the file listing the IP addresses banned from the site.
Then we create the constructor, which initialises the variables with the credentials entered in the fake admin interface.
Next we build and write the log message with the setLogMsg() and writeFile() methods, then we send an email with the sendMessage() method if the constant EMAIL_REPORT is TRUE, and we ban the IP address of the spammer with the blockIp() method if the constant AUTO_IP_BLOCK is TRUE.
Note that these logs contain every username and password submitted to the honeypot in clear text, and a careless administrator may type the real credentials into the fake page. Keep the log directory outside the web root and readable only by the web server and yourself.
For more information about this class, see the URL of the source code for this article in the links section.
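The getIp() method of the class takes the first of X-Forwarded-For, Client-IP and REMOTE_ADDR that is set. The first two are ordinary request headers, so a client that is not behind your proxy can send X-Forwarded-For: 203.0.113.9 and have that address logged and, with AUTO_IP_BLOCK enabled, banned instead of its own. The following is an added example, not the article's code nor the code of the Honeypots repository: it honours the header only when the TCP peer is one of a list of trusted proxies, walks the header from the right so that only the hop your own proxy appended is used, validates the result with filter_var() before it becomes a log file name, and writes the log entry under an exclusive lock. The proxy addresses, the log directory and the two requests at the end are assumptions constructed for the example.

```php
<?php
/**
 * Added example (not part of the article's Sniff class): resolve the client
 * IP without trusting headers the attacker controls.
 *
 * Assumption: the site sits behind one reverse proxy, 10.0.0.5, that appends
 * the address of the peer it saw to X-Forwarded-For.
 */
final class ClientIp
{
    /** Reverse proxies allowed to speak for the client (assumed addresses). */
    private static $aTrustedProxies = array('10.0.0.5', '127.0.0.1');

    /**
     * @param array $aServer A $_SERVER-like array.
     * @return string A validated IP address, or '0.0.0.0' if none can be trusted.
     */
    public static function resolve(array $aServer)
    {
        $sPeer = isset($aServer['REMOTE_ADDR']) ? $aServer['REMOTE_ADDR'] : '';

        // Direct connection: REMOTE_ADDR comes from the TCP socket, not from a header,
        // so whatever X-Forwarded-For says is ignored.
        if (!in_array($sPeer, self::$aTrustedProxies, true)) {
            return self::validate($sPeer);
        }

        // Behind our proxy: walk X-Forwarded-For from the right, skipping our own hops.
        // The rightmost untrusted entry is the one our proxy appended; anything to
        // its left was supplied by the client and may be forged.
        if (!empty($aServer['HTTP_X_FORWARDED_FOR'])) {
            $aHops = array_map('trim', explode(',', $aServer['HTTP_X_FORWARDED_FOR']));
            for ($i = count($aHops) - 1; $i >= 0; $i--) {
                if (!in_array($aHops[$i], self::$aTrustedProxies, true)) {
                    return self::validate($aHops[$i]);
                }
            }
        }
        return self::validate($sPeer);
    }

    /** Accept only syntactically valid IPv4/IPv6 addresses; the value becomes a file name. */
    private static function validate($sIp)
    {
        return filter_var($sIp, FILTER_VALIDATE_IP) !== false ? $sIp : '0.0.0.0';
    }
}

/** Append a log entry whose file name is derived only from the validated IP. */
function honeypot_log($sLogDir, $sIp, $sUsername, $sPassword)
{
    $sEntry = 'Date: ' . date('Y/m/d H:i:s') . "\n"
            . 'IP: ' . $sIp . "\n"
            . 'LOGIN - Username: ' . $sUsername . ' - Password: ' . $sPassword . "\n\n";
    // IPv6 addresses contain ':'; replace it so the file name is portable.
    $sFile = rtrim($sLogDir, '/') . '/' . str_replace(':', '_', $sIp) . '.log';
    return file_put_contents($sFile, $sEntry, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed requests (not captured traffic).
$aDirectSpoof = array(
    'REMOTE_ADDR'          => '198.51.100.7',  // the attacker's real address
    'HTTP_X_FORWARDED_FOR' => '203.0.113.9',   // header chosen by the attacker
);
$aViaProxy = array(
    'REMOTE_ADDR'          => '10.0.0.5',                   // our proxy
    'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 198.51.100.7', // forged hop, then the real peer
);

echo ClientIp::resolve($aDirectSpoof), "\n"; // direct connection: the header is ignored
echo ClientIp::resolve($aViaProxy), "\n";    // via proxy: only the hop our proxy appended counts

// The article's getIp() would have logged (and, with AUTO_IP_BLOCK, banned) 203.0.113.9.
honeypot_log(sys_get_temp_dir(), ClientIp::resolve($aDirectSpoof), 'admin', 'admin123');
```

Both calls resolve to 198.51.100.7, the address that actually opened the connection, so the forged 203.0.113.9 never reaches the log or the ban list. If the site is not behind a proxy at all, leave the trusted list empty and the function reduces to a validated REMOTE_ADDR.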
Use the fake admin honeypot in a CMS
This technique is perfectly usable in a CMS (it is even recommended). CMSs are generally more exposed to this kind of attack, because someone who wants to break into your site will first study the source code of the CMS in question to learn its architecture and file layout, as well as any piece of code with a vulnerability that could be exploited.
In this example we use the well-known CMS Joomla 2.5, but it should be easy to adapt the code to another CMS.
For Joomla we use a slightly different technique, because Joomla does not allow the "administrator" folder to be renamed, so we leave everything in that folder.
We rename the file "index.php" of that folder to "_joomla_index.inc.php" and add the line defined('IS_INDEX') or die; at the beginning of the file, just after the <?php tag. This line prevents anyone from accessing the file without going through the routing file that we create next (Listing 3, saved as the new "index.php" of the "administrator" folder). Thus only those who know the secret admin folder will have the session variable that gives access to the original login page; everyone else gets the fake login page.
In the same folder, create a file "_honeypot_index.inc.php" with the content of Listing 4. It is the fake login page, including the listening class, etc. Finally, create the real administration folder under a name of your choice, difficult to guess, and create in it an index.php file containing the code of Listing 5.
Keep in mind that in general you rename the real administration folder so that it is difficult to guess, create a bogus administrative area under the old name (e.g. /admin/) and then change the variable or constant that holds the path of the administrative area (usually in the configuration file of your site).
The Joomla example is different only because Joomla does not allow the "administrator" folder to be renamed. Note also that the secret folder only hides the real login page: the real administrator account still needs a strong password, because anyone who learns the secret URL gets the normal Joomla login.
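Listing 4 calls sleep(6) on every POST. The delay slows a single bot, but each sleeping request holds a PHP worker, so a few dozen parallel requests can starve the real site. Below is an added example, not part of the article nor of Joomla, of per-IP throttling for the fake login: the delay grows with the number of attempts in a time window, is capped, and past a threshold the request is refused at once without sleeping. It keys attempts on whatever address the caller passes, so give it the real peer address (REMOTE_ADDR, or the hop your own proxy appended), not a header the attacker can rotate on every request. The state file, the window and the thresholds are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not from the article): per-IP attempt throttling as an
 * alternative to a fixed sleep(6). State lives in a JSON file guarded by
 * flock(); the path, window and limits below are assumptions.
 */
final class AttemptThrottle
{
    const WINDOW_SEC   = 600; // forget attempts older than this
    const MAX_ATTEMPTS = 20;  // refuse outright beyond this many in the window
    const MAX_DELAY    = 4;   // seconds; never sleep longer than this

    private $sStateFile;

    public function __construct($sStateDir)
    {
        $this->sStateFile = rtrim($sStateDir, '/') . '/throttle.json';
    }

    /**
     * Record one attempt for $sIp and return the seconds to sleep,
     * or -1 if the client should be refused without any delay.
     */
    public function hit($sIp, $iNow = null)
    {
        $iNow  = $iNow === null ? time() : $iNow;
        $hFile = fopen($this->sStateFile, 'c+'); // create if missing, do not truncate
        if ($hFile === false) return self::MAX_DELAY; // state unavailable: still slow down
        flock($hFile, LOCK_EX);

        $sJson  = stream_get_contents($hFile);
        $aState = $sJson !== '' ? json_decode($sJson, true) : array();
        if (!is_array($aState)) $aState = array();

        // Keep only the timestamps inside the window for this IP, then add this one.
        $aTimes = isset($aState[$sIp]) ? $aState[$sIp] : array();
        $aTimes = array_values(array_filter($aTimes, function ($t) use ($iNow) {
            return $t > $iNow - AttemptThrottle::WINDOW_SEC;
        }));
        $aTimes[]     = $iNow;
        $aState[$sIp] = $aTimes;

        ftruncate($hFile, 0);
        rewind($hFile);
        fwrite($hFile, json_encode($aState));
        fflush($hFile);
        flock($hFile, LOCK_UN);
        fclose($hFile);

        $iCount = count($aTimes);
        if ($iCount > self::MAX_ATTEMPTS) return -1;
        // 1st attempt: 1 s, 2nd: 2 s, 3rd: 4 s, then capped at MAX_DELAY.
        $iDelay = 1 << min($iCount - 1, 10);
        return min(self::MAX_DELAY, $iDelay);
    }
}

// Constructed demonstration: five attempts from the same address.
$oThrottle = new AttemptThrottle(sys_get_temp_dir());
for ($i = 1; $i <= 5; $i++) {
    $iDelay = $oThrottle->hit('198.51.100.7');
    echo 'attempt ', $i, ': ', ($iDelay < 0 ? 'refused' : $iDelay . ' s delay'), "\n";
}

// In the fake login page this replaces sleep(6):
//   $iDelay = $oThrottle->hit($sRealPeerIp);
//   if ($iDelay < 0) { header('HTTP/1.1 429 Too Many Requests'); exit; }
//   sleep($iDelay);
```

The refusal path costs the server only a file read and write, so a flood from one address no longer pins a worker for six seconds per request; the attacker still gets no hint that the page is a trap, since the error shown to him can stay the same.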
Different honeypot techniques
In this tutorial we used the honeypot to fool attackers or spammers (bots, etc.) who tried to misuse the login page of the administrative area, which in reality is a trap.
But the honeypot technique can be used for other things.
For example, to create a fake captcha field that is invisible to human users but visible to spam bots. It is also interesting to examine the behaviour and the technique used by the bot, for example to improve our real captcha and make it more effective.
We can also ban these bots by IP address in the same way as we did in the "Sniff" class.
Another example is the spam trap (also known as an email trap or spamtrap), an email address that exists only to receive spam. This technique is often considered a spam honeypot.
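One concrete form of the invisible "fake captcha" described above, as an added example that is not from the article: a text field that is moved off-screen by CSS, so humans never see it, but that a form-filling bot completes, together with a signed render timestamp that catches forms submitted faster than a person can read them. The field names, the secret and the two-second threshold are assumptions; the three submissions at the end are constructed, not captured.

```php
<?php
/**
 * Added example (not from the article): a trap field plus a signed render
 * timestamp. Field names, the secret and the thresholds are assumptions.
 */
const HP_SECRET   = 'replace-with-a-long-random-per-site-secret';
const HP_MIN_SECS = 2; // a human needs at least this long to fill in a form

/** Markup to include inside the real form. Humans never see the trap field. */
function honeypot_fields_html($iNow = null)
{
    $iNow = $iNow === null ? time() : $iNow;
    $sSig = hash_hmac('sha256', (string) $iNow, HP_SECRET);
    // Off-screen rather than type="hidden": bots that skip hidden inputs still fill this one.
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label for="website_url">Leave this field empty</label>'
         . '<input type="text" name="website_url" id="website_url" tabindex="-1" autocomplete="off" value="" />'
         . '</div>'
         . '<input type="hidden" name="hp_ts" value="' . $iNow . '" />'
         . '<input type="hidden" name="hp_sig" value="' . $sSig . '" />';
}

/**
 * Classify a submission. Returns array(bool $bIsBot, string $sReason).
 */
function classify_submission(array $aPost, $iNow = null)
{
    $iNow = $iNow === null ? time() : $iNow;

    // 1. A human cannot see the trap field, so any value in it means a bot.
    if (isset($aPost['website_url']) && trim($aPost['website_url']) !== '') {
        return array(true, 'trap field filled');
    }

    // 2. The timestamp must be the one we signed when the form was rendered,
    //    otherwise a bot could simply post an old timestamp.
    $sTs  = isset($aPost['hp_ts'])  ? (string) $aPost['hp_ts']  : '';
    $sSig = isset($aPost['hp_sig']) ? (string) $aPost['hp_sig'] : '';
    if ($sTs === '' || !hash_equals(hash_hmac('sha256', $sTs, HP_SECRET), $sSig)) {
        return array(true, 'missing or forged timestamp');
    }

    // 3. Submitted faster than a person can read the form.
    if ($iNow - (int) $sTs < HP_MIN_SECS) {
        return array(true, 'submitted too fast');
    }
    return array(false, 'ok');
}

// Constructed submissions (not captured traffic).
$iRendered = time() - 30;
$iNowTs    = time();
$sGoodSig  = hash_hmac('sha256', (string) $iRendered, HP_SECRET);

$aHuman = array('name' => 'Alice',   'website_url' => '',                    'hp_ts' => $iRendered, 'hp_sig' => $sGoodSig);
$aBot   = array('name' => 'buy now', 'website_url' => 'http://spam.example', 'hp_ts' => $iRendered, 'hp_sig' => $sGoodSig);
$aFast  = array('name' => 'x',       'website_url' => '',                    'hp_ts' => $iNowTs,
                'hp_sig' => hash_hmac('sha256', (string) $iNowTs, HP_SECRET));

foreach (array('human' => $aHuman, 'bot' => $aBot, 'fast' => $aFast) as $sLabel => $aPost) {
    list($bIsBot, $sReason) = classify_submission($aPost);
    printf("%-5s -> %s (%s)\n", $sLabel, $bIsBot ? 'bot' : 'accepted', $sReason);
    // A bot verdict is where you would append the client IP to the ban file,
    // as blockIp() does in the Sniff class, and log the submission for study.
}
```

Only the first submission is accepted; the second trips the trap field and the third is rejected for arriving within two seconds of the render time. Because the timestamp is signed, a bot cannot make a submission look older by editing the hidden field.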
Figure 1. Honeypot standalone example
A project named Project Honey Pot was also created to fight spam and to collect the addresses of the spammers and others involved in bulk mail and email fraud.
These examples are far from complete, as the honeypot technique is very broad and is not only meant for the Web. Honeypots are also often used on networks.
For more information, I added a Wikipedia article in the links section.
Categories of honeypot
Before concluding this article, I suggest you discover the two broad types of honeypots.
Low-interaction honeypots
This is the easier to implement and more secure family of honeypots. Their goal is to collect as much information as possible while giving the attacker minimal privileges, in order to minimise the security risk.
High-interaction honeypots
These can be considered the extreme side, because they are based on giving the attacker access to real interactions and functions of the service. The risks are much greater than for low-interaction honeypots. It is therefore necessary to isolate the service architecture as much as possible, so that the attacker cannot pivot from it and reach other features and services that were not intended for him.
In this tutorial we learned how to create a low-interaction honeypot, which is generally recommended.
Conclusion
This technique gives a better understanding of the intentions behind, and the attempts at, hacking your site.
For example, you will now receive an email or a message in the log files whenever someone tries to log in; you can also see whether that person uses your real username or password, and if so, it means that someone else knows your login credentials and you must change your password.
It also makes whoever tries to hack your site lose precious time, and thus reduces the risk of further attempts elsewhere (on your site or on another).
You can block the IP addresses of malicious people to further reduce the risk to your site, even though this is debatable: an attacker can easily change IP address using proxy servers, and many ISPs provide dynamic IP addresses (addresses that change periodically). Automatic banning can also lock out a legitimate user, or your own office, if the fake page is reached by mistake, so keep the ban file easy to edit.
Finally, bots that try all possible combinations to access the site administration will also be banned if you have enabled automatic IP banning.
Pierre-Henry Soria
Pierre-Henry Soria has worked in web development for several years. He specialises in accessibility, SEO and security, and in techniques for preventing intrusions. He also works on parsers and lexical and syntactic analysers in low-level languages. He can be contacted by email at: phenrysoria@gmail.com.
Information on the Web
• http://github.com/pH-7/Honeypots – The entire source code discussed in this article.
• http://github.com/pH-7/fake-admin-honeypot-V1.1 – A fake administration panel module whose source code you can draw inspiration from.
• http://github.com/dmpayton/django-admin-honeypot – A fake Django admin login screen that notifies admins of attempted unauthorized access.
• http://sourceforge.net/projects/spamhole/ – A fake open SMTP relay used in the fight against spam.
• http://projecthoneypot.org – Project Honey Pot, a network that harvests the IP addresses of spammers to fight unwanted mail.
• http://en.wikipedia.org/wiki/Honeypot_(computing) – Brief explanation of the operating principles of the honeypot.
• http://www.tracking-hackers.com/papers/honeypots.html – An old but still interesting article on the definition and explanation of the honeypot.
• http://old.honeynet.org/papers/gen2/ – Also a very interesting article, on honeynets.
• http://www.symantec.com/connect/articles/honeypots-are-they-illegal – An interesting article, which I suggest you read, on the legality of honeypots.
Indeed, you must not abuse the honeypot, nor the confidentiality of the users whose data ends up in the log files.