Playing with Plugins for HoneyPoint

I have been playing with various plugins lately for HoneyPoint. In this case, I wanted to show the output of two plugins I am playing with currently.

The first one is the TweetCLI plugin that I have written about before. In this example, I am going to show an event that has come in and what the plugins did for me.

The TweetCLI plugin posted the following to the @HoneyPoint feed on Twitter:

Suspicious Activity Captured From: 41.205.122.150 on port 23

Then, the console also executed a plugin I lovingly call AutoPoke. It does a whois lookup of the source address and runs a basic nmap TCP port scan of a few common ports against it. This produced the following output:

OrgName: African Network Information Center
OrgID: AFRINIC
Address: 03B3 - 3rd Floor - Ebene Cyber Tower
Address: Cyber City
Address: Ebene
Address: Mauritius
City: Ebene
StateProv:
PostalCode: 0001
Country: MU
ReferralServer: whois://whois.afrinic.net
NetRange: 41.0.0.0 - 41.255.255.255
CIDR: 41.0.0.0/8
NetName: NET41
NetHandle: NET-41-0-0-0-1
Parent:
NetType: Allocated to AfriNIC
NameServer: NS1.AFRINIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
Comment:
RegDate: 2005-04-12
Updated: 2005-07-12
OrgAbuseHandle: GENER11-ARIN
OrgAbuseName: Generic POC
OrgAbusePhone: +230 4666616
OrgAbuseEmail: abusepoc@afrinic.net
OrgTechHandle: GENER11-ARIN
OrgTechName: Generic POC
OrgTechPhone: +230 4666616
OrgTechEmail: abusepoc@afrinic.net
# ARIN WHOIS database, last updated 2008-12-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Starting Nmap 4.68 ( http://nmap.org ) at 2008-12-30 xxx AST
Interesting ports on 41.205.122.150:
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp filtered telnet
25/tcp closed smtp
79/tcp closed finger
80/tcp filtered http
110/tcp closed pop3
135/tcp filtered msrpc
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp filtered netbios-ssn
443/tcp closed https
445/tcp filtered microsoft-ds
1433/tcp closed ms-sql-s
3389/tcp closed ms-term-serv
5800/tcp closed vnc-http
5801/tcp closed vnc-http-1
5900/tcp closed vnc
5901/tcp closed vnc-1
6666/tcp closed irc
6667/tcp closed irc
6668/tcp closed irc
6669/tcp closed irc
Nmap done: 1 IP address (1 host up) scanned in 2.330 seconds

This output is kind of fun (at least to me) to watch. I get real-time info about where scans and probes are coming from, and real-time port info on the scanning hosts. Over time, this gives me some pretty interesting insight into the common postures of hosts that appear to be compromised or infected.
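To turn AutoPoke's raw whois and nmap text into something that can be tweeted or logged as one enrichment record, here is an added parser (my own example, not HoneyPoint's plugin code); the sample whois and nmap text is constructed from the output shown above, and the field names it picks out are assumptions about what a console operator would want.

```python
import re

# Constructed sample input, cut down from the AutoPoke output in the post.
WHOIS_SAMPLE = """OrgName: African Network Information Center
OrgID: AFRINIC
StateProv:
Country: MU
NetRange: 41.0.0.0 - 41.255.255.255
CIDR: 41.0.0.0/8
OrgAbuseEmail: abusepoc@afrinic.net
# ARIN WHOIS database, last updated 2008-12-29 19:10
"""
NMAP_SAMPLE = """Interesting ports on 41.205.122.150:
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp filtered telnet
25/tcp closed smtp
Nmap done: 1 IP address (1 host up) scanned in 2.330 seconds
"""

# One nmap port line: "<port>/<proto> <state> <service>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)", re.M)

def parse_whois(text):
    """Map ARIN-style 'Key: value' lines to a dict; first value wins, comments and blanks skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only (whois:// values)
        if value.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields

def parse_nmap(text):
    """Map port number -> (proto, state, service) from greppable nmap stdout."""
    return {int(p): (proto, state, svc) for p, proto, state, svc in PORT_RE.findall(text)}

def enrich(src_ip, hp_port, whois_text, nmap_text):
    """Build one enrichment record plus a one-line summary in the TweetCLI style."""
    w, ports = parse_whois(whois_text), parse_nmap(nmap_text)
    open_ports = sorted(p for p, (_, state, _) in ports.items() if state == "open")
    record = {"source": src_ip, "honeypoint_port": hp_port,
              "org": w.get("OrgName", "unknown"), "country": w.get("Country", "unknown"),
              "abuse_contact": w.get("OrgAbuseEmail", "unknown"), "open_ports": open_ports}
    record["summary"] = (f"Suspicious Activity Captured From: {src_ip} on port {hp_port} "
                         f"({record['country']}; open: {','.join(map(str, open_ports)) or 'none'})")
    return record
```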

In this case, this particular host was interesting because of the source. Our global HoneyPoint deployments don't see too many offending hosts from this particular region. Over time, if I see more activity originating from there or the like, then I can decide whether the threat levels in that area are increasing, but nonetheless, even this first one is interesting. A quick review of the host shows a likely vulnerable ssh deployment, which may indicate that the host is compromised and/or botnet infected. Of course, this is all supposition, but interesting (to me) anyway.

Now you know how I spend my time. I love to watch the ebb and flow of attacks, probes and scans. I like to know the sources and virtual “look and feel” of the victim systems. I suppose that is where many of the capabilities in HoneyPoint come from. I think they are just toys that I would like to play with, thus they end up in the product. Do you have some plugins you would like to see or some new HoneyPoint toys or functions you would enjoy? If so, drop me a line. We are working on the plans for HPSS 3.xx as we speak, so now would be a great time to hear a want list from the public!

Thanks for reading!
