I have been playing with various plugins lately for HoneyPoint. In this case, I wanted to show the output of two plugins I am playing with currently.
The first one is the TweetCLI plugin that I have written about before. In this example, I am going to show an event that has come in and what the plugins did for me.
The TweetCLI plugin posted the following to the @HoneyPoint feed on Twitter:
Suspicious Activity Captured From: 126.96.36.199 on port 23
Then, the console also executed a plugin I lovingly call AutoPoke. It basically does a whois look up of the address and performs a basic nmap TCP port scan of a few common ports. This produced the following output:
OrgName: African Network Information Center
Address: 03B3 – 3rd Floor – Ebene Cyber Tower
Address: Cyber City
NetRange: 188.8.131.52 – 184.108.40.206
NetType: Allocated to AfriNIC
OrgAbuseName: Generic POC
OrgAbusePhone: +230 4666616
OrgTechName: Generic POC
OrgTechPhone: +230 4666616
# ARIN WHOIS database, last updated 2008-12-29 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.
Starting Nmap 4.68 ( http://nmap.org ) at 2008-12-30 xxx AST
Interesting ports on 220.127.116.11:
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp filtered telnet
25/tcp closed smtp
79/tcp closed finger
80/tcp filtered http
110/tcp closed pop3
135/tcp filtered msrpc
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp filtered netbios-ssn
443/tcp closed https
445/tcp filtered microsoft-ds
1433/tcp closed ms-sql-s
3389/tcp closed ms-term-serv
5800/tcp closed vnc-http
5801/tcp closed vnc-http-1
5900/tcp closed vnc
5901/tcp closed vnc-1
6666/tcp closed irc
6667/tcp closed irc
6668/tcp closed irc
6669/tcp closed irc
Nmap done: 1 IP address (1 host up) scanned in 2.330 seconds
This output is kind of fun (at least to me) to watch. I get real time info about where scans and probes are coming from. I also get real time port info from the scanning hosts. Over time, this gives me some pretty interesting insight into common postures of hosts that appear to be compromised or infected.
In this case, this particular host was interesting because of the source. Our global HoneyPoint deployments don’t see too many offending hosts from this particular region. Over time, if I see more activity originating from there or the like, then I can decide if the threat levels in that area are increasing, but none the less, even this first one is interesting. A quick review of the host shows a likely vulnerable ssh deployment, which may indicate that the host is compromised and/or bot-net infected. Of course, this is all supposition, but interesting (to me) anyway.
Now you know how I spend my time. I love to watch the ebb and flow of attacks, probes and scans. I like to know the sources and virtual “look and feel” of the victim systems. I suppose that is where many of the capabilities in HoneyPoint come from. I think they are just toys that I would like to play with, thus they end up in the product. Do you have some plugins you would like to see or some new HoneyPoint toys or functions you would enjoy? If so, drop me a line. We are working on the plans for HPSS 3.xx as we speak, so now would be a great time to hear a want list from the public!
Thanks for reading!