This repository has been archived by the owner on Jan 2, 2023. It is now read-only.

Advanced Networking

Thomas Nicholson edited this page Aug 21, 2015 · 2 revisions

Without Advanced Networking

Without HonSSH's Advanced Networking functionality enabled, the following happens. When an attacker connects from the internet, HonSSH creates a second SSH connection from the client_addr to the honey_addr.

  1. honey_addr - e.g. 192.168.1.10

  2. client_addr - e.g. 192.168.1.1

                              2)       1)
                                \        \
     /----------\       |--------|       |----------|
     | Internet |-------| HonSSH |-------| HoneyPot |
     \----------/       |--------|       |----------|

In the example above, the honey pot will always see connections coming from 192.168.1.1 and not from the attacker's IP address. This makes it easier to identify HonSSH as a honey pot system and is not desired.

With Advanced Networking Enabled

HonSSH's Advanced Networking allows HonSSH to create fake IP addresses on the HonSSH box (using the ip link and ip addr commands) and to NAT the traffic (using iptables) so that all packets appear to come from the attacker. This functionality therefore requires the privileges to run those commands, or for HonSSH to be run as root.

If HonSSH does not have permission to run any of these commands, it will fall back to using the honey_addr rather than the Advanced Networking functionality.

Walkthrough

  1. honey_addr - e.g. 192.168.1.10

  2. client_addr - e.g. 192.168.1.1

  3. attacker - e.g. 1.1.1.1

                   3)                                  2)       1)
                     \                                   \        \
          |----------|       /----------\       |--------|       |----------|
          | Attacker |-------| Internet |-------| HonSSH |-------| HoneyPot |
          |----------|       \----------/       |--------|       |----------|
    

When an attacker connects from 1.1.1.1, HonSSH starts by creating a dummy interface called 'honssh'.

ip link add name honssh type dummy
ip link set honssh up

After creating the interface, HonSSH assigns it a semi-random IP address. HonSSH binds to this address when it creates the tunnel between itself and the honey pot.

ip addr add 2.2.2.2/32 dev honssh

Now that HonSSH has bound to a semi-random fake IP address, iptables NAT rules are needed to translate between the attacker's IP address and the fake address.

iptables -t nat -A POSTROUTING -s 2.2.2.2/32 -d 192.168.1.10/32 -p tcp --dport 22 -j SNAT --to 1.1.1.1
# Translate the source address of packets leaving our Fake IP for the honey pot so they appear to come from the attacker.
iptables -t nat -A PREROUTING -s 192.168.1.10/32 -d 1.1.1.1/32 -p tcp --sport 22 -j DNAT --to 2.2.2.2
# Translate the destination of reply packets from the honey pot addressed to the attacker back to our Fake IP address.

All packets will now appear as if they are coming from the attacker.

When the attacker disconnects, HonSSH will check that they have no other sessions open. If they have no other sessions, HonSSH will remove the Fake IP address and iptables rules.

ip addr del 2.2.2.2/32 dev honssh
iptables -t nat -D POSTROUTING -s 2.2.2.2/32 -d 192.168.1.10/32 -p tcp --dport 22 -j SNAT --to 1.1.1.1
iptables -t nat -D PREROUTING -s 192.168.1.10/32 -d 1.1.1.1/32 -p tcp --sport 22 -j DNAT --to 2.2.2.2

If no sessions from any attacker remain, HonSSH will also remove the honssh interface.

ip link del dev honssh
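The full lifecycle described in the walkthrough (create the dummy interface, pick a fake IP, add the NAT rules, refcount sessions per attacker, and tear everything down in reverse, with the fallback to client_addr when the commands are not permitted) as an added Python example. This is not HonSSH's own code: the ip and iptables command lines are exactly those shown on this page, but the AdvancedNetworking class, the injectable command runner, the fake_pool list the fake IP is chosen from, and the demo() helper are assumptions made for illustration.

```python
import random
import subprocess
from collections import defaultdict


class AdvancedNetworking:
    """Per-attacker fake IP and NAT bookkeeping (illustrative model, not HonSSH's code).

    `run` takes an argv list and returns True on success; the default shells out
    to ip/iptables (root needed). Tests inject a recorder so nothing is executed.
    """

    IFACE = "honssh"

    def __init__(self, honey_addr, client_addr, run=None, fake_pool=None, rng=None):
        self.honey_addr = honey_addr
        self.client_addr = client_addr        # fallback bind address
        self.run = run or self._run_real
        self.fake_pool = fake_pool or ["2.2.2.2"]   # assumed pool; page only shows 2.2.2.2
        self.rng = rng or random.Random()
        self.sessions = defaultdict(int)      # attacker ip -> open session count
        self.fake_ips = {}                    # attacker ip -> fake ip in use
        self.iface_up = False

    @staticmethod
    def _run_real(argv):
        return subprocess.call(argv) == 0

    def _nat_rules(self, action, fake_ip, attacker):
        """The two NAT rules from the walkthrough; action is '-A' (add) or '-D' (delete)."""
        return [
            ["iptables", "-t", "nat", action, "POSTROUTING",
             "-s", f"{fake_ip}/32", "-d", f"{self.honey_addr}/32",
             "-p", "tcp", "--dport", "22", "-j", "SNAT", "--to", attacker],
            ["iptables", "-t", "nat", action, "PREROUTING",
             "-s", f"{self.honey_addr}/32", "-d", f"{attacker}/32",
             "-p", "tcp", "--sport", "22", "-j", "DNAT", "--to", fake_ip],
        ]

    def bind_addr_for(self, attacker):
        """Address to bind the honey-pot leg of a new session from `attacker`.

        Returns the attacker's fake IP when the setup commands succeed, otherwise
        falls back to client_addr (the page's behaviour when privileges are missing).
        """
        self.sessions[attacker] += 1
        if attacker in self.fake_ips:           # reuse the fake IP of an open session
            return self.fake_ips[attacker]
        free = [ip for ip in self.fake_pool if ip not in self.fake_ips.values()]
        if not free:
            return self.client_addr
        if not self.iface_up:
            ok = (self.run(["ip", "link", "add", "name", self.IFACE, "type", "dummy"])
                  and self.run(["ip", "link", "set", self.IFACE, "up"]))
            if not ok:
                return self.client_addr
            self.iface_up = True
        fake_ip = self.rng.choice(free)
        # (do, undo) pairs so a partial failure can be rolled back before falling back
        steps = [(["ip", "addr", "add", f"{fake_ip}/32", "dev", self.IFACE],
                  ["ip", "addr", "del", f"{fake_ip}/32", "dev", self.IFACE])]
        steps += list(zip(self._nat_rules("-A", fake_ip, attacker),
                          self._nat_rules("-D", fake_ip, attacker)))
        applied = []
        for do, undo in steps:
            if not self.run(do):
                for u in reversed(applied):
                    self.run(u)
                return self.client_addr
            applied.append(undo)
        self.fake_ips[attacker] = fake_ip
        return fake_ip

    def session_closed(self, attacker):
        """Remove the attacker's fake IP and rules on their last session, and the
        dummy interface once no sessions from any attacker remain."""
        self.sessions[attacker] -= 1
        if self.sessions[attacker] > 0:
            return
        del self.sessions[attacker]
        fake_ip = self.fake_ips.pop(attacker, None)
        if fake_ip is not None:
            self.run(["ip", "addr", "del", f"{fake_ip}/32", "dev", self.IFACE])
            for rule in self._nat_rules("-D", fake_ip, attacker):
                self.run(rule)
        if not self.sessions and self.iface_up:
            self.run(["ip", "link", "del", "dev", self.IFACE])
            self.iface_up = False


def demo(fail_commands=False):
    """Run the page's scenario (attacker 1.1.1.1, two sessions) against a recording
    runner instead of real ip/iptables. Returns (bind addresses, command log,
    number of commands issued before the last session closed)."""
    log = []

    def recorder(argv):
        log.append(" ".join(argv))
        return not fail_commands          # simulate 'permission denied' when asked

    net = AdvancedNetworking("192.168.1.10", "192.168.1.1", run=recorder)
    binds = [net.bind_addr_for("1.1.1.1"), net.bind_addr_for("1.1.1.1")]
    net.session_closed("1.1.1.1")         # one session still open: nothing torn down
    issued_before_last_close = len(log)
    net.session_closed("1.1.1.1")         # last session: addr, rules, then interface go
    return binds, log, issued_before_last_close


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

With the recording runner the log reproduces the page's command sequence in order: the two ip link commands, ip addr add, the SNAT and DNAT rules, then nothing while a second session is still open, and finally ip addr del, the two rule deletions and ip link del. With fail_commands=True both sessions bind to 192.168.1.1, which is the fallback the page describes when HonSSH lacks permission to run the commands.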