Joker0day

How to detect ssh honeypots

Feb 19th, 2017
======================================
= Detecting simple OpenSSH Honeypots =
= Guide by J0ker =
======================================

SSH honeypots are fairly easy to detect, even laughably so. Many of them are aimed at catching automated or older malware that does no honeypot checking of its own, so they have little reason to hide the login quirks described below.

! - This guide only helps against medium-interaction honeypots, i.e. software that emulates an SSH server and shell. A high-interaction honeypot, an actual vulnerable machine left running to be analysed later, runs a real sshd and is almost impossible to detect with the login tricks below. - !

Medium-interaction SSH honeypots decide whether to grant a login in one of two main ways, and those two ways are also the easiest way to spot them.

1.) The allowed password list

Many SSH honeypots let you configure an allowed-credential list. For example, an entry like root:* means the username root is accepted with any password. This is easy to detect: a real sshd verifies exactly one password per account, so try a wide spread of passwords for the same user, and if more than one of them logs you in, it's a honeypot! Two caveats: a list that pins one exact password for a user is indistinguishable from a real server by this test, and a real host running fail2ban will ban your source address after a handful of failures, so a refused connection means "unknown", not "real".

2.) The random-login allowance

Some honeypots let you set two integers, a minimum and a maximum, and draw a random number between them each time a new source connects. That source then has to fail that many login attempts before the honeypot finally lets it in, whatever the credentials. For example, if the number drawn was 4, the fourth login attempt succeeds. This is easy to detect because the honeypot will eventually accept an obviously wrong password. Try logging in up to 50 times with a password like TheresN0waY!y-ouCanHav3th1SpAssw0rD?! (or something to that effect); a real sshd will never accept it, so if one of those attempts succeeds, you know it's a honeypot. If the honeypot keeps its counter per source address, the attempts from the password-list test above count toward the same total, so the junk password may be accepted sooner than you expect.

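The two login tests above, as an added example that is not part of the original guide: the probe logic is generic over an attempt(user, password) oracle, three constructed stand-ins (a root:* allow-list, a min/max random-count policy, and a normal one-password server) let it run offline, and ssh_attempt() is an assumed live oracle built on paramiko's SSHClient for use against a target you are permitted to test. The sample passwords, the stand-in classes and all function names are constructed for this example.

```python
# Probe an SSH login oracle for the two honeypot login quirks described above.
# Oracle = any callable attempt(user, password) -> bool (True when the login is accepted).
import fnmatch
import random
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Attempt = Callable[[str, str], bool]

# Constructed probe inputs for this example; use a wider spread in practice.
PROBE_PASSWORDS: List[str] = ["123456", "password", "toor", "admin", "qwerty"]
JUNK_PASSWORD = "TheresN0waY!y-ouCanHav3th1SpAssw0rD?!"


def multiple_passwords_accepted(attempt: Attempt, user: str,
                                passwords: Iterable[str]) -> bool:
    """Test 1 (allowed-password list): a real sshd verifies exactly one password
    per account, so two different accepted passwords for one user means the
    target is matching credentials against an allow-list."""
    accepted = [pw for pw in dict.fromkeys(passwords) if attempt(user, pw)]
    return len(accepted) > 1


def junk_password_eventually_accepted(attempt: Attempt, user: str, tries: int = 50,
                                      junk: str = JUNK_PASSWORD) -> Optional[int]:
    """Test 2 (random-login allowance): repeat one obviously wrong password.
    A count-based honeypot says yes once its threshold is reached; a real sshd
    never does. Returns the attempt number that succeeded, or None."""
    for n in range(1, tries + 1):
        if attempt(user, junk):
            return n
    return None


def probe(attempt: Attempt, user: str = "root",
          passwords: Iterable[str] = PROBE_PASSWORDS, tries: int = 50) -> Dict[str, object]:
    """Run both tests against one target. Test 1 runs first, so its attempts
    also advance a per-source attempt counter if the target keeps one."""
    multi = multiple_passwords_accepted(attempt, user, passwords)
    junk_on = junk_password_eventually_accepted(attempt, user, tries)
    return {"multi_password": multi, "junk_accepted_on": junk_on,
            "honeypot": multi or junk_on is not None}


class AllowListHoneypot:
    """Constructed stand-in: user:password allow-list where '*' is a wildcard (root:*)."""
    def __init__(self, rules: List[Tuple[str, str]]):
        self.rules = rules

    def attempt(self, user: str, password: str) -> bool:
        return any(user == u and fnmatch.fnmatchcase(password, pattern)
                   for u, pattern in self.rules)


class RandomCountHoneypot:
    """Constructed stand-in: draw N in [lo, hi] once per source and accept the
    N-th and every later attempt, whatever the credentials."""
    def __init__(self, lo: int, hi: int, seed: Optional[int] = None):
        self.threshold = random.Random(seed).randint(lo, hi)
        self.seen = 0

    def attempt(self, user: str, password: str) -> bool:
        self.seen += 1
        return self.seen >= self.threshold


class RealSshd:
    """Constructed stand-in for a normal server: one valid password per account."""
    def __init__(self, creds: Dict[str, str]):
        self.creds = creds

    def attempt(self, user: str, password: str) -> bool:
        return self.creds.get(user) == password


def ssh_attempt(host: str, port: int = 22, timeout: float = 5.0) -> Attempt:
    """Assumed live oracle on paramiko (third-party, imported lazily so the rest of
    this file runs without it). One fresh connection per attempt; a fail2ban-style
    ban surfaces as a socket error, which is left to propagate as 'unknown'."""
    def attempt(user: str, password: str) -> bool:
        import paramiko
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        try:
            client.connect(host, port=port, username=user, password=password,
                           look_for_keys=False, allow_agent=False, timeout=timeout,
                           banner_timeout=timeout, auth_timeout=timeout)
            return True
        except paramiko.AuthenticationException:
            return False
        finally:
            client.close()
    return attempt


if __name__ == "__main__":
    print("allow-list root:*   ", probe(AllowListHoneypot([("root", "*")]).attempt))
    print("random-count 2..5   ", probe(RandomCountHoneypot(2, 5, seed=7).attempt))
    print("real sshd root:toor ", probe(RealSshd({"root": "toor"}).attempt))
```

Run stand-alone, the allow-list target shows every probe password accepted and the junk password accepted on the first try, the random-count target accepts the junk password on exactly its drawn attempt number, and the real server shows neither. An allow-list pinned to one exact password, and a real host that bans you after a few failures, both come back looking like a real sshd, which is why a clean result means "no signature found" rather than "not a honeypot".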
===========
= Closing =
===========

This is just a short phile on two easy-to-detect login techniques that SSH honeypots use, and how to recognise them. Hope it was worth the read. Stay safe out there!

Greetz to Me.


[ASCII art signature, credited "hjw"; its whitespace was lost in extraction]

BTC donation: 1B1XMYEQEOYVWRYKWEZFTOECRRQ9EBQPHQ