WEBVTT

00:00.600 --> 00:09.450
Honeypots are nothing more than devices that are designed to emulate a host or a network to allow you

00:09.450 --> 00:14.430
to let the bad guys in and to be able to track what they're doing.

00:14.430 --> 00:20.850
A honeypot is a very, very common tool used by IT security professionals whenever they're worried about

00:20.850 --> 00:22.530
somebody coming in.

00:22.560 --> 00:29.360
The whole idea of a honeypot is to emulate services that you would find on a typical host.

00:29.490 --> 00:36.120
For example, a honeypot would emulate a web server, a honeypot can emulate an FTP server, a honeypot can

00:36.120 --> 00:37.680
emulate a DNS server.

00:37.680 --> 00:41.130
It will emulate most any server that you want.

00:41.130 --> 00:47.730
The trick about honeypots is not only will they emulate it but then they will also log literally everything

00:47.730 --> 00:53.300
that's typed so that you can keep track and see what bad guys are trying to do.

00:53.370 --> 00:55.970
Now there's lots of different honeypots out there.

00:56.100 --> 01:00.610
There are honeypots that are incredibly powerful and sophisticated and expensive.

01:00.870 --> 01:06.390
Or you can do like I'm doing here, and here is a wonderful free one called HoneyBOT that I've actually

01:06.390 --> 01:07.880
got up and running right now.

01:07.920 --> 01:10.560
And I put it on my system right here.

01:10.560 --> 01:16.230
Now unlike a real honeypot what I've done is I've asked people around my office.

01:16.230 --> 01:25.290
This is internal, to start trying to open up web browsers or FTP clients or email or any kind of thing

01:25.560 --> 01:29.250
to see what happens when they approach this system.

01:29.280 --> 01:33.580
And if you take a look we've actually got quite a few people coming in now.

01:33.780 --> 01:39.780
What's important here, and this is about, by the way, if you look at what ports they're coming in on: port

01:39.810 --> 01:44.460
80, that's HTTP; port 22, that's SSH.

01:44.520 --> 01:52.330
We've got some DNS stuff coming in there, with DHCP, that's rather... We've got 21, FTP.

01:52.530 --> 01:55.310
We've got all kinds of stuff going on.

01:55.320 --> 02:00.900
The problem with these honeypots is that, for example, it's going to emulate a web server, but it doesn't

02:00.900 --> 02:03.220
emulate a very good web server.

02:03.270 --> 02:09.300
So when people are logging in to this particular IP address, when they go into their browsers, they see

02:09.300 --> 02:13.320
just the ugly little under construction sign like this.

02:13.320 --> 02:18.570
And hopefully that's enough to get people to think that this is actually a real web site, but a lot

02:18.570 --> 02:23.880
of more sophisticated hackers would recognize that this is a honeypot pretty much instantaneously.

02:24.060 --> 02:29.480
Well, and that's part of the reason why it's free, because it simply doesn't give us a lot of detail, but

02:29.490 --> 02:34.350
it doesn't matter; if you come back in here, what really becomes important on a honeypot is it gives us

02:34.350 --> 02:38.550
information: what port numbers are people trying to come in on.

02:38.600 --> 02:40.610
And it also gives the IP addresses.

02:40.610 --> 02:44.340
Now you'll notice here everybody's local, because this is an internal network.

02:44.480 --> 02:49.520
I don't want to have a real honeypot sitting on a public network right now because this is good enough

02:49.520 --> 02:52.180
to get you through the idea of what a honeypot does.

02:53.370 --> 02:58.130
Now honeypots need to sit out on the public Internet.

02:58.170 --> 03:04.110
So one of the places we tend to put honeypots, more often than not, is within the DMZ, the demilitarized

03:04.110 --> 03:10.250
zone; you might want to check other videos, we talk about DMZ quite a bit within this series.

03:10.310 --> 03:16.700
But the other important thing that the honeypot does is it logs everything; a sophisticated honeypot

03:17.000 --> 03:20.480
will log every keystroke, everything anybody's entered.

03:20.480 --> 03:26.090
And what we can do is we can analyze that to see what type of attacks people are doing, what commands

03:26.090 --> 03:30.130
are they typing, are they trying to get in, and what kind of havoc are they trying to wreak.

03:31.100 --> 03:36.760
Honeypots are very popular, but in a lot of situations attackers aren't necessarily just going for one

03:36.760 --> 03:37.530
computer.

03:37.660 --> 03:41.190
What we see more and more is that attackers are going for networks.

03:41.200 --> 03:47.950
So what we can do is we can actually emulate not just an individual system but a network, in what's known

03:47.950 --> 03:49.350
as a honeynet.

03:49.630 --> 03:54.820
You can get a lot of honeynets, that's one of the places we see honeynets a lot, is on virtual systems.

03:54.820 --> 04:00.230
Somebody will create four or five virtual machines and put them all within their own little network.

04:00.280 --> 04:06.340
And really what they're doing is they're running honeynet software, watching not only on individual systems

04:06.670 --> 04:11.420
but within the entire network to see what bad guys are trying to do.

04:11.770 --> 04:16.420
And

04:17.540 --> 04:20.970
on

04:21.010 --> 04:24.060
and

04:25.170 --> 04:30.730
on and.
