Joshua Cruz

Building a homelab - Part 2 - Honeypots and More

October 08, 2019

Update

Since the start of the fall semester, I haven’t been able to contribute to my blog as much as I did over the summer. I’m a little bit disappointed in that, but life happens. Because I rarely have time to work on my own projects, I have to be wise about what I work on. Evolving my homelab seems like the right choice because of the overall learning experience associated with it.

Introduction

In this part of the lab, I decided to remake my homelab from scratch. Doing this ensures I have the basics down:

As an addition of adding servers and clients, I included a honeypot(IDS) system, to simulate a vulnerable machine that an attacker can easily “attack”. There has been some debate over Honeypots and their usefulness. This reply from a Redditor, that specifies that there are more efficient options than setting up and keeping a honeypot environment active. Useful or not, setting it up and seeing what it can do and its usefulness did show me what a honeypot can effectively do.

Diagram Update 1

The purpose of my homelab is to help understand how these systems interact with each other. I tried my best to include different OS’s to have a general sense of how they work and operate. It also gives me the opportunity to do a bit of red and blue teaming.

By all means this isn’t nearly completed. I want to continuously work on this and grow it into something I can be proud of. I have a bunch of ideas I have planned that I eventually want to include into my homelab, but this is a slow and growing process.

Honeypot (KFSensor) Setup

For my first honeypot, I’ve decided to choose one that is relatively easy to get up and running, so I installed KFSensor on a Windows 7 machine. The purpose of KFSensor is to attract and detect hackers. It has IDS capabilities built into the program to detect and respond to attacks. The great thing about KFSensor is that, right after installation it starts monitoring all TCP and UDP ports, as well as ICMP traffic on the network. Any network, client, port I decide to scan it will get logged into KFSensor, to be easily analyzed.

Homelab Overview

This overview show my entire desktop and how I set up all my VM’s using a Type 2 virtualization like VirtualBox

Digging into KFSensor

The easy installation of KFSensor, I’m am able to quickly test out how it all works. I used Kali Linux to do basic pings and nmap scans. Here and I can see what I’m working with.

KFSensor Logs

At line 10, we can see I use the Kali Linux (192.168.1.8) to send a ping request to a another host on the network. The honeypot machine detects the ping request indicated by the ICMP ECHO REQUEST packet.

At line 18, I use the Kali Linux machine (192.168.1.8) to scan for open ports. I decided to use a very noise scan to see how KFSensor works: nmap -sV -sC 192.168.1.4.

As a program thats both a vulnerable machine and an IDS, its interesting to see how the two work together. As a homelab and and a learning resource, I really enjoy this piece of software. Being able to analyze logs without much set up makes it easier for myself to learn this kind of thing.

Conclusion

This was another small addition to my homelab. I was able to add an easy to install honeypot and other servers and clients using different OS’s. This gives my homelab a lot of versatility. There are a few other things I would like to include, but this will take time to think about and produce.