With the security threats emerging nowadays, we should know how to detect and analyze every possible threat to our network.
With a simple solution we can turn our MikroTik into a powerful tool to fool the hacker.
MikroTik as Low Interaction HoneyPot.
27. Server Farm Network Example
Network: 192.168.1.0/24
192.168.1.2  DNS Server
192.168.1.5  Web Server
192.168.1.10 DB Server
192.168.1.15 Mail Server
SERVER X
Didiet Kusumadihardja - didiet@arch.web.id
28. Confuse your enemy
Network: 192.168.1.0/24
192.168.1.1  Fake Server 1
192.168.1.2  DNS Server
192.168.1.3  Fake Server 2
192.168.1.4  Fake Server 3
192.168.1.5  Web Server
192.168.1.6  Fake Server 4
192.168.1.7  Fake Server 5
192.168.1.8  Fake Server 6
192.168.1.9  Fake Server 7
192.168.1.10 DB Server
192.168.1.11 Fake Server 8
192.168.1.12 Fake Server 9
192.168.1.13 Fake Server 10
192.168.1.14 Fake Server 11
192.168.1.15 Mail Server
29. How we do it with Mikrotik?
37. Combine with Honey Pot
KFSensor
Other HoneyPots: Honeyd, Kippo, Dionaea, Nepenthes
38. What the Hacker Sees (NMAP)
Before / After (Nmap / Zenmap scan screenshots)
39. What the Hacker Sees (SoftPerfect NetScan)
Before / After (SoftPerfect Network Scanner screenshots)
40. I don't want to use a HoneyPot
Step 1: Chain
Step 2: Action
41. What we see if someone PINGs
SRC-MAC ADDRESS
SRC-IP ADDRESS
42. What we see if someone runs NMAP
Mikrotik LOG:
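As an added example (not part of the original slides), a small Python script that parses MikroTik firewall log lines of the kind this slide shows, assuming a filter rule with action=log and log-prefix "honeypot"; the sample lines are constructed. A source that probes several of the fake servers from slide 28 is reported as a likely scanner, together with its src-mac and the fake addresses it touched.

```python
import re
from collections import defaultdict

# Constructed sample of MikroTik firewall log lines, in the style RouterOS emits for a
# filter rule with action=log and log-prefix="honeypot" (assumed rule, not from the slides).
SAMPLE_LOG = """\
firewall,info honeypot input: in:ether2 out:(none), src-mac 00:0c:29:aa:bb:cc, proto ICMP (type 8, code 0), 192.168.1.100->192.168.1.1, len 84
firewall,info honeypot input: in:ether2 out:(none), src-mac 00:0c:29:aa:bb:cc, proto ICMP (type 8, code 0), 192.168.1.100->192.168.1.3, len 84
firewall,info honeypot input: in:ether2 out:(none), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 192.168.1.100:51234->192.168.1.4:80, len 60
firewall,info honeypot input: in:ether2 out:(none), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 192.168.1.100:51235->192.168.1.6:22, len 60
firewall,info honeypot input: in:ether2 out:(none), src-mac 00:0c:29:dd:ee:ff, proto ICMP (type 8, code 0), 192.168.1.50->192.168.1.5, len 84
firewall,info honeypot input: in:ether2 out:(none), src-mac 00:0c:29:dd:ee:ff, proto ICMP (type 8, code 0), 192.168.1.50->192.168.1.3, len 84
"""

# Fake server addresses from the "Confuse your enemy" slide: .1-.15 minus the real servers.
FAKE_SERVERS = {f"192.168.1.{i}" for i in range(1, 16)} - {
    "192.168.1.2", "192.168.1.5", "192.168.1.10", "192.168.1.15"}

LINE_RE = re.compile(
    r"src-mac (?P<mac>[0-9a-f:]{17}), proto (?P<proto>\w+).*?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?->(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?,"
)

def parse_line(line):
    """Extract src-mac, protocol, src-ip and dst-ip from one log line; None if no match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def find_scanners(log_text, threshold=3):
    """Return {src_ip: (src_mac, sorted fake dst list)} for sources that touched at
    least `threshold` distinct fake servers. Traffic to the real servers is ignored,
    since a legitimate client only ever talks to the real DNS, web, DB or mail host."""
    hits = defaultdict(set)
    macs = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in FAKE_SERVERS:
            hits[rec["src"]].add(rec["dst"])
            macs[rec["src"]] = rec["mac"]
    return {src: (macs[src], sorted(dsts))
            for src, dsts in hits.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for src, (mac, dsts) in find_scanners(SAMPLE_LOG).items():
        print(f"possible scanner {src} ({mac}) probed fake servers: {', '.join(dsts)}")
```

With the sample above only 192.168.1.100 is reported; 192.168.1.50 touched one fake address and the real web server, which is normal client behaviour.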
43. The Dude, Hotspot & Userman
IP Address | MAC Address | User ID | Person
44. Use Case 1
Internet Café (WARNET)
University
Office
Insider Threat
45. Use Case 2
Analytics
For Fun
Learn hacking methods from hackers / script kiddies
Research
http://public.honeynet.id
(Low Interaction Honeypot)
(High Interaction Honeypot)