[原創文章] 作者:tjs1214 -----轉載請註明出處和作者
HoneBot構造入侵檢測系統
Honeybot一款很牛B的僵屍網絡跟蹤工具。能夠在網絡上模仿超過1000個易受攻擊的服務的Windows蜜罐程序,可以捕獲和記錄入侵和襲擊企圖。它運行於Windows 2000及以上版本,是AtomicSfotwareSolutions公司的產品。
上圖可以看出有很多ip訪問我本地的1433 8080 22 1080 80 3389等端口,據經驗有的是尋找socks代理,有部分是中了網絡蠕蟲病毒,拼命朝我的135端口 1433端口發數據。如果你發現一個ip連接你的多個端口,很可能是入侵前的掃描工作。HoneyBot能夠記錄下來,並能提供ip頭信息,模仿真實的服務使入侵者上當。可以模仿65535個TCP/UDP端口。下面是我用掃描工具HScan v120 獲得的信息:
[192.168.1.2]: hostname: "6ea4c3a2cbfe4f7"
[192.168.1.2]: Found "PORT: 21/ftp" !!!
[192.168.1.2]: Found "PORT: 22/unknow" !!!
[192.168.1.2]: Found "PORT: 23/telnet" !!!
[192.168.1.2]: Found "PORT: 25/smtp" !!!
[192.168.1.2]: Found "PORT: 42/nameserver" !!!
[192.168.1.2]: Found "PORT: 53/domain" !!!
[192.168.1.2]: Found "PORT: 79/finger" !!!
[192.168.1.2]: Found "PORT: 80/http" !!!
[192.168.1.2]: Found "PORT: 109/pop2" !!!
[192.168.1.2]: Found "PORT: 110/pop3" !!!
[192.168.1.2]: Found "PORT: 111/sunrpc" !!!
[192.168.1.2]: Found "PORT: 139/netbios-ssn" !!!
[192.168.1.2]: Found "PORT: 143/imap" !!!
[192.168.1.2]: Found "PORT: 161/unknow" !!!
[192.168.1.2]: Found "PORT: 443/https" !!!
[192.168.1.2]: Found "PORT: 445/microsoft-ds" !!!
[192.168.1.2]: Found "PORT: 512/exec" !!!
[192.168.1.2]: Found "PORT: 513/login" !!!
[192.168.1.2]: Found "PORT: 514/cmd" !!!
[192.168.1.2]: Found "PORT: 515/printer" !!!
[192.168.1.2]: Found "PORT: 1080/unknow" !!!
[192.168.1.2]: Found "PORT: 1433/ms-sql-s" !!!
[192.168.1.2]: Found "PORT: 2000/unknow" !!!
[192.168.1.2]: Found "PORT: 3306/unknow" !!!
[192.168.1.2]: Found "PORT: 3389/unknow" !!!
[192.168.1.2]: Found "PORT: 5000/unknow" !!!
[192.168.1.2]: Found "PORT: 5631/unknow" !!!
[192.168.1.2]: Found "PORT: 5800/unknow" !!!
[192.168.1.2]: Found "PORT: 6000/unknow" !!!
[192.168.1.2]: Found "PORT: 8080/unknow" !!!
[192.168.1.2]: SMTP banner: 220 SMTP Ready
[192.168.1.2]: IPC NULL session connection success !!!
[192.168.1.2]: FTP banner: 220 黑客入侵者請加qq80165983交流技術!呵呵!奇怪吧?-------FTP banne可以在HoneyBot裏設置
[192.168.1.2]: Found "MSSQL account: sa/[null]" !!! ------------------SQLEXEC居然連接後可以diy出目錄。