When we conduct a penetration test, one of the areas we normally test is the public-facing internet IP addresses of the client we’re working for. An IP address is like a door number on the internet: anyone can knock on it to see if they get an answer. It got me thinking one day about how likely an attack would be on a random internet connection, and how valuable our testing could be. I decided to do a bit of my own basic research.
Once I’d found an internet connection I could use for this purpose, I set up a Honeypot. A Honeypot, in Cyber Security terms, is a device that has been set up to monitor for and alert on any interactions with it. It could be a decoy website, printer, switch, server or router. Everything about the device tells both casual and advanced hackers that it really is the device it purports to be, and as the Honeypot owner you control what they can do with it and what they can see when they interact with it. It generates a detailed report about each attack. The Honeypot I deployed was made to be more appealing than an ice cold Magnum in mid-summer, but it did nothing to advertise that it was on the internet other than exist. I set it up to appear as if it were a Cisco router and opened a number of ports (holes into the device through its internet connection) that would be of interest to an attacker. I opened SSH, Telnet, SNMP and FTP and enabled port scan detection. I then waited.
I only had to wait about 15 minutes. I then noticed that someone in New Jersey, USA had already tried to log in to the Telnet port. 15 minutes!! I was astounded to see action so quickly. Now, you should note that until I attached the Honeypot, nothing had been attached to that internet connection for some considerable amount of time, so nothing had been showing as running. The Honeypot had been found from a cold position. It must have been automated. I could tell I was going to have a fair amount of data, so I unplugged the Honeypot to think about how to use it and figured I’d put a blog article together.
A few days later I left the Honeypot connected for 24 hours to see what happened. What resulted were nearly 100 attacks from 30 different countries across all services. I’ve provided a breakdown of the attacks for you to view. Hopefully this gives you a good reason to have a penetration test carried out.
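The kind of summary the Honeypot produces can be reproduced from its event log. The following is an added example, not the author’s Honeypot software: it parses constructed sample event lines (time, source IP, country, port, service), builds the per-service and per-country breakdown, and flags a source that touches several ports within a short window, which is what the port scan detection mentioned above looks for.

```python
"""Added example (not the author's honeypot software): summarise constructed
honeypot event lines by service and country, and flag sources that probe
several ports within a short window, the way a port-scan detector would."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "ISO-time,source-ip,country,port,service". Not real data.
SAMPLE_LOG = """\
2023-06-01T10:00:05,198.51.100.7,US,23,telnet
2023-06-01T10:00:09,198.51.100.7,US,22,ssh
2023-06-01T10:00:11,198.51.100.7,US,21,ftp
2023-06-01T10:00:14,198.51.100.7,US,161,snmp
2023-06-01T11:30:00,203.0.113.9,CN,23,telnet
2023-06-01T12:45:30,192.0.2.44,RU,22,ssh
2023-06-01T13:10:00,203.0.113.9,CN,23,telnet
2023-06-02T09:59:00,192.0.2.44,RU,161,snmp
"""

def parse_events(text):
    """Parse one event per line into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, ip, country, port, service = parts
        events.append({"time": datetime.fromisoformat(ts), "ip": ip,
                       "country": country, "port": int(port), "service": service})
    return events

def breakdown(events):
    """Counts per service and per country, the shape of the author's breakdown."""
    return Counter(e["service"] for e in events), Counter(e["country"] for e in events)

def detect_port_scans(events, window=timedelta(seconds=60), min_ports=3):
    """Flag a source that touches at least min_ports distinct ports within window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)
    scanners = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            ports = {x["port"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(ports) >= min_ports:
                scanners[ip] = sorted(ports)  # first window that qualifies is enough
                break
    return scanners
```

On the sample above, one source is flagged as a scanner (four ports in nine seconds) while the two single-service sources are counted but not flagged.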
“If you’re not doing scans and penetration tests, then just know that someone else is... and they don’t work for you”