Tracking Exploitations Using Digital Forensics: An Exercise of Cybersecurity Utilizing Vulnerabilities


Ian Bernasconi, Michael Costello, Alexis Harvey, Kody Horvath, Sayvion Mayfield
Florida State University
iab17b@my.fsu.edu, mvc09@my.fsu.edu, aph15@my.fsu.edu, kjh15b@my.fsu.edu, sm16bc@my.fsu.edu

Abstract
Cybersecurity, the continual effort of protecting internet-connected devices from tampering, theft, or damage, is an endless cycle of prevention, patching, and evaluation of systems. It matters to businesses, organizations, and personal networks alike, because all of them expect confidentiality, integrity, and availability of their devices and information. Losing control of systems or customer data is costly, which makes security one of the top priorities of any company that needs to stay online. While many attacks on organizations are catastrophic and visibly damage systems and data, there are also subtle, quiet attacks that might never be detected without close monitoring. Continuous monitoring of data and critical systems, so that changes to confidential files and scheduled tasks are noticed, is therefore essential to keeping a network secure and working. Using tools available in Linux environments together with the defenses on our own network, we aim to illustrate the importance of digital forensics on a network, walk through the process of monitoring a system, and show how an attack on vital systems can be detected.

Keywords: Digital forensics, Intrusion detection, network security, honeypot

Introduction

A network of computers and systems is the backbone of any company or organization; it is what allows businesses to operate in an age where processing and storing large amounts of data is essential. Keeping that environment free of malicious code, insider and outsider attacks, and other threats is therefore one of the biggest concerns of many businesses. Defensive systems can detect many attacks, but there is always the possibility of an insider threat or of a quieter outside attack that slips past them. Any business handling records and important data should therefore practice digital forensics, so that unnoticed changes can be reversed and, in the event of an attack, the proper steps can be taken to cut off the attacker's access and to determine the extent of the damage.

We adopt a three-pronged strategy in this exercise: forensics, defense, and offense. The focus is on forensics, and we use several tools to generate data on any attempt to breach the network. By collecting and preserving digital evidence of intrusion attempts we can build a report on any malicious activity. We employ HoneyBOT to capture malicious traffic and ensnare other groups' breach attempts, and we build a forensics system on the Security Onion tool set, which gives us access to a number of intrusion detection systems (IDS). Attackers often leave backdoors or other traces during an infiltration, and a complete set of logs is critical to understanding how a breach occurred and how to prevent the next one.

Determining the extent of a breach and identifying the actors behind it is of little use if the same attack cannot be prevented from happening again. Our defensive strategy uses a comprehensive set of firewall rules in the Palo Alto Networks firewall interface as well as in the open source firewall pfSense. The initial setup behaves like a typical network; as we collect evidence of intrusion attempts, successful and unsuccessful, we tighten the firewall rules to harden the network. The rules should carve out a DMZ in the network architecture, letting outside requests reach the machines that must be exposed while shielding critical assets from attack.

Once our own network is protected and the server logs are known to be accurate, we turn to attacking the rival teams. The first objective is reconnaissance of the opponent's network. Wireshark is available in our virtual environment and lets us analyze the packets we can capture on the shared segment. After gathering enough information about their critical infrastructure, the attack shifts to LLMNR and NBT-NS poisoning with Responder, and then to planting backdoors in the opponents' critical systems. Kali Linux ships the tools for these attacks and is an invaluable resource throughout the exercise.

Cybersecurity Forensics

Network Forensic Analysis Tools

Before discussing best practices for network traffic forensics it is important to understand that forensic analysis is tedious and time-consuming. Many tools display network traffic in real time, but watching live traffic becomes unmanageable on a large network. Corey, Peterman, Shearman, Greenberg, and Van Bokkelen (2002) note that on a larger network it is usually best to archive the traffic and analyze only the subsets deemed relevant, a process known as reconstructive traffic analysis, or network forensics (Corey et al., 2002). The example they give is "the analysis detecting a user account and its Pretty Good Privacy keys being compromised, good practice requires you to review all subsequent activity by that user, or involving those keys" (Corey et al., 2002). There are many reasons to want a better understanding of network traffic, but legal and security concerns are always the top priority. Lower-stakes reasons include a mail server losing a large number of messages while the backups also fail; the recorded traffic can then be analyzed to recover the lost messages.

A question that comes up when researching Network Forensic Analysis Tools (NFATs) is how they relate to Intrusion Detection Systems (IDSs): do they complement firewalls and IDSs, or replace them? An IDS detects activity that violates an organization's security policy by applying a set of rules describing preconfigured patterns of interest. A firewall allows or denies traffic to or from specific networks, machine addresses, and port numbers. The general consensus is that NFATs complement both: they preserve a long-term record of network traffic and allow quick analysis of trouble spots. An NFAT must do three things well: capture network traffic, analyze it according to the user's needs, and let users discover useful and interesting facts about the analyzed traffic.

When analyzing traffic it is best to archive the raw network traffic first; that archive is the first layer of forensic information. Sessionizing is the next step and is extremely useful for filtering out unrelated packets transmitted at the same time as the packets under inspection: the tool groups packets into individual transport-layer connections between machines (Corey et al., 2002). Protocol parsing and analysis is typically done by hand, chaining tools such as tcpdump, strings, and grep for a specific word or phrase, and then rerunning tcpdump with a filter to extract the matching data. A more efficient approach is expert-system analysis of the sessionized traffic, which evaluates the content of individual connections and correlates connections with one another. Forensic tools such as NetIntercept let an analyst explore and understand data that was unintelligible at the packet-sniffer level (Corey et al., 2002).
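The sessionizing step described above, as an added Python example that is not part of the paper and not NetIntercept's code: it folds both directions of a connection into one transport-layer session and lets an analyst pull out every session involving a given host, which is the "review all subsequent activity" step from Corey et al. The packet records are constructed for the example (they reuse addresses from Figure 1), and the record field names are assumptions.

```python
"""Sessionize packet records into transport-layer connections (added example)."""
from typing import Dict, Iterable, List, Tuple

Endpoint = Tuple[str, int]


def session_key(pkt: dict) -> Tuple[str, Endpoint, Endpoint]:
    """Order the two endpoints so that both directions of a flow map to one key."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt["proto"], lo, hi)


def sessionize(packets: Iterable[dict]) -> Dict[tuple, dict]:
    """Group packets into sessions; the first packet seen defines the client side."""
    sessions: Dict[tuple, dict] = {}
    for p in sorted(packets, key=lambda p: p["ts"]):
        key = session_key(p)
        s = sessions.get(key)
        if s is None:
            s = sessions[key] = {
                "proto": p["proto"],
                "client": (p["src"], p["sport"]),
                "server": (p["dst"], p["dport"]),
                "start": p["ts"], "end": p["ts"],
                "packets": 0, "bytes_c2s": 0, "bytes_s2c": 0,
            }
        s["end"] = p["ts"]
        s["packets"] += 1
        if (p["src"], p["sport"]) == s["client"]:
            s["bytes_c2s"] += p["len"]
        else:
            s["bytes_s2c"] += p["len"]
    return sessions


def sessions_involving(sessions: Dict[tuple, dict], ip: str) -> List[dict]:
    """Every session in which `ip` is client or server, oldest first."""
    hits = [s for s in sessions.values() if ip in (s["client"][0], s["server"][0])]
    return sorted(hits, key=lambda s: s["start"])


# Constructed packet records (timestamp, 5-tuple, payload length): the Kali host
# 172.16.31.75 receives an SMB connection from a Windows client (172.16.31.20,
# an assumed address) while an unrelated HTTP session to the Apache host runs
# at the same time and an LLMNR query goes out to the multicast group.
SAMPLE_PACKETS = [
    {"ts": 100.00, "proto": "tcp", "src": "172.16.31.20", "sport": 49733, "dst": "172.16.32.10", "dport": 80, "len": 0},
    {"ts": 100.01, "proto": "tcp", "src": "172.16.31.20", "sport": 49734, "dst": "172.16.31.75", "dport": 445, "len": 0},
    {"ts": 100.02, "proto": "tcp", "src": "172.16.31.75", "sport": 445, "dst": "172.16.31.20", "dport": 49734, "len": 0},
    {"ts": 100.03, "proto": "tcp", "src": "172.16.31.20", "sport": 49734, "dst": "172.16.31.75", "dport": 445, "len": 213},
    {"ts": 100.04, "proto": "tcp", "src": "172.16.32.10", "sport": 80, "dst": "172.16.31.20", "dport": 49733, "len": 1460},
    {"ts": 100.05, "proto": "tcp", "src": "172.16.31.75", "sport": 445, "dst": "172.16.31.20", "dport": 49734, "len": 342},
    {"ts": 100.06, "proto": "udp", "src": "172.16.31.20", "sport": 51234, "dst": "224.0.0.252", "dport": 5355, "len": 28},
]

if __name__ == "__main__":
    for s in sessions_involving(sessionize(SAMPLE_PACKETS), "172.16.31.75"):
        print(s["client"], "->", s["server"], s["packets"], "pkts,",
              s["bytes_c2s"], "B client->server,", s["bytes_s2c"], "B server->client")
```

Direction is decided by the first packet observed, which is the SYN on a complete capture; on a capture that starts mid-connection the client and server labels can be swapped, so the key still groups correctly but the byte counters should be read with that in mind.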

Working with NFATs raises specific security concerns: handling encrypted traffic, avoiding detection and circumvention of the monitor, and protecting the sensitive data that the analysis reveals. Programs and documentation exist to help with all three. Detection of the monitor is a real risk: L0pht Heavy Industries released AntiSniff, a program that attempts to find other machines running packet monitors (sniffers) by looking for abnormal behaviors that common NT and Unix TCP stacks exhibit while a sniffer is running. On protecting the data, remember that every packet and its contents are available to anyone with physical access to the same wire unless the traffic is encrypted. Machines used to perform network forensics are most secure when they can be accessed only from their consoles; alternatively the machine can be multihomed, with a silent (non-transmitting) interface on the monitored networks and an interactive interface on a private network whose access is limited by policy or physical barriers (Corey et al., 2002).

Big Data Analysis

Big data analysis of network traffic to find threats has become increasingly sought after and researched. To understand its use in cybersecurity it is important to know what big data is. The term refers to data sets so large that they exceed the capabilities of traditional data processing technologies, together with the analysis and management technologies that reveal patterns, relations, and trends in them. Applying these tools to security has led to the term 'Big Data Cybersecurity Analytic Systems', "which refers to systems that collect large amount of security event data from different sources and analyze it using big data tools and technologies for detecting attacks either through attack pattern matching or identifying anomalies" (Ullah & Babar, 2018). Besides network traffic, the data sources include firewall logs, web logs, system logs, and application logs. Big data analysis of network traffic is based on detecting anomalous activity and malicious data transmitted over the network by analyzing large quantities of traffic with big data tools.

“It has been proposed that big data tools would transform cybersecurity analytics by first, enabling organizations to collect a large amount of heterogeneous data from diverse sources such as networks, databases, and applications. Second, perform deep security analytics at real-time. Third, it would provide a consolidated view of the security-related information,” (Ullah & Babar, 2018). Big data can be used against various types of online threats. Network vulnerabilities are found by analyzing the network and determining which databases are exposed to attackers, which is crucial for databases holding sensitive information. “Big data has the ability to detect anomalies in a network, without knowing what kind of attributes to look for at the start of the analysis” (Hess 2018). This is usually done by finding correlations in large data sets, or by mining the data for patterns and behaviors. Anomalies also characterize an attacker's behavior: analysis of irregular behavior can help detect and protect against future threats, such as an attacker installing malicious code or sending an email carrying a Trojan horse. Big data has brought many improvements to cybersecurity and new, analysis-based options for investigating threats; understanding these strategies can help avoid breaches and build more efficient protections.

It is natural to ask how big data differs from the conventional analysis of network traffic, system logs, and other sources used to identify threats and malicious activity. “The main differences that are reported are the tools to control large quantities of structured and unstructured data” (Cárdenas, Manadhata, & Rajan 2013). Analyzing logs and network traffic for forensics and intrusion detection is nothing new, but the traditional technologies are not always efficient, because they were not built to handle very large data sets over long periods. New big data technologies are becoming part of security management software because they clean and organize incomplete, heterogeneous data efficiently (Cárdenas, Manadhata, & Rajan 2013). Big data has made large-scale collection and storage practical, expanding the amount of information collected about threats to the network. Technologies such as Hadoop handle data more quickly and efficiently than traditional technologies that lack the resources for such volumes. A security data warehouse built on Hadoop “lets users mine meaningful security information from not only firewalls and security devices but also web traffic, business processes, and other daily transactions,” (Cárdenas, Manadhata, & Rajan 2013).

Big data also has disadvantages. It has created new threats, such as attackers who use big data themselves to discover holes in a network (Hess 2018). The main risks of using big data are protecting sensitive and personal data, data rights, and lacking the skills of a data scientist to analyze the data. A poorly protected big data store is also an attractive target: attackers who see large data sets are all the more motivated to break in. If the proper steps are taken and the data is properly managed and protected, however, the benefits outweigh the risks. Big data makes it possible to analyze many data sources and respond in real time, to find connections that traditional technology would not generate, and to manage real-time network traffic with detection of malicious and suspicious patterns, improving security overall.

Network Topology & Firewall Defense

Our lab environment has five main devices per team member for testing and research: (1) a Windows virtual machine running Apache 2.2, (2) a Windows 10 virtual machine, (3) a Kali Linux machine, (4) a Raspberry Pi, and (5) an Ubuntu machine. The Kali Linux machine is our main machine for penetration testing and network scanning. Security Onion and Comodo intrusion detection systems help monitor the network, and Palo Alto and pfSense firewall machines hold the firewall exceptions and rules for the environment. All of these devices were originally connected to a single subnet, 192.168.72.0/24, but most are now placed behind the firewalls on the 172.16.30.0/24 through 172.16.32.0/24 subnets. Each machine's IP address, DNS server, and default gateway are listed in Figure 1. The Ubuntu, Windows 7, Apache, and Raspberry Pi systems are all connected through the Palo Alto and pfSense interfaces. The Security Onion, Comodo, and Kali virtual machines sit outside the firewall and are trunked alongside the firewall interface toward the rest of the FSU network from our SECNET Lab node.

Machine               IP Address / Subnet                                    Mask (CIDR)   DNS             Default Gateway
Palo Alto Firewall    1) 192.168.74.114, 192.168.72.114, 172.16.31.254       /24           192.168.72.7    192.168.74.114
                      2) 192.168.74.115, 192.168.72.115, 172.16.32.254
pfSense               172.16.30.254                                          /24           192.168.72.7    192.168.74
Ubuntu                172.16.30.0/24                                         /24           192.168.72.7    172.16.30.254
Windows 7             172.16.31.0/24                                         /24           192.168.72.7    172.16.31.254
Apache                172.16.32.0/24                                         /24           192.168.72.7    172.16.32.254
Security Onion IDS    192.168.72.27                                          /24           192.168.72.7    192.168.72.254
Comodo IDS            192.168.72.202                                         /24           192.168.72.7    192.168.72.254
Kali                  172.16.31.75, 172.16.31.76, 172.16.31.77,              /24           192.168.72.7    172.16.31.254
                      172.16.31.78, 172.16.31.79
Figure 1: Network Details

Figure 2: Network Topology


Kali Linux Attacks

Responder Attack

Responder is an attack tool, originally written at Trustwave SpiderLabs, that answers LLMNR and NBT-NS queries with its own IP address for any hostname requested. The attack, run from Kali Linux, targets a Windows machine that cannot resolve a hostname through DNS and falls back to Link-Local Multicast Name Resolution (LLMNR) to ask its neighbors. LLMNR can resolve both IPv4 and IPv6 addresses; if it fails, the NetBIOS Name Service (NBT-NS) is tried next and resolves IPv4 addresses only. Both protocols are unauthenticated: any host on the local segment may answer a query, the reply does not have to be correct, and the requester treats it as legitimate.

Before running the attack it is worth reviewing Responder's options with "responder -h". The interface to listen on must be specified, for example eth0. Responder then runs in the background waiting for events; when a client tries to resolve a name that is not in DNS, Responder poisons the LLMNR and NBT-NS requests that are sent out. The attack is triggered, for example, when a user opens File Explorer and requests a network resource that does not exist: typing "\\fielshare" (a mistyped share name) yields no DNS answer, Responder claims that its own IP is the location of "fielshare", and the Windows machine connects to that resource over SMB, believing it is on the Kali host. The client then attempts NTLM authentication against Responder's rogue SMB server, which records the username, domain, server challenge, and NetNTLMv2 response (commonly called the hash). The password itself is never transmitted; it is this challenge-response that is cracked offline later.

Responder Attack (WPAD)

Responder has proven more reliable at capturing usernames and password hashes through WPAD. When a browser such as Internet Explorer is configured to automatically detect proxy settings, it uses the Web Proxy Auto-Discovery (WPAD) protocol to locate and download a wpad.dat Proxy Auto-Config (PAC) file, which defines the proxy servers the browser should use for different URLs. WPAD works by attempting to resolve the hostname "wpad" through a series of name requests, which is exactly what Responder poisons. From the attacker's perspective it helps that Internet Explorer has automatic proxy detection enabled by default.

The attack is started with "responder -I eth0 -w -f": -I selects the interface, -w starts the rogue WPAD proxy that poisons WPAD requests and serves a valid wpad.dat PAC file, and -f fingerprints the hosts that issue queries. When a user on the local network opens Internet Explorer, the browser retrieves wpad.dat from Responder. With the additional argument -F, Responder forces the client to authenticate when it requests wpad.dat. Because the request comes from the local network, Internet Explorer places the service in the Intranet security zone and supplies the user's credentials automatically, without any prompt. Internet Explorer and Google Chrome (which uses the system proxy settings) both do this, whereas Firefox prompts the user to enter credentials manually, which is something to keep in mind on a network with Firefox users. Wireshark can be used with both forms of the Responder attack to confirm that the attack succeeded.

Captured Hashes in Responder Attacks

In both forms of the attack, the captured hashes are written to Responder's log files. Attackers then typically crack the hashes with John the Ripper to recover passwords and gain access to the network. Used during penetration tests this technique has been very successful, and credentials for Domain Admin accounts have often been captured and cracked, which compromises the entire Active Directory domain and its resources.

Figure 3: Outputting Captured Hash Log

After running Responder on the network we can print the logs and display the captured credential hashes of other computers. In this instance we have the NetNTLMv2 hash of the account "admin" on the machine with hostname "4777A04WIN". Several programs will attempt to crack the hash using wordlists; the most popular are hashcat and John the Ripper.

Figure 4: Using John the Ripper to crack hashes


For cracking we use John the Ripper, popular for its simplicity and automatic hash-type detection (the format can also be forced with --format=netntlmv2). The hash here is a NetNTLMv2 challenge-response. We point John at the log file containing the hash and at the well-known wordlist "rockyou.txt". For every candidate password John recomputes the response from the captured server challenge and compares it with the captured one, so the wordlist entries are plaintext candidates, not precomputed hashes. Weak passwords fall in minutes; strong passwords require far more time and larger wordlists, and may not be recoverable at all.

Figure 5: Cracked Passwords

John the Ripper recovers the password "Domainsup3r!", giving us access to accounts on the other machines. With a username and password exposed, an attacker can take control not only of one machine but, if the computer is joined to an organizational domain, of the whole domain. That exposes every computer in the domain to hijacking and can lead to loss of data integrity, loss of availability of machines and information, and destruction of systems.

Building Back Doors

With the usernames and passwords recovered by John the Ripper we can log in to accounts with administrative privileges. A valuable tool for an attacker at this point is a backdoor. With an administrator account it is possible to create another account with administrator privileges, letting the attacker re-enter the system at will. An unsuspecting network administrator may not notice the new account or be able to see exactly what it is doing, especially if it has an inconspicuous name. An effective defense is routine auditing of accounts and access rights, and suspending the login ability of questionable accounts.

Another common backdoor, typically used by advanced persistent threat (APT) actors, is a malicious shell planted under a privileged account. The shell lets the attacker execute commands on the host as that account without having to compromise it again, and can be used to modify or exfiltrate sensitive data or to perform other actions useful to the attacker. Such shells have a few hallmark patterns that make them easier to detect: behavior analysis is a relatively easy way to find an unauthorized shell, since its activity is inconsistent with legitimate use.

Solutions to Responder Attack

The mitigation described by 4armed.com is to disable LLMNR and NBT-NS. The WPAD attack is mitigated by adding an entry for "wpad" in the DNS zone: as long as the query is answered by DNS, the client never falls back to LLMNR or NBT-NS and the attack is prevented. To disable LLMNR, open the Local Group Policy Editor and navigate to Computer Configuration->Administrative Templates->Network->DNS Client, locate "Turn off multicast name resolution", open the policy setting, set it to Enabled, click Apply, then OK (the policy writes the DWORD EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, which can also be pushed by domain GPO or script).
To disable NBT-NS, browse to the DHCP scope options, right-click "Scope Options" and choose "Configure Options", click the Advanced tab, change the vendor class drop-down to "Microsoft Windows 2000 Options", select "001 Microsoft Disable NetBIOS Option", set its value to 0x2, then click Apply and OK. The DHCP option only reaches DHCP clients; statically addressed hosts need NetBIOS over TCP/IP disabled in the adapter's WINS settings. Since the captured response is cracked offline, password strength remains the last line of defense once a query has been poisoned.
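The forensic counterpart to the mitigation above, as an added example that is not part of the paper: a small Python detector that parses LLMNR messages (UDP 5355, DNS wire format) and flags any host that answers queries for several different names, which is the tell-tale behaviour of Responder, since a legitimate host only ever answers for its own name. The sample capture is constructed for the example; it places the poisoner at the Kali address 172.16.31.75 from Figure 1, and the victim and file-server addresses are assumptions.

```python
"""Spot LLMNR poisoning from captured UDP/5355 payloads (added example)."""
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def _encode_name(name: str) -> bytes:
    """DNS-style label encoding, which LLMNR reuses."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def _decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a label sequence at `off`; follows a compression pointer (0xC0xx) if present."""
    labels: List[str] = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            rest, _ = _decode_name(msg, ptr)
            labels.append(rest)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n


def llmnr_query(txid: int, name: str) -> bytes:
    """Header (id, flags, qdcount, ancount, nscount, arcount) plus one A/IN question."""
    return struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)


def llmnr_response(txid: int, name: str, ip: str) -> bytes:
    """QR=1 response echoing the question plus one A record (name compressed to offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def parse_llmnr(payload: bytes) -> dict:
    """Return transaction id, whether it is a response, the queried name and any A answers."""
    txid, flags, _qd, an = struct.unpack("!HHHH", payload[:8])
    name, off = _decode_name(payload, 12)
    off += 4                                   # skip qtype and qclass
    answers: List[str] = []
    for _ in range(an):
        _rname, off = _decode_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata, off = payload[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "response": bool(flags & 0x8000), "name": name, "answers": answers}


def find_poisoners(packets: Iterable[Tuple[str, bytes]], threshold: int = 2) -> Dict[str, Dict[str, List[str]]]:
    """Return {source_ip: {queried_name: answer_ips}} for every source that answered LLMNR
    queries for at least `threshold` distinct names; a real host only answers for its own."""
    answered: Dict[str, Dict[str, List[str]]] = defaultdict(dict)
    for src, payload in packets:
        msg = parse_llmnr(payload)
        if msg["response"]:
            answered[src][msg["name"].lower()] = msg["answers"]
    return {src: names for src, names in answered.items() if len(names) >= threshold}


# Constructed capture as (source IP, UDP payload): the client 172.16.31.20 asks for three
# names; the Kali host 172.16.31.75 (Responder) answers all of them with itself, while the
# real host WIN7-LAB at 172.16.31.30 answers only for its own name.
SAMPLE_CAPTURE = [
    ("172.16.31.20", llmnr_query(0x1A2B, "fielshare")),
    ("172.16.31.75", llmnr_response(0x1A2B, "fielshare", "172.16.31.75")),
    ("172.16.31.20", llmnr_query(0x1A2C, "wpad")),
    ("172.16.31.75", llmnr_response(0x1A2C, "wpad", "172.16.31.75")),
    ("172.16.31.20", llmnr_query(0x1A2D, "WIN7-LAB")),
    ("172.16.31.30", llmnr_response(0x1A2D, "WIN7-LAB", "172.16.31.30")),
    ("172.16.31.75", llmnr_response(0x1A2D, "WIN7-LAB", "172.16.31.75")),
]

if __name__ == "__main__":
    for src, names in find_poisoners(SAMPLE_CAPTURE).items():
        claimed = sorted({ip for ips in names.values() for ip in ips})
        print(f"possible LLMNR poisoner {src}: answered {sorted(names)} -> {claimed}")
```

A canary works well with this detector: a monitoring host that periodically queries a name that does not exist anywhere will only ever get an answer from a poisoner, which turns the threshold heuristic into a certain hit.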

Nmap

Nmap is an open source network security scanner that runs on most operating systems and ships with Kali Linux. It is used to determine which hosts are up on a network, which services they offer, whether a firewall is in the way, and which operating system they run. Nmap serves both attack and defense. As an attack tool its scripting engine can do anything from denial of service to exploitation; the scripts are grouped into categories: auth tests whether an authentication mechanism can be bypassed, brute performs password guessing, exploit exploits a known vulnerability, dos tests whether a target is vulnerable to denial of service, and so on. The simplest step toward exploiting a network is a port scan of the target to find open ports that may be attackable; every unnecessary open port enlarges a system's attack surface.

Figure 6: NMAP Scanning

Nikto

Nikto is an open source web server scanner that runs tests against a host. It looks for dangerous files, outdated server versions, and version-specific problems, and it examines the server's configuration based on the presence of certain index files and server options. It also reports what software is installed on the web server. When a scan finishes, Nikto can save the report in HTML or XML format. After interpreting the findings, preventive measures such as removing unneeded services or closing ports can be taken to protect the server. Nikto can thus expose potential vulnerabilities in a web server for the prospective administrator or for a malicious hacker. To scan a web server you need the parameters shown in the figure below: in the first command the main components are the target host, the output directory, and the report format. For this scan we targeted a Windows 10 web server running Internet Information Services (IIS). Once Nikto completes, it lists all the potential security holes it found, and with that list an administrator can research and implement fixes so the server is not exploited. Nikto's scan can be observed in action through a firewall or a network sniffer such as Wireshark.

Figure 7: Nikto Scanning for vulnerabilities

Kali Linux Defenses

Palo Alto Firewall Defense

Palo Alto Networks, a well-known cybersecurity vendor of enterprise firewalls and cloud-based solutions, pioneered the next-generation firewall, which identifies the application in a flow rather than relying on port numbers alone. For a controlled network environment we needed the most basic form of defense: segmenting the network into trusted and untrusted zones. Because we operate in a virtual network we achieved this with the Palo Alto virtual firewall. With it we define rules that shape and verify traffic to and from other machines on the network and that keep the other teams' potentially malicious machines out of our private network. We deployed two Palo Alto firewalls for flexibility in the network design.
Figure 8: Palo Alto Interfaces

Because we use the virtual Palo Alto firewall to build our private network, we reach its management GUI at the management IP address 192.168.74.114, where the configured interfaces are visible. Interface ethernet1/1 is assigned to the 192.168.72.0/24 subnet and tagged as an untrusted layer 3 zone; ethernet1/2 sits in the trusted 172.16.x.0/24 subnets of Figure 1 (172.16.31.0/24 on the first firewall) and is tagged as a trusted layer 3 zone. This puts all of our virtual machines behind the 172.16.x.x network, isolating them from the shared 192.168.72.0/24 network. The virtual router routes traffic between the interfaces, which ultimately gives the machines access to the internet and to other services.
Figure 9: Palo Alto Security Rules

With routing in place we created rules designating what traffic may enter and leave the firewall. Because we have no reason to restrict our own machines, we created a single rule allowing anything from the trusted zone (behind the firewall) to the untrusted zone (the outside network), giving our machines full internet access along with access to any services or websites. Since that is the only rule, traffic from machines outside the firewall toward the trusted zone falls through to the firewall's predefined interzone-default deny rule and is blocked, providing a layer of protection in case that traffic is malicious.

Palo Alto Forensics

With rules in place we can monitor traffic on both sides of the firewall and see how data flows between zones, which application or service it belongs to, and which rule allowed or denied it. This gives us a log of all traffic, so if an attack on our firewall takes place we can have the firewall not only alert us but also classify the attempt as a threat automatically. We can then investigate the event, fix the hole in our firewall that is being attacked, and prevent further issues. In a production environment such as an organization, major attacks on these systems would be flagged, and the origin of the attacks could be investigated as a crime and reported to the authorities, especially if access was eventually gained.
Figure 10: Palo Alto Monitoring Data and Traffic

Security Onion

Security Onion is a Linux distribution loaded with forensic tools for identifying attackers attempting to gain access to system resources. It bundles network intrusion detection (Snort or Suricata), the Bro (now Zeek) protocol analyzer, the OSSEC host IDS, and full packet capture, with analyst consoles such as Sguil and Kibana on top. Beyond logging attempts to log in to a protected service, it records the surrounding activity and alerts on possibly illegitimate entry attempts, so the suite covers both IDS and network security monitoring (NSM).

Honeypots

Honeypots are another defense a user can deploy on a network. Most defenses are built to keep attackers out; a honeypot is built to attract them. It is a decoy system that mimics a real computer system, so that attackers interact with it believing they are attacking the real target; in other words, a security mechanism that deflects or counteracts attempts at unauthorized use of computer systems. Honeypots gather information about an attacker and their behavior while keeping them away from the real network, so the attacker can be studied in detail without disrupting production. Honeypots come in high-, medium-, and low-interaction levels. A low-interaction honeypot gives the attacker very limited access: only a handful of emulated protocols and network services, just enough to deceive. A high-interaction honeypot gives the attacker a real system to attack rather than mere protocol emulation, making it less likely that the decoy is recognized; the information gathered is far richer and makes threats easier to spot, but it takes much more time and resources to deploy and contain.

Pentbox, a security suite available on Kali Linux, can deploy a simple honeypot. It must be run as root, since binding a privileged port such as 80 requires it; the honeypot can then be started on a port of choice, here port 80 to imitate a web server.

Figure 11: Setting up the web server honeypot

When an attacker browses to the honeypot's IP address, they receive an "Access Denied" message, suggesting that something important is hidden there and inviting further probing.

Figure 12: Attacker accessing the honeypot webpage on port 80


On the other end, the authorized user receives an intrusion-attempt message with details of the connection. If the attacker keeps probing the honeypot, the user receives further alerts and more detail on the attacker's behavior.

Figure 13: Intrusion detection message
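A minimal web honeypot in the spirit of the Pentbox one above, as an added Python example that is not Pentbox's code: it answers every request with "Access Denied" and turns the connection into an intrusion-attempt record (time, source, method, path, Host and User-Agent), which is what Figure 13 shows. Request handling is separated from the socket loop so it can be exercised on captured bytes; the sample request is constructed, and the port defaults to 8080 so the script runs without root (use 80 to mimic the paper's setup).

```python
"""Minimal logging HTTP honeypot (added example, modelled on Pentbox's web honeypot)."""
import socket
from datetime import datetime, timezone
from typing import Callable, Optional, Tuple

DENIED_BODY = b"Access Denied"
DENIED_RESPONSE = ("HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
                   "Connection: close\r\nContent-Length: %d\r\n\r\n" % len(DENIED_BODY)).encode() + DENIED_BODY


def parse_request(raw: bytes) -> dict:
    """Pull method, target and a few headers out of a request; tolerate non-HTTP garbage."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, target = (parts + ["", ""])[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": method or "-", "target": target or "-",
            "host": headers.get("host", "-"), "user_agent": headers.get("user-agent", "-")}


def handle_request(raw: bytes, peer: Tuple[str, int], when: Optional[datetime] = None) -> Tuple[bytes, str]:
    """Return (bytes to send back, one-line intrusion record) for one connection."""
    when = when or datetime.now(timezone.utc)
    r = parse_request(raw)
    record = (f"{when.strftime('%Y-%m-%d %H:%M:%S')} INTRUSION ATTEMPT from {peer[0]}:{peer[1]} "
              f"{r['method']} {r['target']} host={r['host']} ua=\"{r['user_agent']}\"")
    return DENIED_RESPONSE, record


def serve(bind: Tuple[str, int] = ("0.0.0.0", 8080), log: Callable[[str], None] = print,
          max_connections: Optional[int] = None) -> None:
    """Accept connections one at a time until max_connections is reached (None = forever)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(5)
        served = 0
        while max_connections is None or served < max_connections:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(3)                     # slow or silent probes still get logged
                try:
                    raw = conn.recv(4096)
                except socket.timeout:
                    raw = b""
                reply, record = handle_request(raw, peer)
                log(record)
                conn.sendall(reply)
            served += 1


# Constructed probe, as an attacker's browser would send it when trying the honeypot's address.
SAMPLE_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: 172.16.32.10\r\n"
                  b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")

if __name__ == "__main__":
    serve()
```

Nothing the attacker sends is interpreted, so the honeypot has no attack surface of its own beyond the socket; the records it writes are the evidence, so ship them off-host as they are produced rather than leaving them where an attacker who does get in could edit them.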
Works Cited

Corey, V., Peterman, C., Shearman, S., Greenberg, M. S., & Van Bokkelen, J. (2002). Network Forensic Analysis. On the Wire.

Cárdenas, A. A., Manadhata, P. K., & Rajan, S. P. (2013). Big Data Analytics for Security. IEEE Security & Privacy, 11, 74-76.

Hess, B. (2018, July 05). Predicting Future Online Threats with Big Data. Retrieved from https://insidebigdata.com/2018/07/04/predicting-future-online-threats-big-data/

Hurer-Mackay, W. (2016, June 6). LLMNR and NBT-NS Poisoning Using Responder. 4ARMED Cloud Security Professional Services. www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/

Ullah, F., & Babar, M. A. (2018). Architectural Tactics for Big Data Cybersecurity Analytic Systems: A Review. CoRR, abs/1802.03178.

Setup honeypot in Kali Linux. (2016, June 16). Retrieved from https://www.blackmoreops.com/2016/05/06/setup-honeypot-in-kali-linux/

Yeahhub. (2017, July 22). Setup Honeypot in Kali Linux with Pentbox. Yeah Hub. www.yeahhub.com/setup-honeypot-kali-linux-pentbox/

Pwning with Responder - A Pentester's Guide. (2017, May 13). NotSoSecure. www.notsosecure.com/pwning-with-responder-a-pentesters-guide/
