NEED: Source for honeypot IPs etc
NEED: Source for honeypot IPs etc #1
Hi!

Not sure if this is the right place to ask but I need a list of known honeypots etc.

I'm building a little scanner and I want a comprehensive-as-possible do-not-scan list to avoid various types of IPs - gov, edu etc.

Failing that, how about honeypot detection? If I can develop some methods for detecting honeypots etc, could set it up as a service or at least a maintained github or something.

Tia.


RE: NEED: Source for honeypot IPs etc #2
I had a list with a few thousand honeypots somewhere, I'll send it to you if I can still find it. It's in my directory "All other stuff" so it will take some time to search that directory. Especially since my naming sucks.
~~ Might be back? ~~


RE: NEED: Source for honeypot IPs etc #3
Thanks, that's brilliant.

Do you remember where you got it? Or have a suggestion for a collection system?


RE: NEED: Source for honeypot IPs etc #4
(02-21-2017, 04:45 PM)lsp Wrote: Thanks, that's brilliant.

Do you remember where you got it? Or have a suggestion for a collection system?

I got it from a private tool of mine which collects pastebin data. Anyway, I mean you could make a simple SSH checker, something that would try various combinations of logins and then try to execute some commands that are deleted by default on honeypots.

Also, please notice that people who set up honeypots usually have logins like root:toor, admin:password, because they want people to break in. That's why you could easily set up something like a checker which after login would try to execute some commands.

Hit me up if you're interested in my help, I'll see what I can do but I can't promise anything.
~~ Might be back? ~~

[+] 1 user Likes Bish0pQ's post
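
Seen from the honeypot operator's side, the checker described in the post above leaves a recognisable session shape: a successful login with one of the bait pairs, then a short run of commands the emulated shell cannot execute. The sketch below is an added example, not code from this thread or from any honeypot project; the JSON field names, the thresholds and the sample log are constructed assumptions.

```python
import json
from collections import defaultdict

# Login pairs the post names as typical honeypot bait.
BAIT_LOGINS = {("root", "toor"), ("admin", "password")}

# Constructed sample log, one JSON event per line. The field names are
# hypothetical; map them to whatever your honeypot actually emits.
SAMPLE_LOG = """
{"sid": "a1", "src": "198.51.100.7", "event": "login", "user": "root", "password": "toor", "ok": true}
{"sid": "a1", "src": "198.51.100.7", "event": "command", "input": "tool-a", "found": false}
{"sid": "a1", "src": "198.51.100.7", "event": "command", "input": "tool-b", "found": false}
{"sid": "a1", "src": "198.51.100.7", "event": "command", "input": "tool-c", "found": false}
{"sid": "b2", "src": "203.0.113.20", "event": "login", "user": "admin", "password": "password", "ok": true}
{"sid": "b2", "src": "203.0.113.20", "event": "command", "input": "uname -a", "found": true}
{"sid": "b2", "src": "203.0.113.20", "event": "command", "input": "ls", "found": true}
{"sid": "b2", "src": "203.0.113.20", "event": "command", "input": "tool-a", "found": false}
{"sid": "c3", "src": "192.0.2.44", "event": "login", "user": "root", "password": "123456", "ok": false}
"""


def summarize_sessions(log_text):
    """Collapse events into per-session counters."""
    sessions = defaultdict(
        lambda: {"src": None, "bait_login": False, "commands": 0, "missing": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions[ev["sid"]]
        s["src"] = ev["src"]
        if ev["event"] == "login" and ev["ok"]:
            s["bait_login"] |= (ev["user"], ev["password"]) in BAIT_LOGINS
        elif ev["event"] == "command":
            s["commands"] += 1
            s["missing"] += not ev["found"]  # bool counts as 0 or 1
    return dict(sessions)


def flag_checker_sessions(log_text, min_commands=2, min_missing_ratio=0.5):
    """Return (sid, src, missing_ratio) for sessions shaped like a probe."""
    flagged = []
    for sid, s in summarize_sessions(log_text).items():
        if not s["bait_login"] or s["commands"] < min_commands:
            continue  # no bait login, or too few commands to judge
        ratio = s["missing"] / s["commands"]
        if ratio >= min_missing_ratio:
            flagged.append((sid, s["src"], round(ratio, 2)))
    return sorted(flagged)
```

On the sample log only session a1 is flagged; b2 logs in with a bait pair but mostly runs commands that exist, so it stays below the default threshold.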

RE: NEED: Source for honeypot IPs etc #5
Cool, I'll look into it and throw together some prototype code and run it by you. I'll be spending a few hours on this and probably will have some anti-honeypot PoC tomorrow :)


RE: NEED: Source for honeypot IPs etc #6
Hmm... Lemme know what you find, I believe zmap and masscan have some default IPs to avoid.

Mirai avoids a few ranges too.


(11-02-2018, 02:51 AM)Skullmeat Wrote: Ok, there's no real practical reason for doing this, but that's never stopped me.


RE: NEED: Source for honeypot IPs etc #7
(02-21-2017, 06:04 PM)Bish0pQ Wrote:
(02-21-2017, 04:45 PM)lsp Wrote: Thanks, that's brilliant.

Do you remember where you got it? Or have a suggestion for a collection system?

I got it from a private tool of mine which collects pastebin data. Anyway, I mean you could make a simple SSH checker, something that would try various combinations of logins and then try to execute some commands that are deleted by default on honeypots.

Also, please notice that people who set up honeypots usually have logins like root:toor, admin:password, because they want people to break in. That's why you could easily set up something like a checker which after login would try to execute some commands.

Hit me up if you're interested in my help, I'll see what I can do but I can't promise anything.

This is interesting. How would you find the SSH servers to probe? Just go through the millions of IPs and check for SSH? (not to mention all the different ports SSH can be on)


RE: NEED: Source for honeypot IPs etc #8
(02-21-2017, 11:53 PM)m0dem Wrote:
(02-21-2017, 06:04 PM)Bish0pQ Wrote:
(02-21-2017, 04:45 PM)lsp Wrote: Thanks, that's brilliant.

Do you remember where you got it? Or have a suggestion for a collection system?

I got it from a private tool of mine which collects pastebin data. Anyway, I mean you could make a simple SSH checker, something that would try various combinations of logins and then try to execute some commands that are deleted by default on honeypots.

Also, please notice that people who set up honeypots usually have logins like root:toor, admin:password, because they want people to break in. That's why you could easily set up something like a checker which after login would try to execute some commands.

Hit me up if you're interested in my help, I'll see what I can do but I can't promise anything.

This is interesting. How would you find the SSH servers to probe? Just go through the millions of IPs and check for SSH? (not to mention all the different ports SSH can be on)

That would be highly inefficient. You can exclude quite a few ranges (based on country, military IPs, government IPs...)

Most efficient would be getting them from various sources. Also, often honeypots are used on a VPS server, which will give you possibly more IPs to honeypots.
~~ Might be back? ~~

[+] 2 users Like Bish0pQ's post

RE: NEED: Source for honeypot IPs etc #9
I have found the list.

https://ghostbin.com/paste/cgdv8

The list is already a few months old though, but I never fully checked it.
They're all telnet logins though, not SSH.

Enjoy
~~ Might be back? ~~

[+] 1 user Likes Bish0pQ's post

RE: NEED: Source for honeypot IPs etc #10
My tip for getting honeypots is using virus checkers like VirusTotal and quickly capturing their IP before they're removed from your list.
