chevron_left chevron_right
Login Register invert_colors photo_library


Stay updated and chat with others! - Join the Discord!
Thread Rating:
  • 0 Vote(s) - 0 Average


NEED: Source for honeypot IPs etc filter_list
Author
Message
NEED: Source for honeypot IPs etc #1
Hi!

Not sure if this is the right place to ask but I need a list of known honeypots etc.

I'm building a little scanner and I want a comprehensive-as-possible do-not-scan list to avoid various types of IPs - gov, edu etc.

Failing that, how about honeypot detection? If I can develop some methods for detecting honeypots etc, could set it up as a service or at least a maintained github or something.

Tia.

Reply

RE: NEED: Source for honeypot IPs etc #2
I had a list with a few thousand honeypots somewhere, I'll send it to you if I can still find it. It's in my directory "All other stuff" so it will take some time to search that directory. Especially since my naming sucks.
[Image: 5u8rTPk.jpg]
Click image to go to my website, it has been updated!

Reply

RE: NEED: Source for honeypot IPs etc #3
Thanks thats brilliant.

Do you remember where you got it? Or have a suggestion for a collection system?

Reply

RE: NEED: Source for honeypot IPs etc #4
(02-21-2017, 04:45 PM)lsp Wrote: Thanks thats brilliant.

Do you remember where you got it? Or have a suggestion for a collection system?

I got it from a private tool of mine which collects pastebin data. Anyway, I mean you could make a simple SSH checker, something that would try a various combinations of logins and than try execute some commands that are deleted by default on honeypots.

Also, please notice that people who setup honeypots usually have logins like root:toor, admin:password, because they want people to break in. That's why you could easily set up something like a checker which after login would try execute some commands.

Hit me up if you're interested in my help, I'll see what I can do but I can't promise anything.
[Image: 5u8rTPk.jpg]
Click image to go to my website, it has been updated!

[+] 1 user Likes Bish0pQ's post
Reply

RE: NEED: Source for honeypot IPs etc #5
Cool, I'll look into it and throw together some prototype code and run it by you. I'll be spending a few hours on this and probably will have some anti-honeypot PoC tomorrow Smile

Reply

RE: NEED: Source for honeypot IPs etc #6
Hmm... Lemme know what you find, I belive zmap and masscan have some default IPs to avoid.

Mirai avoids a few ranges too.


(11-02-2018, 02:51 AM)Skullmeat Wrote: Ok, there no real practical reason for doing this, but that's never stopped me.

Reply

RE: NEED: Source for honeypot IPs etc #7
(02-21-2017, 06:04 PM)Bish0pQ Wrote:
(02-21-2017, 04:45 PM)lsp Wrote: Thanks thats brilliant.

Do you remember where you got it? Or have a suggestion for a collection system?

I got it from a private tool of mine which collects pastebin data. Anyway, I mean you could make a simple SSH checker, something that would try a various combinations of logins and than try execute some commands that are deleted by default on honeypots.

Also, please notice that people who setup honeypots usually have logins like root:toor, admin:password, because they want people to break in. That's why you could easily set up something like a checker which after login would try execute some commands.

Hit me up if you're interested in my help, I'll see what I can do but I can't promise anything.

This is interesting. How would you find the SSH servers to probe? Just go through the millions of IP's and check for SSH? (not to mention all the different ports SSH can be on)

Reply

RE: NEED: Source for honeypot IPs etc #8
(02-21-2017, 11:53 PM)m0dem Wrote:
(02-21-2017, 06:04 PM)Bish0pQ Wrote:
(02-21-2017, 04:45 PM)lsp Wrote: Thanks thats brilliant.

Do you remember where you got it? Or have a suggestion for a collection system?

I got it from a private tool of mine which collects pastebin data. Anyway, I mean you could make a simple SSH checker, something that would try a various combinations of logins and than try execute some commands that are deleted by default on honeypots.

Also, please notice that people who setup honeypots usually have logins like root:toor, admin:password, because they want people to break in. That's why you could easily set up something like a checker which after login would try execute some commands.

Hit me up if you're interested in my help, I'll see what I can do but I can't promise anything.

This is interesting. How would you find the SSH servers to probe? Just go through the millions of IP's and check for SSH? (not to mention all the different ports SSH can be on)

That would be highly inefficient. You can exclude quite a few ranges (based on country, military IP's, government IP's...)

Most efficient would be getting them from various sources. Also, often honeypots are used on a VPS server, which will give you possibly more IP's to honeypots.
[Image: 5u8rTPk.jpg]
Click image to go to my website, it has been updated!

[+] 2 users Like Bish0pQ's post
Reply

RE: NEED: Source for honeypot IPs etc #9
I have found the list.

https://ghostbin.com/paste/cgdv8

The list is already a few months old though, but I never full checked it.
They're all telnet logins though, not SSH.

Enjoy
[Image: 5u8rTPk.jpg]
Click image to go to my website, it has been updated!

[+] 1 user Likes Bish0pQ's post
Reply

RE: NEED: Source for honeypot IPs etc #10
My tip for getting honeypots is using virus checkers like virustotal and quickly capture their IP before they're removed from your list.

Reply






Users browsing this thread: 1 Guest(s)