Hey hackers!
As a pentester, I want to know how an attacker is able to understand if there is a honypot listening on a specific port .
If he can understand ,how to prevent him from doing so?

what do you think how they do it?

Honeypots may not be 100% equal to a real system - VMs behave different than physical machines.
The mirai botnet tested if a real bash or a fake shell was used.
And: Many attackers don't care - sooner or later the "hack" is discovered but can not be stopped, today we still have devices vulnerable to attacks by mirai.

@sbiewald what do you mean by a real bash or fake? Aren't honeypots complete but isolated systems that mostly serve as a diversion or info gathering systems?

A honeypot will always have limitations (otherwise, you would just have a simple vulnerable system that you lose control over).

Most projects I know would, after compromise, not allow the attacker to upload and/or execute binaries (Or: anything the attacker downloads is saved and uploaded to Virustotal), so that is a clear giveaway - but on the other hand, once you allow that, the attacker could do anything with your system.

That's why the first thing I'd try uploading is a simple Hello World, not my prized, self-written, yet-unknown-to-the-world remote access toolkit. If I can execute that, I'm either in a real system or in a very credible honeypot.

DNS resolution and Pinging/Tracert-ing another IP and checking the results can help.

Another thing to check is the /proc directory: What can I find out about the system? Am I in a VM? Which one? If so, this may be an indicator (but lots of webhosters offer VM's, AS and whois data could help deciding what to make of that).

@ilPinguino these checks seem very weak. All environments I've seen have ICMP disabled by default except whitelisted addresses (yes, I did it, I used the "W" word! bite me if you care). So neither ping nor tracert will give you anything good. Even if ICMP is enabled hops can be 'hidden'. Anything ICMP-based is unreliable and hardly worth wasting your time.

ALSO it's quite easy to mock a prod-like environment: NW topology, DNS records, even databases, applications, etc. If one REALLY cares about ITSec he/she can build an entire PROD-like infra mock.

I can only figure out a relatively reliable way to detect honeypot in a small-medium sized infra: 1. login to the server; 2. use the publicly available application's interface to put as much load on it as you can; 3. if server's CPU metrics haven't changed during that time window you're either in a honeypot or dealing with too large application.

Although I can also think of ways to mitigate that vector...

@nnee Sure, isolated, but sometimes they onky simulate the behaviour and only accept a limited set of commands (e.g. https://github.com/Phype/... ).
I've written an FTP honeypot which accepted uploads but downloads would just contain null-bytes.

@netikras can server send fake data about cpu just to bypass this?

@R1100 you'd need a custom OS for this. Not worth it.

You can mock loads by monitoring amounts of requests on either of your PROD server (or AVG or you servers pool) and mimicking them on your honeypot. If you're monitoring a pool, apply a ratio multiplier to that number to be more realistic, i.e. if you have 100 servers in your pool do count(requests)/100.

Requests would originate from within LAN but possibly a different subnet. Such requests passing through prod-like NW topology would be logged just like in any other PROD server.

Quite easy to implement using MQ Topics in the ecosystem. Such mock requests would alter CPU, memory usage, sockets and other metrics as if the h-pot were a real prod machine.

As for gathering environment info... well that might be useful, might be not. If you know absolutely nothing about the environment then it's as good as nothing. You do NOT know what *real* environment should look like. It could just as likely be a VM or a container or a physical device. Just like a h-pot -- it can be either of those. Unless someone is stupid enough to call the host "app-api_honeypot"....

@netikras can i place fake data inside honeypot to fool the attacker? 😂

In my strong belief you *should*.