I Put A Fake Email Server On The Internet
- Published 8 Jan 2024
- jh.live/pwyc || Jump into Pay What You Can training at whatever cost makes sense for you! jh.live/pwyc
We tried a different style with this video. Please let me know what you think!
Free Cybersecurity Education and Ethical Hacking
🔥UA-cam ALGORITHM ➡ Like, Comment, & Subscribe!
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
What do you think of this style and format? The first half of the video is a bit more scripted, with some more explanation and storytelling. Good, bad, ugly?
I like it, easy to follow.
Second. :3 Early crew. Shalom. :3
It's good. Thanks. 🤝😅🤓😎
Oh yes! It is very easy to follow with the video itself. I like this methodology.
Good, keep experimenting with this format, and I like where this is going.
Joda32 here :) I'm glad you enjoyed that and thanks for the shout out
Look out for the big guy!
Also, big guy, wouldn't you say it's a little presumptuous on John's part to say "try it out yourself"? As if there IS any vulnerability or way of id'ing your hp there might be a breach and bleed? Bad actors would still like a random access to use for their own purposes.
Huge thanks joda32!!! :D
@@somexne John set up a cloud computer... Even if it was compromised, who cares? That's like worrying about running a virus on a virtual machine...
@@fightme5543 Wrong. This machine could be involved in criminal activities under John's name. Also used as a C&C. Depending on the workings of the machine, he could even get charged more for the usage of the computer.
@@fightme5543 More than that, this is John's case. Other people could use it and not sanitize or stop the machine after use, or worse.
> Tries to setup a honeypot
> Gets memed by viewers to get a cool shout out in the next vid
:3 Early crew. Shalom. :3
Matt here, thanks for showing the resources in all of your videos, and for being entertaining. And a free shout-out, why not 😉
When I started practising ethical hacking it immediately opened my eyes to what I already knew from "blue" side knowledge. Knowing how reds work complemented that and I started connecting the dots. I learned first hand how the things I see in logs when analyzing breaches work. Knowing how to perform an attack is ultra useful when posing as blue.
What the fuck are you saying?
Bro! Your production is looking sweet!!! Great video too. Gotta love a good honeypot 😎👍
Thanks so much Daniel!!!
This is so cool. I really want to try this sometime. I used to run a Kippo SSH honeypot years ago. Had a lot of fun with it and learned a lot too. Also, just signed up for some training with your sponsor. Will be taking their PWYC SOC Core Skills class.
John, love the video and new format. You are killing it, dude.
Great video, keep up the good work Mr. John :)
While the concept is great, hosting the service in the cloud is going to cost a small fortune if the threat actor starts performing DDoS attacks, as your traffic will significantly ramp up, inflating your costs. You could build a local VM inside a local DMZ with port forwarding out.
I don't think GCP or AWS charge for online traffic until you set up specific services; for a simple VM in the cloud, any provider worth 2 cents won't charge for traffic.
@@oksowhat I've only ever built a honeypot in Azure as a side project and off the bat it started charging for the hosting portion as well as the bandwidth. I was fortunate enough to be working for an MS partner, meaning that I got the $200 per month to run Azure services. Do GCP and AWS run with the same billing structures?
@@michaelk6702 I have only used Azure to host a VM as a VS Code server for a team project since I had student credit, so I don't know where I was charged, but in GCP and AWS there are no charges for bandwidth until you use some services to manage it, like a load balancer. As far as I know; I have only built small projects on both.
Thanks so much JohnHammond, your UA-cam channel is a very important channel.
So maybe this is a stupid question, but without asking no knowledge is gained:
I assume one could set blocking rules based on the host header, and I am pretty sure that the host header you send can be spoofed, so would a defender want to set blocking rules for non-browser host headers/pentesting utility host headers, or is it better to not block them?
From my perspective it may be better to allow these host headers so attacks are easier to identify, as blocking them would "prompt" the attacker to spoof it, but I'm happy to hear other opinions and expand my horizon.
6:57 John "pork" Hammond, my beloved
I set up an SSH honeypot years ago and holy cow, the bots. It was interesting parsing the data.
Thanks for the video and keep it up!! Can you do basic tutorials of IT cybersecurity along with website free to learn in 2024? I am very hungry for knowledge!!
Breaking things down in a pie chart by Source-Country would have been cool to see.
Getting PTSD flashbacks to OWA incidents...
I set up honeypots on the default port of an application and then run the legit application on another port, then fail2ban anyone trying too hard on the honeypot.
That works until you accidentally forget to set the custom port option on your SSH session.
I set up a fake SSH server the last time an SSH vulnerability was announced and the results I got were fun, to say the least. I am thinking about doing something similar next time an Apache or Nginx vuln is released (it's easy enough to fake the server's headers), just to see.
Did you use Cowrie? That is my favorite
@@CybersecPat Actually, Dockpot.
Nice video keep up the good work
The scary part would be capturing this info, then transferring it to the legit site, logged in.
I usually put honeypot on common SSH ports and real (well protected) SSH on some obscure port.
Would a WordPress login page get attacked more often? 🤔
I should probably set up a honeypot on my VPS too.
Also, consider putting honeypots inside corporate systems so you can track hackers that move laterally. 🙃
grep your logs for xmlrpc.php, then block all those trying to access it. Typically, the same bots/people are trying to access that and wp-login.
I looked through my web server logs and some of the most common interesting paths have been WordPress related. Some look for backup directories, files related to vulnerable plugins and themes, xml-rpc or login page.
I have a WordPress installation that isn't even accessible through google or any other search engine, they found it purely by scanning hosts of my hosting provider.
It's now 2pm on Jan 14 2024 and I already have 34 failed login attempts on my wp-login.php just today (attempts that come up as 403 in my server log)
It will be targeted basically the second you generate a certificate for the domain. They will try to scan the site to gather data about vulnerable plugins and themes and ofc try to bruteforce the admin account, since a WP instance is much more interesting than some Outlook form, because with a simple vulnerability or just bruteforcing the admin account, you can run your own code on the server.
I actively run a python based ssh honeypot for the past few years on a VM on a jailed VLAN that allows "logins" with everything logged that is run on the command line. "Root" gets used at least 10K times a day. Fun times.
Well, who the heck would actually keep the default User-Agent string?
I'd either use a random one, or constantly rotate to a different one.
when is the automation video coming!?
I would have thought to use a random user agent for every request, but with the 10k from the same Mac... seems they really don't care.
Wait, Squarespace lets you set up a honeypot domain name?
I don't think any of us are really using Hydra. Personally, I play around with some Python and customize my brute force for OWA or 1&1 or OVH or whatever, so I really suggest always learning a bit of programming, maybe the basics, before trying to pentest anything.
9:31 line 93 🤣
You should do it without the domain, with just the IP, and there would be a higher chance that someone would find that the server IP has some app on it.
The User-Agent is trivial to edit. The option is -A or --user-agent. This is built in to curl. It can be clearly seen with the actual "hack". Those 10 004 are clearly using a fake user-agent. The fact that you did not say that makes it feel that you either did not know (which is doubtful) or just ignored it, leaving people with the wrong information, which can be dangerous. Not having information is better than having the wrong information in many cases when it concerns security. And security is not so much IT stuff, it is an attitude. ;-)
Still interesting, but the --user-agent information is almost totally meaningless.
he did mention it... lol
What link has the tutorial for this honeypot?
Sounds like another name for value for value.
Honeypot is great software for most of the cyber security people in the modern era.
Yeah, just expose SSH to the net and wait. I did it and had MBs of logs within a few years. Got sick of it and changed the default port.
I don't have time to set up a HoneyPot but I would like to learn how to protect my server for those attacks!
iptables/nftables and UFW
or a Cloudflare Zero Trust tunnel
We send these out all the time using cracked SMTP servers
I notice A LOT of the password fields have letter-only combinations. Is this even possible anymore?
Most systems/sysadmins get password requirements all wrong, though it has improved. Ideally they would set a very high minimum length (say, 20 characters), a reasonable minimum entropy (say, at least 7 unique characters) and _allow whitespace_. Then users can choose a phrase: "why should we care about security?" This is easy to remember and type, which means less likely to end up on a sticky note, but infeasible to brute-force.
What's more typical? 10 characters, at least one number, one capital letter, one special character, no whitespace... great. Now you have a password that's difficult to remember and type, but _trivial_ to brute-force. I've even encountered one system that specified a _maximum_ length of 12 characters! I can't even...
@@hibob841 10 characters with special symbols? Should take 5 years, it's not trivial. Totally randomized 10+ passwords are fine; the problems start when you use normal words with some numbers.
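As an added illustration of the two policies contrasted in the exchange above (this is not code from the video or from any commenter): `passphrase_policy` enforces the rules the first comment proposes (minimum length 20, at least 7 unique characters, whitespace allowed), `complexity_policy` enforces the "typical" rules it criticises (10 to 12 characters, one digit, one capital, one special character, no whitespace), and `charset_bits` estimates the search space a per-character brute-force attacker faces. The sample passphrase is the one quoted in the comment; the short random password is a constructed sample. The estimate assumes the attacker tries every position over the character classes present; it does not model word-list guessing, so a phrase of common words is weaker than the number alone suggests.

```python
import math
import string

# Character classes used both for policy checks and for the search-space estimate.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
    "space": {" "},
}

PHRASE = "why should we care about security?"  # the passphrase quoted in the comment
SHORT = "Xk7$pq2Lm9"  # constructed sample of a 10-character "complex" password


def classes_used(pw):
    """Names of the character classes that appear at least once in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def charset_bits(pw):
    """Bits of search space for an attacker who brute-forces every position over
    the alphabet formed by the classes present: len(pw) * log2(alphabet size).
    This is a per-character model and ignores dictionary/word-list attacks."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def passphrase_policy(pw, min_len=20, min_unique=7):
    """Rules proposed in the comment: long, enough distinct characters, whitespace OK.
    Returns a list of violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(set(pw)) < min_unique:
        problems.append(f"fewer than {min_unique} unique characters")
    return problems


def complexity_policy(pw, min_len=10, max_len=12):
    """The 'typical' rules the comment criticises, including the 12-character cap."""
    problems = []
    used = classes_used(pw)
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    for required in ("upper", "digit", "special"):
        if required not in used:
            problems.append(f"missing a {required} character")
    if "space" in used:
        problems.append("whitespace not allowed")
    return problems


if __name__ == "__main__":
    for label, pw in (("passphrase", PHRASE), ("short complex", SHORT)):
        print(f"{label}: {charset_bits(pw):.1f} bits per-character search space")
        print("  passphrase policy:", passphrase_policy(pw) or "ok")
        print("  complexity policy:", complexity_policy(pw) or "ok")
```

The passphrase fails the complexity policy on three counts (too long, no digit or capital, contains whitespace) while passing the passphrase policy, and the short random string does the reverse; the bit estimates show which rule set actually buys search space.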
Why do hackers choose their target? Can anyone explain?
did you outsource your video editing?
I have been editing his videos for over a year, now. :)
@@nordgaren2358 Props, man! Great quality work & super efficient!
Thanks @fightme5543 ! UA-cam won't let me see your comment, but I see it on the channel. Appreciate the blessing! 🙏
Pay what you can, yes, but there is a minimum cost of 300 bucks. So not really pay what you can.
Or I can't look and I'm just missing stuff.
At the top of the registration page, there is text that says "For tuition assistance, please click here", and then the minimum is $0 🙂
@@_JohnHammond Thanks, I'm just blind 😅
You can make a sweet password list by doing this.
Why would you bother? Hackers will just be using already known tables of passwords; you're only going to be reassembling that data again.
@@rob-890 what?
They're mostly just using well known passwords anyway. Though you could find some rather rare default credentials for cheap IoT manufacturers over something like Telnet.
Can this pot be run in a container?
Yes it can easily be done, I've just not had the motivation to do that :) log a ticket on the project and I'll dockerize it :)
😂wow I was very curious here 🔞📵🌐🤣
I think this honeypot is useless.
blocking IP addresses is not the way to go.
nothing will be achieved from the logs you obtained.
This video is so slow, the first 4 minutes is filled with stuff everyone already knows hello...
This video feels like you're trying to pad out an essay, anything to get to that 10 minute mark.
👍
So happy to appear in the video 8:25 - 8:32 (I really mean it the last one xD)
incredible
It is good!
nice
Early crew. Shalom. :3
Need to figure out how to extract malicious IPs from logs and send them to a firewall dynamic block list. Must learn scripting first... :)
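The WordPress thread above (grep the logs for xmlrpc.php and wp-login.php, block the sources) and the comment just above about extracting malicious IPs from logs into a firewall block list describe the same small pipeline. The script below is an added example, not code from the video or from any commenter. It parses constructed log lines in the nginx/Apache "combined" format, counts per source IP the probes of paths the commenters mention, skips an allowlist of your own addresses (so you do not lock yourself out, the failure mode one commenter describes for SSH), and renders nftables commands for a set. The table name `inet filter` and set name `blocklist` are assumptions, and the script prints the commands rather than running them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2024:13:58:01 +0000] "POST /wp-login.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2024:13:58:02 +0000] "POST /wp-login.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2024:13:58:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Jan/2024:13:59:10 +0000] "GET /wp-content/plugins/some-plugin/readme.txt HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.22 - - [14/Jan/2024:13:59:11 +0000] "GET /backup/ HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.5 - - [14/Jan/2024:14:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Jan/2024:14:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# One "combined" log line: client, identity, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths the commenters report bots probing on WordPress hosts. Query strings are
# part of <path>, so anchoring at the start still matches /wp-login.php?action=...
SUSPICIOUS_PATHS = (
    re.compile(r"^/xmlrpc\.php"),
    re.compile(r"^/wp-login\.php"),
    re.compile(r"^/wp-content/(plugins|themes)/"),
    re.compile(r"^/backup"),
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_hits(log_text):
    """Count, per source IP, requests whose path matches a suspicious pattern."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and any(p.match(rec["path"]) for p in SUSPICIOUS_PATHS):
            hits[rec["ip"]] += 1
    return hits


def blocklist(log_text, threshold=2, allow=()):
    """IPs with at least `threshold` suspicious requests, minus any inside the
    allowlisted networks (your own addresses). Sorted numerically."""
    allowed = [ipaddress.ip_network(net) for net in allow]
    chosen = []
    for ip, count in suspicious_hits(log_text).items():
        addr = ipaddress.ip_address(ip)
        if count >= threshold and not any(addr in net for net in allowed):
            chosen.append(ip)
    return sorted(chosen, key=ipaddress.ip_address)


def nft_commands(ips, table="inet filter", set_name="blocklist"):
    """Render nft commands that create the set once and add each IP to it.
    Table and set names are assumptions; a drop rule such as
    'nft add rule inet filter input ip saddr @blocklist drop' must exist separately."""
    cmds = [
        f"nft add table {table}",
        f"nft add set {table} {set_name} '{{ type ipv4_addr; }}'",
    ]
    cmds.extend(f"nft add element {table} {set_name} {{ {ip} }}" for ip in ips)
    return cmds


if __name__ == "__main__":
    for ip, count in suspicious_hits(SAMPLE_LOG).most_common():
        print(f"{ip:16} {count} suspicious requests")
    # 192.0.2.0/24 stands in for the operator's own range, so it is never blocked.
    for cmd in nft_commands(blocklist(SAMPLE_LOG, allow=("192.0.2.0/24",))):
        print(cmd)
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the single legitimate wp-login.php visit from 192.0.2.5 stays below the threshold, while the two scanners are listed. Pipe the printed commands through a review step before executing them, since a mis-set threshold is exactly how you block yourself.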
1st ^^
Giant waste of time video...
Oh c'mon , just another script-kiddo who gets his views based on his good looks 🙄
Just joking John - Happy New Year 🤣
If you spoke normal I'd be interested in what you have to say.
It is illegal to spoof a commercial website. In the United States, website spoofing is considered a federal crime and can result in fines and imprisonment. In Australia, website spoofing is a criminal offense under the Cybercrime Act 2001 and can result in imprisonment for up to 10 years.
In this case it is not spoofing a commercial website. It is spoofing a common product that many organizations deploy (well, they did that in the past), plus he was hosting it on his own domain. No company was spoofed. But yes, picking an organization's actual site and cloning that can land you in hot water.
he is not spoofing a commercial site, he is spoofing the login page to his own server.
I'd like to have seen this done as a silent exercise, without telling Twitter "Hey, try to hack this!" I get why this was done, but it would be nice to see how long it took for genuine attacks to start.