You can create fake PoC exploits that make a call to a back-end HTTP server to collect metadata on the individuals that use them.[^1] The call can be obfuscated with hex and Base64 encoding so that it looks like the payload's shellcode,[^1] and the encoded pieces can be concatenated using custom delimiter characters.[^1] The back-end server can be made to make the session seem unstable.[^1] It can also present itself as a Windows or Linux machine, with a series of statements that return bogus responses to common commands.[^1] All of the input can be logged to a MySQL database and linked to a private Slack channel for real-time monitoring.[^1] Be sure to de-fang any URLs.[^1] Make sure that the response to the ipconfig command gives a believable IP address:[^1] reflect the incoming IP address from the PHP script and change the last octet to 1 so that it looks like the gateway.[^1] Some of the most common commands that have been seen with honeypots (in order of frequency) are:
- whoami (responded with nt authority\system)
- ipconfig
- dir
- net user
- exit
- dir C:\
- cd ..
- hostname
- ls
- systeminfo
If you can get attackers to use an -lhost flag, you may be able to capture the IP addresses of their C2 servers.[^1]
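As an added illustration (not code from the article or from Honeysploit itself), the fake-shell logic the back-end needs: canned Windows replies, an ipconfig response whose gateway reflects the caller's address with the last octet set to 1, capture of any -lhost / LHOST value for the log, and de-fanging of the text before it is forwarded to Slack. The hostname, account names, directory listing and the ".23" host address are constructed placeholders.

```python
import ipaddress
import re

# Canned replies for the emulated Windows host. Hostname, account names and
# the directory listing are constructed placeholders, not values from the article.
WINDOWS_REPLIES = {
    "whoami": "nt authority\\system",
    "hostname": "WIN-SRV01",
    "net user": "User accounts for \\\\WIN-SRV01\r\n\r\nAdministrator  Guest  svc_web",
    "dir": " Volume in drive C has no label.\r\n\r\n Directory of C:\\Users\\Public\r\n",
}

def fake_gateway(client_ip: str) -> str:
    """Reflect the caller's IPv4 address with the last octet changed to 1."""
    octets = list(ipaddress.IPv4Address(client_ip).packed)
    octets[3] = 1
    return str(ipaddress.IPv4Address(bytes(octets)))

def fake_ipconfig(client_ip: str) -> str:
    """Bogus ipconfig output whose default gateway sits in the caller's own /24."""
    gw = fake_gateway(client_ip)
    host = gw[: gw.rfind(".")] + ".23"  # assumed host address in the same /24
    return (
        "Windows IP Configuration\r\n\r\nEthernet adapter Ethernet0:\r\n"
        f"   IPv4 Address. . . . . . . . . . . : {host}\r\n"
        "   Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n"
        f"   Default Gateway . . . . . . . . . : {gw}\r\n"
    )

def extract_lhost(command: str):
    """Return the value passed as -lhost or LHOST= (a likely C2 address), else None."""
    m = re.search(r"(?:-lhost\s+|lhost=)([^\s]+)", command, re.IGNORECASE)
    return m.group(1) if m else None

def defang(text: str) -> str:
    """Neutralise URLs and IPv4 addresses before the text reaches the Slack channel."""
    text = re.sub(r"(?i)http", "hxxp", text)
    return re.sub(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", r"\1[.]\2[.]\3[.]\4", text)

def respond(command: str, client_ip: str):
    """Answer one emulated command; return (reply, record) where record goes to the DB/Slack."""
    cmd = command.strip()
    key = cmd.lower()
    if not cmd or key in ("exit", "cd ..", "cd.."):
        reply = ""                                   # silent commands
    elif key.startswith("ipconfig"):
        reply = fake_ipconfig(client_ip)
    elif key.startswith("dir"):
        reply = WINDOWS_REPLIES["dir"]
    elif key in WINDOWS_REPLIES:
        reply = WINDOWS_REPLIES[key]
    else:                                            # mimic cmd.exe for anything unknown
        reply = f"'{cmd.split()[0]}' is not recognized as an internal or external command,\r\noperable program or batch file."
    record = {"client_ip": client_ip, "command": cmd, "possible_c2": extract_lhost(cmd),
              "slack_text": defang(f"{client_ip} ran: {cmd}")}
    return reply, record
```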
The most common C2 listening ports (also in order of frequency) were:
- 4444
- 8080
- 8000
- 8888
- 10223
- 10000
- 7777
- 1337
- 42
- 443
- 4445
Sources
[1] C. Brazzell, "Honeysploit: Exploiting the Exploiters," Medium. [Online]. Available: https://curtbraz.medium.com/exploiting-the-exploiters-46fd0d620fd8