Home » Articles » Micro-Honeypots and the Usage of Browser Fingerprinting Techniques to Track Hackers
Click Here To Hide Tor

Micro-Honeypots and the Usage of Browser Fingerprinting Techniques to Track Hackers

Malicious attacks have grown at a relatively high rate during the past few years across the whole internet. To shield websites against various forms of web attacks, researchers and penetration testers utilize honeypots to collect attack information. Nevertheless, hackers can hide themselves via stepping stones (e.g. proxy servers, VPNs) or anonymous P2P networks (e.g. the Tor network). Traditional honeypots are ineffective means for gathering information regarding the identity of an attacker who hides himself using these anonymizing means, which imposes a serious challenge to law enforcement agencies attempting to trace these hackers.

A recently published paper proposed the use Micro-Honeypots which are centered on the utilization of fingerprinting techniques to track hackers launching malicious attacks. Traditional honeypots trick hackers in order to monitor their activities. A Micro-Honeypot is implemented within a conventional honeypot. It will run and collect identity information whenever a malicious attacker successfully visits a honeypot. Results of the researchers’ experiments show that Micro-Honeypots can gather more information and track attackers even though they might have been using stepping stones (e.g. proxy servers, VPNs) or anonymous networks (the Tor network) to hide themselves.

architecture of micro-honeypot.PNG

Figure 1: High level architecture of a Micro-Honeypot

What is a Micro-Honeypot?

A Micro-Honeypot is implemented inside a conventional honeypot. Figure 1 illustrates the basic infrastructure of a Micro-Honeypot. A front end collection module is inserted into a honeypot. When an attacker is lured and accesses the honeypot, they will get a page with the front end collection module, which runs and collects information that is sent to the tracking server that monitors all activities of the attacker. The front end collection module will collect multiple items related to the attacker’s activities including the time of visit, target, fingerprint, intranet_IP, browser type and version, color_depth, resolution, available_resolution, navigator_platform, and others.

Types of honeypots used with Micro-Honeypots:

In order to lure the attackers, three different honeypot templates, inside which the Micro-Honeypot can be deployed, were used in the experiments:

1. A website disguised as an exclusive drug marketplace that only allows trades to take place between a private circle of invited members. The website of the marketplace was created using an old version of the widely used OSCommerce e-marketing application. The version used in the researchers’ experiments included several known vulnerabilities, which enable a hacker to take over the admin panel and maliciously manipulate accounts and files.

2. A blog site that markets customized online solutions for hosting hidden services on the Tor network. The website was built using an outdated version of the WordPress CMS, which included multiple known vulnerabilities. The honeypot also included several subdirectories with a number of web shells, in order to convey the idea that the website was already successfully attacked by other hackers. The website was configured in a manner that allowed directory listing, so that a hacker or a malicious script could easily navigate through the framework of the website and locate the shells.

3. A custom private forum that only allowed registered members to take part in the discussions there. The forum described the process to become a forum member, to require a valid referral from another forum member. In this case, the researchers manually included a remote file-inclusion vulnerability that enabled a hacker to upload arbitrary files via maliciously modifying PHP filters. The vulnerability was created to be clearly “standard”, to resemble others.

Browser fingerprinting , Micro-Honeypots and the General Data Protection Regulation (GDPR):

The wide application of browser fingerprinting to deanonymize users, especially with the novel implementation of Micro-Honeypots raises concerns regarding the privacy of internet users. Even though policy is usually rather slow to react to users’ privacy concerns, consumers have witnessed a big win last year with the General Data Protection Regulation (GDPR) , which represents a new group of European Union rules that were created to give users tighter control over their private online data. This has only gone into effect recently, so this is expected to make it even harder for law enforcement agencies to use Micro-Honeypots and browser fingerprinting to locate hackers during the foreseeable future, so more research is needed to experiment the use of Micro-Honeypots as new privacy rules come into action.

3 comments

  1. Doesn’t this all require JavaScript to be enabled? Let’s remember that any so-called hackers in their right mind will disable JS when they are on the quest of hacking a site.

    I’m confused that the word “JavaScript” wasn’t mentioned here even once.

  2. JavaScript may not be required to finger print services located inside a honeypot. The information that the server side collecting service is gained through mainly the plain old browser fingerprint….not a lot more is needed other than some ids collection to see maybe what attack surface they are using….for example scanning 3389 port on tcp to see if RDP attack or SQL injection on SQL port etc.

    JavaScript is just highlighted on DNM’s because of the vulnerability for leaking your original IP when connection over VPN hence not masking your real IP.

    Attack surfaces are numerous and not just based on JS.

    This is my understanding in any case.

    Kindest,
    A

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Captcha: *