active directory

you mean honeypots?

you can try https://honeyscore.shodan.io/ :)
I know about this... my question is about something in the network, like user honeypots.
I have my methods for this... I am just asking, maybe someone can tell me something I don't know, like new methods to detect them.
:)
 
As far as I know there is no specific tool to find honeypots, but you can try this. Maybe you can share your "methods" to find honeypots so we can understand what you don't know or what we can help you to improve?
Usual methods: try to gather as much information about all users as you can and try to find some patterns; honeypots should break these patterns. Simple example: users change their passwords every 30 days, the honeypot never changed its password.
Also look for:
  • ObjectSID (it can differ from the other SIDs)
  • lastLogon, logonCount
  • badPwdCount (this is a very good pointer to real users vs fake ones)
 
HoneypotBuster is an old option at this time. For the real world, lastLogon, logonCount and badPwdCount, these three options are effective if the blue team uses a free tool to set up their honeypot and never looks at it again.
 
The ObjectSID option is good. Also, let me tell you there are paid tools to make honeypot users etc., so the other 3 options you mentioned will be taken care of automatically by the honeypot tool, because they know how you think.
 
Some tools will also use tricks like polluting lsass memory, so if you try to use the dumped hashes it will alert. They fill the network with fake hosts and objects that staff will never use or see.

To survive you will need to work slowly and carefully. Even if passive, if you do too much at once it could still alert. Use their tools to look at account details like the last logon, group memberships and password changes. See if the account name also exists in their mail. If created by a tool you may also see many made at the same time, and their details may look fake. Review event logs, qwinsta, netstat, etc. to see what accounts are being used and where. Limit your actions to only what you know is real.
 
You can't learn this from paid courses; you get this only by experience in the real world.
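The attribute tells discussed in this thread (a password far older than the rotation policy allows, no lastLogon, zero logonCount and badPwdCount, several accounts created at the same moment) double as a checklist for a blue team that wants its decoy accounts to blend in with the real population. Below is an added example, not code from any poster in the thread: it takes exported user records, profiles what "normal" looks like among real users, and reports which tells each decoy still shows. The records, the reference time and the decoy names are constructed, and timestamps are plain Python datetimes rather than raw AD FILETIME values.

```python
"""Audit decoy AD accounts for attribute tells (constructed sample data)."""
from datetime import datetime, timedelta
from statistics import median

# Constructed reference time for the sample export below (not real data).
NOW = datetime(2024, 6, 1, 12, 0)


def user(sam, pwd_days, logon_days, logon_count, bad_pwd, created):
    """Build one exported user record; logon_days=None means never logged on."""
    return {
        "sam": sam,
        "pwdLastSet": NOW - timedelta(days=pwd_days),
        "lastLogon": None if logon_days is None else NOW - timedelta(days=logon_days),
        "logonCount": logon_count,
        "badPwdCount": bad_pwd,
        "whenCreated": created,
    }


# Constructed real population: passwords rotated within 30 days, regular logons.
REAL_USERS = [
    user("a.ivanov", 12, 1, 412, 1, datetime(2019, 3, 4, 9, 12)),
    user("b.petrov", 25, 3, 987, 0, datetime(2018, 11, 20, 14, 30)),
    user("c.sidorova", 7, 0, 250, 2, datetime(2021, 6, 2, 8, 45)),
    user("d.kuznetsov", 29, 10, 133, 0, datetime(2022, 1, 15, 16, 5)),
]

# Constructed decoys: two created by a batch tool and never touched again,
# one maintained so that it looks like any other employee.
DECOYS = [
    user("svc_backup_admin", 400, None, 0, 0, datetime(2024, 5, 20, 10, 0)),
    user("sql_prod_sa", 400, None, 0, 0, datetime(2024, 5, 20, 10, 2)),
    user("e.morozova", 18, 2, 301, 1, datetime(2020, 9, 9, 11, 20)),
]


def profile(users):
    """Summarise the real population so decoys can be compared against it."""
    return {
        "max_pwd_age": max(NOW - u["pwdLastSet"] for u in users),
        "max_idle": max(NOW - u["lastLogon"] for u in users),
        "median_logon_count": median(u["logonCount"] for u in users),
    }


def decoy_tells(decoy, prof, directory, batch_window=timedelta(minutes=5)):
    """Return the list of ways this decoy stands out from the real users."""
    tells = []
    if NOW - decoy["pwdLastSet"] > prof["max_pwd_age"]:
        tells.append("password older than any real user's (rotation policy not applied)")
    if decoy["lastLogon"] is None or NOW - decoy["lastLogon"] > prof["max_idle"]:
        tells.append("never or rarely logged on")
    if decoy["logonCount"] < prof["median_logon_count"] / 10:
        tells.append("logonCount far below the population")
    if decoy["badPwdCount"] == 0 and decoy["logonCount"] == 0:
        tells.append("no activity at all (badPwdCount and logonCount both 0)")
    # Accounts created within a few minutes of each other betray batch creation.
    siblings = [
        u for u in directory
        if u is not decoy and abs(u["whenCreated"] - decoy["whenCreated"]) <= batch_window
    ]
    if siblings:
        tells.append(f"created within {batch_window} of {len(siblings)} other account(s)")
    return tells


def audit(real_users=REAL_USERS, decoys=DECOYS):
    """Map each decoy to its list of tells; an empty list means it blends in."""
    prof = profile(real_users)
    directory = real_users + decoys
    return {d["sam"]: decoy_tells(d, prof, directory) for d in decoys}


if __name__ == "__main__":
    for sam, tells in audit().items():
        print(sam, "->", tells or "blends in")
```

Run against a real export, the same function tells the defender which decoys need a password rotation schedule, scripted logons and a sprinkling of failed logons before they are credible; in the sample the two batch-created service accounts trip every check, while the maintained one reports no tells.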