
I'm watching all this movement around the Metasploit project, the great number of different exploitation plugins, and thousands of exploit packs. Now it is really true that anyone could configure his own black hole in the network. Moreover, any admin of any service in the network could attack me just for fun while I'm reading an article on his page.

I know there is only one exception: an up-to-date system, an up-to-date browser, JavaScript disabled by default, and no Flash player. However, I can see an option to verify my services for fair play: an exploitable browser à la honeypot.

In the same way that Metasploit collects holes in different browsers, this honey-browser could collect holes to keep up an alert system. I know Firefox and Chromium are open source and would be the base for such a honey-browser. Such an alert system with all known exploits could detect any HTTP/HTTPS/whatever activity against my browser, like a network IDS.

Is there anything like what I'm talking about? For example, I know about the Mantra Security Framework. There are hundreds of attack plugins or extensions, but none to defend.

For example,

  1. How does an exploit pack work? It is a pack of exploits, and all exploits attack the browser, whether it is IE, FF, or Chrome, one by one, in sequence.

  2. Once any of the exploits is detected by signature, the rest of the session could be written to a kind of sandbox to protect the browser.

Such a plugin could be a nice shield for the browser.

David Freitag
anonymous
    A honeypot allows the attack to happen just to see how far the attack goes. Is that what you want? Or do you just want to defend against all possible attacks? – schroeder Jul 18 '15 at 05:51
  • Defend as an option. And as an option to track the attacker: what happens after infection, where his C&C is, what he does, etc. Such a honey-browser could give all these options – anonymous Jul 18 '15 at 07:16

3 Answers

If I understood your question's title well, and if you are looking for open-source stuff:

I know, FireFox and Chromium are Open-Source and would be the base for such Honey-Browser.

then you can use, for instance, Thug, which is a browser emulator written in Python that automatically interacts with the malicious website to check its exploits.

There are also other tools equivalent to Thug.

Note that attacks upon browsers are mainly done using malicious JavaScript code, performing especially drive-by download attacks. One of the solutions I implemented myself to detect compromised websites intended to target clients/visitors is based on a honeypot that uses several virtual machines on which different operating systems and browsers are running (without antivirus installed) and a program that checks the health of the operating systems and browsers during and after the automatic navigation of all the pages of a given URL.

  • Yeah, you understood me well. It is exactly this thread. However, additionally, I would like to have such a plugin for Firefox or Chromium, or a modified `modern` browser, with an alarm system on board. To surf the web safely. – anonymous Jul 18 '15 at 07:21
  • As you can see, OWASP Mantra gives a lot of additional info about a site: IP, country, programming framework, operating system of the server, version of the web service, everything. It is very nice and useful. It would be good to add here an activity / honeypot-like sandbox, to gather malicious sites while surfing. To be protected against any force majeure, like someone cracking the "Schneier on Security" blog and injecting poison for every new visitor. How can I be safe? Such a plugin could give us a chance. – anonymous Jul 18 '15 at 07:24
  • @anonymous You won't find a plugin for Firefox or other usual browsers that does exactly what you expect; instead you can only find several security plugins to control more or less suspicious JS activities. Example for Firefox [here](https://addons.mozilla.org/en-US/firefox/search/?q=security&appver=39.0&platform=linux) –  Jul 18 '15 at 07:31

A honeypot is not a plugin that will defend you while surfing. For this you already have several plugins available, each one dedicated to facing a different kind of attack (whether it is phishing, tracking, SSL-, JavaScript- or Flash-related, etc.).

A honeypot, on the contrary, is made to attract and allow attacks in order to study them better. The way I could imagine such a honeypot browser system would be as follows:

  1. Set up a VM which will mimic an end-user environment but is used only for this honeypot system (you do not want all the hostile plugins you will download to reach your real files, do you?),
  2. Download a listing of known hostile URLs (you can find several on the Internet, mainly intended for filtering purposes). You may want to let your honeypot browser surf the web randomly or visit the same sites as you, but the chances of actually catching anything in your honeypot will then be very low,
  3. Use a browser automation system, like Selenium for instance, which is mainly dedicated to the QA world but should work for the job here too since its goal is to emulate user actions on real browsers.

This way, you should be able to build a virtualized system where the major browsers automatically browse to the worst URLs of the moment, get contaminated by each and every malware, allowing you then to collect and analyse the collected data at will (like building a database for further detection, since you mentioned this in your question).

However, be sure to check honeypot good practices (there are already several posts on the subject around here) since, for instance, you do not want your honeypot to serve as a relay to contaminate the rest of your internal network, nor do you want it to serve as a relay to contaminate other external systems or become a bot of any kind.

WhiteWinterWolf
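As an added illustration of the two answers above (this is not code from either answerer, and Thug, Selenium and HoneyMonkey are only referenced, not reproduced), the harness below does the "health check around automated navigation" that the first answer describes, driven by the hostile-URL list plus browser-automation loop that the second answer lays out. The function and class names (`snapshot_tree`, `probe_url`, `load_url_list`, `Verdict`, `selenium_visit`) are this example's own choices. The one health check implemented is a file-tree baseline/diff of a directory the browser should never write to; the Selenium visitor is the real one you would run inside the disposable VM, while `demo()` swaps in a constructed fake browser and a constructed feed so the whole thing runs offline.

```python
"""Client-honeypot harness: baseline/diff health check around automated browsing.

Added example, not code from the answers. Names below are assumptions.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


def snapshot_tree(root: str) -> Dict[str, str]:
    """Map each regular file under root (relative path) to its SHA-256.

    One concrete 'health check': a drive-by that drops or alters a file in a
    tree the browser has no business touching changes the snapshot.
    """
    state: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            state[os.path.relpath(full, root)] = digest.hexdigest()
    return state


@dataclass
class Verdict:
    """What changed in the watched tree while one URL was visited."""
    url: str
    created: Set[str] = field(default_factory=set)
    modified: Set[str] = field(default_factory=set)
    deleted: Set[str] = field(default_factory=set)

    @property
    def infected(self) -> bool:
        # Any change at all in the watched tree is treated as a hit.
        return bool(self.created or self.modified or self.deleted)


def load_url_list(text: str) -> List[str]:
    """Parse a hostile-URL feed: one URL per line, '#' comments and blanks ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def probe_url(url: str, watched_root: str, visit: Callable[[str], None]) -> Verdict:
    """Snapshot, let the browser visit the URL, snapshot again, diff."""
    before = snapshot_tree(watched_root)
    visit(url)
    after = snapshot_tree(watched_root)
    verdict = Verdict(url)
    verdict.created = set(after) - set(before)
    verdict.deleted = set(before) - set(after)
    verdict.modified = {p for p in set(before) & set(after) if before[p] != after[p]}
    return verdict


def selenium_visit(url: str, timeout: int = 20) -> None:
    """Real visitor for the disposable VM: drive Firefox through Selenium.

    Assumes the selenium package and geckodriver are installed on the VM;
    imported lazily so the rest of the module works without them.
    """
    from selenium import webdriver  # assumption: present on the honeypot VM only

    driver = webdriver.Firefox()
    try:
        driver.set_page_load_timeout(timeout)
        driver.get(url)
    finally:
        driver.quit()


def demo() -> Dict[str, Verdict]:
    """Run the harness offline against a constructed feed and a fake browser."""
    feed = "# constructed sample feed, not a real blocklist\nhttp://benign.example/\nhttp://dropper.example/\n"
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "Downloads")
        os.makedirs(downloads)
        with open(os.path.join(downloads, "readme.txt"), "w") as fh:
            fh.write("clean baseline\n")

        def fake_browser(url: str) -> None:
            # Constructed stand-in for the VM browser: the 'dropper' URL behaves
            # like a drive-by download, planting a binary and tampering a file.
            if "dropper" in url:
                with open(os.path.join(downloads, "update.exe"), "wb") as fh:
                    fh.write(b"MZ\x90\x00 constructed payload, not real malware")
                with open(os.path.join(downloads, "readme.txt"), "a") as fh:
                    fh.write("tampered\n")

        return {u: probe_url(u, root, fake_browser) for u in load_url_list(feed)}


if __name__ == "__main__":
    for url, v in demo().items():
        print(url, "INFECTED" if v.infected else "clean", sorted(v.created | v.modified))
```

In a real deployment `fake_browser` is replaced by `selenium_visit`, the watched root is the VM user's profile (downloads, startup and temp folders), and the VM is reverted to a clean snapshot after every infected verdict, which is the part of the second answer's warning about the honeypot contaminating other systems that this script does not do for you.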

AFAIK several implementations exist, but openness is often limited by competitive advantage (AV companies for example). Microsoft has published much of their HoneyMonkey project. See http://research.microsoft.com/en-us/um/redmond/projects/strider/honeymonkey/ for more details.

wireghoul