Uploaded by HAMZA BEN AMMAR
MVP Development for a Web Application Honeypot on Hyper-V

This document outlines the steps and considerations for creating a Minimum Viable Product
(MVP) for a web application honeypot on Hyper-V. The focus is on setting up the
environment, configuring logging, and ensuring proper system management while
intentionally leaving the system vulnerable for research purposes.

Breaking Down MVP Development for a Honeypot

Diagram: MVP Development Requirements and Steps, with three branches: Environment Setup, Logging Configuration, and System Management.

1. Study the Operating System

2. Create Logging to Splunk


Set up logging to Splunk to capture all relevant events and activities within the honeypot.
This will be crucial for analyzing interactions and potential attacks.

3. Configure the Correct Logging Level


Adjust the logging level to ensure that you are capturing enough detail without
overwhelming the system with unnecessary data. This may involve setting different levels for
different types of logs (e.g., error, warning, info).

4. Snapshot After Build Completion


Once the initial build of the honeypot is complete, take a snapshot. This will allow you to
revert to a clean state daily, ensuring that any changes made during testing or attacks do not
affect the base configuration.

5. Consider Adding Sysmon


Integrate Sysmon (System Monitor) to enhance logging capabilities. Sysmon provides
detailed information about process creations, network connections, and changes to file
creation time, which can be invaluable for forensic analysis.

6. Regular Patching
Ensure that the operating system and any installed software are patched to the latest
versions. This is essential for maintaining the integrity of the honeypot and ensuring that it
remains functional.

7. Study the Hyper-V System


Gain a thorough understanding of Hyper-V, including its configuration, management tools,
and networking capabilities. This knowledge will be critical in effectively deploying and
managing the honeypot.

8. Configure Access Controls


Open the system to SSH and RDP access only from specified countries (Jordan, Tunisia, Egypt,
and the Data Center). This will limit exposure while still allowing for necessary access. Ensure
that these configurations are properly documented.

9. Manage Open Machines


All "red machines" (the honeypots) should be configured to be open for interaction. This is
part of the honeypot's purpose, allowing for the observation of attack patterns without
concern for defensive measures.

10. Do Not Worry About Attacks (I’m still a little lost about this point)
The primary goal of this honeypot is to observe and study attacks. Therefore, do not
implement defensive measures; instead, focus on capturing data and understanding the
behavior of potential attackers.

Honeypot Setup and Management

Diagram: Honeypot Setup and Management, with the nodes Initial Setup (Study OS, Configure Logging), Snapshot Creation, Manage Access, and Enhance Security leading to Effective Honeypot Management.

Building the Vulnerable Web Application:

Diagram: Honeypot Configuration overview, with the following branches:
• Framework Selection: Flask (Python), Express (Node.js)
• Intentional Vulnerabilities: SQL Injection, XSS, Open Directories, Insecure Authentication, Weak Access Control
• Logging and Monitoring: Detailed Request Logging, Custom Logging, Sysmon for System Logs, Splunk Forwarding
• Access Control: Geo-IP Blocking, Port Restrictions
• Snapshot Management: Hyper-V Snapshot, Automated Rollback
• Data Simulation: Fake User Accounts, Mock Files and Databases, Interactive Content
• Patch Management: Regular Patching
• Testing and Validation: Internal Testing, External Access Verification

• Framework Selection
• Basic Routes and Endpoints:
• Login Page: A mock login form vulnerable to SQL Injection and possibly weak
authentication.
• Admin Panel: An admin page with poor access control, designed to attract
attackers.
• File Upload Page: A page that appears to accept file uploads, where attackers
might try to upload malicious files.
• Sensitive Pages: Additional routes like /config, /settings, /backup, and /admin
to simulate an actual web service.
2. Introduce Intentional Vulnerabilities
• Common Vulnerabilities:
• SQL Injection: Use unsanitized SQL queries on the login page.
• Cross-Site Scripting (XSS): Allow user input to be reflected on a page without
sanitization.
• Open Directories: Set up a directory that mimics unsecured access, simulating
accidental exposure of sensitive files.
• Insecure Authentication: Set weak or hard-coded credentials to entice brute
force or credential-stuffing attacks.
• Simulate Weak Access Control: Configure the "admin" section to be accessible via
predictable URLs without strong access controls.

3. Configure Logging for Splunk


• Detailed Request Logging:
• Capture all incoming requests, including headers, IP addresses, request bodies,
and URLs accessed. These logs will help identify attack patterns, IPs, and
common vectors.
• Custom Logging: Integrate custom logging in your web app (Flask or Express)
to log critical events. For example, log entries could capture:
• Login attempts (successful and failed)
• Requests with unusual query parameters (SQL injection patterns)
• Access attempts to sensitive or admin pages
• Sysmon for System-Level Logs:
• Sysmon can be configured to log process creations, file modifications, network
connections, and more. This will capture potential attempts to exploit the web
app and gain system-level access.
• Splunk Forwarding: Set up Splunk Universal Forwarder on the VM hosting the
honeypot to automatically forward logs.
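As an added example (not code from the original document or its project), a plain-WSGI request logger that produces the detailed request records described above as one JSON line per request. It assumes a Flask app is wrapped with `app.wsgi_app = RequestLogger(app.wsgi_app, sink)`, where `sink` appends to a file the Splunk Universal Forwarder monitors; `demo()` drives it with a constructed request.

```python
import io
import json
import time


class RequestLogger:
    """WSGI middleware: one JSON line per request (IP, method, URL, headers, body, status)."""

    def __init__(self, app, sink, max_body=4096):
        self.app, self.sink, self.max_body = app, sink, max_body  # sink receives each JSON line

    def __call__(self, environ, start_response):
        # Read the body once, then give the wrapped app a replay stream so it still sees it.
        body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
        environ["wsgi.input"] = io.BytesIO(body)
        seen = {}

        def capture_status(status, headers, exc_info=None):
            seen["status"] = int(status.split()[0])
            return start_response(status, headers, exc_info)

        result = self.app(environ, capture_status)  # Flask calls start_response before returning
        event = {
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "ip": environ.get("REMOTE_ADDR"),
            "method": environ.get("REQUEST_METHOD"),
            "path": environ.get("PATH_INFO"),
            "query": environ.get("QUERY_STRING", ""),
            "headers": {k[5:].replace("_", "-").lower(): v
                        for k, v in environ.items() if k.startswith("HTTP_")},
            "body": body[: self.max_body].decode("utf-8", "replace"),  # capped by max_body
            "status": seen.get("status"),
        }
        self.sink(json.dumps(event))
        return result


def demo():
    """Send a constructed POST /login through the middleware and return the logged event."""
    lines = []

    def decoy_login(environ, start_response):  # stand-in for the honeypot's login route
        start_response("401 UNAUTHORIZED", [("Content-Type", "text/plain")])
        return [b"invalid credentials"]

    payload = b"user=admin&pass=letmein"  # constructed sample input
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/login", "QUERY_STRING": "",
               "REMOTE_ADDR": "203.0.113.5", "CONTENT_LENGTH": str(len(payload)),
               "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)", "wsgi.input": io.BytesIO(payload)}
    RequestLogger(decoy_login, lines.append)(environ, lambda *args: None)
    return json.loads(lines[0])
```

The body is read once and replayed to the wrapped app, so the upload and login routes still receive it unchanged.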
4. Access Control and Geo-Restriction
• Geo-IP Blocking:
• Allow access to the honeypot web app only from specified regions (Jordan,
Tunisia, Egypt, and your data center).
• Configure firewall rules to enforce these restrictions, allowing only specific IP
ranges or countries to interact with the honeypot.
• Port and Protocol Restrictions:
• Open specific ports for HTTP/HTTPS, SSH, and RDP access from authorized IPs.
Ensure that these settings are replicated across the VMs if necessary for a
consistent setup.
5. Daily Snapshot Rollback
• Hyper-V Snapshot:
• After configuring and deploying the honeypot, create a snapshot of the VM.
• Schedule an automated task to revert the VM to this snapshot daily, effectively
resetting any changes, infections, or modifications from attacks.
6. Simulate Data and Content to Attract Attackers
• Populate the web app with dummy data to make it look realistic, including:
• Fake User Accounts: Seed a few user accounts with fake credentials.
• Mock Files and Databases: Populate pages with references to databases,
backup files, or sensitive documents to entice attackers.
• Interactive Content:
• Allow actions such as “view user profiles,” “modify settings,” and “download
logs,” simulating functionalities attackers might try to exploit.
7. Patch Management and Maintenance
• While the honeypot will be intentionally vulnerable, regular patching of system
components and libraries is necessary to avoid unexpected bugs or crashes. This
ensures that the application remains stable and operational for attackers to interact
with.
8. Logging and Analysis in Splunk
• Splunk Dashboards: Set up dashboards in Splunk to track:
• IPs accessing the honeypot.
• Common attack types (based on request patterns and vulnerabilities).
• Unauthorized access attempts.
• Alerts:
• Create alerts for specific events like repeated login failures, SQL injection
patterns, or access to the admin page.
• Visualization: Use Splunk to visualize trends in attack patterns, traffic sources, and
types of vulnerabilities exploited.
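As an added example (not the document's own code), the three alerts named above implemented over a constructed sample of the honeypot's JSON request log, using the ip, path, query, body and status fields that the custom logging in step 3 describes; the SQL injection pattern, the sensitive-path list and the failure threshold are assumptions.

```python
import json
import re
from collections import Counter

SENSITIVE_PATHS = ("/admin", "/config", "/settings", "/backup")
# Crude marker for "unusual query parameters": quote/boolean tricks, UNION SELECT, comment markers.
SQLI_PATTERN = re.compile(r"'\s*(or|and)\s+\S+\s*=|union\s+select|--|/\*", re.I)
FAILED_LOGIN_THRESHOLD = 3  # repeated failures from one IP before alerting
# Splunk-side equivalent of the failed-login alert (assumed index name):
#   index=honeypot path="/login" status=401 | stats count by ip | where count>=3

# Constructed sample of the honeypot's JSON request log (one event per line).
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:01Z","ip":"203.0.113.5","method":"POST","path":"/login","query":"","body":"user=admin&pass=a","status":401}
{"ts":"2024-01-01T10:00:02Z","ip":"203.0.113.5","method":"POST","path":"/login","query":"","body":"user=admin&pass=b","status":401}
{"ts":"2024-01-01T10:00:03Z","ip":"203.0.113.5","method":"POST","path":"/login","query":"","body":"user=admin&pass=c","status":401}
{"ts":"2024-01-01T10:00:04Z","ip":"198.51.100.7","method":"GET","path":"/profile","query":"id=1' OR '1'='1","body":"","status":200}
{"ts":"2024-01-01T10:00:05Z","ip":"198.51.100.7","method":"GET","path":"/backup","query":"","body":"","status":200}
{"ts":"2024-01-01T10:00:06Z","ip":"192.0.2.9","method":"GET","path":"/","query":"","body":"","status":200}
"""


def parse_events(text):
    """Turn JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_alerts(events):
    """Return (alert_type, ip, detail) tuples for the three alert cases named in step 8."""
    alerts = []
    failed_logins = Counter()
    for ev in events:
        if ev["path"] == "/login" and ev["status"] == 401:
            failed_logins[ev["ip"]] += 1  # counted per source IP, reported after the pass
        if SQLI_PATTERN.search(ev.get("query", "") + " " + ev.get("body", "")):
            alerts.append(("sqli_pattern", ev["ip"], ev["path"]))
        if ev["path"].startswith(SENSITIVE_PATHS):
            alerts.append(("sensitive_page_access", ev["ip"], ev["path"]))
    for ip, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("repeated_login_failure", ip, count))
    return alerts
```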
9. Testing and Validation
• Internal Testing: Test each vulnerability to ensure it works as expected (e.g., SQL
injection on the login page, XSS on the comment section).