I have a fun project I would like to invest some time into and am interested if anyone would like to join me on the voyage.
Quite simply it is an extension of a honeypot, though one with an odd response.
When an inbound attack is sent, it is caught and run through an engine I will design; from there, if we have no way to figure out how the payload is attached or what it does, it will be dropped.
However, for common things like SSH attacks or Shellshock, the attack will be adjusted slightly and sent back to the originator, the idea being that whatever is scanning and attacking has probably been exploited using the same attack.
In the event a reverse attack succeeds, the first thing to be done is to establish which process spawned the connection to our machine (which should still be active in most cases) and destroy it. From there, if it was using a known attack vector [1], it would be patched; of course the engine that detected that would still remain on that system for a few days to expand the inbound detected attack pool.
If the system is embedded and read-only or such, an attempt would be made to destroy the device to remove it as a threat from the internet.
Generally, what I am suggesting building is a blue-team honeypot with red-team extensions.
Let me know your thoughts!
[1] A known attack vector that was used to gain access to the machine that we are now connected to! (In most cases this should be simple to diagnose; the art is removing whatever malware was installed via it.)
The core would likely be prototyped in C# or Perl, but the actual idea is infrastructure-based; there is no reason anyone could not, for instance, add a handler for a specific attack vector signature in PHP or VB, distribution being the king and all.
That is why it is under a project header: my idea is to create this as a general distributed project. When an attack is detected, its sig will be distributed to the connected client list, so everyone can write their own retaliatory attack against anything.
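Added example (not code from the poster or from this project): a Python sketch of the capture-and-classify stage described in the first post and of the signature record that the follow-up says would be distributed to the connected client list. The event shape, the two detection rules (a Shellshock marker in an HTTP header, repeated SSH login failures from one source), the failure threshold and the JSON-lines record format are all assumptions, and every input is a constructed sample. The engine drops anything it cannot explain and stops at producing the signature record.

```python
"""Capture-and-classify stage of the proposed honeypot (added illustration).
Event shape, rules, threshold and the wire format are assumptions, not the
poster's design; all sample inputs are constructed."""
import json
import re
from collections import Counter
from dataclasses import dataclass, asdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Marker of a Shellshock probe: a bash function body injected into an HTTP
# header value, e.g. "() { :; }; <command>".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
# sshd log line for a failed login; a source that repeats this is treated as a
# brute-force scanner once it crosses SSH_FAIL_THRESHOLD (assumed value).
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
SSH_FAIL_THRESHOLD = 3


@dataclass
class Signature:
    """Record handed to the distribution layer (assumed format)."""
    vector: str      # e.g. "shellshock", "ssh-bruteforce"
    source: str      # attacking IP as seen by the honeypot
    evidence: str    # matched fragment or counts, so clients can verify the rule
    confidence: str  # "high" for an exact pattern match, "medium" for counts


def classify_http(source: str, headers: Dict[str, str]) -> Optional[Signature]:
    """Look for a Shellshock marker in any header value."""
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if m:
            return Signature("shellshock", source, f"{name}: {m.group(0)}", "high")
    return None


def classify_ssh_log(lines: Iterable[str]) -> List[Signature]:
    """Count failed logins per source; emit one signature per noisy source."""
    failures: Counter = Counter()
    users: Dict[str, Set[str]] = {}
    for line in lines:
        m = SSH_FAIL_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users.setdefault(src, set()).add(user)
    return [
        Signature("ssh-bruteforce", src,
                  f"{n} failures, users={sorted(users[src])}", "medium")
        for src, n in failures.items() if n >= SSH_FAIL_THRESHOLD
    ]


def run_engine(events: List[dict]) -> Tuple[List[Signature], int]:
    """Dispatch captured events by type; anything the engine cannot explain is dropped."""
    signatures: List[Signature] = []
    dropped = 0
    for ev in events:
        if ev["type"] == "http":
            sig = classify_http(ev["source"], ev["headers"])
            if sig:
                signatures.append(sig)
            else:
                dropped += 1
        elif ev["type"] == "sshlog":
            signatures.extend(classify_ssh_log(ev["lines"]))
        else:
            dropped += 1
    return signatures, dropped


def to_wire(signatures: List[Signature]) -> str:
    """Serialise for the client list: JSON lines, one signature per line."""
    return "\n".join(json.dumps(asdict(s)) for s in signatures)


# Constructed sample capture: one Shellshock probe, one ordinary request, a burst
# of SSH failures from one source, and an opaque blob the engine cannot classify.
SAMPLE_EVENTS = [
    {"type": "http", "source": "203.0.113.7",
     "headers": {"User-Agent": "() { :; }; echo probe", "Host": "honeypot"}},
    {"type": "http", "source": "198.51.100.2",
     "headers": {"User-Agent": "Mozilla/5.0", "Host": "honeypot"}},
    {"type": "sshlog", "lines": [
        "Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2",
        "Failed password for root from 203.0.113.9 port 40002 ssh2",
        "Failed password for invalid user test from 203.0.113.9 port 40003 ssh2",
        "Failed password for root from 198.51.100.4 port 50000 ssh2",
    ]},
    {"type": "raw", "source": "192.0.2.1", "data": b"\x00\xff\x13garbage"},
]

if __name__ == "__main__":
    sigs, dropped = run_engine(SAMPLE_EVENTS)
    print(to_wire(sigs))
    print(f"dropped {dropped} unexplained events")
```

Run as-is it prints two JSON-lines records (one Shellshock, one SSH brute-force from 203.0.113.9) and reports two dropped events: the ordinary request and the raw blob. The single failure from 198.51.100.4 stays below the threshold and produces nothing, which is the kind of tuning a shared signature feed would need to agree on before clients act on it.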
I think I will give a small YouTube on my plans because who cares, probably with an adjoined Hangouts so people can join next week; will see if I can rope fraq etc. in.
It seems we have some interest in this project, so I will be setting up a private project tracker for it; will repost login details as they become available.
Small update: the protocol I am intending to use to link the relevant parts of this little project is entering early testing; will give more detail within the next 2 weeks.