# Discover Threats with HoneyPot in Real-Time

Now that you have a foundational understanding of each section of T-POT, let's look more closely at the "Attack Map", "Elasticvue", "Kibana", and "Spiderfoot" views.
## Attack Map

- Click on "Attack Map" on the T-POT web interface.
- A new window displays real-time information about ongoing attacks.
- The first column shows the service being attacked, color-coded by service.
  - For example, we can see an IP address in Pakistan launching SSH attacks.
  - [Abuseipdb.com](https://www.abuseipdb.com) is a good website to check whether that IP address has been reported for SSH attacks.
  - Navigate to Abuseipdb.com and paste the Pakistani IP address into the search bar to check.
  - Confirmed: the IP address from Pakistan has been reported for SSH attacks.
- The second column displays the IP addresses that made the highest number of attempts to breach the virtual machine, along with the count of attempts for each.
- The third column displays the countries that made the highest number of attempts to breach the virtual machine, along with the count of attempts for each.
- The fourth column displays the most recent attack events.
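The manual AbuseIPDB lookup above can also be scripted so that every top attacker IP from the Attack Map gets the same reputation check. The following Python example is added here and is not part of T-Pot or this write-up: it calls AbuseIPDB's public v2 `check` endpoint (the URL, the `Key` header, the `ipAddress`/`maxAgeInDays` parameters and the response fields it reads come from AbuseIPDB's API documentation, and a live call needs your own API key). The sample response and the TEST-NET address it uses are constructed so the code runs offline, and the `block_threshold` of 50 is an assumed local policy, not an AbuseIPDB recommendation.

```python
"""Reputation lookup of an attacker IP against the AbuseIPDB v2 'check' API.

Example added for this write-up; not T-Pot code. The request format and the
response fields used below follow AbuseIPDB's public API documentation; the
sample response is constructed and the IP is a documentation address
(TEST-NET-3), so nothing here touches a real host.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable

ABUSEIPDB_CHECK_URL = "https://api.abuseipdb.com/api/v2/check"


def fetch_from_abuseipdb(ip: str, api_key: str, max_age_days: int = 90) -> dict:
    """Live fetcher: needs network access and an AbuseIPDB API key."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    req = urllib.request.Request(
        f"{ABUSEIPDB_CHECK_URL}?{query}",
        headers={"Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def summarize_reputation(ip: str, fetcher: Callable[[str], dict],
                         block_threshold: int = 50) -> dict:
    """Reduce the API response to the fields an analyst acts on.

    abuseConfidenceScore is 0-100 and totalReports counts reports inside the
    lookback window. block_threshold is an assumed local policy value.
    A missing or empty 'data' object is treated as 'no reports'.
    """
    data = fetcher(ip).get("data", {})
    score = int(data.get("abuseConfidenceScore", 0))
    return {
        "ip": ip,
        "country": data.get("countryCode"),
        "isp": data.get("isp"),
        "usage_type": data.get("usageType"),
        "score": score,
        "reports": int(data.get("totalReports", 0)),
        "verdict": "known-abusive" if score >= block_threshold else "low-confidence",
    }


# Constructed response shaped like an AbuseIPDB v2 'check' reply.
SAMPLE_RESPONSE = {
    "data": {
        "ipAddress": "203.0.113.10",
        "isPublic": True,
        "abuseConfidenceScore": 100,
        "countryCode": "PK",
        "usageType": "Fixed Line ISP",
        "isp": "Example ISP (constructed)",
        "totalReports": 412,
        "numDistinctUsers": 87,
        "lastReportedAt": "2024-01-01T00:00:00+00:00",
    }
}


def sample_fetcher(ip: str) -> dict:
    """Offline stand-in for fetch_from_abuseipdb, used by the demo below."""
    assert ip == SAMPLE_RESPONSE["data"]["ipAddress"]
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    # Offline demonstration. For a live query, pass a real fetcher instead:
    #   summarize_reputation(ip, lambda i: fetch_from_abuseipdb(i, API_KEY))
    print(summarize_reputation("203.0.113.10", sample_fetcher))
```

Feeding the Attack Map's "top attacker" column through `summarize_reputation` gives a quick triage list: a high confidence score with many distinct reporters means the address is already known to the community, while a low score on an address that is hammering your honeypot is worth reporting yourself.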
## Elasticvue

- Click on "Elasticvue" on the T-POT web interface.
- Click on "Connect" at the bottom of the page.
- Click on "NODES" at the top of the page.
  - The utilization of the server is shown here for us to monitor.
- Click on "SEARCH" at the top of the page.
  - The search function can be used here to search the stored attack events.
  - For example, put "Admin" in the search bar and press SEARCH.
  - It will return all the login attempts that used the username "admin".
## Kibana

Kibana works together with Logstash and Elasticsearch as one stack: together they gather, process, and present the honeypot data so that useful insights can be drawn from it.

- Click on "Kibana" on the T-POT web interface.
- Navigate to page 2 of Kibana.
- Click on ">T-Pot" to view the T-POT dashboard.
- This dashboard shows all the information from the honeypots you installed with T-POT.
- In the upper-right corner, there is an option to change the date range, allowing you to view data from different points in time.
- The "Attack Map - Dynamic" panel displays the regions where the highest volume of attack attempts has been observed.
- The "Attacks by Country" panel displays each country's percentage of the total attack attempts.
- Scrolling down to the "Username Tagcloud" and "Password Tagcloud" panels shows the usernames and passwords that were used most often in the attack attempts.
  - The larger the word, the more frequently it was used.
- The "Suricata CVE - Top 10" panel displays the CVE IDs associated with the most frequently attempted attacks.
- The "Attacks by Country and Port" panel displays, for each country, the percentage of attempts against each port.
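To make clear what the Attack Map columns and the Kibana panels are actually computing, here is a Python example added for this write-up (it is not T-Pot code) that rebuilds the same figures from raw events: the top attacker IPs and countries (Attack Map columns 2 and 3), the "Attacks by Country" and "Attacks by Country and Port" percentages, the username/password tag cloud counts, and the Elasticvue-style search for login attempts with a given username. The events are constructed; their field names (`src_ip`, `username`, `password`, `eventid`, `dest_port`, `geoip.country_name`, `type`) are modelled on Cowrie events as T-Pot's Logstash pipeline stores them and should be treated as an assumption about the index layout.

```python
"""Recompute the T-Pot dashboard figures from raw honeypot events.

Added example, not T-Pot code. EVENTS is a constructed sample; the field
names follow the shape of Cowrie/Dionaea events as T-Pot's Logstash
pipeline stores them, which is an assumption about the index layout.
"""
from collections import Counter

# Constructed sample of stored events (one dict per Elasticsearch document).
EVENTS = [
    {"type": "Cowrie", "eventid": "cowrie.login.failed", "src_ip": "203.0.113.10",
     "geoip": {"country_name": "Pakistan"}, "dest_port": 22,
     "username": "admin", "password": "admin"},
    {"type": "Cowrie", "eventid": "cowrie.login.failed", "src_ip": "203.0.113.10",
     "geoip": {"country_name": "Pakistan"}, "dest_port": 22,
     "username": "root", "password": "123456"},
    {"type": "Cowrie", "eventid": "cowrie.login.failed", "src_ip": "203.0.113.10",
     "geoip": {"country_name": "Pakistan"}, "dest_port": 22,
     "username": "admin", "password": "password"},
    {"type": "Cowrie", "eventid": "cowrie.login.failed", "src_ip": "198.51.100.7",
     "geoip": {"country_name": "United States"}, "dest_port": 22,
     "username": "Admin", "password": "123456"},
    {"type": "Cowrie", "eventid": "cowrie.session.connect", "src_ip": "198.51.100.7",
     "geoip": {"country_name": "United States"}, "dest_port": 23},
    {"type": "Dionaea", "eventid": "dionaea.connection", "src_ip": "192.0.2.55",
     "geoip": {"country_name": "Germany"}, "dest_port": 445},
]


def top_attackers(events, n=10):
    """Attack Map column 2: source IPs ordered by number of events."""
    return Counter(e["src_ip"] for e in events).most_common(n)


def top_countries(events, n=10):
    """Attack Map column 3: countries ordered by number of events."""
    return Counter(e["geoip"]["country_name"] for e in events).most_common(n)


def attacks_by_country_pct(events):
    """'Attacks by Country' panel: each country's share of all events, in percent."""
    counts = Counter(e["geoip"]["country_name"] for e in events)
    total = sum(counts.values())
    return {c: round(100 * v / total, 1) for c, v in counts.items()}


def country_port_pct(events):
    """'Attacks by Country and Port' panel: per country, share of events per port."""
    per_country = {}
    for e in events:
        per_country.setdefault(e["geoip"]["country_name"], Counter())[e["dest_port"]] += 1
    return {
        c: {p: round(100 * v / sum(ports.values()), 1) for p, v in ports.items()}
        for c, ports in per_country.items()
    }


def tagcloud(events, field, n=10):
    """Username/Password Tagcloud: how often each credential value was tried.

    Events without the field (connection events, non-SSH honeypots) are skipped.
    """
    return Counter(e[field] for e in events if field in e).most_common(n)


def login_attempts_for(events, username):
    """What the Elasticvue search for a username returns: only Cowrie login
    events whose username matches, case-insensitive (so 'Admin' finds 'admin')."""
    wanted = username.lower()
    return [e for e in events
            if e.get("eventid", "").startswith("cowrie.login.")
            and e.get("username", "").lower() == wanted]


if __name__ == "__main__":
    print("top attackers:", top_attackers(EVENTS, 3))
    print("top countries:", top_countries(EVENTS, 3))
    print("attacks by country %:", attacks_by_country_pct(EVENTS))
    print("country/port %:", country_port_pct(EVENTS))
    print("username cloud:", tagcloud(EVENTS, "username"))
    print("password cloud:", tagcloud(EVENTS, "password"))
    print("login attempts as Admin:", len(login_attempts_for(EVENTS, "Admin")))
```

The tag cloud functions deliberately count every attempt rather than distinct sources, which is why one noisy IP can dominate the word cloud; when tuning alerts, compare `tagcloud` with the distinct-source view from `top_attackers` before reading the cloud as a measure of how widespread a credential is.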
## Spiderfoot

- Click on "Spiderfoot" on the T-POT web interface.
- Click on "New Scan" in the upper-right corner.
- Fill in the information:
  - Scan Name: scan
  - Scan Target: 119.156.102.230 (I will use the IP address from Pakistan seen earlier)
- Click on "Run Scan Now".
- After the scan completes, the summary displays the data types that were found.
- Navigate to the "Browse" section, which presents the full range of data types available on the internet that are associated with the specified IP address.
# Concluding the Project
To avoid any potential future charges, I need to remove the resource group in which I deployed the virtual machine and honeypot.
- Navigate to the honeypot VM.
- In Overview click on "Delete".
- Check all the boxes and click on "Delete".
- Click on "Delete resource group".
- Enter in the resource group name: "Honeypot".
- Click on "Delete".
- Confirm the Delete by clicking on "Delete".