Browser Honey-Pot Setup

TL;DR

Turning a browser into a honey-pot involves configuring it to attract and log malicious activity without actually harming your system. This guide shows how to set up a basic, isolated environment for this purpose using virtualization and browser settings.

1. Virtual Machine Setup

The safest way to run a honey-pot browser is within a virtual machine (VM). This isolates any potential threats from your main operating system.

  1. Choose a Hypervisor: Popular options include VirtualBox (free) and VMware Workstation Player (free for personal use).
  2. Install an Operating System: Use a lightweight Linux distribution like Ubuntu Server or Debian. A minimal installation is best to reduce the attack surface.
  3. Networking: Configure the VM’s network adapter in bridged mode if you want it directly reachable on your network (which makes it a more realistic target). Otherwise, use NAT for isolation.

2. Browser Installation

Install a browser within the VM. Older versions are often targeted by exploits, making them good candidates.

  1. Download and Install: Download an older version of Firefox or Chrome from archive websites (e.g., FileHippo).
  2. Disable Auto-Updates: Crucially, disable automatic updates to prevent the browser from patching vulnerabilities that you want to monitor.

3. Configure Browser Settings for Attraction

Make the browser more appealing to attackers by enabling features they often look for.

  1. Enable JavaScript: Most exploits rely on JavaScript. Ensure it’s enabled in your browser settings.
  2. Install Common Plugins (if applicable): Older browsers may use plugins like Flash or Java. Install these, but *do not* update them!
  3. Accept All Cookies: This can make the browser appear more ‘real’ to attackers.

4. Logging and Monitoring

This is the core of your honey-pot. You need to capture activity within the browser.

  1. Browser Developer Tools: Use the browser’s built-in developer tools (usually accessed by pressing F12) to monitor network requests, JavaScript execution, and console output.
  2. Network Traffic Capture: Use a tool like tcpdump or Wireshark within the VM to capture all network traffic.
    sudo tcpdump -i any -w /tmp/browser_traffic.pcap

    This saves captured packets to a file you can analyze later.

  3. System Logs: Monitor system logs (e.g., /var/log/syslog on Ubuntu) for suspicious activity related to the browser process.
  4. Consider a Web Proxy: Setting up a web proxy like Burp Suite within the VM allows you to intercept and analyze HTTP traffic in detail.

5. Exposure (Optional, Use with Caution!)

To attract attacks, you need to make your honey-pot browser accessible.

  1. Port Forwarding: If using bridged networking, forward port 80 and/or 443 on your router to the VM’s IP address.
  2. Publicly Accessible URL (Advanced): Consider a dynamic DNS service if you don’t have a static IP address.
  3. Be Aware of Risks: Exposing a vulnerable browser to the internet carries risks. Monitor it *very* closely and be prepared to shut it down immediately if compromised.

6. Analysis

Regularly analyze the logs and captured traffic for malicious activity.

  • Look for Suspicious URLs: Identify requests to known malware domains or phishing sites.
  • Analyze JavaScript Code: Examine any downloaded JavaScript code for obfuscated scripts or attempts to exploit vulnerabilities.
  • Check for Exploits: Search for patterns associated with common browser exploits in the captured traffic and system logs.
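As an added example (not part of the original guide), the following Python script applies the three checks above to captured material: a blocklist lookup and bare-IP check on request URLs, and regex plus entropy heuristics on script bodies. The blocklist domains, sample URLs and script fragments are constructed placeholders, and the entropy threshold is an assumed starting value to tune against your own captures.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed blocklist with placeholder domains; swap in a real threat feed.
KNOWN_BAD_DOMAINS = {"malware.example", "phish.example"}
# Constructed stand-ins for requests and scripts pulled from the pcap or dev tools.
SAMPLE_URLS = [
    "https://news.example/index.html",
    "http://malware.example/loader.php?id=42",
    "http://203.0.113.7/x.js",  # bare-IP host, unusual for a normal site
]
SAMPLE_SCRIPTS = {
    "index.js": "document.getElementById('hdr').textContent = 'Hello';",
    "x.js": "eval(unescape('%75%6e%65%73%63%61%70%65'));"
            + "".join("\\x%02x" % b for b in b"AAAABBBBCCCCDDDD"),
}
# Constructs that ordinary page scripts rarely need but packers and droppers lean on.
OBFUSCATION_PATTERNS = {
    "eval": r"\beval\s*\(",
    "unescape": r"\bunescape\s*\(",
    "fromCharCode": r"String\.fromCharCode",
    "hex-escape run": r"(\\x[0-9a-fA-F]{2}){8,}",
}

def shannon_entropy(text):
    """Bits per character: packed or encoded blobs score higher than plain code."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def flag_url(url):
    """Reasons a request made by the honey-pot browser deserves a closer look."""
    host = urlparse(url).hostname or ""
    checks = [("known bad domain", host in KNOWN_BAD_DOMAINS),
              ("raw IP host", re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None)]
    return [name for name, hit in checks if hit]

def flag_script(body, entropy_threshold=5.0):
    """Reasons a captured script looks obfuscated; the threshold is a tuning knob."""
    reasons = [name for name, pat in OBFUSCATION_PATTERNS.items() if re.search(pat, body)]
    if shannon_entropy(body) > entropy_threshold:
        reasons.append("high entropy")
    return reasons

def triage(urls, scripts):
    """Map each suspicious URL or script name to its reasons; clean items are dropped."""
    findings = {u: flag_url(u) for u in urls}
    findings.update({name: flag_script(body) for name, body in scripts.items()})
    return {k: v for k, v in findings.items() if v}
```

Calling triage(SAMPLE_URLS, SAMPLE_SCRIPTS) returns only the blocklisted URL, the bare-IP URL and x.js, each with the reasons that fired, so the clean request and script are filtered out of the review queue.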