She tested the next target. Malformed ICMP. The response came back in 0.3ms—too fast for any real kernel. Honeypot.
She replicated it: a Python script that encoded her meterpreter shell into DNS TXT queries. The firewall’s deep inspection saw DNS, yawned, and let it pass. On the target, she typed whoami . root. The firewall had just held the door open for the intruder.
Then came the masterclass: Honeypot as a weapon. She tested the next target
ip_frag 8 tcp_seg 12 delay 500ms She ran the scan again. The packets left her machine looking like a jigsaw puzzle scattered by the wind. On the monitoring screen, Snort yawned. No alerts. Just fragmented noise. The instructor smiled on-screen. "The sensor sees only the pieces. And pieces are never malicious."
She started with reconnaissance— without scanning. She used the TTL trick from earlier, sending single crafted ICMP packets with low TTLs to map the firewall’s hop count. She found the border firewall at hop 2. The HR server at hop 5. No alerts. Honeypot
He walked away. Maya sat frozen for a moment, then laughed softly. She reopened the course homepage. A new module had unlocked: "Advanced Deception: Building Your Own Honeypots."
The next morning, Viktor stopped by her desk. "I saw your final exam run," he said, almost smiling. "The SOC didn't even blink. You walked right past the firewall, used a honeypot's own fake credentials to blindside it, and made Snort drop half your packets." On the target, she typed whoami
Most firewalls allow outbound SSH (port 22) and DNS (port 53). He showed her how to tunnel a reverse shell over DNS requests. "Firewalls trust DNS," he said. "After all, how else will users resolve google.com?"