Honeypots
TO KNOW YOUR ENEMIES
Adel Karimi
The Honeynet Project
Speaker
Adel Karimi
Member of The Honeynet Project (Iranian Chapter Lead)
Editor-in-chief of Snoop Security Ezine
M.S. Student @ Tehran Polytechnic
Agenda
About The Honeynet Project
Introduction to Honeypots
High-Interaction Honeypots
Low-Interaction Honeypots
Client Honeypots
~ 40 International Chapters
Past Challenges:
Challenge 6 - Analyzing Malicious Portable Destructive Files
Challenge 5 - Log Mysteries
Challenge 4 - VoIP
Challenge 3 - banking troubles
Challenge 2 - browsers under attack
Challenge 1 - pcap attack trace
Honeypots
Definition: A honeypot is a security resource whose value lies in being probed, attacked, or compromised.
- Lance Spitzner
A honeypot has no production value, so anything going to or from it is likely a probe, attack or compromise.
Honeypots
Uses of honeypots
Slowing down and following incoming attackers
Catching and analyzing 0-days, malware, botnets, and so on
Improving intrusion detection systems
SurfIDS
Nebula (an intrusion signature generator)
To learn the tools, tactics and motives involved in computer and network attacks.
SurfIDS
Honeypots
Honeypot vs. IDS
Honeynet:
A network of [High-Interaction] honeypots
Main requirements:
Data Control
Data Capture
Data Analysis
Data Collection
Types of Honeypots
Production vs. Research honeypots:
Production honeypots protect an organization, while research honeypots are used to learn.
Different Types:
High-Interaction
Real environment
Low-Interaction
Simulated resource(s)
High-Interaction Honeypots
Honeywall
For capturing, controlling and analyzing attacks
It creates an architecture that allows you to deploy both LI and HI honeypots, but is designed primarily for HI.
Layer 2 bridging device (based on CentOS 5)
Tools:
iptables
snort_inline
Snort
Hflow
p0f
Argus
Sebek
Walleye
Honeywall
High-Interaction Honeypots
SEBEK
For data capture
Hidden kernel module that captures all activities
High-Interaction Honeypots
Qebek (QEMU Sebek)
A QEMU-based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers' activities in HI honeypots. Two techniques: virtual machine introspection (VMI) and system view reconstruction (SVR).
VMI enables the IDS or other security system to monitor system events from outside the virtual machine, while SVR allows the monitoring system to reconstruct meaningful high-level OS information from the raw hardware-level information generated by VMI.
Read the recently published KYT paper, Qebek - Conceal the Monitoring
- The paper is available from http://honeynet.org/papers/KYT_qebek
Low-Interaction Honeypots
Honeyd
Written by Niels Provos in 2002. Available at www.honeyd.org
Features:
Simulates thousands of virtual hosts at the same time
Configuration of arbitrary services via simple configuration file
Simulates operating systems at TCP/IP stack level
Tarpit
Dynamic templates
Subsystem virtualization:
Run real UNIX applications under virtual Honeyd IP addresses
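As an added example (not from the slides or the Honeyd project), a Honeyd configuration file that exercises each feature listed above: personalities for stack-level OS simulation, scripted services, a tarpit, subsystem virtualization and a dynamic template. The addresses, the web script path and the sshd path are assumptions.

```conf
# Catch-all template for addresses that are not explicitly bound:
# every unexpected probe is silently dropped.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Simulated Windows host. The personality makes Honeyd answer with the
# TCP/IP stack fingerprint of that OS, so a scanner sees "Windows XP".
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows uptime 3284460
set windows default tcp action reset
set windows default udp action reset
# Arbitrary service emulated by a script (path assumed).
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 445 open
# Tarpit: accept the connection but hold it open with a tiny window,
# slowing down a scanning worm without running any service.
add windows tcp port 135 tarpit open

# Simulated Linux host running a real application under a virtual IP
# (subsystem virtualization): Honeyd redirects the program's listening
# socket onto the template's address. Binary path assumed.
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux subsystem "/usr/sbin/sshd -D" shared restart

# Dynamic template: which personality a probe sees depends on who asks.
dynamic magichost
add magichost use windows if source os = "windows"
add magichost use linux if source ip = 10.0.0.0/8
add magichost otherwise use default

# Bind the virtual hosts to unused addresses on the monitored segment
# (constructed addresses).
bind 192.168.1.201 windows
bind 192.168.1.202 linux
bind 192.168.1.203 magichost
```

Because the honeypot addresses carry no production traffic, every connection Honeyd logs against them is a probe worth investigating.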
Low-Interaction Honeypots
Nepenthes
Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities.
(Excerpt from Nepenthes website)
Nepenthes is outdated
Do not use Nepenthes, use Dionaea instead. Read why: http://carnivore.it/2009/10/27/introducting_dionaea
PHARM is a client/server tool to manage, report and analyze all your distributed Nepenthes instances from one interface.
Low-Interaction Honeypots
Mwcollect
mwcollectd is a versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
Low-Interaction Honeypots
Dionaea
Nepenthes' successor. Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network.
Features:
Static state machines to emulate vulnerable services
Pattern matching to extract values from shellcode
Download copies of the attacking worm
Store on disk, or submit to a sandbox
Dionaea
Features:
Implements required parts of the SMB protocol
Uses libemu (beyond pattern matching)
Fewer services, better emulation and better logging
Low-Interaction Honeypots
Amun
A Python Honeypot
Basically a Nepenthes port to Python
Amun
A sample of collected attack data from Amun:
Amun
DEMO
Using Metasploit to launch an attack against Amun (MS08-067)
Source: http://amunhoney.sourceforge.net
Low-Interaction Honeypots
A new approach..
Client Honeypots
What is a HoneyClient!?
Drive-by Download Attacks
Source: http://www.honeynet.org/papers/mw
SSH Honeypot
Kippo Kojoney
Conclusion
You can use Honeypots to know your enemies..!
Collecting malware
Tracking botnets
Virtual Honeypots: From Botnet Tracking to Intrusion Detection, by Niels Provos and Thorsten Holz
Thank You..