
The Honeypot Project

By
Itzik Jislin
Yiftach Benjamini
Supervisor: Ben Bershtein

Introduction

What is a Honeypot?

"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." - Lance Spitzner

Honeypot Overview
A Honeypot has no functional value.
A Honeypot does not do anything active. Its value lies in the knowledge that any access to the Honeypot is probably malicious.
In a perfectly safe network a Honeypot should see no traffic at all.

Honeypot Overview - Advantages

Small data sets of high value
Very flexible
Does not rely on a fixed database (like Anti-Virus software). Allows the detection of new and unknown methods and tools.

Minimal resources
Since Honeypots are not intended to actually serve a multitude of clients, they need very few resources.

Simple
Honeypots are simple to install and maintain.

Honeypot Overview - Disadvantages

Limited view
A Honeypot can observe only interaction with itself. It is not a sniffer and cannot log actions against other functional systems in the network.

Risk
Depending on the type of the Honeypot the risk can be greater or lesser. But there is always a risk to the network when a multitude of servers are active in it.

Honeypots Overview - Types

Low-Interaction
Simulates some network services (HTTP, Telnet, FTP, etc.)
Very low risk (interaction is only with a simulation)
Less flexible (can only simulate what was programmed)
Easier to identify
Examples are: Specter, honeyd, our project

Honeypots Overview - Types

High-Interaction (Sacrificial Lamb)
Real servers running some kind of logging software
High risk (attacker is working with the real thing)
Almost impossible to identify

Honeypots Overview - Honeynets

Overview - But what good is it?

Collect data
Allows researching attackers' methods and tools and developing counter-tools.

Prevention
Sticky Honeypots slow down attackers' scanning by responding slowly.
If the use of Honeypots is publicly known it might deter hackers from attacking the network for fear of being caught.

Overview - But what good is it?

Detection and Response
If a Honeypot detects suspicious activity it can send an e-mail or SMS to a network administrator.
A Honeypot is a non-essential system, so taking it offline in order to analyze damage done by an attack will be less harmful and disruptive to the functionality of the network.

Overview - But what good is it?

Counter Attack
A Honeypot could be configured to actively respond when it detects attacks coming from systems within its network. For instance, if it detects worm activity from some system in the network it can quarantine the system, shut it down, or even use some routine to purge the worm.

Overview - Threats
Viruses
Pieces of software that attach to innocent files. Consume computer resources and may be even more malicious (deleting files, ruining hardware, etc.). Rely on social engineering for spreading.

Worms
Self-propagating code. Searches for communication vulnerabilities and uses them to infect more computers at an exponential rate.

Overview - Threats
Humans
White Hats - Good hackers searching for vulnerabilities in order to report them and increase security awareness.
Black Hats - Hackers with personal gain or mayhem in mind. Break into systems in order to steal or corrupt data.
Script Kiddies - Tool users. No real understanding of what they are doing. Techniques usually include scanning for a system and then hammering it with various tools in order to find a vulnerability.

Our Solution
The path to implementation

Phase I - How to simulate an IIS?

Fingerprinting using HMAP

HMAP vs. www.technion.ac.il

HMAP vs. Our Honeypot

Phase II - How do you hack a web server?

Directory traversal (double decode)
Buffer Overflow (Code Red)
Malformed SQL statements

Phase II - How do you hack a web server?

Look for directories set up by default with execute permissions.
These directories may also hold default scripts that contain vulnerabilities.
Find them by sending requests like these:

GET /frick.html HTTP/1.0
GET /scripts/ HTTP/1.0
GET /_vti_pvt/ HTTP/1.0
GET /cgi-bin/GetFile.cfm HTTP/1.0
Etc.

Phase II - How do you hack a web server?

If we find such a directory we can send malicious strings that use known vulnerabilities such as the double decode directory traversal attack.
Our mission is to execute the cmd.exe program that will get us root access to the computer.

Phase II - How do you hack a web server?

Example:
Send the string:
/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:

Since the ../../../ attack is well known, the server checks for it (and can't find it in this string).
Then it decodes the string, changing %35 to 5 and %63 to c. Now we have:
/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:

Now it realizes it forgot to decode %5c, which surprisingly decodes to a /:
/../../../../winnt/system32/cmd.exe?/c+dir+c:

Now we have root permissions.
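The two-stage decoding walked through above, seen from the honeypot's side: this is an added Python illustration written for this page, not code from the project (which is Visual C++). The standard library's unquote() is applied once per stage and the traversal check is run on every stage, which is what a single check on the raw request misses. The three sample paths are constructed; the first is the string from the slide. Note that %5c actually decodes to a backslash, which IIS on Windows accepts as a path separator, so the pattern looks for both separators.

```python
import re
from urllib.parse import unquote

# Constructed sample requests: the first is the double-encoded traversal
# string from the slides, the other two are there for contrast.
SAMPLE_PATHS = [
    "/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:",
    "/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:",
    "/index.htm",
]

# Either separator counts: IIS on Windows accepts "\" as well as "/".
TRAVERSAL = re.compile(r"\.\.[/\\]")


def decode_stages(path, rounds=2):
    """Return [raw, after 1st decode, after 2nd decode, ...].

    unquote() only translates well-formed %XX escapes, so "%%35%63"
    becomes "%5c" on the first pass and "\\" on the second, which is
    exactly the two-stage behaviour the slides describe.
    """
    stages = [path]
    for _ in range(rounds):
        stages.append(unquote(stages[-1]))
    return stages


def classify(path):
    """Return (verdict, stage): the decoding round at which a traversal
    sequence first appears, or ("benign", None) if none is found.

    Checking only stage 0 is what the vulnerable server did; checking
    every stage is what the honeypot needs in order to log the attempt.
    """
    for stage, text in enumerate(decode_stages(path)):
        if TRAVERSAL.search(text):
            return "traversal", stage
    return "benign", None


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        verdict, stage = classify(p)
        print(f"{verdict:9} stage={stage} {p}")
```

For the slide's string the verdict only appears at stage 2; a check after a single decode would still report it as clean, which is the whole point of the attack.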

Simulating Port Scanning

Knocker - FrontEnd port scanner

Vulnerabilities check
N-Stealth Security Scanner

Phase III - Implement

Based On
Visual C++ .net
Visual Basic .net (GUI)
Winsock2
ODBC

Honeypot Architecture - Deployment
[Deployment diagram; labels: Attacker, Network Scan]

Honeypot Architecture
The program is divided into two main applications.
GUI - Allows an easy way of starting and stopping the servers, searching through collected data and displaying statistics.
Honeypot_Core - Creates and maintains the servers. Collects the data from the users and updates the databases.

Honeypot Architecture - Block Diagram

Honeypot Architecture
Communication between GUI and core is done over Winsock.
Why Winsock?
Answer:
There were many available options: RPC, signaling, shared memory, and much more.
We wanted to allow for the expansion of the deployment scheme. Suppose you want to run multiple instances of the core on different computers. Using Winsock allows running the GUI on one machine while controlling others over the network.

Honeypot Architecture - Classes

Honeypot Architecture - Classes

myDb
A class used as an interface with our ODBC database.
Functions:
Connect to the db
Disconnect from the db
Insert data into a table in the db

Honeypot Architecture - Classes

mySock
A class used as an interface with the winsock2 objects.
Functions:
Create a new socket
Set socket options (timeout)
Connect to a server
Accept (listen for) new connections
Send data
Receive data
Close socket

Honeypot Architecture - Classes

myServer
A class used to create and maintain server objects. New servers are created by inheritance and need to implement the serveClient virtual function.
The implementation allows an easy way to add new services in the future.
Functions:
Create and init a server
Start the server
Stop the server

Honeypot Architecture - myServer

Honeypot Architecture - HTTPServer

The purpose is to catch malicious HTTP strings sent as innocent requests.
The HTTP server emulates a Microsoft IIS 5.0 web server.
The emulation displays only one page, taken from index.htm.
The Honeypot is completely safe from all attacks since it does not actually try to execute any commands sent at it. Its default response is "Not implemented".
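The HTTPServer behaviour described on this slide, together with the myServer shape from the Classes slides (a base server that owns start/stop and a per-client routine the subclass supplies), as an added Python example written for this page; it is not the project's code, which is Visual C++ over Winsock. Only GET / and GET /index.htm return the page, every other request line is logged verbatim and answered with 501 Not Implemented, so nothing sent to it is ever acted upon. INDEX_HTM, the local port 8080 and the "Microsoft-IIS/5.0" Server header value are assumptions made for the example.

```python
import datetime
import socket
import socketserver
import threading

# Constructed stand-in for the single page the emulation serves (index.htm).
INDEX_HTM = b"<html><body><h1>Welcome</h1></body></html>"
# Assumption: banner value sent in the Server header of the emulated IIS 5.0.
SERVER_HEADER = b"Microsoft-IIS/5.0"
REASONS = {200: b"OK", 501: b"Not Implemented"}


def handle_request(raw):
    """Parse one raw HTTP request and return (record, response_bytes).

    record is what the honeypot stores: the request line is logged exactly
    as received, so a malicious string hidden in an innocent-looking
    request is captured verbatim.  Only GET / and GET /index.htm get the
    page; anything else is answered with 501 and never executed.
    """
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    method = parts[0] if parts else b""
    target = parts[1] if len(parts) > 1 else b""
    if method == b"GET" and target in (b"/", b"/index.htm"):
        status, body = 200, INDEX_HTM
    else:
        status, body = 501, b"Not Implemented"
    record = {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "request": request_line.decode("latin-1"),
        "status": status,
    }
    headers = (
        b"HTTP/1.1 %d %s\r\n" % (status, REASONS[status])
        + b"Server: " + SERVER_HEADER + b"\r\n"
        + b"Content-Type: text/html\r\n"
        + b"Content-Length: %d\r\n" % len(body)
        + b"Connection: close\r\n\r\n"
    )
    return record, headers + body


class HttpHandler(socketserver.BaseRequestHandler):
    """Per-connection handler, playing the role of myServer's serveClient."""

    def handle(self):
        raw = self.request.recv(4096)
        record, response = handle_request(raw)
        record["peer"] = self.client_address[0]
        self.server.log.append(record)
        self.request.sendall(response)


class HttpHoneypot(socketserver.ThreadingTCPServer):
    """Create / start / stop mirror the myServer interface on the slides."""

    allow_reuse_address = True

    def __init__(self, address=("127.0.0.1", 8080)):
        super().__init__(address, HttpHandler)
        self.log = []  # in the project this would go to the ODBC database via myDb

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def stop(self):
        self.shutdown()
        self.server_close()


if __name__ == "__main__":
    honeypot = HttpHoneypot()
    honeypot.start()
    # One benign and one probing request against the running emulation.
    for req in (b"GET / HTTP/1.0\r\n\r\n", b"GET /scripts/ HTTP/1.0\r\n\r\n"):
        with socket.create_connection(("127.0.0.1", 8080)) as client:
            client.sendall(req)
            print(client.recv(4096).decode("latin-1").split("\r\n")[0])
    honeypot.stop()
    for entry in honeypot.log:
        print(entry)
```

handle_request is kept free of sockets so the response logic can be tested without binding a port; the socketserver subclass only supplies the accept loop and the log that the project's core would push into its database.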

Honeypot Architecture - HTTPServer

Honeypot Architecture - TELNETServer
The purpose is to observe the usernames and passwords attackers will try when hacking a telnet server.
This will allow the creation of a commonly used passwords database so that users can be advised (or required) as to what passwords not to use.
It can also help detect stolen passwords.
The server emulates nothing more than the login handshake.
All logins fail.
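The login handshake described on this slide as a state machine, plus the tally that turns the recorded attempts into the "passwords not to use" list: an added Python example written for this page, not the project's code. One instance handles one client, asks for a username and then a password, records the pair, reports failure and asks again; no login ever succeeds. Telnet option negotiation (IAC sequences, RFC 854) is stripped first so only what the client typed is recorded. The banner and prompt strings, the peer address 192.0.2.10 and the client input are constructed for the example.

```python
import datetime
from collections import Counter

# Telnet protocol constants (RFC 854).
IAC, SB, SE = 255, 250, 240
OPTION_COMMANDS = (251, 252, 253, 254)  # WILL, WONT, DO, DONT

# Assumed prompt text; the exact strings the project used are not on the slides.
BANNER = b"Welcome to Microsoft Telnet Service\r\n\r\n"
LOGIN_PROMPT = b"login: "
PASSWORD_PROMPT = b"password: "
FAILURE = b"Login Failed\r\n\r\n"


def strip_iac(data):
    """Remove telnet option negotiation so only the typed characters remain.
    Assumes each IAC sequence arrives whole within one read."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:  # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] in OPTION_COMMANDS:
            i += 3                                       # IAC <cmd> <option>
        elif i + 1 < len(data) and data[i + 1] == SB:    # subnegotiation ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                                       # IAC <cmd> without option
    return bytes(out)


class TelnetLoginEmulator:
    """Login handshake for one client: ask for a username, then a password,
    record the pair, report failure and ask again.  Nothing ever succeeds."""

    def __init__(self, peer, attempts):
        self.peer = peer
        self.attempts = attempts   # shared list; the core would write it to the db
        self.state = "username"
        self.username = b""
        self.buffer = b""

    def greeting(self):
        return BANNER + LOGIN_PROMPT

    def feed(self, data):
        """Consume bytes from the client and return the bytes to send back."""
        self.buffer += strip_iac(data)
        reply = b""
        while b"\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\n", 1)
            reply += self._handle_line(line.rstrip(b"\r"))
        return reply

    def _handle_line(self, line):
        if self.state == "username":
            self.username = line
            self.state = "password"
            return PASSWORD_PROMPT
        self.attempts.append({
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "peer": self.peer,
            "username": self.username.decode("latin-1"),
            "password": line.decode("latin-1"),
        })
        self.state = "username"
        return FAILURE + LOGIN_PROMPT


def top_passwords(attempts, n):
    """Most frequently tried passwords: the raw material for the
    'passwords not to use' list the slide mentions."""
    return Counter(a["password"] for a in attempts).most_common(n)


if __name__ == "__main__":
    log = []
    session = TelnetLoginEmulator("192.0.2.10", log)   # constructed peer address
    print(session.greeting().decode())
    # Constructed client input, starting with a WILL TERMINAL-TYPE negotiation.
    for chunk in (b"\xff\xfb\x18admin\r\n", b"pass", b"word\r\n", b"root\r\npassword\r\n"):
        print(session.feed(chunk).decode(), end="")
    print(log)
    print(top_passwords(log, 1))
```

feed() is line-buffered, so a password that arrives split across two reads is still recorded as one attempt, and a chunk carrying several lines drives the state machine through all of them.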

Honeypot Architecture - TELNETServer

Honeypot Architecture - Communication Flow

Demonstration

Summary

Summary
Honeypots are a cheap and simple way to add protection to a network.
Honeypots allow the study of attackers' methods of operation, and help in developing new ways of countering them.

Possible Future Additions

More services such as FTP, messenger, P2P applications
Allow administration of multiple servers via network
Add the ability to answer as different IP addresses
Emulate different kinds of web servers other than IIS
Emulate a more complex telnet session

Thanks!
We wish to thank:

Ben for his help and endless patience
Ilana and the Tochna lab team
Our families
