Apr-16-09 presentation name 1
Honeypots / honeynets
Agenda
• Honeypots
• Honeynets
• Honeywall
Traffic
Problem:
• Vast quantities of normal traffic
• Find the suspect bits
Honeypot
• Machine without a normal task
• That is never mentioned
So:
• Machine that gets no normal traffic
• Every network packet is suspect
With:
• Contained environment
• IDS (snort) and logging
Where
• Anywhere within the net, no specific place
• Built like a production machine, without function
Definition
A honeypot is a [sacrificial] security resource whose value lies in being probed, attacked or compromised.
Source: "Honeypots: Tracking Hackers", Lance Spitzner, 2002 (book)
History
1990: real systems
• Deploy unpatched systems in default config on an unprotected network ('low-hanging fruit')
• Easy to deploy
• High-interaction, high-risk
• Nice reading: "The Cuckoo's Egg" by Clifford Stoll
1998: service / OS emulation
• Deception Toolkit, CyberCop Sting, KFSensor, Specter
• Easy to deploy
• Low-interaction, low-risk
1999-current: virtual systems
• Honeyd, Honeywall, Qdetect, Symantec Decoy Server (!'03/'04)
• Less easy to deploy
• Mid / high-interaction, mid / high-risk
History of the Honeynet Project
• 1999: Lance Spitzner (Sun) founds the Honeynet Project
• 1999-2001, GenI: PoC, L3 + (modified IP headers)
• 2001-2003, GenII: GenI + bridging (no TTL decrement, harder to detect)
• 2003: Release of Eeyore Honeywall CD-ROM
• 2003-current, GenIII: GenII + blocking (Honeywall)
• 2005: Release of Roo Honeywall CD-ROM
• future: 'GenIV' refers to next-gen analysis capabilities
Honeynet.org is home to the 'KYE papers'.
Take care!
• Machine must look real, or clearly fake
• Outside traffic possible
• Capture all traffic, analyse
• Special restrictions on outgoing traffic
• Everything is allowed
• Low bandwidth (tarpit)
Purpose
Research
• Attract blackhats
• Reveal blackhat tactics, techniques, tools (KYE)
• Reveal motives / intentions (?)
• Mostly universities, governments, ISPs
Protection
• Deter blackhats from real assets
• Provide early warning
• Mostly governments, large enterprises
Purpose may determine honeypot functionality and architecture
Definitions
Definition: A honeynet is a network of [high-interaction] honeypots.
Definition: A honeywall is a layer-2 bridge that is placed in-line between a network and a honeynet, or between a network and a honeypot, to uni- or bidirectionally capture, control and analyze attacks.
Definition: A honeytoken is a honeypot which is not a computer.
Functional requirements of a honeypot
• Data control
• Data capture
• Data collection
• Data analysis
Entrapment
• Applies only to law enforcement
• Useful only as defence in criminal prosecution
• Still, most legal authorities consider honeypots non-entrapment
Responsibility for everything done from our net
Low vs. High interaction
Low interaction
• Burglar alarm
• Not to learn about new attacks
• Simple
High interaction
• Research
• Look at new things
• Anatomy of a new exploit
• Invest resources (manpower)
Realness
• Make things look real
• Windows services
• Windows exploits
• But a Solaris network stack
How to organise
• Honeypot is more than an unpatched host
• See what happens
• Containment
• Check logs
• Limit outgoing traffic
Don't try this without thought!
Honeyd
http://www.honeyd.org
• Framework
• Config file
• Scripts for emulated services
  • Internal (python interpreter in honeyd)
  • External (external process)
  • stdin + stdout = net, stderr = syslog
• Acts using nmap fingerprints
honeyd
Honeyd
• Run on a single IP address
  • Several services on one address
• Run as honeynet
  • Several hosts on several addresses
• Attract traffic
  • Static route in router
  • Have honeyd ARP on the addresses
Containment
• Honeywall
• Appliance
• Based on unix
• 3 network interfaces
  • Management
  • Data (inside / outside bridge)
Sebek: spying on your intruder
Honeynet.org: "Sebek is a tool designed for data capture, it attempts to capture most of the attacker's activity on the honeypot, without the attacker knowing it (hopefully), then sends the recovered data to a central logging system."
• Linux kernel module that hooks sys_read()
• Covertly sends captured data to the honeywall (UDP)
• Recovers keystrokes, uploaded files, passwords, IRC chats, even if they are encrypted by SSH, IPSec or SSL.
Sebek
Honeynet Requirements
• Data Control
• Data Capture
http://old.honeynet.org/alliance/requirements.html
Gen II honeynet
No Data Control
Data Control
Honeynet Bridge
[Diagram: Internet - Eth0 (NO IP) - honeywall - Eth1 (NO IP) - honeynet (129.252.140.3, 192.252.140.7); Eth2 (129.252.xxx.yyy) is the administrative interface, SSH connections from trusted hosts]
What is Data Control and why?
• Process used to control or contain traffic to a honeynet
• Upstream liability: an attack from one of your honeypots
• Snort-inline: South Florida Honeynet Project
Connection Limiting Mode
[Diagram: Enemy - Hub - Data Control (Snort-Inline, IPTables); IPTables DROPs once Packet No = 10]
Snort-Inline Drop Mode
[Diagram: Enemy - Hub - Data Control (Snort-Inline); IPTables hands packets to Snort-Inline via ip_queue, Snort rules = Drop, IPTables drops]
Snort-Inline Replace Mode
[Diagram: Enemy - Hub - Data Control (Snort-Inline); IPTables hands packets to Snort-Inline via ip_queue, Snort rules = Replace, e.g. bin/sh -> ben/sh]
GEN II Data Control
Gen II:
• Incorporates a firewall and IDS in one system
• Provides more stealthy data control
• Can be implemented for layer 2 bridging or layer 3 NAT translation
• Packets passed from internet to honeynet as layer 2 (datalink) layer packets
  • no TTL decrement
  • invisible
IPTables for GEN II Honeynet
• IPTables is a free, stateful, Open Source firewall for Linux 2.4.x and 2.5.x kernels
• Each packet header is compared to a set of "chains"
• Chains contain rules: ACCEPT, DROP, REJECT, QUEUE
• Custom chains: tcpHandler, udpHandler, icmpHandler
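As an added example that is not the Honeywall's own rc.firewall, the three data-control modes from the diagrams above (connection limiting, Snort-inline drop and replace) in one iptables script using the custom chains named on this slide. Interface names, the honeynet prefix, the hourly limits and the snort_inline rules are assumptions.

```shell
#!/bin/sh
# Added example, not the Honeywall's own rc.firewall: GenII data control on a
# bridging honeywall.  Inbound traffic passes, new outbound connections from the
# honeypots are counted per protocol in tcpHandler/udpHandler/icmpHandler
# (connection limiting mode) and survivors go to snort_inline through ip_queue
# (drop / replace mode).  Interfaces, prefix, limits and rules are assumptions.
IPT="${IPT:-iptables}"                      # IPT=echo prints instead of applying
HONEYNET="${HONEYNET:-192.168.100.0/24}"    # constructed honeypot subnet
INSIDE=eth1; OUTSIDE=eth0                   # bridge legs, neither has an IP
TCP_LIMIT=10; UDP_LIMIT=20; ICMP_LIMIT=50   # new outbound connections per hour

# Per-protocol handler: the first $2 new connections per hour are queued to
# snort_inline for inspection, everything beyond that is logged and dropped.
limit_chain() {
    $IPT -A "$1" -m limit --limit "$2/hour" --limit-burst "$2" -j QUEUE
    $IPT -A "$1" -j LOG --log-prefix "honeywall limit $1: "
    $IPT -A "$1" -j DROP
}

# Bridged frames traverse FORWARD on a bridge-nf kernel; no TTL is decremented.
setup_data_control() {
    $IPT -F FORWARD
    for chain in tcpHandler udpHandler icmpHandler; do
        $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"
    done
    # outside -> inside: no restrictions, the honeypots are meant to be hit
    $IPT -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d "$HONEYNET" -j ACCEPT
    # inside -> outside: packets of accepted connections still pass through
    # snort_inline so the drop/replace rules see them; new ones hit the handlers
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$HONEYNET" \
        -m state --state ESTABLISHED,RELATED -j QUEUE
    for proto in tcp udp icmp; do
        $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$HONEYNET" -p "$proto" \
            -m state --state NEW -j "${proto}Handler"
    done
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -j DROP   # anything else
    limit_chain tcpHandler "$TCP_LIMIT"
    limit_chain udpHandler "$UDP_LIMIT"
    limit_chain icmpHandler "$ICMP_LIMIT"
}

# snort_inline rules consumed from the QUEUE target: "drop" discards the packet,
# "replace" must keep the length, hence the slides' bin/sh -> ben/sh.
write_snort_rules() {
    cat > "$1" <<'EOF'
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"honeypot outbound NOP sled"; content:"|90 90 90 90 90 90 90 90|"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"honeypot outbound /bin/sh defanged"; content:"/bin/sh"; replace:"/ben/sh"; sid:1000002; rev:1;)
EOF
}
```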
Honeywall Bootable CD-ROM
• Standard ISO distribution
• GenII Data Capture / Data Control features
• Sebek
• Simple User Interface
• Auto-configure from floppy
• Customization features
  • "Template" customization (file system)
  • Run-time boot customization
Honeywall
• Standard Intel PC
• 3 ethernet cards
  • Inside (honeypots)
  • Outside (internet)
  • Management
• Outside -> inside: bridge, no restrictions
• Inside -> outside: bridge, restrictions
• Management: hidden from outside world
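As an added example (not from the Honeywall CD-ROM), bringing up the three interfaces as just described: outside and inside bridged without any IP address, management reachable only over SSH from trusted hosts. The interface names, addresses and trusted hosts are constructed.

```shell
#!/bin/sh
# Added example, not part of the Honeywall CD-ROM: bring up the three interfaces
# of a honeywall.  eth0 (outside) and eth1 (inside) are enslaved to a bridge that
# carries no IP address, so the honeywall has no layer-3 presence between the
# Internet and the honeypots; eth2 is the management interface and only accepts
# SSH from trusted hosts.  Interface names and addresses are constructed.
IPT="${IPT:-iptables}"; BRCTL="${BRCTL:-brctl}"; IP="${IP:-ip}"   # echo = dry run
MGMT_ADDR="${MGMT_ADDR:-10.0.0.2/24}"                 # constructed management address
TRUSTED_HOSTS="${TRUSTED_HOSTS:-10.0.0.10 10.0.0.11}" # constructed admin stations

setup_bridge() {
    $BRCTL addbr br0
    $BRCTL addif br0 eth0
    $BRCTL addif br0 eth1
    $BRCTL stp br0 off            # STP frames would announce the bridge
    $IP addr flush dev eth0       # "Eth0 - NO IP", "Eth1 - NO IP"
    $IP addr flush dev eth1
    $IP link set eth0 up; $IP link set eth1 up; $IP link set br0 up
}

setup_management() {
    $IP addr add "$MGMT_ADDR" dev eth2
    $IP link set eth2 up
    # the honeywall itself answers nobody on the data interfaces: everything
    # destined to the box is dropped unless it is SSH from a trusted host on eth2
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    for host in $TRUSTED_HOSTS; do
        $IPT -A INPUT -i eth2 -p tcp -s "$host" --dport 22 -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -j LOG --log-prefix "honeywall mgmt: "
    $IPT -A INPUT -j DROP
}

case "${1:-}" in up) setup_bridge; setup_management ;; esac
```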
Honeywall - Roo
http://www.honeynet.org/tools/cdrom/
Malware catching
• Nepenthes (http://nepenthes.carnivore.it)
• Malware-collecting mid-interaction honeypot
• Emulates known vulnerabilities
• Captures malware trying to exploit them
• Modular architecture
• First released in 2006
Nepenthes
Real world uses
• Surfnet IDS: honeypot in sensor
• Qnet: Quarantaine net sensor, contain misbehaving host
• Louis mail relay: try again later...