KFSensor Vs Honeyd Honeypot System Sunil Gurung [60-475] Security and Privacy on the Internet

KFSensor Vs HoneydHoneypot System

Sunil Gurung

[60-475] Security and Privacy on the Internet

Agenda

• Introduction

• Honeypot Technology

• KFSensor

• Honeyd

• Features

• Tests

• Conclusion

Introduction

• Good Defence is Good Offence

• Network security – Firewall, IDS, antivirus.

• Traditional approach – defensive

• Today – offensive approach

• Honeypot solutions

Honeypot Technology• “A honeypot is security resource whose value lies in

being probed, attacked, or compromised.” - Lance Spitzner

• we want attackers to probe and exploit the virtual system running emulated services.

• System no production value, no traffic, most connection probe, attack or compromised.

• Complements the traditional security tools.

Fig: The basic setup up of the honeypot system. In the figure two KFSensor are configured production honeypots.

Figure taken from “ User Manual of KFSensor – Help “

TYPES of ATTACKERS

1) Script Kiddies- Amateurs, don’t care about the host- Educate the inadequacy of the security policy

1) Blackhat- Focus on high value system, more

experienced- More dangerous and operate silently

Types of HoneypotInteraction: level of activity Honeypot allows with attacker

• Low InteractionEmulated services, easy to deploy and maintain, less risk.

Designed to capture only known attack

• High InteractionSetup real services and provides interaction with OS

More information, no assumption made give full open environments.

Can use the real honeypot to attack others.

Symantec Decoy Server, Honeynet

KFSensor

• Commercial low interaction honeypot solution

• Windows OS

• Preconfigured services: ssh, http, ftp etc

• Easy configuration and flexible

• Components of KFSensor

• Scenarios, Sim Server – standard and banner

Honeyd

• Low interaction, open source

• Developed by Niels Provos of U of M

• Features: service emulation and IP stack of OS

• Product Detail• Software: honeyd

• Version: honeyd 0.8

• License: open source

• Download site: http://honeyd.org

• OS: Windows, Linux, Unix – Solaris

Installation

• ARPD, Libraries Dependencies

• Libevent-0.8a.tar.gz, libpcap0.8.3.tar.gz

• Honeyd package

Installation process:# tar -zvxf libevent-0.8a.tar.gz

Compile the libevent:

# cd libevent-0.8a (Note: pwd is /honeyd_packages/ libevent-0.8a)

#. /configure

# make

# make install

Major Differences between the two software

• IP address assignment

• Listening port

• OS emulation

• Open source advantage

• Financial value

How it works

1. Configuration File

2. Nmap.print & Xprobe2

3. Script for running the services

Explanation of Configuration file

# Example of a simple host template and its bindingannotate "AIX 4.0 - 4.2" fragment oldcreate templateset template personality "AIX 4.0 - 4.2"add template tcp port 80 openadd template tcp port 22 openadd template tcp port 23 open set template default tcp action resetbind 192.168.1.80 template

Nmap.print and Xprobe2

# Contributed by Felix Lindner (flindner@gmx.de)

Fingerprint AXENT Raptor Firewall running on Windows NT

TSeq(Class=TR)

T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)

T2(Resp=N)

T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)

T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

T7(Resp=N)

PU(Resp=N)

Test Environment

• Inside the router

1) University network

2) Home network: putting the honeypot system inside the router [192.168.0.102]

Various test performed:

Testing Honeyd

IP of honeypot: 192.168.1.122

IP of host running the honeypot: 192.168.1.121

1) Running ARPD

#arpd 192.168.0.0\24

2) Running Honeyd

#honeyd –d –f config.sample –p nmap.print –x xprobe2 –l \”Log File” –I 2

Test 1: FTP (KFSensor)

Test 2: FTP honeyd

Other possible test (Network Topology)route entry 10.0.0.1route 10.0.0.1 link 10.0.0.0/24route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1route 10.1.0.1 link 10.1.0.0/24route 10.2.0.1 link 10.2.0.0/24create routeroneset routerone personality "Cisco 7206 running IOS 11.1(24)"set routerone default tcp action resetadd routerone tcp port 23 "scripts/router-telnet.pl"create netbsdset netbsd personality "NetBSD 1.5.2 running on a Commodore

Amiga (68040 processor)"set netbsd default tcp action resetadd netbsd tcp port 22 proxy $ipsrc:22add netbsd tcp port 80 "sh scripts/web.sh"bind 10.0.0.1 routeronebind 10.1.0.2 netbsd

Results – take from the abstract

$ traceroute -n 10.3.0.10traceroute to 10.3.0.10 (10.3.0.10), 64 hops max1 10.0.0.1 0.456 ms 0.193 ms 0.93 ms2 10.2.0.1 46.799 ms 45.541 ms 51.401 ms3 10.3.0.1 68.293 ms 69.848 ms 69.878 ms4 10.3.0.10 79.876 ms 79.798 ms 79.926 ms

Conclusion

• Both are low interaction

• Honey with better feature like IP simulation and OS IP stack simulation

• KFSensor better GUI easy configuration

Can not replace the existing system. Work better along with it.