IssueDate:

Revision:

Honeypots&Honeynets

AdliWahid

1

Contents

1. Objectives2. DefinitionofHoneypot&Honeynets3. Benefits&Riskconsideration4. ExampleofHoneypottools5. TheHoneynet Project

Credits:DavidWatson(Honeynet Project)forthesomeofthecontentsofthisslidedavid@honeynet.org.uk

2

Objectives

1. Understandthetheconceptofhoneypots/honeynets andhowtheyaredeployed

2. Understandthevalueofhoneypotsandhoneynets tosecurityresearchers,securityresponseteams

3. Familiarizewithdifferenttypesofhoneypots4. Shareexperiencedeployinghoneynets

3

KnowYourEnemy

Howcanwedefendagainstanenemy,whenwedon’tevenknowwhotheenemyis?

(LanceSpitzner 1999)

4

KnowYourEnemy(2)

Tolearnthetools,tacticsandmotivesinvolvedincomputerandnetworkattacks,andsharethelessonslearned

(MissionStatement,TheHoneynet Project)

ThreatIntelligence,IndicatorsofCompromise

5

Howdowedetectattacksorvulnerabilitiesinournetworks?• Hint

• Howdoattackersdoit?• Namethecontrolsthatwehaveinplace

• Whatarethelimitationsofthecontrolsthatwehaveinplace?• Whatarethetargets&why?

HoneypotsandHoneynets

• Ahoneypotisaninformationsystemresourcewhosevalueliesintheunauthorizedorillicituseofthatresource

• Honeypotsystemshavenoproductionvalue,soanyactivitygoingtoorfromahoneypotislikelyaprobe,attackorcompromise

• Ahoneynet issimplyanetworkofhoneypots• Informationgatheringandearlywarningaretheprimarybenefitstomostorganisations

7

HoneypotandHoneynet Types

• Low-MediumInteraction(LI)• Emulatesservices,applicationsandOS’s• Easiertodeploy/maintain,lowrisk,butonlylimitedinformation

• High-Interaction(HI)• Realservices,applicatios andOS’s• Captureextensiveinformation,buthigherriskandtimeintensivetomaintain

8

HoneypotandHoneynet Types

• ServerHoneypots• Listenforincomingnetworkconnections• Analyse attackstargetingthehosts,servicesandoperatingsystems

• ClientHoneypots• Reachoutandinteractwithremotepotentiallymaliciousresources• Havetobeinstructedwheretogotofindsomethingmalicious• Analyse attackstargetingclientsapplication

9

HoneypotandHoneynet Pros/Cons

Pros• SimpleConcept• Collectsmalldatasetsofhighvalue

• FewFalsePositives• Catchnewattacks• LowFalseNegatives• Canbeatencryption• Minimalhardware• Realtimealerting

Cons• Potentiallycomplex• Needdataanalysis• Onlyamicroscope• Detectionbyattackers• Riskfromcompromises• Legalconcerns• Falsenegatives• Potentiallylive24/7• Operationallyintensive

10

ImplementingHoneypot

11

Recap

Honeypots: Computer resource(s) to be probed and/or attacked

12

Evilness

Malware

Badness

Noise

Whywouldyouwanttodothis?• Byright,youshouldnotexpectanyrealactivityortrafficto/from/inyourhoneypot

• Detectanomalousactivitiesinyournetworkorsystem?• Infected/Compromisedcomputers• Misconfiguration

• LearnaboutattacksontheInternet(inthewild)• Context• Attacksourceandtechniques• Vulnerabilitiesexploited• InformationSharingopportunities

• Improveoverallsecurity

13

Scneario 1:Generic‘Network-basedAttack’

14

Honeypot (Target)

Host1 Host 2

1

2

(Or)2

1.ConnectioninitiatedtoHoneypot

2.ConnectBack/Call-Home

Whatcanyoulearn?• Hoststhataretryingtoconnect/scanyou

• Potentiallyalreadycompromisedorinfected

• Scripts,binaries,files,toops fetchedordropped• Requestsbeingmade,Loginattempts• Packets,netflows• Sourceofattack• Relationshipswithothersystems• Commandpotentiallyexecuted

15

Scenario2:Client-basedHoneypot

16

Honeypot (Client-Side)

Target1.Honeypotinitiateconnection

2.Analyse response

Whatyoucanlearn?

• (0-days)orattacksontheClientApplication(i.e.WebBrowser)• Learnabouthosts/computersthatarehostingmaliciouswebsites

• <Iframes>• Javascript• Flash• PDFetc

17

Logs

• 2010:09:14:07:13:10 < honeypot> 2010-09-14 07:19:27 GMT 184.y.z.144 a05dfd7cca7771a7565a154d65f05ea2http://domain.lv/inx/fx29id1.txt????

• 2010:09:14:07:13:11 < honeypot> 2010-09-14 07:19:30 GMT 184.y.z.144 8dcad47f3e32e7dc1aee59167e67c601http://domain.lv/inx/fx29id2.txt?????

19

HoneypotSystems

20

HighInteractionHoneypot

• Thinkaboutyourgoalsandobjectivesfirst• Possiblescenario

• SetuparealsystemandmakegiveitanIPaddress(soitisreachabletosomething)

• i.e.InstallaWindows,Linux,Unixserver)

• Challengingtocontrol&manage• Whatifattackerusesystemtolaunchattacktoothersystems• Keepingthecomputerinausablestate

21

OpenSourceSystems

• Honeyd,Amun – (openmultipleports)• Dionaea,Nepenthes(Malware)• Kippo,Cowrie- SSHhoneypot• Glastopf – WebHoneypot• Ghost– USBHoneypot• Thug– ClientHoneypot• Conpot – IndustrialSystem

22

Dionaea

• 2nd Generationlowinteractionhoneypot• Python,runson*NIX• IPv6Support

• Goals• Detectbothknownandunknownattacks• Betterprotocolawareness• Vulnerabilitymodulesinscriptinglanguage• ShellcodedetectionusingLibEmu

• Checkouthttp://dionaea.carnivore.it• Learnaboutattacks,malwareandmanymore

23

Kippo

• EmulateSSHserver• Allow‘attacker’tolog-inusingcredentials(usernameandpassword)• Environmentallowlimitedcommands– i.e.ping,who,andwget• Recordactivities(keylog)ofattackersandtheiractivities

• Cowrie• ForkofKippo• AlsodoesTelnethoneypot

24

Glastopf WebHoneypot

• MinimalisticwebserverwritteninPython• ScansincomingHTTPrequestsstrings• Checksforremotefileinclusion(RFI),localfileinclusion(LFI)andSQLinjection

• Signaturesanddynamicattackdetection• Attempttodownloadattackpayloads• Searchkeywordindexingtodrawattackers• MySQLDBpluswebconsole• Integrationwithbotnetmonitoring&sandbox• Visitwww.glastopf.org

25

Ghost

• USBHoneypot• RunsonWindows• Manymalwarespreadacrosssystemsusingthumbrive (andbypassnetworkcontainmentstragegies)

• i.e.Stuxnet,Conficker

• TrickmalwareintothinkingthataUSBThumbrive hasbeeninserted• CapturesmalwarewrittenonUSB• More:https://code.google.com/p/ghost-usb-honeypot

26

Thug• LowInteractionClient-basedhoneypottoemulatewebbrowser

• BrowserPersonalities(i.e.IE)• DiscoveringExploitKits,MaliciousWebsites

• Scenario– yourwebsitehavebeencompromisedandattackerplacedamaliciousscriptonyourwebsite

• Pythonvulnerabilitymodules:activeX controls,corebrowserfunctions,browserplugins

• Logging:flatfile,MITREMAECformat,mongoDB,HPFeeds events+files• Testing:successfullyidentifies,emulatesandlogsIEWinXP infectionsanddownloadsservedPDFs,jars,etc fromBlackhole &otherattackkits

• Moreinformation• http://www.honeynet.org/node/827

27

VOIPHoneypots

• PBXdeploymentlackssecurity/exposetotheInternet• ToolsliveSIPvicious areusedtoscantheInternetforPBX• Miscreantsexploitweakauthentication&accesscontroltomakelongdistancecalls

• Organisations lose$• Honeypotscanbeusedtoidentifysourceofattacks:

oArtemisa

Canary- HoneyTokens• Discoverthatyou’vebeenbreached• Tokens=adigitalobject- file(s),emails,webpage,image• Deployedincertainlocationtodetect(attract)maliciousactivities

• Example:• mailininboxormailserver,• Files(PDF,HTML,Doc,XLS,etc)infileserver,usb stick,webserver,cloud

• Confidential.pdf,analysis.xls,networkdiagram.ppt

• CanaryTokensbyThinkst• https://www.canarytokens.org• http://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html

• Furtherreadingo http://www.slideshare.net/chrissanders88/using-canary-honeypots-for-network-security-monitoring?from_action=save

SecurityEducation

• USBSticks• Associatedwithmalware• SocialEngineeringorTargetedAttack• CreateAwareness,test

• CanaryTokens• https://www.canarytokens.org

• Triggered!Oneofyourcanarydrops wastriggered.

Channel:HTTPTime :2016-05-2605:47:49.009176Memo :usbstix-03Source IP:203.119.X.YUser-agent:Mozilla/5.0(Macintosh;IntelMacOSX)Word/14.61.0

SupportingToolsandProjects

• CuckooSandbox• Visualization• TheHoneynet Project

• HPFeed• InformationSharing

• LogAnalysis

31

CuckooSandbox

• AutomatedMalwareAnalysisSystem• WhynotjustuseAnti-Virus?

• AnalyzeWindowsexecutables,DLLfiles,PDFdocumetns,Officedocuments,PHPScripts,PythonScriptsandInternetURLs

• WindowsguestVMsinVirtualBoxLinux• Windowshooking/driverpluspythonmodulesforextractingandanalysing sampleexecutions

32

CuckooSandbox(2)

• AnalyzeBinaries,Filescapturedinahoneypot• Traceofrelevantwin32APIcallsperformed• Dumpnetworktrafficgenerated(pcap)• Creationofscreenshotstakenduringanalysis• Dumpoffilescreated,deletedanddownloadedbythemalwareduringanalysis

• Extracttraceofassemblyinstructionsexecutedbymalwareprocess• http://cuckoobox.org• http://www.malwr.com

33

Virustotal.com

• Siteforanalyzingmalwaresamples(orunknownfiles)• Let’sscansomefile

TrafficAnalysis

• FullPacketCapture(PCAP)• Supportingtools(Wireshark,TCPDUMP,Moloch)• Considersizeoffile

• Netflow• Argus• SurfNet IDS

• MaliciousTrafficorNot?• Snort• BroIDS

Visualization

• ManyofthetoolsdonotreallyhaveaGUI• Reporting /Presentationiskey• Manyvisualizationtools

• HPFeeds• PicViz• Afterglow• Gnuplot• Splunk• Plug-insorfront-endformanyoftheexistingtools

36

Hardware

• Any(old)hardwarewithnetworkinterface• Singleboardcomputers(i.e.RaspberryPi)• Virtualizationisanotheroption

Community- TheHoneynet Project

• Theplatformforthoseinterestedinrunning,buildingandlearningfromhoneypots

• http://www.honeynet.org

• ManyChaptersfromaroundtheworld• Initiativeforinformationsharing

• HPFeeds• http://hpfeeds.honeycloud.net

• GoogleSummerofCodes(GSOC)

38

CommercialSolutions?

• CanaryTools• https://canary.tools• http://arstechnica.com/security/2015/05/canary-box-aims-to-lure-hackers-into-honeypots-before-they-make-headlines/

• (older?)• Spector(Symantec)• Mantrap

Consider!

• InstallingandplayingwithHoneypotstolearnaboutsecurity• Deployingitinternallytocatchmaliciousactivities• JoiningtheHoneynet Project• Sharingyourexperienceandknowledge• HappyHoneypotting!

40

Demo

1. Kippo,SSHHoneypot• Bruteforce• CompromiseLinux/Unixservers,routers

2. Deploymnent Experience• TheModernHoneypotNetwork(MHN)• Frameworkformanaginganddeployinghoneypots

41

Kippo Demo

42

MHNInstallation

• Runningmultiplehoneypots• http://threatstream.github.io/mhn/

• SetupExperience• UsingLXC• Debian/UbuntuSystems• Easytoadd&RemoveHoneypots• Dataaggregated

• SupportingSystem• Moloch(http://molo.ch)• Maltrail (https://github.com/stamparm/MalTrail)• BROIDS

• OtherFreeTools• Let’sEncrypt(TSL/SSLCertificates)

• Demo!(nopictureplease)

43

Molochhttps://molo.ch

• Molochisanopensource,largescaleIPv4packetcapturing(PCAP),indexinganddatabasesystem.

• AsimplewebinterfaceisprovidedforPCAPbrowsing,searching,andexporting.APIsareexposedthatallowPCAPdataandJSON-formattedsessiondatatobedownloadeddirectly.

• MolochisnotmeanttoreplaceIDSenginesbutinsteadworkalongsidethemtostoreandindexallthenetworktrafficinstandardPCAPformat,providingfastaccess.

• Molochisbuilttobedeployedacrossmanysystemsandcanscaletohandlemultiplegigabits/secoftraffic.

45

Maltrail

• Maltrail isamalicioustrafficdetectionsystem,utilizingpubliclyavailable(black)listscontainingmaliciousand/orgenerallysuspicioustrails

• StatictrailscompiledfromvariousAVreportsandcustomuserdefinedlists,wheretrailcanbeanythingfromdomainnametoipaddresses

• Trailsarepulledfrom• https://github.com/stamparm/MalTrail

46

Recap

• HowcanweuseHoneypots/Honeynet inourenvirionment?• Howcanitcomplementexistingsecuritycountermeasures

oDetectiono EducationoResponse

• Whatifthehoneypotdoesnotreceiveanything– hits/traffic/etc?

LearnMore!• Playwithone

• Honeydrive VirtualMachine• https://bruteforce.gr/honeydrive• Linuxbasedhoneypotdistro• Manytoos &honeypotsystems

• Deployoneyourself• Insidetheorganization• OntheInternet/DMZ

• Participateinaproject• WriteCode• Help/Document

• Honeynet Project• http://www.honeynet.org

48

MoreHoneypots

• https://github.com/paralax/awesome-honeypots• JointHoneypot/Honeynet projects

oDistributedSensors?o Sharedataandobservation?oAutomatedalerts

IssueDate:

Revision:

Questions?

Email:adli@apnic.netTwitter:adliwahidLinkedIn:AdliWahidBlog:https://blog.apnic.net

50