The Honeynet Project: Advancements in Honeypot Tools
Presented by Kirby Kuehl
Background
Feel free to ask questions during the presentation.
Email: [email protected]
Websites: http://www.honeynet.org
http://winfingerprint.sourceforge.net
About the Honeynet Project
• Informally began as the Wargames mailing list in 1999.
• Project officially formed in 2000.
• Became a non-profit organization in 2001.
• Consists of 30 members who volunteer their time and resources to research the hacker community.
Honeynet Project Goals
• Learn the tools, tactics, and motives of the hacker community.
• Raise awareness through release of the “Know Your Enemy” series of whitepapers.
• Teach and inform: Scan of the Month Challenges, Reverse Challenge, Forensic Challenge.
• Research: Honeynet Alliance, tool development.
Layer 3 Data Control: A shell script counted the number of outbound connections initiated by the attacker and blocked all connections after a count of 10 was reached. This suspicious behavior could lead to the discovery of the firewall via TTL decrementing (traceroute), and to a possible attack on it, since the firewall obviously has a Layer 3 address (an IP address).
Data Capture: The IDS (Snort) listens on the SPAN port of the switch, capturing all inbound and outbound traffic.
Generation II Honeynet Sensor Components:
• The Bridging Firewall
• Counting and Blocking Connections
Improvements:
• Data Control with Snort-Inline
• Sebek kernel module
• Honeyd and arpd
• Sneak Peek of “The Honeywall CD”
Honeynet Data Control: The Linux Bridging Firewall
Bridges are Layer 2 devices that connect two or more distinct Ethernet segments. All packets received by one interface are transparently copied to the other interface based upon MAC address.
A Bridging Firewall is capable of transparently filtering received frames before they are copied to the second interface.
Requires a Linux kernel compiled with bridge and bridge firewall support. See http://bridge.sourceforge.net/ for kernel patches and more information.
Honeynet Data Control, Method 1: Counting and Blocking Connections
The iptables firewall script uses the LOG and ACCEPT targets for all inbound connections, allowing attackers to enter the honeynet.
The iptables firewall script LOGs and ACCEPTs outbound connections until a predefined limit is reached within a specified timeframe. Connection attempts beyond the limit are DROPped.
Example Data Control Firewall Script: http://www.honeynet.org/papers/honeynet/tools/rc.firewall
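The counting policy above, modelled as a sliding-window limiter over a constructed connection log. This is an added example, not the Honeynet Project's rc.firewall script (which implements the same idea with iptables matches); the limit of 10, the one-hour window and the honeypot address are assumptions.

```python
"""Added example (not the Honeynet Project's rc.firewall): a sliding-window
model of the "count and block" outbound policy. Each honeypot may open at
most LIMIT outbound connections per WINDOW seconds; further attempts are
DROPped. Limit, window and the connection log are constructed for illustration."""
from collections import deque

LIMIT = 10            # assumed limit, matching the "count of 10" in the talk
WINDOW = 3600         # assumed timeframe in seconds

class OutboundLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.accepted = {}   # honeypot IP -> deque of accepted connection times

    def decide(self, src_ip, ts):
        """Return "ACCEPT" or "DROP" for an outbound attempt at time ts."""
        q = self.accepted.setdefault(src_ip, deque())
        while q and ts - q[0] >= self.window:   # forget connections outside the window
            q.popleft()
        if len(q) >= self.limit:
            return "DROP"                        # the firewall would also LOG this
        q.append(ts)
        return "ACCEPT"

def apply_policy(events, limit=LIMIT, window=WINDOW):
    """events: (timestamp, honeypot_ip, dst_ip); returns the same rows plus the verdict."""
    limiter = OutboundLimiter(limit, window)
    return [(ts, src, dst, limiter.decide(src, ts)) for ts, src, dst in events]

# constructed log: a compromised honeypot tries 12 outbound connections in one
# minute, then one more after the window has expired
SAMPLE_EVENTS = [(5 * i, "192.168.1.15", "10.0.0.%d" % (i + 1)) for i in range(12)]
SAMPLE_EVENTS.append((3700, "192.168.1.15", "10.0.0.99"))

if __name__ == "__main__":
    for row in apply_policy(SAMPLE_EVENTS):
        print(row)
```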
Honeynet Data Control, Method 2: Snort-Inline
The Honeynet Project utilizes Snort-Inline in combination with netfilter/iptables operating as a bridging firewall to send packets to userspace for processing.
This is accomplished with the QUEUE target. The standard queue handler for IPv4 iptables is the ip_queue module, which is distributed with the kernel and marked as experimental.
Snort-Inline (the userspace application) uses the libipq API (which is distributed with iptables) to receive and possibly manipulate the packets traversing the bridge, as demonstrated in the next slides.
Snort-Inline: http://www.snort.org/dl/contrib/patches/inline/
Netfilter/iptables: http://www.netfilter.org
Snort-Inline Rule Options
• Drop – The drop rule tells iptables to drop the packet and log it via the usual Snort means.
• Sdrop – The sdrop rule tells iptables to drop the packet. Nothing is logged.
• Reject – The reject rule type tells iptables to drop the packet, log it via the usual Snort means, and send a TCP reset if the protocol is TCP or an ICMP port unreachable if the protocol is UDP.
Snort-Inline Drop Rule
To drop a DNS attack, the signature would look as follows:
drop tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)
Snort-Inline Drop Mode (diagram)
Diagram labels: Data Control, Snort-Inline, Honeypot, Management.
Kernel space (iptables-1.2.7a, ip_queue):
modprobe ip_queue
iptables -A OUTPUT -p icmp -j QUEUE
User space (Snort-Inline, Snort rules = drop):
snort -Q -c /snort.conf
Result: the matching packet is DROPped.
Snort-Inline Replace Rule
Another option replaces portions of the payload (disabling the effectiveness of the attack) while allowing the connection to continue:
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
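What the replace rule does to a packet, worked through in code. This is an added example, not Snort-Inline's own implementation: it decodes Snort's mixed text/|hex| content notation, checks the same-length constraint that in-place replacement imposes, and applies the substitution to a constructed payload.

```python
"""Added example (not Snort-Inline code): decode Snort 'content' byte strings,
which mix literal text with |hex| groups, and apply the rule's same-length
'replace' to a constructed payload. RULE is the replace rule from the slide."""
import re

RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; '
        'flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; '
        'replace:"|0000 E8D7 FFFFFF|/ben/sh";)')

def decode_content(spec):
    """'ab|CD 80|cd' -> b'ab\\xcd\\x80cd': text outside pipes is literal, inside is hex."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def quoted_options(rule):
    """Pull the quoted rule options (msg, content, replace) out of the rule body."""
    return dict(re.findall(r'(\w+)\s*:\s*"([^"]*)"', rule))

def rewrite_payload(rule, payload):
    """Return (payload, matched). The replacement must be exactly as long as the
    content because the packet is modified in place and its length cannot change."""
    opts = quoted_options(rule)
    content = decode_content(opts["content"])
    replacement = decode_content(opts["replace"])
    if len(content) != len(replacement):
        raise ValueError("replace must be the same length as content")
    idx = payload.find(content)
    if idx < 0:
        return payload, False          # rule does not fire; packet passes untouched
    return payload[:idx] + replacement + payload[idx + len(content):], True

# constructed payload: filler bytes around the byte sequence the rule looks for
SAMPLE_PAYLOAD = b"A" * 16 + b"\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh\x00"

if __name__ == "__main__":
    rewritten, hit = rewrite_payload(RULE, SAMPLE_PAYLOAD)
    print(hit, rewritten)
```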
Snort-Inline Replace Mode (diagram)
Diagram labels: Data Control, Snort-Inline, Honeypot, Management, Internet.
Kernel space (iptables-1.2.7a, ip_queue):
modprobe ip_queue
iptables -A OUTPUT -p icmp -j QUEUE
User space (Snort-Inline, Snort rules = replace):
/bin/sh in the outbound payload is rewritten to /ben/sh before the packet continues to the Internet.
Honeyd
Honeyd, when used in conjunction with arpd, can simulate an entire LAN containing virtual hosts.
These virtual hosts can fool various TCP and ICMP fingerprinting methods.
These virtual hosts can run various virtual, proxied, or fake services.
http://www.citi.umich.edu/u/provos/honeyd/
Honeyd Operation (diagram)
• A host (192.168.1.9) on the LAN runs: ping 192.168.1.15
• arpd sees the ARP request for the virtual host and answers it:
arpd_send: who-has 192.168.1.15 to 192.168.1.9
arpd_reply: 192.168.1.15 is-at 00:09:6b:e0:39:9b
• honeyd, now receiving the frames for 192.168.1.15, sends the ICMP Echo Reply: 192.168.1.15 -> 192.168.1.9
• The pinging host sees: Reply from 192.168.1.15: bytes=32 time<10ms TTL=64
Honeyd: The role of arpd
Like the bridging firewall used by snort-inline, arpd also operates at Layer 2.
Arpd replies to any ARP request for an IP address (Layer 3) within the simulated network with the MAC address of the specified interface of the machine running arpd.
This allows one host to simulate an entire network of machines.
Screenshots (not reproduced): arpd output, honeyd output, and the resulting ARP cache.
Sample Honeyd Configuration
# Example of a simple host template and its binding
create default
set default personality "FreeBSD 2.2.1-STABLE"
add default tcp port 80 "sh scripts/web.sh"
add default tcp port 22 "sh scripts/test.sh $ipsrc $dport"
add default tcp port 113 reset
add default tcp port 1 reset
set default uid 32767 gid 32767
bind 192.168.1.15 default
set 192.168.1.15 uptime 1327650
#add default tcp port 23 proxy 192.168.1.13:23
#set default subsystem "/usr/sbin/httpd"
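How the template, bind and per-port directives above fit together, shown by a small parser that reads the sample configuration and answers what the virtual host 192.168.1.15 will do on a given port. This is an added example, not honeyd's own parser; it handles only the directives present in the sample (create, set, add ... port, bind), and the config text is the slide's sample re-typed with straight quotes.

```python
"""Added example (not honeyd's own code): parse the honeyd template/binding
configuration into templates, IP bindings and per-host settings, then look up
what a virtual host will do on a port. Only the directives used in the sample
are supported. CONFIG is the slide's sample, re-typed with straight quotes."""
import shlex

CONFIG = """
# Example of a simple host template and its binding
create default
set default personality "FreeBSD 2.2.1-STABLE"
add default tcp port 80 "sh scripts/web.sh"
add default tcp port 22 "sh scripts/test.sh $ipsrc $dport"
add default tcp port 113 reset
add default tcp port 1 reset
set default uid 32767 gid 32767
bind 192.168.1.15 default
set 192.168.1.15 uptime 1327650
#add default tcp port 23 proxy 192.168.1.13:23
#set default subsystem "/usr/sbin/httpd"
"""

def parse_honeyd(text):
    cfg = {"templates": {}, "bindings": {}, "hosts": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)     # honours quotes, drops '#' comments
        if not tok:
            continue
        cmd, name = tok[0], tok[1]
        if cmd == "create":
            cfg["templates"][name] = {"ports": {}}
        elif cmd == "bind":                        # bind <ip> <template>
            if tok[2] not in cfg["templates"]:
                raise ValueError("line %d: unknown template %s" % (lineno, tok[2]))
            cfg["bindings"][name] = tok[2]
            cfg["hosts"][name] = {}                # per-IP settings live here
        elif cmd == "add" and tok[3] == "port":    # add <tmpl> <proto> port <n> <action>
            cfg["templates"][name]["ports"][(tok[2], int(tok[4]))] = " ".join(tok[5:])
        elif cmd == "set":                         # set <tmpl|ip> key value [key value ...]
            target = cfg["templates"].get(name)
            if target is None:
                target = cfg["hosts"].get(name)
            if target is None:
                raise ValueError("line %d: set on unknown template or host %s" % (lineno, name))
            target.update(zip(tok[2::2], tok[3::2]))
        else:
            raise ValueError("line %d: unsupported directive %r" % (lineno, raw))
    return cfg

def service_for(cfg, ip, proto, port):
    """Action honeyd takes for a connection to ip:port, or None if that port is not configured."""
    template = cfg["templates"][cfg["bindings"][ip]]
    return template["ports"].get((proto, port))
```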
NMAP Portscan and OS Fingerprint (screenshot, not reproduced)
Sebek: Kernel Space Data Collection
The Sebek kernel module collects data passing through the read() system call. This captures the intruder’s ssh keystrokes and recovers scp file transfers.
Sebek utilizes the adore rootkit to hide the Sebek files and processes from the attacker.
Sebek: http://www.honeynet.org/papers/honeynet/tools/
Adore: http://www.team-teso.net/releases.php
Sdm: The Sebek Device Monitor
• Sdm encrypts the payload.
• Based on the intruder’s input, the IP addresses, MAC addresses, and UDP port numbers are falsified.
• Data is transferred using a variable amount of delay.
• Sdm transmits decoy packets when there is no legitimate traffic.
Sebeksniff and Sbdump
• Sebeksniff collects the data from sdm, decrypts it, and stores it in a log file.
• Use the sbdump.pl script to examine these log files.
• Sbdump displays the timestamp, user id, process name, tty, file descriptor and the data (ssh keystrokes or file transferred by scp).
Sebek Diagram (not reproduced)
Honeywall CD: Coming Soon…
• Bootable CD-ROM Honeynet Gateway that extracts the operating system onto a RAM drive.
• Hardware requirements: 256MB of RAM, a CD-ROM, a 10GB IDE hard drive (for logging and storage of various boot variables such as which networks to bridge), and two NICs.
• Capable of Generation 1 (Layer 3) or Generation 2 (Layer 2) Honeynet Data Control.
• Kernel contains bridge firewalling support for the inline-enabled Snort. Also includes Sebek, dsniff, tcpdump, and p0f.
Honeywall CD Main Screen
• Initialize drive: mounts a local IDE drive for Honeynet logging and storage of settings.
• Start Layer 2 Bridge: brings up the bridge and starts various utilities.
Wininterrogate: Analysis of Win32 File Systems and Processes
Wininterrogate: File System
Recursively walks the directory structure obtaining the following: File Name, Complete Path, Directory, File Size, Creation Time, Last Access Time, Last Write Time, Attributes.
Wininterrogate: Processes
Displays: Process Name and Path, Process ID (pid), Linked DLLs, DLL Entry Point, DLL Base, DLL Image Size, Port Bindings (Windows XP only).
Wininterrogate: Common Options
• MD5 checksum, providing similar functionality to Tripwire.
• CSV (comma separated value) output. Import into Microsoft Excel or any database for processing.
• Extra information gathered on *.DLL, *.VBX, *.DRV, *.EXE, *.OCX, *.BIN, *.SCR: CompanyName, FileDescription, FileVersion, InternalName, LegalCopyright, OriginalFilename, ProductName, ProductVersion.