The Honeynet Project Advancements in Honeypot Tools


Page 1: The Honeynet Project Advancements in Honeypot Tools

The Honeynet Project: Advancements in Honeypot Tools

Page 2: The Honeynet Project Advancements in Honeypot Tools

Presented by Kirby Kuehl

Background: Feel free to ask questions during the presentation.
Email: [email protected]
Websites: http://www.honeynet.org
http://winfingerprint.sourceforge.net

Page 3: The Honeynet Project Advancements in Honeypot Tools

About the Honeynet Project

Informally began as the Wargames mailing list in 1999. The Project officially formed in 2000 and became a non-profit organization in 2001. It consists of 30 members who volunteer their time and resources to research the hacker community.

Page 4: The Honeynet Project Advancements in Honeypot Tools

Honeynet Project Goals

Learn the Tools, Tactics, and Motives of the Hacker Community.

Raise Awareness through release of the “Know Your Enemy” series of whitepapers.

Teach and Inform
• Scan of the Month Challenges
• Reverse Challenge
• Forensic Challenge

Research
• Honeynet Alliance
• Tool Development

Page 5: The Honeynet Project Advancements in Honeypot Tools

Layer 3 Data Control: A shell script counted the number of outbound connections initiated by the attacker and blocked all further connections once a count of 10 was reached. This suspicious behavior (outbound connections suddenly failing) could lead to the discovery of the firewall via TTL decrementing (traceroute), and to an attack on it, since a Layer 3 firewall necessarily has an IP address of its own.

Data Capture: The IDS (snort) listens on the span port of the switch, capturing all inbound/outbound traffic.

Page 6: The Honeynet Project Advancements in Honeypot Tools
Page 7: The Honeynet Project Advancements in Honeypot Tools

Generation II Honeynet Sensor Components:

• The Bridging Firewall
• Counting and Blocking Connections

Improvements:
• Data Control with Snort-Inline
• Sebek kernel module
• Honeyd and arpd
• Sneak Peek of “The Honeywall CD”

Page 8: The Honeynet Project Advancements in Honeypot Tools

Honeynet Data Control The Linux Bridging Firewall

Bridges are Layer 2 devices that connect two or more distinct Ethernet segments. All packets received by one interface are transparently copied to the other interface based upon MAC address.

A Bridging Firewall is capable of transparently filtering received frames before they are copied to the second interface.

Requires a Linux kernel compiled with bridge and bridge firewall support. See http://bridge.sourceforge.net/ for kernel patches and more information.

Page 9: The Honeynet Project Advancements in Honeypot Tools

Honeynet Data Control, Method 1: Counting and Blocking Connections

The IPTables Firewall Script uses the LOG and ACCEPT targets for all inbound connections, allowing attackers to enter the honeynet.

The IPTables Firewall Script LOGs and ACCEPTs outbound connections until a predefined limit is reached within a specified timeframe. Connection attempts beyond the limit are DROPped.

Example Data Control Firewall Script http://www.honeynet.org/papers/honeynet/tools/rc.firewall
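The counting-and-blocking logic of Method 1, simulated in Python so it can be studied without a kernel or iptables. This is an added example and not the Honeynet Project's rc.firewall script: it parses constructed lines in the style of netfilter LOG output, counts accepted outbound connections per honeypot inside a sliding window, and reports DROP once the limit is exhausted. The limit of 10 connections and the 3600-second window are hypothetical values chosen here; rc.firewall makes both configurable.

```python
"""Added example (not the Honeynet Project's rc.firewall script): the
outbound-connection limit of Data Control Method 1, simulated over
netfilter-style LOG lines. Each new outbound connection from a honeypot is
accepted and counted; once `limit` connections have been seen inside a
sliding window of `window` seconds, further attempts are marked DROP.
The limit (10) and window (3600 s) are hypothetical values."""
import re
from collections import defaultdict, deque

# Fields of interest in a netfilter LOG line (constructed after the kernel's
# "SRC=... DST=... PROTO=... SPT=... DPT=..." key=value style)
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:\s+SPT=\d+\s+DPT=(?P<dpt>\d+))?"
)

def parse_log(line):
    """Return {'src','dst','proto','dpt'} for a LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec

class OutboundLimiter:
    """Sliding-window counter of accepted outbound connections per honeypot."""
    def __init__(self, limit=10, window=3600):
        self.limit = limit
        self.window = window
        self.accepted = defaultdict(deque)   # honeypot IP -> accepted timestamps

    def decide(self, ts, src):
        q = self.accepted[src]
        while q and ts - q[0] >= self.window:  # forget connections outside the window
            q.popleft()
        if len(q) < self.limit:
            q.append(ts)
            return "ACCEPT"
        return "DROP"

def process(entries, limit=10, window=3600):
    """entries: iterable of (epoch_seconds, log_line). Returns verdict tuples."""
    limiter = OutboundLimiter(limit, window)
    verdicts = []
    for ts, line in entries:
        rec = parse_log(line)
        if rec is None:          # not a firewall LOG line; ignore it
            continue
        verdicts.append((ts, rec["src"], rec["dst"], rec["dpt"],
                         limiter.decide(ts, rec["src"])))
    return verdicts

def make_line(src, dst, dpt):
    """Constructed sample LOG line for a new outbound TCP connection (SYN)."""
    return (f"kernel: OUTBOUND IN=br0 OUT=br0 SRC={src} DST={dst} LEN=60 TTL=64 "
            f"PROTO=TCP SPT=1025 DPT={dpt} WINDOW=5840 SYN")

HONEYPOT = "192.168.1.15"
# Constructed sample: 12 outbound SYNs within a few seconds, then one an hour later
SAMPLE_ENTRIES = [(1000 + i, make_line(HONEYPOT, f"10.0.0.{i + 1}", 80)) for i in range(12)]
SAMPLE_ENTRIES.append((1000 + 3700, make_line(HONEYPOT, "10.0.1.1", 22)))
SAMPLE_ENTRIES.append((1000 + 3701, "kernel: some unrelated message"))

if __name__ == "__main__":
    for ts, src, dst, dpt, verdict in process(SAMPLE_ENTRIES):
        print(f"{ts} {src} -> {dst}:{dpt} {verdict}")
```

With the sample input the first ten connections are accepted, the eleventh and twelfth are dropped, and the connection an hour later is accepted again because the earlier ones have aged out of the window. Counting only new connections (SYNs) rather than every packet is what keeps an established session usable while still capping how many fresh targets a compromised honeypot can reach.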

Page 10: The Honeynet Project Advancements in Honeypot Tools

Honeynet Data Control, Method 2: Snort-Inline

The Honeynet Project utilizes Snort-Inline in combination with netfilter/iptables operating as a bridging firewall to send packets to userspace for processing.

This is accomplished with the QUEUE target. The standard queue handler for IPv4 iptables is the ip_queue module, which is distributed with the kernel and marked as experimental.

Snort-Inline (the userspace application) uses the libipq API (which is distributed with iptables) to receive and possibly manipulate the packets traversing the bridge, as demonstrated in the next slides.

Snort-Inline: http://www.snort.org/dl/contrib/patches/inline/ Netfilter/iptables: http://www.netfilter.org

Page 11: The Honeynet Project Advancements in Honeypot Tools

Snort-Inline Rule Options

• Drop – The drop rule tells iptables to drop the packet and log it via the usual Snort means.
• Sdrop – The sdrop rule tells iptables to drop the packet. Nothing is logged.
• Reject – The reject rule type tells iptables to drop the packet; log it via the usual Snort means; and send a TCP reset if the protocol is TCP or an ICMP port unreachable if the protocol is UDP.

Page 12: The Honeynet Project Advancements in Honeypot Tools

Snort-Inline Drop Rule

To drop a DNS attack, the signature would look as follows:

drop tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)

Page 13: The Honeynet Project Advancements in Honeypot Tools

Snort-Inline Drop Rule (slide diagram)

Components shown: Honeypot, Data Control (Snort-Inline), Management.

Kernel space (iptables-1.2.7a with the ip_queue module):
modprobe ip_queue
iptables -A OUTPUT -p icmp -j QUEUE

User space: Snort-Inline with Snort rules set to Drop, started as
snort -Q -c /snort.conf

Result: DROP – the matching packet is discarded before it leaves the honeynet.

Page 14: The Honeynet Project Advancements in Honeypot Tools

Snort-Inline Replace Rule

Another option replaces portions of the payload (disabling the effectiveness of the attack) but allowing the connection to continue:

alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
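To make the drop and replace rules on these two slides concrete, the following added example (not snort-inline's code, and no part of the presentation) reimplements in Python the small piece of behaviour they depend on: parsing a Snort content string that mixes ASCII text with |hex| runs, searching a payload for it, and either discarding the packet or overwriting the match in place. It assumes, as Snort's replace modifier does, that the replacement is exactly as long as the matched content, so the packet size and TCP sequence numbers are unaffected; the sample payload is constructed around the signature from the slide.

```python
"""Added example, not snort-inline's own code: the content / replace matching
that the drop and replace rules rely on. parse_content() turns a Snort
content string such as '|CD80 E8D7 FFFFFF|/bin/sh' into bytes; apply_rule()
searches a payload for it and, in replace mode, overwrites the match with an
equal-length replacement so the packet length is unchanged."""
import re

def parse_content(spec):
    """Segments between '|' are hex (whitespace ignored); the rest is literal text."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 1:                       # inside |...|: hex bytes
            out += bytes.fromhex(re.sub(r"\s+", "", part))
        else:                                # outside: literal ASCII
            out += part.encode("latin-1")
    return bytes(out)

def apply_rule(payload, content, replace=None):
    """Return (matched, action, new_payload).
    Without `replace`, a hit yields action 'drop' and an empty payload
    (the packet is discarded); with `replace`, the payload is rewritten."""
    needle = parse_content(content)
    idx = payload.find(needle)
    if idx < 0:
        return False, "pass", payload
    if replace is None:
        return True, "drop", b""
    new = parse_content(replace)
    # Equal lengths are required so sequence numbers and packet size stay valid
    if len(new) != len(needle):
        raise ValueError("replacement must be the same length as content")
    return True, "replace", payload[:idx] + new + payload[idx + len(needle):]

CONTENT = "|CD80 E8D7 FFFFFF|/bin/sh"      # content from the slide's rule
REPLACE = "|0000 E8D7 FFFFFF|/ben/sh"      # replacement from the slide's rule
# Constructed sample payload: filler bytes around the signature from the slide
SAMPLE_PAYLOAD = b"\x90" * 8 + parse_content(CONTENT) + b"\x00\x01"

if __name__ == "__main__":
    for rep in (None, REPLACE):
        matched, action, out = apply_rule(SAMPLE_PAYLOAD, CONTENT, rep)
        print(matched, action, out)
```

Run stand-alone it prints the drop verdict followed by the rewritten payload, in which the first two shellcode bytes become 00 00 and /bin/sh becomes /ben/sh while every other byte stays where it was; that is why the attacker's connection survives but the exploit no longer works.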

Page 15: The Honeynet Project Advancements in Honeypot Tools

Snort-Inline Replace Mode (slide diagram)

Components shown: Honeypot, Data Control (Snort-Inline), Management, Internet.

Kernel space (iptables-1.2.7a with the ip_queue module):
modprobe ip_queue
iptables -A OUTPUT -p icmp -j QUEUE

User space: Snort-Inline with Snort rules set to Replace.

Result: the payload string /bin/sh leaving the honeypot is rewritten to /ben/sh before the packet is forwarded toward the Internet.

Page 16: The Honeynet Project Advancements in Honeypot Tools

Honeyd

Honeyd, when used in conjunction with arpd can simulate an entire LAN containing virtual hosts.

These virtual hosts can fool various TCP and ICMP fingerprinting methods.

These virtual hosts can run various virtual, proxied, or fake services.

http://www.citi.umich.edu/u/provos/honeyd/

Page 17: The Honeynet Project Advancements in Honeypot Tools

Honeyd Operation (slide diagram)

Sequence shown for a ping from 192.168.1.9 to the virtual host 192.168.1.15:

Honeypot: ping 192.168.1.15
arpd: arpd_send: who-has 192.168.1.15 to 192.168.1.9
arpd: arpd_reply: 192.168.1.15 is-at 00:09:6b:e0:39:9b
honeyd: Sending ICMP Echo Reply: 192.168.1.15 -> 192.168.1.9
Honeypot: Reply from 192.168.1.15: bytes=32 time<10ms TTL=64

Page 18: The Honeynet Project Advancements in Honeypot Tools

Honeyd: The role of arpd

Like the bridging firewall used by snort-inline, arpd also operates at Layer 2.

Arpd replies to any ARP request for an IP address (Layer 3) within the simulated network with the MAC address of the specified interface of the machine running arpd.

This allows one host to simulate an entire network of machines.

Page 19: The Honeynet Project Advancements in Honeypot Tools

Arpd Screenshot

Page 20: The Honeynet Project Advancements in Honeypot Tools

Honeyd Screenshot

Page 21: The Honeynet Project Advancements in Honeypot Tools

ARP Cache

Page 22: The Honeynet Project Advancements in Honeypot Tools

Sample Honeyd Configuration

# Example of a simple host template and its binding
create default
set default personality "FreeBSD 2.2.1-STABLE"
add default tcp port 80 "sh scripts/web.sh"
add default tcp port 22 "sh scripts/test.sh $ipsrc $dport"
add default tcp port 113 reset
add default tcp port 1 reset
set default uid 32767 gid 32767
bind 192.168.1.15 default
set 192.168.1.15 uptime 1327650
#add default tcp port 23 proxy 192.168.1.13:23
#set default subsystem "/usr/sbin/httpd"

Page 23: The Honeynet Project Advancements in Honeypot Tools

NMAP Portscan and OS Fingerprint

Page 24: The Honeynet Project Advancements in Honeypot Tools

Sebek: Kernel Space Data Collection

The Sebek kernel module collects data passing through the read() system call. This captures the intruder’s ssh keystrokes and recovers scp file transfers.

Sebek utilizes the adore rootkit to hide the sebek files and processes from the attacker.

Sebek: http://www.honeynet.org/papers/honeynet/tools/
Adore: http://www.team-teso.net/releases.php

Page 25: The Honeynet Project Advancements in Honeypot Tools

Sdm: The Sebek Device Monitor

Sdm encrypts the payload. Based on the intruder’s input, the IP addresses, MAC addresses, and UDP port numbers are falsified.

Data is transferred using a variable amount of delay.

Sdm transmits decoy packets when there is no legitimate traffic.

Page 26: The Honeynet Project Advancements in Honeypot Tools

Sebeksniff and Sbdump

Sebeksniff collects the data from sdm, decrypts it, and stores it in a log file.

Use the sbdump.pl script to examine these log files.

Sbdump displays the timestamp, user id, process name, tty, file descriptor and the data (ssh keystrokes or the file transferred by scp).

Page 27: The Honeynet Project Advancements in Honeypot Tools

Sebek Diagram

Page 28: The Honeynet Project Advancements in Honeypot Tools

Honeywall CD: Coming Soon…

Bootable CDROM Honeynet Gateway extracts operating system onto a ram drive.

Hardware requirements: 256MB of RAM, a CD-ROM, a 10GB IDE hard drive (for logging and storage of various boot variables such as which networks to bridge), and two NICs.

Capable of Generation 1 (Layer 3) or Generation 2 (Layer 2) Honeynet Data Control.

The kernel contains bridge firewalling support for inline-enabled Snort. The CD also includes Sebek, dsniff, tcpdump, and p0f.

Page 29: The Honeynet Project Advancements in Honeypot Tools

Honeywall CD Main Screen

Page 30: The Honeynet Project Advancements in Honeypot Tools

Initialize Drive: mounts a local IDE drive for Honeynet logging and storage of settings.

Page 31: The Honeynet Project Advancements in Honeypot Tools

Start Layer 2 Bridge

Page 32: The Honeynet Project Advancements in Honeypot Tools

Bringing up the bridge and starting various utilities

Page 33: The Honeynet Project Advancements in Honeypot Tools

Wininterrogate: Analysis of Win32 File systems and Processes

Page 34: The Honeynet Project Advancements in Honeypot Tools

Wininterrogate: File system

Recursively walks the directory structure obtaining the following:
• File Name
• Complete Path
• Directory
• File Size
• Creation Time
• Last Access Time
• Last Write Time
• Attributes

Page 35: The Honeynet Project Advancements in Honeypot Tools

Wininterrogate: Processes

Displays:
• Process Name and Path
• Process ID (pid)
• Linked DLLs
• DLL Entry Point
• DLL Base
• DLL Image Size
• Port Bindings (Windows XP only)

Page 36: The Honeynet Project Advancements in Honeypot Tools

Wininterrogate: Common Options

• MD5 Checksum, providing similar functionality to tripwire.
• CSV (comma separated value) output. Import into Microsoft Excel or any database for processing.
• Extra information gathered on *.DLL, *.VBX, *.DRV, *.EXE, *.OCX, *.BIN, *.SCR: CompanyName, FileDescription, FileVersion, InternalName, LegalCopyright, OriginalFilename, ProductName, ProductVersion.
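The file-system walk, MD5 checksum and CSV output described on the Wininterrogate slides, shown as an added Python example that is not Wininterrogate's own code. It records name, path, size, timestamps and MD5 per file, renders the snapshot as CSV, and compares two snapshots the way a tripwire-style baseline check does (added, removed and modified files). The directory tree and file contents built inside demo() are constructed for the example; the Win32 version-resource fields (CompanyName, FileVersion and so on) are Windows-specific and are not reproduced here.

```python
"""Added example, not Wininterrogate's own code: a small cross-platform
file-system walk that records name, path, size, timestamps and an MD5
checksum per file, emits CSV, and compares two snapshots like a
tripwire-style baseline check. Paths and contents in demo() are constructed."""
import csv
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

FIELDS = ["path", "size", "ctime", "atime", "mtime", "md5"]

def md5_of(path):
    """MD5 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def snapshot(root):
    """Recursively walk `root`; return {relative path: record}."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = {
                "path": rel, "size": st.st_size,
                "ctime": _iso(st.st_ctime), "atime": _iso(st.st_atime),
                "mtime": _iso(st.st_mtime), "md5": md5_of(full),
            }
    return records

def to_csv(records):
    """Render a snapshot as CSV text (importable into Excel or a database)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    for rel in sorted(records):
        w.writerow(records[rel])
    return buf.getvalue()

def compare(baseline, current):
    """Tripwire-style diff of two snapshots; 'changed' is decided on MD5 only,
    since timestamps are easy for an intruder to reset."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p]["md5"] != current[p]["md5"]),
    }

def demo():
    """Build a constructed tree, take a baseline, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "a.txt"), "w") as f:
            f.write("hello")
        with open(os.path.join(root, "sub", "b.bin"), "wb") as f:
            f.write(b"\x00\x01\x02")
        baseline = snapshot(root)
        # Tamper: modify a.txt, delete sub/b.bin, add c.txt
        with open(os.path.join(root, "a.txt"), "w") as f:
            f.write("hello, tampered")
        os.remove(os.path.join(root, "sub", "b.bin"))
        with open(os.path.join(root, "c.txt"), "w") as f:
            f.write("new")
        current = snapshot(root)
        return {"baseline_md5_a": baseline["a.txt"]["md5"],
                "csv_header": to_csv(baseline).splitlines()[0],
                "diff": compare(baseline, current)}

if __name__ == "__main__":
    print(demo())
```

The baseline CSV is what you would keep off the honeypot (on the management host or read-only media); re-running the walk after an incident and diffing against it is the same comparison demo() performs in a temporary directory.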