Modern Honey Net An Introduction.

Presentation transcript:

Modern Honey Net An Introduction

Why? Why not? Capture malware for study. See what “attackers” do. Education. Target a specific type of attacker; Thinkst Canary is an example.

What Honeypot? The traffic you’re trying to capture will of course determine the type of honeypot. Kippo / Cowrie – SSH honeypot. Wordpot – WordPress honeypot. Suricata – IDS/IPS (not a honeypot). Conpot – SCADA/ICS honeypot. Glastopf – web application honeypot.

What Honeypot? What or who are you trying to attract? Specific attackers? Just listening for scans/attacks? Malware collection?

Modern Honey Net? A unified interface for managing multiple honeypots. Aggregates large amounts of data from the sensors. Provides a convenient method of installing new sensors.

My Honeynet Digital Ocean droplets: $5 USD/month, 512 MB RAM.

Modern Honey Net - Install https://github.com/threatstream/mhn Requires Ubuntu 14.04 (Trusty Tahr); MHN did not install on Ubuntu 16. Installs all dependencies automatically, including Nginx and the other Python dependencies.

Overview - Cowrie Cowrie is a port of an older SSH honeypot, Kippo, written in Python. It offers a full shell environment for attackers to interact with. Attackers log in and access it just as they would a regular SSH daemon/Bash shell. Uploaded malware is stored safely for later inspection. Configurable for which username/password combinations will be accepted.

Sensor Install - Cowrie Access the “Deploy” menu item. Select Cowrie. Copy the command & execute it on the sensor VM. The script content is shown in the same window.

Cowrie - Sensor Install The install script reconfigures the real SSH daemon to listen on TCP 2222; Cowrie takes over TCP 22. Reboot & get pwned!

Cowrie - Sensor Install There are a couple of minor ‘gotchas’. The script misses a couple of dependencies; connections and transfers fail without them. Install ‘python-tftpy’ and ‘python-configparser’. Restart ‘supervisord’ or reboot; I needed to reboot as ‘supervisord’ did not restart correctly.

Cowrie - Operation Logs usernames/passwords entered. Popular usernames:

Cowrie - Operation Popular Passwords:
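The “popular usernames” and “popular passwords” tallies on these two slides come from Cowrie's login log. The script below is an added example (not part of the deck or of the Cowrie project) that builds those tallies from Cowrie's JSON log output; the `eventid`, `username`, `password` and `src_ip` field names are assumed from Cowrie's JSON output plugin, and the log lines are constructed here so it runs offline.

```python
import json
from collections import Counter

# Constructed sample in the shape of Cowrie's JSON log output (field names assumed).
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "198.51.100.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "admin", "src_ip": "198.51.100.10", "session": "a1"}
{"eventid": "cowrie.login.success", "username": "root", "password": "password", "src_ip": "198.51.100.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "203.0.113.7", "session": "b2"}
{"eventid": "cowrie.login.failed", "username": "pi", "password": "raspberry", "src_ip": "203.0.113.7", "session": "b2"}
{"eventid": "cowrie.login.success", "username": "root", "password": "123456", "src_ip": "203.0.113.8", "session": "c3"}
not json at all
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def iter_login_events(lines):
    """Yield parsed login attempts; skip blank, malformed and non-login lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole run
        if event.get("eventid") in LOGIN_EVENTS:
            yield event


def credential_stats(lines):
    """Count usernames, passwords, credential pairs and attempts per source IP."""
    users, passwords, pairs, sources = Counter(), Counter(), Counter(), Counter()
    successes = 0
    for ev in iter_login_events(lines):
        user, pw = ev.get("username", ""), ev.get("password", "")
        users[user] += 1
        passwords[pw] += 1
        pairs[(user, pw)] += 1
        sources[ev.get("src_ip", "?")] += 1
        if ev["eventid"] == "cowrie.login.success":
            successes += 1
    return {"usernames": users, "passwords": passwords, "pairs": pairs,
            "sources": sources, "successes": successes}


def top(counter, n=5):
    """The n most frequent entries of a Counter, as (value, count) tuples."""
    return counter.most_common(n)


if __name__ == "__main__":
    stats = credential_stats(SAMPLE_LOG.splitlines())
    print("Popular usernames:", top(stats["usernames"]))
    print("Popular passwords:", top(stats["passwords"]))
    print("Popular pairs:", top(stats["pairs"]))
    print("Attempts per source:", top(stats["sources"]))
    print("Accepted logins:", stats["successes"])
```

Against a real sensor, feed it the lines of Cowrie's JSON log instead of `SAMPLE_LOG`; the accepted-login count is worth watching separately, since it shows how often the configured username/password combinations let a bot through to the shell.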

Cowrie - Malware Uploaded to /opt/cowrie/dl. Files are SHA256 hashed and symlinked from the individual attacks. 28,283 attacks in under 7 days. 2000+ malware binaries uploaded to Cowrie. Happy to provide a zip if anyone wants to reverse engineer any of the malware.
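The slide describes the download directory layout: one regular file per unique sample, named by its SHA256, plus one symlink per attack that dropped it. The inventory script below is an added example, not the deck's or Cowrie's own code; it rebuilds the “unique binaries versus attacks” figures from such a directory, verifies that each file's name still matches its content hash, and flags dangling links. The directory it runs against is constructed in a temp dir with harmless placeholder bytes, and the per-attack symlink names are made up.

```python
import hashlib
import os
import tempfile

# Constructed, harmless stand-ins for dropped samples.
CONSTRUCTED_SAMPLES = {
    "bot_a": b"NICK drone\r\nJOIN #c2\r\n" + b"\x00" * 64,
    "bot_b": b"#!/bin/sh\necho speedtest\n",
}


def sha256_file(path):
    """Hash a file in chunks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_dl(dl_dir):
    """Inventory a Cowrie-style download directory.

    Regular files are the de-duplicated samples (expected to be named by SHA256);
    symlinks are the per-attack records pointing at them. Returns samples keyed by
    content hash, files whose name disagrees with their hash, files whose content
    duplicates an earlier one, and symlinks that resolve to nothing."""
    samples, by_path, mismatched, duplicates, dangling = {}, {}, [], [], []
    for name in sorted(os.listdir(dl_dir)):
        path = os.path.join(dl_dir, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        digest = sha256_file(path)
        if name != digest:
            mismatched.append(name)
        if digest in samples:
            duplicates.append(name)
        else:
            samples[digest] = {"name": name, "size": os.path.getsize(path), "attacks": []}
        by_path[os.path.realpath(path)] = digest
    for name in sorted(os.listdir(dl_dir)):
        path = os.path.join(dl_dir, name)
        if not os.path.islink(path):
            continue
        digest = by_path.get(os.path.realpath(path))
        if digest is None:
            dangling.append(name)
        else:
            samples[digest]["attacks"].append(name)
    return {"samples": samples, "mismatched": mismatched,
            "duplicates": duplicates, "dangling": dangling}


def most_dropped(summary, n=3):
    """Samples ranked by how many attack sessions dropped them."""
    ranked = sorted(summary["samples"].items(),
                    key=lambda kv: len(kv[1]["attacks"]), reverse=True)
    return [(digest, len(info["attacks"])) for digest, info in ranked[:n]]


def build_constructed_dl_dir():
    """Create a temp directory mimicking /opt/cowrie/dl (constructed test data)."""
    d = tempfile.mkdtemp(prefix="cowrie_dl_")
    real = {}
    for label, data in CONSTRUCTED_SAMPLES.items():
        path = os.path.join(d, hashlib.sha256(data).hexdigest())
        with open(path, "wb") as f:
            f.write(data)
        real[label] = path
    # Per-attack symlinks (names made up): three sessions dropped bot_a, one bot_b.
    for i, label in enumerate(["bot_a", "bot_a", "bot_a", "bot_b"]):
        os.symlink(real[label], os.path.join(d, f"20160101-0000{i}-sess{i}-wget"))
    # A link whose sample was removed, and a file saved under a non-hash name.
    os.symlink(os.path.join(d, "deadbeef" * 8), os.path.join(d, "20160101-00009-sess9-wget"))
    with open(os.path.join(d, "partial.tmp"), "wb") as f:
        f.write(b"partial")
    return d


if __name__ == "__main__":
    summary = summarize_dl(build_constructed_dl_dir())
    attacks = sum(len(s["attacks"]) for s in summary["samples"].values())
    print(f"{len(summary['samples'])} unique samples across {attacks} attack links")
    print("Most dropped:", most_dropped(summary))
    print("Name/hash mismatches:", summary["mismatched"])
    print("Dangling links:", summary["dangling"])
```

Point `summarize_dl` at the real /opt/cowrie/dl to get the same report for a live sensor; a name/hash mismatch there means a file was altered or partially written after Cowrie stored it, which is worth knowing before anyone reverses it.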

Cowrie – Malware - VirusTotal Checked a few hashes; none were new. Randomly grabbed one hash and submitted it to VirusTotal. Hash not found… Wait, is this new malware!? Submitted: new to VirusTotal, but 29 out of 55 AV vendors were aware of the signature. Future: planning to automate submissions to VT using their API.
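The slide's “look the hash up, and if VirusTotal has never seen it, submit it” workflow is the part worth automating. The script below is an added example, not the deck's code and not an official VirusTotal client: it uses the current v3 file-report endpoint (`GET /api/v3/files/{sha256}` with an `x-apikey` header, which postdates the deck), treats HTTP 404 as “unknown hash”, and splits a list of hashes into known samples with a detection ratio and unknown ones queued for submission. The network is replaced by a constructed `fake_opener` so it runs offline; the 29/55 figure it returns is constructed to mirror the slide, and the API key is a placeholder.

```python
import contextlib
import io
import json
import time
import urllib.error
import urllib.request

# Current VirusTotal v3 file-report endpoint (the deck names no endpoint).
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def vt_lookup(sha256, api_key, opener=urllib.request.urlopen):
    """Fetch the report for one hash. Returns None when VT has no record (HTTP 404)."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with opener(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise  # quota exhausted, bad key, etc. should surface, not be swallowed


def summarize_report(report):
    """Reduce a v3 file report to (engines detecting, engines reporting)."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    detected = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = detected + stats.get("undetected", 0) + stats.get("harmless", 0)
    return detected, total


def triage_hashes(hashes, api_key, opener=urllib.request.urlopen, delay=15.0):
    """Split hashes into known (with detection ratio) and unknown (to submit).
    The default delay keeps a batch within the public API's 4 requests/minute quota."""
    known, to_submit = {}, []
    for i, h in enumerate(hashes):
        if i and delay:
            time.sleep(delay)
        report = vt_lookup(h, api_key, opener)
        if report is None:
            to_submit.append(h)
        else:
            known[h] = summarize_report(report)
    return known, to_submit


# Constructed stand-in for the network: one hash is "known" with 29/55 detections
# (mirroring the slide's numbers); any other hash answers 404.
KNOWN_HASH = "a" * 64
UNKNOWN_HASH = "b" * 64


def fake_opener(req):
    if req.full_url.endswith(KNOWN_HASH):
        body = json.dumps({"data": {"attributes": {"last_analysis_stats": {
            "malicious": 29, "suspicious": 0, "undetected": 26, "harmless": 0}}}})
        return contextlib.closing(io.StringIO(body))
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)


if __name__ == "__main__":
    known, to_submit = triage_hashes([KNOWN_HASH, UNKNOWN_HASH], "VT_API_KEY_PLACEHOLDER",
                                     opener=fake_opener, delay=0)
    for h, (det, tot) in known.items():
        print(f"{h[:12]}... known, {det}/{tot} engines flag it")
    for h in to_submit:
        print(f"{h[:12]}... not on VirusTotal; candidate for submission")
```

With the default `opener` and a real key, the same `triage_hashes` call queries VirusTotal; the hashes it returns in `to_submit` are the ones worth uploading, which keeps the honeypot's already-known drones from eating the daily quota.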

Cowrie – Malware Running strings on any of the binaries returns typical IRC commands. Most appear to simply be botnet drones. One uploaded Python script uses speedtest.net requests to determine the speed of the server and reports back.
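A first-pass triage of a few thousand drops can be automated along the lines of the `strings` check the slide describes. The script below is an added example (not the deck's code): it extracts printable-ASCII runs the way `strings` does, counts IRC protocol verbs at the start of each run, and gives a verdict once enough distinct verbs appear. The input is a constructed byte blob with a few IRC-style format strings; the verb list and the threshold of three distinct verbs are choices made here, not anything from the deck.

```python
import re
from collections import Counter

# Constructed stand-in for a dropped binary: printable runs mixed with non-printable bytes.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16        # "ELF" is shorter than MIN_LEN, so dropped
    + b"NICK %s\r\n" + b"\x01\x02"
    + b"USER %s 8 * :%s\r\n" + b"\xff\xfe"
    + b"JOIN #channel\r\n" + b"\x00" * 5
    + b"PRIVMSG %s :%s\r\n" + b"\x90" * 7
    + b"PING :%s\r\n" + b"ab\x00"                 # "ab" is too short as well
    + b"/bin/sh\x00" + b"speedtest.net\x00"
)

# IRC verbs commonly seen in drone binaries; a choice made for this example.
IRC_VERBS = {"NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE", "PING", "PONG", "MODE", "QUIT"}
MIN_LEN = 4


def extract_strings(data, min_len=MIN_LEN):
    """Equivalent of `strings`: runs of printable ASCII at least min_len bytes long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def irc_indicators(strings):
    """Count IRC verbs that begin a string (format strings like 'NICK %s' count too)."""
    counts = Counter()
    for s in strings:
        words = s.split()
        if words and words[0].upper() in IRC_VERBS:
            counts[words[0].upper()] += 1
    return counts


def classify(data, threshold=3):
    """Verdict on one blob: 'likely IRC bot' once `threshold` distinct verbs are present."""
    strings = extract_strings(data)
    verbs = irc_indicators(strings)
    verdict = "likely IRC bot" if len(verbs) >= threshold else "no IRC indicators"
    return {"strings": strings, "irc_verbs": verbs, "verdict": verdict}


if __name__ == "__main__":
    result = classify(SAMPLE_BINARY)
    for s in result["strings"]:
        print(repr(s))
    print("IRC verbs:", dict(result["irc_verbs"]))
    print("Verdict:", result["verdict"])
```

Run `classify` over every unique file in the download directory and the IRC drones separate themselves from the rest in seconds; whatever is left (like the speedtest.net script the slide mentions) is the short list worth a manual look.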

Cowrie – Malware - Downloader

Wordpot WordPress honeypot. Uses real WordPress themes. Captures scans against the system and logs them.

Wordpot So far… Running just under 7 days. Only 2 scans, both tests from my Kali VM! More investigation needed – may need more configuration.

Conclusion Modern Honey Net is simple to set up and operate. Sensors are very simple to set up and operate. It appears almost all connections are from automated bots. Interesting to see the interactions.