Kirby Kuehl Honeynet Project Member 05/08/2002 Intrusion Deception

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl2 Intrusion Deception—Deceiving the Blackhat Reconnaissance Reconnaissance An inspection or exploration of an area, especially one made to gather military information. A Honeypot MUST appear to be an attractive target.A Honeypot MUST appear to be an attractive target. –Accurate Responses to active (nmap) and passive(p0f) operating system fingerprinting methods, daemon banner queries, port scans, and vulnerability scanners (nessus). nmapp0fnessusnmapp0fnessus –Convincing content if system is running httpd or ftpd. –Inconspicuous in relation to rest of network. –The Honeypot can reside next to production systems so that it is scanned during sweeps or ports can be redirected from production systems to the Honeypot.

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl3 Intrusion Deception— Passing Recon Honeynet Project Honeynet Project Honeynet Project Honeynet Project Uses actual default installations of actively exploited operating systems and services.Uses actual default installations of actively exploited operating systems and services. –Nothing is emulated so host’s response to reconnaissance methods will be accurate. –Data Capture (logging), Data Control (firewalling), and Intrusion Detection (alerting) are performed utilizing other HARDENED hosts on the network. –No production hosts on network to eliminate data pollution. All traffic is suspect and is logged in full tcpdump format.

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl4 Honeynet Design – Generation I

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl5 Honeynet Design – Generation II The Honeynet Sensor Data Control: Limits outbound connections (hogwash or iptables) allowing Blackhats to obtain their tools, but not attack other systems.Limits outbound connections (hogwash or iptables) allowing Blackhats to obtain their tools, but not attack other systems.hogwash Data Capture: IDS (snort) logging all traffic as well as providing alert mechanism.IDS (snort) logging all traffic as well as providing alert mechanism.snort Deception: No IP Stack.No IP Stack. No TTL decrementing.No TTL decrementing.

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl6 Intrusion Deception— Passing Recon Virtual Honeynets Virtual Honeynets Virtual Honeynets Virtual Honeynets VMWare: GuestOS (Honeypot) virtual machine inside HostOSVMWare: GuestOS (Honeypot) virtual machine inside HostOS –GuestOS is caged by denying access to HostOS filesystem. –Host only networking forces the GuestOS to access the network through the HostOS allowing firewalling and intrusion detection. –The Honeynet Project utilizes a Red Hat default installation running inside a Hardened Red Hat installation. –NMAP’s TCP fingerprinting returned unknown OS –Running a mock ecommerce site.

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl7 Intrusion Deception— Passing Recon Open source Honeypots Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run simulated TCP services or proxy the service to another machine. The TCP/IP personality (OS Fingerprints) can be adapted so that they appear to be running certain versions of operating systems. Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run simulated TCP services or proxy the service to another machine. The TCP/IP personality (OS Fingerprints) can be adapted so that they appear to be running certain versions of operating systems. Honeyd Arpd enables a single host to claim all unassigned addresses on a LAN by answering any ARP request for an IP address with the MAC address of the machine running arpd. Arpd enables a single host to claim all unassigned addresses on a LAN by answering any ARP request for an IP address with the MAC address of the machine running arpd. Arpd

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl8 Honeyd / Arpd Configuration

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl9 Intrusion Deception— Passing Recon Commercial Honeypots Commercial Honeypots MantrapMantrap from Recourse Technologies (requires Solaris)Mantrap –Ability to create up to 4 sub-systems (cages) each running Solaris by utilizing separate interfaces (each host will have unique MAC Address). –You can run virtually any application that doesn’t interact with the kernel within the 4 chrooted cages. –Content Generation Module can be used to create realistic data.

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl10 Mantrap Configuration

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl11 Mantrap Configuration

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl12 Intrusion Deception— Passing Recon Commercial Honeypots Commercial Honeypots Specter (requires Windows NT)Specter (requires Windows NT)Specter –Specter can emulate one of 13 different operating systems. As of Version 6.02 the IP stack is not emulated so IP fingerprinting tools are not fooled. (A Stealth Plugin is currently under development using raw socket support on XP.) –Specter honeypots offer % emulated services such as: STMP, FTP, Telnet, Finger, POP3, IMAP4, HTTP, and SSH –Custom fake password files and custom HTTP content.

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl13 Specter Configuration

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl14 Intrusion Deception— Passing Recon Commercial Honeypots Commercial Honeypots Netfacade from Verizon (requires Solaris)Netfacade from Verizon (requires Solaris)Netfacade –Can simulate up to an entire class C although all hosts will have the same MAC Address. –Simulates 8 different operating systems properly fooling TCP fingerprinting methods. –Simulates 13 different vulnerable services such as FTP (wu academ[BETA-12](1), System V Release 4.0, and SunOS4.1 versions), SSH (SSH Communications Security Ltd's and versions), etc. –Automatically generates hostnames, user accounts, operating systems and running services for simulated hosts through web interface.

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl15 Intrusion Deception— Changing with the times Blackhat techniques have become more sophisticated. Blackhat techniques have become more sophisticated. Using kernel module rootkits (adore, kis)Using kernel module rootkits (adore, kis)adorekisadorekis –Process hiding –Keystroke logging –Covert communication channels Polymorphic shellcode (ADMutate)Polymorphic shellcode (ADMutate)ADMutate Fragroute (IDS Evasion)Fragroute (IDS Evasion)Fragroute Honeynet Project Honeynet Project Patching the kernel directlyPatching the kernel directly –Keystroke logging allowing us to capture encrypted outbound traffic (ssh) –Logging via covert communication channels rather than remote syslog –Snort-stable enabling appropriate preprocessors and logging all traffic (Not just TCP/UDP/ICMP) Snort-stable

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl16 Intrusion Deception— Honeynet Alliance Research Alliance Honeynets Research Alliance Honeynets Freedom for organizations to create their own honeynets and participate in a virtual community.Freedom for organizations to create their own honeynets and participate in a virtual community. –Standardized Capture and Logging formats –Events can be forwarded to a common database –Shared Research and Analysis Research Alliance Honeynets exist within advertised environments alongside production systems.Research Alliance Honeynets exist within advertised environments alongside production systems. –Hopefully attracting targeted and more sophisticated attacks.

Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl17 Intrusion Deception— More Information –Whitepapers –Forensic Challenge –Scan of the month –Research Alliance –Know your Enemy book