Capturing Malware. Hack.lu 2007. Christophe Monniez, Miguël Blauwbloeme, Hillar Leoste
Nepenthes: what is it?
A low-interaction honeypot. It simulates 22 vulnerabilities (MS Windows, DameWare, MSSQL, IIS, ...), listens on 26 ports, and captures malware that uses those vulnerabilities to propagate. C.Monniez - FCCU
Nepenthes: where to get it
Runs on GNU/Linux, OpenBSD, FreeBSD, Mac OS X and Cygwin. Where to find it: the official Debian package ( ), the unofficial Debian package ( ) nthes/, or download and compile from the Subversion repository: svn co trunk/
Nepenthes: useful features
By default it does nothing else than wait for malware. Module architecture: a module to synchronize malware repositories between two Nepenthes sensors; modules to submit captured samples to a database or to a web server.
A Norman sandbox module automatically sends captured samples to the Norman sandbox; the report is received by mail (maybe broken now due to a captcha ...). A lot more modules to explore: pcap ...
Hexdumps of unknown attacks.
Nepenthes: where to place it?
In front of your Internet connection. Examples: on a gateway between your internal network and the Internet, or side by side with your gateway if you can have another Internet IP.
In some sort of DMZ. Example: forward the 26 ports from your Internet gateway to the sensor.
In your office intranet!!! A good way to track malware that is spreading in your internal network.
At some ISP :-)
Nepenthes: border filtering
It seems that some ISPs are doing border filtering; in this case you only capture malware coming from people at the same ISP.
Nepenthes: captured binaries
Binary files are stored on your disk; the name of the binary is its MD5 hash.
Nepenthes: log files
nepenthes.log: a very verbose log of what Nepenthes did.
logged_downloads: filename and from where the malware was downloaded.
logged_submissions: filename, from where it was downloaded and the MD5 hash.
(screenshot of logged_downloads)
(screenshot of logged_submissions)
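As an added example (not from the slides and not Nepenthes project code), the following Python script audits a Nepenthes binaries directory against logged_submissions: it checks that every stored file really hashes to the MD5 in its file name (the slides say the file name is the MD5 hash), lists files on disk that were never logged, and lists logged hashes for which no file exists, so that a tampered or truncated capture is noticed before the sample is shared or submitted to a sandbox. The slides do not show the exact layout of a logged_submissions line, so the layout parsed here (a bracketed timestamp, the source URL, the MD5) and the sample lines, directory contents and documentation-range IPs are constructed assumptions; adapt parse_submission_line() to the real file.

```python
"""Audit a Nepenthes binaries directory against logged_submissions.

Added example, not part of the original slides or the Nepenthes project.
The log line layout and all sample data below are constructed assumptions.
"""
import hashlib
import os
import re
import tempfile

# ASSUMED line layout: "[<timestamp>] <source-url> <md5>"
SUBMISSION_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<url>\S+)\s+(?P<md5>[0-9a-f]{32})\s*$"
)


def parse_submission_line(line):
    """Return (timestamp, url, md5) for one log line, or None if it does not match."""
    m = SUBMISSION_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("url"), m.group("md5")


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory sample (used for constructed test data)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """Stream a file through MD5 so large captures need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_binaries(binaries_dir, submission_lines):
    """Compare what logged_submissions claims with what is on disk.

    Returns a dict with sorted lists:
      ok       - logged md5s whose file content hashes to its file name
      corrupt  - files whose content does not hash to their file name
      unlogged - intact files on disk with no logged_submissions entry
      missing  - logged md5s with no file on disk
    and 'sources', mapping each logged md5 to the URLs it was fetched from.
    """
    logged = {}
    for line in submission_lines:
        parsed = parse_submission_line(line)
        if parsed:
            _ts, url, md5 = parsed
            logged.setdefault(md5, []).append(url)

    on_disk = set(os.listdir(binaries_dir))
    corrupt = sorted(
        name for name in on_disk
        if md5_of_file(os.path.join(binaries_dir, name)) != name
    )
    intact = on_disk - set(corrupt)
    return {
        "ok": sorted(intact & set(logged)),
        "corrupt": corrupt,
        "unlogged": sorted(intact - set(logged)),
        "missing": sorted(set(logged) - on_disk),
        "sources": logged,
    }


def demo():
    """Build a constructed binaries directory plus log, then audit them."""
    with tempfile.TemporaryDirectory() as d:
        one = b"constructed sample one"   # logged and intact
        two = b"constructed sample two"   # intact but never logged
        for data in (one, two):
            with open(os.path.join(d, md5_of_bytes(data)), "wb") as f:
                f.write(data)
        # A file whose name no longer matches its content (e.g. a truncated write).
        with open(os.path.join(d, "0" * 32), "wb") as f:
            f.write(b"tampered or truncated content")

        # Constructed logged_submissions lines in the assumed layout.
        log = [
            "[2007-10-18T10:00:00] http://203.0.113.7/x.exe " + md5_of_bytes(one),
            "[2007-10-18T10:05:00] tftp://198.51.100.9/svc.exe " + "0" * 32,
            "[2007-10-18T10:07:00] http://192.0.2.5/update.exe " + "f" * 32,
            "this line does not match the assumed layout and is skipped",
        ]
        return audit_binaries(d, log)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the script directly to see the four categories on the constructed data; on a real sensor, call audit_binaries() with the binaries directory and the lines of logged_submissions, and treat anything in corrupt or unlogged as a reason to inspect the sensor before trusting or sharing the sample.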
Other tools
Honeytrap: collects information about unknown attacks. honeyd. Honeybow. High-interaction honeypots: honeynet.
Bleeding Snort. On Windows: Honeybot (mid-interaction honeypot) hp, Multipot.
Online sandboxes
Sunbelt sandbox, Norman sandbox, Anubis, ThreatExpert.
Virus Total: http://www.virustotal.com/fr/
Question time: questions?