Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modern Honey Net An Introduction.

Published byWilliam Gallagher Modified over 6 years ago

Similar presentations

Presentation on theme: "Modern Honey Net An Introduction."— Presentation transcript:

1 Modern Honey Net An Introduction

2 Why? Why not? Capture Malware for study. See what “attackers” do.
Education. Target specific type of attacker – Thinkst Canary is an example.

3 What Honeypot? What traffic you’re trying to capture will of course determine the type of honeypot. Kippo / Cowrie – SSH Honeypot Wordpot – Wordpress Honeypot Suricata IDS/IPS (not a honeypot) Conpot – SCADA/ICS Honeypot Glastoph – WebApp Honeypot

4 What Honeypot? What or Who are trying to attract? Specific Attackers?
Just listening for scans/attacks? Malware collection?

5 Modern Honey Net? Unified interface for managing multiple Honeypots.
Aggregates lots of data from sensors. Provides a nice method of installing new sensors.

6 My Honeynet Digital Ocean Droplets - $5usd/m 512mb RAM

7 Modern Honey Net - Install
Requires Ubuntu – Trusty Tahr MHN did not install on Ubuntu 16 Installs all dependencies automatically, including Nginx and other Python deps.

8 Overview - Cowrie Cowrie is a port of an older SSH Honeypot, Kippo.
Written in Python. It offers a full shell environment for attackers to interact with. Attackers login and access it just as they would a regular SSH daemon/Bash shell. Uploaded malware is stored safely for later inspection. Configurable for Username/Password combos that will be accepted.

9 Sensor Install - Cowrie
Access “Deploy” menu item. Select Cowrie. Copy command & execute on sensor VM. Shows script content in same window.

10 Cowrie - Sensor Install
Install script reconfigures SSH daemon to listen on TCP 2222 Cowrie takes over TCP 22 Reboot & get pwned!

11 Cowrie - Sensor Install
There is a couple of minor ‘gotchas’. Script misses a couple of dependencies, connections and transfers fail without them. Install ‘python-tftpy’ and ‘python-configparser’. Restart ‘supervisord’ or reboot; I needed to reboot as ‘supervisord’ did not restart correctly.

12 Cowrie - Operation Logs Usernames/Passwords entered Popular Usernames:

13 Cowrie - Operation Popular Passwords:

14 Cowrie - Malware Uploaded to /opt/cowrie/dl Files SHA256 Hashed.
Symlinked from individual attacks. 28,283 Attacks in under 7 days. 2000+ Malware binaries uploaded to Cowrie. Happy to provide a zip if anyone wants to reverse engineer any of the malware.

15 Cowrie – Malware - VirusTotal
Checked a few hashes, none were new. Randomly grabbed one hash, submitted to VirusTotal. Hash not found… Wait, is this new malware!? Submitted, New to VirusTotal, but 29 out of 55 AV vendors were aware of the signature. Future: Planning to automate submissions to VT using their API.

16 Cowrie – Malware Running strings on any of the binaries returns typical IRC commands. Most appear to simply be botnet drones. One example Python script uploaded uses speedtest.net requests to determine speed of the server and reports back.

17 Cowrie – Malware - Downloader

18 Wordpot Wordpress Honeypot. Uses real Wordpress themes.
Captures scans against the system and logs them.

19 Wordpot So far… Running just under 7 days.
Only 2 scans, Both tests from my Kali VM! More investigation needed – may need more configuration.

20 Conclusion Modern Honey Net is simple to setup and operate.
Sensors are very simple to setup and operate. It appears almost all connections are from automated bots. Interesting to see the interactions.

Download ppt "Modern Honey Net An Introduction."

Similar presentations

Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.

Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.
What is MySQL? MySQL is a relational database management system (A relational database stores data in separate tables rather than putting all the data.

What is MySQL? MySQL is a relational database management system (A relational database stores data in separate tables rather than putting all the data.
Manuka project IEEE IA Workshop June 10, 2004. Agenda Introduction Inspiration to Solution Manuka Use SE Approach Conclusion.

Manuka project IEEE IA Workshop June 10, Agenda Introduction Inspiration to Solution Manuka Use SE Approach Conclusion.
Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise.

Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise.
The easy way to a nice looking website design By a total non-designer (Me!)

The easy way to a nice looking website design By a total non-designer (Me!)
MIS 5211.001 Week 7 Site:

MIS Week 7 Site:
Ssh: secure shell. overview Purpose Protocol specifics Configuration Security considerations Other uses.

Ssh: secure shell. overview Purpose Protocol specifics Configuration Security considerations Other uses.
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.
2440: 141 Web Site Administration Remote Web Server Access Tools Instructor: Enoch E. Damson.

2440: 141 Web Site Administration Remote Web Server Access Tools Instructor: Enoch E. Damson.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.
Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.

Demystifying Backdoor Shells and IRC Bots: The Risk … By : Jonathan.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
1. 2 Device management refers to the IDS Sensor's ability to dynamically reconfigure the filters and access control lists (ACL) on a router, switch, and.

1. 2 Device management refers to the IDS Sensor's ability to dynamically reconfigure the filters and access control lists (ACL) on a router, switch, and.
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.

ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
Internet of Things with Intel Edison Compiling and running Pierre Collet Intel Software.

Internet of Things with Intel Edison Compiling and running Pierre Collet Intel Software.
| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.

| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.
A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science.

A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science.
Linux Services Muhammad Amer. 2 xinetd Programs  In computer networking, xinetd, the eXtended InterNET Daemon, is an open-source super-server daemon.

Linux Services Muhammad Amer. 2 xinetd Programs  In computer networking, xinetd, the eXtended InterNET Daemon, is an open-source super-server daemon.

Similar presentations

Ads by Google