Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Honeynet Project Advancements in Honeypot Tools.

Published byLogan Townsend Modified over 9 years ago

Similar presentations

Presentation on theme: "The Honeynet Project Advancements in Honeypot Tools."— Presentation transcript:

1 The Honeynet Project Advancements in Honeypot Tools

2 Presented by Kirby Kuehl Background Feel free to ask questions during presentation. Email: kkuehl@cisco.comkkuehl@cisco.com Websites: http://www.honeynet.orghttp://www.honeynet.org http://winfingerprint.sourceforge.net

3 About the Honeynet Project Informally began as the Wargames mailing list in 1999. Project officially formed in 2000. Became a Non-profit organization in 2001. Consists of 30 members who volunteer their time and resources to research the hacker community.

4 Honeynet Project Goals Learn the Tools, Tactics, and Motives of the Hacker Community Raise Awareness through release of “Know Your Enemy” series of whitepapers. Teach and Inform Scan of the Month Challenges Reverse Challenge Forensic Challenge Research Honeynet Alliance Tool Development

5 Layer 3 Data Control: A shell script counted the number of outbound connections initiated by the attacker and blocked all connections after a count of 10 was reached. This suspicious behavior could lead to the discovery of the firewall via TTL decrementing (traceroute) and possible attack since the firewall obviously has Layer 3 Address (IP Address). Data Capture: The IDS (snort) listens on the span port of the switch, capturing all inbound/outbound traffic.

6

7 Generation II Honeynet Sensor Components: The Bridging Firewall Counting and Blocking Connections Improvements Data Control with Snort-Inline Sebek kernel module Honeyd and arpd Sneak Peak of “The Honeywall CD”

8 Honeynet Data Control The Linux Bridging Firewall Bridges are Layer 2 devices that connect two or more distinct Ethernet segments. All packets received by one interface are transparently copied to the other interface based upon MAC address. A Bridging Firewall is capable of transparently filtering received frames before they are copied to the second interface. Requires a Linux kernel compiled with bridge and bridge firewall support. See http://bridge.sourceforge.net/ for kernel patches and more information.http://bridge.sourceforge.net/

9 Honeynet Data Control Method 1: Counting and Blocking Connections IPTables Firewall Script uses the LOG and ACCEPT targets for all inbound connections allowing attackers to enter the honeynet. The IPTables Firewall Script LOGs and ACCEPTs outbound connections until a predefined limit is reached within a specified timeframe. Connection attempts beyond the limit are DROPped. Example Data Control Firewall Script http://www.honeynet.org/papers/honeynet/tools/rc.firewall http://www.honeynet.org/papers/honeynet/tools/rc.firewall

10 Honeynet Data Control Method 2: Snort-Inline The Honeynet Project utilizes Snort-Inline in combination with netfilter/iptables operating as a bridging firewall to send packets to userspace for processing. This is accomplished with the QUEUE target. The standard queue handler for IPv4 iptables is the ip_queue module, which is distributed with the kernel and marked as experimental. Snort-inline (the userspace application) uses the libipq API, (which is distributed with iptables) to receive and possibly manipulate the packets traversing the bridge as demonstrated in the next slides. Snort-Inline: http://www.snort.org/dl/contrib/patches/inline/http://www.snort.org/dl/contrib/patches/inline/ Netfilter/iptables: http://www.netfilter.orghttp://www.netfilter.org

11 Snort-Inline Rule Options Drop – The drop rule tells iptables to drop the packet and log it via usual snort means Sdrop – The sdrop rule tells iptables to drop the packet. Nothing is logged. Reject – T he reject rule type tells iptables to drop the packet; log it via usual snort means; and send a TCP reset if the protocol is TCP or an ICMP port unreachable if the protocol is UDP.

12 Snort-Inline Drop Rule To drop an DNS attack, the signature would look as follows: drop tcp $HOME_NET any $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";

13 Snort-Inline Drop Rule Management Kernel Space modprobe ip_queue iptables -A OUTPUT -p icmp -j QUEUE Iptables-1.2.7a Ip_queue User Space Snort-InlineSnort Rules = Drop DROP snort –Q –c /snort.conf

14 Snort-Inline Replace Rule Another option replaces portions of the payload (disabling the effectiveness of the attack) but allowing the connection to continue: alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)

15 Snort-Inline Replace Mode Management Kernel Space modprobe ip_queue iptables -A OUTPUT -p icmp -j QUEUE Iptables-1.2.7a Ip_queue User Space Snort-Inline Snort Rules = Replace Internet /bin/sh/ben/sh

16 Honeyd Honeyd, when used in conjunction with arpd can simulate an entire LAN containing virtual hosts. These virtual hosts can fool various TCP and ICMP fingerprinting methods. These virtual hosts can run various virtual, proxied, or fake services. http://www.citi.umich.edu/u/provos/honeyd/

17 Honeyd Operation ping 192.168.1.15 arpd arpd_send: who-has 192.168.1.15 to 192.168.1.9 arpd_reply: 192.168.1.15 is-at 00:09:6b:e0:39:9b honeyd Sending ICMP Echo Reply: 192.168.1.15 -> 192.168.1.9 Reply from 192.168.1.15: bytes=32 time<10ms TTL=64

18 Honeyd: The role of arpd Like the bridging firewall used by snort- inline, arpd also operates at Layer 2. Arpd replies to any ARP request for an IP address (Layer 3) within the simulated network with the MAC address of the specified interface of the machine running arpd. This allows one host to simulate an entire network of machines.

19 Arpd Screenshot

20 Honeyd Screenshot

21 ARP Cache

22 Sample Honeyd Configuration # Example of a simple host template and its binding create default set default personality “FreeBSD 2.2.1-STABLE” add default tcp port 80 “sh scripts/web.sh” add default tcp port 22 "sh scripts/test.sh $ipsrc $dport" add default tcp port 113 reset add default tcp port 1 reset set default uid 32767 gid 32767 bind 192.168.1.15 default set 192.168.1.15 uptime 1327650 #add default tcp port 23 proxy 192.168.1.13:23 #set default subsystem “/usr/sbin/httpd”

23 NMAP Portscan and OS Fingerprint

24 Sebek Kernel Space data collection The Sebek kernel module collects data passing through the read() system call. This captures the intruder’s ssh keystrokes and recovers scp file transfers. Sebek utilizes the adore rootkit to hide the sebek files and processes from the attacker. Sebek : http://www.honeynet.org/papers/honeynet/tools/http://www.honeynet.org/papers/honeynet/tools/ Adore: http://www.team-teso.net/releases.phphttp://www.team-teso.net/releases.php

25 Sdm : The Sebek Device Monitor Sdm encrypts the payload. Based on the intruder’s input, the IP addresses, MAC addresses, and UDP port numbers are falsified. Data is transferred using a variable amount of delay. Sdm transmits decoy packets when there is no legitimate traffic.

26 Sebeksniff and Sbdump Collects the data from sdm, unencrypts it, and stores it in a log file. Use the sbdump.pl script to examine these log files. Sbdump displays the timestamp, user id, process name, tty, file descriptor and the data (ssh keystrokes or file transferred by scp)

27 Sebek Diagram

28 Honeywall CD Coming Soon… Bootable CDROM Honeynet Gateway extracts operating system onto a ram drive. Hardware requirements: 256MB of RAM, a CD- ROM, a 10GB IDE hard drive (for logging and storage of various boot variables such as which networks to bridge), and two NICs. Capable of Generation 1 (Layer 3) or Generation 2 (Layer 2) Honeynet Data Control. Kernel contains bridge firewalling support for the inline enabled snort. Also includes Sebek, dsniff, tcpdump, and p0f.

29 Honeywall CD Main Screen

30 Initialize drive mounts a local IDE drive for Honeynet Logging and storage of settings.

31 Start Layer 2 Bridge

32 Bringing up the bridge and starting various utilities

33 Wininterrogate: Analysis of Win32 File systems and Processes

34 Wininterrogate: File system Recursively walks directory structure obtaining the following: File Name Complete Path Directory File Size Creation Time Last Access Time Last Write Time Attributes

35 Wininterrogate: Processes Display Process Name and Path Process ID (pid) Linked DLLs DLL Entry Point DLL Base DLL Image Size Port Bindings (Windows XP Only)

36 Wininterrogate: Common Options MD5 Checksum providing similar functionality to tripwire CSV (comma separated value). Import into Microsoft Excel or any database for processing. Extra information Gathered on *.DLL, *.VBX, *.DRV, *.EXE, *.OCX, *.BIN, *.SCR CompanyName FileDescription FileVersion InternalName LegalCopyright OriginalFilename ProductName ProductVersion

Download ppt "The Honeynet Project Advancements in Honeypot Tools."

Similar presentations

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
SYSTEM ADMINISTRATION Chapter 19

SYSTEM ADMINISTRATION Chapter 19
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 13: Troubleshoot TCP/IP.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 13: Troubleshoot TCP/IP.
TCP/IP Protocol Suite 1 Chapter 7 Upon completion you will be able to: ARP and RARP Understand the need for ARP Understand the cases in which ARP is used.

TCP/IP Protocol Suite 1 Chapter 7 Upon completion you will be able to: ARP and RARP Understand the need for ARP Understand the cases in which ARP is used.
Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.

Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.
Honeywall CD-ROM. Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
ITIS 6167/8167: Network and Information Security Weichao Wang.

ITIS 6167/8167: Network and Information Security Weichao Wang.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.

TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 7 Connect the SUSE Linux Enterprise Server to the Network.
Module 1: Reviewing the Suite of TCP/IP Protocols.

Module 1: Reviewing the Suite of TCP/IP Protocols.
Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.

Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.
1 Version 3.1 Module 4 Learning About Other Devices.

1 Version 3.1 Module 4 Learning About Other Devices.
Module 7: Configuring TCP/IP Addressing and Name Resolution.

Module 7: Configuring TCP/IP Addressing and Name Resolution.
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.

Similar presentations

Ads by Google