Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise."— Presentation transcript:

1 Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise Behavior Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania, School of Arts and Sciences

2 Copyright 2010 Justin C. Klein Keane Background SSH  Secure replacement for telnet  RFC defined protocol (open)  Available on most Linux/Unix machines Ongoing brute force attacks are seen on SSH servers Unfortunately we don't know what are attackers after  Tempting logical fallacy to assume motivation  Threat modeling and risk analysis depend on knowing motivation

3 Copyright 2010 Justin C. Klein Keane Honeypots What is a honeypot?  Service deliberately configured to attract malicious attention Why would you use one?  Tar pit, waste attacker time  Early warning, warn of attacks  Profiling, determine the types of attacks that are being utilized against your resources

4 Copyright 2010 Justin C. Klein Keane Types of Honeypots High interaction  Full system installation  Advantage is attacker has a full stack to interact with  Disadvantage is attacker has more tools, could hide or break out of the honeypot Low interaction  Software implementation that simulates a system  Controlled environment, but is much easier for attackers to detect

5 Copyright 2010 Justin C. Klein Keane Danger! Downstream liability  Attackers could user your honeypot as a launching pad to attack others  Attackers could host malicious content on your server  Attacker could use your honeypot as a dump site for illegal material Pivot point  Attackers could end-run access control to internal resources using the honeypot

6 Copyright 2010 Justin C. Klein Keane Logistical Considerations Resource intensive  Set up is time consuming, installation of OS and configuring software  Analysis – it takes time to pore through logs and recreate attacker activity  Redeployment can be a hassle, although virtual machine snap-shots make this much easier

7 Copyright 2010 Justin C. Klein Keane Kojoney Open source low interaction SSH honeypot  Written in Python so it should work on any platfrom http://kojoney.sourceforge.net/ Has some flaws...  Static timestamps, many commands unsupported, limited filesystem, etc.

8 Copyright 2010 Justin C. Klein Keane How Kojoney Works How it works  Negotiates a full SSH session with attackers  Takes attacker input, logs it, examines it and responds with simulated output  Allows attackers to download toolkits with wget and curl, but stores the files outside the sandbox

9 Copyright 2010 Justin C. Klein Keane Customization Modified interaction to appear more dynamic Updated directories, using the defaults can be a dead giveaway Added directory functionality so attackers can navigate the structure, create and remove directories Added support for “requested” commands, if we saw attempts to use an unsupported command we built support in Added MySQL database support where all login data and commands are stored which makes reporting and analysis much easier

10 Copyright 2010 Justin C. Klein Keane Setup Kojoney running October 27, 2009, through May 3, 2010. Commodity desktop hardware, just an old Pentium powered machine with 512 MB RAM Dedicated IP Separate management interface

11 Copyright 2010 Justin C. Klein Keane Data Set Observed 109,121 login attempts 596 distinct IP addresses 70 IP's participated in multiple attacks Longest span between attacks was 135 days

12 Copyright 2010 Justin C. Klein Keane Attacks per Hour

13 Copyright 2010 Justin C. Klein Keane Attacks per Day

14 Copyright 2010 Justin C. Klein Keane Attacks per Month

15 Copyright 2010 Justin C. Klein Keane Top 16 Attacks by Country

16 Copyright 2010 Justin C. Klein Keane Top 20 Usernames

17 Copyright 2010 Justin C. Klein Keane Top 20 Passwords

18 Copyright 2010 Justin C. Klein Keane Most Popular Commands (3,062 issued, 181 distinct)

19 Copyright 2010 Justin C. Klein Keane Distinct Commands

20 Copyright 2010 Justin C. Klein Keane Commands by Session

21 Copyright 2010 Justin C. Klein Keane Wget Downloads 282 downloads captured Windows XP SP 3 downloaded 41 times Other popular downloads:  PsyBNC  Other IRC bots  UDP Ping Flooders  Port scanners  SSH brute force tools

22 Copyright 2010 Justin C. Klein Keane Attack Command Analysis Context is key  In 94/150 times 'cat' was used as: cat /proc/cpuinfo Some attacker commands innocuous, others not:  w  uptime  wget  unset

23 Copyright 2010 Justin C. Klein Keane Target Accounts System accounts favorite targets Dictionary lists were uncommon Passwords were relatively complex  Dictionary attack was uncommon Username 'alice' with password 'password' would withstand attacks

24 Copyright 2010 Justin C. Klein Keane Defensive Strategies Use SSH keys Disable remote root login over SSH Run SSH on an alternate port Use login attempt limits to frustrate brute force

25 Copyright 2010 Justin C. Klein Keane Detection Mechanisms Blacklist using: OSSEC  http://www.ossec.net SSH Black  http://www.pettingers.org/code/sshblack.html

26 Copyright 2010 Justin C. Klein Keane Conclusions Blocking by source IP may be feasible Limit access by time of day Use IP to seed examination of other logs 'trojan' certain programs to log activity

27 Copyright 2010 Justin C. Klein Keane Known Hostile Traffic Look for internal source Use IP as seed for log analysis Fingerprint malware captures Look for traceable activity  Creating directories with names like.tmp  unset history

Download ppt "Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Chapter One The Essence of UNIX.

Chapter One The Essence of UNIX.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.

11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Telnet/SSH: Connecting to Hosts Internet Technology1.

Telnet/SSH: Connecting to Hosts Internet Technology1.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
Ana Chanaba Robert Huylo

Ana Chanaba Robert Huylo
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Copyright Justin C. Klein HECTOR Security Intelligence Platform Developed for: University of Pennsylvania School of Arts & Science.

Copyright Justin C. Klein HECTOR Security Intelligence Platform Developed for: University of Pennsylvania School of Arts & Science.
Brad Baker CS526 May 7 th, 2008 5/7/2008 1. 1. Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Similar presentations

Ads by Google