Slide 1
Intrusion Deception
Kirby Kuehl, Honeynet Project Member
05/08/2002
Slide 2
Networld+Interop Las Vegas 2002: Intrusion Deception by Kirby Kuehl
Intrusion Deception—Deceiving the Blackhat
Reconnaissance: an inspection or exploration of an area, especially one made to gather military information.
A Honeypot MUST appear to be an attractive target.
– Accurate responses to active (nmap) and passive (p0f) operating system fingerprinting methods, daemon banner queries, port scans, and vulnerability scanners (nessus).
– Convincing content if the system is running httpd or ftpd.
– Inconspicuous in relation to the rest of the network.
– The Honeypot can reside next to production systems so that it is scanned during sweeps, or ports can be redirected from production systems to the Honeypot.
Slide 3
Intrusion Deception—Passing Recon: Honeynet Project
Uses actual default installations of actively exploited operating systems and services.
– Nothing is emulated, so the host's response to reconnaissance methods will be accurate.
– Data Capture (logging), Data Control (firewalling), and Intrusion Detection (alerting) are performed by other HARDENED hosts on the network.
– No production hosts on the network, to eliminate data pollution. All traffic is suspect and is logged in full tcpdump format.
Slide 4
Honeynet Design – Generation I (diagram)
Slide 5
Honeynet Design – Generation II: The Honeynet Sensor
Data Control: limits outbound connections (hogwash or iptables), allowing Blackhats to obtain their tools but not attack other systems.
Data Capture: IDS (snort) logging all traffic as well as providing an alert mechanism.
Deception: no IP stack; no TTL decrementing.
Slide 6
Intrusion Deception—Passing Recon: Virtual Honeynets
VMWare: GuestOS (Honeypot) virtual machine inside HostOS
– GuestOS is caged by denying access to the HostOS filesystem.
– Host-only networking forces the GuestOS to access the network through the HostOS, allowing firewalling and intrusion detection.
– The Honeynet Project utilizes a Red Hat default installation running inside a hardened Red Hat installation.
– NMAP's TCP fingerprinting returned unknown OS.
– Running a mock ecommerce site.
Slide 7
Intrusion Deception—Passing Recon: Open source Honeypots
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run simulated TCP services or proxy the service to another machine. The TCP/IP personality (OS fingerprint) can be adapted so that they appear to be running certain versions of operating systems.
Arpd enables a single host to claim all unassigned addresses on a LAN by answering any ARP request for an IP address with the MAC address of the machine running arpd.
Slide 8
Honeyd / Arpd Configuration (slide content not captured)
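An added example, not from the slides or from the honeyd project's own sample configuration, of a honeyd.conf illustrating the points on slide 7: a per-host TCP/IP personality for fingerprinting tools, simulated services run by scripts, and a port proxied to another machine. The addresses, template names and script paths are assumptions; personality strings must match entries in nmap's fingerprint file (nmap.prints) and the service scripts are assumed to exist.

```conf
# Assumed example honeyd.conf (constructed for illustration).
# "default" applies to every claimed address that is not bound below;
# dropping everything there keeps unbound addresses quiet.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A fake Windows server: closed ports answer with RST, as a real host
# would, so a port scan and nmap's TCP fingerprinting see a plausible box.
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
set windows default tcp action reset
set windows default udp action reset
set windows uptime 3284460
# Simulated services are shell/perl scripts fed the connection on stdin/stdout.
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 21 "sh scripts/ftp.sh"
# Proxy SSH to another (hardened, monitored) host instead of emulating it;
# 10.0.0.5 is an assumed address.
add windows tcp port 22 proxy 10.0.0.5:22

# A fake router with only telnet exposed.
create router
set router personality "Cisco 7206 running IOS 11.1(24)"
set router default tcp action reset
add router tcp port 23 "scripts/router-telnet.pl"

# Bind templates to the unassigned addresses arpd will claim.
bind 10.0.0.10 windows
bind 10.0.0.11 windows
bind 10.0.0.1 router
```

With arpd claiming the unused addresses (`arpd 10.0.0.0/24`), honeyd is started against the same range with its fingerprint file and this config (`honeyd -p nmap.prints -f honeyd.conf 10.0.0.0/24`). Every connection to these hosts is suspect, so the sensor's snort/tcpdump capture described on slide 5 still applies.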
Slide 9
Intrusion Deception—Passing Recon: Commercial Honeypots
Mantrap from Recourse Technologies (requires Solaris)
– Ability to create up to 4 sub-systems (cages), each running Solaris, by utilizing separate interfaces (each host will have a unique MAC address).
– You can run virtually any application that doesn't interact with the kernel within the 4 chrooted cages.
– Content Generation Module can be used to create realistic data.
Slide 10
Mantrap Configuration (screenshot not captured)
Slide 11
Mantrap Configuration (screenshot not captured)
Slide 12
Intrusion Deception—Passing Recon: Commercial Honeypots
Specter (requires Windows NT)
– Specter can emulate one of 13 different operating systems. As of version 6.02 the IP stack is not emulated, so IP fingerprinting tools are not fooled. (A Stealth Plugin is currently under development using raw socket support on XP.)
– Specter honeypots offer 14 fully (100%) emulated services such as SMTP, FTP, Telnet, Finger, POP3, IMAP4, HTTP, and SSH.
– Custom fake password files and custom HTTP content.
Slide 13
Specter Configuration (screenshot not captured)
Slide 14
Intrusion Deception—Passing Recon: Commercial Honeypots
Netfacade from Verizon (requires Solaris)
– Can simulate up to an entire class C, although all hosts will have the same MAC address.
– Simulates 8 different operating systems, properly fooling TCP fingerprinting methods.
– Simulates 13 different vulnerable services such as FTP (wu-2.4.2-academ[BETA-12](1), System V Release 4.0, and SunOS 4.1 versions), SSH (SSH Communications Security Ltd.'s 1.2.26 and 2.0.9 versions), etc.
– Automatically generates hostnames, user accounts, operating systems and running services for simulated hosts through a web interface.
Slide 15
Intrusion Deception—Changing with the times
Blackhat techniques have become more sophisticated:
Using kernel module rootkits (adore, kis)
– Process hiding
– Keystroke logging
– Covert communication channels
Polymorphic shellcode (ADMutate)
Fragroute (IDS evasion)
Honeynet Project response: patching the kernel directly
– Keystroke logging, allowing us to capture encrypted outbound traffic (ssh)
– Logging via covert communication channels rather than remote syslog
– Snort-stable, enabling appropriate preprocessors and logging all traffic (not just TCP/UDP/ICMP)
Slide 16
Intrusion Deception—Honeynet Alliance: Research Alliance Honeynets
Freedom for organizations to create their own honeynets and participate in a virtual community.
– Standardized capture and logging formats
– Events can be forwarded to a common database
– Shared research and analysis
Research Alliance Honeynets exist within advertised environments alongside production systems.
– Hopefully attracting targeted and more sophisticated attacks.
Slide 17
Intrusion Deception—More Information
http://project.honeynet.org
– Whitepapers
– Forensic Challenge
– Scan of the Month
– Research Alliance
– Know Your Enemy book
kkuehl@cisco.com