SEMINAR REPORT ON HONEYPOT

TABLE OF CONTENTS

1. Abstract
2. Introduction
3. Types of Honeypot
   3.1 Production Honeypot
   3.2 Research Honeypot
4. Concepts
   4.1 Low-interaction (low-involvement) honeypots
   4.2 High-interaction (high-involvement) honeypots
5. Placement of Honeypot
6. Honeypot Detection
   6.1 Hardware/software-specific detection
   6.2 Detection based on a fundamental difference
7. Honeypot over Firewall
8. Honeypot Topologies
   8.1 Honeynet
   8.2 Virtual Honeypot
   8.3 Wireless Honeypot
9. Advantages
10. Disadvantages
11. Conclusion
12. Bibliography

ABSTRACT

With the help of a project of this kind, students get access to the information the security community has gathered on honeypots.

The purpose of this project is to help students understand how hackers are tracked.

Just by referring to a project of this kind, anyone can also learn how this applies to their own systems.

This report contains useful information about honeypots: resources for tracking hackers, whose value lies in being attacked or probed.

With the help of this report we can learn how honeypots detect or prevent attacks, and what they reveal about attack strategies.

All abbreviations and references are kept at the end of the document.

INTRODUCTION

Honeypots are an exciting new technology with enormous potential for the security community. The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book "The Cuckoo's Egg" and Bill Cheswick in his paper "An Evening with Berferd". Since then, honeypots have continued to evolve, developing into the powerful security tools they are today.

The definition of a honeypot used here comes from the Honeypot mailing list, a list of about 5000 security professionals working with honeypot technology.

"A Honeypot is a security resource whose value is in being probed, attacked or compromised."

A honeypot is a security resource... This security resource may come in different shapes and sizes. In fact, a Honeypot could just as simply be one of your old PCs, a script, or even a digital entity like some made-up patient records.

Whose value is in being probed, attacked or compromised... If anyone "touches" our Honeypot, then we know someone is creeping around in our network, because no person or resource should be communicating with it. Incoming traffic, or more dangerously outgoing traffic, would be considered unauthorized traffic.

A Honeypot is a security resource whose value is in its being probed, attacked or compromised. A Honeypot can come in different sizes. It can be one of your old PCs, a script like Honeyd, or an even more complicated setup like a Honeynet.

A Honeypot looks and acts like a production system but in reality is not one. Since it is not a production system, no one is supposed to use it, so it should have no valid traffic. So if we detect traffic, it is most likely malicious traffic.

Concrete definition: "A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised."

Honeypots are a resource that has no authorized activity; they do not have any production value. Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempt to a honeypot is most likely a probe, attack, or compromise. While this concept sounds very simple (and it is), it is this very simplicity that gives honeypots their tremendous advantages.

TYPES OF HONEYPOT

Honeypots can be classified based on their deployment and based on their level of involvement. Based on the deployment, honeypots may be classified as:

Production Honeypots

Research Honeypots

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization.

Research honeypots are run by volunteer, non-profit research organizations or educational institutions to gather information about the motives and tactics of the blackhat community targeting different networks. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

CONCEPTS

Level of Honeypot:

Low-Involvement Honeypot

High-Involvement Honeypot

Involvement defines the level of activity a honeypot allows an attacker.

Low-Involvement Honeypot

Easy to install and deploy. Usually requires simply installing and configuring software on a computer.

Minimal risk, as the emulated services control what attackers can and cannot do.

Captures limited amounts of information, mainly transactional data and some limited interaction.

Honeyd is a low-interaction honeypot. Developed by Niels Provos, Honeyd is open source and designed to run primarily on Unix systems (though it has been ported to Windows). Honeyd works on the concept of monitoring unused IP space. Any time it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP or TCP port. In addition, you can configure emulated services to monitor specific ports, such as an emulated FTP server monitoring TCP port 21. When an attacker connects to the emulated service, not only does the honeypot detect and log the activity, but it captures all of the attacker's interaction with the emulated service. In the case of the emulated FTP server, we can potentially capture the attacker's login and password, the commands they issue, and perhaps even learn what they are looking for or their identity.
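As an added illustration (not Honeyd's own code, and not part of the original report), the following Python emulates the FTP control channel the way a low-interaction honeypot does: it listens on an otherwise unused address and port (assumed 127.0.0.1:2121), rejects every login, and records the username, password and commands an attacker tries. The banner text is constructed.

```python
import socket
from datetime import datetime, timezone

BANNER = "220 FTP server ready.\r\n"  # constructed banner, not a real product string

class FtpEmulator:
    """State machine for one emulated FTP control channel: every login is
    rejected, and every credential and command is logged for the defender."""
    def __init__(self, peer):
        self.peer = peer    # "ip:port" of the remote side
        self.user = None    # username from the last USER command
        self.log = []       # (utc_timestamp, peer, event) records

    def _record(self, event):
        self.log.append((datetime.now(timezone.utc).isoformat(), self.peer, event))

    def banner(self):
        self._record("connect")
        return BANNER

    def handle(self, line):
        """Return the reply to one command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            self._record(f"USER {arg}")
            return "331 Please specify the password.\r\n"
        if verb == "PASS":  # the credential pair is the high-value capture
            self._record(f"PASS user={self.user!r} password={arg!r}")
            return "530 Login incorrect.\r\n"
        if verb == "QUIT":
            self._record("QUIT")
            return "221 Goodbye.\r\n"
        self._record(f"cmd {line.strip()!r}")
        return "530 Please login with USER and PASS.\r\n"

def session(conn, addr):
    """Drive one TCP connection through the emulator and return its log."""
    emu = FtpEmulator(f"{addr[0]}:{addr[1]}")
    with conn:
        conn.sendall(emu.banner().encode())
        buf, done = b"", False
        while not done and (data := conn.recv(1024)):
            buf += data
            while b"\n" in buf and not done:
                line, buf = buf.split(b"\n", 1)
                reply = emu.handle(line.decode("latin-1"))
                conn.sendall(reply.encode())
                done = reply.startswith("221")
    return emu.log

def serve(host="127.0.0.1", port=2121):   # assumed unused address and port
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()
    while True:
        for entry in session(*srv.accept()):   # in practice ship these to a SIEM
            print(*entry)
```

Run `serve()` and connect with any FTP client to see the captured login and commands printed; the host and port are the only values to adapt.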

High-Involvement Honeypot

Has a real underlying Operating System

Attacker has rights on the system

The attacker is in a jail or sandbox

Time-consuming to build/maintain

All actions can be recorded and analyzed

High-interaction honeypots are different: they are usually complex solutions, as they involve real operating systems and applications. Nothing is emulated; we give attackers the real thing.

If you want a Linux honeypot running an FTP server, you build a real Linux system running a real FTP server. The advantages of such a solution are twofold. First, you can capture extensive amounts of information. By giving attackers real systems to interact with, you can learn the full extent of their behavior, everything from new rootkits to international IRC sessions.

The second advantage is high-interaction honeypots make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior we would not expect.

An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol.

PLACEMENT OF HONEYPOT

There are various ways to place a honeypot:

In front of the firewall(Internet)

DMZ(demilitarized zone)

A DMZ adds an additional layer of security to an organization's local area network (LAN).

In computer security, a DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.

Information technology professionals normally refer to it as a DMZ; it is sometimes called a perimeter network. The purpose of a DMZ is to add an additional layer of security to the LAN: an external attacker only has access to equipment in the DMZ, rather than to any other part of the network.

Behind the firewall

A Honeywall is also placed there to control the flow of data. Without a Honeywall there is no restriction on the data flow.

HONEYPOT DETECTION

Hardware/software-specific honeypot detection:

Detect a virtual environment via specific code, e.g., response timing or memory addresses.

Detect a faulty honeypot program.

Case-by-case detection.

Detection based on a fundamental difference:

Honeypot defenders are liable for attacks sent out from their honeypots.

Liability law will become mature; it is a moral issue as well.

Real attackers bear no such liability, so a bot can check whether it is able to send out malicious traffic or not.

Two-stage reconnaissance to detect a honeypot:

Fully distributed: no central sensor is used; it could be fooled by a double honeypot; a counterattack is presented in the paper these notes are drawn from.

Lightweight spearhead code: infection plus honeypot detection; speeds up UDP-based infection.

HONEYPOT OVER FIREWALL

First, a firewall cannot prevent attacks that do not pass through it. Data that bypasses the firewall cannot be checked by it.

Second, a firewall does not protect the internal network from attacks and security problems that originate inside it. Firewalls can be designed to guard against both external and internal traffic, trusting no one, but most organizations do not require an internal firewall because of the inconvenience.

Third, a firewall cannot prevent security threats caused by improper configuration or policy errors. A firewall is a passive policy-enforcement device, like a guard: it implements security according to its policies and regulations and is not given a free hand.

Fourth, a firewall cannot prevent human or natural damage. A firewall is a security device, but the firewall itself must be kept in a safe place.

Fifth, a firewall cannot prevent attacks that exploit defects in standard network protocols. Once the firewall allows a standard network protocol, it cannot prevent attacks that exploit that protocol's defects.

Sixth, a firewall cannot prevent attacks that exploit vulnerabilities in server systems. If an attacker reaches a vulnerable server through a port the firewall allows, the firewall cannot prevent the attack.

Seventh, a firewall cannot prevent the transfer of virus-infected files. The firewall itself has no virus-killing function, and even with integrated third-party anti-virus software, no single product detects every virus.

Eighth, a firewall cannot prevent data-driven attacks. When seemingly innocuous mail or copied data is executed on a host in the internal network, a data-driven attack may occur.

Ninth, a firewall cannot prevent internal leaks of secrets. Against a legitimate user inside the firewall who actively leaks data, the firewall is powerless.

One of the advantages of honeypot systems is that they greatly reduce the data to be analyzed. On a typical website or mail server, attack traffic is usually swamped by legitimate traffic.

HONEYPOT TOPOLOGIES

The honeypot topologies covered here are:

Honeynet

Virtual Honeypot

Wireless Honeypot

Honeynet:

Two or more honeypots on a network form a honeynet.

"A honeynet is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discretely regulated."

Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion-detection systems.

A honeyfarm is a centralized collection of honeypots and analysis tools.

Honeynets are digital network bait, and through deception, they are designed to actually attract intruders.

Honeypots one, two and three together make up a honeynet.

Honeynets are a prime example of a high-interaction honeypot. Honeynets are not a product; they are not a software solution that you install on a computer.

Instead, Honeynets are an architecture, an entire network of computers designed to be attacked.

The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications.

The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. All of their activity, from encrypted SSH sessions to emails and file uploads, is captured without them knowing it.

This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. At the same time, the Honeynet controls the attacker's activity.

Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies.

This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other, non-Honeynet computers.
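As an added model (not the Honeynet Project's Honeywall software, and not part of the original report), the following Python applies the gateway policy just described to a list of flow records: inbound connections to the honeypots are allowed and captured, while outbound connections are counted per honeypot and protocol and dropped once an assumed hourly budget is exhausted. The honeypot addresses, the budgets and the sample flows are constructed for the example.

```python
from collections import defaultdict

HONEYPOTS = {"10.0.0.50", "10.0.0.51"}                 # assumed honeypot addresses
OUTBOUND_PER_HOUR = {"tcp": 15, "udp": 20, "icmp": 50}  # assumed outbound budgets
WINDOW = 3600                                           # seconds in the budget window


def honeywall(flows, honeypots=HONEYPOTS, limits=OUTBOUND_PER_HOUR):
    """Classify flows given as (ts_seconds, src, dst, proto) in time order.
    Returns a list of (verdict, reason) aligned with the input flows."""
    recent = defaultdict(list)   # (honeypot, proto) -> times of allowed outbound flows
    verdicts = []
    for ts, src, dst, proto in flows:
        src_hp, dst_hp = src in honeypots, dst in honeypots
        if dst_hp and not src_hp:
            # Inbound: let the attacker in; the honeypot captures everything.
            verdicts.append(("allow", "inbound to honeypot, captured"))
        elif src_hp and not dst_hp:
            # Outbound: a honeypot should never initiate traffic, so every
            # such flow is an alert, and only a small budget is let through.
            key = (src, proto)
            recent[key] = [t for t in recent[key] if ts - t < WINDOW]
            budget = limits.get(proto, 0)   # unknown protocols get no budget
            if len(recent[key]) < budget:
                recent[key].append(ts)
                verdicts.append(("allow", f"outbound {len(recent[key])}/{budget} this hour, alert"))
            else:
                verdicts.append(("drop", "outbound budget exhausted, contain the honeypot"))
        elif src_hp and dst_hp:
            verdicts.append(("allow", "honeypot to honeypot, stays inside the honeynet"))
        else:
            verdicts.append(("ignore", "not honeynet traffic"))
    return verdicts


def summarize(flows, **kw):
    """Count verdicts per class, the first figure an analyst would look at."""
    counts = defaultdict(int)
    for verdict, _ in honeywall(flows, **kw):
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample: one scanner probe comes in, then the (now compromised)
    # honeypot tries to reach a remote host once a minute, worm style.
    sample = [(0, "203.0.113.9", "10.0.0.50", "tcp")]
    sample += [(60 * i, "10.0.0.50", "198.51.100.7", "tcp") for i in range(1, 20)]
    for flow, (verdict, reason) in zip(sample, honeywall(sample)):
        print(verdict, flow, reason)
    print(summarize(sample))   # {'allow': 16, 'drop': 4}
```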

Types of Honeynet:

High-interaction honeynet: a distributed network composed of many honeypots.

Low-interaction honeynet: a virtual network emulated on one physical machine. Example: Honeyd.

Value of Honeynet:

Defends the organization and lets it react.

Provides an organization with information on its own risk.

Tests your abilities.

Determines which systems have been compromised within the production network.

Reveals risks and vulnerabilities.

Especially valuable for research.

Virtual Honeypot:

A virtual honeypot uses application software to create a new, separate operating system environment.

The virtual host actually uses or shares that same hardware as the physical OS does.

Instead of using different hardware for each host, many different virtual servers may be contained on one piece of hardware.

Virtual machines allow different operating systems to run at the same time on the same machine.

Honeypots are guests on top of another OS.

We can implement a guest OS on a host OS in two ways: on a raw disk (an actual disk partition) or on a virtual disk.

Value of virtual Honeypot:

We can peek into the guest operating system at any time.

Reinstallation of a contaminated guest is also easy.

And it is the cheaper way.

Wireless Honeypot:

Wireless technologies are more and more available: in corporate networks, in home networks and in hot spots.

New technologies such as VoIP/WLAN, UMA (Unlicensed Mobile Access)… are new ways to circumvent your security policies.

It seems that a wireless honeypot could help us in evaluating these new risks.

Today, most corporate wireless access is still based on IPsec tunneling, which implies that the Wi-Fi networks themselves are running in "open" mode.

Two options for a « Wireless Honeypot »:

A classic option is a wired honeypot near your IPsec gateway!

Another option is a fully featured virtual network emulated reachable from an open wireless access point.

With the help of a wireless honeypot we gain knowledge of new technologies and tools, the Wi-Fi hacker toolbox.

Examples of Honeypot: Google Honeypot


Proxy Honeypot:

It is used in a distributed environment.

ADVANTAGES

Honeypots are a tremendously simple concept, which gives them some very powerful strengths.

Small data sets of high value: Honeypots collect small amounts of information. Instead of logging one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honeypots only capture bad activity; any interaction with a honeypot is most likely unauthorized or malicious activity. As such, honeypots reduce 'noise' by collecting only small data sets, but information of high value, as it comes only from the bad guys. This means it is much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.

New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.

Minimal resources: Honeypots require minimal resources, they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.

Encryption or IPv6: Unlike most security technologies (such as IDS systems) honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot, the honeypot will detect and capture it.

Information: Honeypots can collect in-depth information that few, if any other technologies can match.

Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.

Protection: A honeypot can help protect an organization, including in its response to attacks.

Attack prevention: One way that honeypots can help defend against scanning attacks is by slowing the scanning down, potentially even stopping it. Called sticky honeypots, these solutions monitor unused IP space. When probed by such scanning activity, these honeypots interact with and slow the attacker down. They do this using a variety of TCP tricks, such as a window size of zero, putting the attacker into a holding pattern. This is excellent for slowing down or preventing the spread of a worm that has penetrated your internal PCs.

DISADVANTAGES

Like any technology, honeypots also have their weaknesses. It is because of this they do not replace any current technology, but work with existing technologies.

Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems, unless the attacker or threat interacts with the honeypots also.

Risk:All security technologies have risk. Firewalls have risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks.

Honeypots are no different; they have risk also. Specifically, honeypots have the risk of being taken over by the bad guy and being used to harm other systems. This risk varies for different honeypots. Depending on the type of honeypot, it can have no more risk than an IDS sensor, while some honeypots have a great deal of risk.

CONCLUSION

The purpose of this topic was to define what honeypots are and their value to the security community. We identified two different types of honeypots, low-interaction and high-interaction honeypots.

Interaction defines how much activity a honeypot allows an attacker. The value of these solutions is both for production or research purposes.

Honeypots can be used for production purposes by preventing, detecting, or responding to attacks. Honeypots can also be used for research, gathering information on threats so we can better understand and defend against them.

BIBLIOGRAPHY

Books:

Know Your Enemy: Honeynets

"Honeypots: Definitions and Value of Honeypots"

Reto Baumann and Christian Plattner, "White Paper: Honeypots", 2002

Websites:

www.honynet.org

www.tracking-hackers.com

www.honeypots.net

www.honeyd.org
