
Apr-16-09 presentation name 1

Honeypots / honeynets

Agenda

Honeypots
Honeynets
Honeywall

Traffic

Problem:
Vast quantities of normal traffic
Find suspect bits

Honeypot

Machine without normal task
That is never mentioned

So:
Machine that gets no normal traffic
Every network packet is suspect

With:
Contained environment
IDS (snort) and logging

Where

Anywhere within net
No specific place
Built like production machine
Without function

Definition

A honeypot is a [sacrificial] security resource whose value lies in being probed, attacked or compromised.

Source: "Honeypots: Tracking Hackers", Lance Spitzner, 2002 (book)

History

1990: real systems
  Deploy unpatched systems in default config on unprotected network ('low-hanging fruit')
  Easy to deploy
  High-interaction, high-risk
  Nice reading: "Cuckoo's Egg" by Clifford Stoll

1998: service / OS emulation
  Deception Toolkit, Cyber Cop Sting, KFSensor, Specter
  Easy to deploy
  Low-interaction, low-risk

1999-current: virtual systems
  HoneyD, Honeywall, Qdetect, Symantec Decoy Server (!'03/'04)
  Less easy to deploy
  Mid / high-interaction, mid / high-risk

History of the Honeynet Project

1999: Lance Spitzner (Sun) founds Honeynet project
1999-2001, GenI: PoC, L3 + (modified IP-headers)
2001-2003, GenII: GenI + bridging (no TTL, harder to detect)
2003: Release of Eeyore Honeywall CD-ROM
2003-current, GenIII: GenII + blocking (Honeywall)
2005: Release of Roo Honeywall CD-ROM
future: 'GenIV' refers to next-gen analysis capabilities

Honeynet.org is home to the 'KYE papers'.

Take care!

Machine must look real
Outside traffic possible
Or clearly fake
Capture all traffic
Analyse
Special restrictions on outgoing traffic
Everything is allowed
Low bandwidth (tarpit)

Purpose

Research
  Attract blackhats
  Reveal blackhat tactics, techniques, tools (KYE)
  Reveal motives / intentions (?)
  Mostly universities, governments, ISPs

Protection
  Deter blackhats from real assets
  Provide early warning
  Mostly governments, large enterprises

Purpose may determine honeypot functionality and architecture

Definitions

Definition: A honeynet is a network of [high-interaction] honeypots.

Definition: A honeywall is a layer-2 bridge that is placed in-line between a network and a honeynet, or between a network and a honeypot, to uni- or bidirectionally capture, control and analyze attacks.

Definition: A honeytoken is a honeypot which is not a computer.

Functional requirements of a honeypot

Data control
Data capture
Data collection
Data analysis

Entrapment

Applies only to law enforcement
Useful only as defence in criminal prosecution
Still, most legal authorities consider honeypots non-entrapment

Responsibility for everything done from our net

Low vs. High interaction

Low interaction
  Burglar alarm
  Not to learn about new attacks
  Simple

High interaction
  Research
  Look at new things
  Anatomy of new exploit
  Invest resources (manpower)

Realness

Make things look real
Windows services
Windows exploits
But Solaris network stack

How to organise

Honeypot more than unpatched host
See what happens
Containment
Check logs
Limit outgoing traffic

Don't try this without thought!

Honeyd
http://www.honeyd.org

Framework
Config file
Scripts for emulated services
  • Internal (python interpreter in honeyd)
  • External (extern process)
  • Stdin+stdout = net, stderr = syslog

Acts using nmap fingerprints

honeyd

Honeyd

Run on a single ip address
  Several services on one address

Run as honeynet
  Several hosts on several addresses
  Attract traffic
    • Static route in router
    • Have honeyd arp on addresses
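To make the "external script" mechanism (stdin+stdout = net, stderr = syslog) and the several-hosts-on-several-addresses setup from the two Honeyd slides concrete, here is an added example that is not part of honeyd: a minimal fake SMTP service, with the matching honeyd.conf in its header comment. The template name, the script path and the 10.0.0.x addresses are assumptions.

```shell
#!/bin/sh
# fake_smtp.sh: an "external" honeyd service script (added example, not part of honeyd).
# honeyd starts one copy per connection and wires the TCP stream to stdin/stdout;
# stderr goes to syslog. A matching honeyd.conf (assumed paths and addresses):
#   create mailhost
#   set mailhost personality "Microsoft Windows XP Professional SP1"
#   set mailhost default tcp action reset
#   add mailhost tcp port 25 "sh /usr/local/share/honeyd/fake_smtp.sh $ipsrc $sport"
#   bind 10.0.0.25 mailhost
#   bind 10.0.0.26 mailhost          # several hosts on several addresses
# honeyd substitutes $ipsrc/$sport (the peer) into the command before running it.
PEER="${1:-unknown}:${2:-0}"

# Everything logged here reaches syslog through honeyd; never echo it to the client.
log() { printf 'fake_smtp[%s]: %s\n' "$PEER" "$*" >&2; }

# Speak just enough SMTP to make a probe or spam bot reveal its sender, recipients
# and message size, then let go. Accepts anything; the honeypot relays nothing.
fake_smtp() {
    printf '220 mail.example.org ESMTP ready\r\n'
    log "connect"
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        verb=$(printf '%s' "$line" | cut -c1-4 | tr 'a-z' 'A-Z')
        log "cmd: $line"
        case "$verb" in
            HELO|EHLO) printf '250 mail.example.org\r\n' ;;
            MAIL|RCPT) printf '250 OK\r\n' ;;
            DATA)
                printf '354 End data with <CR><LF>.<CR><LF>\r\n'
                n=0
                while IFS= read -r body; do
                    [ "$(printf '%s' "$body" | tr -d '\r')" = "." ] && break
                    n=$((n + 1))
                done
                log "message body: $n lines"
                printf '250 OK queued\r\n' ;;
            QUIT) printf '221 Bye\r\n'; log "disconnect"; return 0 ;;
            *)    printf '500 Command not recognized\r\n' ;;
        esac
    done
    log "disconnect (eof)"
}

# Run the service only when honeyd invokes this file directly.
case "${0##*/}" in fake_smtp.sh) fake_smtp ;; esac
```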

Containment

Honeywall
  Appliance
  Based on unix
  3 network interfaces
    • Management
    • Data (inside / outside bridge)

Sebek: spying on your intruder

Honeynet.org: "Sebek is a tool designed for data capture, it attempts to capture most of the attacker's activity on the honeypot, without the attacker knowing it (hopefully), then sends the recovered data to a central logging system."

Linux kernel module that hooks sys_read()
Covertly sends captured data to honeywall (UDP)
Recovers keystrokes, uploaded files, passwords, IRC chats, even if they are encrypted by SSH, IPSec or SSL.

Sebek

Honeynet Requirements

Data Control
Data Capture

http://old.honeynet.org/alliance/requirements.html

Gen II honeynet

No Data Control

Data Control

Honeynet Bridge

(Diagram) Internet; Eth0 - no IP; Eth1 - no IP; 129.252.140.3, 192.252.140.7; Eth2 - 129.252.xxx.yyy: administrative interface, SSH connections from trusted hosts

What is Data Control and Why?

Process used to control or contain traffic to a honeynet
Upstream liability – an attack from one of your honeypots
Snort-inline – South Florida Honeynet Project

Connection Limiting Mode

(Diagram) Enemy; Hub; Data Control: Snort-Inline, IPTables; IPTables: packet no. = 10 -> DROP

Snort-Inline Drop Mode

(Diagram) Enemy; Hub; Data Control: Snort-Inline; IPTables -> ip_queue -> Snort-Inline (Snort rules = Drop) -> IPTables: DROP

Snort-Inline Replace Mode

(Diagram) Enemy; Hub; Data Control: Snort-Inline; IPTables -> ip_queue -> Snort-Inline (Snort rules = Replace) -> IPTables; bin/sh -> ben/sh

GEN II Data Control

Gen II:
Incorporates a firewall and IDS in one system
Provides more stealthy data control
Can be implemented for layer 2 bridging or layer 3 NAT translation
Packets passed from internet to honeynet as layer 2 (datalink) layer packets
  • no TTL decrement
  • invisible

IPTables for GEN II Honeynet

IPTables is a free, stateful, Open Source firewall for Linux 2.4.x and 2.5.x kernels

Each packet header is compared to a set of "chains"
Chains contain rules: ACCEPT, DROP, REJECT, QUEUE
Custom chains: tcpHandler, udpHandler, icmpHandler
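As an added example, not the Honeynet Project's own rc.firewall, this script builds the GenII data-control ruleset the preceding slides describe: the tcpHandler/udpHandler/icmpHandler custom chains, the connection-limiting drop of outbound flows, and the optional hand-off to snort-inline through ip_queue. Interface names, the limits, and the trusted admin address are assumptions.

```shell
#!/bin/sh
# honeywall_rules: GenII-style data control for a bridging honeywall, using the
# tcpHandler/udpHandler/icmpHandler chains named on the slide. Added example,
# not the Honeynet Project's rc.firewall. Assumed layout: eth0 = outside (no IP),
# eth1 = inside/honeypots (no IP), eth2 = management; eth0 and eth1 are bridged
# and br_netfilter is loaded so bridged frames pass through the FORWARD chain.
INET_IFACE=${INET_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
MGMT_IFACE=${MGMT_IFACE:-eth2}
TRUSTED=${TRUSTED:-192.0.2.10}        # admin host allowed to SSH to the wall (placeholder)
SCALE=${SCALE:-hour}
TCP_LIMIT=${TCP_LIMIT:-10}            # outbound NEW flows per $SCALE before DROP
UDP_LIMIT=${UDP_LIMIT:-20}
ICMP_LIMIT=${ICMP_LIMIT:-50}
IPT=${IPT:-iptables}

honeywall_rules() {
    # Snort-inline mode: hand permitted flows to ip_queue (-j QUEUE) so snort can
    # drop or rewrite them (the "bin/sh -> ben/sh" replace rule); otherwise pass.
    pass=${SNORT_INLINE:+QUEUE}; pass=${pass:-ACCEPT}
    $IPT -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
    # Outside -> inside: bridge, no restrictions (we want the attacks to come in).
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -j ACCEPT
    # Inside -> outside: replies to existing flows pass; each NEW flow is counted.
    $IPT -A FORWARD -i "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for proto in tcp udp icmp; do
        case $proto in tcp) rate=$TCP_LIMIT ;; udp) rate=$UDP_LIMIT ;; *) rate=$ICMP_LIMIT ;; esac
        chain=${proto}Handler
        $IPT -N "$chain"
        # Connection limiting mode: the first $rate new flows per $SCALE go out ...
        $IPT -A "$chain" -m limit --limit "$rate/$SCALE" --limit-burst "$rate" -j "$pass"
        # ... the rest are logged and dropped, so a compromised honeypot cannot be
        # used against third parties (the upstream-liability problem).
        $IPT -A "$chain" -j LOG --log-prefix "honeywall $proto limit: "
        $IPT -A "$chain" -j DROP
        $IPT -A FORWARD -i "$LAN_IFACE" -p "$proto" -m state --state NEW -j "$chain"
    done
    # Any other protocol leaving the honeynet hits the FORWARD DROP policy.
    # Management interface: only SSH from the trusted host, never bridged.
    $IPT -A INPUT  -i "$MGMT_IFACE" -s "$TRUSTED" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$MGMT_IFACE" -d "$TRUSTED" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
}

# Dry run: IPT="echo iptables" sh -c '. ./honeywall.sh; honeywall_rules'
# Apply (as root): HONEYWALL_APPLY=1 sh honeywall.sh
if [ "${HONEYWALL_APPLY:-0}" = 1 ]; then honeywall_rules; fi
```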

Honeywall Bootable CD-ROM

Standard ISO distribution
GenII Data Capture/Data Control features
Sebek
Simple User Interface
Auto-configure from floppy

Customization features
"Template" customization (file system)
Run-time boot customization

Honeywall

Standard intel PC
3 ethernet cards
  Inside (honeypots)
  Outside (internet)
  Management

Outside -> inside: bridge, no restrictions
Inside -> outside: bridge, restrictions
Management: hidden from outside world

Honeywall - Roo
http://www.honeynet.org/tools/cdrom/

Malware catching

Nepenthes (http://nepenthes.carnivore.it)
Malware-collecting mid interaction honeypot
Emulates known vulnerabilities
Captures malware trying to exploit them
Modular architecture
First released in 2006

Nepenthes

Real world uses

Surfnet IDS
  Honeypot in sensor

Qnet
  Quarantine net sensor
  Contain misbehaving host

Louis mail relay
  Try again later…