Honeypots: Overview


  • 1. Honeypots. Bernardo Maia Rodrigues, bmr@csirt.pop-mg.rnp.br, CSIRT PoP-MG (Computer Security Incident Response Team, RNP Point of Presence in Minas Gerais)
  • 2. Introduction. A honeypot is a security computing resource whose purpose is to be probed, attacked or compromised.
  • 3. Applications: detect internal attacks; identify scans and automated attacks; identify trends; keep attackers away from important systems; collect attack signatures and malicious code (malware); detect compromised machines.
  • 4. Low vs. High Interaction
  • 5. Environments for Honeypots: OpenBSD, FreeBSD, Linux, Windows ???
  • 6. Survival Time: Windows. "The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe. The average time between probes will vary widely from network to network. Some of our submitters subscribe to ISPs which block ports commonly used by worms. As a result, these submitters report a much longer 'survival time'. On the other hand, University Networks and users of high speed internet services are frequently targeted with additional scans from malware like bots. If you are connected to such a network, your 'survival time' will be much smaller." http://isc.sans.org/survivaltime.html
  • 7. Survival Time: Windows
  • 8. Choosing the Environment
  • 9. Virtual Machine
  • 10. Virtual Machine
  • 11. Detecting Virtual Machines. Joanna Rutkowska's "Red Pill": the SIDT instruction can be executed from user mode and reveals where the IDT lives; early software VMMs relocated the guest IDT to a high address, which the check below uses as its tell-tale.

    /* VMM detector, based on SIDT trick written by joanna at invisiblethings.org
     * should compile and run on any Intel based OS
     * http://invisiblethings.org */
    #include <stdio.h>

    int main () {
      /* rpill holds machine code: SIDT [imm32] (0F 01 0D imm32) followed by RET (C3).
       * SIDT stores the 6-byte IDTR (2-byte limit, 4-byte base) at the address
       * patched into the instruction, i.e. into m[]. */
      unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
      *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch the operand; assumes 32-bit pointers */
      ((void(*)())&rpill)();                   /* jump into the byte array: needs an executable stack */
      printf ("idt base: %#x\n", *((unsigned*)&m[2]));
      /* Heuristic: VMware/VirtualPC of that era placed the guest IDT above 0xd0000000. */
      if (m[5]>0xd0) printf ("Inside Matrix!\n");
      else printf ("Not in Matrix.\n");
      return 0;
    }

    Caveats: the code is 32-bit only (pointer cast to unsigned, 4-byte base) and has to be built with an executable stack (e.g. gcc -m32 -z execstack) because it runs data as code. The heuristic itself is unreliable on multi-processor hosts, where each CPU has its own IDT base, and on hypervisors that use hardware virtualization (Intel VT-x / AMD-V), which leave the guest's IDT where the guest installed it.
  • 12. Honeyd, http://www.honeyd.org. Low interaction. A daemon that builds virtual networks; configurable through scripts to simulate applications of any operating system. Written by Niels Provos (Google engineer, OpenSSH and OpenBSD contributor).
  • 13. Honeyd Configuration. Two templates: "brutessh" answers only on tcp/22 and proxies that port to a real SSH honeypot listening on 10.0.0.1:9999 (everything else is reset); "windows" emulates an IIS 5 web server through a Perl script. The address the templates are bound to is masked on the slide.

    $> cat /var/honeyd/conf/honeyd.conf
    annotate "Linux kernel 2.2.13 (SuSE; X86)" fragment old
    create brutessh
    set brutessh personality "Linux kernel 2.2.13 (SuSE; X86)"
    set brutessh default tcp action reset
    set brutessh default udp action reset
    set brutessh default icmp action reset
    add brutessh tcp port 22 proxy 10.0.0.1:9999
    bind *.*.*.* brutessh
    create windows
    set windows personality "Microsoft Windows XP Professional SP1"
    set windows uptime 437849843
    add windows tcp port 80 "scripts/iis5.net/main.pl"
    bind *.*.*.* windows
  • 14. Honeyd Scripts. A service script is any executable; Honeyd attaches the attacker's TCP connection to the script's stdin and stdout. The slide shows a trivial echo service on tcp/23, the configuration that wires it in, a telnet session against it and the resulting log entry (the two columns of the slide are separated here).

    $> cat /var/honeyd/scripts/hello.sh
    #!/usr/local/bin/bash
    echo "Hello world!"
    while read data
    do
      echo "$data"
    done

    $> cat /var/honeyd/conf/honeyd.conf
    create test
    add test tcp port 23 "/var/honeyd/scripts/hello.sh"
    bind 10.0.0.1 test

    $> telnet 10.0.0.1 23
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escape character is '^]'.
    Hello world!

    $> tail /var/honeyd/log/honeyd.log
    2008-08-28-09:48:16.3539 tcp(6) S *.*.*.* 59255 10.0.0.1 23 [Linux 2.6 ]
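A service script that is slightly more useful than hello.sh, added here as an example (it is not from the slides or from the Honeyd project): a fake telnet login that never succeeds but records every credential the attacker types together with the peer address. Python is used because Honeyd accepts any executable as a service script. The log path, banner text and attempt limit are assumptions, and so is the use of the HONEYD_IP_SRC / HONEYD_SRC_PORT environment variables, which I take from the honeyd(8) manual; check them against the version you run.

```python
#!/usr/bin/env python3
"""Fake telnet login service for Honeyd (added example, not Honeyd's own code).

Honeyd runs the script with stdin/stdout attached to the attacker's TCP
connection and (assumed from honeyd(8)) exports the peer address as
HONEYD_IP_SRC / HONEYD_SRC_PORT. Every login attempt is appended to LOGFILE
as one tab-separated line so a parser can consume it later.
"""
import os
import sys
import time

LOGFILE = "/var/honeyd/log/fake-telnet.log"            # assumed path
BANNER = "\r\nSuSE Linux 2.2.13 (tty1)\r\n\r\n"        # hypothetical banner
MAX_ATTEMPTS = 3                                       # real telnetd drops you after a few tries


def run_session(inp, out, log, peer, now=time.time):
    """Drive one telnet-style session.

    inp/out are text streams (the attacker's connection), log is a writable
    stream, peer is an "ip:port" string. Returns the list of (user, password)
    pairs attempted, which is also what gets logged.
    """
    attempts = []
    out.write(BANNER)
    for _ in range(MAX_ATTEMPTS):
        out.write("login: ")
        out.flush()
        user = inp.readline()
        if not user:                       # peer closed the connection
            break
        user = user.rstrip("\r\n")
        out.write("Password: ")
        out.flush()
        password = inp.readline()
        if not password:
            break
        password = password.rstrip("\r\n")
        attempts.append((user, password))
        ts = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now()))
        # Tab-separated: guessed credentials may contain spaces or colons.
        log.write(f"{ts}\t{peer}\t{user}\t{password}\n")
        log.flush()
        # A low-interaction honeypot only collects; nobody ever gets a shell.
        out.write("\r\nLogin incorrect\r\n")
    return attempts


if __name__ == "__main__" and os.environ.get("HONEYD_IP_SRC"):
    # Only run the session when Honeyd invoked us (it sets HONEYD_IP_SRC).
    peer = f"{os.environ['HONEYD_IP_SRC']}:{os.environ.get('HONEYD_SRC_PORT', '?')}"
    # A real telnet client sends IAC option-negotiation bytes first; do not
    # let undecodable bytes kill the session.
    sys.stdin.reconfigure(errors="replace")
    with open(LOGFILE, "a") as logf:
        run_session(sys.stdin, sys.stdout, logf, peer)
```

Wire it in exactly like hello.sh (`add test tcp port 23 "/var/honeyd/scripts/fake-telnet.py"`). The script does not answer telnet option negotiation, so the first line a real client sends may carry a few IAC bytes in front of the username; strip them if that matters for your analysis.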
  • 15. Honeyd Log Analysis. Each line is: timestamp, protocol, event (S = connection start, E = end, - = packet outside a connection), source address and port, destination address and port, then packet length and TCP flags, and finally Honeyd's passive OS guess for the sender when it has one. The honeypot's own address is masked as *.*.*.* on the slide.

    $> cat /var/honeyd/log/honeyd.log
    2008-08-28-00:39:00.0156 tcp(6) - 189.34.72.204 39367 *.*.*.* 22: 60 S [Linux 2.6 ]
    2008-08-28-02:03:34.8542 tcp(6) - 124.64.123.69 64161 *.*.*.* 8080: 48 S [Windows XP SP1]
    2008-08-28-02:17:44.3695 tcp(6) - 118.161.232.185 53063 *.*.*.* 3124: 48 S [Windows XP SP1]
    2008-08-28-02:39:21.3643 tcp(6) - 201.160.39.176 4628 *.*.*.* 4899: 48 S [Windows XP SP1]
    2008-08-28-03:15:22.0131 tcp(6) - 58.215.93.7 6000 *.*.*.* 2967: 40 S
    2008-08-28-04:13:58.0860 icmp(1) - 222.124.175.222 *.*.*.*: 8(0): 61
    2008-08-28-04:41:32.8131 tcp(6) - 148.204.175.200 35480 *.*.*.* 22: 60 S [Linux 2.6 ]
    2008-08-28-04:55:34.4515 icmp(1) - 12.210.84.232 *.*.*.*: 8(0): 61
    2008-08-28-05:09:05.3692 tcp(6) - 200.249.132.68 3353 *.*.*.* 135: 48 S [Windows XP SP1]
    2008-08-28-06:39:50.9295 tcp(6) - 200.249.132.68 1300 *.*.*.* 135: 48 S [Windows XP SP1]
    2008-08-28-07:16:31.3405 tcp(6) - 81.88.245.118 3559 *.*.*.* 445: 48 S [Windows XP SP1]
    2008-08-28-07:36:45.1329 tcp(6) - 125.230.79.108 4512 *.*.*.* 25: 52 S [Windows 2000 RFC1323]
    2008-08-28-07:45:31.4038 tcp(6) - 201.3.202.102 34215 *.*.*.* 22: 60 S [Linux 2.6 ]
    2008-08-28-08:36:44.6540 tcp(6) - 84.60.254.245 4126 *.*.*.* 8080: 48 S [Windows 98 ]
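The slide shows the raw log; what an analyst actually wants from it is "which ports are being hunted, from which kind of hosts, and who keeps coming back". The parser below is an added example (not Honeyd's own tooling, and not from the slides) that reads honeyd.log lines of the two shapes above (TCP/UDP and ICMP) and produces exactly that summary. The sample input is copied from the slide; the field layout is inferred from those lines and the tail after the colon is kept raw rather than interpreted, since only the "-" lines are shown.

```python
import re
from collections import Counter

# Lines copied from the honeyd.log excerpt on the slide (honeypot address
# masked as *.*.*.*), plus the connection-start line from the telnet test.
SAMPLE_LOG = """\
2008-08-28-00:39:00.0156 tcp(6) - 189.34.72.204 39367 *.*.*.* 22: 60 S [Linux 2.6 ]
2008-08-28-02:03:34.8542 tcp(6) - 124.64.123.69 64161 *.*.*.* 8080: 48 S [Windows XP SP1]
2008-08-28-03:15:22.0131 tcp(6) - 58.215.93.7 6000 *.*.*.* 2967: 40 S
2008-08-28-04:13:58.0860 icmp(1) - 222.124.175.222 *.*.*.*: 8(0): 61
2008-08-28-05:09:05.3692 tcp(6) - 200.249.132.68 3353 *.*.*.* 135: 48 S [Windows XP SP1]
2008-08-28-06:39:50.9295 tcp(6) - 200.249.132.68 1300 *.*.*.* 135: 48 S [Windows XP SP1]
2008-08-28-07:16:31.3405 tcp(6) - 81.88.245.118 3559 *.*.*.* 445: 48 S [Windows XP SP1]
2008-08-28-09:48:16.3539 tcp(6) S *.*.*.* 59255 10.0.0.1 23 [Linux 2.6 ]
"""

# "<ts> tcp(6) <S|E|-> <src> <sport> <dst> <dport>[: <tail>] [<os guess>]"
IP_RE = re.compile(r"""
    ^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\(\d+\)\s+(?P<event>[SE-])\s+
    (?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)
    (?::(?P<tail>[^\[]*?))?            # on '-' lines: ": <packet len> <tcp flags>"
    \s*(?:\[(?P<os>[^\]]*)\])?\s*$     # passive OS fingerprint, when present
""", re.VERBOSE)
# "<ts> icmp(1) - <src> <dst>: <type>(<code>): <len>"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+icmp\(1\)\s+(?P<event>[SE-])\s+(?P<src>\S+)\s+(?P<dst>\S+):\s+"
    r"(?P<type>\d+)\((?P<code>\d+)\):\s+(?P<size>\d+)\s*$")


def parse_line(line):
    """Return a dict for one honeyd.log line, or None if it does not parse."""
    m = IP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        tail = (rec.pop("tail") or "").split()
        rec["size"] = int(tail[0]) if tail and tail[0].isdigit() else None
        rec["flags"] = tail[1] if len(tail) > 1 else None
        rec["os"] = (rec["os"] or "").strip() or None
        return rec
    m = ICMP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["proto"] = "icmp"
        rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
        return rec
    return None


def summarize(text, repeat_threshold=2):
    """Count targeted ports, the scanners' claimed OS, and sources that
    returned at least repeat_threshold times (the masked honeypot address
    is never reported as a source)."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    by_port = Counter(f"{r['proto']}/{r['dport']}" for r in recs if r["proto"] != "icmp")
    by_os = Counter(r["os"] for r in recs if r.get("os"))
    by_src = Counter(r["src"] for r in recs)
    repeats = sorted(s for s, n in by_src.items()
                     if n >= repeat_threshold and s != "*.*.*.*")
    return {"records": len(recs), "by_port": by_port, "by_os": by_os,
            "repeat_sources": repeats}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['records']} records")
    for port, n in s["by_port"].most_common():
        print(f"  {port:<10} {n}")
    print("repeat sources:", ", ".join(s["repeat_sources"]))
```

On the slide's data the interesting output is the pair of hits on tcp/135 from 200.249.132.68 ninety minutes apart: the same host shows up again in the Nepenthes download log later in the deck, which is the kind of cross-reference a honeypot log is for.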
  • 16. Honeyd Log Analysis. The log of the SSH honeypot behind the brutessh proxy: one connection per guess, all from the same source, one username, a short wordlist (the lines appear in the order shown on the slide).

    $> cat /var/honeyd/log/brutessh.log
    Fri Jun 13 16:12:41 2008: Authentication attempt (SSHv2) ! User: sandro Password: maconha
    Fri Jun 13 16:12:41 2008: Connection from 200.168.71.203 port 18282
    Fri Jun 13 16:12:42 2008: Authentication attempt (SSHv2) ! User: sandro Password: cannabis
    Fri Jun 13 16:12:42 2008: Connection from 200.168.71.203 port 18313
    Fri Jun 13 16:12:32 2008: Authentication attempt (SSHv2) ! User: sandro Password: vasco
    Fri Jun 13 16:12:32 2008: Connection from 200.168.71.203 port 17956
    Fri Jun 13 16:12:32 2008: Authentication attempt (SSHv2) ! User: sandro Password: flamengo
    Fri Jun 13 16:12:36 2008: Connection from 200.168.71.203 port 18086
    Fri Jun 13 16:12:36 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro
    Fri Jun 13 16:12:37 2008: Connection from 200.168.71.203 port 18114
    Fri Jun 13 16:12:37 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro1
    Fri Jun 13 16:12:38 2008: Connection from 200.168.71.203 port 18141
    Fri Jun 13 16:12:38 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro12
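The brutessh log interleaves two kinds of lines and, as shown on the slide, is not in time order. The added example below (mine, not part of the slides or of any honeypot tool) pairs each "Authentication attempt" with the "Connection from" line that precedes it, sorts by timestamp, and then applies the usual brute-force test: at least N guesses from one source inside a sliding window. The sample log reuses lines from the slide, re-ordered by time, plus one constructed single-guess source so the threshold has something to reject.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines taken from the brutessh.log excerpt on the slide, put in time order;
# the last two lines (10.9.8.7) are constructed to give a non-brute-force source.
SAMPLE_LOG = """\
Fri Jun 13 16:12:32 2008: Connection from 200.168.71.203 port 17956
Fri Jun 13 16:12:32 2008: Authentication attempt (SSHv2) ! User: sandro Password: flamengo
Fri Jun 13 16:12:36 2008: Connection from 200.168.71.203 port 18086
Fri Jun 13 16:12:36 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro
Fri Jun 13 16:12:37 2008: Connection from 200.168.71.203 port 18114
Fri Jun 13 16:12:37 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro1
Fri Jun 13 16:12:38 2008: Connection from 200.168.71.203 port 18141
Fri Jun 13 16:12:38 2008: Authentication attempt (SSHv2) ! User: sandro Password: sandro12
Fri Jun 13 16:12:41 2008: Connection from 200.168.71.203 port 18282
Fri Jun 13 16:12:42 2008: Authentication attempt (SSHv2) ! User: sandro Password: cannabis
Fri Jun 13 16:20:00 2008: Connection from 10.9.8.7 port 5000
Fri Jun 13 16:20:00 2008: Authentication attempt (SSHv2) ! User: root Password: root
"""

CONN_RE = re.compile(r"^(?P<ts>.+?): Connection from (?P<ip>\S+) port (?P<port>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>.+?): Authentication attempt \((?P<ver>SSHv\d)\) ! "
                     r"User: (?P<user>\S*) Password: (?P<pw>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse(text):
    """Return [(time, src_ip, user, password)] sorted by time. Each attempt is
    attributed to the most recent 'Connection from' line, which is how the
    honeypot writes them (connection first, then the guess made over it)."""
    events, last_src = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            last_src = m.group("ip")
            continue
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), TS_FMT)
            events.append((ts, last_src or "unknown", m.group("user"), m.group("pw")))
    events.sort(key=lambda e: e[0])
    return events


def brute_force_sources(events, min_attempts=5, window_seconds=60):
    """Sources with at least min_attempts guesses inside some window of
    window_seconds. Returns {src: summary}."""
    per_src = defaultdict(list)
    for ts, src, user, pw in events:
        per_src[src].append((ts, user, pw))
    hits = {}
    for src, tries in per_src.items():
        tries.sort()
        peak, j = 0, 0
        for i in range(len(tries)):              # sliding window over sorted times
            while (tries[i][0] - tries[j][0]).total_seconds() > window_seconds:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= min_attempts:
            hits[src] = {
                "attempts": len(tries),
                "peak_in_window": peak,
                "users": sorted({u for _, u, _ in tries}),
                "passwords": [p for _, _, p in tries],   # the attacker's wordlist, in order
                "first": tries[0][0],
                "last": tries[-1][0],
            }
    return hits


if __name__ == "__main__":
    for src, info in brute_force_sources(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['attempts']} guesses, users={info['users']}, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
        print("  wordlist:", ", ".join(info["passwords"]))
```

The wordlist itself is often the most useful artifact: it tells you which usernames the attacker believes exist on your network (here an account name, not root), and it can be diffed against your own password policy.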
  • 17. Nepenthes, http://nepenthes.mwcollect.org/. Low interaction. Emulates known vulnerabilities to collect information about attacks; captures the binaries and the commands that worms execute. Mwcollect.org: a collection of malware and malicious artifacts.
  • 18. Nepenthes Modules
  • 19. Nepenthes Log Analysis. logged_downloads records, per exploit attempt, the source, the honeypot address (masked) and the URL the injected shellcode told the victim to fetch the payload from. tftp:// and ftp:// are ordinary URLs; creceive:// and link:// are Nepenthes' own notation for connect-back transfers driven by the shellcode. The last line is truncated on the slide.

    $> cat /var/nepenthes/log/logged_downloads
    [2008-08-27T04:24:58] 213.23.2.114 -> *.*.*.* tftp://192.168.168.199/mslaugh.exe
    [2008-08-27T12:16:57] 88.156.57.191 -> *.*.*.* creceive://88.156.57.191:9988/0
    [2008-08-27T13:02:57] 65.207.42.75 -> *.*.*.* tftp://129.12.19.71/msblast.exe
    [2008-08-27T13:37:58] 83.92.20.178 -> *.*.*.* creceive://83.92.20.178:9988/0
    [2008-08-27T14:10:51] 200.249.132.68 -> *.*.*.* link://200.249.132.68:42087/qFsh+A==
    [2008-08-27T17:43:10] 200.249.132.68 -> *.*.*.* link://200.249.132.68:42087/qFsh+A==
    [2008-08-27T18:03:06] 70.126.5.31 -> *.*.*.* creceive://70.126.5.31:9988/0
    [2008-08-27T18:27:01] 170.51.137.180 -> *.*.*.* ftp://1:1@170.51.137.180:20864/directxx.exe
    [2008-08-27T20:31:50] 200.13.254.183 -> *.*.*.* link://200.13.254.183:58382/eOkm/A==
    [2008-08-27T21:37:29] 200.249.132.68 -> *.*.*.* link:
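Not every line in that log leads to a sample. The first entry points at 192.168.168.199, a private address: the worm embedded its own NAT-internal address in the shellcode, so the fetch can never succeed from the honeypot's side of the NAT. Other entries name a third host (msblast.exe from 129.12.19.71, sent by 65.207.42.75), carry FTP credentials, or are cut off. The triage below is an added example (mine, not from Nepenthes or the slides) that parses the log with the standard library and tags each entry accordingly; the sample input is copied from the slide, including the truncated last line, which the parser must tolerate.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Copied from the logged_downloads excerpt on the slide (honeypot address masked).
SAMPLE_LOG = """\
[2008-08-27T04:24:58] 213.23.2.114 -> *.*.*.* tftp://192.168.168.199/mslaugh.exe
[2008-08-27T12:16:57] 88.156.57.191 -> *.*.*.* creceive://88.156.57.191:9988/0
[2008-08-27T13:02:57] 65.207.42.75 -> *.*.*.* tftp://129.12.19.71/msblast.exe
[2008-08-27T14:10:51] 200.249.132.68 -> *.*.*.* link://200.249.132.68:42087/qFsh+A==
[2008-08-27T18:27:01] 170.51.137.180 -> *.*.*.* ftp://1:1@170.51.137.180:20864/directxx.exe
[2008-08-27T21:37:29] 200.249.132.68 -> *.*.*.* link:
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<url>\S+)\s*$")
FILE_SCHEMES = ("tftp", "ftp", "http", "https")   # schemes whose path names a real file


def parse_line(line):
    """Split one logged_downloads line and decompose its URL; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    u = urlsplit(rec["url"])          # works for the pseudo-schemes too: they use "//"
    rec["scheme"] = u.scheme
    rec["host"] = u.hostname          # None when the URL is truncated or has no host
    try:
        rec["port"] = u.port
    except ValueError:                # non-numeric port in netloc
        rec["port"] = None
    rec["username"], rec["password"] = u.username, u.password
    rec["filename"] = u.path.rsplit("/", 1)[-1] if u.scheme in FILE_SCHEMES else None
    return rec


def triage(text):
    """Tag each record with why it may or may not yield a sample."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    notes = []
    for r in recs:
        flags = []
        if not r["host"]:
            flags.append("malformed-url")
        else:
            private = False
            try:
                private = ipaddress.ip_address(r["host"]).is_private
            except ValueError:
                pass                  # a hostname rather than a literal address
            if private:
                flags.append("private-host")       # attacker's NAT-internal address leaked; unreachable
            elif r["host"] != r["src"]:
                flags.append("third-party-host")   # payload staged somewhere other than the attacker
        if r["username"] is not None:
            flags.append("embedded-credentials")
        notes.append((r["src"], r["url"], flags))
    return {
        "by_scheme": Counter(r["scheme"] for r in recs),
        "by_filename": Counter(r["filename"] for r in recs if r["filename"]),
        "notes": notes,
    }


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print("schemes:", dict(t["by_scheme"]))
    print("files:  ", dict(t["by_filename"]))
    for src, url, flags in t["notes"]:
        print(f"{src:<16} {url:<50} {' '.join(flags) or 'ok'}")
```

"third-party-host" entries are worth a second look: the staging host is a compromised machine in its own right, and its address is something you can pass on to the owning network's CSIRT.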