Honeypots The Art of Building Secure Systems by Making them Vulnerable
15th of January 2014, Talks #32
Andrei Avădănei, President of the Cyber Security Research Center from Romania, http://ccsir.org
Cyber Security Research Center from Romania
Summary
1. Short bio
2. Into the Honeypots world..
3. Why should you care?
4. Types of Honeypots
5. Examples
6. Resources & References
7. Questions?
1. Short bio
President at CCSIR
Founder and coordinator of DefCamp
Blogger @worldit.info
Speaker at Talks #1 :>
Ambassador of Talks by Softbinator
Proof:
… and others.
2. Into the Honeypots world..
"A honeypot is a trap set to detect, deflect or in some
manner counteract attempts at unauthorized use of
information systems." [1]
"A honeypot is a security resource whose value lies in
being probed, attacked or compromised" [2]
- often, honeypot features are found in IDS products
- it's just another layer of security
3. Why should you care?
- collects a small amount of data of high value
- usually no resource exhaustion
- no fancy algorithm to develop, no signature databases to maintain, no rule base to misconfigure
- has a good return on investment if your setup is properly configured
- prevents attacks before they really happen
- catches 0-day malware and attacks
-> better security
4. Honeypot types #1 – by environment
Production – one used within an organization's environment to help mitigate risk. Ex: kippo, honeyd, bubblegum, specter.
- distraction
- detect internal threats
- security assessment
Research – adds value to computer security research by providing a platform to study the threat. Ex: Honeywall, Sombria, Sebek
- discover new attacks
- understand the blackhat community
- help build better defenses against threats
4. Honeypot types #2 – by interaction
1. Low-interaction – honeyd, kfsensor
2. Medium-interaction – kippo, specter
3. High-interaction – Honeynet
- full environments/architecture
- may involve both defensive and offensive interaction [3]
5. Examples
Case study #1 – Softbinator.ro
- change the default SSH port and install kippo as a honeypot
- they run on WP, so they should fake some WP plugin versions
- add some fake configs pointing to an FTP (or other) service that is logged
- create a folder that can be brute-forced, containing a vulnerable-looking script that is reverse-proxied to another server/VM
- log all of this in a fancy dashboard
- you can block requests automatically with iptables if you are sure that nobody should be there
Estimated time of implementation: <= 24-48 hours.
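An added example (not code from the talk or from kippo) of the "log it, then block" step above: it parses constructed login-attempt lines written in the style of kippo's kippo.log (the exact format is an assumption), counts attempts per source address, leaves a hypothetical internal range alone, and renders iptables DROP rules for the rest.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of kippo's kippo.log (format assumed,
# not taken from the talk); the last bracketed field is the peer address.
SAMPLE_LOG = """\
2013-09-29 15:47:35+0000 [SSHService ssh-userauth on HoneyPotTransport,0,198.51.100.7] login attempt [root/123456] failed
2013-09-29 15:47:36+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/password] failed
2013-09-29 15:47:37+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/admin] failed
2013-09-29 15:47:38+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/toor] succeeded
2013-09-29 16:01:02+0000 [SSHService ssh-userauth on HoneyPotTransport,4,10.0.0.5] login attempt [ops/wrong] failed
2013-09-29 16:02:02+0000 [SSHService ssh-userauth on HoneyPotTransport,5,203.0.113.9] login attempt [test/test] failed
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

# Hypothetical internal range whose hosts may legitimately touch the box
# (monitoring, admins); addresses in it are never auto-blocked.
SAFE_NETS = [ip_network("10.0.0.0/8")]

def parse_attempts(text):
    """Yield one dict per login-attempt line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()

def attempts_per_ip(text):
    """Count login attempts (failed or not) per source address."""
    return Counter(a["ip"] for a in parse_attempts(text))

def block_candidates(text, threshold=3):
    """Addresses with at least `threshold` attempts that are outside SAFE_NETS."""
    out = []
    for ip, n in attempts_per_ip(text).items():
        if n >= threshold and not any(ip_address(ip) in net for net in SAFE_NETS):
            out.append(ip)
    return sorted(out)

def iptables_rules(ips):
    """Render one DROP rule per address for the dashboard/automation to apply."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(iptables_rules(block_candidates(SAMPLE_LOG))))
```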
5. Examples
Case study #2 – A network #I
- Gen1 honeynet
- create a separate dedicated network, with a layer 3 routing firewall to limit/block outbound connections
- disadvantages: data capture, fingerprinting, destroying
Estimated time of implementation: <= 1-2 weeks.
5. Examples
Case study #2 – A network #II
- Gen2 honeynet
- can be used in the production network; the honeynet sensor acts like a bridge on layer 2
- detects unauthorised/unknown activities
- Hogwash is an example of an IDS gateway that can drop or modify the packets that pass through the gateway
Estimated time of implementation: <= 1-2 weeks.
5. Examples
Case study #3 – Database of emails
- buy a random domain, let's say: honeyyyy.com
- configure a minimal mail service
- add some random users to your database. Ex: [email protected], [email protected]
- create some triggers on the mail service to forward all incoming mail for these particular addresses to you.
Estimated time of implementation: <= 1-4 hours.
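An added example (not from the talk) of the forwarding trigger: given a message delivered to the decoy domain, it checks the header and SMTP envelope recipients against constructed honeytoken addresses, each mapped to the place it was seeded, and builds the alert that would be forwarded to you. The addresses, seeding locations and sample message are all constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed honeytoken users on the decoy domain from the talk. Each maps to
# where that user was planted, so mail arriving at it tells you which copy of
# the data was harvested. Addresses and locations are hypothetical.
HONEYTOKENS = {
    "ana.popescu@honeyyyy.com": "customers table, production DB",
    "m.ionescu@honeyyyy.com": "newsletter export shared with a partner",
}

# Constructed sample message, as the minimal mail service would hand it over.
SAMPLE_MAIL = """\
From: "Promo Desk" <offers@example.net>
To: ana.popescu@honeyyyy.com
Cc: other@example.org
Subject: Special prices this week

Hello, special prices inside.
"""

def triggered_tokens(raw_message, envelope_rcpts=()):
    """Return (token_address, seeded_location) for every honeytoken recipient.

    Header recipients come from To/Cc; envelope_rcpts is the SMTP RCPT TO list,
    the only place a token address shows up when the sender used Bcc.
    """
    msg = message_from_string(raw_message)
    header_addrs = [a for _n, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    hits, seen = [], set()
    for addr in header_addrs + list(envelope_rcpts):
        addr = addr.strip().lower()
        if addr in HONEYTOKENS and addr not in seen:
            seen.add(addr)
            hits.append((addr, HONEYTOKENS[addr]))
    return hits

def build_alert(raw_message, envelope_rcpts=()):
    """One-line alert text for the forwarding trigger; None if no token was hit."""
    hits = triggered_tokens(raw_message, envelope_rcpts)
    if not hits:
        return None
    _name, sender = parseaddr(message_from_string(raw_message).get("From", ""))
    leaks = "; ".join(f"{addr} (seeded in: {where})" for addr, where in hits)
    return f"honeytoken hit from {sender or 'unknown'}: {leaks}"

if __name__ == "__main__":
    print(build_alert(SAMPLE_MAIL))
```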
5. Examples
Case study #4 – some fun with kippo
“Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.”
- you can download logs from ccsir.org/files/logs.tgz
- PS: tx shark0der for the logs
Let's play: utils/playlog.py logname.log
20130929-154735-3196.log
20130924-185020-4539.log
Etc.
Bonus – ethical issues concerning Honeypots
- M.E. Kabay, the author of 'Liability and Ethics of Honeypots', argues that they are unethical, posing the following question:
“Since it is both unethical and illegal to lure someone into stealing an object, why is it legal or ethical to lure an individual into committing a computer crime?”
- Other experts consider honeypots not only unethical, but a disadvantage to the computer world since they are in essence “building the better hacker”
- B. Scottberg, author of 'Internet Honeypots: Protection or Entrapment?':
"tracking an intruder in a honeypot reveals invaluable insights into attacker techniques and ultimately motives so that production systems can be better protected. You may learn of vulnerabilities before they are exploited."
6. Resources & References
1. http://ethics.csc.ncsu.edu/abuse/hacking/honeypots/study.php
2. http://en.wikipedia.org/wiki/Honeypot
3. http://www.darkreading.com/vulnerability/honeypot-stings-attackers-with-counterat/240151740
4. http://www.it-docs.net/ddata/792.pdf ← Awesome!
Honeypots:
https://github.com/rep/hpfeeds
http://www.honeyd.org/
https://github.com/buffer/thug
http://glastopf.org/
http://dionaea.carnivore.it/
http://www.specter.com/introduction50.htm
http://www.keyfocus.net/kfsensor/
http://map.honeycloud.net/
https://www.projecthoneypot.org/index.php
7. Questions?
or
Stay safe! :-)