honeypot technologies
play

Honeypot technologies 2006 First Conference / tutorial Junes 2006 - PowerPoint PPT Presentation

Aug 01, 2023 •370 likes •1.5k views

Honeypot technologies 2006 First Conference / tutorial Junes 2006 {Franck.Veysset,Laurent.Butti}@orange-ft.com D1 -June 2006 Agenda s Origins and background s Different kinds of honeypot Q High interaction honeypots Q Low interaction honeypots

  1. Honeyd – Advanced architecture (2/2) Q # Cisco router s Honeyd.conf Honeyd.conf Q create router Q set router personality "Cisco IOS 11.3 - 12.0(11)" Q set router default tcp action reset Q ## Honeyd configuration file ## Q set router default udp action reset Q ### Default computers Q add router tcp port 23 "/usr/bin/perl scripts/router- Q create default telnet.pl" Q set default personality "Windows 98" Q set router uid 32767 gid 32767 Q set default default tcp action reset Q set router uptime 1327650 Q set default default udp action reset Q bind 10.0.0.1 router Q add default tcp port 139 open Q bind 10.0.1.1 router Q add default tcp port 137 open Q bind 10.0.2.1 router Q add default udp port 137 open Q bind 10.0.3.1 router Q add default udp port 135 open Q ### Routing configuration Q set default uptime 398976 Q route entry 10.0.0.1 Q ### Windows computers Q route 10.0.0.1 link 10.0.0.0/24 Q create windows Q route 10.0.0.1 add net 10.0.1.0/24 10.0.1.1 latency 55ms Q set windows personality "Windows NT 4.0 Server SP5-SP6" loss 0.1 Q set windows default tcp action reset Q route 10.0.0.1 add net 10.0.2.0/24 10.0.2.1 latency 15ms Q set windows default udp action reset loss 0.01 Q add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl" Q route 10.0.0.1 add net 10.0.3.0/24 10.0.3.1 latency 105ms loss 0.2 Q add windows tcp port 139 open Q route 10.0.1.1 link 10.0.1.0/24 Q add windows tcp port 137 open Q route 10.0.2.1 link 10.0.2.0/24 Q add windows udp port 137 open Q route 10.0.3.1 link 10.0.3.0/24 Q add windows udp port 135 open Q set windows uptime 3284460 Q bind 10.0.0.8 windows Q bind 10.0.1.9 windows Q bind 10.0.2.10 windows Q ### Linux 2.4.x computer Q create dns_server Q set dns_server personality "Linux 2.4.7 (X86)" Q set dns_server default tcp action reset Q set dns_server default udp action reset Q add dns_server udp port 53 "perl scripts/HoneyDNS.pl - udp" Q add dns_server tcp port 21 "sh scripts/ftp.sh" Q set dns_server uptime 3284460 Q bind 10.0.0.4 dns_server Q bind 10.0.0.5 dns_server Q ### Linux 2.4.x computer Q create smtp_server Q set smtp_server personality "Linux 2.4.7 (X86)" Q set smtp_server default tcp action reset Q set smtp_server default udp action reset Q add smtp_server tcp port 110 "sh scripts/pop3.sh" Q add smtp_server tcp port 25 "sh scripts/smtp.sh" Q add smtp_server tcp port 21 "sh scripts/ftp.sh" Q add smtp_server tcp port 23 "perl scripts/router-telnet.pl" Q set smtp_server uptime 3284460 Q bind 10.0.0.6 smtp_server France Télécom R&D – Veysset & Butti – June 2006 Q bind 10.0.0.7 smtp_server D30

  2. Honeyd France Télécom R&D – Veysset & Butti – June 2006 D31

  3. Honeyd – advanced features s Subsystem virtualization Q Run real UNIX applications under virtual Honeyd IP addresses: web servers, ftp servers, etc... s Internal Web server for easy satistics… s Management console that allows dynamic change on Honeyd configuration while Honeyd is running s Dynamic templates Q Allows the configuration of a host to adapt depending on the operating system of the remote host, the time of day, the source IP address, etc. s Tarpit s Passive fingerprintings (p0f) France Télécom R&D – Veysset & Butti – June 2006 D32

  4. Feedback: Sasser detection (1/2) s Sasser was seen for the first time on Saturday, May 1st 2004 from 7:50 pm (FTR&D Intranet) s Number of hits per day Hits 5000 4500 4000 3500 3000 2500 Hits 2000 1500 1000 500 0 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 t a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 D 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 / / / / / / / / / / / / / / / / / 4 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 / / / / / / / / / / / / / / / / / 4 0 1 2 3 4 5 6 0 1 2 3 5 6 7 8 9 3 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 France Télécom R&D – Veysset & Butti – June 2006 D33

  5. Sasser detection (2/2) s Maximum of activity on Sunday, May 2nd s Thousands of hits on May 2nd, 3rd and 4th Q This does not mean thousands of machines were infected Q In fact, 387 unique IP addresses were found (FTR&D site) s The worm was quickly brought down: 2 working days Q Monday and Tuesday following the infection France Télécom R&D – Veysset & Butti – June 2006 D34

  6. Honeyd: limitation s As a « low interaction » honeypot, there are some limitations Q Difficult to emulate complex (binaries) protocols Q It is possible to « fingerprint » honeyd, thus identify the honeypot s Stability issues Q Under heavy load… s Security issues Q ? France Télécom R&D – Veysset & Butti – June 2006 D35

  7. High interaction HP s Lots of work in this area s Different generations Q Gen1 1999-2002 Q Gen2 2002-2004 Q Gen3 2005-… Q … s Towards honeynet (networks of honeypots) France Télécom R&D – Veysset & Butti – June 2006 D36

  8. Key points s Strong needs to take care of incoming and outgoing traffic s Data Control Q Filter outgoing packets to stop further attacks s Data capture Q Log every packet that enters and leaves honeypot France Télécom R&D – Veysset & Butti – June 2006 D37

  9. No “Data Control” No Restrictions Honeypot Internet No Restrictions Honeypot France Télécom R&D – Veysset & Butti – June 2006 D38

  10. Data Control enabled France Télécom R&D – Veysset & Butti – June 2006 D39

  11. GEN I honeynet France Télécom R&D – Veysset & Butti – June 2006 D40

  12. GEN I honeynet s Controls outbound packets by passing through firewall and router s Router somehow « hide » the firewall s Data control is performed by the firewall Q Firewall keeps track of number of outbound connections Q The more outbound activity allowed, the more can be learned Q Might be risky! s Data capture Q The IDS gather all the information Q All systems export their logs to remote syslog server France Télécom R&D – Veysset & Butti – June 2006 D41

  13. GEN I: analysis s The first « honeypot » solution s Data Control is quite hard to perform Q Need to filter on outbound activity (counter?) Q Hackers can detect the trick Q Difficult to fine tune s Data Capture is limited Q Only IDS and Syslog s Introducing GEN II architectures France Télécom R&D – Veysset & Butti – June 2006 D42

  14. Honeynet - GenII France Télécom R&D – Veysset & Butti – June 2006 D43

  15. Gen II analysis (1/2) s Gateway works at layer 2 (bridge mode) Q Very stealthy s Administration is performed using C interface s Data Control & Data capture are done by the gateway (honeynet sensor) France Télécom R&D – Veysset & Butti – June 2006 D44

  16. Gen II analysis (2/2) s Advanced data control functionalities Q IDS/IPS functionalities Q Relies on SNORT-INLINE Q http://snort-inline.sourceforge.net s Advanced data capture functionalities Q Honeywall gathers firewall and snort logs Q Sebek runs on all honeypot Q Honeywall collects sebek logs France Télécom R&D – Veysset & Butti – June 2006 D45

  17. Snort-Inline Drop Rule User Space Snort-Inline Snort Rules = Drop snort –Q –c /snort.conf Iptables-1.2.7a DROP modprobe ip_queue Ip_queue iptables -A OUTPUT -p icmp -j QUEUE Kernel Space Management France Télécom R&D – Veysset & Butti – June 2006 D46

  18. Snort-Inline Drop Rule Exemple: DNS attack drop tcp $HOME_NET any $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; France Télécom R&D – Veysset & Butti – June 2006 D47

  19. Snort-Inline Replace Mode Internet User Space Snort Rules = Replace Snort-Inline /ben/sh /bin/sh Iptables-1.2.7a modprobe ip_queue Ip_queue iptables -A OUTPUT -p icmp -j QUEUE Kernel Space Management France Télécom R&D – Veysset & Butti – June 2006 D48

  20. Snort-Inline Replace Rule Exemple: DNS attack Can be very “stealth” alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";) France Télécom R&D – Veysset & Butti – June 2006 D49

  21. France Télécom R&D – Veysset & Butti – June 2006 D50

  22. Data Capture: Sebek s Tool developed by the honeynet project s Very useful for “data capture” Q Hidden kernel module that captures all activity Q Dumps activity to the network Q Attackers cannot sniff any traffic based on magic number and destination port s http://www.honeynet.org/tools/sebek/ France Télécom R&D – Veysset & Butti – June 2006 D51

  23. Sebek Diagram France Télécom R&D – Veysset & Butti – June 2006 D52

  24. Sebek: Data capture s The Sebek kernel module collects data passing through the read() system call Q For example, this captures the intruder’s ssh keystrokes and recovers scp file transfers. s Sebek client relies on stealth techniques to hide. This also harden its detection. First Sebek version was relying on “the adore rootkit” to hide the sebek files and processes from the attacker Q Sebek : http://www.honeynet.org/papers/honeynet/tools/ Q Adore: http://www.team-teso.net/releases.php France Télécom R&D – Veysset & Butti – June 2006 D53

  25. Sebek client: Sys_Read hooking France Télécom R&D – Veysset & Butti – June 2006 D54

  26. Sebek client France Télécom R&D – Veysset & Butti – June 2006 D55

  27. GUI Sebek France Télécom R&D – Veysset & Butti – June 2006 D56

  28. Sebek network France Télécom R&D – Veysset & Butti – June 2006 D57

  29. Sebek… what’s next s Lots of work on Sebek and “anti sebek” techniques Q See Fake Phrack mag #62 for example Q Kernel module detection Q Sebek s New research on the topic Q EuSec 06: Xebek… (more on this later) France Télécom R&D – Veysset & Butti – June 2006 D58

  30. Other HP usages s WiFi Honeypots s Virtual honeypots s Honeypots and Worms s Distributed Honeypots s Honeyclients s Honeypot farms s Honeynet project s Legal issues France Télécom R&D – Veysset & Butti – June 2006 D59

  31. Wireless Honeypots s Wireless technologies are more and more available Q In corporate networks Q In home networks Q In hot spots Q … s New technologies such as VoIP/WLAN, UMA (Unlicensed Mobile Access)… are new ways to circumvent your security policy s Seems that wireless honeypot could help us in evaluating these new risks France Télécom R&D – Veysset & Butti – June 2006 D60

  32. Wireless Honeypots s Today, most corporate wireless access are still based on IPsec tunneling Q Implies that Wi-Fi networks are using « Open » mode s Two options for a « Wireless Honeypot » Q A classic option is a wired honeypot near your IPsec gateway! Q Another option is a fully featured virtual network emulated reachable from an open wireless access point France Télécom R&D – Veysset & Butti – June 2006 D61

  33. Wireless Honeypot? s Goals Q Statistics on « Wardriving » Q Knowledge and understanding of hackers’ motivations – « intelligence » aspects Q Knowledge of new technologies and tools – Wi-Fi hacker Toolbox s Pros Q Looks like a typical Wi-Fi network Q Level 2 technology: detection of all customers equipments looking for Wi-Fi networks (even without connection) France Télécom R&D – Veysset & Butti – June 2006 D62

  34. Wireless Honeypot s Based on a real AP, and on a honeyd server emulating a full network s All traffic is monitored and captured s Can fool hacker and wardriver Simulated Network Access Point «Honeypot » « Honeyd » Serveur Hacker 1 Hacker 2 France Télécom R&D – Veysset & Butti – June 2006 D63

  35. Wireless Honeypot s After some experiments… Q Most of the connection are just looking for internet access (http://www.google.fr) Q More interesting, many clients do some “automatic” connections (ex: under Windows XP, auto_connect) Q This can be very dangerous (information leak, hole on the system…) France Télécom R&D – Veysset & Butti – June 2006 D64

  36. Wireless Honeypot s Thanks to Tino H. s His help made the demo possible… Q One of our laptop died in the plane France Télécom R&D – Veysset & Butti – June 2006 D65

  37. Virtual Honeypots (1/3) s New “architecture” to build honeynet s Ideas Q Run everything on a single computer Q Relies on virtualization technologies – VMware – Xen – UML (User Mode Linux) – … France Télécom R&D – Veysset & Butti – June 2006 D66

  38. Virtual Honeypots (2/3) s Pros Q Reduced cost Q Easy to maintain / repair Q Portable (honeynet laptop?) s Cons Q Single point of failure Q Not everything is possible (Cisco on Intel?) Q Security (strong compartmentalization?) Q Detection? Very difficult to hide… France Télécom R&D – Veysset & Butti – June 2006 D67

  39. Virtual Honeypots (3/3) s More information at Q http://www.honeynet.org/papers/virtual/index.html s New tools available for virtual honeypots ☺ Q See “Xebek” at “EuSecWest/Core06” Q See “VMware fingerprinting counter measures” – http://honeynet.rstack.org/tools.php s New tools against “virtual honeypot” � Q VMware fingerprinting tools (cf Kostya’s patches) Q And many more (dtdumper…) France Télécom R&D – Veysset & Butti – June 2006 D68

  40. Automated Malware Collection s Automated malware collection is a new hyped technique s Most well-known tools are Q Mwcollect Q Nepenthes Q Mwcollect and Nepenthes fusion (February, 2006) s Lots of other techniques are possible Q PCAP capture of compromised hosts for example France Télécom R&D – Veysset & Butti – June 2006 D69

  41. Nepenthes Operation s Nepenthes is a medium interaction honeypot Q It emulates known vulnerabilities Q It catches known shellcodes Q It interprets the shellcode actions Q It emulates the actions – Bind a shell, parses URLs… s Should not be compromised if no security vulnerabilities (coded in C++) ;-) s But can be easily detected, that’s not its purpose! France Télécom R&D – Veysset & Butti – June 2006 D70

  42. Nepenthes Loading s Loading of the configuration Q Examine the modules to be charged (vuln, shellcodes, download, submit, log) Q Record the handlers of download for each supported protocol of download (csend, creseive, ftp, HTTP, link, blink, tftp, CCP, optix) Q record the manager of DNS Q Record FileSubmit Q Sockets are binded on all the ports where the known vulnerabilities (in the form of DialogueFactory) are emulated Q Sockets are binded on all the ports where the known vulnerabilities (in the form of DialogueFactory) are emulated Q Loading of patterns present in 61 known shellcodes Q Be unaware of 17 ranges of IP addresses France Télécom R&D – Veysset & Butti – June 2006 D71

  43. – Watch ports ( "25", // SMTP, "110", // POP3, "143", // IMAP, "220", // IMAP, "465" // POP3 & SSL, "993", // IMAP & SSL, "995" // POP3 & SSL ) – Bagle port 2745 Q Ignoring 0.0.0.0/255.0.0.0 – Dameware port 6129 Q 10.0.0.0/255.0.0.0 – Dcom-vuln ports 135,445,1025 Q 14.0.0.0/255.0.0.0 – Vuln-ftp port 21 – vulnIIS port 443 Q 39.0.0.0/255.0.0.0 – Kuang2 port 17300 Q 127.0.0.0/255.0.0.0 – LSASS port 445 Q 128.0.0.0/255.255.0.0 – MSMQ ports: 2103,2105,2107 Q 169.254.0.0/255.255.0.0 – MSDTCD ports 1025,3372 – Mssql port 1434 Q 172.16.0.0/255.240.0.0 – Mydoom port 3127 Q 191.255.0.0/255.255.0.0 – Netbiosname port 139 Q 192.0.0.0/255.255.255.0 – NetDDE port 139 Q 192.0.2.0/255.255.255.0 – Optixshell port 3140 – PNP port 445 Q 192.88.99.0/255.255.255.0 – SasserFTPD ports 5554,1023 Q 192.168.0.0/255.255.0.0 – SUb7 port 27347 Q 198.18.0.0/255.254.0.0 – UPNP port 5000 Q 223.255.255.0/255.255.255.0 – VERITAS port 10000 – Wins vuln port 42 Q 224.0.0.0/240.0.0.0 – ASN1 ports: smb:445 iis:80 Q 240.0.0.0/240.0.0.0 France Télécom R&D – Veysset & Butti – June 2006 D72

  44. Handling Attacks (1/4) s Attempt at connection - > Creation of a « Dialogue » Q Emulation of a vulnerability s Data transmitted per packets to the Dialogues France Télécom R&D – Veysset & Butti – June 2006 D73

  45. Handling Attacks (2/4) match Comparison with all Download shellcodes patterns Switch off other dialogues on same port yes no Last Stage yes Hexdumps Vuln-Dialogue (== pattern?) e u g o l a i d r e h t gives o o If n & & socket o N closes No more packets Socket receives Close packet France Télécom R&D – Veysset & Butti – June 2006 D74

  46. Handling Attacks (3/4) s Some vulns have no pattern used for a first recognition Q Direct recognition against shellcode or direct action (Kuang2) s When a vuln Dialogue receives a SCH_DONE Message from a shellcode identifier Q It gives to the corresponding socket the state CL_ASSIGN_AND_DONE – In order the other sockets binded on the same port be dropped France Télécom R&D – Veysset & Butti – June 2006 D75

  47. Handling Attacks (4/4) Downloads binary If URL still OK DownloadManager Giving data (url, host, port) Creation of a WinNT shell Dialogue Match (xor'd if needed) Comparison with all known shellcodes France Télécom R&D – Veysset & Butti – June 2006 D76

  48. Collection s Files can be submitted to Q Nepenthes manager to collect Q Gotek server performs better but requires DB backend (mysql) Q Norman sandbox for analysis s Logs can be submitted to Q Managers (Prelude) thanks to IDMEF Q Surfnet for web interfacing Q IRC France Télécom R&D – Veysset & Butti – June 2006 D77

  49. Nepenthes Conclusions s Nepenthes is modular, organized around a core s Nepenthes is able to catch new shellcodes on known vulnerabilities Q Stored in hexdumps s Nepenthes is able to catch binaries whose shellcode is known Q Stored in binaries s Statistics are possible by analysing submitted logs France Télécom R&D – Veysset & Butti – June 2006 D78

  50. Honeypot and worms s Idea: as seen before, use a honeypot to detect worm (ie. System that connect to honeypot automatically) s Fighting back: launch some counter attack, in order to clean the offending system s More information Q http://www.citi.umich.edu/u/provos/honeyd/msblast.html Q http://www.rstack.org/oudot/ France Télécom R&D – Veysset & Butti – June 2006 D79

  51. In detail: Mblast infection France Télécom R&D – Veysset & Butti – June 2006 D80

  52. Using honeypot to fight worm 1. The worm connects to the honeypot, on port 135, and launch its exploit 2. The worm connects on a remote shell (honeypot, port TCP/4444). Then, the honeypot is able to download the worm code (using TFTP) 3. The honeypot know the IP address of the infected host. It is able to launch an attack (or simply connect back to port 4444) and clean or shutdown offending host France Télécom R&D – Veysset & Butti – June 2006 D81

  53. Honeytokens s honeypot which is not a computer s Used for Q Espionage Q Credit card, ssn monitoring Q bank Q Spam… s Two main usages Q Detect information leaking Q Tracking France Télécom R&D – Veysset & Butti – June 2006 D82

  54. Distributed Honeypot France Télécom R&D – Veysset & Butti – June 2006 D83

  55. Example : Leurre.com s Project by Eurecom institute Q The Eurecom Honeypot Project – http://www.eurecom.fr/~pouget/projects.htm – http://www.leurrecom.org s Distributed HP (more than 25 countries, 5 continents) s Project launched 4 years ago s Based on “distributed” honeyd France Télécom R&D – Veysset & Butti – June 2006 D84

  56. Information from *leurre.com* s Thanks to Marc Dacier from Eurecom institute s More information: dacier@eurecom.fr … s See Fabien Pouget & Marc Dacier – Friday 3pm s Extract from a presentation « Applied Computing 2006 » in spain France Télécom R&D – Veysset & Butti – June 2006 D85

  57. 35 platforms, 25 countries, 5 continents France Télécom R&D – Veysset & Butti – June 2006 D86

  58. In Europe … France Télécom R&D – Veysset & Butti – June 2006 D87

  59. Experimental Set Up R Mach0 e Windows 98 Workstation v e V i r Mach1 r t s Windows NT (ftp u Internet e + web server) a l S F W Mach2 i I T Redhat 7.3 (ftp r C server) H e w a l Observer (tcpdump) l France Télécom R&D – Veysset & Butti – June 2006 D88

  60. Big Picture s Distinct IP Addresses observed: 989,712 s # of received packets: 41,937,600 s # of emitted packets: 39,911,933 s TCP: 90.93% s UDP: 0.77% s ICMP: 5,16 % s Others: (malformed packets, etc) 3.14% France Télécom R&D – Veysset & Butti – June 2006 D89

  61. Observation 3 s All countries host attackers but some countries host more than others. France Télécom R&D – Veysset & Butti – June 2006 D90

  62. Attacks by country of origin (Jan 1 2005 until Jan 1 2006) France Télécom R&D – Veysset & Butti – June 2006 D91

  63. Observation 4 s There is a surprising steady decrease of the number of attacks France Télécom R&D – Veysset & Butti – June 2006 D92

  64. Attacks by environment (Jan 1 2005 until Jan 1 2006) France Télécom R&D – Veysset & Butti – June 2006 D93

  65. Observation 6 s Some compromised machines are used to scan the whole Internet s Some compromised machines take advantage of the data collected by the first group to launch attacks only against the vulnerable targets. ➔ maintaining black lists of scanners is useless. France Télécom R&D – Veysset & Butti – June 2006 D94

  66. The « scanners »: IP sources probing all 3 virtual machines (24 months ago) 100% closed 80% closed 47% 48% closed 60% 77% 40% open open 53% 20% 52% open 23% 0% m ach0 m ach1 m ach2 France Télécom R&D – Veysset & Butti – June 2006 D95

  67. The « attackers »: IP sources probing only 1 virtual machine (24 months ago) closed closed closed 100% 3% 4% 5% 80% 60% open open open 97% 96% 95% 40% 20% 0% mach0 mach1 mach2 France Télécom R&D – Veysset & Butti – June 2006 D96

  68. Observation 7 s The proportion or attackers vs. scanners has changed twice over the last 24 months. s Two possible explanations: Q Collected data is shared in a more efficient way and, thus, less scans are required. Q Scans are not done sequentially any more but random scans are instead preferred. France Télécom R&D – Veysset & Butti – June 2006 D97

  69. Scanners vs. attackers: evolution France Télécom R&D – Veysset & Butti – June 2006 D98

  70. Honeyclient s Idea: Honeypot client Q Detect malicious web server, IRC net, P2P net… Q Surf the web searching for websites that use browser exploits to install malware on the honeymonkey computer France Télécom R&D – Veysset & Butti – June 2006 D99

  71. France Télécom R&D – Veysset & Butti – June 2006 D100

Recommend

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project & Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy ! Work

676 views • 52 slides
Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon

Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon

Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements Lionel Metongnon 12 Ramin Sadre 1 SIGCOMM-WTMC, 20th August 2018 1 Institute of Information and Communication Technologies, Electronics and Applied Mathematics

561 views • 17 slides
Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut The role of the honeypot The limitations Low-interaction honeypots: "Artificial" attack surface

846 views • 13 slides
Caught in the honeypot: (almost) a year in review ukasz Siewierski Polish Chapter / CERT

Caught in the honeypot: (almost) a year in review ukasz Siewierski Polish Chapter / CERT

Caught in the honeypot: (almost) a year in review ukasz Siewierski Polish Chapter / CERT Polska 2014 Honeynet Project Workshop Warsaw, 12th May, 2014 Honeeebox ukasz Siewierski Caught in the honeypot: (almost) a year in review 2 / 11

285 views • 15 slides
DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1),

DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1),

DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1), Michel Cukier(1), Ma9 Hiltunen(2), David Kormann(2), Gregory Vesonder(2), Robin Berthier(3) (1)

437 views • 22 slides
HackersPot By Vsevolod Ivanov CART 360 HoneyPot HoneyPing Electronic plants

HackersPot By Vsevolod Ivanov CART 360 HoneyPot HoneyPing Electronic plants

HackersPot By Vsevolod Ivanov CART 360 HoneyPot HoneyPing Electronic plants http://advances.sciencemag.org/ content/1/10/e1501136.full Venus Flytrap Soft robotics http://biorobotics.snu.ac.kr/wp-co ntent/uploads/2014/05/2014_BIO

354 views • 16 slides
A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

Honeypots architecture Security Properties Statistical results Conclusion A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande C. Toinard LIFO Universit dOrlans ENSI de Bourges SHPCS08,

401 views • 19 slides
Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik

Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan Borgerding Jon Hope Nik Kinkel Jon Osborne Korbin Stich http://may1601.sd.ece.iastate.edu Client : Alliant Energy Advisor : Dr. Doug Jacobson April 28, 2016 May1601 ICS

384 views • 15 slides
capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge

capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge

Honware: A virtual honeypot framework for capturing CPE and IoT zero days Alexander Vetterl and Richard Clayton University of Cambridge eCrime 2019, APWG Symposium on Electronic Crime Research November 14, 2019 Introduction Honeypot: A

224 views • 19 slides
Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina Rente { jmfranco, frente } at dei.uc.pt Software and System Engineering Research Group FCT University of Coimbra Agenda Agenda

378 views • 16 slides
NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2.

NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2.

NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer On the agenda: 1. Introduction 2. SBIR 3. Cuckoo Sandbox 4. Project 5. Architecture 6. Offline demo 7. Roadmap Introduction Pieter Jansen - CEO @ Cybersprint -

859 views • 42 slides
Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Overview Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots What can you do with them? Claire OShea Problems with honeypots COMP 290 Spring 2005 Overview Motivation Examples of

645 views • 15 slides
BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are

BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are

BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are today Technology World leaders in Advance Processing Technologies for small fruits and vegetables. R&D Strong focus on research

383 views • 17 slides
Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial

Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial

Project 4 Multi-Core Network Honeypot LL/SC - Important for mutex locking/unlocking - Crucial for synchronized data-structures - Up to 32 cores in PA4 LL/SC Syntax LL a, off(b): loads M[b + off] into register a SC c, off(d):

289 views • 18 slides
HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for

HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for

HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for Computer Science Operating Systems and Distributed Systems Reykjavk, July 29, 2013 Outline 1 Introduction 2 An IPv6 darknet experiment HoneydV6 -

890 views • 31 slides
A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau ( @obilodeau ) $ apropos Embedded Linux Malware Moose DNA (description) Moose Herding (the Operation) Whats New? Take Aways $ whoami Malware

1.19k views • 97 slides
20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79

20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79

20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79 % required breach 48 % exists? improve 62 % security page 03 * Gemalto The State of IoT Security Honeypot A honeypot is a computer

631 views • 25 slides
Technologies : Retour sur le Futur ? Technologies : Retour sur le Futur ? Technologies : Retour

Technologies : Retour sur le Futur ? Technologies : Retour sur le Futur ? Technologies : Retour

Technologies : Retour sur le Futur ? Technologies : Retour sur le Futur ? Technologies : Retour sur le Futur ? Technologies : Retour sur le Futur ? FOURPOINTS Funds Info Tech November 4. 2014 Fund Managers: Benot Flamant Twitter:

642 views • 47 slides
Anti-Honeypot Technology Thorsten Holz Laboratory for Dependable Distributed Systems

Anti-Honeypot Technology Thorsten Holz Laboratory for Dependable Distributed Systems

Dependable Distributed Systems Anti-Honeypot Technology Thorsten Holz Laboratory for Dependable Distributed Systems holz@i4.informatik.rwth-aachen.de Thorsten Holz Laboratory for Dependable Distributed Systems 21st Chaos Communication

576 views • 57 slides
COOLING TECHNOLOGIES IEA Technology Collaboration Programme on Heat Pumping Technologies (HPT

COOLING TECHNOLOGIES IEA Technology Collaboration Programme on Heat Pumping Technologies (HPT

COOLING TECHNOLOGIES IEA Technology Collaboration Programme on Heat Pumping Technologies (HPT TCP) Chair Stephan Renz www.heatpumpingtechnologies.org A/C TECHNOLOGIES AND MARKETS In the Past Expectations for the future Rapid growth

349 views • 16 slides
THANK YOU FOR YOUR INTEREST IN POKE YOKE TECHNOLOGIES POKE YOKE TECHNOLOGIES AT A GLANCE POKE

THANK YOU FOR YOUR INTEREST IN POKE YOKE TECHNOLOGIES POKE YOKE TECHNOLOGIES AT A GLANCE POKE

THANK YOU FOR YOUR INTEREST IN POKE YOKE TECHNOLOGIES POKE YOKE TECHNOLOGIES AT A GLANCE POKE YOKE TECHNOLOGIES PRIVATE LIMITED POKE YOKE TECHNOLOGIES IS A MANAGEMENT CONSULTING COMPANY WITH ENHANCING PERFORMANCE AT ITS CORE FOUNDED IN 2014

682 views • 10 slides
Ellidiss Technologies w w w . e l l i d i s s . c o m Ellidiss Technologies Model Processing

Ellidiss Technologies w w w . e l l i d i s s . c o m Ellidiss Technologies Model Processing

LAMP: A new model processing language for AADL ERTS 2020 Toulouse, 30 Jan 2020 P. Dissaux Ellidiss Technologies, 24, quai de la douane, 29200 Brest, France Ellidiss Technologies w w w . e l l i d i s s . c o m Ellidiss Technologies Model

353 views • 24 slides
HoneyDrone: a medium-interaction Unmanned Aerial Vehicle HoneyDrone: a medium-interaction Unmanned

HoneyDrone: a medium-interaction Unmanned Aerial Vehicle HoneyDrone: a medium-interaction Unmanned

HoneyDrone: a medium-interaction Unmanned Aerial Vehicle HoneyDrone: a medium-interaction Unmanned Aerial Vehicle HoneyDrone: a medium-interaction Unmanned Aerial Vehicle Honeypot Honeypot Honeypot DISSECT 2018 DISSECT 2018 DISSECT 2018

309 views • 16 slides
E3 E3T Energy Efficiency Emerging Technologies HVAC Technologies in Multifamily Buildings

E3 E3T Energy Efficiency Emerging Technologies HVAC Technologies in Multifamily Buildings

E3 E3T Energy Efficiency Emerging Technologies HVAC Technologies in Multifamily Buildings Jonathan Heller Ecotope Dan Auer King County Housing Authority Emerging Technologies Showcase September 14, 2016 GoToWebinar Logistics

918 views • 42 slides

More recommend