Honeyd – Advanced architecture (2/2)

Honeyd.conf (shown on the slide in two columns, reassembled here as one file):

    ## Honeyd configuration file ##
    ### Default computers
    create default
    set default personality "Windows 98"
    set default default tcp action reset
    set default default udp action reset
    add default tcp port 139 open
    add default tcp port 137 open
    add default udp port 137 open
    add default udp port 135 open
    set default uptime 398976
    ### Windows computers
    create windows
    set windows personality "Windows NT 4.0 Server SP5-SP6"
    set windows default tcp action reset
    set windows default udp action reset
    add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl"
    add windows tcp port 139 open
    add windows tcp port 137 open
    add windows udp port 137 open
    add windows udp port 135 open
    set windows uptime 3284460
    bind 10.0.0.8 windows
    bind 10.0.1.9 windows
    bind 10.0.2.10 windows
    ### Linux 2.4.x computer
    create dns_server
    set dns_server personality "Linux 2.4.7 (X86)"
    set dns_server default tcp action reset
    set dns_server default udp action reset
    add dns_server udp port 53 "perl scripts/HoneyDNS.pl -udp"
    add dns_server tcp port 21 "sh scripts/ftp.sh"
    set dns_server uptime 3284460
    bind 10.0.0.4 dns_server
    bind 10.0.0.5 dns_server
    ### Linux 2.4.x computer
    create smtp_server
    set smtp_server personality "Linux 2.4.7 (X86)"
    set smtp_server default tcp action reset
    set smtp_server default udp action reset
    add smtp_server tcp port 110 "sh scripts/pop3.sh"
    add smtp_server tcp port 25 "sh scripts/smtp.sh"
    add smtp_server tcp port 21 "sh scripts/ftp.sh"
    add smtp_server tcp port 23 "perl scripts/router-telnet.pl"
    set smtp_server uptime 3284460
    bind 10.0.0.6 smtp_server
    bind 10.0.0.7 smtp_server
    # Cisco router
    create router
    set router personality "Cisco IOS 11.3 - 12.0(11)"
    set router default tcp action reset
    set router default udp action reset
    add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
    set router uid 32767 gid 32767
    set router uptime 1327650
    bind 10.0.0.1 router
    bind 10.0.1.1 router
    bind 10.0.2.1 router
    bind 10.0.3.1 router
    ### Routing configuration
    route entry 10.0.0.1
    route 10.0.0.1 link 10.0.0.0/24
    route 10.0.0.1 add net 10.0.1.0/24 10.0.1.1 latency 55ms loss 0.1
    route 10.0.0.1 add net 10.0.2.0/24 10.0.2.1 latency 15ms loss 0.01
    route 10.0.0.1 add net 10.0.3.0/24 10.0.3.1 latency 105ms loss 0.2
    route 10.0.1.1 link 10.0.1.0/24
    route 10.0.2.1 link 10.0.2.0/24
    route 10.0.3.1 link 10.0.3.0/24

France Télécom R&D – Veysset & Butti – June 2006
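As an added example (not part of the slides or of the Honeyd distribution), the following Python script parses the bind and route directives of a honeyd.conf such as the one above and checks that every bound address is actually reachable through the declared routing topology, reporting the summed latency from the entry router. SAMPLE_CONF is a constructed excerpt of the slide's file with one deliberately unroutable bind (10.0.9.9); a template bound outside any linked or routed subnet is a silent misconfiguration, since Honeyd will never answer for it.

```python
import ipaddress
import re
import shlex

# Constructed excerpt of the slide's honeyd.conf; 10.0.9.9 has no route on purpose.
SAMPLE_CONF = """\
create router
bind 10.0.0.1 router
bind 10.0.1.1 router
create windows
bind 10.0.0.8 windows
bind 10.0.1.9 windows
bind 10.0.9.9 windows
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.0.1.0/24 10.0.1.1 latency 55ms loss 0.1
route 10.0.1.1 link 10.0.1.0/24
"""

def parse(text):
    """Parse the bind/route subset of honeyd.conf (create/set/add are ignored)
    into (binds, entry, links, nets): links maps a router address to its
    attached subnets, nets maps it to (subnet, next_hop, latency_ms) tuples."""
    binds, links, nets, entry = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        tok = shlex.split(line)                    # keeps quoted scripts intact
        if tok[0] == "bind":
            binds[ipaddress.ip_address(tok[1])] = tok[2]
        elif tok[:2] == ["route", "entry"]:
            entry = ipaddress.ip_address(tok[2])
        elif tok[0] == "route" and tok[2] == "link":
            links.setdefault(ipaddress.ip_address(tok[1]), []).append(
                ipaddress.ip_network(tok[3]))
        elif tok[0] == "route" and tok[2] == "add":
            # route <router> add net <subnet> <next-hop> [latency Nms] [loss P]
            lat = re.search(r"latency (\d+)ms", line)
            nets.setdefault(ipaddress.ip_address(tok[1]), []).append(
                (ipaddress.ip_network(tok[4]), ipaddress.ip_address(tok[5]),
                 int(lat.group(1)) if lat else 0))
    return binds, entry, links, nets

def reachability(conf):
    """Map each bound address to its latency (ms) from the entry router, or
    None when no link/net route leads to it (honeyd would never answer)."""
    binds, entry, links, nets = conf
    result = {}
    for ip in binds:
        router, latency, seen = entry, 0, set()
        while router is not None and router not in seen:
            seen.add(router)                       # guard against routing loops
            if ip == router or any(ip in n for n in links.get(router, [])):
                result[str(ip)] = latency
                break
            hop = next(((nh, ms) for net, nh, ms in nets.get(router, [])
                        if ip in net), None)
            router, latency = (hop[0], latency + hop[1]) if hop else (None, latency)
        else:
            result[str(ip)] = None
    return result
```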
Honeyd (figure)
Honeyd – advanced features
- Subsystem virtualization
  - Run real UNIX applications under virtual Honeyd IP addresses: web servers, ftp servers, etc.
- Internal web server for easy statistics…
- Management console that allows dynamic changes to the Honeyd configuration while Honeyd is running
- Dynamic templates
  - Allow the configuration of a host to adapt depending on the operating system of the remote host, the time of day, the source IP address, etc.
- Tarpit
- Passive fingerprinting (p0f)
Feedback: Sasser detection (1/2)
- Sasser was seen for the first time on Saturday, May 1st 2004 from 7:50 pm (FTR&D Intranet)
- Number of hits per day (chart: hits, 0 to 5000 on the y-axis; dates from 30/04/2004 to 19/05/2004 on the x-axis)
Sasser detection (2/2)
- Maximum activity on Sunday, May 2nd
- Thousands of hits on May 2nd, 3rd and 4th
  - This does not mean thousands of machines were infected
  - In fact, 387 unique IP addresses were found (FTR&D site)
- The worm was quickly brought down: 2 working days
  - Monday and Tuesday following the infection
Honeyd: limitations
- As a « low interaction » honeypot, there are some limitations
  - Difficult to emulate complex (binary) protocols
  - It is possible to « fingerprint » honeyd, and thus identify the honeypot
- Stability issues
  - Under heavy load…
- Security issues
  - ?
High interaction HP
- Lots of work in this area
- Different generations
  - Gen1 1999-2002
  - Gen2 2002-2004
  - Gen3 2005-…
  - …
- Towards honeynets (networks of honeypots)
Key points
- Strong need to take care of incoming and outgoing traffic
- Data Control
  - Filter outgoing packets to stop further attacks
- Data Capture
  - Log every packet that enters and leaves the honeypot
No “Data Control” (figure: honeypots connected to the Internet with no restrictions in either direction)
Data Control enabled (figure)
GEN I honeynet (figure)
GEN I honeynet
- Controls outbound packets by passing them through a firewall and a router
- The router somehow « hides » the firewall
- Data control is performed by the firewall
  - The firewall keeps track of the number of outbound connections
  - The more outbound activity allowed, the more can be learned
  - Might be risky!
- Data capture
  - The IDS gathers all the information
  - All systems export their logs to a remote syslog server
GEN I: analysis
- The first « honeypot » solution
- Data Control is quite hard to perform
  - Need to filter on outbound activity (counter?)
  - Hackers can detect the trick
  - Difficult to fine tune
- Data Capture is limited
  - Only IDS and syslog
- Introducing GEN II architectures
Honeynet - GenII (figure)
Gen II analysis (1/2)
- Gateway works at layer 2 (bridge mode)
  - Very stealthy
- Administration is performed using a C interface
- Data Control & Data Capture are done by the gateway (honeynet sensor)
Gen II analysis (2/2)
- Advanced data control functionalities
  - IDS/IPS functionalities
  - Relies on SNORT-INLINE
  - http://snort-inline.sourceforge.net
- Advanced data capture functionalities
  - Honeywall gathers firewall and snort logs
  - Sebek runs on all honeypots
  - Honeywall collects sebek logs
Snort-Inline Drop Rule (figure)
- User space: Snort-Inline with Snort rules = Drop, started with: snort -Q -c /snort.conf
- Kernel space: Iptables-1.2.7a with the ip_queue module; queued packets that match a drop rule are DROPped:
    modprobe ip_queue
    iptables -A OUTPUT -p icmp -j QUEUE
- Management
Snort-Inline Drop Rule
- Example: DNS attack

    drop tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)
Snort-Inline Replace Mode (figure)
- User space: Snort-Inline with Snort rules = Replace; /bin/sh in the outgoing packet is rewritten to /ben/sh before it reaches the Internet
- Kernel space: Iptables-1.2.7a with the ip_queue module:
    modprobe ip_queue
    iptables -A OUTPUT -p icmp -j QUEUE
- Management
Snort-Inline Replace Rule
- Example: DNS attack
- Can be very “stealthy”

    alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags:A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
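As an added example (not from the slides or from snort-inline itself), this Python snippet shows what the drop and replace rules above do at the byte level: it decodes Snort's |hex| content syntax, checks that the replacement is exactly as long as the matched content (snort-inline rewrites the packet in place, so lengths must match), and applies the rule to a constructed payload. SAMPLE_PAYLOAD and demo() are assumptions of this example.

```python
# Rule strings from the slide: the content to match and the same-length bytes
# that snort-inline writes back over it.
RULE_CONTENT = "|CD80 E8D7 FFFFFF|/bin/sh"
RULE_REPLACE = "|0000 E8D7 FFFFFF|/ben/sh"


def parse_content(spec):
    """Decode Snort content syntax: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, seg in enumerate(spec.split("|")):
        if i % 2:                                   # odd segments sit between pipes
            out += bytes.fromhex(seg.replace(" ", ""))
        else:
            out += seg.encode("latin-1")
    return bytes(out)


def apply_replace(payload, content, replace):
    """Rewrite the first match of `content` in `payload` with `replace`.

    Returns (new_payload, matched). snort-inline only rewrites bytes in place,
    so a replace string of a different length is a configuration error: the
    packet length and TCP sequence numbers must stay untouched."""
    pat, rep = parse_content(content), parse_content(replace)
    if len(pat) != len(rep):
        raise ValueError(f"replace is {len(rep)} bytes, content is {len(pat)}")
    if pat not in payload:
        return payload, False
    return payload.replace(pat, rep, 1), True


# Constructed payload: filler, the slide's signature bytes, a trailing NUL.
SAMPLE_PAYLOAD = b"A" * 8 + parse_content(RULE_CONTENT) + b"\x00"


def demo():
    """Apply the slide's rule to the constructed payload and report the outcome."""
    new, matched = apply_replace(SAMPLE_PAYLOAD, RULE_CONTENT, RULE_REPLACE)
    return {
        "matched": matched,
        "same_length": len(new) == len(SAMPLE_PAYLOAD),
        "shell_string_gone": b"/bin/sh" not in new,
        "int80_zeroed": new[8:10] == b"\x00\x00",   # CD 80 became 00 00
    }
```

The drop rule on the previous slide uses the same content match; the only difference is that the matching packet is discarded instead of being rewritten and forwarded.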
Data Capture: Sebek
- Tool developed by the Honeynet Project
- Very useful for “data capture”
  - Hidden kernel module that captures all activity
  - Dumps activity to the network
  - Attackers cannot sniff this traffic, which is identified by a magic number and destination port
- http://www.honeynet.org/tools/sebek/
Sebek Diagram (figure)
Sebek: Data capture
- The Sebek kernel module collects data passing through the read() system call
  - For example, this captures the intruder’s ssh keystrokes and recovers scp file transfers.
- The Sebek client relies on stealth techniques to hide, which also makes its detection harder. The first Sebek version relied on “the adore rootkit” to hide the Sebek files and processes from the attacker
  - Sebek: http://www.honeynet.org/papers/honeynet/tools/
  - Adore: http://www.team-teso.net/releases.php
Sebek client: Sys_Read hooking (figure)
Sebek client (figure)
GUI Sebek (figure)
Sebek network (figure)
Sebek… what’s next
- Lots of work on Sebek and “anti-Sebek” techniques
  - See Fake Phrack mag #62 for example
  - Kernel module detection
  - Sebek
- New research on the topic
  - EuSec 06: Xebek… (more on this later)
Other HP usages
- WiFi honeypots
- Virtual honeypots
- Honeypots and worms
- Distributed honeypots
- Honeyclients
- Honeypot farms
- Honeynet project
- Legal issues
Wireless Honeypots
- Wireless technologies are more and more available
  - In corporate networks
  - In home networks
  - In hot spots
  - …
- New technologies such as VoIP/WLAN, UMA (Unlicensed Mobile Access)… are new ways to circumvent your security policy
- It seems that a wireless honeypot could help us evaluate these new risks
Wireless Honeypots
- Today, most corporate wireless access is still based on IPsec tunneling
  - Implies that Wi-Fi networks are using « Open » mode
- Two options for a « Wireless Honeypot »
  - A classic option is a wired honeypot near your IPsec gateway!
  - Another option is a fully featured emulated virtual network reachable from an open wireless access point
Wireless Honeypot?
- Goals
  - Statistics on « Wardriving »
  - Knowledge and understanding of hackers’ motivations – « intelligence » aspects
  - Knowledge of new technologies and tools – Wi-Fi hacker toolbox
- Pros
  - Looks like a typical Wi-Fi network
  - Layer 2 technology: detection of all client equipment looking for Wi-Fi networks (even without connection)
Wireless Honeypot
- Based on a real AP, and on a honeyd server emulating a full network
- All traffic is monitored and captured
- Can fool hackers and wardrivers
(figure: Hacker 1 and Hacker 2 associate with the « Honeypot » access point; behind it, a « Honeyd » server provides the simulated network)
Wireless Honeypot
- After some experiments…
  - Most of the connections are just looking for Internet access (http://www.google.fr)
  - More interesting, many clients make some “automatic” connections (ex: under Windows XP, auto_connect)
  - This can be very dangerous (information leak, hole in the system…)
Wireless Honeypot
- Thanks to Tino H.
- His help made the demo possible…
  - One of our laptops died in the plane
Virtual Honeypots (1/3)
- New “architecture” to build honeynets
- Ideas
  - Run everything on a single computer
  - Relies on virtualization technologies
    - VMware
    - Xen
    - UML (User Mode Linux)
    - …
Virtual Honeypots (2/3)
- Pros
  - Reduced cost
  - Easy to maintain / repair
  - Portable (honeynet laptop?)
- Cons
  - Single point of failure
  - Not everything is possible (Cisco on Intel?)
  - Security (strong compartmentalization?)
  - Detection? Very difficult to hide…
Virtual Honeypots (3/3)
- More information at
  - http://www.honeynet.org/papers/virtual/index.html
- New tools available for virtual honeypots ☺
  - See “Xebek” at “EuSecWest/Core06”
  - See “VMware fingerprinting counter measures”
    - http://honeynet.rstack.org/tools.php
- New tools against “virtual honeypots” ☹
  - VMware fingerprinting tools (cf. Kostya’s patches)
  - And many more (dtdumper…)
Automated Malware Collection
- Automated malware collection is a new hyped technique
- The most well-known tools are
  - Mwcollect
  - Nepenthes
  - Mwcollect and Nepenthes fusion (February 2006)
- Lots of other techniques are possible
  - PCAP capture of compromised hosts for example
Nepenthes Operation
- Nepenthes is a medium interaction honeypot
  - It emulates known vulnerabilities
  - It catches known shellcodes
  - It interprets the shellcode actions
  - It emulates the actions
    - Binds a shell, parses URLs…
- Should not be compromised if it has no security vulnerabilities (coded in C++) ;-)
- But it can be easily detected; that’s not its purpose!
Nepenthes Loading
- Loading of the configuration
  - Examine the modules to be loaded (vuln, shellcodes, download, submit, log)
  - Register the download handlers for each supported download protocol (csend, creceive, ftp, HTTP, link, blink, tftp, CCP, optix)
  - Register the DNS manager
  - Register FileSubmit
  - Sockets are bound on all the ports where the known vulnerabilities (in the form of DialogueFactory) are emulated
  - Loading of the patterns present in 61 known shellcodes
  - Ignore 17 ranges of IP addresses
Watched ports (one per emulated vulnerability module):
- Watch ports ("25" // SMTP, "110" // POP3, "143" // IMAP, "220" // IMAP, "465" // POP3 & SSL, "993" // IMAP & SSL, "995" // POP3 & SSL)
- Bagle port 2745
- Dameware port 6129
- Dcom-vuln ports 135, 445, 1025
- Vuln-ftp port 21
- vulnIIS port 443
- Kuang2 port 17300
- LSASS port 445
- MSMQ ports 2103, 2105, 2107
- MSDTCD ports 1025, 3372
- Mssql port 1434
- Mydoom port 3127
- Netbiosname port 139
- NetDDE port 139
- Optixshell port 3140
- PNP port 445
- SasserFTPD ports 5554, 1023
- SUb7 port 27347
- UPNP port 5000
- VERITAS port 10000
- Wins vuln port 42
- ASN1 ports: smb:445, iis:80

Ignored address ranges (the 17 ranges, in address/netmask form):
- 0.0.0.0/255.0.0.0
- 10.0.0.0/255.0.0.0
- 14.0.0.0/255.0.0.0
- 39.0.0.0/255.0.0.0
- 127.0.0.0/255.0.0.0
- 128.0.0.0/255.255.0.0
- 169.254.0.0/255.255.0.0
- 172.16.0.0/255.240.0.0
- 191.255.0.0/255.255.0.0
- 192.0.0.0/255.255.255.0
- 192.0.2.0/255.255.255.0
- 192.88.99.0/255.255.255.0
- 192.168.0.0/255.255.0.0
- 198.18.0.0/255.254.0.0
- 223.255.255.0/255.255.255.0
- 224.0.0.0/240.0.0.0
- 240.0.0.0/240.0.0.0
Handling Attacks (1/4)
- Connection attempt -> creation of a « Dialogue »
  - Emulation of a vulnerability
- Data is transmitted packet by packet to the Dialogues
Handling Attacks (2/4) (flowchart; recovered text only: the socket receives a packet and hands it to the Vuln-Dialogue, which checks it against its pattern; once the last stage matches, the data is compared with all shellcode patterns; on a match the download starts and the other dialogues on the same port are switched off, otherwise the data goes to the hexdumps; if no other dialogue matches and no more packets arrive, the socket closes)
Handling Attacks (3/4)
- Some vulns have no pattern used for a first recognition
  - Direct recognition against shellcode or direct action (Kuang2)
- When a vuln Dialogue receives a SCH_DONE message from a shellcode identifier
  - It gives the corresponding socket the state CL_ASSIGN_AND_DONE
    - So that the other sockets bound on the same port are dropped
Handling Attacks (4/4) (flowchart; recovered text only: the data is matched (xor'd if needed) against all known shellcodes; on a match a WinNT shell Dialogue is created and the extracted data (url, host, port) is given to the DownloadManager, which downloads the binary if the URL is still OK)
Collection
- Files can be submitted to
  - Nepenthes manager, to collect them
  - Gotek server, which performs better but requires a DB backend (mysql)
  - Norman sandbox, for analysis
- Logs can be submitted to
  - Managers (Prelude) thanks to IDMEF
  - Surfnet for web interfacing
  - IRC
Nepenthes Conclusions
- Nepenthes is modular, organized around a core
- Nepenthes is able to catch new shellcodes on known vulnerabilities
  - Stored in hexdumps
- Nepenthes is able to catch binaries whose shellcode is known
  - Stored in binaries
- Statistics are possible by analysing submitted logs
Honeypots and worms
- Idea: as seen before, use a honeypot to detect worms (i.e. systems that connect to the honeypot automatically)
- Fighting back: launch a counter attack, in order to clean the offending system
- More information
  - http://www.citi.umich.edu/u/provos/honeyd/msblast.html
  - http://www.rstack.org/oudot/
In detail: MSBlast infection (figure)
Using a honeypot to fight a worm
1. The worm connects to the honeypot, on port 135, and launches its exploit
2. The worm connects to a remote shell (honeypot, port TCP/4444). Then, the honeypot is able to download the worm code (using TFTP)
3. The honeypot knows the IP address of the infected host. It is able to launch an attack (or simply connect back to port 4444) and clean or shut down the offending host
Honeytokens
- A honeypot which is not a computer
- Used for
  - Espionage
  - Credit card, SSN monitoring
  - Banks
  - Spam…
- Two main usages
  - Detect information leaking
  - Tracking
Distributed Honeypot (figure)
Example: Leurre.com
- Project by the Eurecom institute
  - The Eurecom Honeypot Project
    - http://www.eurecom.fr/~pouget/projects.htm
    - http://www.leurrecom.org
- Distributed HP (more than 25 countries, 5 continents)
- Project launched 4 years ago
- Based on “distributed” honeyd
Information from *leurre.com*
- Thanks to Marc Dacier from the Eurecom institute
- More information: dacier@eurecom.fr …
- See Fabien Pouget & Marc Dacier – Friday 3pm
- Extract from a presentation at « Applied Computing 2006 » in Spain
35 platforms, 25 countries, 5 continents (map figure)
In Europe … (map figure)
Experimental Set Up (figure: the Internet reaches, through a reverse firewall and a virtual switch, three machines: Mach0, a Windows 98 workstation; Mach1, Windows NT (ftp + web server); Mach2, Redhat 7.3 (ftp server); an Observer running tcpdump captures all traffic)
Big Picture
- Distinct IP addresses observed: 989,712
- # of received packets: 41,937,600
- # of emitted packets: 39,911,933
- TCP: 90.93%
- UDP: 0.77%
- ICMP: 5.16%
- Others (malformed packets, etc.): 3.14%
Observation 3
- All countries host attackers but some countries host more than others.
Attacks by country of origin (Jan 1 2005 until Jan 1 2006) (chart)
Observation 4
- There is a surprisingly steady decrease in the number of attacks
Attacks by environment (Jan 1 2005 until Jan 1 2006) (chart)
Observation 6
- Some compromised machines are used to scan the whole Internet
- Some compromised machines take advantage of the data collected by the first group to launch attacks only against the vulnerable targets.
➔ Maintaining black lists of scanners is useless.
The « scanners »: IP sources probing all 3 virtual machines (24 months ago)

Share of probed ports (stacked bar chart, recovered values):

    machine   open   closed
    mach0     53%    47%
    mach1     52%    48%
    mach2     23%    77%
The « attackers »: IP sources probing only 1 virtual machine (24 months ago)

Share of probed ports (stacked bar chart, recovered values):

    machine   open   closed
    mach0     97%    3%
    mach1     96%    4%
    mach2     95%    5%
Observation 7
- The proportion of attackers vs. scanners has changed twice over the last 24 months.
- Two possible explanations:
  - Collected data is shared in a more efficient way and, thus, fewer scans are required.
  - Scans are not done sequentially any more; random scans are instead preferred.
Scanners vs. attackers: evolution (chart)
Honeyclient
- Idea: honeypot client
  - Detect malicious web servers, IRC nets, P2P nets…
  - Surf the web searching for websites that use browser exploits to install malware on the honeymonkey computer