honeypot technologies
play

Honeypot technologies 2006 First Conference / tutorial Junes 2006 - PowerPoint PPT Presentation

Honeypot technologies 2006 First Conference / tutorial Junes 2006 {Franck.Veysset,Laurent.Butti}@orange-ft.com D1 -June 2006 Agenda s Origins and background s Different kinds of honeypot Q High interaction honeypots Q Low interaction honeypots


  1. Honeyd – Advanced architecture (2/2) Q # Cisco router s Honeyd.conf Honeyd.conf Q create router Q set router personality "Cisco IOS 11.3 - 12.0(11)" Q set router default tcp action reset Q ## Honeyd configuration file ## Q set router default udp action reset Q ### Default computers Q add router tcp port 23 "/usr/bin/perl scripts/router- Q create default telnet.pl" Q set default personality "Windows 98" Q set router uid 32767 gid 32767 Q set default default tcp action reset Q set router uptime 1327650 Q set default default udp action reset Q bind 10.0.0.1 router Q add default tcp port 139 open Q bind 10.0.1.1 router Q add default tcp port 137 open Q bind 10.0.2.1 router Q add default udp port 137 open Q bind 10.0.3.1 router Q add default udp port 135 open Q ### Routing configuration Q set default uptime 398976 Q route entry 10.0.0.1 Q ### Windows computers Q route 10.0.0.1 link 10.0.0.0/24 Q create windows Q route 10.0.0.1 add net 10.0.1.0/24 10.0.1.1 latency 55ms Q set windows personality "Windows NT 4.0 Server SP5-SP6" loss 0.1 Q set windows default tcp action reset Q route 10.0.0.1 add net 10.0.2.0/24 10.0.2.1 latency 15ms Q set windows default udp action reset loss 0.01 Q add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl" Q route 10.0.0.1 add net 10.0.3.0/24 10.0.3.1 latency 105ms loss 0.2 Q add windows tcp port 139 open Q route 10.0.1.1 link 10.0.1.0/24 Q add windows tcp port 137 open Q route 10.0.2.1 link 10.0.2.0/24 Q add windows udp port 137 open Q route 10.0.3.1 link 10.0.3.0/24 Q add windows udp port 135 open Q set windows uptime 3284460 Q bind 10.0.0.8 windows Q bind 10.0.1.9 windows Q bind 10.0.2.10 windows Q ### Linux 2.4.x computer Q create dns_server Q set dns_server personality "Linux 2.4.7 (X86)" Q set dns_server default tcp action reset Q set dns_server default udp action reset Q add dns_server udp port 53 "perl scripts/HoneyDNS.pl - udp" Q add dns_server tcp port 21 "sh scripts/ftp.sh" Q set dns_server uptime 3284460 Q bind 10.0.0.4 dns_server Q bind 10.0.0.5 dns_server Q ### Linux 2.4.x computer Q create smtp_server Q set smtp_server personality "Linux 2.4.7 (X86)" Q set smtp_server default tcp action reset Q set smtp_server default udp action reset Q add smtp_server tcp port 110 "sh scripts/pop3.sh" Q add smtp_server tcp port 25 "sh scripts/smtp.sh" Q add smtp_server tcp port 21 "sh scripts/ftp.sh" Q add smtp_server tcp port 23 "perl scripts/router-telnet.pl" Q set smtp_server uptime 3284460 Q bind 10.0.0.6 smtp_server France Télécom R&D – Veysset & Butti – June 2006 Q bind 10.0.0.7 smtp_server D30

  2. Honeyd France Télécom R&D – Veysset & Butti – June 2006 D31

  3. Honeyd – advanced features s Subsystem virtualization Q Run real UNIX applications under virtual Honeyd IP addresses: web servers, ftp servers, etc... s Internal Web server for easy satistics… s Management console that allows dynamic change on Honeyd configuration while Honeyd is running s Dynamic templates Q Allows the configuration of a host to adapt depending on the operating system of the remote host, the time of day, the source IP address, etc. s Tarpit s Passive fingerprintings (p0f) France Télécom R&D – Veysset & Butti – June 2006 D32

  4. Feedback: Sasser detection (1/2) s Sasser was seen for the first time on Saturday, May 1st 2004 from 7:50 pm (FTR&D Intranet) s Number of hits per day Hits 5000 4500 4000 3500 3000 2500 Hits 2000 1500 1000 500 0 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 t a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 D 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 / / / / / / / / / / / / / / / / / 4 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 / / / / / / / / / / / / / / / / / 4 0 1 2 3 4 5 6 0 1 2 3 5 6 7 8 9 3 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 France Télécom R&D – Veysset & Butti – June 2006 D33

  5. Sasser detection (2/2) s Maximum of activity on Sunday, May 2nd s Thousands of hits on May 2nd, 3rd and 4th Q This does not mean thousands of machines were infected Q In fact, 387 unique IP addresses were found (FTR&D site) s The worm was quickly brought down: 2 working days Q Monday and Tuesday following the infection France Télécom R&D – Veysset & Butti – June 2006 D34

  6. Honeyd: limitation s As a « low interaction » honeypot, there are some limitations Q Difficult to emulate complex (binaries) protocols Q It is possible to « fingerprint » honeyd, thus identify the honeypot s Stability issues Q Under heavy load… s Security issues Q ? France Télécom R&D – Veysset & Butti – June 2006 D35

  7. High interaction HP s Lots of work in this area s Different generations Q Gen1 1999-2002 Q Gen2 2002-2004 Q Gen3 2005-… Q … s Towards honeynet (networks of honeypots) France Télécom R&D – Veysset & Butti – June 2006 D36

  8. Key points s Strong needs to take care of incoming and outgoing traffic s Data Control Q Filter outgoing packets to stop further attacks s Data capture Q Log every packet that enters and leaves honeypot France Télécom R&D – Veysset & Butti – June 2006 D37

  9. No “Data Control” No Restrictions Honeypot Internet No Restrictions Honeypot France Télécom R&D – Veysset & Butti – June 2006 D38

  10. Data Control enabled France Télécom R&D – Veysset & Butti – June 2006 D39

  11. GEN I honeynet France Télécom R&D – Veysset & Butti – June 2006 D40

  12. GEN I honeynet s Controls outbound packets by passing through firewall and router s Router somehow « hide » the firewall s Data control is performed by the firewall Q Firewall keeps track of number of outbound connections Q The more outbound activity allowed, the more can be learned Q Might be risky! s Data capture Q The IDS gather all the information Q All systems export their logs to remote syslog server France Télécom R&D – Veysset & Butti – June 2006 D41

  13. GEN I: analysis s The first « honeypot » solution s Data Control is quite hard to perform Q Need to filter on outbound activity (counter?) Q Hackers can detect the trick Q Difficult to fine tune s Data Capture is limited Q Only IDS and Syslog s Introducing GEN II architectures France Télécom R&D – Veysset & Butti – June 2006 D42

  14. Honeynet - GenII France Télécom R&D – Veysset & Butti – June 2006 D43

  15. Gen II analysis (1/2) s Gateway works at layer 2 (bridge mode) Q Very stealthy s Administration is performed using C interface s Data Control & Data capture are done by the gateway (honeynet sensor) France Télécom R&D – Veysset & Butti – June 2006 D44

  16. Gen II analysis (2/2) s Advanced data control functionalities Q IDS/IPS functionalities Q Relies on SNORT-INLINE Q http://snort-inline.sourceforge.net s Advanced data capture functionalities Q Honeywall gathers firewall and snort logs Q Sebek runs on all honeypot Q Honeywall collects sebek logs France Télécom R&D – Veysset & Butti – June 2006 D45

  17. Snort-Inline Drop Rule User Space Snort-Inline Snort Rules = Drop snort –Q –c /snort.conf Iptables-1.2.7a DROP modprobe ip_queue Ip_queue iptables -A OUTPUT -p icmp -j QUEUE Kernel Space Management France Télécom R&D – Veysset & Butti – June 2006 D46

  18. Snort-Inline Drop Rule Exemple: DNS attack drop tcp $HOME_NET any $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; France Télécom R&D – Veysset & Butti – June 2006 D47

  19. Snort-Inline Replace Mode Internet User Space Snort Rules = Replace Snort-Inline /ben/sh /bin/sh Iptables-1.2.7a modprobe ip_queue Ip_queue iptables -A OUTPUT -p icmp -j QUEUE Kernel Space Management France Télécom R&D – Veysset & Butti – June 2006 D48

  20. Snort-Inline Replace Rule Exemple: DNS attack Can be very “stealth” alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";) France Télécom R&D – Veysset & Butti – June 2006 D49

  21. France Télécom R&D – Veysset & Butti – June 2006 D50

  22. Data Capture: Sebek s Tool developed by the honeynet project s Very useful for “data capture” Q Hidden kernel module that captures all activity Q Dumps activity to the network Q Attackers cannot sniff any traffic based on magic number and destination port s http://www.honeynet.org/tools/sebek/ France Télécom R&D – Veysset & Butti – June 2006 D51

  23. Sebek Diagram France Télécom R&D – Veysset & Butti – June 2006 D52

  24. Sebek: Data capture s The Sebek kernel module collects data passing through the read() system call Q For example, this captures the intruder’s ssh keystrokes and recovers scp file transfers. s Sebek client relies on stealth techniques to hide. This also harden its detection. First Sebek version was relying on “the adore rootkit” to hide the sebek files and processes from the attacker Q Sebek : http://www.honeynet.org/papers/honeynet/tools/ Q Adore: http://www.team-teso.net/releases.php France Télécom R&D – Veysset & Butti – June 2006 D53

  25. Sebek client: Sys_Read hooking France Télécom R&D – Veysset & Butti – June 2006 D54

  26. Sebek client France Télécom R&D – Veysset & Butti – June 2006 D55

  27. GUI Sebek France Télécom R&D – Veysset & Butti – June 2006 D56

  28. Sebek network France Télécom R&D – Veysset & Butti – June 2006 D57

  29. Sebek… what’s next s Lots of work on Sebek and “anti sebek” techniques Q See Fake Phrack mag #62 for example Q Kernel module detection Q Sebek s New research on the topic Q EuSec 06: Xebek… (more on this later) France Télécom R&D – Veysset & Butti – June 2006 D58

  30. Other HP usages s WiFi Honeypots s Virtual honeypots s Honeypots and Worms s Distributed Honeypots s Honeyclients s Honeypot farms s Honeynet project s Legal issues France Télécom R&D – Veysset & Butti – June 2006 D59

  31. Wireless Honeypots s Wireless technologies are more and more available Q In corporate networks Q In home networks Q In hot spots Q … s New technologies such as VoIP/WLAN, UMA (Unlicensed Mobile Access)… are new ways to circumvent your security policy s Seems that wireless honeypot could help us in evaluating these new risks France Télécom R&D – Veysset & Butti – June 2006 D60

  32. Wireless Honeypots s Today, most corporate wireless access are still based on IPsec tunneling Q Implies that Wi-Fi networks are using « Open » mode s Two options for a « Wireless Honeypot » Q A classic option is a wired honeypot near your IPsec gateway! Q Another option is a fully featured virtual network emulated reachable from an open wireless access point France Télécom R&D – Veysset & Butti – June 2006 D61

  33. Wireless Honeypot? s Goals Q Statistics on « Wardriving » Q Knowledge and understanding of hackers’ motivations – « intelligence » aspects Q Knowledge of new technologies and tools – Wi-Fi hacker Toolbox s Pros Q Looks like a typical Wi-Fi network Q Level 2 technology: detection of all customers equipments looking for Wi-Fi networks (even without connection) France Télécom R&D – Veysset & Butti – June 2006 D62

  34. Wireless Honeypot s Based on a real AP, and on a honeyd server emulating a full network s All traffic is monitored and captured s Can fool hacker and wardriver Simulated Network Access Point «Honeypot » « Honeyd » Serveur Hacker 1 Hacker 2 France Télécom R&D – Veysset & Butti – June 2006 D63

  35. Wireless Honeypot s After some experiments… Q Most of the connection are just looking for internet access (http://www.google.fr) Q More interesting, many clients do some “automatic” connections (ex: under Windows XP, auto_connect) Q This can be very dangerous (information leak, hole on the system…) France Télécom R&D – Veysset & Butti – June 2006 D64

  36. Wireless Honeypot s Thanks to Tino H. s His help made the demo possible… Q One of our laptop died in the plane France Télécom R&D – Veysset & Butti – June 2006 D65

  37. Virtual Honeypots (1/3) s New “architecture” to build honeynet s Ideas Q Run everything on a single computer Q Relies on virtualization technologies – VMware – Xen – UML (User Mode Linux) – … France Télécom R&D – Veysset & Butti – June 2006 D66

  38. Virtual Honeypots (2/3) s Pros Q Reduced cost Q Easy to maintain / repair Q Portable (honeynet laptop?) s Cons Q Single point of failure Q Not everything is possible (Cisco on Intel?) Q Security (strong compartmentalization?) Q Detection? Very difficult to hide… France Télécom R&D – Veysset & Butti – June 2006 D67

  39. Virtual Honeypots (3/3) s More information at Q http://www.honeynet.org/papers/virtual/index.html s New tools available for virtual honeypots ☺ Q See “Xebek” at “EuSecWest/Core06” Q See “VMware fingerprinting counter measures” – http://honeynet.rstack.org/tools.php s New tools against “virtual honeypot” � Q VMware fingerprinting tools (cf Kostya’s patches) Q And many more (dtdumper…) France Télécom R&D – Veysset & Butti – June 2006 D68

  40. Automated Malware Collection s Automated malware collection is a new hyped technique s Most well-known tools are Q Mwcollect Q Nepenthes Q Mwcollect and Nepenthes fusion (February, 2006) s Lots of other techniques are possible Q PCAP capture of compromised hosts for example France Télécom R&D – Veysset & Butti – June 2006 D69

  41. Nepenthes Operation s Nepenthes is a medium interaction honeypot Q It emulates known vulnerabilities Q It catches known shellcodes Q It interprets the shellcode actions Q It emulates the actions – Bind a shell, parses URLs… s Should not be compromised if no security vulnerabilities (coded in C++) ;-) s But can be easily detected, that’s not its purpose! France Télécom R&D – Veysset & Butti – June 2006 D70

  42. Nepenthes Loading s Loading of the configuration Q Examine the modules to be charged (vuln, shellcodes, download, submit, log) Q Record the handlers of download for each supported protocol of download (csend, creseive, ftp, HTTP, link, blink, tftp, CCP, optix) Q record the manager of DNS Q Record FileSubmit Q Sockets are binded on all the ports where the known vulnerabilities (in the form of DialogueFactory) are emulated Q Sockets are binded on all the ports where the known vulnerabilities (in the form of DialogueFactory) are emulated Q Loading of patterns present in 61 known shellcodes Q Be unaware of 17 ranges of IP addresses France Télécom R&D – Veysset & Butti – June 2006 D71

  43. – Watch ports ( "25", // SMTP, "110", // POP3, "143", // IMAP, "220", // IMAP, "465" // POP3 & SSL, "993", // IMAP & SSL, "995" // POP3 & SSL ) – Bagle port 2745 Q Ignoring 0.0.0.0/255.0.0.0 – Dameware port 6129 Q 10.0.0.0/255.0.0.0 – Dcom-vuln ports 135,445,1025 Q 14.0.0.0/255.0.0.0 – Vuln-ftp port 21 – vulnIIS port 443 Q 39.0.0.0/255.0.0.0 – Kuang2 port 17300 Q 127.0.0.0/255.0.0.0 – LSASS port 445 Q 128.0.0.0/255.255.0.0 – MSMQ ports: 2103,2105,2107 Q 169.254.0.0/255.255.0.0 – MSDTCD ports 1025,3372 – Mssql port 1434 Q 172.16.0.0/255.240.0.0 – Mydoom port 3127 Q 191.255.0.0/255.255.0.0 – Netbiosname port 139 Q 192.0.0.0/255.255.255.0 – NetDDE port 139 Q 192.0.2.0/255.255.255.0 – Optixshell port 3140 – PNP port 445 Q 192.88.99.0/255.255.255.0 – SasserFTPD ports 5554,1023 Q 192.168.0.0/255.255.0.0 – SUb7 port 27347 Q 198.18.0.0/255.254.0.0 – UPNP port 5000 Q 223.255.255.0/255.255.255.0 – VERITAS port 10000 – Wins vuln port 42 Q 224.0.0.0/240.0.0.0 – ASN1 ports: smb:445 iis:80 Q 240.0.0.0/240.0.0.0 France Télécom R&D – Veysset & Butti – June 2006 D72

  44. Handling Attacks (1/4) s Attempt at connection - > Creation of a « Dialogue » Q Emulation of a vulnerability s Data transmitted per packets to the Dialogues France Télécom R&D – Veysset & Butti – June 2006 D73

  45. Handling Attacks (2/4) match Comparison with all Download shellcodes patterns Switch off other dialogues on same port yes no Last Stage yes Hexdumps Vuln-Dialogue (== pattern?) e u g o l a i d r e h t gives o o If n & & socket o N closes No more packets Socket receives Close packet France Télécom R&D – Veysset & Butti – June 2006 D74

  46. Handling Attacks (3/4) s Some vulns have no pattern used for a first recognition Q Direct recognition against shellcode or direct action (Kuang2) s When a vuln Dialogue receives a SCH_DONE Message from a shellcode identifier Q It gives to the corresponding socket the state CL_ASSIGN_AND_DONE – In order the other sockets binded on the same port be dropped France Télécom R&D – Veysset & Butti – June 2006 D75

  47. Handling Attacks (4/4) Downloads binary If URL still OK DownloadManager Giving data (url, host, port) Creation of a WinNT shell Dialogue Match (xor'd if needed) Comparison with all known shellcodes France Télécom R&D – Veysset & Butti – June 2006 D76

  48. Collection s Files can be submitted to Q Nepenthes manager to collect Q Gotek server performs better but requires DB backend (mysql) Q Norman sandbox for analysis s Logs can be submitted to Q Managers (Prelude) thanks to IDMEF Q Surfnet for web interfacing Q IRC France Télécom R&D – Veysset & Butti – June 2006 D77

  49. Nepenthes Conclusions s Nepenthes is modular, organized around a core s Nepenthes is able to catch new shellcodes on known vulnerabilities Q Stored in hexdumps s Nepenthes is able to catch binaries whose shellcode is known Q Stored in binaries s Statistics are possible by analysing submitted logs France Télécom R&D – Veysset & Butti – June 2006 D78

  50. Honeypot and worms s Idea: as seen before, use a honeypot to detect worm (ie. System that connect to honeypot automatically) s Fighting back: launch some counter attack, in order to clean the offending system s More information Q http://www.citi.umich.edu/u/provos/honeyd/msblast.html Q http://www.rstack.org/oudot/ France Télécom R&D – Veysset & Butti – June 2006 D79

  51. In detail: Mblast infection France Télécom R&D – Veysset & Butti – June 2006 D80

  52. Using honeypot to fight worm 1. The worm connects to the honeypot, on port 135, and launch its exploit 2. The worm connects on a remote shell (honeypot, port TCP/4444). Then, the honeypot is able to download the worm code (using TFTP) 3. The honeypot know the IP address of the infected host. It is able to launch an attack (or simply connect back to port 4444) and clean or shutdown offending host France Télécom R&D – Veysset & Butti – June 2006 D81

  53. Honeytokens s honeypot which is not a computer s Used for Q Espionage Q Credit card, ssn monitoring Q bank Q Spam… s Two main usages Q Detect information leaking Q Tracking France Télécom R&D – Veysset & Butti – June 2006 D82

  54. Distributed Honeypot France Télécom R&D – Veysset & Butti – June 2006 D83

  55. Example : Leurre.com s Project by Eurecom institute Q The Eurecom Honeypot Project – http://www.eurecom.fr/~pouget/projects.htm – http://www.leurrecom.org s Distributed HP (more than 25 countries, 5 continents) s Project launched 4 years ago s Based on “distributed” honeyd France Télécom R&D – Veysset & Butti – June 2006 D84

  56. Information from *leurre.com* s Thanks to Marc Dacier from Eurecom institute s More information: dacier@eurecom.fr … s See Fabien Pouget & Marc Dacier – Friday 3pm s Extract from a presentation « Applied Computing 2006 » in spain France Télécom R&D – Veysset & Butti – June 2006 D85

  57. 35 platforms, 25 countries, 5 continents France Télécom R&D – Veysset & Butti – June 2006 D86

  58. In Europe … France Télécom R&D – Veysset & Butti – June 2006 D87

  59. Experimental Set Up R Mach0 e Windows 98 Workstation v e V i r Mach1 r t s Windows NT (ftp u Internet e + web server) a l S F W Mach2 i I T Redhat 7.3 (ftp r C server) H e w a l Observer (tcpdump) l France Télécom R&D – Veysset & Butti – June 2006 D88

  60. Big Picture s Distinct IP Addresses observed: 989,712 s # of received packets: 41,937,600 s # of emitted packets: 39,911,933 s TCP: 90.93% s UDP: 0.77% s ICMP: 5,16 % s Others: (malformed packets, etc) 3.14% France Télécom R&D – Veysset & Butti – June 2006 D89

  61. Observation 3 s All countries host attackers but some countries host more than others. France Télécom R&D – Veysset & Butti – June 2006 D90

  62. Attacks by country of origin (Jan 1 2005 until Jan 1 2006) France Télécom R&D – Veysset & Butti – June 2006 D91

  63. Observation 4 s There is a surprising steady decrease of the number of attacks France Télécom R&D – Veysset & Butti – June 2006 D92

  64. Attacks by environment (Jan 1 2005 until Jan 1 2006) France Télécom R&D – Veysset & Butti – June 2006 D93

  65. Observation 6 s Some compromised machines are used to scan the whole Internet s Some compromised machines take advantage of the data collected by the first group to launch attacks only against the vulnerable targets. ➔ maintaining black lists of scanners is useless. France Télécom R&D – Veysset & Butti – June 2006 D94

  66. The « scanners »: IP sources probing all 3 virtual machines (24 months ago) 100% closed 80% closed 47% 48% closed 60% 77% 40% open open 53% 20% 52% open 23% 0% m ach0 m ach1 m ach2 France Télécom R&D – Veysset & Butti – June 2006 D95

  67. The « attackers »: IP sources probing only 1 virtual machine (24 months ago) closed closed closed 100% 3% 4% 5% 80% 60% open open open 97% 96% 95% 40% 20% 0% mach0 mach1 mach2 France Télécom R&D – Veysset & Butti – June 2006 D96

  68. Observation 7 s The proportion or attackers vs. scanners has changed twice over the last 24 months. s Two possible explanations: Q Collected data is shared in a more efficient way and, thus, less scans are required. Q Scans are not done sequentially any more but random scans are instead preferred. France Télécom R&D – Veysset & Butti – June 2006 D97

  69. Scanners vs. attackers: evolution France Télécom R&D – Veysset & Butti – June 2006 D98

  70. Honeyclient s Idea: Honeypot client Q Detect malicious web server, IRC net, P2P net… Q Surf the web searching for websites that use browser exploits to install malware on the honeymonkey computer France Télécom R&D – Veysset & Butti – June 2006 D99

  71. France Télécom R&D – Veysset & Butti – June 2006 D100

Recommend


More recommend