October 30, 2017 | Author: Anonymous | Category: N/A
Intrusion Detection Systems
Lecture #4: Honeypots
Matthijs Koot ([email protected])
Faculteit van Natuurwetenschappen, Wiskunde en Informatica, Universiteit van Amsterdam
2008-04-10 / SNE-IDS course ’07-’08

Outline
- Definitions, purpose
- History
- How honeypots work
- HoneyD
- Honeynet, Honeywall
- MWCollect: Nepenthes, HoneyTrap and HoneyBow
- Outlook: Limitations, Recent topics, Honeynet Research Alliance
- Summary
Definitions: ‘honeypot’.
Definition: A honeypot is a [sacrificial] security resource whose value lies in being probed, attacked or compromised.
Source: “Honeypots: Tracking Hackers”, Lance Spitzner, 2002 (book)
Purpose of a honeypot.
The two main purposes of a honeypot:
- Research
  - Attract blackhats
  - Reveal blackhat tactics, techniques, tools (KYE)
  - Reveal motives/intentions (?)
  - Mostly universities, governments, ISPs
- Protection
  - Deter blackhats from real assets
  - Provide early warning
  - Mostly governments, large enterprises
Purpose may determine honeypot functionality and architecture.
Definitions: ‘honeynet’ and ‘honeywall’.
Definition: A honeynet is a network of [high-interaction] honeypots.
Definition: A honeywall is a layer-2 bridge that is placed in-line between a network and a honeynet, or between a network and a honeypot, to uni- or bidirectionally capture, control and analyze attacks.
Definition: A honeytoken is a honeypot which is not a computer.
Warning.
WARNING: In real life, “Honeynet”/“honeynet” and “Honeywall”/“honeywall” are sometimes used ambiguously to refer both to the concepts and to their prevalent implementations (think ‘DNS’ versus ‘bind’). This also explains any inconsistencies in (my) use of CaPiTaLiZaTiOn.
Psychology behind a honeypot.
In its protective form, a honeypot is designed on deception and intimidation (Fred Cohen, 2001):
- Concealment
- Camouflage
- False/planted information (honeytokens)
- Feints, lies, et cetera
  - E.g. false claims that a facility is being watched by law enforcement authorities
Functional requirements of a honeypot.
Functional requirements of a honeypot include:
- Data control (important!)
- Data capture
- Data collection (for large-scale honeynets)
- Data analysis
Taxonomy of honeypots.
Honeypots may be distinguished by their properties:
- Level of interactivity
- Data capture
- Containment (= ‘data control’)
- Distribution appearance
- Role in N-tier architecture
- Communication interface (API, NIC, ...)
Source: “Taxonomy of Honeypots”, Seifert, Welch & Komisarczuk, 2006
Taxonomy of honeypots.
(Figure: the taxonomy tree, with the values each property can take.)
- Interaction level: High, Low
- Data capture: Events, Attacks, Intrusions, None
- Containment: Block, Defuse, Slowdown, None
- Distribution appearance: Distributed, Stand-alone
- Communication interface: Software API, Network IF, Non-network hardware IF
- Role in an N-tier architecture: Client, Server
Level of interactivity: low.
(Figure: low-interaction model. Components shown: fake daemon, operating system, other local resources, hard disk; the attacker only interacts with the fake daemon.)
Reconstructed from source: “Honeypots”, R. Baumann, C. Plattner (diploma thesis), 2002

Level of interactivity: mid.
(Figure: mid-interaction model. Same components: fake daemon, operating system, other local resources, hard disk; the fake daemon is backed by the operating system to a limited extent.)
Reconstructed from source: “Honeypots”, R. Baumann, C. Plattner (diploma thesis), 2002

Level of interactivity: high.
(Figure: high-interaction model. Same components: fake daemon, operating system, other local resources, hard disk; the attacker reaches the real operating system and local resources.)
Reconstructed from source: “Honeypots”, R. Baumann, C. Plattner (diploma thesis), 2002
History of honeypots.
- 1990: real systems
  - Deploy unpatched systems in default config on an unprotected network (‘low-hanging fruit’)
  - Easy to deploy
  - High-interaction, high-risk
  - Nice reading: “Cuckoo’s Egg” by Clifford Stoll
- 1998: service/OS emulation
  - Deception Toolkit, CyberCop Sting, KFSensor, Specter
  - Easy to deploy
  - Low-interaction, low-risk
- 1999-current: virtual systems
  - HoneyD, Honeywall, Qdetect, Symantec Decoy Server (≈’03/’04)
  - Less easy to deploy
  - Mid/high-interaction, mid/high-risk
History of the Honeynet Project.
- 1999: Lance Spitzner (Sun) founds the Honeynet Project
- 1999-2001, GenI: PoC, L3+ (modified IP headers)
- 2001-2003, GenII: GenI + bridging (no TTL, harder to detect)
- 2003: Release of Eeyore Honeywall CD-ROM
- 2003-current, GenIII: GenII + blocking (Honeywall)
- 2005: Release of Roo Honeywall CD-ROM
- future: ‘GenIV’ refers to next-gen analysis capabilities
Honeynet.org is home to the ‘KYE papers’ and has many refs to academic work! They are also known for the Scan of the Month (SotM) challenges, which alas appear to have stopped in 2005.
HoneyD.
- Run multiple virtual IP-stacks in parallel (+ routing)
- Mid-interaction OS/service emulator
  - Emulates SMTP, FTP, HTTP, ...
  - Easily extendible through customizable scripts
- TCP/IP fingerprint spoofing through ‘personalities’
  - Impersonate Win32 on your favorite UNIX flavor (which should be MINIX), fooling nmap and xprobe
  - Fake WinSize, DF, ToS, ISN, ...
  - Fake packet loss, TTL, latency
- First released in 2002 by Niels Provos (the guy from outguess/stegdetect)
HoneyD.
HoneyD architecture
(Figure: packets enter through libpcap into HoneyD’s userland IP-stack, which dispatches ICMP, UDP and TCP; a TCP/UDP service is served by an external program (service script) or proxied; replies pass through the personality engine and leave through libnet.)
Reconstructed from source: http://md.hudora.de/presentations/2005-bh-honeypots-03-honeyd.pdf
HoneyD.
Applying the mid-interaction model to HoneyD: HoneyD servicing incoming requests on port TCP/21 by executing fake-ftpd.sh.
(Figure: HoneyD listening on tcp/21 executes fakeftpd.sh; below it the operating system and other local resources.)
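What such a service script looks like, as an added example (not the slides’ fake-ftpd.sh and not HoneyD project code): HoneyD runs the script once per connection with the peer’s TCP payload on stdin and sends whatever the script writes to stdout back to the peer, so the script needs no sockets. It is low-interaction in the sense of the earlier figures: USER/PASS are logged and always rejected, nothing is ever executed, lines are capped, and the session is cut after a fixed number of commands. The honeyd.conf fragment in the docstring uses honeyd’s own configuration syntax; the address 192.0.2.10, the template name and the script path are assumptions, and the transcript in `demo()` is constructed.

```python
"""HoneyD-style service script: a low-interaction fake FTP daemon.

A honeyd.conf wiring it to tcp/21 of a virtual host would read:

    create fakeftp
    set fakeftp personality "Microsoft Windows XP Professional SP1"
    set fakeftp default tcp action reset
    add fakeftp tcp port 21 "python3 fake-ftpd.py"
    bind 192.0.2.10 fakeftp
"""
import io
import os
import sys
import time

MAX_LINE = 512        # FTP commands are short; cap what is kept so a flood cannot bloat the log
MAX_COMMANDS = 50     # end the session after this many commands

class FakeFtp:
    """Banner, USER/PASS that always fails, a few harmless informational
    replies, and a log of every command seen. Nothing is ever executed."""

    def __init__(self, peer: str):
        self.peer = peer
        self.log = []     # (timestamp, peer, command, argument)

    def banner(self) -> str:
        return "220 ftp.example.invalid FTP server (Version 6.00LS) ready.\r\n"

    def handle(self, raw: bytes):
        """Return (reply, keep_going) for one command line."""
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")[:MAX_LINE]
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        self.log.append((time.time(), self.peer, cmd, arg))
        if cmd == "USER":
            return f"331 Password required for {arg}.\r\n", True
        if cmd == "PASS":
            return "530 Login incorrect.\r\n", True   # the pair is logged; never accept it
        if cmd == "SYST":
            return "215 UNIX Type: L8\r\n", True
        if cmd == "NOOP":
            return "200 NOOP command successful.\r\n", True
        if cmd == "QUIT":
            return "221 Goodbye.\r\n", False
        if cmd == "":
            return "500 Invalid command.\r\n", True
        return "530 Please login with USER and PASS.\r\n", True

def serve(infile, outfile, peer: str) -> FakeFtp:
    """Run one session: bytes in, text out. Returns the session for inspection."""
    session = FakeFtp(peer)
    outfile.write(session.banner()); outfile.flush()
    for n, raw in enumerate(infile):
        if n >= MAX_COMMANDS:
            outfile.write("421 Too many commands, closing control connection.\r\n")
            break
        reply, keep_going = session.handle(raw)
        outfile.write(reply); outfile.flush()
        if not keep_going:
            break
    return session

def credentials(session: FakeFtp):
    """Pair each PASS with the preceding USER: the capture most worth alerting on."""
    pairs, user = [], None
    for _, _, cmd, arg in session.log:
        if cmd == "USER":
            user = arg
        elif cmd == "PASS":
            pairs.append((user, arg))
    return pairs

def demo():
    """Constructed session transcript fed through the script without honeyd."""
    out = io.StringIO()
    session = serve(io.BytesIO(b"USER root\r\nPASS toor\r\nSYST\r\nQUIT\r\nLIST\r\n"),
                    out, "198.51.100.7")
    return session, out.getvalue()

if __name__ == "__main__":
    # honeyd exports the peer address to the script as HONEYD_IP_SRC; fall back when run by hand
    session = serve(sys.stdin.buffer, sys.stdout, os.environ.get("HONEYD_IP_SRC", "unknown"))
    for ts, peer, cmd, arg in session.log:
        sys.stderr.write(f"{time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime(ts))} {peer} {cmd} {arg}\n")
```

Reading stdin as bytes and decoding with `errors="replace"` matters: a peer that sends binary junk to a text-mode stdin would otherwise crash the script with a decode error, and a fake daemon that dies on malformed input is easy to tell apart from a real one.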
Honeynet, Honeywall.
The basic idea of a Honeynet/Honeywall:
(Figure, “Theory”: Internet – Honeywall – honeypots. Inbound to the honeypots: No Restrictions. Outbound from the honeypots, through the Honeywall: Connections Limited, Packets Scrubbed.)
Source: http://assert.uaf.edu/workshop06/slides/rdodge.pdf
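The “Connections Limited” half of that figure, as an added example in userland (this is not the Honeywall’s rc.firewall, which enforces the same policy with iptables; packet scrubbing is not covered here). Inbound connections to the honeypots pass unrestricted; outbound connections opened by a honeypot are counted per honeypot and protocol in a sliding window and refused once a budget is used up, so the first outbound activity of a compromised honeypot is still captured while the honeypot cannot become a launch pad. The honeypot addresses, the budgets and the flow records are constructed.

```python
from collections import defaultdict, deque

HONEYNET = {"192.0.2.10", "192.0.2.11"}        # assumed honeypot addresses behind the honeywall
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}    # assumed per-honeypot, per-window budgets
WINDOW = 3600                                  # seconds; one hour, like the Honeywall's hourly limits

class OutboundLimiter:
    def __init__(self, limits=LIMITS, window=WINDOW, honeynet=HONEYNET):
        self.limits, self.window, self.honeynet = limits, window, honeynet
        self.allowed = defaultdict(deque)   # (honeypot, proto) -> timestamps of allowed outbound connections
        self.dropped = []                   # (ts, src, dst, proto) of refused connections, for the analyst

    def decide(self, ts: float, src: str, dst: str, proto: str) -> str:
        """Decision for one new connection: 'allow' or 'limit' (refused)."""
        if src not in self.honeynet or dst in self.honeynet:
            return "allow"          # inbound, or honeypot-to-honeypot: no restrictions
        budget = self.limits.get(proto, 0)      # unknown protocol: default-deny
        window = self.allowed[(src, proto)]
        while window and window[0] <= ts - self.window:
            window.popleft()        # connections older than the window no longer count
        if len(window) >= budget:
            self.dropped.append((ts, src, dst, proto))
            return "limit"
        window.append(ts)
        return "allow"

def constructed_flows():
    """Two inbound hits, then a compromised honeypot opening 17 outbound TCP
    connections, one DNS lookup, and one more TCP connection an hour later."""
    flows = [(0, "203.0.113.5", "192.0.2.10", "tcp"), (5, "203.0.113.5", "192.0.2.10", "tcp")]
    flows += [(10 + i, "192.0.2.10", f"198.51.100.{i + 1}", "tcp") for i in range(17)]
    flows.append((40, "192.0.2.10", "198.51.100.53", "udp"))
    flows.append((4000, "192.0.2.10", "198.51.100.99", "tcp"))
    return flows

def replay(flows, limiter=None):
    """Run every flow through one limiter, in order; returns the verdicts."""
    limiter = limiter or OutboundLimiter()
    return [limiter.decide(*flow) for flow in flows]

if __name__ == "__main__":
    lim = OutboundLimiter()
    for flow, verdict in zip(constructed_flows(), replay(constructed_flows(), lim)):
        print(verdict, *flow)
    print(f"{len(lim.dropped)} outbound connections refused")
```

With the budgets above, the 16th and 17th outbound TCP connections are refused, the UDP lookup is allowed because it draws on a separate budget, and the connection an hour later is allowed again because the earlier ones have left the window. The refused connections are kept rather than silently discarded: on a honeynet, what a honeypot tried to reach is data, not noise.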
Sebek.
Sebek: spying on your intruder
- Honeynet.org: “Sebek is a tool designed for data capture; it attempts to capture most of the attacker’s activity on the honeypot, without the attacker knowing it (hopefully), then sends the recovered data to a central logging system.”
- Linux kernel module that hooks sys_read()
- Covertly sends captured data to the honeywall (UDP)
- Recovers keystrokes, uploaded files, passwords, IRC chats, even if they’re encrypted by SSH, IPSec or SSL.
Source: “Know Your Enemy: Sebek - A kernel based data capture tool”, Honeynet Project, 2003
Sebek in GenII honeynet.
(Figure 1: GenII Honeynet Data Capture.)
Source: “Towards a Third Generation Data Capture Architecture for Honeynets”, Balas & Viecco, 2005
Hflowd data fusion (Perl script).
(Figure: Hflowd: Data Fusion. Daemons on the honeynet Ethernet, via raw socket / libpcap / kernel: Argus Flow Monitor, Snort Intrusion Detection System, P0f Passive OS detector, Sebek Data Collector, Traffic Recorder. Hflowd fuses their output into the Hflow DB (relational data access); the Traffic Recorder keeps Pcap (raw data access).)
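What the fusion step in that figure does, as an added example (not the Hflow Perl script): each sensor reports on its own terms, so the join key has to be chosen per source. Flow summaries, IDS alerts and passive OS fingerprints share the 5-tuple; Sebek keystrokes carry no socket and are joined on honeypot address plus time instead. Anything that matches no flow is kept in an “unmatched” list rather than dropped, since an alert without a closed flow usually means the flow monitor simply has not reported yet. All inputs are constructed: the alert and p0f lines imitate the shape of Snort fast-alert and p0f output but are not captured data, and timestamps are plain epoch seconds.

```python
import re

FLOWS = [  # (start, end, proto, src, sport, dst, dport, bytes), constructed argus-like summaries
    (1000.0, 1003.5, "tcp", "198.51.100.23", 40210, "192.0.2.10", 445, 4120),
    (1010.0, 1090.0, "tcp", "198.51.100.23", 40311, "192.0.2.10", 4444, 8800),
    (1020.0, 1020.2, "udp", "203.0.113.9", 5353, "192.0.2.10", 53, 96),
]
ALERTS = [  # Snort fast-alert style lines, constructed
    "1001.2 [**] [1:2001:4] NETBIOS SMB-DS overflow attempt [**] [Priority: 1] {TCP} 198.51.100.23:40210 -> 192.0.2.10:445",
    "1011.0 [**] [1:2003:1] SHELLCODE bind shell session [**] [Priority: 2] {TCP} 198.51.100.23:40311 -> 192.0.2.10:4444",
    "1500.0 [**] [1:2004:1] SCAN probe [**] [Priority: 3] {TCP} 203.0.113.77:3001 -> 192.0.2.11:22",
]
P0F = [  # p0f style passive fingerprints of the TCP SYN, constructed
    "198.51.100.23:40210 - Windows XP SP1 -> 192.0.2.10:445",
    "198.51.100.23:40311 - Windows XP SP1 -> 192.0.2.10:4444",
]
SEBEK = [  # (ts, honeypot, pid, uid, command, data) keystroke records, constructed
    (1012.0, "192.0.2.10", 713, 0, "sh", "id\n"),
    (1015.0, "192.0.2.10", 713, 0, "sh", "uname -a\n"),
    (1200.0, "192.0.2.10", 720, 0, "sh", "uptime\n"),
]

ALERT_RE = re.compile(
    r"^(?P<ts>[\d.]+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
P0F_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) - (?P<os>.+?) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def fuse(flows=FLOWS, alerts=ALERTS, p0f=P0F, sebek=SEBEK):
    """Return (records keyed by 5-tuple, list of inputs that matched no flow)."""
    records, unmatched = {}, []
    for start, end, proto, src, sport, dst, dport, nbytes in flows:
        records[(proto, src, sport, dst, dport)] = {
            "start": start, "end": end, "bytes": nbytes,
            "alerts": [], "os": None, "keystrokes": []}
    for line in alerts:
        m = ALERT_RE.match(line)
        if m is None:
            unmatched.append(("alert-unparsed", line)); continue
        key = (m["proto"].lower(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if key in records:
            records[key]["alerts"].append((m["sid"], m["msg"], int(m["prio"])))
        else:
            unmatched.append(("alert-no-flow", line))   # flow not (yet) reported by the flow monitor
    for line in p0f:
        m = P0F_RE.match(line)
        if m is None:
            unmatched.append(("p0f-unparsed", line)); continue
        key = ("tcp", m["src"], int(m["sport"]), m["dst"], int(m["dport"]))  # p0f fingerprints TCP only
        if key in records:
            records[key]["os"] = m["os"]
        else:
            unmatched.append(("p0f-no-flow", line))
    for ts, host, pid, uid, cmd, data in sebek:
        # keystrokes have no socket: attach them to every flow open on that honeypot at that moment
        hits = [r for (proto, src, sport, dst, dport), r in records.items()
                if dst == host and r["start"] <= ts <= r["end"]]
        if not hits:
            unmatched.append(("sebek-no-flow", (ts, host, data.rstrip("\n"))))
        for r in hits:
            r["keystrokes"].append((ts, pid, uid, cmd, data.rstrip("\n")))
    return records, unmatched

def suspicious(records):
    """Flows worth an analyst's time: a priority-1 alert, or keystrokes on the honeypot while the flow was open."""
    return sorted(k for k, r in records.items()
                  if any(p == 1 for _, _, p in r["alerts"]) or r["keystrokes"])

if __name__ == "__main__":
    recs, un = fuse()
    for key in suspicious(recs):
        r = recs[key]
        print(key, "os:", r["os"], "alerts:", len(r["alerts"]), "keystrokes:", [k[4] for k in r["keystrokes"]])
    print("unmatched:", un)
```

The time-based join for Sebek is deliberately permissive: if two flows to the same honeypot overlap, the keystrokes are attached to both, because the fusion layer cannot know which session typed them. That ambiguity is for the analyst to resolve, not for the script to hide.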
MWCollect: Nepenthes, HoneyTrap and HoneyBow.
MWCollect
- MWCollect (sort of) is an alliance of malware researchers and software engineers
  - ...and, less prettily, it is the dead parent process from which Nepenthes was forked
- Home to Nepenthes, HoneyTrap and HoneyBow
- State-of-the-art (scientific) research on malware
  - Reverse engineering polymorphic shellcodes
  - Call-flow graph (binary) analysis
  - Et cetera
Nepenthes.
- Malware-collecting mid-interaction honeypot
- Emulates known vulnerabilities and captures the malware trying to exploit them
  - E.g. NetDDE, LSASS, DCOM, ASN1, MSSQL, UPNP, IIS vulns
- Modular arch: vuln-*, shellcode-*, download-*, submit-*
- Extensions are being developed for call-flow graphs and binary shellcode analysis
- First released in 2006 by Paul Baecher et al.
Nepenthes.
(Figure: Nepenthes architecture. The Nepenthes core listens on tcp/135, tcp/445, tcp/80, tcp/...; vulnerability modules: vuln-lsass, vuln-dcom, vuln-asn1, vuln-wins, ...; shellcode modules: shellcode-generic, shellemu-winnt; download modules: download-tftp, download-ftp, download-http, download-link, ...; submit modules: submit-file, submit-xmlrpc, submit-norman, ...; other modules: geolocation-geoip, geolocation-hostip, module-portwatch, log-download, log-irc, dnsresolve-adns. Pipeline: EXPLOIT -> PAYLOAD -> MALWARE URL -> MALWARE!)
Source: “The Nepenthes Platform: An Efficient Approach to Collect Malware”, Baecher et al., 2006
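The last two stages of that pipeline (MALWARE URL -> MALWARE!), as an added example that is not Nepenthes code: a download handler is picked by the URL’s scheme, the way the download-* modules divide the work, and the submit stage stores each distinct binary once under its hash, as Nepenthes does with MD5 (SHA-256 here). The point worth seeing is that a collector must isolate failures per URL, since most extracted URLs are dead by the time they are fetched, and must deduplicate by content, since the same sample is served from many hosts. The “network” is a constructed in-memory table, so nothing is fetched for real; the URLs and bytes are constructed.

```python
import hashlib
from urllib.parse import urlparse

class DownloadError(Exception):
    pass

# Constructed stand-in for the network: what a fetch of each URL would return.
FAKE_NETWORK = {
    "http://198.51.100.23:8080/x.exe": b"MZ\x90\x00constructed-sample-A",
    "tftp://198.51.100.23/x.exe":      b"MZ\x90\x00constructed-sample-A",   # same bytes, other URL
    "http://203.0.113.9/b.exe":        b"MZ\x90\x00constructed-sample-B",
}

def fake_fetch(url: str) -> bytes:
    """download-* stand-in; raises on failure like a real fetcher would."""
    try:
        return FAKE_NETWORK[url]
    except KeyError:
        raise DownloadError(f"no route to {url}") from None

class Collector:
    """download-* dispatch by scheme, then submit-file with hash-based dedup."""

    def __init__(self, fetchers):
        self.fetchers = fetchers     # scheme -> callable(url) -> bytes
        self.samples = {}            # sha256 hex -> bytes (the "submit-file" store)
        self.events = []             # one dict per handled URL, for the log-* side

    def handle_url(self, url: str, source_ip: str) -> dict:
        scheme = urlparse(url).scheme
        fetch = self.fetchers.get(scheme)
        if fetch is None:
            return self._record(source_ip, url, "unsupported-scheme", None)
        try:
            data = fetch(url)
        except DownloadError as exc:
            return self._record(source_ip, url, f"download-failed: {exc}", None)
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.samples:
            return self._record(source_ip, url, "duplicate", digest)
        self.samples[digest] = data
        return self._record(source_ip, url, "new-sample", digest)

    def _record(self, source_ip, url, status, digest):
        event = {"source_ip": source_ip, "url": url, "status": status, "sha256": digest}
        self.events.append(event)
        return event

def demo():
    """Constructed hand-offs from the shellcode stage: one new sample, the same
    sample via another scheme, a second sample, an unsupported scheme, a dead URL."""
    collector = Collector({"http": fake_fetch, "tftp": fake_fetch})   # no "ftp" handler registered
    handoffs = [
        ("http://198.51.100.23:8080/x.exe", "198.51.100.23"),
        ("tftp://198.51.100.23/x.exe", "198.51.100.40"),
        ("http://203.0.113.9/b.exe", "203.0.113.9"),
        ("ftp://203.0.113.9/c.exe", "203.0.113.9"),
        ("http://203.0.113.9/missing.exe", "203.0.113.9"),
    ]
    return collector, [collector.handle_url(url, ip) for url, ip in handoffs]

if __name__ == "__main__":
    collector, results = demo()
    for r in results:
        print(r["status"], r["url"], r["sha256"])
    print(f"{len(collector.samples)} unique samples stored")
```

Even a duplicate is recorded as an event with its source address: the binary is old news, but a new host distributing it is not.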
HoneyTrap and HoneyBow.
HoneyTrap
- Low-interaction malware collection honeypot
- HoneyTrap binds to (all!) unbound TCP ports, and listens
- Does not emulate vulns or services, although the latter is possible through plug-ins
- Aimed at catching 0-days (unlike Nepenthes)
HoneyBow
- High-interaction malware collection honeypot
- Announced in Dec/2006 by the China Honeynet Project
- Modular arch: MwWatcher, MwFetcher, MwSubmitter
- Claimed it will interoperate with Nepenthes
Limitations.
Limitations/caveats in honeypot technology
- Complexity is the enemy of security, and honeynets are complex.
  - Bugs in emulators
  - Bugs in data capture/analysis/control tools
  - Privilege escalation / jailbreak
- Known attacks: NoSEBrEaK, (unofficial) Phrack #62/0x07 (Local Honeypot Identification).
- Decoy/false attacks (counter-counter, etc.).
- Blackhats exchange and evade IP-ranges of known honeynets
  - Auto(re)configuration, higher volatility might help
Recent topics.
- Honeysnap
  - CLI tool for high-level analysis of captured data
  - honeysnap -c honeynet.cfg myfile.pcap
- Unified Data Analysis Framework (UDAF)
  - Library for data acquisition, filtering, fusion, reporting, et cetera (towards visual programming)
  - Let’s hope it’ll be interoperable with IDMEF / GOTEK
- Sandboxes: CWSandbox, Norman, Sandboxie
- SCADA honeynets
  - Cisco CIAG: scadahoneynet.sf.net
  - PLC emulation; MODBUS, DNP
- Client honeypots: honeyclient, Capture-HPC, HoneyC, SpyBye
- Honeystick, Google Hack Honeypot
Honeypot classification.
(Figure: honeypot classification.)
Source: “Taxonomy of Honeypots”, Seifert, Welch & Komisarczuk, 2006
Honeynet Research Alliance.
- “The Honeynet Research Alliance is a trusted forum of other honeypot research organizations. [...] These organizations subscribe to the Alliance for the purpose of researching, developing and deploying honeypot related technologies and sharing the lessons learned.”
Honeynet Research Alliance (map).
(Figure: map of Alliance members.)
NL is still not represented. Why?
Summary.
Topics that have been discussed
- Definition, purpose, taxonomy
- Tools: HoneyD, Honeywall, Sebek, Nepenthes
- Limitations, recent topics
Feedback!
Questions regarding this lecture?
Lab assignments (deadline = April 14th): http://os3.nl/2007-2008/courses/ids/practica_bij_10_april
These slides will be uploaded here: http://os3.nl/2007-2008/courses/ids/