Date posted: 21-Dec-2015
1A. Qahtan
Honeynet
By: A. Qahtan
Prepared for: Dr. Khaled Salah
Outline
- Introduction
- Terminology
- Honeynet Requirements
- Honeynet Usage
- Honeynet Risks
- Honeypot Virtualization
- Honeynet Tools
- Defeating Honeynets

Introduction
- Computer security was primarily defensive: firewalls, intrusion detection systems and encryption mechanisms defensively protect computer resources
- Attackers have the initiative
- Honeynets attempt to change that

Introduction
- A honeynet attempts to attract attackers to a system where everything is monitored
- Using honeynets:
  - Attackers can be identified
  - New attacking tools can be discovered
  - Attack patterns can be determined
  - Attacker motives can be studied

Honeypot
- A honeypot is a security resource whose value lies in being probed, attacked or compromised
- Detect automated probes and attacks
- Capture tools, new worms, etc.
- Raise awareness
- Identify infected/compromised machines

Honeypot Advantages
- There is no normal traffic: everything is suspicious and potentially malicious
- Less data to analyze than an IDS, dramatically reducing if not eliminating false positives
- Provide valuable information about attackers
- Capture new types of malware
- Work in IPv6 and encrypted environments

Honeypot Disadvantages
- Potential risks for your network
- Time consuming to maintain
- Narrow view: bad guys have to probe, use or communicate with the honeypot for it to work

Types of Honeypots: Low-interaction
- Emulate some parts of services and systems
- Attacker does not have access to the real OS
- Attacker can't compromise the honeypot
- Easy to install and maintain
- Low risk
- Limited information gathering
- Examples: listeners, service emulators, honeyd, tiny honeypot

Types of Honeypots: High-interaction
- More difficult to install and maintain
- High risk: need containment mechanisms
- Extensive information gathering
- Examples: honeynets, virtual honeynets

HoneyToken
- A honeypot that is not a computer (some type of digital entity), e.g. a credit card number, an Excel spreadsheet, a PowerPoint presentation, a database entry, or even a bogus login
- Bogus credit card numbers can be embedded in a database
- SSN honeytokens in the students' database at universities
- IDS sensors could be configured to watch the local networks for these honeytoken numbers
- If detected on the wire, then the databases have most likely been compromised

HoneyToken (example)
- Company is concerned about internal employees attempting to find company secrets
- Create a bogus email, or honeytoken:

  To: Chief Financial Officer
  From: Security help desk
  Subject: Access to financial database

  Sir,
  The security team has updated your access to the company's financial records. Your new login and password to the system can be found below. If you need any help or assistance, do not hesitate to contact us.

  https://finances.ourcompany.com
  login: cfo
  password: Ch13ff1n

  Security Help Desk

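As an added example (not part of the slides), the sensor side of the honeytoken idea: a small monitor that watches captured payloads for the decoy CFO credentials from the e-mail above and for a constructed decoy card number, matching digit sequences however they are grouped. The token values, the line format (source IP, tab, payload) and the sample capture are all assumptions made up for the example.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "token_name source payload")

# Constructed honeytokens modelled on the slides: the bogus CFO login planted in
# the decoy e-mail, and a bogus card number planted in a customer database.
# None of these values is real; any sighting on the wire means the decoy leaked.
HONEYTOKENS = {
    "cfo-decoy-login": ["Ch13ff1n", "finances.ourcompany.com"],
    "decoy-card-number": ["4539-1488-0343-6467"],
}

_NUMERIC = re.compile(r"^[\d\s-]+$")

def matches(token, text):
    """Numeric tokens (card numbers, SSNs) match however the digits are grouped
    (spaces, dashes or nothing); other tokens match as literal substrings."""
    if _NUMERIC.match(token):
        digits = re.sub(r"\D", "", token)
        return re.search(r"[\s-]*".join(digits), text) is not None
    return token in text

def scan(lines):
    """Return one Alert per line in which a honeytoken appears. Each input line
    is 'SRC_IP<TAB>payload', the shape a sensor might hand to an analyst."""
    alerts = []
    for line in lines:
        src, _, payload = line.partition("\t")
        for name, values in HONEYTOKENS.items():
            if any(matches(v, payload) for v in values):
                alerts.append(Alert(name, src, payload))
    return alerts

# Constructed sample capture: one benign request, one use of the decoy password,
# one query carrying the decoy card number with spaces instead of dashes.
SAMPLE_LINES = [
    "10.1.2.3\tGET /reports HTTP/1.1 Host: intranet.ourcompany.com",
    "10.1.2.77\tPOST /login user=cfo&pass=Ch13ff1n HTTP/1.1",
    "10.1.2.9\tSELECT * FROM cards WHERE pan = '4539 1488 0343 6467'",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LINES):
        print("ALERT %s seen from %s: %s" % (a.token_name, a.source, a.payload))
```
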
HoneyMonkey
- HoneyMonkey is a new way of detecting malicious code from websites that try to exploit certain vulnerabilities of Internet browsers
- Automated web/Internet patrol system:
  - To detect harmful material on the Internet
  - To come up with solutions
  - To catch the people behind these malicious acts
- The computer system logs on to websites like a normal computer system to detect harmful code that a certain website might try to inject or silently install onto computers that access it

Commercial Honeypots
- Mantrap from Recourse Technologies (requires Solaris)
  - Emulates up to 4 hosts (each running Solaris) running various services
  - Can virtually run any application
- Specter (requires Windows NT)
  - Can emulate 11 operating systems
  - Limited to emulating 13 different vulnerable services

Commercial Honeypots
- Netfacade (requires Solaris)
  - Able to simulate 8 different OSes and 13 different services
- Deception Toolkit
  - Set of Perl scripts that can emulate various vulnerable services

Commercial Honeypots
- Easy to install, configure, deploy, manage and maintain
- Normally very expensive
- Can be managed, via an administrative GUI, by administrators with less skill and knowledge
- Come with many different functions and utilities

Homemade Honeypots
- Require a considerable amount of effort and time to implement
- Require someone with good skill and knowledge to manage them
- Not limited in customization and configuration

Honeynet
- A network of high-interaction honeypots
- Real computer systems left in their default (and insecure) configuration
- Multiple systems and applications
- Sits behind a firewall where all inbound and outbound data is contained, captured and controlled
- Captured information is then analyzed to learn the tools, tactics, and motives of the hacker community

Honeyfarm
- Honeypots alone have a limited field of view; the solution is honeyfarms
- Multiple honeypots or even honeynets running vulnerable services are centrally operated
- Each honeypot virtually belongs to a different network domain
- Distributed presence by deploying redirectors
  - A redirector acts as a proxy or 'worm hole' that transports an attacker's probes to a honeypot within the honeypot farm
- Centralized management: convenient attack correlation and data mining

Honeynet Farm - example
[Figure: Honeynet Research Alliance]

Honeypot Farm - example
[Figure: Honeypot Farm]

Honeynet GEN I
[Figure: GEN I honeynet architecture. Components: Internet, router, firewall gateway, IDS, log/alert server, syslog, switch, honeypots (Windows XP, Linux, Sparc) and the production network]

Honeynet GEN II
[Figure: GEN II honeynet architecture. Components: Internet, router, honeynet sensor, honeypots and production systems]

GEN II Honeynet Sensor (honeywall gateway)
- Layer two bridge (a layer three routing gateway can be used also)
- Bridge is preferred, as it is harder to detect
- Separates production systems from the honeynet network
- Three interfaces:
  - eth0 connected to the production systems' network
  - eth1 connected to the honeynet systems' network
  - eth2 for remote administration of the gateway

Honeynet Requirements
- Data Control
- Data Capture
- Data Collection
- Alerting Mechanism

Data Control
- Prevent attackers from using the honeynet to attack or harm other non-honeynet systems
- Mitigates risk, it does not eliminate it (stealthiness vs safety)
- The more you allow, the more you can learn
- The more you allow, the more harm they can potentially cause

Data Control: Firewall
- The firewall is the primary tool for controlling inbound and outbound connections
- The firewall is designed to allow any inbound connection and limit the number of outbound connections

Data Control: Router
- Supplements the firewall
- Protects against spoofed or ICMP-based attacks
- Allows only packets with a source IP address of the honeynet to leave the router (ingress filtering)

Data Control: NIPS
- Inspects each packet as it travels through our gateway
- On matching any of the IDS rules, an alert is generated and the packet can be dropped (blocking the attack) or modified (disabling the attack)

Data Capture: NIDS
- Log all attacker activities
- Firewall logs all connections initiated to and from the honeynet
- IDS logs ALL data in tcpdump format
- IDS configured to send an alert when certain attack signatures are seen

Data Capture: SysLog
- The central syslog server is a hardened host within the honeynet
- Attracts more sophisticated attacks once a blackhat has compromised one of the default-configuration honeynet systems

Data Collection
- Applies to organizations that have multiple honeynets in distributed environments
- A single honeynet requires only data control and data capture
- Multiple honeynets have to collect all of the captured data and store it in a central location
- Captured data can be combined, exponentially increasing its value (honeyfarm)

Alerting
- Some organizations cannot support 24/7 staff
- The alternative is automated alerting
- Automated monitoring using Swatch, the Simple Watcher

Honeynet Usage
- Learn about hackers
- Tune the IT security process
- Intrusion prevention
- Honeypot-based forensics
- Eliminating false positives of the IDSs

Honeynet Risks
- Attracting attention to their seemingly insecure configuration
- Require constant maintenance and administration
- Data analysis is very time consuming: a single compromise on average requires 30-40 hours of analysis
- Risk of detection

Honeypot Virtualization
- Tar pits
- VMware
- Honeyd
- UML

Tar Pits
- A computer entity that intentionally responds slowly to incoming requests
- Delude clients: unauthorized or illicit use of a fake service might be logged and slowed down
- Layer 7 tar pits (defeating spammers): look like open mail relays, but instead answer very slowly to SMTP commands
- Layer 4 LaBrea tar pit: slows down the spread of worms over the Internet
  - TCP window size reduced to zero
  - Tar pit continues to acknowledge incoming packets

VMware
- Commercial software for virtual machines
- Allows you to launch multiple instances of different operating systems on a single piece of hardware
- Isolates OSes in secure virtual machines
- Maps the physical hardware resources to the virtual machine's resources
- Emulates x86 hardware
- Widely used by honeypot operators; allows easy deployment of honeypots

Honeyd
- Open source honeypot daemon
- Was used with another tool, arpd; arpd answers ARP requests in order to redirect the needed traffic to Honeyd
- Simulates several virtual hosts at the same time
- Permits configuration of arbitrary services
- Supports only the IPv4, TCP, UDP and ICMP protocols

User-Mode Linux (UML)
- Free software under the GPL
- Creates virtual machines; virtualizes Linux itself
- Runs an entire Linux environment in user-space
- Runs multiple instances of Linux on the same hardware
- Dedicated to Linux

Building Blocks
- Honeywall
- Sebek
- Bait and switch technique

Honeywall
- Data capture and data control
- IDS: Snort / IPS: snort_inline
- Netfilter/iptables for traffic limiting
- Further monitoring: swatch

Snort_inline
- Inline packet modification engine
- Modified version of Snort (in recent Snort versions it has become part of Snort)
- Adds several new rule types (drop, sdrop and reject)
- Provides packet rewriting from something dangerous into something harmless, e.g. replacing the string /bin/sh by /ben/sh, using the replace keyword as in this rule:

  alert ip $HONEYNET any -> $EXTERNAL_NET any (msg:"SHELLCODE x86 stealth NOOP"; sid:651; content:"|EB 02 EB 02 EB 02|"; replace:"|24 00 99 DE 6C 3E|";)

Netfilter/iptables for traffic limiting
- Netfilter/iptables functionality of the Linux kernel for connection limitation
- Prevents the abuse of a compromised honeypot for denial-of-service attacks, mass scanning, downloading toolkits and setting up automated bots
- The Honeynet Project allows 15 outgoing TCP connections and 50 outgoing ICMP packets per day:

  [...]
  ### Set the connection outbound limits for different protocols.
  SCALE="day"
  TCPRATE="15"
  UDPRATE="20"
  ICMPRATE="50"
  OTHERRATE="15"
  [...]

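As an added example (not part of the slides or of the Honeynet Project's own rc.firewall script), the data-control rule behind those limits modelled in Python: outbound connections are counted per honeypot and protocol and everything beyond the per-day limit is dropped, which is also the moment the operator wants an alert. The sliding one-day window, the event format and the sample stream are assumptions made for this model, not the exact iptables semantics.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Per-protocol limits from the Honeywall fragment quoted above, per SCALE="day".
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 15}
SCALE = timedelta(days=1)

class OutboundLimiter:
    """Counts outbound connections per (honeypot, protocol) inside a sliding
    window of one SCALE; accepts up to the limit and drops the rest. The sliding
    window is an assumption for this model, not the exact iptables semantics."""

    def __init__(self, limits=LIMITS, scale=SCALE):
        self.limits = limits
        self.scale = scale
        self.seen = defaultdict(list)   # (honeypot, proto) -> accepted timestamps

    def decide(self, ts, honeypot, proto):
        proto = proto if proto in self.limits else "other"
        key = (honeypot, proto)
        # Forget accepted connections that have aged out of the window.
        self.seen[key] = [t for t in self.seen[key] if ts - t < self.scale]
        if len(self.seen[key]) < self.limits[proto]:
            self.seen[key].append(ts)
            return "ACCEPT"
        return "DROP"

def run(events):
    """events: iterable of (timestamp, honeypot_ip, proto, dst_ip). Returns the
    per-event verdicts and, per honeypot, the time of the first DROP, which is
    the moment an operator wants an alert: the honeypot is trying to get out."""
    limiter = OutboundLimiter()
    verdicts, first_drop = [], {}
    for ts, honeypot, proto, dst in events:
        verdict = limiter.decide(ts, honeypot, proto)
        verdicts.append((ts, honeypot, proto, dst, verdict))
        if verdict == "DROP":
            first_drop.setdefault(honeypot, ts)
    return verdicts, first_drop

# Constructed sample: a compromised honeypot opens 17 TCP connections in 17
# minutes (a scan), then one more connection 25 hours later.
T0 = datetime(2015, 12, 21, 9, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(minutes=i), "10.0.0.5", "tcp", "203.0.113.%d" % i)
                 for i in range(17)]
SAMPLE_EVENTS.append((T0 + timedelta(hours=25), "10.0.0.5", "tcp", "203.0.113.99"))
```

Running run(SAMPLE_EVENTS) accepts the first 15 connections, drops the 16th and 17th, and accepts the one a day later once the window has moved on.
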
Sebek
- Client/server based application
- The primary data capture tool used by honeynet researchers
- Kernel module on Linux & Solaris, patch on OpenBSD/NetBSD, device driver for Windows
- Kernel-based rootkit that hijacks the read() system call (remember API hooking?)
- Records all data accessed via read()
- Sends data passing through sys_read() in a covert manner over the network to the Sebek server
- Overwrites part of the network stack (packet_recvmsg) to hide Sebek data passing on to the network
- Network counters and data structures have to be adapted

Bait and Switch Technique
- Follows the security paradigm of "Protect, Detect and React":
  - Protect the network as best as possible (firewalls)
  - Detect any failures in the defense (IDS)
  - React to failures (alerting)
- Bait and Switch redirects all malicious network traffic to a honeypot
- The attacker is attacking a trap instead of real data
- Based on Snort, iproute2, netfilter/iptables and some custom code

Defeating Honeynets
- Tar pits
- VMware
- Snort_inline
- Netfilter/iptables
- Sebek
- Bait and switch

Detecting Tar Pits
- Attacker (10.0.0.2) trying to reach a fake web server (10.0.0.1), looking at the answers from 10.0.0.1 with records from tcpdump
- Window size starts at 3 and then 0 for the next connection; the attacker figures this out very easily

Detecting Tar Pits
- An attacker on the same network segment as LaBrea can do fingerprinting at layer 2
- The tar pit answers with the same unique MAC address 0:0:f:ff:ff:ff
- Looking at such ARP responses:

  04:59:00.889458 arp reply 10.0.0.1 (0:0:f:ff:ff:ff) is-at 0:0:f:ff:ff:ff

- You can find and change this hard-coded value in the sources of LaBrea (PacketHandler.c):

  u_char bogusMAC[6] = {0,0,15,255,255,255};

Detecting VMware
- IEEE standards assigned MAC addresses to VMware in the ranges 00-05-69-xx-xx-xx, 00-0C-29-xx-xx-xx and 00-50-56-xx-xx-xx
- MAC addresses can be obtained via arp -a; Unix: ifconfig or Windows: ipconfig /all
- Honeypot operators usually leave the NetBIOS port open; an attacker interacting with NetBIOS services can obtain the MAC address using commands such as nmblookup (Unix) or nbtstat -A @IP (Windows)

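As an added example (not from the slides), a self-audit a honeynet operator can run over their own arp -a, ipconfig /all or tcpdump ARP output before going live: it normalises the different MAC spellings and flags the two give-aways the last two slides describe, the VMware OUIs and LaBrea's hard-coded bogus MAC. The line formats and all sample entries except the ARP reply quoted on the slide are constructed assumptions.

```python
import re

# Fingerprintable MAC addresses from the slides: the VMware OUIs and the
# hard-coded LaBrea bogusMAC {0,0,15,255,255,255}.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:50:56"}
LABREA_MAC = "00:00:0f:ff:ff:ff"

# Six hex groups of one or two digits, separated by ':' or '-' (covers tcpdump's
# unpadded '0:0:f:ff:ff:ff', Unix 'aa:bb:...' and Windows 'AA-BB-...' forms).
_MAC_RE = re.compile(r"\b([0-9a-fA-F]{1,2}(?:[:-][0-9a-fA-F]{1,2}){5})\b")
_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def normalise_mac(mac):
    """Canonical form: lower case, colon separated, zero padded."""
    return ":".join(part.zfill(2).lower() for part in re.split(r"[:-]", mac))

def classify(mac):
    """Return what the MAC gives away, or None if it looks unremarkable."""
    mac = normalise_mac(mac)
    if mac == LABREA_MAC:
        return "labrea-tarpit"
    if mac[:8] in VMWARE_OUIS:
        return "vmware-guest"
    return None

def audit(lines):
    """Scan lines from 'arp -a', 'ipconfig /all' or tcpdump ARP output and return
    (ip_or_line, canonical_mac, finding) for every fingerprintable address."""
    findings = []
    for line in lines:
        for raw in dict.fromkeys(_MAC_RE.findall(line)):   # dedupe, keep order
            kind = classify(raw)
            if kind:
                ip = _IP_RE.search(line)
                findings.append((ip.group(0) if ip else line.strip(),
                                 normalise_mac(raw), kind))
    return findings

# Constructed sample: the ARP reply quoted on the slide, two 'arp -a' style
# entries and one 'ipconfig /all' style line.
SAMPLE_LINES = [
    "04:59:00.889458 arp reply 10.0.0.1 (0:0:f:ff:ff:ff) is-at 0:0:f:ff:ff:ff",
    "? (10.0.0.20) at 00:0c:29:4e:a1:b2 on eth0",
    "   Physical Address. . . . . . . . . : 00-50-56-9A-12-34",
    "? (10.0.0.30) at 52:54:00:12:34:56 on eth0",
]
```

Any finding is a honeypot an attacker on the segment can spot; the fix is to change the bogusMAC in PacketHandler.c or assign the VM a non-VMware MAC before deployment.
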
Detecting VMware
[Figures: two slides of VMware detection screenshots; content not recoverable from the extraction]

Detecting Snort_inline
- Dropping of outgoing packets = black hole
- Modification = can be detected by a sophisticated attacker
- Stealthiness of Snort_inline can be increased with fewer rules, but this leads to more attacks that will not be noticed

Detecting Netfilter/iptables
- The aggressor can simply try to:
  - Open many outgoing connections to different hosts
  - Send a lot of ICMP echo request packets to varying hosts
- If after some time no more outgoing packets can reach the target, then it is a honeypot

Detecting Sebek: Latency
- Reading a single byte via a read(1) call = Sebek will transfer nearly 100 bytes of data
- Doing it tens of thousands of times = network congestion, e.g.:
  - ping a local IP (the gateway)
  - dd if=/dev/zero of=/dev/null bs=1
  - ping again
- Average round-trip time grew from 0.7 milliseconds to over 4800 milliseconds

Detecting Sebek: Displaying hidden modules
- Sebek uses cleaner.c, a simple loadable kernel module that unlinks the last module in the kernel's module list
- module_hunter.c is able to locate hidden modules: it searches for patterns of module structures in the kernel's address space and is able to detect modules hidden via unlinking
- Using the same technique one can get the address of Sebek's cleanup_module() and disable Sebek
- A toolkit written in Python 2.3 can detect and remove Sebek from a honeypot
- Get the source code at md.hudora.de

Detecting Sebek
[Figure: content not recoverable from the extraction]

Detecting Sebek: Modification of the syscall table
- Commonly used by rootkit detection tools
- Look at the system call table and analyze the pointers to the various system calls
- In an unmodified system call table, the pointers to the read() and write() system calls are adjacent
- Sebek changes the pointer of the read() system call, so adjacency is no longer given

Detecting Sebek: Network traffic counters
- Sebek adjusts some counters to conceal the transmission of the logging data
- A sophisticated attacker compares the kernel's internal network counters with the output of ifconfig or other tools

Kebes: Anti-Sebek techniques

  Sebek activity (log)                    | Anti-Sebek
  ----------------------------------------|---------------------------------------------------------------
  All network traffic                     | Use encrypted communication / attack the logging host (hard!)
  All calls to read()                     | Don't use read()
  Forensic data obtained by disk analysis | Keep most things in memory only
  Syslog data                             | Avoid it as best as possible

Kebes
- Under the project name NoSEBrEaK
- Entirely written in Python 2.3 for portability, with no external dependency
- Uses mmap() to avoid read() system calls
- Implements all basic functionality of a shell: reading and writing of files, secure deleting, direct executing of programs
- Implements an encrypted channel between the attacker and the honeypot, so logging of network activity is useless

Summary
- Never-ending fight between hackers and the security community
- Honeynets should be carefully deployed and should act as real systems (stealthiness vs safety)
- Be aware of hackers' techniques for detecting honeypots

Q&A
Thank you