BSides Chicago 2013 honeypots

Posted on 11-May-2015


Transcript

Be vewy, vewy quiet….

let’s watch some hackers..

Agenda

Interactive portion intro
Whoami
What is a Honeypot?
Different Honeypots
Why Honeypots?
Things I discovered
Interactive portion end results

Interactive portion

SSID – FBI Mobile
IP address – 192.168.2.5
User ID – root
The password is…. 123456

Whoami

Father
Husband
Geek
Antagonist of the shiny things
ShadowServer.org volunteer
Security analyst

What is a Honeypot?

A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (Lance Spitzner, May 2003)

Why Honeypots?


Different Honeypots

Server honeypots / Client honeypots
Low interaction / High interaction
High-interaction targets: Windows XP SP0, Windows Vista SP0

Basic Network Configuration

Initial Research

A word of advice on using an EC2 instance.

GeoIP location: Dionaea - Ireland

Dionaea stats

Run 1: started 3/7/2013, stopped 3/9/2013
Run 2: started 3/12/2013, stopped 3/14/2013

Dionaea stats

• Don't forget to add your API key from VirusTotal to your config file!!
• If you don't add the API key, then the pretty visualization tool can't do its job and you have to do it manually!!!

Dionaea stats: Top 10 IP addresses

[Bar chart. Source IPs as labelled on the chart: 58.218.199.250, 189.248.217.168, 61.147.103.188, 61.155.168.59, 58.120.190.222, 64.31.14.106, 218.222.22.205, 69.162.105.18, 199.217.115.214, 74.63.195.91. Hit counts as labelled, highest first: 144, 109, 71, 56, 17, 14, 14, 9, 9, 8.]

Wireshark Analysis: Attack Attempts

Malware Captures

MD5 | VirusTotal detection ratio | Common name | Source IP address / WhoIs
78c9042bbcefd65beaa0d40386da9f89 | 44 / 46 | Microsoft - Worm:Win32/Conficker.C | 209.190.25.37, XLHost (VPS provider), http://www.xlhost.com/
7acba0d01e49618e25744d9a08e6900c | 45 / 46 | Microsoft - Worm:Win32/Conficker.B | 69.28.137.10, LimeLight Networks (a Digital Presence Management company), http://www.limelight.com/
90c081de8a30794339d96d64b86ae194 | 42 / 43 | Kaspersky - Backdoor.Win32.Rbot.aftu | 69.38.10.83, WindStream Communications (voice and data provider), http://NuVox.net
bcaef2729405ae54d62cb5ed097efa12 | 43 / 44 | Kaspersky - Backdoor.Win32.Rbot.bqj | 69.9.236.128, Midwest Communications (Comcast/WideOpenWest parallel), http://midco.net/
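The two Dionaea tallies above (top attacking IPs, and captured samples keyed by MD5 with the address that delivered them) come straight out of Dionaea's logsql.sqlite. The script below is an added example written for this page, not the speaker's code or Dionaea's own tooling. It assumes the logsql table and column names Dionaea wrote at the time (connections.remote_host, connections.connection_type, downloads.download_md5_hash, and so on); confirm them with `sqlite3 logsql.sqlite .schema` before pointing it at a real database. The rows in SAMPLE are constructed for the example (documentation addresses paired with the MD5s from the capture table), and the default database path in the usage note is an assumption.

```python
"""Top-N attacking IPs, per-service hit counts, and captures-by-MD5 from a
Dionaea logsql.sqlite database. Added example, not code from the talk.

Assumed schema (check with `.schema` on your own logsql.sqlite): the two
tables below, as Dionaea's logsql module created them in 2013.
"""
import sqlite3

SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT, connection_transport TEXT, connection_protocol TEXT,
    connection_timestamp INTEGER, connection_root INTEGER, connection_parent INTEGER,
    local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_hostname TEXT, remote_port INTEGER
);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY,
    connection INTEGER REFERENCES connections(connection),
    download_url TEXT, download_md5_hash TEXT
);
"""

# Constructed sample rows: (remote_host, dionaea service, md5 of a dropped file or None).
# TEST-NET addresses; the MD5s are the Conficker hashes from the capture table above.
SAMPLE = [
    ("192.0.2.10", "smbd", "78c9042bbcefd65beaa0d40386da9f89"),
    ("192.0.2.10", "smbd", None),
    ("192.0.2.10", "smbd", "78c9042bbcefd65beaa0d40386da9f89"),
    ("198.51.100.7", "smbd", "7acba0d01e49618e25744d9a08e6900c"),
    ("198.51.100.7", "httpd", None),
    ("203.0.113.5", "mssqld", None),
]


def open_sample_db():
    """In-memory stand-in for logsql.sqlite, populated from SAMPLE."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for i, (ip, proto, md5) in enumerate(SAMPLE, start=1):
        conn.execute(
            "INSERT INTO connections (connection, connection_type, connection_transport,"
            " connection_protocol, connection_timestamp, connection_root, connection_parent,"
            " local_host, local_port, remote_host, remote_hostname, remote_port)"
            " VALUES (?, 'accept', 'tcp', ?, ?, ?, ?, '10.0.0.5', 445, ?, '', 40000)",
            (i, proto, 1362614400 + i, i, i, ip))
        if md5:
            conn.execute(
                "INSERT INTO downloads (connection, download_url, download_md5_hash)"
                " VALUES (?, ?, ?)", (i, "tftp://%s/x.exe" % ip, md5))
    conn.commit()
    return conn


def top_remote_hosts(conn, n=10):
    """The 'Top 10 IP addresses' chart: accepted connections per attacker address."""
    return conn.execute(
        "SELECT remote_host, COUNT(*) AS hits FROM connections"
        " WHERE connection_type = 'accept'"
        " GROUP BY remote_host ORDER BY hits DESC, remote_host LIMIT ?", (n,)).fetchall()


def protocol_counts(conn):
    """Accepted connections per emulated service (which ports the attackers hit)."""
    return conn.execute(
        "SELECT connection_protocol, COUNT(*) AS hits FROM connections"
        " WHERE connection_type = 'accept'"
        " GROUP BY connection_protocol ORDER BY hits DESC").fetchall()


def captures_by_md5(conn):
    """One entry per distinct sample: md5 -> (times captured, sorted source IPs).

    Joining downloads back to connections is what turns a hash into the
    'Source IP address / WhoIs' column of the capture table.
    """
    out = {}
    for md5, ip in conn.execute(
            "SELECT d.download_md5_hash, c.remote_host FROM downloads d"
            " JOIN connections c ON c.connection = d.connection"):
        entry = out.setdefault(md5, [0, set()])
        entry[0] += 1
        entry[1].add(ip)
    return {md5: (count, sorted(ips)) for md5, (count, ips) in out.items()}


if __name__ == "__main__":
    db = open_sample_db()
    print("top hosts:", top_remote_hosts(db))
    print("per service:", protocol_counts(db))
    print("captures:", captures_by_md5(db))
```

Against a live honeypot, replace `open_sample_db()` with `sqlite3.connect("/opt/dionaea/var/dionaea/logsql.sqlite")` (the path is the usual install location, assumed here, not taken from the talk); the MD5 list from `captures_by_md5` is exactly what you then feed to VirusTotal with the API key the note above insists on.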

GeoIP location: Dionaea - recent

Kippo

Started 2/27/2013, stopped 3/1/2013

IP addresses
• 14 unique IP addresses
• Maximum password attempts – 1342
• Successful logins – 7
• Replay scripts – 1
• Files uploaded – 1

Kippo stats: Attacker's IP addresses / connection attempts

[Bar chart. Attacker IPs as labelled: 67.23.166.100, 113.142.37.114, 106.3.105.27, 221.132.73.154, 213.165.170.183, 222.187.96.70, 124.160.194.27, 61.167.33.222, 222.114.39.171, 220.172.191.31, 1.234.51.243, 86.123.130.69, 116.11.252.194 (13 of the 14 unique addresses survive extraction). Connection-attempt counts as labelled: 1342, 1190, 454, 163, 163, 156, 28, 22, 16, 54, 1, 1; the pairing of counts to addresses is not recoverable from the extracted text.]

GeoIP location: Kippo – recent

Kippo stats: Top 25 user names / times tried

[Bar chart, reconstructed from the axis labels]

User name | Times tried
root | 1856
bin | 67
oracle | 17
test | 10
nagios | 9
martin | 6
toor | 6
ftpuser | 6
user | 5
postgres | 5
info | 5
webmaster | 5
apache | 4
backup | 4
guest | 4
r00t | 4
public | 4
green | 4
demo | 4
site | 4
jeff | 4
andy | 4
i-heart | 4
user0 | 4
content | 3

Kippo stats: Top 25 passwords / tries

[Bar chart. Password labels that survive extraction: 123456 (27 tries), Password, !Q@W#E$R%T^Y&U*, 7hur@y@t3am$#@!(*, 7hur@y@t3am$#@!(*(, passw0rd, 1234, test, 111111, !@#$%^&*, abc123; a few labels are Kippo log fragments such as "123456] succeeded" rather than passwords. Remaining tallies as labelled: 16, 9, 9, 9, 8, 7 (eleven passwords), 6, 6, 6; which password each belongs to is not recoverable beyond 123456.]

Kippo stats: Accounts that used 123456 as password

User ID | Tries
root | 7
ftpuser | 3
oracle | 3
andy | 2
info | 2
jeff | 2
site | 2
test | 2
webmaster | 2
areyes | 1
brian | 1

“7 successful logons? But your chart says 27 used the password of 123456?! WTF?”
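The gap between "27 tries with 123456" and "7 successful logins" falls out of Kippo's own log once you tally tries and successes per account separately: a stock Kippo only accepts the user/password pairs in data/userdb.txt, which ships with root:0:123456, so root/123456 succeeds every time (7 tries, 7 logins in the table above) while ftpuser/123456, oracle/123456 and the rest fail. The script below is an added example written for this page, not the speaker's code, and reproduces all four Kippo charts (attempts per source IP, top user names, top passwords, and the per-account breakdown for one password) from a log. It assumes Kippo's log line shape, `<date> <time> [SSHService ssh-userauth on HoneyPotTransport,<n>,<ip>] login attempt [<user>/<password>] succeeded|failed`, and the lines in SAMPLE_LOG are constructed for the example, not the talk's data.

```python
"""Tally a Kippo log the way the talk's charts do.

Added example, not the speaker's code. Assumes Kippo's auth log line shape
(see LINE_RE); SAMPLE_LOG is constructed for this example.
"""
import re
from collections import Counter

# One auth attempt per line; the transport tag carries the attacker's IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>.*)\] (?P<result>succeeded|failed)$")

# Constructed sample (TEST-NET addresses, not real captures). Only root/123456
# succeeds, as with Kippo's stock data/userdb.txt; the "New connection" line is
# the kind of non-auth line the parser must skip.
SAMPLE_LOG = """\
2013-02-27 10:01:12+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.9] login attempt [root/123456] succeeded
2013-02-27 10:01:15+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [ftpuser/123456] failed
2013-02-27 10:01:16+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [oracle/123456] failed
2013-02-27 10:02:40+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.4] login attempt [root/!Q@W#E$R%T^Y&U*] failed
2013-02-27 10:02:41+0000 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.4] login attempt [root/123456] succeeded
2013-02-27 10:02:55+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.4] login attempt [bin/bin] failed
2013-02-27 10:05:01+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.0.2.77:51234 (10.0.0.5:2222) [session: 5]
2013-02-27 10:05:03+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.77] login attempt [root/1234] failed
"""


def parse(log_text):
    """One dict per auth attempt (ts, ip, user, password, result); other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def attempts_per_ip(attempts):
    """The 'attacker IP / connection attempts' chart."""
    return Counter(a["ip"] for a in attempts)


def top_usernames(attempts, n=25):
    """The 'Top 25 user names / times tried' chart."""
    return Counter(a["user"] for a in attempts).most_common(n)


def top_passwords(attempts, n=25):
    """The 'Top 25 passwords / tries' chart."""
    return Counter(a["password"] for a in attempts).most_common(n)


def password_breakdown(attempts, password):
    """For one password: {user: (tries, successes)}.

    Summing the tries gives the chart's "N used 123456"; summing the
    successes gives the "successful logins" figure. They differ because
    Kippo only accepts pairs listed in its userdb.
    """
    tries, wins = Counter(), Counter()
    for a in attempts:
        if a["password"] == password:
            tries[a["user"]] += 1
            if a["result"] == "succeeded":
                wins[a["user"]] += 1
    return {user: (tries[user], wins[user]) for user in tries}


def successful_logins(attempts):
    return sum(1 for a in attempts if a["result"] == "succeeded")


if __name__ == "__main__":
    attempts = parse(SAMPLE_LOG)
    print("attempts per IP:", attempts_per_ip(attempts).most_common())
    print("top user names:", top_usernames(attempts, 5))
    print("top passwords:", top_passwords(attempts, 5))
    print("123456 by account:", password_breakdown(attempts, "123456"))
    print("successful logins:", successful_logins(attempts))
```

For a real run, replace SAMPLE_LOG with the contents of Kippo's log/kippo.log (the path is the default in kippo.cfg, an assumption here) and keep the `if m` filter: the log interleaves auth attempts with connection, command and file-transfer lines, and only the auth lines feed these charts.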

Kippo stats: Interesting passwords

All against the root account. The right-hand column is the shifted top row of a US keyboard, extended by one key on each attempt.

root (non-ASCII password, rendered as ├╢├Ä ä Ñ . ä ┐ é Ñ├ ┬ ├╛ ├▓├ ┬ ├ ┬) | root !Q@W#E$
root !@$#jMu2vEUIOLweoP#!TTG$@#dsgfGR#$sgs | root !Q@W#E$R
root $hack4m3baby#b1gbroth3r$ | root !Q@W#E$R%
root 654321 | root !Q@W#E$R%T
root Ki!l|iN6#Th3Ph03$%nix@NdR3b!irD | root !Q@W#E$R%T^
root @!#$%&*Th3@#$!F0RcE%&*@#IS!@#$%!& | root !Q@W#E$R%T^Y
root diffie-hellman-group-exchange-sha11 | root !Q@W#E$R%T^Y&
root 123 | root !Q@W#E$R%T^Y&U
root 1234 | root !Q@W#E$R%T^Y&U*
root 12345 | root !Q@W#E$R%T^Y&U*I
root 1234567 | root !Q@W#E$R%T^Y&U*I(
root 12345678 | root !Q@W#E$R%T^Y&U*I(O
root 123456789 | root !Q@W#E$R%T^Y&U*I(O)
root deathfromromaniansecurityteamneversleepba | root !Q@W#E$R%T^Y&U*I(O)P
root rooooooooooooooooooooooooooooooooot | root !Q@W#E$R%T^Y&U*I(O)P_

Kippo stats: File downloaded

psyBNC 2.3.2

------------

This program is useful for people who cannot be on irc all the time. It's used to keep a connection to irc and your irc client connected, or also allows to act as a normal bouncer by disconnecting from the irc server when the client disconnects.

HoneyD

How you can make your netbook useful and fun again!

Interactive portion results….

Etc.

HoneyDrive

Keith Dixon
@Tazdrumm3r
#misec – Tazdrumm3r
tazdrummer@gmail.com
http://tazdrumm3r.wordpress.com