Research Paper By: Hasantha Alahakoon | 1: Overview of Cyber crimes 1

Computer Hacker Profiling

Despite being a relatively new domain, the Internet has become a requisite of contemporary society. A country's political, social and individual performance is more dependent on the internet than ever before. In the twentieth century, the internet, or cyberspace, plays a vital role in most, if not all, of the key aspects of society, such as communication, transport, education, entertainment and warfare. But with this rapid growth of the internet, and going by the popular belief that 'every new technology leads the way to new kinds of crimes' (Agar 2003), the emergence of a new breed of crimes, so-called cyber crimes, and a new breed of criminals, so-called cyber-criminals, was inevitable. Because of the increased dependency between the internet and the critical services of contemporary society, these cyber-crimes pose a very real and probable threat. According to research conducted by McAfee Inc, one of the world's prominent computer security companies, businesses lost more than one trillion US dollars in the year 2008 alone due to data theft and cyber crimes, which shows how devastating they actually are (Research Shows Global Recession Increasing Risks to Intellectual Property 2009). Therefore suitable measures to detect and prevent cyber criminals in advance are of utmost importance, and this paper proposes a method of identifying cyber criminals, hackers to be exact, based on their behavioural aspects with the help of honeynets.

This paper is organised as follows. Section 1 provides an overview of current cyber crimes at a very high level, in order to keep the size of the paper manageable. Section 2 critically discusses the concept of computer hacking and the different types of computer hackers. Section 3 discusses hacker profiling, a unique signature that can be used to identify computer hackers. Section 4 provides a detailed discussion of the step-by-step procedure for setting up a honeypot, how it functions, how the activities can be monitored, how evidence can be gathered and how the criminal can be traced back. Finally the paper draws conclusions and provides the grounds for future work.

1: Overview of Cyber crimes

Cyber crimes, a domain with a long history that runs back as early as the 1970s, yet an overlooked concept until the early eighties, come in different shapes and flavours: DDOS attacks, web defacement, identity theft, distribution of child pornography, software piracy and computer hacking, just to name a few. The following paragraphs provide very brief introductions to them.

DDOS is an attack in which a cyber criminal uses several hundred random computers on the internet to collectively attack a victim's computer infrastructure with a continuous workload, up to the point that it can no longer process its legitimate tasks, thus bringing it offline (Janczewski & Colarik 2005, p.86).

Web defacement, on the other hand, is a cyber criminal accessing and changing the contents of a popular web server without the consent of the server administrator, for the purpose of humiliating the owners, gaining recognition among the underground community or conveying the hacker's opposition to the contents of the web page (Janczewski & Colarik 2005, p.99).

Child pornography, though a crime known to the world before the advent of the internet, has been reinforced by cyberspace because it acts as a breeding ground for paedophiles to engage with and meet children in a virtual world, not to mention that it has made it easier for sex offenders to produce illicit material, meet offenders with similar interests and exchange those illicit materials (Hazelwood & Burgess 2009).

Identity theft, or identity forgery, on the other hand, is 'the misappropriation of the identity (such as the name, date of birth, current address or previous addresses) of another person, without their knowledge or consent' (CIFAS), and the use of those details for criminal activities and for purchasing goods and services (Janczewski & Colarik 2005, p.120).

Software piracy is the unauthorised use or illegal copying of computer software. According to the Business Software Alliance, as of 2008 pirated software accounted for 41 percent of the software used on business and home computers, causing estimated financial losses of 53 billion US dollars for software developers (Bartz 2009).

2: Review of Computer Hacking

Computer hacking, and hackers, the focus of this paper, is, unlike the other disciplines mentioned above, hard to define. Just like the term 'hacker', 'computer hacking' too does not have a clear and concise definition. The term 'hacker', which in the 1970s referred, as a sign of respect, to a programmer with extreme competence in programming, now refers to a young programmer who uses his technical skills to harmful ends such as creating viruses, breaking into others' computers and crashing machines (Chiesa et al. 2007).

Similarly, in the early 1960s 'computer hacking' was defined as 'to put together software programs with little regard for "official" methods or software writing procedures in order to improve speed and efficiency' (Chiesa et al. 2007). But today the Cambridge Advanced Dictionary interprets computer hacking as 'to get into someone else's computer system without permission in order to find out information or to do something illegal'. So in today's world hacking can be loosely defined as unauthorised access to computer systems. But it is hard to draw a fine line between computer hacking and the other computer misuses such as DDOS, web defacement, unauthorised modification and so on. Hacking is not an end but a means. For instance, in order to perform a DDOS attack, the attacker has to recruit the zombie machines by hacking into computers and installing malicious software (such as IRC bots) on them. Similarly, in order to deface a web page, the attacker has to gain access to that web server by hacking into it.

So it is clear that hacking is merely a means of performing another crime. Once in, the attacker can perform any crime he desires, ranging from DDOS, web defacement and identity theft to credit card fraud.

"To some, it is about exploration, learning, and fascination with the inner workings of the technology that surrounds us; to others, it is more about playing childish pranks, such as rearranging someone's Web page or displaying pornographic images on a public server." (Thomas 2002)

2.1: Computer Hackers

In the early 1960s the term 'hacker' was used by programmers to describe a fellow programmer who was really competent in programming and who had the ability to change or modify existing code in a way that made the software run more efficiently than the 'official' version. But by the late 1970s it was no longer sufficient for a programmer to write efficient code in order to be called a 'hacker'; it was also necessary for him to belong to a hacker culture, the hacker 'underground'. Today, however, a 'hacker' is a programmer who merely uses his skills, or the tools he possesses, for destructive ends such as crashing networks, creating viruses and accessing computers illegally. The term 'hacker', once an honourable term, is now used to describe the programmers once called 'crackers' (Chiesa et al. 2007).

Definitions aside, hackers see themselves as a set of people who are motivated by inquisitiveness, willing to take on challenges, smarter than others and continuously in search of information. In addition they are strong believers in freedom of information: they believe that information should be equally available to everyone and that things should be allowed to be improved. One's reputation or rank in the hacker underground depends on his skills in programming and on various operating systems, his abilities and knowledge of hacking, and his willingness to share his knowledge with others. Though hacking into computer systems without consent is considered illegal, according to the hacker code of ethics it is acceptable as long as the hacker is not stealing, destroying or breaching the confidentiality of the owner (Thomas 2002).


However, not all hackers adhere to the 'hacker code of ethics' equally. Therefore the hacker community can be categorised into two main sections, 'white-hat hackers' and 'black-hat hackers'. As the names imply, these represent the two extreme ends of the hacking community, the good and the evil. White-hat hackers are the 'good' hackers who possess the skills of a black hat but have decided to stay with authorities and governments to help with anti-cyber-crime operations. Black-hats, on the other hand, are the criminal hackers who access others' computer systems illegally and steal and sell the information residing on them. Between those two extremes reside the 'grey-hat' hackers, who do not seem to have a clear code of ethics.

Hackers can be further categorised based on their level of expertise in the field of hacking. The main categories are, among others, 'Wannabe lamer', 'Script-kiddie', 'Cracker', 'Ethical hacker', 'Cyber-warrior' and 'Industrial spy' (Chiesa et al. 2007).

Wannabe lamers, the most common type of hacker, are the 'newbies' of the field of computer hacking. They are new to hacking and lack the expertise needed. The Script-kiddie, the next instalment of the hacker community, is a slightly more advanced hacker who specialises in using hacking tools developed by others.

'Cracker', though initially used to describe software pirates, now refers to dangerous hackers who are technically competent but violent in nature. The 'Ethical hacker', on the other hand, is a hacker who has widespread knowledge of several operating systems and who uses his knowledge in a harmless way. They might hack into a system, but they would not spread chaos as the crackers do; they might even inform system administrators about the security fixes after the hacking instead (Chiesa et al. 2007).

'Cyber warriors' and 'industrial spies' are the professional hackers who have developed various skills over the years. Unlike the less competent hackers such as script-kiddies and lamers, they like to maintain a low profile. 'Industrial spies' can be disgruntled or ex-employees, and therefore they pose a larger security threat, as they are aware of the computer systems in use.

3: Profiling Computer Hackers

With an understanding of the different types of hackers, this section focuses on creating a profile that represents a hacker, so that it can be used to attract other hackers to a honeypot for subsequent study. As already pointed out in the previous section, there are different types of hackers, and they have different personalities, motives, knowledge, resources and technical skills. Therefore the author believes that it is not possible to create a single profile that would cater to all of the above hacker types. The paper therefore focuses on creating a profile that appears to be a 'Script-kiddie', which would help attract other script-kiddies to the honeypot. Though the profile might work on the other types of hackers, it will not be as effective as it is on script-kiddies.

There are several reasons why the paper selected the script-kiddie as its target. First and foremost, they are the most common type of hacker next to the 'wannabe lamer'. Though the 'wannabe lamer' is the most common type, because of their lower skill level they are not much of a threat to current computer systems. In addition, most script-kiddies can also be labelled as 'crackers', since they are often destructive. Because of their high numbers and their destructive nature, the paper holds that it is vital to understand them before the other hacker types.

Furthermore, as will be discussed later in the 'profile of a Script-kiddie' section, script-kiddies do not have a clear target. They scan the internet for specific vulnerabilities and attack those servers, whereas the big fish have a clear and predefined target. Therefore it is next to impossible to attract 'true' hackers into a honeypot using just a profile (even if a real black-hat is caught, he would most likely identify that he is in a honeypot and abort), as opposed to script-kiddies, who would most willingly attack the honeypot (unaware that it is a honeypot) if they think they can bring it down with their tools. Therefore the paper decided to profile script-kiddies to better understand their behaviour and their tools of the trade.

3.1: Cyber profiling

Cyber-crime profiling can be defined as 'the investigation, analysis, assessment and reconstruction of data from a behavioural or psychological perspective extracted from computer systems, networks and the humans committing the crimes' (Tofoyo 2003). Understanding cyber-criminals better would undoubtedly help organisations to safeguard their networks. Criminal profiling can be done in one of two ways, deductive profiling and inductive profiling. In deductive profiling, the criminal's personality is deduced by observing the crime scene. In inductive profiling, the personality of the criminal is deduced by comparing him with a set of known offenders (Chiesa et al. 2007). In traditional criminal profiling, investigators observe the crime-scene behaviour of the criminal and deduce information about him. But this paper uses the reverse of the traditional approach; it uses inductive profiling. Here, the characteristics of the criminal (the script-kiddie) are identified by observing known offenders, and then a potential crime scene of interest to him (a honeypot) is developed with the intention of attracting him for further observation.

In this paper, the deductive method of criminal profiling will be used to create the profile of the script-kiddie. The characteristics of the hacker, script-kiddies to be exact, will be identified by reviewing the available literature on hackers. Those identified characteristics will be used and portrayed in the profile that is created.


3.2: Profile of a Hacker (Script-kiddie)

The script-kiddie is a slightly more advanced hacker than the 'wannabe lamer' and specialises in using hacking tools developed by others. While 'real' hackers develop their own tools (in addition to the available tools) according to the network they intend to attack, script-kiddies always have to rely on tools developed by others because they possess very little technical skill. They have no idea of the functionality of those tools or how the exploit works, but they do specialise in using them. Script-kiddies regularly update their arsenal of tools by visiting sites which provide such tools (Chiesa et al. 2007).

'Real' hackers penetrate computer systems because of their love of the technology and because they are inquisitive by their very nature. Contrarily, script-kiddies have no interest in learning or gaining new competences. They do not care about the means; they are only interested in the end result (Chiesa et al. 2007).

Script-kiddies consist mainly of teenagers between the ages of 10 and 18. Script-kiddies can function alone or as a group, but they mostly prefer to act alone. The best way to identify a script-kiddie is that they love to brag in public about their activities (the activities they have carried out using others' tools). They are mostly driven by fame; they have a strong ego and a higher need to show off than other hackers. Script-kiddies often use IRC chat rooms to brag about their successes and their exploits, whereas 'real' hackers are confident about their abilities, do not seek outside recognition, do not try to satisfy their ego and like to keep a low profile (Chiesa et al. 2007).

For 'real' hackers, 'hacking' means being good at computers and operating systems. While a script-kiddie's biggest motive is fame, they might also use hacking to show their anger, to make fun of others or to vent their frustration and aggressiveness. They might find great satisfaction in hacking into systems that are considered secure and invulnerable, and this would give them a sense of ownership and the thrill of the forbidden. The idea of getting caught by the police does not discourage them; they are excited about it instead. If caught, they think they will be celebrities in their little hacker underground (Chiesa et al. 2007).

On the other hand, most script-kiddies have never seriously considered the possibility of getting arrested. They are overly confident about their 'hacking skills'; they believe that they have taken the necessary precautions and have wiped out all the traces. They are even ready to go the extra mile by openly challenging authorities, claiming that they have never been arrested (Chiesa et al. 2007).

The most popular activities among script-kiddies are web defacement, DOS, gaining control of IRC chat rooms, kicking their rivals from the chat room and crashing the chat rooms. When it comes to penetrating computer systems, 'real' hackers are well organised and do not leave anything to chance. They have a clear target, they use sophisticated tools and tricks, they take notes at every important step, they follow a specific mode of operation (they have a specific attack signature) and they would even practise social engineering if necessary. But script-kiddies are not so well organised. Their modus operandi is totally different from that of 'real' hackers. First and foremost, they do not have a specific target. They just scan the internet for random web servers with known vulnerabilities for which they have scripts to exploit. Once such a web server is found, with the help of those scripts they gain root access, do some browsing, copy the contents if interested, and deface the web page and leave their signature. One significant characteristic of script-kiddies, at least of the majority of them, is that they do not destroy the contents of the web page; they copy it to a different location and notify the system administrators about it (Chiesa et al. 2007).


When defacing, script-kiddies prefer to select popular and highly visible sites such as government web sites and large corporate systems. Further, script-kiddies can be categorised as 'crackers', since they prefer to crash or DDOS sites with high visibility, as opposed to 'real' hackers, who rarely crash computer systems deliberately.

3.3: Development of the Physical Profile

In order to attract script-kiddies to the honeypot, it is necessary to visit the underground forums and IRC chat rooms where they reside and post numerous comments. Before starting to post in forums, it is almost always necessary to register and create a profile. When registering with a forum, the user is asked to provide a nickname, password, email address, age, profile picture, gender and signature. The following section provides a brief discussion of the information a script-kiddie would be likely to provide when registering with such a forum.

According to Chiesa et al., the nickname of a script-kiddie or a hacker can be anything and does not portray any characteristic of him. But Raoul et al. also state that hackers pick nicknames that they think are 'cool', that describe their technical skills, or that are often the nicknames of elite hackers. They also pick the names of characters from famous movies (some of the movies popular among hackers are 'Wargames', 'Lord of the Rings', 'Ferris Bueller's Day Off' and 'The Matrix') (Chiesa et al. 2007). Therefore when creating the profile it is possible to pick a nickname such as 'm4tr!x_n3o' (a character from a movie) or 'Pr0metheus' (the nickname of an elite hacker). Script-kiddies, and hackers in general, prefer to use hacker slang when picking a name or when posting on the forums.

As already mentioned, script-kiddies are often teenagers between the ages of 10 and 18. Therefore when creating the profile it is suitable to pick an age within that range, preferably close to the upper end. Choosing a lower age would sometimes reduce the respect among the other script-kiddies, thereby reducing the chances of attracting other hackers.

According to a survey conducted by Chiesa et al., most hackers are boys; according to the survey's statistics, 60% of hackers are male. Therefore it is suitable to select 'male' as the gender in order to better mimic a real script-kiddie.

As there is no literature describing a hacker's profile picture, a picture of the main actor of the 'Matrix' movie will be used to complement the nickname 'm4tr!x_n3o'.

Forums often ask for a signature, which is displayed below each of the user's comments. Since script-kiddies are often high on their ego, aggressive and overestimate their hacking skills, in order to appear as a real script-kiddie it is necessary to use a signature such as 'hax0r. Real life is just a hobby' or 'I 0wn u n00bs!'.

Figure 1: An Example profile created at http://www.hackforums.net


After creating the script-kiddie's profile, the next and most important step is to start posting in the forums. These posts have to be in hacker slang and carefully planned to target the interests of script-kiddies so that they are lured into the honeypot.

Chiesa et al. in their book 'Profiling Hackers' provide an example of a posting by a hacker. The post is as follows:

‘Yo man! Whaz da b3st way t0 hack www.nasa.gov???? Hey c’mon, explain me man!!!’

Therefore when posting comments this kind of style and slang will be used to better fit into the hacker culture. For the purpose of attracting script-kiddies to the honeypot, the following comment can be posted on various hacker forums:

‘yo n00bs, I f0und di$ n3tw0rk (172.168.0.50) last night while I was d0ing $um pr0bing. L00ks like it is $ome kind 0f a mu$ic service and its Fu11 of $ecurity bugs!! I am g0nna download as much as mus!c I like 2day, u know what I mean :P’

Figure 2: An example thread started at http://www.hackforums.net

The comment conveys several messages (at least in the best-case scenario) to a script-kiddie, which would hopefully exploit their weaknesses. First and foremost, the poster is bragging about his abilities, which is typical behaviour of a script-kiddie. This bragging and insulting ('noob' is considered an insult in the hacking community) would trigger a competition among fellow aggressive script-kiddies to take control of the server to prove that they are better than the poster. Secondly, the poster says that the server is full of security bugs and was found while the poster was probing. Since the most common method script-kiddies use to find vulnerable servers is probe scanning, the other script-kiddies too would expect to find this server by probing. Since the poster also comments that the server is full of bugs, the script-kiddies would be further encouraged to access it illegally, DDOS it or deface it (a typical script-kiddie's favourite crimes). Since most script-kiddies are in the 10-18 age group, it was assumed that they would like to download audio tracks; therefore, as bait, the poster mentions a music service hosted on that network. Another important characteristic of this comment is that it cannot be considered entrapment: the poster is not inviting the fellow hackers to the honeypot, at least not directly.

Comments of this kind, posted on various hacker forums, would help to attract script-kiddies to the honeypot.

4: A Honeypot for capturing Script-kiddies

A honeypot is defined by L. Spitzner as an 'information system resource whose value lies in unauthorized or illicit use of that resource'. Using a honeypot it is possible to better understand hackers in terms of their technical aspects, such as their root-kits, tools, Trojans and exploits, and their ethnological aspects, such as their motives, interests and hidden links between different black-hat groups. Therefore this section of the paper discusses utilising honeypots in order to better understand script-kiddies.

4.1: Design of the honeypot

For the purpose of observing script-kiddie behaviour, the paper utilises a 3rd generation honeynet: the 'Roo' Honeywall CDROM provided by the 'Honeynet Project'. The author believes that it is better to use a well-established honeynet framework for this purpose rather than building one from scratch, because the honeynet framework proposed by the 'Honeynet Project' is thoroughly tested and evaluated, and there is no need to reinvent the wheel.

A honeynet is a network of honeypots; in other words, it is a high-interaction honeypot. It allows hackers to interact with real operating systems, real software and real services, as opposed to low-interaction honeypots, where the attacker is dealing with an emulated environment. Because of this real environment provided by honeynets, it is possible to capture more extensive information on threats, such as how they attack, why they attack, what tools they use and how they communicate, than with a traditional honeypot. One reason for selecting honeynets for this paper is this ability to collect in-depth information about attackers, not to mention the freedom it gives the system administrator to install a wide array of applications, services and hardware, as on a real server (Spitzner 2003).

Since building a real honeynet is complex, expensive and hard to maintain, the paper uses a virtual honeynet to attract script-kiddies. In a traditional honeynet, each honeypot is installed on a separate computer. Not only is this approach expensive and hard to maintain, but the analysis of the results is also harder because the evidence is scattered throughout the network. By contrast, a virtual honeynet occupies only a single computer with virtualisation software installed on it, but to a script-kiddie it appears as a network of computers with different operating systems. Therefore the author believes that it is best to use a virtual honeynet to understand script-kiddies.

But virtual honeynets have downsides of their own. First and foremost, if an attacker has the ability to compromise the virtualisation software, he has the ability to take over the honeynet. Secondly, it is easier for an attacker to detect a virtual honeynet than a traditional honeynet, thus jeopardising the whole idea of the honeypot (Know Your Enemy: Defining Virtual Honeynets 2003). But it was assumed that the target population of the honeynet, the script-kiddies, do not possess such high-level skills.

In order to further ensure that script-kiddies cannot gain control of the entire virtual honeynet, it will be implemented as a 'hybrid virtual honeynet'. In this case, similar to a traditional honeynet, firewalling, intrusion detection and activity logging are done on separate devices; only the honeypots are virtualised on a single computer. Not only does this make it impossible for script-kiddies to gain control of the entire honeynet just by exploiting the virtualisation software, but it also preserves the evidence even in case of a honeynet takeover.


4.1.1: Precautions to take when designing the Virtual honeynet

The ability to use the honeynet against other computer systems should be minimised. For instance, a script-kiddie might try to use the honeynet as a launching pad for DDoS attacks against other computer systems. It is impossible to neutralise this risk entirely, because in order to observe hacker behaviour it is necessary to give him a considerable degree of freedom (Know Your Enemy: Honeynets 2006).

The script-kiddie should not be able to detect that he is interacting with a honeynet rather than with an actual server. If they recognise it, the chances are they will abandon the server or try to bypass the honeynet. Therefore it is crucial to make as few modifications to the honeynet as possible.

Even if a script-kiddie takes over the honeynet, he should not under any circumstances be able to detect or modify the collected data. The best way to ensure this is to store the captured data on a separate, secure computer.

The script-kiddie should never be able to disable the functionality (data control and data capture) of the honeynet (Know Your Enemy: Honeynets 2006).

The script-kiddies must not be able to perform illegal activities from the honeynet, such as uploading child pornography or pirated movies, audio and games (Know Your Enemy: Honeynets 2006).

The script-kiddies must not be entrapped by the honeynet. They should never be forced or tempted by the honeynet to do something that they would not do otherwise.

4.1.2: Architecture of the Honeypot

The honeynet system would mainly consist of three components: the honeywall, the virtual honeynet and the remote management server.

The honeywall will act as the gateway to the honeynet and will log all incoming and outgoing traffic to and from the honeynet. In case of a successful honeynet penetration, the honeywall would inform the network administrator. In addition to logging all the traffic, the honeywall would also prevent the honeynet from being used against other computer systems.

Fedora Core 3 (fully patched with the latest security updates), key-logging software and virtualisation software would be installed on the honeynet computer. With the help of the virtualisation software, different virtual honeypots will then be created inside the honeynet computer, and a different operating system will be installed on each of them. These honeypots would appear to a script-kiddie as a network of computers.

The honeypot operating systems would be left unpatched, without security updates, so that script-kiddies would identify those individual honeypots as potential targets during their vulnerability scanning. The relevant software and web pages will be installed on the honeypots to make them look like real web servers, so that the script-kiddies would try to attack them. Since the network-level traffic is already captured and logged by the honeywall, the honeynet only has to capture the activities that the script-kiddie performs inside the honeypots, such as his keystrokes.

All the data collected by the honeywall and the honeynet would be transferred covertly to the remote management server for storage. The remote management server will be kept separate from the honeynet and will be well secured. In addition to storing the data collected from the honeynet, the remote management server can also be used to control the configuration of the honeynet through a secure connection.


The data collected from the honeynet can be analysed, and based on the information derived from that analysis, the script-kiddies can be profiled.

4.2: Functionality of the Honeynet

Figure 3: The Architecture of the Virtual Honeynet


Figure 4: Flowchart for the Honeynet

The most important component of the honeynet is the gateway, often called the 'honeywall'. It separates the honeynet from the outside network and is the single point through which all traffic to the honeynet passes. It is advisable to use a layer-two device as the honeywall in order to reduce the risk of detection by the script-kiddies (Know Your Enemy: GenII Honeynets 2005).

The honeywall would consist of three Ethernet interfaces. Eth1 is used for the honeynet. Eth0 is used for the production computers (the production computers are used to profile any internal hackers), and this interface would stop any attackers from reaching the production computers by exploiting the honeynet. Eth0 and Eth1 would be in bridging mode in order to reduce the chances of detection. When in bridging mode, no MAC addresses will be assigned to them, there will be no hop in between and therefore the TTL will not be decremented; this would effectively reduce the chances of detection (Know Your Enemy: GenII Honeynets 2005).

As already mentioned above, it is crucial not to store the collected data on the same computer as the honeynet, as an attacker might destroy or modify it. Therefore eth2 would be used to covertly transmit the collected data to the remote management server. In addition, this interface will also be used by the remote management server to control the configuration of the honeynet through a secure shell.

As already mentioned, it is important that the honeynet cannot be used as an attacking pad against other computer systems. This is achieved by installing data control software such as IPTables and a network intrusion detection system on the honeywall. IPTables will be configured to control the number of outbound connections that the honeynet can initiate. When controlling the number of outbound connections, it is important to note that limiting it too much would curtail the freedom of the script-kiddie, thus reducing the ability to identify his behaviour properly (it is worth noting that a script-kiddie would often use outbound connections for FTP, for downloading rootkits and for connecting to IRC channels). Not only would this curtail his freedom, it would also increase the chances of detection, as a skilful hacker might purposely increase the outbound connections to see if he is inside a honeynet (Know Your Enemy: GenII Honeynets 2005).

The network intrusion detection system on the honeywall is used to drop any packets with known attack signatures. Snort NIPS will be used for this.

4.2.1: Activity Monitoring

In addition to the above functionality, the most important aspect of any honeypot, data capture and activity monitoring, would be done in several layers in the honeynet. Firstly, when IPTables is used in the honeywall to rate-limit the outbound traffic, it also logs all the inbound and outbound traffic to a separate log file (/var/log/messages) (Know Your Enemy: GenII Honeynets 2005).

Secondly, a packet sniffer such as Snort, which is built into the honeywall, would be used to further monitor each and every packet and its corresponding payload. These two approaches, IPTables and Snort, would monitor any network-level activity (Know Your Enemy: GenII Honeynets 2005).

But the script-kiddie's activities inside the honeynet itself cannot be monitored by the honeywall. If the script-kiddie is using a non-encrypted shell such as telnet to communicate with a honeypot, Snort would be able to capture them successfully. But most of the time they use secure, encrypted connections, which render network-level packet sniffers ineffective.

Therefore any automated scripts and the script-kiddie's keystrokes have to be captured inside the honeynet itself, right after they are decrypted. For that, Sebek, a kernel-level data capture tool, would be used. Sebek would secretly record any keystrokes and scripts of the attacker and transmit them to the remote management server (Know Your Enemy: GenII Honeynets 2005).

In addition to data storage, as already mentioned under 'Architecture of the honeynet' (section 4.1.2), the remote management server can be used to control the honeynet through a remote connection.

4.2.2: Evidence Gathering

All the data gathered by IPTables, Snort and Sebek will be transferred to the remote management server. This is to reduce the chances of detection and to ensure that the script-kiddie will not be able to modify or destroy the collected evidence. Since all the collected data, from the network level and the host level and from the different honeypots, is in a centralised location, the analysis is made easier.

When designing the honeynet, the method of inductive profiling was used in order to attract the script-kiddies: the honeynet was designed according to the interests, motives and characteristics of script-kiddies so that they would be attracted to it. Now it is time to gauge the success of the profiling method used, that is, to measure how well it attracted their interest. Since there is now a crime scene and a snapshot of the criminal's behaviour, it is possible to see whether the captured behaviour and the crime-scene leftovers match the profile designed earlier.


After analysing the log files of IPTables, Snort and Sebek, it is possible to find who hacked into the honeynet (IP address), when he hacked into it, the tools he used, how he gained access, the timeline of the events and from where he gained access.

In addition to those details, it is even possible to deduce why he hacked and his characteristics by observing his behaviour. In other words, it is now possible to build the criminal's profile using deductive profiling. For instance, if the logs reveal that the hacker has specifically targeted this honeypot, it can be assumed that he is most likely not a script-kiddie. By observing the timeline of the events, it is also possible to get a rough idea about the hacker. As an example, if the attacker is only present in the early mornings and late at night, he might be a student or someone who is employed.

In addition, the information the attacker searched for and his actions would also help in profiling him. For instance, if he searched for a specific object, then he may not be in the honeynet by pure opportunity. If he was looking for common files such as mp3s, movies and credit card numbers, chances are he ended up in the honeypot randomly and therefore he could be a script-kiddie. If the attacker performed destructive activities, it can be assumed that he is driven by anger. Furthermore, even the way a hacker hesitates, handles mistakes, and his FTP user name and password (most of the time hackers use FTP to download rootkits and other tools) can reveal valuable information about him (Romney et al. 2005).
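The data-control step of section 4.2 and the evidence-gathering step above, worked through as an added example that is not part of the paper or of the Honeynet Project's own tools: it parses constructed iptables LOG lines of the kind the honeywall writes to /var/log/messages, applies a per-honeypot outbound-connection limit per clock hour, and summarises when an attacker was active, which services he probed and which outbound services (FTP, IRC) the compromised honeypot then used. The interface name, the hourly limit and all addresses are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

HONEYNET_IF = "eth1"         # assumption: eth1 faces the honeypots, as in the paper
OUTBOUND_LIMIT_PER_HOUR = 3  # constructed low limit so the sample below trips it
SERVICE_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 6667: "irc"}
# Constructed sample in the style of iptables LOG output; these are not real captures.
SAMPLE_LOG = """\
May  3 02:14:07 honeywall kernel: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=80
May  3 02:20:31 honeywall kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT=21
May  3 02:21:02 honeywall kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP DPT=6667
May  3 02:22:10 honeywall kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP DPT=6667
May  3 02:22:11 honeywall kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP DPT=6667
May  3 23:40:55 honeywall kernel: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) .*?IN=(?P<inif>\S*) OUT=(?P<outif>\S*)\s"
    r".*?SRC=(?P<src>\S+)\s.*?DST=(?P<dst>\S+)\s.*?PROTO=(?P<proto>\S+)(?:\s.*?DPT=(?P<dpt>\d+))?")


def service_name(port):
    return SERVICE_NAMES.get(port, str(port))  # fall back to the bare port number


def parse_log(text):
    """Turn iptables LOG lines into event dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
                       "dport": int(m["dpt"]) if m["dpt"] else None,
                       "direction": "outbound" if m["inif"] == HONEYNET_IF else "inbound"})
    return events


def data_control(events, limit=OUTBOUND_LIMIT_PER_HOUR):
    """Per honeypot and clock hour, allow the first `limit` outbound connections, drop the rest."""
    seen, decisions = Counter(), []
    for ev in events:
        if ev["direction"] != "outbound":
            decisions.append((ev, "PASS"))  # inbound traffic is only logged, never limited
            continue
        key = (ev["src"], ev["ts"].strftime("%m-%d %H"))
        seen[key] += 1
        decisions.append((ev, "ALLOW" if seen[key] <= limit else "DROP"))
    return decisions


def attacker_summary(events, attacker_ip, honeypot_ip):
    """When the attacker was active, what he probed, and what the honeypot then reached out to."""
    inbound = [e for e in events if e["src"] == attacker_ip]
    outbound = [e for e in events if e["src"] == honeypot_ip and e["direction"] == "outbound"]
    if not inbound:
        return None
    return {"first_seen": min(e["ts"] for e in inbound).strftime("%b %d %H:%M:%S"),
            "last_seen": max(e["ts"] for e in inbound).strftime("%b %d %H:%M:%S"),
            "active_hours": sorted({e["ts"].hour for e in inbound}),
            "services_probed": sorted({service_name(e["dport"]) for e in inbound}),
            "outbound_services": sorted({service_name(e["dport"]) for e in outbound})}
```

With the sample, the fourth outbound connection in the 02:00 hour is dropped while all inbound probes pass, and the summary shows activity only at hours 2 and 23 with FTP and IRC as the honeypot's outbound services.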

4.2.3: Identity Identification

As exact information about the attacker, such as his IP address, and deduced information, such as his potential profile, were identified in the 'Evidence Gathering' stage, it is possible to trace back the attacker. Further information about the black-hat can be obtained by contacting the ISP responsible for that IP address. This information will then be provided to the authorities, who would charge the attacker based on his activities captured by the honeynet.

4.3: The Laws against the Script-kiddie

A script-kiddie can mainly be prosecuted under the 'Computer Fraud and Abuse Act' in the USA and under the 'Computer Misuse Act' in the UK. The 'Computer Fraud and Abuse Act' can be further broken down into three sub-acts: the 'Unlawful Access to Information act', the 'Unlawful Access to Obtain Something of Value act' and the 'Unlawful Access Causing Damage act' (Wittliff 2003). The 'Computer Misuse Act' mentions three computer misuses: 'Unauthorised access to a computer system', 'Unauthorised access with intent to commit or facilitate commission of further offences' and 'Unauthorised modification of computer material'. Based on the script-kiddie's activities inside the honeynet, he can be charged under one or more of those acts.

However, the criminal can present the defence of entrapment against the evidence collected from a honeynet. In order to get the best use of a honeynet, it has to be probed or attacked; therefore developers often promote honeynets among the hacker community. So the criminal can argue that he was tempted by the honeynet to do something that he would not do otherwise.


5: Conclusion

With the rapid development of the internet and the associated technologies, there has also been an equal, if not greater, increase in cyber crimes. Cyber-criminals are increasing at an alarming rate as a result of freely available tools and guides on the internet. Every day new tools and exploits are released, making it next to impossible for system administrators to familiarise themselves with these exploits and to stay on par with the hackers.

As a result, the concept of honeypots was developed. The concept of a honeypot is quite simple: it is a resource made available to the public so that it might attract cyber-criminals, providing them with a virtual environment that they can interact with. Though not a novel concept, the latest honeypots, the honeynets, provide some of the most promising features in terms of criminal profiling. Unlike the earlier honeypots, they are highly interactive, easy to install, easy to maintain and inexpensive. They work straight out of the box and even come as a complete package on a CD-ROM, as opposed to earlier honeypots where the individual components had to be installed and configured separately. The new honeypots are capable of capturing extensive information about the criminals, thus making criminal profiling easier.

Criminal profiling, on the other hand, can be seen as giving criminals a unique signature based on their characteristics such as skills, motivations, resources and knowledge. Criminal profiling would help in better understanding the cyber-criminals, and understanding the cyber-criminals and their behaviour would undoubtedly help organisations to safeguard their networks.

It is clear that the information gathered from the latest honeynets and criminal profiling strategies would undoubtedly make a hacker's life hard. But current honeynet developers tend to focus overly on a single aspect of the honeynet: they continuously focus on the honeynet itself and look for more sophisticated capturing tools (Raynal et al). But the author believes that future research on honeynets has to be oriented more towards developing tools that are capable of analysing the captured data more comprehensively.


6. References

Agar, J 2003, Constant Touch: A Global History of the Mobile Phone, Icon Books, UK.

Bartz, D 2009, Study finds software piracy growing. Retrieved April 28, 2009 from http://uk.news.yahoo.com/22/20090512/ttc-study-finds-software-piracy-growing-fe50bdd.html

Chiesa, R, Ducci, S & Ciappi, S 2007, Profiling Hackers, Auerbach Publications, Broken Sound Parkway.

Douglas, T 2002, Hacker Culture, University of Minnesota Press, Minnesota.

Hazelwood, RR & Burgess, AW 2009, Practical Aspects of Rape Investigation, Taylor & Francis Group, Broken Sound Parkway.

Janczewski, LJ & Colarik, A 2005, Managerial Guide for Handling Cyber-Terrorism and Information Warfare, Idea Group Publishing, Hershey.

Know Your Enemy: Defining Virtual Honeynets 2003. Retrieved May 2, 2009 from http://old.honeynet.org/papers/virtual/

Know Your Enemy: GenII Honeynets 2005. Retrieved May 2, 2009 from http://old.honeynet.org/papers/gen2/

Know Your Enemy: Honeynets 2006. Retrieved May 2, 2009 from http://old.honeynet.org/papers/honeynet/

Research Shows Global Recession Increasing Risks to Intellectual Property 2009. Retrieved April 28, 2009 from http://www.mcafee.com/us/about/press/corporate/2009/20090129_063500_j.html

Romney, GW, Jeremiah, JK, Brandon, LR & MacCabe, P 2005, IT Security Education is Enhanced by Analyzing Honeynet Data, IEEE, USA.

Spitzner, L 2003, Honeypots: Definitions and Value of Honeypots. Retrieved April 28, 2009 from http://www.tracking-hackers.com/papers/honeypots.html

Wittliff, WR 2003, Computer Hacking and Liability Issues: When Does Liability Attach? Retrieved May 5, 2009 from http://www.gdhm.com/pdf/wrw-hack_article.pdf

