Countering Attack Deception TechniquesCountering Attack Deception Techniques

Pacsec04 - OUDOT Laurentoudot@rstack.org

http://rstack.org/oudot/

"Your eyes can deceive you. Don't trust them!

Stretch out with your feelings...", Obiwan Kenobi

Countering Attack Deception TechniquesCountering Attack Deception Techniques

« « Blackhats versus Whitehats Blackhats versus Whitehats Around Honeypots technologiesAround Honeypots technologies » »

SummarySummary

• About Deception• Defeating Deception• Cloaking issues• Technical examples

– Cyberbattle : fake proxies– Tarpits– Honeyd– Sebek– User-mode-linux– Vmware– Data control– Wireless honeypots

• Conclusions• Some references

About DeceptionAbout Deception

• "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource", Lance Spitzner– Goal : Know Your Enemy by learning the tools, tactics and motives of

the blackhat community.• Building your own deception architecture

– Create non production networks, devices, systems used to delude the attackers (fake company, etc)

– Log everything (system activity, network activity, etc)• Steal their exploits, rootkits, etc

– Protect the infrastructure• Careful with outbound traffic, etc

– Wait and see• Look at attackers loosing time, etc

HoneypotsHoneypots

• Legal issues– Entrapment, tracking, recording, privacy…– What if an attacker uses your honeypot to jump elsewhere ?

• Technical issues– Hardening the network (no bounce, etc) and systems– You need time to monitor the box and analyze intrusions– Stealth problems (!) : fingerprinting...

• Psycho/Philosophy– Do you really want to play with aggressors ?

• What about the strike-back if they become angry ?

• Join the Alliance Research of the Honeynet Project– http://www.honeynet.org/

Defeating DeceptionDefeating Deception

• Goal of attackers– Detect/Avoid the trap– Disable/Avoid logging capabilities

• Why ?– Avoid being tracked and caught– Avoid the capture of 0-days and private techniques

• Tactics used by blackhats– Denial Of Service against part of the architecture– Specific queries to identify differences with a real network/computer– Low level modifications/interactions– Feeling ["Stretch out with your feelings...", Obiwan Kenobi]

Cloaking issuesCloaking issues

• Technical and non-technical problems– Building a honeypot implies strong relationships between managers and

technical staff• About non-technical issues

– Need to create a fake world that looks like being real– Information found though Whois, DNS…– Services proposed

• Web server, Contacts with email…– Just be logical and simple

• Big web agency hosted on a university network ? Strange…– Florida Honeynet Project

• Specific technical issues– Most of the time, honeypots creators deal with hardening, some stealth

problems, etc, but there is no activity generated

Technical ExamplesTechnical Examples

Cyberbattle : fake proxiesTarpits

HoneydSebek [Honeynet]User-Mode-Linux

VMWareData control

Wireless honeypots

Cyberbattle : Fake ProxiesCyberbattle : Fake Proxies

• Fake Proxies are used to delude people like spammers…– Usenix Security 2004, Niels Provos

• Honeypot Hunter, anti-honeypot commercial tool (!)– http://www.send-safe.com/honeypot-hunter.php– Input : list of HTTPS and SOCKS4/SOCKS5 proxies – Output : list of honeypots– Used by spammers to detect the presence of honeypots (tarpits…)– Open a local fake email server on port 25 (SMTP) and ask each proxy to

connect back to itself. If the proxy claims that the session is ok whereas there is no related incoming session : alert.

– Tiny solution : allowing a limited number of outbound connections... • Beyond those technical issues, we can see that the cyberbattle

between honeypots creators and blackhats has already begun

TarpitsTarpits

• A Tarpit is an entity that will delude clients by intentionally responding slowly to their requests (logged and slowed down)– « Labrea Tarpit » by Tom Liston created to slow down the

spread of worms over Internet (http://labrea.sourceforge.net/)– « Netfilter Tarpit Target »

iptables -A INPUT -p tcp -m tcp --dport 139 -j TARPIT

– « Honeyd Tarpit mode »add template tcp port 139 tarpit

Fingerprinting a Tarpit (layer 3)Fingerprinting a Tarpit (layer 3)

• Signature : TCP window size reduced to zero and acknowledgement of further incoming packets – Labrea on 10.0.0.1 (persistent mode) :

03:26:01.435072 10.0.0.2.1330 > 10.0.0.1.139: S 45487:(0) win 64240 (id 6969, len 48)

03:26:01.435635 10.0.0.1.139 > 10.0.0.2.1330: S 38435:(0) ack 45488 win 3 (id 48138, len 40)

03:26:01.435719 10.0.0.2.1330 > 10.0.0.1.139: . 1:1(0) ack 1 win 64320 (id 4970, len 40)

(Three way handshake finished)03:26:01.435887 10.0.0.2.1330 > 10.0.0.1.139: . 1:4(3) ack 1 win 64320 (id 4971, len 43)

03:26:01.436224 10.0.0.1.139 > 10.0.0.2.1330: . 1:1(0) ack 4 win 0 (id 44321, len 40)

03:26:03.731433 10.0.0.2.1330 > 10.0.0.1.139: . 4:5(1) ack 1 win 64320 (id 4973, len 41)

03:26:03.731673 10.0.0.1.139 > 10.0.0.2.1330: . 1:1(0) ack 4 win 0 (id 35598, len 40)

...

– Answers from 10.0.0.1 : first window size equals 3 and furthers equal 0 (« win 0 »)

Fingerprinting a Tarpit (layer 2)Fingerprinting a Tarpit (layer 2)

• Labrea can handle requests sent to non existing hosts– By looking at unanswered ARP requests, Labrea might decide

to simulate an unused IP address (interesting to fight big ugly scanning worms…)

• It answers ARP requests with the same unique MAC address 0:0:f:ff:ff:ff, which acts as a kind of black hole

04:59:00.889458 arp reply 10.0.0.1 (0:0:f:ff:ff:ff) is-at 0:0:f:ff:ff:ff

• Hard-coded value Labrea’s sources (PacketHandler.c)u_char bogusMAC[6] = {0,0,15,255,255,255};

• Notice that Honeyd is now able to play with MAC addresses (better than with the old Arpd method) :

set template ethernet "<vendor|mac address>"

HoneydHoneyd

• Honeyd is an opensource project (GPL) by Niels Provos • Create thousands of honeypots easily

– Network simulated, – Services simulated, – Fake IP stack to defeat xprobe|nmap…

• http://www.honeyd.org

Configuring HoneydConfiguring Honeyd

• Very easy, focus on creation, imagine what could be your own fake networks and systemseg: “I would like a fake box with Linux on 192.168.1.22 with a fake mail server, a fake squid server, and ……….”

• Personality + Services + Fake IP Stack Potential differences ?

create templateset template personality "Linux Kernel 2.4.0 - 2.4.18 (X86)"add template tcp port 25 "perl scripts/fake-sendmail.pl"add template tcp port 3128 "sh scripts/squid.sh $ipsrc $dport"add template tcp port 1080 proxy 192.168.1.34:1080set template default tcp action resetbind 192.168.1.22 template

Building fake servicesBuilding fake services

• Example– A remote attacker contacts the honeypot [1] in order

to talk to the SMTP service.– Honeyd launches an external script [2] that will delude

the attacker [3] by replying with fake answers [4].

echo "220 intranet ESMTP Sendmail 8.1"while read data{

if data ~ "HELO" then …if data ~ "MAIL FROM” then ……

}

Attacker

HoneydHELO

site.com

HELO

sit

e.c

om

stdin

250 intranet...

250

intr

an

et.

..

stdout

[1]

[2]

[3]

[4]

Inside Honeyd Inside Honeyd

LIBPCAPVirtual

IP StackTCP

UDP

ICMP

Services

External

programs

stdin

stdouter

r

logs

Personalities

Engine

honeyd

• Blackhats will try to look at each point of potential differences between reality and Honeyd

Fingerprinting HoneydFingerprinting Honeyd

• Fingerprinting Honeyd– Example of story: linenoise fake-phrack p62 (4 IP released ?)– Another example: Honeyd-0.5

• Time based TCP Fingerprinting method (SYN Proxy behavior)

blackhat computerSYN

SYN/ACKTimeout

SYN/ACK

blackhat honeydSYN

SYN/ACK

?!

# Manually send one SYN to the IP $TARGET (port 80) with hping2.

# Forbid our related RST generated by the incoming SYN|ACK from $TARGET.

iptables –I OUTPUT –i eth0 –d $TARGET –p tcp --tcpflags RST RST –j DROP

hping –c 1 –n –S $TARGET –p 80

SebekSebek

• Stealth system low level logger created for Honeynet architectures

• sys_read() captured and stealthy sent to a remote security database

• Increase the knowledge on the tools, methods and tactics of the attackers

• Examples : – Capture keystroke of blackhats (commands, etc) even over

cyphered sessions (like SSH...),– Steal their tools (local exploits uploaded...) [works with scp...]

• URL: http://www.honeynet.org/tools/sebek/

Anti-Sebek TechnologiesAnti-Sebek Technologies

• Detect problems around sys_read() hijacking...• Detect network modifications (statistics…)…• Example : NoSebreak by Dornseif & Holz

– dd attack– tracking modifications of the syscall table

• Sebek NetBSD : JUMP idea, but easy to detect too• Fozzy idea (time based)

Hardening SebekHardening Sebek

• Current attacks use modules injection, reading of /dev/kmem ...• Towards a trusted sebek version ?

– Patches > Modules (possible Honeynet goal in a short future)– In order to wait, one may avoid modules injection :

• Linux: delete capability "CAP_SYS_MODULE"sysctl -w kernel.cap-bound=-65793

– But attacks based on modules won't be seen anymore and kmem problems remain

• What if Sebek become too stealth ?– Whitehats will enjoy this safer tool– But blackhats may use it to spy on remote victims !

• One report of such an attack in France (non verified)• Q: Should we add an antivirus signature for Sebek Win32 ?

• We must admit that perfection will just be a dream : 100% stealth will remain impossible

User-Mode-LinuxUser-Mode-Linux

• UML is a nice tool that allows to run different instances of Linux (called guests) over a Linux (called the host).– http://user-mode-linux.sf.net/

• Useful to debug kernels (reboot an instance of Linux without rebooting the computer…)

• Paper « Know Your Enemy : Building Honeypots with User-Mode-Linux »– The guests are used as honeypots– The host is used as a security gateway between Internet and

the guests/usr/local/bin/linux ubd0=slash.ext2 tuntap=eth0,,,192.168.1.1

Fingerprint UMLFingerprint UML

• Fingerprinting a standard configuration– « uname –a » « *uml* »

• Solution: create your own kernel without any UML signs– /proc Issues

« cat /proc/cmdline » « ubd0=* root=/dev/ubd0 »« cat /proc/devices » « 98 ubd »« cat /proc/interrupts » « SIGIO ubd »« cat /proc/partitions » « ubd/disc0/disc »• Solution: use « hppfs » the Honeypot ProcFS in order to create your

own /proc

More advanced fingerprintingMore advanced fingerprinting

• More advanced fingerprinting techniques around UML– « /dev » Issues

• « /dev/mem » « /root/.uml/… »• No BIOS Memory, check at specific addresses :

– Bios Memory : 0xFE000 – 0xFFFFF– Bios Video : 0xC0000, Bios HD : 0xC8000

• Solution: oups… pray ? Patch it ?– Ring Buffer Issues : it contains many sensitive data (« uml » « ubd » …)

kprinted at boot• klogctl(3,buf,len) read the ring buffer, accepted for non-root users

and used by dmesg• Fast solution ? Clear the buffer after the boot : klogctl(5,0,0)

• Conclusion : with efforts, one should be able to delude non skilled attackers

Breaking-out of UMLBreaking-out of UML

• Security question: is it possible to jump from a guest to the host ?• HOSTFS problem :

– HOSTFS has been created to allow UML guests to mount the host’s partitions (ease exchange, debug, installation, etc)

– This specific driver is an option proposed during the compilation of UML– If compiled, an attack is pretty easy :Guest-OS# mount –t hostfs /dev/hda1 /mnt

Guest-OS# vi /mnt/etc/shadow (…)– ADVISORY PacSec04: Debian’s package user-mode-linux uses HostFS

by default so that native Debian UML based Honeypots are vulnerable…– Solution: Avoid HostFS, Recompile your own UML by checking values…

• SKA mode : no known evasion, but fingerprintable (dmesg)

Honeypots with VMWareHoneypots with VMWare

• VMWare– http://www.vmware.com/

• Remote detection– Windows guest : queries sent to netbios services to get the

MAC address, Volume information...• NB Name Queries type NBSTAT : MAC Addresses = field « Unit ID »[win] nbtstat –A $IPTARGET

[unix] nmblookup –A $IPTARGET –S

MAC Address = 00-0C-29-xx-xx-xx

– MAC address on the same LAN (or on the guest)• 00-05-69-xx-xx-xx, 00-0C-29-xx-xx-xx, 00-50-56-xx-xx-xx

VMWare, local actionsVMWare, local actions

• Local detection of VMWare : Ken Kato– http://chitchat.at.infoseek.co.jp/vmware/backdoor.html

• I/O ports used between VMWare host and its guests to communicate (useful for the VMWare tools) : 0x5658 and 0x5659

MOV EAX, 564D5868h ; Magic Number ["VMXh"]

MOV EBX, COMMAND_PARAMETER

MOV ECX, BACKDOOR_COMMAND_NUMBER

MOV EDX, 5658h ; Port Number

IN EAX, DX

– ECX : 0Ah Get VMWare version. (EAX, ECX) (version, minor)– ECX : 07h Read (spy) data from host’s clipboard (EAX modified)

VMWare’s BiosVMWare’s Bios

• VMWare uses a PhoenixBIOS– Type F2 at boot

VMW: Playing with Bios valuesVMW: Playing with Bios values• Example : VGA BIOS card on my laptop# dd if=/dev/mem bs=64k skip=12 count=1 |hd...00000080 0d 0a 4d 39 20 42 49 4f 53 20 52 65 71 34 34 37 |..M9 BIOS Req447|00000090 37 0d 0a 00 28 43 29 20 31 39 38 38 2d 32 30 30 |7...(C) 1988-200|000000a0 32 2c 20 41 54 49 20 54 65 63 68 6e 6f 6c 6f 67 |2, ATI Technolog|000000b0 69 65 73 20 49 6e 63 2e 20 42 4b 2d 41 54 49 20 |ies Inc. BK-ATI |000000c0 56 45 52 30 30 38 2e 30 30 37 2e 30 31 31 2e 30 |VER008.007.011.0|000000d0 31 37 00 20 66 78 69 62 6d 2e 61 6c 6c 20 76 36 |17. fxibm.all v6|000000e0 31 31 20 00 4d 39 20 20 41 47 50 20 44 47 44 31 |11 .M9 AGP DGD1|

• Same test with VMWareIBM COMPATIBLE - PhoenixView(tm) VGA-Compatible BIOS VersionCopyright (C) 1984-1992 Phoenix Technologies Ltd. All Rights Reserved

00000010 66 03 27 01 00 00 00 00 00 01 18 01 00 00 49 42 |f.'...........IB|00000020 4d 20 43 4f 4d 50 41 54 49 42 4c 45 0a 50 68 6f |M COMPATIBLE.Pho|00000030 65 6e 69 78 56 69 65 77 28 74 6d 29 20 56 47 41 |enixView(tm) VGA|00000040 2d 43 6f 6d 70 61 74 69 62 6c 65 20 42 49 4f 53 |-Compatible BIOS|00000050 20 56 65 72 73 69 6f 6e 20 00 0d 0a 43 6f 70 79 | Version ...Copy|00000060 72 69 67 68 74 20 28 43 29 20 31 39 38 34 2d 31 |right (C) 1984-1|00000070 39 39 32 20 50 68 6f 65 6e 69 78 20 54 65 63 68 |992 Phoenix Tech|00000080 6e 6f 6c 6f 67 69 65 73 20 4c 74 64 2e 0d 0a 41 |nologies Ltd...A|00000090 6c 6c 20 52 69 67 68 74 73 20 52 65 73 65 72 76 |ll Rights Reserv|

VMWare : solutions ?VMWare : solutions ?

• Remote detection of a Windows guest– Cool idea proposed by Kirby Kuehl (Cisco) : use snort-inline to modify

NetBIOS answers sent by the guestalert udp $HONEYNET 137 -> $EXTERNAL_NET any (msg:"Rewriting VMWare MAC Address in NBSTAT responses";content:"|00 0C 29|"; replace:"|00 0D 60|";)

• Local detection : Hardening VMWare [!]– Incredible patch by Kostya Kortchinsky that modifies interesting values

used by blackhats to fingerprint VMWare• Strings for IDE devices (HD & CDROM)• Strings for SCSI devices (HD & CDROM)• Video adaptor vendor & device IDs• I/O backdoor number [!]• Could be used to change MAC addresses, etc.

– It directly patches the binary of VMWare…– http://www.securityfocus.com/archive/119/349385

Handling outbound traffic: Handling outbound traffic: mission impossible ?mission impossible ?

• What if a blackhat try to bounce from a compromised honeypot ?– Difficult to balance stealthyness and safety (Block it? Slow it? Modify it?)

• Snort_inline : inline packet modification engine– http://snort-inline.sourceforge.net/ – Modification of the well known GPL IDS « Snort » [http://www.snort.org]

• Libpcap Libipqueue (Linux only)– If the snort engine detect something wrong, snort-inline may ask its local

Netfilter to handle the attack (Firewall + NIDS = NIPS)• Pass, Drop, Reject, Replace…• Replace part of the attack to disable it (strings, shellcodes…)

– /bin/sh /ben/sh– alert ip $HONEYNET any -> $EXTERNAL_NET any (msg: "SHELLCODE x86 stealth NOOP"; sid:651; content:"|EB 02 EB 02 EB 02|"; replace:"|24 00 99 DE 6C 3E|";)

– Useful on a gateway to control outbound traffic from a honeypot zone • Data Control (GenII Honeynet) to avoid dangerous bounces from the honeypot

Detecting Data ControlDetecting Data Control

• After a break-in, if a blackhat realizes that outgoing traffic is forbidden, that might look suspicious (weird black hole)

• If some aggressive outgoing packets are modified, it might be possible to detect this trick. Simple method :1) Send packets with malicious content to another controlled host 2) Check whether the packet arrives and remains unaltered at destination

• Difference Inline modification or limitation (all, time, type, number…)

• Solution (?) limiting outbound connections. – Honeynet Project default rc.firewall script :

• Allows 15 outgoing TCP-connections and 50 outgoing ICMP packets per day.### Set the connection outbound limits for different protocols.SCALE="day"TCPRATE="15"UDPRATE="20"ICMPRATE="50"OTHERRATE="15" 

• Fingerprint possible…

Wifi Honeypots : Fake-APWifi Honeypots : Fake-AP

• « Wireless Honeypots Trickery », Securityfocus, L.Oudot• Fake AP : opensource perl script to generate 802.11b beacon

frames with random or specific ESSID and BSSID (@MAC)– http://www.blackalchemy.to/project/fakeap/ – Should Hide an official AP in the cacophony obtained– Legitimate users know the official SSID : no problem– Malicious users will scan and try to connect to fake thousands of SSIDs

• Problem : Fake AP does not generate fake traffic over the simulated access points ( easy to fingerprint)

• Idea of tiny solution : generate random traffic on the wireless device owing to another tool (while running Fake AP)– Example with « esic » (used to stress/test IDS, etc) :

• esic –i wlan1 –s rand –d rand &

ConclusionConclusion

• Fake realities created to delude attackers will (of course) remain different from the reality– Deception architecture will keep some limitations (no perfection)– Blackhats will be able to fingerprint those traps– They will probably try to avoid/disable logging

• What is the goal then ?– We need to simulate the best fake reality– We need to record the more we can to understand their behavior

• Sebek future : sys_read + (sys_execve + sys_fork + sys_open + sys_socket...)– We need to recognize when blackhats try to fingerprint a honeypot– Then, even if someone breaks in a honeypot

• We have the recording to recognize the fingerprinting actions– Role of a burglar alarm + Information about how skilled is your enemy

Some referencesSome references

« Local Honeypot Identification », Fake Phrack 62, Joseph Corey« Advanced Honey Pot Identification », Fake Phrack 63, Joseph Corey« NoSEBrEaK, Attacking Honeynets », IAW 2004, US Military Academy, West

Point, M.Dornseif and T.Holz« Defeating Honeypots, Network Issues », SecurityFocus, T.Holz & L.Oudot« Introduction to honeypot detection », Hackademy Journal, Fozzy« Dossier Honeypots », MISC Magazine 8, http://www.miscmag.com« Why Honeypots sucks », Cansecwest 2004, Lance Spitzner

• Greetz: Dragos, Kostya Kortchinsky, Thorsten Holz, Philippe Biondi, Fozzy, Maximilian Dornseif, Lance Spitzner, MISC Magazine, Obiwan Kenobi

Starwars pictures taken from http://starwars.pl/galeria/fanarts/

May the force be with you…May the force be with you…