7/28/2019 Lowint Honeypots Mark Schloesser 2009-12-01
Low Interaction Server Honeypot Evolution
Mark Schloesser, Giraffe Honeynet Project
FIRST Technical Colloquium, Kuala Lumpur
December 2, 2009
Special thanks for support and for this event.
Server honeypots?
Ways to collect malware
Spamtraps
Honeyclients
. . .
High interaction Honeypots (Windows systems in virtual machines)
Low interaction server honeypots
Giraffe Honeynet Project
Availability of tools is bad
There are non-public (non-GPL) tools
Can not / may not be shared
Some available, but not efficient enough
Giraffe believes in Open Source
Publicly available
GPL
Low interaction: fast, efficient (a /16 or more)
Carnivores
Nepenthes
Nepenthes
Low-interaction server honeypot
Written by Markus Koetter and Paul Baecher (Giraffe)
Written entirely in C++
Vulnerability Modules
Shellcode Manager
Great tool, widely used
Lots of sensors deployed on lots of IP space
Lots of malware gathered over the years
Nepenthes success
Malware reality
1 Malware often uses public exploit code to spread
2 Malware often packs a bunch of public exploits
3 Malware authors often are lazy / unskilled
4 Malware community does code sharing / selling
This leads to. . .
. . . Nepenthes still capturing malware.
The problems
There are always two sides. . .
Pros: C++
Cons: C++
Huh? Even though we always claimed it was easy to write nepenthes modules/addons, there was very little contribution.
C++ is an insult to the human brain.
. . . and other issues . . .
Nepenthes disadvantages
No new / unknown vulnerabilities supported
Vulnerability- instead of Protocol-emulation
Several vulns on Port 445/TCP interfering with each other
Impossible to keep up with exploitation trends
Shellcode manager needs to know shellcode in advance
No TLS
Some ugly details
Vuln modules acquiring 445/TCP
LSASS, PNP, DCOM, ASN1, ms06-070, ms08-067
Interference: modules mostly match against certain byte strings
Return UNSURE, DROP, ASSIGN to core
Which one sends back a response?
Random / Parallel / Chaos
Laziness
Malware authors are lazy
    send(packetbuffer)
    recv(1024) and discard
    send(packetbuffer)
    recv(1024) and discard
    . . .
Nepenthes authors are lazy, too ;)
    LSASSDialogue::incomingData(Message *msg) {
        // ...
        char reply[512];
        // the slide is cut off after the loop header; the bound is taken from
        // reply[512] and the body reconstructed: any content will do, because
        // the exploit discards whatever comes back
        for (int32_t i = 0; i < 512; i++)
            reply[i] = rand() % 255;
        // ...
    }
What now?
Something needs to be done here . . .
Other approaches
Honeytrap
Written by Tillmann Werner (Giraffe)
Dynamically handles incoming connection attempts
Binds UDP/TCP ports upon request
No vulnerability modules
Mirror mode
Honeytrap's mirror mode
Steps
1 Technically interested person (TIP) connects to honeypot
2 Connection request gets frozen
3 honeytrap starts a listener and accepts the request
4 Mirror incoming data to the TIP and vice versa
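The four steps above as runnable code. This is an added example written for this page in Python with asyncio, not honeytrap's own (C) implementation: the accept callback holds the TIP's connection, opens a second connection back to the TIP, and relays bytes both ways until EOF, a per-direction byte limit or a sustain timeout. The `connect_back` callable is an assumption introduced so the example can be tested on one host; honeytrap's rule is simply "same port on the peer's address". The TIP stand-in service, the byte limit and the timeout values are constructed for the demo.

```python
import asyncio
import functools

SUSTAIN = 60              # seconds a mirrored pair stays alive (constructed default)
BYTE_LIMIT = 100 * 1024   # per direction (constructed default)


async def _relay(src: asyncio.StreamReader, dst: asyncio.StreamWriter, limit: int) -> int:
    """Copy src -> dst until EOF or `limit` bytes, then pass the EOF on. Returns bytes copied."""
    copied = 0
    try:
        while copied < limit:
            chunk = await src.read(min(4096, limit - copied))
            if not chunk:
                break
            dst.write(chunk)
            await dst.drain()
            copied += len(chunk)
    except OSError:
        pass
    finally:
        try:
            if dst.can_write_eof():
                dst.write_eof()      # half-close so the other side sees EOF, not a reset
        except OSError:
            pass
    return copied


async def mirror(reader, writer, connect_back, limit=BYTE_LIMIT, sustain=SUSTAIN):
    """Accept callback implementing the slide's steps:
    1. the TIP has connected (we are inside the callback);
    2. its connection is held while
    3. a second connection is opened back to it;
    4. both directions are relayed until EOF, the byte limit or the sustain timeout.
    connect_back(peer_host, local_port) -> (host, port) chooses the return target;
    honeytrap uses (peer_host, local_port), i.e. the TIP's own copy of the service."""
    peer_host = writer.get_extra_info("peername")[0]
    local_port = writer.get_extra_info("sockname")[1]
    host, port = connect_back(peer_host, local_port)
    try:
        back_r, back_w = await asyncio.wait_for(asyncio.open_connection(host, port), timeout=5)
    except (OSError, asyncio.TimeoutError):
        writer.close()           # the TIP runs no such service: nothing to mirror against
        return (0, 0)
    try:
        copied = await asyncio.wait_for(
            asyncio.gather(_relay(reader, back_w, limit), _relay(back_r, writer, limit)),
            timeout=sustain)
        return (copied[0], copied[1])
    except asyncio.TimeoutError:
        return (0, 0)
    finally:
        writer.close()
        back_w.close()


def honeytrap_demo(payload: bytes = b"hello\n") -> bytes:
    """Self-contained run on 127.0.0.1: a stand-in TIP service that upper-cases one
    line, a mirror listener, and a client playing the TIP's attacking side.
    Returns what the client receives back through the mirror."""
    async def run():
        async def tip_service(r, w):
            w.write((await r.readline()).upper())
            await w.drain()
            w.close()

        tip_srv = await asyncio.start_server(tip_service, "127.0.0.1", 0)
        tip_port = tip_srv.sockets[0].getsockname()[1]

        def redirect(peer_host, local_port):
            # both ends live on one host here, so the return path cannot reuse the
            # mirror's own port; point it at wherever the TIP service listens
            return (peer_host, tip_port)

        mirror_srv = await asyncio.start_server(
            functools.partial(mirror, connect_back=redirect), "127.0.0.1", 0)
        mirror_port = mirror_srv.sockets[0].getsockname()[1]

        r, w = await asyncio.open_connection("127.0.0.1", mirror_port)
        w.write(payload)
        await w.drain()
        reply = await asyncio.wait_for(r.read(), timeout=5)   # until the mirror relays EOF
        w.close()
        await w.wait_closed()
        tip_srv.close()
        mirror_srv.close()
        await tip_srv.wait_closed()
        await mirror_srv.wait_closed()
        return reply

    return asyncio.run(run())
```

The byte limit and sustain timeout matter in practice: without them a mirrored pair can be kept open indefinitely or turned into a relay for arbitrary traffic, which is one reason the next slide lists legal issues with this mode.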
Problems with Mirror mode
Not applicable everywhere
Malware that patches the vulnerability it used to get in (Conficker)
A lot of law enforcement or government institutions may not use such a mode because of legal issues
Moving on
We wanted to create a new honeypot that provides a stable base for any future needs and does not suffer from the shortcomings of nepenthes.
Requirements
Vulnerability modules
Scripting Language to ease implementation of modules
Reusing code from libraries
One more thing before we get to the new shiny honeypot.
Shellcode detection
The nepenthes way: Nepenthes' shellcode manager only uses pattern matching
Shellcode needs to be known in advance
Actions taken dependent on shellcode content
Libemu: generic shellcode detection using
GetPC heuristics
Binary backwards traversal
Instruction dependency tracking
Shellcode emulation supporting all basic x86 CPU/FPU instructions
Profiling by mapping required parts of windows process memory
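The "GetPC heuristics" bullet is the entry point of generic detection: position-independent shellcode has to learn its own address, and the few instruction idioms that do so are cheap to spot in a byte stream. The scanner below is an added example written for this page in Python, not libemu's code: it recognises the two classic shapes (a `call` whose target is a `pop r32`, which covers `call $+5; pop` and the `jmp/call/pop` trio, and `fnstenv [esp-0xc]` followed by a `pop r32`) and reports which register receives the PC and which buffer offset it points at. The sample buffers are constructed; the HTTP request shows that plain protocol traffic yields no candidates. libemu goes further: it emulates from each candidate to confirm it really is code, because on binary protocols these byte patterns do occur by chance.

```python
import struct

# Single-byte x86 "pop r32" opcodes and the register that receives the PC value
POP_REG = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
           0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}
FNSTENV_ESP = b"\xd9\x74\x24\xf4"   # fnstenv [esp-0xc]: the saved FPU IP lands at [esp]


def find_getpc(buf: bytes) -> list:
    """Return GetPC stub candidates in buf as dicts (offset, kind, reg, pc_offset).

    Recognised shapes:
      * call rel32 whose target byte is a pop r32 (call $+5 / pop and the
        jmp / call / pop trio); the register receives the address of offset+5;
      * fnstenv [esp-0xc] followed within 8 bytes by a pop r32; the register
        receives the address of the FPU instruction that preceded the fnstenv.
    pc_offset is the buffer offset whose runtime address ends up in reg
    (None when it cannot be derived from the bytes alone).
    """
    hits = []
    n = len(buf)
    for i in range(n):
        if buf[i] == 0xE8 and i + 5 <= n:
            rel = struct.unpack_from("<i", buf, i + 1)[0]
            target = i + 5 + rel
            if 0 <= target < n and buf[target] in POP_REG:
                hits.append({"offset": i, "kind": "call/pop",
                             "reg": POP_REG[buf[target]], "pc_offset": i + 5})
        if buf[i:i + 4] == FNSTENV_ESP:
            for opcode in buf[i + 4:i + 12]:
                if opcode in POP_REG:
                    # fldz (D9 EE) and its relatives are two-byte D9 xx opcodes
                    fpu_at = i - 2 if i >= 2 and buf[i - 2] == 0xD9 else None
                    hits.append({"offset": i, "kind": "fnstenv/pop",
                                 "reg": POP_REG[opcode], "pc_offset": fpu_at})
                    break
    return hits


def has_getpc(buf: bytes) -> bool:
    """Cheap pre-filter: is this buffer worth handing to an emulator?"""
    return bool(find_getpc(buf))


# Constructed samples (not from the slides): three GetPC stubs and a benign request.
CALL_POP = b"\xe8\x00\x00\x00\x00\x5b" + b"\x90" * 6               # call $+5; pop ebx
JMP_CALL_POP = (b"\xeb\x03"                                       # jmp +3
                b"\x5e\x90\x90"                                   # pop esi; nop; nop
                b"\xe8\xf8\xff\xff\xff") + b"\x90" * 6            # call back to the pop
FNSTENV_POP = b"\xd9\xee" + FNSTENV_ESP + b"\x5b" + b"\x90" * 6   # fldz; fnstenv; pop ebx
BENIGN = b"GET / HTTP/1.0\r\nHost: honeypot\r\n\r\n"
```

Run `find_getpc(JMP_CALL_POP)` and the hit is reported at offset 5 (the `call`), with `esi` holding the address of offset 10; that is exactly the value an emulator needs to start executing from the right place, which is what libemu's backwards traversal and emulation then do.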
Libemu output example
    HMODULE LoadLibraryA (
        LPCTSTR lpFileName = 0x0012fe84 =>
            = "ws2_32";
    ) = 0x71a10000;
    int WSAStartup (
        WORD wVersionRequested = 2;
        LPWSADATA lpWSAData = 1244280;
    ) = 0;
    SOCKET WSASocket (
        int af = 2;
        int type = 1;
        int protocol = 0;
        LPWSAPROTOCOL_INFO lpProtocolInfo = 0;
        GROUP g = 0;
        DWORD dwFlags = 0;
    ) = 66;
    int bind (
        SOCKET s = 66;
        struct sockaddr_in * name = 0x0012fe70 =>
            struct = {
                short sin_family = 2;
                unsigned short sin_port = 23569 (port=4444);
                struct in_addr sin_addr = {
                    unsigned long s_addr = 0 (host=0.0.0.0);
                };
                char sin_zero = "        ";
            };
        int namelen = 16;
    ) = 0;
    int listen (
        SOCKET s = 66;
        int backlog = 2;
Libemu graph output example
Enough said
Libemu will be a core component of the new honeypot.
Carnivores continued
dionaea
Environment
Who, what and when
Core by Markus Koetter
SMB/CIFS protocol stack by me
Funded by Honeynet Project summer of code
Project timeline in parallel to Google summer of code
Dependencies
Not reinventing the wheel
No C++, but C with glib
Core event dispatching by libev
Embedding Python (using Cython)
OpenSSL for TLS
udns for asynchronous DNS
curl for http downloads
libemu for shellcode detection / emulation
liblcfg for configuration file parsing
Honeypot features
Implementation efficiency
Emulate the SMB/CIFS protocol to get (unknown) RPC calls
Detect shellcode (generically) in attacks and create a profile of it
From the profile guess its actions and act upon that knowledge
Emulate windows shell (cmd.exe)
Download malware via http/ftp/ftp.exe/tftp
Execute multistage shellcode in libemu and grab the downloaded file (link:// protocol)
Surfnet SURFids integration
And it can do Mirror Mode.
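"Detect shellcode, create a profile, guess its actions and act upon that knowledge" is the pipeline the libemu output example earlier illustrates with a bind shell on port 4444. The script below is an added example written for this page, not dionaea's code, showing the "guess its actions" step over libemu's textual profile: it extracts the API call sequence, the first `sockaddr_in` and all string arguments, decodes the port and address from the raw values libemu prints (so the `(port=4444)` hint can serve as a cross-check), and maps the call pattern to what the honeypot should do next. The bind-shell profile is the slide's text with the cut-off `listen` call closed; the connect-back and download profiles are constructed in the same format and go beyond what the slide shows, so `connect` and `URLDownloadToFile` handling is this example's generalisation.

```python
import re
import socket
import struct

# libemu profile for the bind shell from the slide; the truncated listen call is closed here
PROFILE_BINDSHELL = """\
HMODULE LoadLibraryA (
  LPCTSTR lpFileName = 0x0012fe84 =>
    = "ws2_32";
) = 0x71a10000;
int WSAStartup (
  WORD wVersionRequested = 2;
  LPWSADATA lpWSAData = 1244280;
) = 0;
SOCKET WSASocket (
  int af = 2;
  int type = 1;
  int protocol = 0;
  LPWSAPROTOCOL_INFO lpProtocolInfo = 0;
  GROUP g = 0;
  DWORD dwFlags = 0;
) = 66;
int bind (
  SOCKET s = 66;
  struct sockaddr_in * name = 0x0012fe70 =>
    struct = {
      short sin_family = 2;
      unsigned short sin_port = 23569 (port=4444);
      struct in_addr sin_addr = {
        unsigned long s_addr = 0 (host=0.0.0.0);
      };
      char sin_zero = "        ";
    };
  int namelen = 16;
) = 0;
int listen (
  SOCKET s = 66;
  int backlog = 2;
) = 0;
"""

# Constructed profiles in libemu's format (not from the slides)
PROFILE_CONNECTBACK = """\
HMODULE LoadLibraryA (
  LPCTSTR lpFileName = 0x0012fe84 =>
    = "ws2_32";
) = 0x71a10000;
int connect (
  SOCKET s = 66;
  struct sockaddr_in * name = 0x0012fe70 =>
    struct = {
      short sin_family = 2;
      unsigned short sin_port = 23569 (port=4444);
      struct in_addr sin_addr = {
        unsigned long s_addr = 16777343 (host=127.0.0.1);
      };
      char sin_zero = "        ";
    };
  int namelen = 16;
) = 0;
"""
PROFILE_DOWNLOAD = """\
HMODULE LoadLibraryA (
  LPCTSTR lpFileName = 0x0012fe84 =>
    = "urlmon";
) = 0x7df20000;
HRESULT URLDownloadToFile (
  LPUNKNOWN pCaller = 0;
  LPCTSTR szURL = 0x0012fe90 =>
    = "http://example.invalid/x.exe";
  LPCTSTR szFileName = 0x0012fea0 =>
    = "x.exe";
  DWORD dwReserved = 0;
  LPBINDSTATUSCALLBACK lpfnCB = 0;
) = 0;
"""

CALL_RE = re.compile(r"^[ \t\w\*]*?\b(\w+)[ \t]*\([ \t]*$", re.M)   # "int bind (" lines
PORT_RE = re.compile(r"sin_port = (\d+)")
ADDR_RE = re.compile(r"s_addr = (\d+)")
STRING_RE = re.compile(r'"([^"]*)"')


def parse_profile(text: str) -> dict:
    """API call sequence, first sockaddr_in and string arguments of a libemu profile."""
    port_m, addr_m = PORT_RE.search(text), ADDR_RE.search(text)
    return {
        "calls": CALL_RE.findall(text),
        # sin_port sits in memory big-endian; libemu prints the raw 16-bit word
        "port": socket.ntohs(int(port_m.group(1))) if port_m else None,
        # s_addr is printed as the little-endian read of the four in-memory bytes
        "host": socket.inet_ntoa(struct.pack("<I", int(addr_m.group(1)))) if addr_m else None,
        "strings": [s for s in STRING_RE.findall(text) if s.strip()],
    }


def classify(profile: dict) -> dict:
    """Guess what the shellcode wants and what the honeypot should do about it."""
    calls = set(profile["calls"])
    urls = [s for s in profile["strings"] if re.match(r"(https?|ftp|tftp)://", s)]
    if {"bind", "listen"} <= calls:
        return {"kind": "bindshell", "host": profile["host"], "port": profile["port"],
                "action": f"connect to the attacker on port {profile['port']} and emulate cmd.exe"}
    if "connect" in calls:
        return {"kind": "connectback", "host": profile["host"], "port": profile["port"],
                "action": f"listen for the connect-back to {profile['host']}:{profile['port']}"}
    if urls:
        return {"kind": "download", "url": urls[0], "action": f"fetch {urls[0]} and store the sample"}
    return {"kind": "unknown", "action": "keep the profile for manual analysis"}
```

Decoding from raw values rather than from libemu's parenthesised hints is deliberate: the raw field is what the shellcode actually put on the stack, and a mismatch between the two would point at a profile worth a closer look.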
Mirror mode with dionaea in Python
    from dionaea.core import connection

    # mirrorc: the outgoing leg, connected back to the peer on the port it came in on
    class mirrorc(connection):
        def __init__(self, peer=None):
            connection.__init__(self, peer.transport)
            self.bind(peer.local.host, 0)
            self.connect(peer.remote.host, peer.local.port)
            self.peer = peer

        def handle_established(self):
            self.peer.peer = self

        def handle_io_in(self, data):
            if self.peer:
                self.peer.send(data)
            return len(data)

        def handle_error(self, err):
            if self.peer:
                self.peer.peer = None
                self.peer.close()

        def handle_disconnect(self):
            if self.peer:
                self.peer.close()
            if self.peer:
                self.peer.peer = None
            return 0


    # mirrord: the listener; every accepted connection gets its own mirrorc
    class mirrord(connection):
        # iface=None: the signature is cut off on the slide and completed from its use in bind()
        def __init__(self, proto=None, host=None, port=None, iface=None):
            connection.__init__(self, proto)
            if host:
                self.bind(host, port, iface)
                self.listen()
            self.peer = None

        def handle_established(self):
            self.peer = mirrorc(self)
            self.timeouts.sustain = 60
            self._in.accounting.limit = 100*1024
            self._out.accounting.limit = 100*1024

        def handle_io_in(self, data):
            if self.peer:
                self.peer.send(data)
            return len(data)

        def handle_error(self, err):
            if self.peer:
                self.peer.peer = None

        def handle_disconnect(self):
            if self.peer:
                self.peer.close()
            if self.peer:
                self.peer.peer = None
            return 0
The connection class
Subclass connection to implement some service
    from dionaea.core import connection

    class allyourbase(connection):
        def __init__(self):
            connection.__init__(self, "tcp")
            # initialize

        def handle_established(self):
            self.timeouts.sustain = 60
            self._in.accounting.limit = 100*1024
            self._out.accounting.limit = 100*1024
            self.processors()

        def handle_io_in(self, data):
            # handle data and return processed len
            self.send("All your base...")
            return len(data)

        def handle_disconnect(self):
            return 0
What else
Logging to SQL (sqlite)
Nepenthes had awful, huge logfiles
Logging to sqlite eases analysis and statistics generation
Table connections
Tables for DCERPC information (services, binds, requests, opnums)
Table for emulation profiles
Tables for file offers and downloads
Simple example
Which host attacked us most?

    SELECT COUNT(remote_host), remote_host
    FROM connections
    WHERE connection_type = 'accept'
    GROUP BY remote_host
    ORDER BY COUNT(remote_host) DESC
    LIMIT 10;

    COUNT(remote_host) | remote_host
    -------------------+----------------
                  1655 | 10.204.202.23
                   420 | 10.2.101.193
                   234 | 10.246.93.128
                   224 | 10.208.119.223
                   120 | 10.54.151.201
                   120 | 10.129.95.105
                   120 | 10.174.16.255
                   120 | 10.234.207.36
                   120 | 10.133.39.52
                   120 | 10.31.104.74
Complex example
Python script accessing the sqlite db (screenshot; only this row survived extraction):
    connection 610 smbd tcp accept 10.69.53.52:445
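The complex example from the talk survives only as a screenshot, so here is an added Python/sqlite3 script written for this page instead; it is not the script shown in the talk. The schema is a constructed, reduced one: the `connections` column names follow the slide's query (`connections`, `connection_type`, `remote_host`) and the visible log row (`connection 610 smbd tcp accept 10.69.53.52:445`), and the `downloads` table is an assumption standing in for the "file offers and downloads" tables. The sample traffic is constructed too. The script runs the slide's top-attackers query and a join that nepenthes' flat log files made impractical: how many distinct samples each source handed us.

```python
import sqlite3

# Reduced schema, constructed for this example (see lead-in).
SCHEMA = """
CREATE TABLE connections (
    connection           INTEGER PRIMARY KEY,
    connection_type      TEXT NOT NULL,   -- accept | connect | listen
    connection_transport TEXT NOT NULL,   -- tcp | udp
    connection_protocol  TEXT NOT NULL,   -- smbd, httpd, ...
    connection_timestamp REAL NOT NULL,
    local_host  TEXT, local_port  INTEGER,
    remote_host TEXT, remote_port INTEGER
);
CREATE TABLE downloads (
    download          INTEGER PRIMARY KEY,
    connection        INTEGER NOT NULL REFERENCES connections(connection),
    download_url      TEXT NOT NULL,
    download_md5_hash TEXT NOT NULL
);
"""

# Constructed sample traffic: two noisy SMB attackers, one quiet one, and the
# honeypot's own outbound fetches (connection_type 'connect'), which a query
# without the connection_type filter would wrongly count as attacks.
SAMPLE_ACCEPTS = [("10.204.202.23", 5), ("10.2.101.193", 3), ("10.54.151.201", 1)]
SAMPLE_DOWNLOADS = {
    "10.204.202.23": [("http://10.204.202.23:8080/x.exe", "a" * 32),
                      ("tftp://10.204.202.23/y.exe", "b" * 32)],
    "10.2.101.193":  [("http://10.2.101.193:8080/x.exe", "a" * 32)],
}

TOP_ATTACKERS_SQL = """
SELECT COUNT(remote_host), remote_host
FROM connections
WHERE connection_type = 'accept'
GROUP BY remote_host
ORDER BY COUNT(remote_host) DESC
LIMIT ?;
"""
UNIQUE_SAMPLES_SQL = """
SELECT c.remote_host, COUNT(DISTINCT d.download_md5_hash)
FROM downloads d JOIN connections c ON c.connection = d.connection
GROUP BY c.remote_host;
"""


def _add_connection(db, ctype, proto, ts, remote_host, remote_port):
    cur = db.execute(
        "INSERT INTO connections (connection_type, connection_transport, connection_protocol,"
        " connection_timestamp, local_host, local_port, remote_host, remote_port)"
        " VALUES (?, 'tcp', ?, ?, '10.69.53.52', ?, ?, ?)",
        (ctype, proto, ts, 445 if ctype == "accept" else 0, remote_host, remote_port))
    return cur.lastrowid


def build_db() -> sqlite3.Connection:
    """In-memory database populated from the constructed samples above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    ts = 1259712000.0   # 2009-12-02 00:00:00 UTC, constructed
    for host, count in SAMPLE_ACCEPTS:
        for _ in range(count):
            ts += 1
            _add_connection(db, "accept", "smbd", ts, host, 1025)
    for host, files in SAMPLE_DOWNLOADS.items():
        for url, md5 in files:
            ts += 1
            proto = "tftp" if url.startswith("tftp://") else "httpd"
            conn_id = _add_connection(db, "connect", proto, ts, host, 69 if proto == "tftp" else 8080)
            db.execute("INSERT INTO downloads (connection, download_url, download_md5_hash)"
                       " VALUES (?, ?, ?)", (conn_id, url, md5))
    db.commit()
    return db


def top_attackers(db, limit=10):
    """The slide's query: (remote_host, count) for inbound connections only."""
    return [(host, n) for n, host in db.execute(TOP_ATTACKERS_SQL, (limit,))]


def unique_samples_per_source(db):
    """Distinct malware hashes obtained per download source."""
    return dict(db.execute(UNIQUE_SAMPLES_SQL).fetchall())
```

The `WHERE connection_type = 'accept'` filter is the part worth noticing: the honeypot's own download connections share the table with the attacks, and without the filter the most aggressive source would be credited with its downloads as well.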
Demo.
Comments on dionaea
Evolution: it was good to start over
Fun to code on dionaea, fun to implement modules / services
SMB layer copes with all RPC function vulnerabilities
Nepenthes R.I.P.
So please. . .
Help us testing and spread the word
We want to replace nepenthes installations
Tell us if things are missing
Help us test the code
Measuring performance on large amounts of IP space
Give feedback
Installation
Packaging ...
We have no distribution packages ready
Compilation needs newer library versions than most distributions have
There are quite a number of dependencies
We hope that people try it nevertheless! The .debs will come!
Virtualbox image
Dionaea dirty install on debian (by Hugo Gonzalez, HP)
Ready for running in Virtualbox
ftp://ftp.carnivore.it/projects/dionaea/images/virtualbox-20091127-hugo/
Dionaea website
Carnivore.it
Honeynet Project
EOF
Thank you!
Mark Schloesser, [email protected]
Dionaea honeypot: http://dionaea.carnivore.it/
Giraffe Honeynet Project: http://giraffe.honeynet.org
carnivore.it Software: http://carnivore.it/