Lowint Honeypots Mark Schloesser 2009-12-01


    Low Interaction Server Honeypot Evolution

    Mark Schloesser, Giraffe Honeynet Project

    FIRST Technical Colloquium, Kuala Lumpur

    December 2, 2009


    Special thanks. . .

    . . . for support

    ...for this event

    Mark Schloesser, Giraffe Honeynet Project: Low Interaction Server Honeypot Evolution (slide 1 of 39)


    Server honeypots?

    Ways to collect malware

    Spamtraps

    Honeyclients

    . . .

    High interaction Honeypots (Windows systems in virtual machines)

    Low interaction server honeypots


    Giraffe Honeynet Project

    Availability of tools is bad

    There are non-public (non-GPL) tools

    Can not / may not be shared

    Some available, but not efficient enough

    Giraffe believes in Open Source

    Publicly available

    GPL

    Low interaction: fast, efficient (/16 or more)


    Carnivores

    Nepenthes


    Nepenthes

    Low-interaction server honeypot

    Written by Markus Koetter and Paul Baecher (Giraffe)

    Written entirely in C++

    Vulnerability Modules

    Shellcode Manager

    Great tool, widely used

    Lots of sensors deployed on lots of IP space

    Lots of malware gathered over the years


    Nepenthes success

    Malware reality

    1 Malware often uses public exploit code to spread

    2 Malware often packs a bunch of public exploits

    3 Malware authors often are lazy / unskilled

    4 Malware community does code sharing / selling

    This leads to. . .

    . . . Nepenthes still capturing malware.


    The problems

    There are always two sides. . .

    Pros: C++

    Cons: C++

    Huh? Even though we always claimed it was easy to write nepenthes modules/addons, there was very little contribution.

    C++ is an insult to the human brain.


    . . . and other issues . . .

    Nepenthes disadvantages

    No new / unknown vulnerabilities supported

    Vulnerability- instead of Protocol-emulation

    Several vulns on Port 445/TCP interfering with each other

    Impossible to keep up with exploitation trends

    Shellcode manager needs to know shellcode in advance

    No TLS


    Some ugly details

    Vuln modules acquiring 445/TCP: LSASS, PNP, DCOM, ASN1, ms06-070, ms08-067

    Interference: modules mostly match against certain byte strings

    Return UNSURE, DROP, ASSIGN to core

    Which one sends back a response?

    Random / Parallel / Chaos


    Laziness

    Malware authors are lazy:

        send(packetbuffer)
        recv(1024) and discard
        send(packetbuffer)
        recv(1024) and discard
        ...

    Nepenthes authors are lazy, too ;)

        LSASSDialogue::incomingData(Message *msg) {
            // ...
            char reply[512];
            for (int32_t i=0;i   // the rest of this loop is cut off in the transcript


    What now?

    Something needs to be done here . . .


    Other approaches

    Honeytrap

    Written by Tillmann Werner (Giraffe)

    Dynamically handles incoming connection attempts

    Binds UDP/TCP ports upon request

    No vulnerability modules

    Mirror mode


    Honeytrap's mirror mode

    Steps

    1 Technically interested person (TIP) connects to honeypot

    2 Connection request gets frozen

    3 honeytrap starts a listener and accepts the request

    4 Mirror incoming data to the TIP and vice versa


    Problems with Mirror mode

    Not applicable everywhere

    Malware that patches the vulnerability it used to get in (Conficker)

    A lot of law enforcement or government institutions may not use such a mode because of legal issues


    Moving on

    We wanted to create a new honeypot that provides a stable base for any future needs and does not suffer from the shortcomings of nepenthes.

    Requirements

    Vulnerability modules

    Scripting Language to ease implementation of modules

    Reusing code from libraries

    One more thing

    One more thing before we get to the new shiny honeypot.

    Shellcode detection

    The nepenthes way

    Nepenthes shellcode manager only uses pattern matching

    Shellcode needs to be known in advance

    Actions taken dependent on shellcode content


    Libemu

    Generic shellcode detection using GetPC heuristics

    Binary backwards traversal

    Instruction dependency tracking

    Shellcode emulation supporting all basic x86 CPU/FPU instructions

    Profiling by mapping required parts of windows process memory
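A small scanner for the GetPC idioms that libemu's heuristics start from, added here as an illustration (it is not libemu's code, which emulates instead of pattern-matching): it reports the offsets at which a call/pop pair or an fnstenv [esp-0xc] would hand the code its own address, which is where an emulator is then worth starting. The sample buffers are constructed.

```python
from typing import List, Tuple

# Added illustration of the GetPC heuristic libemu builds on; not libemu's code.
# Position-independent shellcode usually learns its own address either from the
# return address a call pushes (then pops) or from the FPU instruction pointer
# that fnstenv writes out. Both idioms are fixed byte patterns worth flagging.

FNSTENV_ESP = b"\xd9\x74\x24\xf4"   # fnstenv [esp-0xc]: last FPU EIP lands on the stack

def find_getpc_candidates(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, idiom) pairs for every GetPC idiom found in buf."""
    hits = []
    for i in range(len(buf)):
        # call rel32 whose target (inside the buffer) is a pop r32 (0x58..0x5f):
        # the popped value is the return address, i.e. the code's own location.
        # Forward (call $+5) and backward (jmp/call/pop) displacements both count.
        if buf[i] == 0xE8 and i + 5 <= len(buf):
            rel = int.from_bytes(buf[i + 1:i + 5], "little", signed=True)
            target = i + 5 + rel
            if 0 <= target < len(buf) and 0x58 <= buf[target] <= 0x5F:
                hits.append((i, f"call/pop (pop at {target})"))
        if buf[i:i + 4] == FNSTENV_ESP:
            hits.append((i, "fnstenv [esp-0xc]"))
    return hits

# Constructed samples: a call $+5 / pop esi stub and a fldz / fnstenv stub,
# each padded so that the reported offsets are not simply zero.
SAMPLE_CALL_POP = b"A" * 8 + b"\xe8\x00\x00\x00\x00\x5e" + b"\x90" * 4
SAMPLE_FNSTENV = b"\x90" * 3 + b"\xd9\xee" + FNSTENV_ESP + b"\x5b"
```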

    Libemu output example

        HMODULE LoadLibraryA (
            LPCTSTR lpFileName = 0x0012fe84 =>
                = "ws2_32";
        ) = 0x71a10000;
        int WSAStartup (
            WORD wVersionRequested = 2;
            LPWSADATA lpWSAData = 1244280;
        ) = 0;
        SOCKET WSASocket (
            int af = 2;
            int type = 1;
            int protocol = 0;
            LPWSAPROTOCOL_INFO lpProtocolInfo = 0;
            GROUP g = 0;
            DWORD dwFlags = 0;
        ) = 66;
        int bind (
            SOCKET s = 66;
            struct sockaddr_in * name = 0x0012fe70 =>
                struct = {
                    short sin_family = 2;
                    unsigned short sin_port = 23569 (port=4444);
                    struct in_addr sin_addr = {
                        unsigned long s_addr = 0 (host=0.0.0.0);
                    };
                    char sin_zero = "        ";
                };
            int namelen = 16;
        ) = 0;
        int listen (
            SOCKET s = 66;
            int backlog = 2;

    (the rest of the output is cut off in the transcript)
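An added example, not libemu's or dionaea's code, of the "guess its actions from the profile" step the new honeypot is built around: it parses a call profile in the format shown above (assuming the regular layout of that output: a call header at column 0, a ") = value;" line closing it, and the "(port=...)" / "(host=...)" annotations) and maps a bind/listen sequence to a bind shell on that port. The connect-back branch generalises beyond the slide's example, and the sample profile is constructed.

```python
import re

# Added illustration, not libemu's or dionaea's own code: reduce a libemu-style
# call profile (the text on the previous slide) to an action a honeypot can act on.

# Constructed sample in the slide's output format; the nested struct output is
# abbreviated and the listen() return value is assumed.
SAMPLE_PROFILE = """\
HMODULE LoadLibraryA (
    LPCTSTR lpFileName = 0x0012fe84 =>
        = "ws2_32";
) = 0x71a10000;
int bind (
    SOCKET s = 66;
    struct sockaddr_in * name = 0x0012fe70 =>
        struct = {
            unsigned short sin_port = 23569 (port=4444);
            struct in_addr sin_addr = {unsigned long s_addr = 0 (host=0.0.0.0);
        };
    int namelen = 16;
) = 0;
int listen (
    SOCKET s = 66;
    int backlog = 2;
) = 0;
"""

CALL_START = re.compile(r"^\S.*?\b(\w+) \($")   # e.g. "int bind (" at column 0
CALL_END = re.compile(r"^\) = (.+);$")           # e.g. ") = 66;"
ANNOT = re.compile(r"\b(port|host)=([\w.]+)\)")  # "(port=4444)" / "(host=0.0.0.0)"

def parse_profile(text):
    """Return [(api_name, {"port": .., "host": .., "ret": ..}), ...] in call order."""
    calls, name, args = [], None, {}
    for line in text.splitlines():
        if name is None:                 # outside a call: look for its first line
            start = CALL_START.match(line)
            if start:
                name, args = start.group(1), {}
            continue
        end = CALL_END.match(line)       # ") = <return value>;" closes the call
        if end:
            args["ret"] = end.group(1)
            calls.append((name, args))
            name = None
            continue
        for key, value in ANNOT.findall(line):
            args[key] = value
    return calls

def guess_action(calls):
    """Map the call sequence to the behaviour the honeypot should emulate."""
    by_name = {n: a for n, a in calls}
    if "bind" in by_name and "listen" in by_name:
        return {"action": "bindshell", "port": by_name["bind"].get("port", "?")}
    if "connect" in by_name:             # connect-back shell; generalises beyond the slide
        c = by_name["connect"]
        return {"action": "connectback", "host": c.get("host", "?"), "port": c.get("port", "?")}
    return {"action": "unknown"}
```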

    Libemu graph output example

    (graph image not reproduced in the transcript)

    Enough said

    Libemu will be a core component of the new honeypot.

    Carnivores continued

    dionaea

    Environment

    Who, what and when

    Core by Markus Koetter

    SMB/CIFS protocol stack by me

    Funded by Honeynet Project summer of code

    Project timeline in parallel to Google summer of code

    Dependencies

    Not reinventing the wheel

    No C++, but C with glib

    Core event dispatching by libev

    Embedding Python (using Cython)

    OpenSSL for TLS

    udns for asynchronous DNS

    curl for http downloads

    libemu for shellcode detection / emulation

    liblcfg for configuration file parsing

    Honeypot features

    Implementation efficiency

    Emulate the SMB/CIFS protocol to get (unknown) RPC calls

    Detect shellcode (generically) in attacks and create a profile of it

    From the profile guess its actions and act upon that knowledge

    Emulate windows shell (cmd.exe)

    Download malware via http/ftp/ftp.exe/tftp

    Execute multistage shellcode in libemu and grab the downloaded file (link:// protocol)

    Surfnet SURFids integration


    And it can do Mirror Mode.

    Mirror mode with dionaea in Python

    # mirrorc: the outbound half. Created for every accepted connection, it
    # connects back to the remote host on the port the TIP came in on and
    # relays bytes between the two sockets.
    class mirrorc(connection):
        def __init__(self, peer=None):
            connection.__init__(self, peer.transport)
            self.bind(peer.local.host, 0)
            self.connect(peer.remote.host, peer.local.port)
            self.peer = peer

        def handle_established(self):
            self.peer.peer = self          # link the two halves once connected

        def handle_io_in(self, data):
            if self.peer: self.peer.send(data)
            return len(data)               # everything was consumed

        def handle_error(self, err):
            if self.peer:
                self.peer.peer = None
                self.peer.close()

        def handle_disconnect(self):
            if self.peer: self.peer.close()
            if self.peer: self.peer.peer = None
            return 0

    # mirrord: the listening half. Accepts the TIP's connection and starts a
    # mirrorc for it; the limits cap how long and how much gets relayed.
    class mirrord(connection):
        # the iface default is cut off in the transcript; '' is assumed here
        def __init__(self, proto=None, host=None, port=None, iface=''):
            connection.__init__(self, proto)
            if host:
                self.bind(host, port, iface)
                self.listen()
            self.peer = None

        def handle_established(self):
            self.peer = mirrorc(self)
            self.timeouts.sustain = 60                 # seconds the session may last
            self._in.accounting.limit = 100*1024       # bytes relayed in each direction
            self._out.accounting.limit = 100*1024

        def handle_io_in(self, data):
            if self.peer: self.peer.send(data)
            return len(data)

        def handle_error(self, err):
            if self.peer: self.peer.peer = None

        def handle_disconnect(self):
            if self.peer: self.peer.close()
            if self.peer: self.peer.peer = None
            return 0

    The connection class

    Subclass connection to implement some service

    class allyourbase(connection):
        def __init__(self):
            connection.__init__(self, "tcp")
            # initialize

        def handle_established(self):
            self.timeouts.sustain = 60
            self._in.accounting.limit = 100*1024
            self._out.accounting.limit = 100*1024
            self.processors()

        def handle_io_in(self, data):
            # handle data and return processed len
            self.send("All your base...")
            return len(data)

        def handle_disconnect(self):
            return 0

    What else

    Logging to SQL (sqlite)

    Nepenthes had awful, huge logfiles

    Logging to sqlite eases analysis and statistics generation

    Table connections

    Tables for DCERPC information (services, binds, requests, opnums)

    Table for emulation profiles

    Tables for file offers and downloads

    Simple example

    Which host attacked us most

        SELECT COUNT(remote_host), remote_host
        FROM connections
        WHERE connection_type = 'accept'
        GROUP BY remote_host
        ORDER BY COUNT(remote_host) DESC
        LIMIT 10;

        COUNT(remote_host) | remote_host
        1655 | 10.204.202.23
        420  | 10.2.101.193
        234  | 10.246.93.128
        224  | 10.208.119.223
        120  | 10.54.151.201
        120  | 10.129.95.105
        120  | 10.174.16.255
        120  | 10.234.207.36
        120  | 10.133.39.52
        120  | 10.31.104.74

    Complex example

    Python script accessing sqlite db

    connection 610 smbd tcp accept 10.69.53.52:445
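An added example of the kind of script the slide mentions, not dionaea's own logsql module: it builds a small connections table in memory (only remote_host and connection_type are column names taken from the slides; the others are assumed), runs the "which host attacked us most" query from the previous slide, and renders rows in the "connection 610 smbd tcp accept 10.69.53.52:445" form shown above. The rows are constructed.

```python
import sqlite3

# Added illustration, not dionaea's logsql module. Only remote_host and
# connection_type appear on the slides; the other column names are assumed.
SCHEMA = """
CREATE TABLE connections (
    connection           INTEGER PRIMARY KEY,
    connection_type      TEXT,     -- 'accept', 'connect', 'listen', ...
    connection_protocol  TEXT,     -- assumed name: 'smbd', 'httpd', ...
    connection_transport TEXT,     -- assumed name: 'tcp' or 'udp'
    local_host  TEXT, local_port  INTEGER,
    remote_host TEXT, remote_port INTEGER
);
"""

# Constructed sample rows; the 10.x addresses are made up.
SAMPLE_ROWS = [
    (610, "accept",  "smbd",    "tcp", "10.69.53.52", 445,  "10.204.202.23", 2910),
    (611, "accept",  "smbd",    "tcp", "10.69.53.52", 445,  "10.204.202.23", 2911),
    (612, "accept",  "httpd",   "tcp", "10.69.53.52", 80,   "10.2.101.193",  51000),
    (613, "accept",  "smbd",    "tcp", "10.69.53.52", 445,  "10.204.202.23", 2912),
    (614, "connect", "ftpctrl", "tcp", "10.69.53.52", 1035, "10.2.101.193",  21),
]

# The slide's "which host attacked us most" query, parameterised on the limit.
# Only accepted connections count, so the honeypot's own outbound downloads
# (connection_type = 'connect') do not inflate an attacker's numbers.
TOP_QUERY = """
SELECT COUNT(remote_host), remote_host
FROM connections
WHERE connection_type = 'accept'
GROUP BY remote_host
ORDER BY COUNT(remote_host) DESC
LIMIT ?;
"""

def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return db

def top_attackers(db, limit=10):
    """[(count, remote_host), ...] ordered like the slide's result table."""
    return db.execute(TOP_QUERY, (limit,)).fetchall()

def format_connection(row):
    """One row in the form the slide's script prints it."""
    cid, ctype, proto, transport, lhost, lport, _rhost, _rport = row
    return f"connection {cid} {proto} {transport} {ctype} {lhost}:{lport}"

def describe_connections(db):
    rows = db.execute("SELECT * FROM connections ORDER BY connection").fetchall()
    return [format_connection(r) for r in rows]
```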


    Demo.

    Comments on dionaea

    Evolution

    It was good to start over

    Fun to code on dionaea, fun to implement modules / services

    SMB layer copes with all RPC function vulnerabilities

    Nepenthes R.I.P.

    So please. . .

    Help us testing and spread the word

    We want to replace nepenthes installations

    Tell us if things are missing

    Help us test the code

    Measuring performance on large amounts of IP space

    Give feedback

    Installation

    Packaging ...

    We have no distribution packages ready

    Compilation needs newer library versions than most distributions have

    There are quite a number of dependencies

    We hope that people try it nevertheless! The .debs will come!

    Virtualbox image

    Dionaea dirty install on debian (by Hugo Gonzalez, HP)

    Ready for running in Virtualbox

    ftp://ftp.carnivore.it/projects/dionaea/images/virtualbox-20091127-hugo/

    Dionaea website (screenshot slide)

    Carnivore.it (screenshot slide)

    Honeynet Project (screenshot slide)

    EOF

    Thank you!

    Mark Schloesser, [email protected]

    Dionaea honeypot: http://dionaea.carnivore.it/

    Giraffe Honeynet Project: http://giraffe.honeynet.org

    carnivore.it Software: http://carnivore.it/