Date post: | 28-Dec-2015 |
The Honeynet Project
Setting Up A Honeynet
Examples Of Blackhat Activity
Test Results, by Kirk Hausman
Review – What Is A Honeynet?
A networked system behind a firewall.
Black Hats use it rather than your production system.
Can look like an actual production system.
Records network and system data to logs.
Designed to learn who would like to use your system without your permission, for their own ends.
Gives organizations information when attacked:
  Learn vulnerabilities
  Develop response plans
What About Honeypots?
Typically, these are single systems connected to a production system to lure attackers. See “The Cuckoo’s Nest” by Cliff Stoll.
What products make a honeypot?
  Fred Cohen’s Deception Toolkit: http://www.all.net/dtk/index.html
  Cybercop Sting: http://www.pgp.com/products/cybercop-sting/default.asp
  Recourse Mantrap: http://www.recourse.com/products/mantrap/trap.html
What’s The Difference?
Honeypots use known vulnerabilities to lure attack.
  Configure a single system with special software or system emulations.
  Want to find out actively who is attacking the system.
Honeynets are networks open to attack.
  Often use default installations of system software.
  Sit behind a firewall.
  Better that attackers mess up the Honeynet than your production system.
Diagram Of A Honeynet
[Diagram not reproduced. IDS – Intrusion Detection System. Source: p. 21, The Honeynet Project. Addison-Wesley 2002.]
Entry to Honeynet
[Diagram for the entry path not reproduced; same IDS diagram and source.]
Exit from Honeynet
[Diagram for the exit path not reproduced; same IDS diagram and source.]
Costs
For hardware, costs can be minimal. The Honeynet Project used Pentiums and SPARC5 with Win ’98, RH Linux and Solaris 2.6, plus old Cisco routers.
High effort associated with configuring security:
  Restrict how Black Hats use the Honeynet.
  Don’t let them know they’re being monitored.
High effort with analysis of data: no tools are available to perform this kind of analysis.
Firewalls Suggested
CheckPoint Firewall-1: the Honeynet Project used it to enforce rules. Their book provides custom scripts to send alerts and limit outbound connections.
IPFilter: open source on Linux. The “Swatch” utility is used to monitor and count outbound connections.
Rules Enforced At Firewall
Anyone can connect from the Internet to the Honeynet.
Unlimited inbound, restricted outbound.
No packets allowed between the Honeynet and the administrative network.
DNS And NTP
If you want an unlimited number of connections from the Honeynet to the Internet, set up one machine as the primary DNS and NTP server.
  It points to one trusted, recursive DNS server on the Internet.
  That system resolves names; Black Hats expect and require DNS (for downloading, etc.).
  Easier to collect log data about network traffic from one machine than from many within the Honeynet.
Role as NTP (Network Time Protocol) server:
  Communicates with a specific, trusted system for NTP updates.
  Maintains time to keep system clocks in sync.
Anti-spoofing
Critical to enact: this is the most common type of attack out of a Honeynet.
How to enact:
  Set 5 to 10 connections maximum outgoing.
  Limit the number of packets to between 5,000 and 10,000 per 24 hours.
  Set these limits using a script in the rulebase of the firewall.
  Apply the limits to both UDP and TCP.
  Deny all outbound ICMP traffic.
Router
The Honeynet Project used a router to filter packets.
Anti-spoofing: only packets with the correct source IP are allowed out.
The router is secondary to the firewall in controlling how the Honeynet is used.
Attackers are not surprised to find a router.
The firewall is more transparent if limits on activity are suspected to be due to the router.
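A log-watcher version of the outbound controls in the firewall-rules, anti-spoofing and router slides above, added here as an example (not the Honeynet Project's own scripts): it reads per-flow records, counts outbound connections and packets per honeypot per day against the deck's lower limits, and flags spoofed sources, outbound ICMP and traffic toward the administrative network. The flow-record format, the address blocks and the sample log are assumptions constructed for the demo.

```python
import ipaddress
import re
from collections import defaultdict

HONEYNET = ipaddress.ip_network("10.1.1.0/24")   # assumed honeynet address block
ADMIN_NET = ipaddress.ip_network("10.9.9.0/24")  # assumed administrative network
MAX_CONNS = 5     # outbound connections per honeypot per day (deck: 5 to 10)
MAX_PKTS = 5000   # outbound packets per honeypot per day (deck: 5,000 to 10,000)

# Assumed per-flow record format: "<date>T<time> <proto> <src>:<port> -> <dst>:<port> pkts=<n>"
FLOW = re.compile(r"(\S+)T\S+ (\w+) (\S+):\d+ -> (\S+):\d+ pkts=(\d+)")
# Constructed sample log (not real traffic); every record is an outbound flow.
SAMPLE_LOG = """\
2000-06-06T10:00:01 tcp 10.1.1.5:1025 -> 203.0.113.7:6667 pkts=40
2000-06-06T10:02:13 tcp 10.1.1.5:1026 -> 203.0.113.7:21 pkts=30
2000-06-06T10:05:44 tcp 10.1.1.5:1027 -> 198.51.100.2:80 pkts=12
2000-06-06T10:06:01 tcp 10.1.1.5:1028 -> 198.51.100.2:80 pkts=12
2000-06-06T10:06:30 tcp 10.1.1.5:1029 -> 198.51.100.9:22 pkts=20
2000-06-06T10:07:02 tcp 10.1.1.5:1030 -> 198.51.100.9:22 pkts=20
2000-06-06T11:30:00 udp 10.1.1.8:53 -> 10.9.9.2:53 pkts=2
2000-06-06T12:00:00 icmp 10.1.1.8:0 -> 203.0.113.1:0 pkts=1
2000-06-06T12:10:00 udp 10.1.1.8:2000 -> 203.0.113.99:53 pkts=9000
2000-06-06T12:20:00 udp 192.0.2.77:1234 -> 203.0.113.99:53 pkts=5
"""

def check_outbound(log_text):
    """Return sorted (day, source, reason) alerts for the outbound flow log."""
    conns = defaultdict(int)   # (day, src) -> outbound connections
    pkts = defaultdict(int)    # (day, src) -> outbound packets
    alerts = set()
    for line in log_text.splitlines():
        m = FLOW.match(line)
        if not m:
            continue  # unrelated log line: skip rather than abort the watcher
        day, proto, src, dst, n = m.groups()
        if ipaddress.ip_address(src) not in HONEYNET:
            alerts.add((day, src, "spoofed source leaving honeynet"))  # anti-spoofing
            continue
        if ipaddress.ip_address(dst) in ADMIN_NET:
            alerts.add((day, src, "traffic toward administrative network"))
        if proto == "icmp":
            alerts.add((day, src, "outbound ICMP (should be denied)"))
        conns[(day, src)] += 1
        pkts[(day, src)] += int(n)
    for (day, src), c in conns.items():
        if c > MAX_CONNS:
            alerts.add((day, src, f"{c} outbound connections exceeds {MAX_CONNS}"))
    for (day, src), p in pkts.items():
        if p > MAX_PKTS:
            alerts.add((day, src, f"{p} outbound packets exceeds {MAX_PKTS}"))
    return sorted(alerts)
```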
Bandwidth
Keep bandwidth small; the Honeynet Project used 128 Kbps.
Smaller throughput reduces the number of packets sent out during a DoS attack.
Potentially cheaper to maintain the honeynet.
Data Capture
This is the reason for setting up a honeynet.
Layers of data capture:
  Use more than one layer; compromise of one layer leaves the others available to see what happened.
Kinds:
  Access control devices
  Network layer
  System layer
  Off-line layer
Access Control Devices
Kinds: firewall, router.
Scripting: inbound alerting scripts capture logs; use them in the firewall.
Network Layer
Logging of packets in the Honeynet network.
Capture two kinds of data:
  Signature alerts
  Packet payload
IDS (Intrusion Detection System): they used a utility called “Snort” (www.snort.org). On suspicious activity, Snort captured data and sent an alert message via syslogd to the Log/Alert Server. “Swatch” on the Log/Alert Server looked for specific alerts and sent e-mail or page notification to the administrator.
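The Snort to syslogd to Swatch notification pipeline just described, written out as an added example (not the project's actual Swatch configuration): a rule table decides whether an alert pages or e-mails the administrator, and repeat pages for the same signature and source are throttled. The syslog line shape, the rule patterns, the placeholder signature ids and the sample lines are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed syslog shape for a Snort alert relayed to the Log/Alert Server:
#   "<Mon> <dd> <HH:MM:SS> <host> snort[<pid>]: [<sid>] <message> {<proto>} <src> -> <dst>"
SNORT = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d) (\S+) snort\[\d+\]: "
                   r"\[([\d:]+)\] (.+?) \{(\w+)\} (\S+) -> (\S+)$")

# Swatch-style rule table: the first pattern matching the message decides the action.
RULES = [
    (re.compile(r"overflow|shell|root", re.I), "page"),   # probable compromise: page now
    (re.compile(r"scan|probe", re.I), "mail"),            # reconnaissance: e-mail only
]
PAGE_THROTTLE = timedelta(minutes=30)   # same sid from same source pages once per window

def route_alerts(lines, rules=RULES, year=2000):
    """Return (action, host, sid, message, src) for each line that should notify."""
    last_paged = {}
    notifications = []
    for line in lines:
        m = SNORT.match(line)
        if not m:
            continue  # not a Snort alert (other syslog traffic): ignore
        stamp, host, sid, msg, _proto, src, _dst = m.groups()
        when = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
        for pattern, action in rules:
            if not pattern.search(msg):
                continue
            if action == "page":
                key = (sid, src)
                if key in last_paged and when - last_paged[key] < PAGE_THROTTLE:
                    break  # already paged for this alert recently: suppress the repeat
                last_paged[key] = when
            notifications.append((action, host, sid, msg, src))
            break  # first matching rule wins, as in a Swatch config
    return notifications

# Constructed sample syslog (not real alerts); the sids are placeholders, not real Snort ids.
SAMPLE_SYSLOG = [
    "Jun 09 10:00:01 ids snort[412]: [1:999001:1] ToolTalk database server overflow attempt {TCP} 203.0.113.7:1023 -> 10.1.1.5:32771",
    "Jun 09 10:02:00 ids snort[412]: [1:999002:1] portscan probe {TCP} 198.51.100.2:40000 -> 10.1.1.5:111",
    "Jun 09 10:03:00 ids snort[412]: [1:999003:1] ICMP echo request {ICMP} 198.51.100.2 -> 10.1.1.5",
    "Jun 09 10:04:00 honeypot sshd[99]: Accepted password for guest from 198.51.100.2",
    "Jun 09 10:05:30 ids snort[412]: [1:999001:1] ToolTalk database server overflow attempt {TCP} 203.0.113.7:1023 -> 10.1.1.5:32771",
    "Jun 09 10:45:00 ids snort[412]: [1:999001:1] ToolTalk database server overflow attempt {TCP} 203.0.113.7:1023 -> 10.1.1.5:32771",
]
```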
System Layer
Use remote logging to send system logs to the administrative Alert/Log server.
Recommended capturing keystrokes via modules within the kernel or by a modified bash shell.
Expect logging within the Honeynet to be attacked; expect syslogd to be killed or Trojan-horsed as well.
Off-line Layer
Use utility like “Tripwire” to take images of system before opening up Honeynet
Take compromised system off-line and take another image
Inspect images to recover tools installed by Black Hats
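The off-line layer as an added example (not Tripwire itself): take an image of the file tree before the honeynet goes live, take another after the system is pulled off-line, and diff them to locate what was added, changed or removed. The mini-filesystem and the simulated post-compromise changes are constructed for the demo.

```python
import hashlib
import os
import tempfile

def take_image(root):
    """Map relative path -> (sha256, size) for every regular file under root."""
    image = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks would need their own record; skipped in this demo
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            image[rel] = (digest.hexdigest(), os.path.getsize(full))
    return image

def compare_images(before, after):
    """Diff two images: files added, removed, or whose hash/size changed."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo():
    """Image a constructed mini-filesystem, simulate a compromise, image it again."""
    root = tempfile.mkdtemp()
    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    put("bin/ls", b"original ls binary (constructed)")
    put("etc/inetd.conf", b"telnet stream tcp nowait root /usr/sbin/in.telnetd\n")
    put("var/log/messages", b"Jun  9 10:00:01 honeypot syslogd: restart\n")
    before = take_image(root)           # image taken before the honeynet goes live
    # Constructed post-compromise state: replaced binary, new tool, log removed
    put("bin/ls", b"replaced ls binary (constructed)")
    put("tmp/.x/bot", b"irc bot (constructed)")
    os.remove(os.path.join(root, "var/log/messages"))
    after = take_image(root)            # image of the system taken off-line afterwards
    return compare_images(before, after)
```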
Data Analysis
30 minutes of blackhat activity is about 30 to 40 work hours of data analysis.
All activity within the Honeynet is suspicious.
Less than 10 MB of logging per 24 hours is typical.
Fingerprinting
Learn about the attacker without detection.
Active fingerprinting:
  Fyodor’s Nmap Security Scanner (http://www.insecure.org/nmap)
  Ofir Arkin’s paper “ICMP Usage in Scanning” (http://www.sys-security.com)
Passive fingerprinting:
  Sniffer traces
Forensics
UNIX systems: The Coroner’s Toolkit, by Dan Farmer and Wietse Venema
  Automated data gathering
  Recovery of deleted files
  Reconstruction of events based on modify/access/change times
Windows and NT: EnCase (http://www.encase.com); J.D. Glaser (Foundstone) (http://www.blackhat.com/html/bh-usa-99/bh3-speakers/html)
Example Of A Blackhat Session
Following An IRC Chat Session
The Honeynet Project. Know Your Enemy. Addison-Wesley, 2002.
Scenario
What was attacked: a Solaris 2.6 honeypot, with a rpc.ttdbserv Solaris exploit.
  Buffer overflow in the ToolTalk object database server.
  Exploit listed in the SANS Institute’s Top Ten List (http://www.sans.org/topten.htm).
What blackhats put there: an IRC bot was installed.
  It captured all conversations on the IRC channel; the Honeynet Project listened in.
  After setting the system up for their own use, they hardened its security to prevent other blackhats from using it.
The authors believe kiddie scripts were used.
The Adventures Of D1ck And J4n3
D1ck probably an older teenager living in Pakistan, possibly near Kashmir, maybe in Lahore
J4n3 possibly from Pakistan but wants to appear as an “elite” hacker.
IRC chat captured underground language and slang. Parts were in Urdu, the native language of Pakistan.
What Was Happening
It appeared that several Black Hats in the group were sympathetic to Pakistani causes, but others to Indian ones. These causes were their justification for hacking.
Frequently attacked other Black Hats, compromising systems to hinder their exploits.
Shared common skills and techniques.
Example of Blackhat Warfare, June 6, 2000
D1ck! :I just tookover 3 of diz’s box today ;(
D1ck! :one day I did 36
Sp07! : *** it
D1ck! :heh
D1ck! :*ALL* his boxes
J4n3! :woo
D1ck! :Sp07
D1ck! :hmmmmmm
D1ck! :um
Sp07! :?
D1ck! :J4n3:who’se domain example.com is?
D1ck! :and who host’s it
D1ck! :satnet called up zahid eh
p. 196, The Honeynet Project.
D1ck, June 9, 2000
Rooted more than 40 systems. Here, he gives J4n3 access to one of them:
J4n3 : D1ck
D1ck :sup
J4n3 : I can’t access www.example.com with the user k1dd13 and pass u gave…
D1ck :sha..d4v3
J4n3 :yup that is…
D1ck :site work?
J4n3 :wait
J4n3 :yup
p. 244, The Honeynet Project
Honeynet Project’s Favorite Quotes
June 9, 2000
D1ck brags about how many Linux boxes he compromised in 3 hours.
D1ck :hehe come with yure ip I’ll add u to the new 40 bots
D1ck :I owned and trojaned 40 servers of linux in 3 hours
D1ck ::))))
J4n3 :heh
D1ck :***
J4n3 :107 bots
D1ck :yup
J4n3 :wait brb
D1ck :105 :P
J4n3 :back
D1ck :kewl
p. 250, The Honeynet Project
Psychological Review Of D1ck And J4n3’s Group
Social structure was robust with a complex meritocracy
Status hierarchy in his local social group and in groups outside this local group
Use of derogatory statements to challenge status of others and to control social processes
High level of tension reduces their cohesiveness.
Constant fear of detection and arrest.