Title: KFSensor Vs Honeyd
1 - KFSensor Vs Honeyd
Sunil Gurung, 60-475 Security and Privacy on the Internet
2 - Agenda
- Introduction
- Honeypot Technology
- KFSensor
- Honeyd
- Features
- Tests
- Conclusion
3 - Introduction
- Good Defence is Good Offence
- Network security: firewalls, IDS, antivirus.
- Traditional approach: defensive
- Today: offensive approach
- Honeypot solutions
4 - Honeypot Technology
- "A honeypot is a security resource whose value lies in being probed, attacked, or compromised." - Lance Spitzner
- We want attackers to probe and exploit the virtual system running emulated services.
- The system has no production value and no legitimate traffic, so most connections to it are probes, attacks or compromise attempts.
- Complements the traditional security tools.
5 - Fig: The basic setup of the honeypot system. In the figure two KFSensor instances are configured as production honeypots. Figure taken from the KFSensor Help user manual.
6 - Types of Attackers
- Script Kiddies
  - Amateurs, don't care about the host
  - Their activity exposes the inadequacy of the security policy
- Blackhat
  - Focus on high-value systems, more experienced
  - More dangerous and operate silently
7 - Types of Honeypot
- Interaction: the level of activity the honeypot allows with the attacker
- Low Interaction
  - Emulated services; easy to deploy and maintain, less risk.
  - Designed to capture only known attacks
- High Interaction
  - Sets up real services and provides interaction with the OS
  - More information; no assumptions made, gives a fully open environment.
  - The attacker can use the real honeypot to attack others.
  - Symantec Decoy Server, Honeynet
8 - KFSensor
- Commercial low-interaction honeypot solution
- Windows OS
- Preconfigured services: SSH, HTTP, FTP etc.
- Easy configuration and flexible
- Components of KFSensor
  - Scenarios, Sim Server (standard and banner)
10 - Honeyd
- Low interaction, open source
- Developed by Niels Provos of U of M
- Features: service emulation and emulation of the OS IP stack
- Product Detail
  - Software: honeyd
  - Version: honeyd 0.8
  - License: open source
  - Download site: http://honeyd.org
  - OS: Windows, Linux, Unix, Solaris
11 - Installation
- arpd and library dependencies
  - libevent-0.8a.tar.gz, libpcap-0.8.3.tar.gz
- Honeyd package
- Installation process: unpack and compile libevent (after the cd, pwd is /honeyd_packages/libevent-0.8a)
  tar -zvxf libevent-0.8a.tar.gz
  cd libevent-0.8a
  ./configure
  make
  make install
12 - Major differences between the two software packages
- IP address assignment
- Listening port
- OS emulation
- Open source advantage
- Financial value
14 - Configuration File
- Nmap.print, Xprobe2
- Script for running the services
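The "script for running the services" is what makes a Honeyd port look alive: Honeyd hands the connection's data to the script on standard input and sends whatever the script writes to standard output back to the client. The following is an added example of such a service script (a minimal HTTP decoy), written for this page; it is not code from the slides or from the Honeyd project. The server banner is a constructed value, and the HONEYD_* environment variables used to identify the peer are an assumption about how Honeyd exposes connection details, to be checked against the version in use. The script never serves real content: it parses the request, answers with a canned page, and writes one log line per connection for the analyst.

```python
import os
import sys
from datetime import datetime, timezone

# Constructed banner for the emulated server; any plausible value will do for a decoy.
SERVER_BANNER = "Apache/1.3.27 (Unix)"
MAX_HEADER_LINES = 64   # bound how much a client can make us read


def read_request(stream, max_lines=MAX_HEADER_LINES):
    """Read the request line and headers up to the blank line that ends them."""
    lines = []
    for _ in range(max_lines):
        line = stream.readline()
        if not line or line in ("\r\n", "\n"):
            break
        lines.append(line)
    return "".join(lines)


def parse_request(raw):
    """Return (method, path, version, headers) or None if the request line is malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for header in lines[1:]:
        name, sep, value = header.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def build_response(raw):
    """Build the canned reply the decoy sends back; it never serves real content."""
    request = parse_request(raw)
    if request is None:
        status, body = "400 Bad Request", "<html><body><h1>Bad Request</h1></body></html>\n"
    elif request[0] in ("GET", "HEAD"):
        status, body = "200 OK", "<html><body><h1>It works!</h1></body></html>\n"
    else:
        status, body = "405 Method Not Allowed", "<html><body><h1>Method Not Allowed</h1></body></html>\n"
    # HEAD gets the same headers (including Content-Length) but no body.
    payload = "" if request is not None and request[0] == "HEAD" else body
    head = (
        f"HTTP/1.0 {status}\r\n"
        f"Server: {SERVER_BANNER}\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head + payload


def log_record(raw, src_ip, src_port, dst_ip, dst_port, now=None):
    """One line per connection: who connected, to which decoy port, and what they asked for."""
    now = now or datetime.now(timezone.utc)
    request = parse_request(raw)
    what = f"{request[0]} {request[1]}" if request else "malformed request"
    ua = request[3].get("user-agent", "-") if request else "-"
    return f"{now.isoformat()} {src_ip}:{src_port} -> {dst_ip}:{dst_port} {what} ua={ua!r}"


if __name__ == "__main__":
    # Assumption: Honeyd passes the connection endpoints in these environment
    # variables; verify the names against the honeyd version you run.
    src_ip = os.environ.get("HONEYD_IP_SRC", "?")
    src_port = os.environ.get("HONEYD_SRC_PORT", "?")
    dst_ip = os.environ.get("HONEYD_IP_DST", "?")
    dst_port = os.environ.get("HONEYD_DST_PORT", "?")
    raw = read_request(sys.stdin)
    sys.stdout.write(build_response(raw))
    sys.stdout.flush()
    sys.stderr.write(log_record(raw, src_ip, src_port, dst_ip, dst_port) + "\n")
```

Wired into a template with a line such as `add template tcp port 80 "python3 scripts/web-decoy.py"` (path hypothetical), the script behaves like the `scripts/web.sh` style of service: low interaction, bounded reading, and a log line per probe regardless of whether the request was well-formed.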
15 - Explanation of Configuration File
Example of a simple host template and its binding:
  annotate "AIX 4.0 - 4.2" fragment old
  create template
  set template personality "AIX 4.0 - 4.2"
  add template tcp port 80 open
  add template tcp port 22 open
  add template tcp port 23 open
  set template default tcp action reset
  bind 192.168.1.80 template
16 - Nmap.print and Xprobe2
- Contributed by Felix Lindner (flindner_at_gmx.de)
- Fingerprint: AXENT Raptor Firewall running on Windows NT
  TSeq(Class=TR)
  T1(Resp=Y%DF=Y%W=2017%ACK=S%Flags=AS%Ops=M)
  T2(Resp=N)
  T3(Resp=Y%DF=Y%W=2017%ACK=S%Flags=AS%Ops=M)
  T4(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
  T5(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
  T6(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
  T7(Resp=N)
  PU(Resp=N)
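The entry above is what a `set ... personality` line refers to: each `Tn(...)` record describes how the real device answered one of nmap's OS-detection probes, and Honeyd shapes its own replies to match. The following added example (written for this page, not code from the slides, nmap or Honeyd) parses this first-generation fingerprint format and extracts the two things that matter for the emulation: the parameters of the SYN/ACK sent for a SYN to an open port (probe T1), and the probes the real device does not answer at all, which the emulation must also leave unanswered. The probe descriptions in PROBES are the standard meanings of nmap's T1..T7 and PU tests; the sample is the slide's fingerprint.

```python
import re

# Constructed sample in nmap's first-generation fingerprint format (the slide's entry).
SAMPLE_PRINTS = """\
# Contributed by Felix Lindner (flindner_at_gmx.de)
Fingerprint AXENT Raptor Firewall running on Windows NT
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=2017%ACK=S%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=2017%ACK=S%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T7(Resp=N)
PU(Resp=N)
"""

# What each probe is in nmap's first-generation OS detection (T1..T7 are TCP, PU is UDP).
PROBES = {
    "T1": "SYN to an open port",
    "T2": "NULL (no flags) to an open port",
    "T3": "SYN|FIN|URG|PSH to an open port",
    "T4": "ACK to an open port",
    "T5": "SYN to a closed port",
    "T6": "ACK to a closed port",
    "T7": "FIN|PSH|URG to a closed port",
    "PU": "UDP to a closed port",
}

TEST_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprints(text):
    """Parse a fingerprint file into [{'name': ..., 'tests': {probe: {attr: value}}}]."""
    prints = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            current = {"name": line[len("Fingerprint "):].strip(), "tests": {}}
            prints.append(current)
            continue
        m = TEST_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: unexpected {line!r}")
        probe, body = m.groups()
        attrs = {}
        for item in filter(None, body.split("%")):   # attributes are '%'-separated key=value
            key, _, value = item.partition("=")
            attrs[key] = value                        # 'Ops=' gives an empty option list
        current["tests"][probe] = attrs
    return prints


def synack_parameters(fp):
    """How the emulated stack answers a SYN to an open port (probe T1): the values
    Honeyd reproduces in its SYN/ACK so a scanner attributes the host to this OS."""
    t1 = fp["tests"].get("T1", {})
    if t1.get("Resp") != "Y":
        return None
    return {
        "dont_fragment": t1.get("DF") == "Y",
        "window": int(t1.get("W", "0"), 16),   # W is written in hexadecimal
        "flags": t1.get("Flags", ""),          # AS = ACK+SYN
        "options": t1.get("Ops", ""),          # M = MSS option present
        "ack": t1.get("ACK", ""),
    }


def silent_probes(fp):
    """Probes the real OS does not answer; the emulation must stay silent for them too."""
    return sorted(p for p, attrs in fp["tests"].items() if attrs.get("Resp") == "N")


def find_fingerprint(prints, name):
    """Look a personality up by the exact name used in 'set <template> personality'."""
    return next((fp for fp in prints if fp["name"] == name), None)
```

For the slide's entry the SYN/ACK carries DF set, a window of 0x2017 (8215) and only an MSS option, and the device stays silent to the NULL probe (T2), the FIN|PSH|URG probe (T7) and the UDP probe (PU); a Honeyd host given this personality must behave the same way or the scanner's guess will not match.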
17 - Test Environment
- Inside the router
  - 1) University network
  - 2) Home network, putting the honeypot system inside the router (192.168.0.102)
- Various tests performed
18 - Testing Honeyd
- IP of honeypot: 192.168.1.122
- IP of host running the honeypot: 192.168.1.121
- 1) Running arpd
  arpd 192.168.0.0/24
- 2) Running Honeyd
  honeyd -d -f config.sample -p nmap.print -x xprobe2 -l "\Log File" -i 2
21 - Other possible test (Network Topology)
  route entry 10.0.0.1
  route 10.0.0.1 link 10.0.0.0/24
  route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
  route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
  route 10.1.0.1 link 10.1.0.0/24
  route 10.2.0.1 link 10.2.0.0/24

  create routerone
  set routerone personality "Cisco 7206 running IOS 11.1(24)"
  set routerone default tcp action reset
  add routerone tcp port 23 "scripts/router-telnet.pl"

  create netbsd
  set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
  set netbsd default tcp action reset
  add netbsd tcp port 22 proxy $ipsrc:22
  add netbsd tcp port 80 "sh scripts/web.sh"

  bind 10.0.0.1 routerone
  bind 10.1.0.2 netbsd
22 - Results taken from the abstract
  $ traceroute -n 10.3.0.10
  traceroute to 10.3.0.10 (10.3.0.10), 64 hops max
   1  10.0.0.1   0.456 ms   0.193 ms   0.93 ms
   2  10.2.0.1  46.799 ms  45.541 ms  51.401 ms
   3  10.3.0.1  68.293 ms  69.848 ms  69.878 ms
   4  10.3.0.10 79.876 ms  79.798 ms  79.926 ms
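The traceroute works because Honeyd does not just answer for the bound addresses; it walks packets through the configured `route` graph, answering from each virtual router in turn and adding the configured latency per hop. The following added example (written for this page, not code from the slides or from Honeyd) models that walk for the topology on slide 21: it parses the `route entry`, `route ... link` and `route ... add net ... latency ... loss` statements and, for a destination, returns the virtual hops and the cumulative configured latency, using longest-prefix match at each router. The slide's excerpt has no route for 10.3.0.0/16, so the trace to 10.3.0.10 from the results slide is reported as unreachable by this model; 10.2.0.5 is a constructed destination inside a configured network. The `loss` value is kept as written rather than interpreted, since its unit is Honeyd's own.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the route statements from the slide's topology.
SAMPLE_ROUTES = """\
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24
"""


@dataclass
class Router:
    address: str
    links: List[ipaddress.IPv4Network] = field(default_factory=list)   # directly attached nets
    routes: List[Tuple[ipaddress.IPv4Network, str, float, str]] = field(default_factory=list)


@dataclass
class Topology:
    entry: Optional[str] = None
    routers: Dict[str, Router] = field(default_factory=dict)


def parse_routes(text):
    """Parse 'route ...' statements (other statements are ignored) into a Topology."""
    topo = Topology()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0] != "route":
            continue
        if tok[1] == "entry":                       # route entry <router>
            topo.entry = tok[2]
            continue
        router = topo.routers.setdefault(tok[1], Router(tok[1]))
        if tok[2] == "link" and len(tok) == 4:      # route <router> link <net>
            router.links.append(ipaddress.ip_network(tok[3]))
        elif tok[2:4] == ["add", "net"] and len(tok) >= 6:
            # route <router> add net <net> <next hop> [latency <n>ms] [loss <v>]
            net, next_hop = ipaddress.ip_network(tok[4]), tok[5]
            opts = dict(zip(tok[6::2], tok[7::2]))
            latency_ms = float(re.sub(r"ms$", "", opts.get("latency", "0ms")))
            loss = opts.get("loss", "0")            # kept as written, in Honeyd's own unit
            router.routes.append((net, next_hop, latency_ms, loss))
        else:
            raise ValueError(f"line {lineno}: unsupported route statement {raw!r}")
    if topo.entry is None:
        raise ValueError("no 'route entry' statement")
    return topo


def trace(topo, destination, max_hops=16):
    """Walk from the entry router towards destination, longest-prefix matching at each
    router and accumulating configured latency. Returns [(hop, cumulative_ms), ...],
    or None when no router has a route (the packet would be dropped)."""
    dst = ipaddress.ip_address(destination)
    current, total, hops = topo.entry, 0.0, []
    for _ in range(max_hops):
        router = topo.routers.get(current)
        if router is None:
            return None
        hops.append((current, total))
        if any(dst in net for net in router.links):         # delivered on an attached net
            if dst != ipaddress.ip_address(current):
                hops.append((destination, total))
            return hops
        candidates = [r for r in router.routes if dst in r[0]]
        if not candidates:
            return None
        _net, next_hop, latency_ms, _loss = max(candidates, key=lambda r: r[0].prefixlen)
        total += latency_ms
        current = next_hop
    return None                                              # guards against a routing loop
```

`trace(topo, "10.1.0.2")` yields the entry router, then 10.1.0.1 at 55 ms, then the netbsd host, which is the shape a traceroute against that host would show; comparing such a model against what a scanner actually sees is a quick way to check that a topology file describes the network you meant to present.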
23 - Conclusion
- Both are low interaction
- Honeyd has better features, like IP simulation and OS IP stack simulation
- KFSensor has a better GUI and easier configuration
- Neither can replace the existing security systems; they work better alongside them.