KFSensor Vs Honeyd

1
KFSensor Vs Honeyd
Sunil Gurung 60-475 Security and Privacy on the
Internet

• Honeypot System

2

• Agenda
• Introduction
• Honeypot Technology
• KFSensor
• Honeyd
• Features
• Tests
• Conclusion

3

• Introduction
• Good Defence is Good Offence
• Network security Firewall, IDS, antivirus.
• Traditional approach defensive
• Today offensive approach
• Honeypot solutions

4

• Honeypot Technology
• A honeypot is security resource whose value lies
  in being probed, attacked, or compromised. -
  Lance Spitzner
• we want attackers to probe and exploit the
  virtual system running emulated services.
• System no production value, no traffic, most
  connection probe, attack or compromised.
• Complements the traditional security tools.

5
Fig The basic setup up of the honeypot system.
In the figure two KFSensor are configured
production honeypots.
Figure taken from User Manual of KFSensor
Help
6

• TYPES of ATTACKERS
• Script Kiddies
• Amateurs, dont care about the host
• Educate the inadequacy of the security policy
• Blackhat
• Focus on high value system, more experienced
• More dangerous and operate silently

7

• Types of Honeypot
• Interaction level of activity Honeypot allows
  with attacker
• Low Interaction
• Emulated services, easy to deploy and maintain,
  less risk.
• Designed to capture only known attack
• High Interaction
• Setup real services and provides interaction with
  OS
• More information, no assumption made give full
  open environments.
• Can use the real honeypot to attack others.
• Symantec Decoy Server, Honeynet

8

• KFSensor
• Commercial low interaction honeypot solution
• Windows OS
• Preconfigured services ssh, http, ftp etc
• Easy configuration and flexible
• Components of KFSensor
• Scenarios, Sim Server standard and banner

9
(No Transcript)
10

• Honeyd
• Low interaction, open source
• Developed by Niels Provos of U of M
• Features service emulation and IP stack of OS
• Product Detail
• Software honeyd
• Version honeyd 0.8
• License open source
• Download site http//honeyd.org
• OS Windows, Linux, Unix Solaris

11

• Installation
• ARPD, Libraries Dependencies
• Libevent-0.8a.tar.gz, libpcap0.8.3.tar.gz
• Honeyd package
• Installation process
• tar -zvxf libevent-0.8a.tar.gz
• Compile the libevent
• cd libevent-0.8a (Note pwd is
  /honeyd_packages/ libevent-0.8a)
• . /configure
• make
• make install

12

• Major Differences between the two software
• IP address assignment
• Listening port
• OS emulation
• Open source advantage
• Financial value

13
(No Transcript)
14

• How it works

1. Configuration File
2. Nmap.print Xprobe2
3. Script for running the services

15

• Explanation of Configuration file

Example of a simple host template and its
binding annotate "AIX 4.0 - 4.2" fragment
old create template set template personality "AIX
4.0 - 4.2" add template tcp port 80 open add
template tcp port 22 open add template tcp port
23 open set template default tcp action
reset bind 192.168.1.80 template
16

• Nmap.print and Xprobe2
• Contributed by Felix Lindner (flindner_at_gmx.de)
• Fingerprint AXENT Raptor Firewall running on
  Windows NT
• TSeq(ClassTR)
• T1(RespYDFYW2017ACKSFlagsASOpsM)
• T2(RespN)
• T3(RespYDFYW2017ACKSFlagsASOpsM)
• T4(RespYDFNW0ACKSFlagsAROps)
• T5(RespYDFNW0ACKSFlagsAROps)
• T6(RespYDFNW0ACKSFlagsAROps)
• T7(RespN)
• PU(RespN)

17

• Test Environment
• Inside the router
• 1) University network
• 2) Home network putting the honeypot system
  inside the router 192.168.0.102
• Various test performed

18

• Testing Honeyd
• IP of honeypot 192.168.1.122
• IP of host running the honeypot 192.168.1.121
• Running ARPD
• arpd 192.168.0.0\24
• 2) Running Honeyd
• honeyd d f config.sample p nmap.print x
  xprobe2 l \Log File I 2

19

• Test 1 FTP (KFSensor)

20

• Test 2 FTP honeyd

21

• Other possible test (Network Topology)

route entry 10.0.0.1 route 10.0.0.1 link
10.0.0.0/24 route 10.0.0.1 add net 10.1.0.0/16
10.1.0.1 latency 55ms loss 0.1 route 10.0.0.1 add
net 10.2.0.0/16 10.2.0.1 latency 20ms loss
0.1 route 10.1.0.1 link 10.1.0.0/24 route
10.2.0.1 link 10.2.0.0/24 create routerone set
routerone personality "Cisco 7206 running IOS
11.1(24)" set routerone default tcp action
reset add routerone tcp port 23
"scripts/router-telnet.pl" create netbsd set
netbsd personality "NetBSD 1.5.2 running on a
Commodore Amiga (68040 processor)" set netbsd
default tcp action reset add netbsd tcp port 22
proxy ipsrc22 add netbsd tcp port 80 "sh
scripts/web.sh" bind 10.0.0.1 routerone bind
10.1.0.2 netbsd
22

• Results take from the abstract

traceroute -n 10.3.0.10 traceroute to 10.3.0.10
(10.3.0.10), 64 hops max 1 10.0.0.1 0.456 ms
0.193 ms 0.93 ms 2 10.2.0.1 46.799 ms 45.541 ms
51.401 ms 3 10.3.0.1 68.293 ms 69.848 ms 69.878
ms 4 10.3.0.10 79.876 ms 79.798 ms 79.926 ms
23

• Conclusion
• Both are low interaction
• Honey with better feature like IP simulation and
  OS IP stack simulation
• KFSensor better GUI easy configuration
• Can not replace the existing system. Work better
  along with it.