Honeynet

1
Honeynet

• By A.Qahtan
• Prepared for Dr. Khaled Salah

2
Outlines

• Introduction
• Terminology
• Honeynet Requirements
• Honeynet Usage
• Honeynet Risks
• Honeypot Virtualization
• Honeynet Tools
• Defeating Honeynets

3
Introduction

• Computer security was primarily defensive
• Firewalls, Intrusion Detection Systems,
  Encryption
• Mechanisms to defensively protect computer
  resources
• Attackers have the initiative
• Honeynet attempts to change that

4
Introduction

• Honeynet attempt to attract attackers to a system
  where everything is monitored.
• Using Honeynets
• Attackers can be identified
• New attacking tools can be discovered
• Attack patterns can be determined
• Attacker motives can be studied

5
Honeypot

• A honeypot is a security resource whose value
  lies in being probed, attacked or compromised
• Detect automated probes and attacks
• Capture tools, new worms, etc.
• Raise awareness
• Identify infected/compromised machines

6
Honeypot Advantages

• There is no normal traffic
• Everything is suspicious and potentially
  malicious
• Less data to analyze than IDS system
• Dramatically reducing if not eliminating false
  positives
• Provide valuable information about attackers
• Capture new types of malware
• Work in IPv6 and encrypted environments

7
Honeypot Disadvantages

• Potential risks for your network
• Time consuming to maintain
• Narrow view
• Bad guys have to probe, use or communicate with
  the honeypot for it to work

8
Types of Honeypots

• Low-interaction
• Emulate some parts of services and systems
• Attacker does not have access to the real OS
• Attacker cant compromise the honeypot
• Easy to install and maintain
• Low risk
• Limited information gathering
• Examples
• Listeners, Service emulators, honeyd, tiny
  honeypot

9
Types of Honeypots

• High-interaction
• More difficult to install and maintain
• High risk
• Need containment mechanisms
• Extensive information gathering
• Examples
• Honeynets, Virtual honeynets

10
HoneyToken

• A honeypot that is not a computer (some type of
  digital entity)
• e.g. Credit card number, Excel spreadsheet,
  PowerPoint presentation, a database entry, or
  even a bogus login
• Bogus credit card numbers can be embedded in a
  database
• SSN honeytokens in the students database at
  universities
• IDS sensors could be configured to watch the
  local networks for these honeytoken numbers
• If detected on the wire, then the databases have
  most likely been compromised

11
HoneyToken (example)

• Company is concerned about internal employees
  attempting to find company secrets
• Create a bogus email, or honeytoken

To Chief Financial Officer From Security help
desk Subject Access to financial database Sir,
The security team has updated your access to the
company's financial records. Your new login and
password to the system can be found below. If you
need any help or assistance, do not hesitate to
contact us. https//finances.ourcompany.com
login cfo password Ch13ff1n Security Help
Desk
12
HoneyMonkey

• Honeymonkey is a new way of detecting malicious
  codes from websites that try to exploit certain
  vulnerabilities of Internet browsers
• Automated web/internet patrol system
• To detect harmful materials in the Internet
• To come up with solutions
• To catch the people behind these malicious acts.
• Computer system logs on to websites like a normal
  computer system to detect harmful codes that a
  certain website might try to inject or silently
  install onto computers that access it.

13
Commercial Honeypots

• Mantrap from Recourse Technologies (requires
  Solaris)
• Emulates up to 4 hosts (each running Solaris)
  running various services
• Virtually run any application
• Specter (requires Windows NT)
• Can emulate 11 operating systems. Limited to
  emulating 13 different vulnerable services.

14
Commercial Honeypots

• Netfacade (requires Solairs)
• Able to simulate 8 different OSes and 13
  different services.
• Deception Toolkit
• Set of PERL scripts that can emulate various
  vulnerable services.

15
Commercial Honeypots

• Easy to install, configure, deploy, manage and
  maintain
• normally very expensive
• managed by administrators with less skills and
  knowledge
• Via administrative GUI
• Come with many different functions and utilities

16
Homemade Honeypots

• Require a considerable amount of effort and time
  to implement
• Require one with good skill and knowledge to
  manage it
• Not limited to customization and configuration

17
Honeynet

• A network of high-interaction honeypots
• Real system computers left in their default (and
  insecure) configuration
• Multiple systems and applications
• Sits behind a firewall where all inbound and
  outbound data is contained, captured and
  controlled
• Captured information is then analyzed to learn
  the tools, tactics, and motives of the hacker
  community

18
Honeyfarm

• Honeypots alone have a limited field of view
• Solution honeyfarms
• Multiple honeypots or even honeynets running
  vulnerable services are centrally operated
• Each honeypot virtually belonging to different
  network domains.
• Distributed presence
• Deploying redirectors
• A redirector acts as a proxy or 'worm hole' that
  transports an attacker's probes to a honeypot
  within the honeypot farm
• Centralized management
• Convenient attack correlation and data mining.

19
Honeynet Farm - example
Honeynet Research Alliance
20
Honeypot Farm - example
Honeypot Farm
21
Honeynet GEN I
22
Honeynet GEN II
23
GEN II

• Honeynet sensor (honeywall gateway)
• Layer two bridge (layer three routing gateway can
  be used also)
• Bridge is preferred, as it is harder to detect
• Separates production systems from the honeynet
  network
• Three interfaces
• eth0 connected to the production systems' network
  
• eth1 connected to the honeynet systems' network
• eth2 for remote administration of the gateway

24
Honeynet Requirements

• Data Control
• Data Capture
• Data Collection
• Alerting Mechanism

25
Data Control

• Prevent attackers from using the honeynet to
  attack or harm other non-honeynet systems
• Mitigates risk, it does not eliminate it
• stealthiness vs safety
• More you allow more you can learn
• More you allow more harm they can potentially
  cause

26
Data Control Firewall

• Firewall is the primary tool for controlling
  inbound and outbound connections.
• Firewall is designed to allow any inbound
  connection and limit the number of outbound
  connections

27
Data Control Router

• Supplements the firewall
• Protect against spoofed or ICMP based attacks
• Allows only packets with the source IP address of
  the Honeynet to leave the router (ingress
  filtering)

28
Data Control NIPS

• Inspecting each packet as it travels through our
  gateway
• On matching any of the IDS rules, alert is
  generated and packet can be dropped (blocking the
  attack) or modified (disabling the attack)

29
Data Capture NIDS

• Log all attacker activities
• Firewall logs all connections initiated to and
  from the Honeynet
• IDS logs ALL data in tcpdump format
• IDS configured to send an alert when certain
  attack signatures are seen

30
Data Capture SysLog

• The central syslog server is a hardened host
  within the honeynet
• Attract more sophisticated attacks once a
  blackhat has compromised one of the default
  configuration honeynet systems

31
Data Collection

• Applies to organizations that have multiple
  honeynets in distributed environments
• Single honeynet requires only data control and
  data capture
• Multiple honeynets have to collect all of the
  captured data and store it in a central location
• Captured data can be combined, exponentially
  increasing its value
• Honeyfarm

32
Alerting

• Some organizations that cannot support 24/7 staff
  
• Alternative is automated alerting
• Automated monitoring using Swatch, the Simple
  Watcher

33
Honeynet Usage

• Learn about hackers
• Tune the IT security process
• Intrusion prevention
• Honeypot-based forensics
• Eliminating false positive of the IDSs

34
Honeynet Risks

• Attracting attention to their seemingly insecure
  configuration
• Require constant maintenance and administration
• Data Analysis is very time consuming
• Single compromise on average requires 30-40 hours
  of analysis
• Risk of detection

35
Honeypot Virtualization

• Tar pits
• VMWare
• Honeyd
• UML

36
Tar Pits

• Computer entity that intentionally responds
  slowly to incoming requests
• Delude clients
• Unauthorized or illicit use of a fake service
  might be logged and slowed down
• Layer 7 tarpits (defeating spammers)
• Looks like open mail relays, but instead answer
  very slowly to SMTP commands
• Layer 4 Labrea tarpit
• Slow down the spread of worms over the Internet
• TCP window size reduced to zero
• Tar pit continues to acknowledge incoming packets

37
VMWare

• Commercial software for virtual machines
• Allows you to launch multiple instances of
  different operating systems on a single piece of
  hardware
• Isolates OSes in secure virtual machines
• Maps the physical hardware resources to the
  virtual machine's resources
• Emulates x86 hardware
• Widely used by honeypot operators
• Allows easy deployment of honeypots

38
Honeyd

• Open source honeypot daemon
• Was used with another tool arpd
• Arpd answeres ARP requests in order to redirect
  needed traffic to Honeyd
• Simulates several virtual hosts at the same time
• Permits configuration of arbitrary services
• Supports only IPv4, TCP, UDP and ICMP protocols

39
User-Mode Linux (UML)

• Free software under the GPL
• Create virtual machines
• Virtualizes Linux itself
• Runs an entire Linux environment in user-space
• Runs multiple instances of Linux on the same
  hardware
• Dedicated to Linux

40
Building Blocks

• Honeywall
• Sebek
• Bait and switch technique

41
Honeywall

• Data capture and data control
• IDS snort / IPS snort_inline
• Netfilter/iptables for traffic limiting
• Further monitoring - swatch

42
Snort_inline

• Inline packet modification engine
• Modified version Snort (in recent snort version
  it becomes part of snort)
• Adds several new rule types (drop, sdrop and
  reject)
• Provides packet rewriting from something
  dangerous into something harmless
• e.g replacing the string /bin/sh by /ben/sh
  using the rule

alert ip HONEYNET any -gt EXTERNAL_NET any
(msg"SHELLCODE x86 stealth NOOP" sid651
content"EB 02 EB 02 EB 02" replace"24 00
99 DE 6C 3E")
43
Netfilter/iptables for traffic limiting

• Netfilter/iptables-functionality of the Linux
  kernel for connection limitation
• Prevents the abuse of a compromised honeypot for
  
• Denial-of-service attacks, mass scanning,
  download toolkits and setup automated bots
• Honeynet Project allows 15 outgoing
  TCP-connections and 50 outgoing ICMP packets per
  day

... Set the connection outbound limits for
different protocols. SCALE"day" TCPRATE"15"
UDPRATE"20" ICMPRATE"50" OTHERRATE"15"
...
44
Sebek

• Client/server based application
• The primary data capture tool used by honeynet
  researchers
• Kernel-module on Linux Solaris, patch on
  OpenBSD / NetBSD, device driver for Windows
• Kernel-based rootkit that hijacks the read()
  system call
• Remember API Hooking ??
• Record all data accessed via read()
• Send data passing through sys_read() in covert
  manner over the network to the sebek server
• Overwrites part of the network stack
  (packet_recvmsg) to hide Sebek data passing on to
  the network
• Network counters and data structures have to be
  adapted

45
Bait and switch technique

• Follows the security paradigm of "Protect, Detect
  and React
• Protect the network as best as possible
  (Firewalls)
• Detect any failures in the defense (IDS)
• React to failures (alerting)
• Bait and Switch redirects all malicious network
  traffic to a honeypot
• Attacker is attacking a trap instead of real data
• based on Snort, iproute2, netfilter/iptables and
  some custom code

46
Defeating Honeynets

• Tarpits
• VMWare
• Snort_inline
• Netfilter/iptables
• Sebek
• Bait and switch

47
Detecting Tar Pits

• Attacker (10.0.0.2) trying to reach a fake web
  server, (10.0.0.1)
• looking at the answers from 10.0.0.1 with records
  from tcpdump
• Window size starts at 3 and then 0 for the next
  connection
• Attacker figures this very easily

48
Detecting Tar Pits

• Attacker on the same network segment as Labrea
  can do fingerprinting at layer 2
• Tarpits answers with the same unique MAC address
  00fffffff
• Looking at such ARP responses
• 045900.889458 arp reply 10.0.0.1
  (00fffffff) is-at 00fffffff
• you can find and change this hard coded value in
  the sources of Labrea (PacketHandler.c)
• u_char bogusMAC6 0,0,15,255,255,255

49
Detecting VMWare

• IEEE standards assigned MAC addresses to VMWare
  in the ranges
• 00-05-69-xx-xx-xx
• 00-0C-29-xx-xx-xx
• 00-50-56-xx-xx-xx
• MAC addresses can be obtained via
• arp a
• Unix ifconfig or Windows ipconfig /all
• Honeypots operators usually the NetBIOS port
• Attacker interacts with NetBIOS services can
  obtain the MAC address using commands
• Unix nmblookup or Windows nbtstat -A _at_IP

50
Detecting VMWare
51
Detecting VMWare
52
Detecting Snort_inline

• Dropping of outgoing packets blackhole
• Modification can be detected by sophisticated
  attacker
• Stealthiness of Snort_inline can be increased
  with fewer rules, but this leads to more attacks
  that will not be noticed

53
Detecting Netfilters/iptables

• Aggressor can simply try to
• Open many outgoing connections to different hosts
  
• Send a lot of ICMP echo request packets to
  varying hosts
• If after some time no more outgoing packets can
  reach the target then it is a honeypot

54
Detecting Sebek

• Latency
• Read a single byte via a read(1) call Sebek
  will transfer nearly 100 bytes of data
• Do it tens of thousands of times network
  congestion
• e.g. ping a local IP (the gateway)
• dd if/dev/zero of/dev/null bs1
• Ping again
• Average round-trip time grew from 0.7
  milliseconds to over 4800 milliseconds

55
Detecting Sebek

• Displaying hidden modules
• Sebek uses cleaner.c, a simple loadable kernel
  module that unlinks the last module in the
  kernel's module list
• module_hunter.c is able to locate hidden modules
• module_hunter.c searches for patterns of module
  structures in the kernel's address space and is
  able to detect modules hidden via unlinking
• Using the same technique one can get the address
  of Sebeks cleanup_module() and disable Sebek
• Toolkit written in Python 2.3 can detect and
  remove Sebek from honeypot
• Get the source code at md.hudora.de

56
Detecting Sebek
57
Detecting Sebek

• Modification of sys-call table
• Commonly used by rootkit detection tools
• Looking at the system call table and analyzing
  the pointers to the various system calls
• Unmodified system call table, the pointers to the
  read() and write() system calls are adjacent
• Sebek changes the pointer of the read() system
  call
• Adjacency is no longer given

58
Detecting Sebek

• Network traffic counters
• Sebek adjusts some counters to conceal the
  transmission of the logging data
• Sophisticated attacker compares the kernel's
  internal network counters and the output of
  ifconfig or other tools

59
Kebes

• Anti-Sebek techniques

60
Kebes

• Under the project name NoSEBrEaK
• Entirely written in Python 2.3 for portability
  with no external dependency
• Uses mmap() to avoid read() system calls
• Implements all basic functionality of a shell
• Reading and writing of files
• Secure deleting
• Direct executing of programs
• Implements an encrypted channel between the
  attacker and the honeypot
• logging of network activity is useless

61
Summary

• Never end fight between hackers and security
  community
• Honeynets should be carefully deployed and should
  act as real system (stealthness vs safety)
• Be aware of hackers techniques in detecting
  honeypots

62
QA

• Thank you