Title: The Honeynet Project: Advancements in Honeypot Tools
1. The Honeynet Project: Advancements in Honeypot Tools
2. Presented by Kirby Kuehl
- Background
- Feel free to ask questions during the presentation.
- Email: kkuehl_at_cisco.com
- Websites: http://www.honeynet.org
- http://winfingerprint.sourceforge.net
3. About the Honeynet Project
- Informally began as the Wargames mailing list in 1999.
- Project officially formed in 2000.
- Became a non-profit organization in 2001.
- Consists of 30 members who volunteer their time and resources to research the hacker community.
4. Honeynet Project Goals
- Learn the tools, tactics, and motives of the hacker community
- Raise awareness through release of the Know Your Enemy series of whitepapers
- Teach and inform
  - Scan of the Month Challenges
  - Reverse Challenge
  - Forensic Challenge
- Research
  - Honeynet Alliance
  - Tool Development
5. Layer 3 Data Control
- A shell script counted the number of outbound connections initiated by the attacker and blocked all further connections once a count of 10 was reached. Abruptly losing outbound connectivity is suspicious behaviour that invites investigation, and because a routing (Layer 3) firewall decrements the TTL of every packet it forwards, traceroute reveals it as a hop in the path. Once discovered it can itself be attacked, since a Layer 3 device necessarily has an IP address.
- Data Capture: The IDS (Snort) listens on the SPAN port of the switch, capturing all inbound and outbound traffic.
7. Generation II Honeynet Sensor Components
- The bridging firewall
- Improvements to counting and blocking connections
- Data control with Snort-Inline
- Sebek kernel module
- Honeyd and arpd
- Sneak peek of the Honeywall CD
8. Honeynet Data Control: The Linux Bridging Firewall
- Bridges are Layer 2 devices that connect two or more distinct Ethernet segments. A frame received on one interface is transparently forwarded out the other interface based on its destination MAC address; the bridge needs no IP address of its own and does not decrement the TTL, so unlike the Layer 3 firewall it does not show up in a traceroute.
- A bridging firewall is capable of transparently filtering received frames before they are forwarded to the second interface.
- Requires a Linux kernel compiled with bridge and bridge firewall support.
- See http://bridge.sourceforge.net/ for kernel patches and more information.
9. Honeynet Data Control, Method 1: Counting and Blocking Connections
- The iptables firewall script uses the LOG and ACCEPT targets for all inbound connections, allowing attackers to enter the honeynet.
- The script LOGs and ACCEPTs outbound connections until a predefined limit is reached within a specified timeframe. Connection attempts beyond the limit are DROPped.
- Example data control firewall script: http://www.honeynet.org/papers/honeynet/tools/rc.firewall
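The counting policy above, modelled in Python as an added example (it is not the rc.firewall script, which implements the policy with iptables rules): every new outbound connection is logged and accepted per protocol until the limit for the time window is reached, then dropped, while packets of connections that were already accepted, and replies to inbound connections, keep flowing. The limits, the window and the log line format are assumptions.

```python
"""Method 1 data control as a model: log every new outbound connection,
ACCEPT it until the per-protocol limit for the window is reached, DROP after
that. Added example, not the rc.firewall script; limits, window and the log
line format are assumptions."""
from collections import deque

DEFAULT_LIMITS = {"tcp": 10, "udp": 20, "icmp": 50}   # assumed new connections per window
DEFAULT_WINDOW = 3600                                 # assumed window, seconds


class OutboundLimiter:
    def __init__(self, limits=None, window=DEFAULT_WINDOW):
        self.limits = dict(limits or DEFAULT_LIMITS)
        self.window = window
        self._starts = {proto: deque() for proto in self.limits}  # accept times per protocol
        self._flows = set()   # 5-tuples already accepted (what the state match calls ESTABLISHED)
        self.log = []         # what the iptables LOG target would record

    def _prune(self, proto, now):
        starts = self._starts[proto]
        while starts and now - starts[0] >= self.window:
            starts.popleft()

    def inbound(self, now, proto, src, sport, dst, dport):
        """Inbound connections are always let in: the attacker is wanted inside."""
        self._flows.add((proto, src, sport, dst, dport))
        self.log.append(f"{now} IN  {proto} {src}:{sport} -> {dst}:{dport} ACCEPT")
        return "ACCEPT"

    def outbound(self, now, proto, src, sport, dst, dport):
        """Verdict for a packet leaving the honeynet: ACCEPT or DROP."""
        key = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        if key in self._flows or reverse in self._flows:
            return "ACCEPT"                 # existing connection or a reply: not a new connection
        if proto not in self.limits:
            verdict = "DROP"                # no policy for this protocol: fail closed
        else:
            self._prune(proto, now)
            starts = self._starts[proto]
            if len(starts) < self.limits[proto]:
                starts.append(now)
                self._flows.add(key)
                verdict = "ACCEPT"
            else:
                verdict = "DROP"            # limit reached: no new victims this window
        self.log.append(f"{now} OUT {proto} {src}:{sport} -> {dst}:{dport} {verdict}")
        return verdict


if __name__ == "__main__":
    fw = OutboundLimiter(limits={"tcp": 3}, window=60)
    fw.inbound(0, "tcp", "203.0.113.7", 1234, "10.0.0.5", 22)        # attacker logs in
    for i in range(5):                                                # tries five new victims
        fw.outbound(10 + i, "tcp", "10.0.0.5", 40000 + i, "198.51.100.9", 80)
    print("\n".join(fw.log))
```

The window is a sliding one, so the limit recovers gradually rather than at a fixed reset time; the attacker sees connections fail and later succeed again without an obvious schedule to infer from.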
10. Honeynet Data Control, Method 2: Snort-Inline
- The Honeynet Project utilizes Snort-Inline in combination with netfilter/iptables operating as a bridging firewall to send packets to userspace for processing.
- This is accomplished with the QUEUE target.
- The standard queue handler for IPv4 iptables is the ip_queue module, which is distributed with the kernel and marked as experimental.
- Snort-Inline (the userspace application) uses the libipq API (distributed with iptables) to receive, and possibly manipulate, the packets traversing the bridge, as demonstrated in the next slides. A queued packet is held until Snort-Inline returns a verdict, and packets sent to QUEUE while no userspace process is listening are dropped, so a dead Snort-Inline stops traffic rather than letting it through.
- Snort-Inline: http://www.snort.org/dl/contrib/patches/inline/
- Netfilter/iptables: http://www.netfilter.org
11. Snort-Inline Rule Options
- drop: tells iptables to drop the packet and logs it via the usual Snort means.
- sdrop: tells iptables to drop the packet. Nothing is logged.
- reject: tells iptables to drop the packet, logs it via the usual Snort means, and sends a TCP reset if the protocol is TCP or an ICMP port unreachable if the protocol is UDP.
12. Snort-Inline Drop Rule
- To drop a DNS attack, the signature would look as follows. Note the direction: the rule matches traffic leaving the honeynet, so it stops a compromised honeypot from attacking DNS servers elsewhere.
    drop tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags:A; content:"|CD80 E8D7 FFFFFF|/bin/sh";)
13. Snort-Inline Drop Rule (diagram)
- User space: Snort-Inline, started with snort -Q -c /snort.conf, reads each queued packet, matches it against the loaded rules, and returns a DROP verdict for the packet above.
- Kernel space: iptables 1.2.7a; modprobe ip_queue loads the queue handler, and iptables -A OUTPUT -p icmp -j QUEUE hands locally generated ICMP to Snort-Inline. This is a local test; on the honeynet bridge the QUEUE target goes in the FORWARD chain so that traffic crossing the bridge is the traffic inspected.
14. Snort-Inline Replace Rule
- Another option replaces portions of the payload (disabling the effectiveness of the attack) while allowing the connection to continue. The replacement must be exactly the same length as the matched content, since the segment is rewritten in place and the TCP checksum recomputed; a different length would break the sequence numbers of the session.
    alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags:A; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
- Here the int 0x80 system call instruction (CD 80) is overwritten and /bin/sh becomes the nonexistent /ben/sh, so the attacker sees the connection succeed but the shellcode fails.
15. Snort-Inline Replace Mode (diagram)
- User space: Snort-Inline with the replace rule loaded rewrites /bin/sh to /ben/sh in the queued packet and returns the modified packet to the kernel with an accept verdict.
- Kernel space: iptables 1.2.7a; modprobe ip_queue loads the queue handler, and iptables -A OUTPUT -p icmp -j QUEUE sends the packets to the queue, as in the previous diagram.
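The verdict semantics of drop, sdrop, reject and an alert with replace from the preceding slides, modelled in Python as an added example (this is not Snort's code). The rule syntax is reduced to the fields used on the slides (action, protocol, destination port, msg, content, replace), the exploit payload is constructed, and checksum recalculation is left out; the same-length check on replace is the one Snort-Inline enforces when the rule is loaded.

```python
"""Model of Snort-inline verdicts (drop, sdrop, reject, alert + replace)
applied to a packet payload. Added illustration of the rule semantics, not
Snort's own code: rules carry only the fields the slides use, and the
checksum recomputation that follows a replace is omitted."""


def parse_content(spec):
    """Snort content strings mix literal text with |hex bytes|, e.g.
    "|CD80 E8D7 FFFFFF|/bin/sh" -> b'\\xcd\\x80\\xe8\\xd7\\xff\\xff\\xff/bin/sh'."""
    out = bytearray()
    for i, piece in enumerate(spec.split("|")):
        if i % 2:                                  # odd pieces are inside |...|
            out += bytes.fromhex(piece.replace(" ", ""))
        else:
            out += piece.encode("latin-1")
    return bytes(out)


class Rule:
    def __init__(self, action, proto, dport, msg, content, replace=None):
        if action not in ("alert", "drop", "sdrop", "reject"):
            raise ValueError(f"unknown action {action!r}")
        self.action, self.proto, self.dport, self.msg = action, proto, dport, msg
        self.content = parse_content(content)
        self.replace = None if replace is None else parse_content(replace)
        # The segment is rewritten in place, so the replacement may not change
        # its length; otherwise the TCP sequence numbers no longer line up.
        if self.replace is not None and len(self.replace) != len(self.content):
            raise ValueError("replace must be the same length as content")

    def matches(self, proto, dport, payload):
        return self.proto == proto and self.dport == dport and self.content in payload


def inspect(rules, proto, dport, payload):
    """Run one packet through the rules. Returns (verdict, payload, log);
    verdict is ACCEPT, DROP, REJECT_RST (TCP) or REJECT_ICMP_UNREACH (UDP)."""
    log = []
    for rule in rules:
        if not rule.matches(proto, dport, payload):
            continue
        if rule.action == "drop":
            log.append(rule.msg)
            return "DROP", payload, log
        if rule.action == "sdrop":
            return "DROP", payload, log              # silent: nothing logged
        if rule.action == "reject":
            log.append(rule.msg)
            verdict = "REJECT_RST" if proto == "tcp" else "REJECT_ICMP_UNREACH"
            return verdict, payload, log
        # alert: log, optionally neuter the payload, and let the packet continue
        log.append(rule.msg)
        if rule.replace is not None:
            payload = payload.replace(rule.content, rule.replace, 1)
    return "ACCEPT", payload, log


# Constructed sample: the two rules from the slides and a fake exploit payload.
EXPLOIT = b"AAAA" + bytes.fromhex("CD80E8D7FFFFFF") + b"/bin/sh"
DROP_RULE = Rule("drop", "tcp", 53, "DNS EXPLOIT named", "|CD80 E8D7 FFFFFF|/bin/sh")
REPLACE_RULE = Rule("alert", "tcp", 53, "DNS EXPLOIT named",
                    "|CD80 E8D7 FFFFFF|/bin/sh", replace="|0000 E8D7 FFFFFF|/ben/sh")

if __name__ == "__main__":
    for rules in ([DROP_RULE], [REPLACE_RULE]):
        verdict, out, log = inspect(rules, "tcp", 53, EXPLOIT)
        print(verdict, out, log)
```

The replace path is the interesting one for a honeynet: the attacker's session stays up and keeps generating data to capture, while the exploit it carries is defused before it reaches the outside target.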
16. Honeyd
- Honeyd, when used in conjunction with arpd, can simulate an entire LAN containing virtual hosts.
- These virtual hosts can fool various TCP and ICMP fingerprinting methods.
- These virtual hosts can run various virtual, proxied, or fake services.
- http://www.citi.umich.edu/u/provos/honeyd/
17. Honeyd Operation (diagram)
- A real host, 192.168.1.9, runs: ping 192.168.1.15 (a simulated address).
- arpd logs "arpd_send: who-has 192.168.1.15 to 192.168.1.9" and answers "arpd_reply: 192.168.1.15 is-at 00:09:6b:e0:39:9b", the MAC address of the machine running Honeyd.
- Honeyd logs "Sending ICMP Echo Reply: 192.168.1.15 -> 192.168.1.9".
- The pinging host sees: Reply from 192.168.1.15: bytes=32 time<10ms TTL=64
18. Honeyd: The Role of arpd
- Like the bridging firewall used by Snort-Inline, arpd also operates at Layer 2.
- arpd replies to any ARP request for an IP address (Layer 3) within the simulated network with the MAC address of the specified interface of the machine running arpd.
- This allows one host to simulate an entire network of machines. The side effect is visible in a neighbour's ARP cache: every simulated address resolves to the same MAC address.
19. arpd Screenshot
20. Honeyd Screenshot
21. ARP Cache
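What arpd does at Layer 2 for the exchange on the previous slides, written out in Python as an added example that is not arpd's code: it parses an Ethernet/ARP who-has frame, and for any target address in the simulated range builds an is-at reply carrying the MAC of the Honeyd host, unicast back to the asker. It never opens a socket, the frames are constructed with struct, the log line format is an assumption, and unlike arpd it does not first check that no real machine claims the address.

```python
"""arpd's job, modelled: answer ARP who-has requests for every address in the
simulated network with the MAC of the honeyd host. Added example; frames are
parsed and built with struct, no live socket, no probe for real owners."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype ptype hlen plen op sha spa tha tpa


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, src_mac, src_ip, dst_mac, dst_ip, eth_dst=None):
    """Build an Ethernet + ARP frame (IPv4 over Ethernet, 42 bytes)."""
    sha, tha = mac_to_bytes(src_mac), mac_to_bytes(dst_mac)
    spa, tpa = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    eth = ETH_HDR.pack(mac_to_bytes(eth_dst or dst_mac), sha, ETH_P_ARP)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse_arp(frame):
    """Return the ARP fields of a frame as a dict, or None if it is not IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": bytes_to_mac(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": bytes_to_mac(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class Arpd:
    """Claims every address in `simulated` with `our_mac`, the way arpd does."""

    def __init__(self, simulated, our_mac):
        self.net = ipaddress.ip_network(simulated)
        self.our_mac = our_mac
        self.log = []          # assumed log format, modelled on the slide's lines

    def handle(self, frame):
        """Return the reply frame for a who-has we should answer, else None."""
        req = parse_arp(frame)
        if req is None or req["op"] != ARP_REQUEST:
            return None
        if ipaddress.IPv4Address(req["tpa"]) not in self.net:
            return None                          # not one of ours: stay silent
        self.log.append(f"arpd_send: who-has {req['tpa']} tell {req['spa']}")
        self.log.append(f"arpd_reply: {req['tpa']} is-at {self.our_mac}")
        return build_arp(ARP_REPLY, self.our_mac, req["tpa"], req["sha"], req["spa"])


if __name__ == "__main__":
    arpd = Arpd("192.168.1.0/24", "00:09:6b:e0:39:9b")
    who_has = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.9",
                        "00:00:00:00:00:00", "192.168.1.15", eth_dst=BROADCAST)
    print(parse_arp(arpd.handle(who_has)))
    print("\n".join(arpd.log))
```

Because every virtual host is answered with the same source MAC, an attacker who inspects the ARP cache of a neighbouring machine (slide 21) can tell the "LAN" apart from a real one; spreading the simulated range across several interfaces, each with its own MAC, reduces that tell.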
22. Sample Honeyd Configuration
Example of a simple host template and its binding:
    create default
    set default personality "FreeBSD 2.2.1-STABLE"
    add default tcp port 80 "sh scripts/web.sh"
    add default tcp port 22 "sh scripts/test.sh $ipsrc $dport"
    add default tcp port 113 reset
    add default tcp port 1 reset
    set default uid 32767 gid 32767
    bind 192.168.1.15 default
    set 192.168.1.15 uptime 1327650
    add default tcp port 23 proxy 192.168.1.13:23
    set default subsystem "/usr/sbin/httpd"
- personality selects the nmap fingerprint the virtual host imitates; reset answers a connection with a TCP RST; proxy forwards telnet connections to a real host at 192.168.1.13; uid and gid are the identity the service scripts run as, so a script that is compromised gains nothing on the Honeyd machine.
23. Nmap Port Scan and OS Fingerprint
24. Sebek: Kernel Space Data Collection
- The Sebek kernel module collects data passing through the read() system call. Because it hooks the call on the honeypot itself, it sees the intruder's ssh keystrokes after they have been decrypted and recovers scp file transfers, which a network IDS cannot read.
- Sebek utilizes the adore rootkit to hide the Sebek files and processes from the attacker.
- Sebek: http://www.honeynet.org/papers/honeynet/tools/
- Adore: http://www.team-teso.net/releases.php
25. sdm: The Sebek Device Monitor
- sdm encrypts the payload.
- The captured intruder input is exported in packets whose IP addresses, MAC addresses, and UDP port numbers are falsified.
- Data is transferred with a variable amount of delay.
- sdm transmits decoy packets when there is no legitimate traffic, so the export stream does not reveal when the intruder is active.
26. sebeksniff and sbdump
- sebeksniff collects the data from sdm, decrypts it, and stores it in a log file.
- Use the sbdump.pl script to examine these log files.
- sbdump displays the timestamp, user id, process name, tty, file descriptor and the data (ssh keystrokes or files transferred by scp).
27. Sebek Diagram
28. Honeywall CD: Coming Soon
- Bootable CD-ROM honeynet gateway that extracts its operating system onto a RAM drive.
- Hardware requirements: 256MB of RAM, a CD-ROM, a 10GB IDE hard drive (for logging and storage of various boot variables such as which networks to bridge), and two NICs.
- Capable of Generation I (Layer 3) or Generation II (Layer 2) honeynet data control.
- Kernel contains bridge firewalling support for the inline-enabled Snort. Also includes Sebek, dsniff, tcpdump, and p0f.
29. Honeywall CD Main Screen
30. Initialize Drive: mounts a local IDE drive for honeynet logging and storage of settings.
31. Start Layer 2 Bridge
32. Bringing up the bridge and starting various utilities
33. Wininterrogate: Analysis of Win32 File Systems and Processes
34. Wininterrogate: File System
- Recursively walks the directory structure obtaining the following:
  - File Name
  - Complete Path
  - Directory
  - File Size
  - Creation Time
  - Last Access Time
  - Last Write Time
  - Attributes
35. Wininterrogate: Processes
- Display process name and path
- Process ID (pid)
- Linked DLLs
  - DLL Entry Point
  - DLL Base
  - DLL Image Size
- Port Bindings (Windows XP only)
36. Wininterrogate: Common Options
- MD5 checksum, providing functionality similar to Tripwire: record a known-good system, re-run later, and compare.
- CSV (comma separated values) output. Import into Microsoft Excel or any database for processing.
- Extra information gathered on .DLL, .VBX, .DRV, .EXE, .OCX, .BIN, .SCR files (from the version resource):
  - CompanyName
  - FileDescription
  - FileVersion
  - InternalName
  - LegalCopyright
  - OriginalFilename
  - ProductName
  - ProductVersion
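A file-system walk in the spirit of Wininterrogate's file-system mode together with the Tripwire-style comparison the common options promise, as an added Python example (not the tool's source): every regular file under a root is recorded with name, complete path, directory, size, creation/access/write times and an MD5 checksum, written out as CSV, and two runs are diffed for added, removed and modified files. It is plain Python so it runs on any OS, which is why the Windows-only attributes and version-resource fields are not collected; the sample directory in the test is constructed.

```python
"""Wininterrogate-style file-system walk with MD5 and CSV output, plus a
diff of two runs for Tripwire-like change detection. Added example, not the
tool's source; portable Python, so Windows attributes and version resources
are not gathered."""
import csv
import hashlib
import io
import os
import stat
import time

FIELDS = ["file_name", "complete_path", "directory", "file_size",
          "creation_time", "last_access_time", "last_write_time", "md5"]


def md5_file(path, bufsize=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()


def _iso(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def walk(root):
    """Describe every regular file under root, in a stable order so runs compare."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue                   # vanished or unreadable: skip, do not abort the run
            if not stat.S_ISREG(st.st_mode):
                continue                   # symlinks, pipes, devices: hashing them lies or hangs
            # st_birthtime is the creation time on Windows, BSD and macOS; Linux only has ctime
            created = getattr(st, "st_birthtime", st.st_ctime)
            rows.append({"file_name": name, "complete_path": full, "directory": dirpath,
                         "file_size": st.st_size, "creation_time": _iso(created),
                         "last_access_time": _iso(st.st_atime),
                         "last_write_time": _iso(st.st_mtime), "md5": md5_file(full)})
    return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def from_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def diff(baseline, current):
    """Compare two walks by path: files added, removed, or changed in content or size."""
    old = {r["complete_path"]: r for r in baseline}
    new = {r["complete_path"]: r for r in current}
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new)
                      if old[p]["md5"] != new[p]["md5"]
                      or str(old[p]["file_size"]) != str(new[p]["file_size"]))
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    print(to_csv(walk(".")))
```

Two caveats a practitioner should keep in mind. A walk run on the compromised host only sees what the kernel shows it, and a rootkit such as the adore module mentioned with Sebek hides files and processes from exactly this kind of enumeration; run the comparison from known-good media, as the Honeywall CD approach does. And MD5 is adequate for spotting accidental or careless modification, but an attacker who can prepare colliding files can defeat it, so a stronger hash is preferable where the baseline must resist deliberate tampering.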