Implementing a Honeynet - PowerPoint PPT Presentation

1 / 37
About This Presentation
Title:

Implementing a Honeynet

Description:

Implements file hiding, process hiding, privileged command execution [7] ... installed modules to hide itself, cannot be detected using lsmod, or removed using rmmod. ... – PowerPoint PPT presentation

Number of Views:152
Avg rating:3.0/5.0
Slides: 38
Provided by: kristin116
Category:

less

Transcript and Presenter's Notes

Title: Implementing a Honeynet


1
Implementing a Honeynet
  • Nathan D. Truhan
  • Kent State University

2
Overview
  • What is a honeynet
  • Why implement a honeynet
  • Risks of implementing a honeynet
  • Implementing a honeynet Sebek
  • Conclusions
  • References
  • Questions

3
What is a honeynet
  • Honeypot vs. Honeynet
  • A Honeypot is a system that is setup on your
    network as either complete system or virtual
    machine that performs a specific function, such
    as a web or mail server.
  • Honeypots are typically low-interaction. They
    provide the operating system and/or services, and
    sit luring hackers away from production systems
  • Honeynets are second generation honeynets
  • Honeynets are typically high-interaction. Not
    only do they provide first generation honeypot
    features, but provide extensive logging
    capabilities

4
What is a honeynet
  • Examples of Honeypots and Honeynets

5
Why implement a honeynet
  • The problem
  • July 4th, 2004 9,922,144 attacks reported.
  • Nov 29th, 2004 12,771,229 attacks reported.
  • The SANS Institute Internet Storm Center 1
  • 145 vulnerabilities recorded for Windows XP
    Professional, up from 123 in July
  • SecurityFocus Vulnerability Database 2

6
Why implement a honeynet
  • The problem
  • July 4th, 2004 9,922,144 attacks reported.
  • Nov 29th, 2004 12,771,229 attacks reported.
  • The SANS Institute Internet Storm Center 1
  • 145 vulnerabilities recorded for Windows XP
    Professional, up from 123 in July
  • SecurityFocus Vulnerability Database 2
  • MEECES
  • Money, Ego, Entertainment, Cause (basic
    ideology), Entrance to a social group, and Status
  • Dr. Max Kilger, Social Psychologist, Honeynet
    Project 3

7
Why implement a honeynet
  • Research
  • At Georgia Tech 10, the honeynet network is
    used by students conducting research in the areas
    of operating system and network security
  • The honeynet has assisted in research efforts to
    include devising a new methodology for
    characterizing rootkits to aid in their
    subsequent detection
  • The use of a honeynet allows for operating
    systems of interest to be deployed in order to
    collect any attack traffic for subsequent
    analysis

8
Why implement a honeynet
  • Instruction
  • Working with the honeynet provides hands-on
    experience to students who monitor the honeynet
    as part of an independent study program.
  • Studying the attacks and the root-kits allows
    these students to produce documentation and notes
    on how and when the attacks occurred as well as
    analysis of the root-kits how to remove them,
    how they work, and how they could be improved
  • Honeynet data is also used in network security
    classes in order to teach students how to use
    tools such as ethereal and tcpdump in order to
    analyze attack traffic

9
Risks of implementing a honeynet
  • Security and Legal Implications
  • There are three legal issues to consider when
    considering to implement a honeypot or honeynet
  • Privacy, Entrapment and Liability
  • Honeypots Tracking Hackers 4

10
Risks of implementing a honeynet
  • Privacy is defined as the quality or state of
    being apart from company or observation, or
    freedom from unauthorized intrusion.
  • Merriam-Webster dictionary 5
  • Do we as administrators have a legal right to
    monitor what a user does?
  • Best practice is to obtain a policy letter that
    identifies the legal and procedural guidelines on
    the use of honeynets
  • At Georgia Tech 10, their legal department
    decided the use of a honeynet on their network
    provides the university with a legal method
    unobtrusively observe anomalous and misuse
    traffic directed on the network

11
Risks of implementing a honeynet
  • Government vs. Private Organization
  • The Fourth Amendment of the Constitution
  • The right of the people to be secure in their
    persons, houses, papers, and effects, against
    unreasonable searches and seizures, shall not be
    violated, and no Warrants shall issue, but upon
    probable cause, supported by Oath or affirmation,
    and particularly describing the place to be
    searched, and the persons or things to be
    seized. 6
  • Other sources of information
  • Federal Wiretap Act - real-time traffic
    surveillance
  • Pen Register/Trap and Trace Statue - collecting
    of information from voice and data networks
  • Electronic Communication Privacy Act - disclosure
    and access of account records and files from
    network service providers

12
Risks of implementing a honeynet
  • The United States Department of Justice states
    that a honeynet can qualify under an Exception to
    Wiretap Act, the Provider Exception (System
    Protection) clause
  • One concern, however is with IRC. A user that is
    using IRC may not know the channel they are on
    exists at a compromised system, that user would
    have an expectation of privacy. Allowing this
    traffic on the honeynet machine may have the
    chance of violating the US Wiretap Act
  • At Georgia Tech 10, no IRC traffic is collected
    from their honeynet. If an IRC server is
    established on their honeynet, that machine is
    immediately taken off line.

13
Risks of implementing a honeynet
  • Entrapment
  • The process by which a law enforcement officer
    or government agent lures a person into
    committing a crime in order to prosecute that
    individual for it
  • A person is not entrapped into committing a
    crime because the opportunity presented itself
  • Given that honeynets are deployed on networks and
    no advertisement enticing people to scan and/or
    break into the honeynet, the case of entrapment
    has little merit

14
Risks of implementing a honeynet
  • Liability
  • question If a honeypot is compromised and then
    used to attack other systems in another
    organization, could the honeypot operator be held
    liable in a suit brought by downstream victims?
  • Honeypots Tracking Hackers 4
  • Defined at a state level, not a federal level
  • Can vary widely wherever the victim resides and
    the system that performed the attack resides.

15
Overview
  • What is a honeynet
  • Why implement a honeynet
  • Risks of implementing a honeynet
  • Implementing a honeynet Sebek
  • Conclusions
  • References
  • Questions

16
Implementing a honeynet Sebek
  • Tracking hackers inside a honeynet
  • Hackers use the same type of tools administrators
    do,
  • such as SSH and SCP
  • Need method of circumventing encryption rather
    than breaking it

17
Implementing a honeynet Sebek
  • What is a Rootkit?
  • LKM, Loadable Kernel Module
  • Set of tools and utilities used by hackers to
    maintain access to a compromised system
  • Circumvent system binaries by redirecting their
    functionality from the kernel

18
Implementing a honeynet Sebek
  • What is a Rootkit?
  • LKM, Loadable Kernel Module
  • Set of tools and utilities used by hackers to
    maintain access to a compromised system
  • Circumvents system binaries by redirecting their
    functionality from the kernel
  • Adore Rootkit
  • Implements file hiding, process hiding,
    privileged command execution 7

19
Implementing a honeynet Sebek
  • Sebek honeynet 8
  • Based off of the Adore rootkit
  • Consists of an LKM client, and server collection
    tools
  • Implements it own TCP/IP stack for communications
  • Virtually undetectable to intruders on the system

20
Implementing a honeynet Sebek
  • Sebek client architecture
  • Windows 2000/XP, Linux, OpenBSD, Solaris
  • Intercepts sys_read function calls on UNIX-like
    platforms and system communications from cmd.exe
    on Windows platforms.
  • Implements its own TCP/IP stack and generates its
    own UDP packets
  • Undetectable to port
  • scanners and sniffers
  • running on a Sebek
  • system. Cannot be
  • blocked.

21
Implementing a honeynet Sebek
  • Sebek client architecture
  • Communicates to server component via MAC
    addresses 9 and a specified port number using
    ARP, Address Resolution Protocol
  • Client system does not need an IP address to
    communicate to server
  • Stores itself inside kernel space, and on
    UNIX-like systems, manipulates the list of
    installed modules to hide itself, cannot be
    detected using lsmod, or removed using rmmod.

22
Implementing a honeynet Sebek
  • Sebek server architecture
  • Consists of 1 executable, sbk_extract and two
    perl scripts, sbk_ks_log.pl, and sbk_upload.pl
  • Monitors network on a specified port waiting for
    Sebek client packets to be broadcast on the
    network
  • Can record data to a MySQL database

23
Implementing a honeynet Sebek
  • Sebek server architecture
  • Consists of 1 executable, sbk_extract and two
    perl scripts, sbk_ks_log.pl, and sbk_upload.pl
  • Monitors network on a specified port waiting for
    Sebek client packets to be broadcast on the
    network
  • Can record data to a MySQL database
  • Sebek web architecture
  • Set of web pages that gather stored Sebek client
    data for analysis
  • Can gather keystrokes, search for activity, and
    even recover SCPed files

24
Implementing a honeynet Sebek
  • Prerequisites for installing the Sebek client
  • Determine both client and server systems, will
    need MAC address of server, and optionally IP
    address of server
  • Determine magic number, which is a number that
    identifies a Sebek network and prevents other
    Sebek machines from detecting those packets
  • Determine common port number to communicate
  • Is this a test or production honeypot?

25
Implementing a honeynet Sebek
  • Prerequisites for installing the Sebek server
  • Installed and active Sebek client or clients
    broadcasting on a specified port
  • Perl 5.x installed for supplemental scripts
  • Optional MySQL server with database for Sebek,
    scripts are provided for database structure
  • Prerequisites for installing Sebek Web
  • Apache 2.x
  • PHP scripting language
  • MySQL server with stored Sebek client data

26
Implementing a honeynet Sebek
  • Installing the Sebek client
  • Download package from Sebek site
  • Configure client via configuration script using
    values gathered from prerequisites
  • Interface, Destination IP, Destination MAC,
    Magic Value, Source and Destination UDP port,
    Keystrokes Only, Testing
  • Compile to module, then install into kernel
  • Installing the Sebek server
  • Download package from Sebek site
  • Compile and install into shared folder

27
Implementing a honeynet Sebek
  • Gathering Data from Sebek 11
  • The sbk_extract application has three option
    switches to collect data. The first is -i device.
    This parameter will specify the device on which
    we are monitoring, usually this is eth0. The
    second parameter is -p port. This parameter will
    specify on what port to listen on for Sebek
    client packets. This must match the value from
    the DESTINATION_PORT of the client install

28
Implementing a honeynet Sebek
  • Gathering Data from Sebek 11
  • Since the Sebek client records any activity sent
    to the sys_read system call, it will capture all
    user and system data to the standard output. If
    you are running an Xterm or other intensive
    application, when you start the sbk_extract
    application your screen will start to fill with
    system calls as well as user data. One way to
    clean up the output is to run the client in run
    level 3 to only record shell activity

29
Implementing a honeynet Sebek
  • Gathering Data from Sebek 11

30
Implementing a honeynet Sebek
  • Gathering Data from Sebek 11
  • Since Sebek can gather large amounts of data in a
    short period, it provides you with two Perl shell
    scripts
  • The first script is sbk_ks_log.pl. This script
    will filter out only key presses that occur on
    the client. This is called by using a pipe to
    redirect the output of sbk_extract into the
    script's input. An example of this is sbk_extract
    -i etho -p 9999 sbk_ks_log.pl.
  • Data from Sebek can also be collected into a
    MySQL database using the sbk_upload.pl script,
    which can later be analyzed by the Sebek Web
    Interface. The table used is configured from a
    script provided by a Sebek SQL input file called
    sebek. It is initially setup using mysql u root
    p xxxx lt sebek. Then by using the sbk_upload.pl
    script we redirect the output to the MySQL
    server. An example is sbk_extract -i eth0 -p
    9999 sbk_upload.pl -u root -p password -d sebek
    -s localhost

31
Implementing a honeynet Sebek
  • Gathering Data from Sebek 11
  • The web interface allows you to analyze data
    retrieved from Sebek. It captures all data,
    including keystrokes and files that have been
    copied.

32
Implementing a honeynet Sebek
33
Implementing a honeynet Sebek
34
Conclusions
  • Some facts
  • Average life expectancy of an out-of-the-box
    default installation of an operating system is 24
    hours until system is fully compromised
  • Records of compromised systems is 15 minutes
  • New vulnerabilities and viruses are being
    discovered daily
  • Many solutions are available such as scanning,
    patching and monitoring

35
References
  • 1 "Internet Storm Center," vol. 2004 The SANS
    Institute, pp. Cooperative Cyber Threat monitor
    and Alert System. lthttp//isc.sans.orggt.
  • 2 "SecurityFocus Vulnerability Database," vol.
    2004 SecurityFocus, 2004. The SecurityFocus
    Vulnerability Database provides security
    professionals with the most up-to-date
    information on vulnerabilities for all platforms
    and services. This information is provided for
    free with a 48-hour delay from when the
    vulnerability is first posted.
  • lthttp//www.securityfocus.com/bidgt.
  • 3 "The Honeynet Project," vol. 2004, pp. The
    Honeynet Project is a non-profit (501c3) research
    organization of security professionals dedicated
    to information security. lthttp//www.honeynet.orggt
    .
  • 4 L. Spitzner, Honeypots Tracking Hackers
    Addison-Wesley, 2002. lthttp//www.tracking-hackers
    .comgt.
  • 5 "Merriam-Webster Online Dictionary," vol.
    2004. Springfield, MA Merriam-Webster,
    Incorporated, 2004, pp. Merriam-Webster Online
    Dictionary. lthttp//www.m-w.comgt.

36
References
  • 6 "Amendment 4," vol. Constitution of the
    United States of America United State Code
    Service, 1791.
  • 7 D. D. Zovi, "Kernel Rootkits," in Information
    Security Reading Room, vol. 2004 The SANS
    institute, 2001. lthttp//www.sans.org/rr/papers/60
    /449.pdfgt.
  • 8 "Sebek," 2.1.7 ed The Honeynet Project,
    2004. lthttp//project.honeynet.org/tools/sebekgt.
  • 9 "What is a MAC address?" vol. 2004, pp. MAC
    address definition. lthttp//www.webopedia.com/TERM
    /M/MAC_address.htmlgt.
  • 10 Know Your Enemy Honeynets in Universities.
    26 Apr. 2004. The Georgia Institute of
    Technology. 30 Nov. 2004 lthttp//www.honeynet.org/
    papers/edugt.
  • 11 Know Your Enemy Sebek. 17 Nov. 2003. The
    Honeynet Project. 30 Nov. 2004 lthttp//www.honeyne
    t.org/papers/edugt.

37
Questions?
Write a Comment
User Comments (0)
About PowerShow.com