Implementing a Honeynet

1
Implementing a Honeynet

• Nathan D. Truhan
• Kent State University

2
Overview

• What is a honeynet
• Why implement a honeynet
• Risks of implementing a honeynet
• Implementing a honeynet Sebek
• Conclusions
• References
• Questions

3
What is a honeynet

• Honeypot vs. Honeynet
• A Honeypot is a system that is setup on your
  network as either complete system or virtual
  machine that performs a specific function, such
  as a web or mail server.
• Honeypots are typically low-interaction. They
  provide the operating system and/or services, and
  sit luring hackers away from production systems
• Honeynets are second generation honeynets
• Honeynets are typically high-interaction. Not
  only do they provide first generation honeypot
  features, but provide extensive logging
  capabilities

4
What is a honeynet

• Examples of Honeypots and Honeynets

5
Why implement a honeynet

• The problem
• July 4th, 2004 9,922,144 attacks reported.
• Nov 29th, 2004 12,771,229 attacks reported.
• The SANS Institute Internet Storm Center 1
• 145 vulnerabilities recorded for Windows XP
  Professional, up from 123 in July
• SecurityFocus Vulnerability Database 2

6
Why implement a honeynet

• The problem
• July 4th, 2004 9,922,144 attacks reported.
• Nov 29th, 2004 12,771,229 attacks reported.
• The SANS Institute Internet Storm Center 1
• 145 vulnerabilities recorded for Windows XP
  Professional, up from 123 in July
• SecurityFocus Vulnerability Database 2
• MEECES
• Money, Ego, Entertainment, Cause (basic
  ideology), Entrance to a social group, and Status
  
• Dr. Max Kilger, Social Psychologist, Honeynet
  Project 3

7
Why implement a honeynet

• Research
• At Georgia Tech 10, the honeynet network is
  used by students conducting research in the areas
  of operating system and network security
• The honeynet has assisted in research efforts to
  include devising a new methodology for
  characterizing rootkits to aid in their
  subsequent detection
• The use of a honeynet allows for operating
  systems of interest to be deployed in order to
  collect any attack traffic for subsequent
  analysis

8
Why implement a honeynet

• Instruction
• Working with the honeynet provides hands-on
  experience to students who monitor the honeynet
  as part of an independent study program.
• Studying the attacks and the root-kits allows
  these students to produce documentation and notes
  on how and when the attacks occurred as well as
  analysis of the root-kits how to remove them,
  how they work, and how they could be improved
• Honeynet data is also used in network security
  classes in order to teach students how to use
  tools such as ethereal and tcpdump in order to
  analyze attack traffic

9
Risks of implementing a honeynet

• Security and Legal Implications
• There are three legal issues to consider when
  considering to implement a honeypot or honeynet
• Privacy, Entrapment and Liability
• Honeypots Tracking Hackers 4

10
Risks of implementing a honeynet

• Privacy is defined as the quality or state of
  being apart from company or observation, or
  freedom from unauthorized intrusion.
• Merriam-Webster dictionary 5
• Do we as administrators have a legal right to
  monitor what a user does?
• Best practice is to obtain a policy letter that
  identifies the legal and procedural guidelines on
  the use of honeynets
• At Georgia Tech 10, their legal department
  decided the use of a honeynet on their network
  provides the university with a legal method
  unobtrusively observe anomalous and misuse
  traffic directed on the network

11
Risks of implementing a honeynet

• Government vs. Private Organization
• The Fourth Amendment of the Constitution
• The right of the people to be secure in their
  persons, houses, papers, and effects, against
  unreasonable searches and seizures, shall not be
  violated, and no Warrants shall issue, but upon
  probable cause, supported by Oath or affirmation,
  and particularly describing the place to be
  searched, and the persons or things to be
  seized. 6
• Other sources of information
• Federal Wiretap Act - real-time traffic
  surveillance
• Pen Register/Trap and Trace Statue - collecting
  of information from voice and data networks
• Electronic Communication Privacy Act - disclosure
  and access of account records and files from
  network service providers

12
Risks of implementing a honeynet

• The United States Department of Justice states
  that a honeynet can qualify under an Exception to
  Wiretap Act, the Provider Exception (System
  Protection) clause
• One concern, however is with IRC. A user that is
  using IRC may not know the channel they are on
  exists at a compromised system, that user would
  have an expectation of privacy. Allowing this
  traffic on the honeynet machine may have the
  chance of violating the US Wiretap Act
• At Georgia Tech 10, no IRC traffic is collected
  from their honeynet. If an IRC server is
  established on their honeynet, that machine is
  immediately taken off line.

13
Risks of implementing a honeynet

• Entrapment
• The process by which a law enforcement officer
  or government agent lures a person into
  committing a crime in order to prosecute that
  individual for it
• A person is not entrapped into committing a
  crime because the opportunity presented itself
• Given that honeynets are deployed on networks and
  no advertisement enticing people to scan and/or
  break into the honeynet, the case of entrapment
  has little merit

14
Risks of implementing a honeynet

• Liability
• question If a honeypot is compromised and then
  used to attack other systems in another
  organization, could the honeypot operator be held
  liable in a suit brought by downstream victims?
• Honeypots Tracking Hackers 4
• Defined at a state level, not a federal level
• Can vary widely wherever the victim resides and
  the system that performed the attack resides.

15
Overview

• What is a honeynet
• Why implement a honeynet
• Risks of implementing a honeynet
• Implementing a honeynet Sebek
• Conclusions
• References
• Questions

16
Implementing a honeynet Sebek

• Tracking hackers inside a honeynet
• Hackers use the same type of tools administrators
  do,
• such as SSH and SCP
• Need method of circumventing encryption rather
  than breaking it

17
Implementing a honeynet Sebek

• What is a Rootkit?
• LKM, Loadable Kernel Module
• Set of tools and utilities used by hackers to
  maintain access to a compromised system
• Circumvent system binaries by redirecting their
  functionality from the kernel

18
Implementing a honeynet Sebek

• What is a Rootkit?
• LKM, Loadable Kernel Module
• Set of tools and utilities used by hackers to
  maintain access to a compromised system
• Circumvents system binaries by redirecting their
  functionality from the kernel
• Adore Rootkit
• Implements file hiding, process hiding,
  privileged command execution 7

19
Implementing a honeynet Sebek

• Sebek honeynet 8
• Based off of the Adore rootkit
• Consists of an LKM client, and server collection
  tools
• Implements it own TCP/IP stack for communications
• Virtually undetectable to intruders on the system

20
Implementing a honeynet Sebek

• Sebek client architecture
• Windows 2000/XP, Linux, OpenBSD, Solaris
• Intercepts sys_read function calls on UNIX-like
  platforms and system communications from cmd.exe
  on Windows platforms.
• Implements its own TCP/IP stack and generates its
  own UDP packets
• Undetectable to port
• scanners and sniffers
• running on a Sebek
• system. Cannot be
• blocked.

21
Implementing a honeynet Sebek

• Sebek client architecture
• Communicates to server component via MAC
  addresses 9 and a specified port number using
  ARP, Address Resolution Protocol
• Client system does not need an IP address to
  communicate to server
• Stores itself inside kernel space, and on
  UNIX-like systems, manipulates the list of
  installed modules to hide itself, cannot be
  detected using lsmod, or removed using rmmod.

22
Implementing a honeynet Sebek

• Sebek server architecture
• Consists of 1 executable, sbk_extract and two
  perl scripts, sbk_ks_log.pl, and sbk_upload.pl
• Monitors network on a specified port waiting for
  Sebek client packets to be broadcast on the
  network
• Can record data to a MySQL database

23
Implementing a honeynet Sebek

• Sebek server architecture
• Consists of 1 executable, sbk_extract and two
  perl scripts, sbk_ks_log.pl, and sbk_upload.pl
• Monitors network on a specified port waiting for
  Sebek client packets to be broadcast on the
  network
• Can record data to a MySQL database
• Sebek web architecture
• Set of web pages that gather stored Sebek client
  data for analysis
• Can gather keystrokes, search for activity, and
  even recover SCPed files

24
Implementing a honeynet Sebek

• Prerequisites for installing the Sebek client
• Determine both client and server systems, will
  need MAC address of server, and optionally IP
  address of server
• Determine magic number, which is a number that
  identifies a Sebek network and prevents other
  Sebek machines from detecting those packets
• Determine common port number to communicate
• Is this a test or production honeypot?

25
Implementing a honeynet Sebek

• Prerequisites for installing the Sebek server
• Installed and active Sebek client or clients
  broadcasting on a specified port
• Perl 5.x installed for supplemental scripts
• Optional MySQL server with database for Sebek,
  scripts are provided for database structure
• Prerequisites for installing Sebek Web
• Apache 2.x
• PHP scripting language
• MySQL server with stored Sebek client data

26
Implementing a honeynet Sebek

• Installing the Sebek client
• Download package from Sebek site
• Configure client via configuration script using
  values gathered from prerequisites
• Interface, Destination IP, Destination MAC,
  Magic Value, Source and Destination UDP port,
  Keystrokes Only, Testing
• Compile to module, then install into kernel
• Installing the Sebek server
• Download package from Sebek site
• Compile and install into shared folder

27
Implementing a honeynet Sebek

• Gathering Data from Sebek 11
• The sbk_extract application has three option
  switches to collect data. The first is -i device.
  This parameter will specify the device on which
  we are monitoring, usually this is eth0. The
  second parameter is -p port. This parameter will
  specify on what port to listen on for Sebek
  client packets. This must match the value from
  the DESTINATION_PORT of the client install

28
Implementing a honeynet Sebek

• Gathering Data from Sebek 11
• Since the Sebek client records any activity sent
  to the sys_read system call, it will capture all
  user and system data to the standard output. If
  you are running an Xterm or other intensive
  application, when you start the sbk_extract
  application your screen will start to fill with
  system calls as well as user data. One way to
  clean up the output is to run the client in run
  level 3 to only record shell activity

29
Implementing a honeynet Sebek

• Gathering Data from Sebek 11

30
Implementing a honeynet Sebek

• Gathering Data from Sebek 11
• Since Sebek can gather large amounts of data in a
  short period, it provides you with two Perl shell
  scripts
• The first script is sbk_ks_log.pl. This script
  will filter out only key presses that occur on
  the client. This is called by using a pipe to
  redirect the output of sbk_extract into the
  script's input. An example of this is sbk_extract
  -i etho -p 9999 sbk_ks_log.pl.
• Data from Sebek can also be collected into a
  MySQL database using the sbk_upload.pl script,
  which can later be analyzed by the Sebek Web
  Interface. The table used is configured from a
  script provided by a Sebek SQL input file called
  sebek. It is initially setup using mysql u root
  p xxxx lt sebek. Then by using the sbk_upload.pl
  script we redirect the output to the MySQL
  server. An example is sbk_extract -i eth0 -p
  9999 sbk_upload.pl -u root -p password -d sebek
  -s localhost

31
Implementing a honeynet Sebek

• Gathering Data from Sebek 11
• The web interface allows you to analyze data
  retrieved from Sebek. It captures all data,
  including keystrokes and files that have been
  copied.

32
Implementing a honeynet Sebek
33
Implementing a honeynet Sebek
34
Conclusions

• Some facts
• Average life expectancy of an out-of-the-box
  default installation of an operating system is 24
  hours until system is fully compromised
• Records of compromised systems is 15 minutes
• New vulnerabilities and viruses are being
  discovered daily
• Many solutions are available such as scanning,
  patching and monitoring

35
References

• 1 "Internet Storm Center," vol. 2004 The SANS
  Institute, pp. Cooperative Cyber Threat monitor
  and Alert System. lthttp//isc.sans.orggt.
• 2 "SecurityFocus Vulnerability Database," vol.
  2004 SecurityFocus, 2004. The SecurityFocus
  Vulnerability Database provides security
  professionals with the most up-to-date
  information on vulnerabilities for all platforms
  and services. This information is provided for
  free with a 48-hour delay from when the
  vulnerability is first posted.
• lthttp//www.securityfocus.com/bidgt.
• 3 "The Honeynet Project," vol. 2004, pp. The
  Honeynet Project is a non-profit (501c3) research
  organization of security professionals dedicated
  to information security. lthttp//www.honeynet.orggt
  .
• 4 L. Spitzner, Honeypots Tracking Hackers
  Addison-Wesley, 2002. lthttp//www.tracking-hackers
  .comgt.
• 5 "Merriam-Webster Online Dictionary," vol.
  2004. Springfield, MA Merriam-Webster,
  Incorporated, 2004, pp. Merriam-Webster Online
  Dictionary. lthttp//www.m-w.comgt.

36
References

• 6 "Amendment 4," vol. Constitution of the
  United States of America United State Code
  Service, 1791.
• 7 D. D. Zovi, "Kernel Rootkits," in Information
  Security Reading Room, vol. 2004 The SANS
  institute, 2001. lthttp//www.sans.org/rr/papers/60
  /449.pdfgt.
• 8 "Sebek," 2.1.7 ed The Honeynet Project,
  2004. lthttp//project.honeynet.org/tools/sebekgt.
• 9 "What is a MAC address?" vol. 2004, pp. MAC
  address definition. lthttp//www.webopedia.com/TERM
  /M/MAC_address.htmlgt.
• 10 Know Your Enemy Honeynets in Universities.
  26 Apr. 2004. The Georgia Institute of
  Technology. 30 Nov. 2004 lthttp//www.honeynet.org/
  papers/edugt.
• 11 Know Your Enemy Sebek. 17 Nov. 2003. The
  Honeynet Project. 30 Nov. 2004 lthttp//www.honeyne
  t.org/papers/edugt.

37
Questions?